21 August 2001


Date: Mon, 20 Aug 2001 22:27:50 -0700
From: Todd Jonz <todd@tj.org>
To: jya@pipeline.com
Subject: Okie Rag Security Hole Eggs DoJ/FBI Attack

Yesterday you posted an offsite pointer on Cryptome to which I had alerted you:

Okie Rag Security Hole Eggs DoJ/FBI Attack
http://www.linuxfreak.org/post.php/08/17/2001/134.html

In light of the attached, you may wish to withdraw that item.  My apology for the red herring....

--

Todd Jonz When cryptography is outlawed,
todd@tj.org bayl bhgynjf jvyy unir cevinpl.

* * *

From: rms@privacyfoundation.org (Richard M. Smith)
To: <politech@politechbot.com>, <todd@tj.org>
Subject: RE: Feds target Oklahoma good samaritan who noted web security hole
Date: Mon, 20 Aug 2001 19:04:09 -0400

Declan and Todd,

  >>> In addition to the story above see: http://www.bkw.org/pdf/
  >>> for several collateral documents, including correspondence
  >>> from DOJ and a detailed description of how this ridiculous
  >>> travesty unfolded.

I think that anyone who is interested in this story should carefully read over the 4 pages of comments posted after the Linux Freak story. Apparently some of the players involved in the situation are providing information beyond what the story itself had to say.  My impression after reading the comments as well as some earlier news reports is that what happened is a bit more complicated than the Linux Freak story leads one to believe.  This news story in particular is very interesting:

http://www.bkw.org/pdf/stigler-news-hack.pdf

(Please ignore the dumb definition of "hacking").

I have always felt that it can be very risky to do too much research on security holes on other people's Web servers without their permission. It is particularly problematic if the servers belong to a direct competitor which apparently is the case in this story.

The reason that the FBI and US attorney's office got involved is that they are alleging that a few hundred files were downloaded by Brian West from a competitor's Web server.  Some of these files included password files and Perl scripts owned by the competitor.

Richard M. Smith
CTO, Privacy Foundation

http://www.privacyfoundation.org

* * *

From: Todd Jonz <todd@tj.org>
To: "Richard M. Smith" <rms@privacyfoundation.org>
Cc: declan@well.com
Subject: Re: Feds target Oklahoma good samaritan who noted web security hole
Date: Mon, 20 Aug 2001 22:02:32 -0700

Richard writes:

> Apparently some of the players involved in the situation
> are providing information beyond what the [Linux Freak]
> story itself had to say.

Including the FBI in its affidavit, which I've only just read:

| 15.  ...West indicated to Burchett that West had accessed
| the PDNS Web site by obtaining the user names and passwords.

which contradicts Linux Freak's claim that the site was accessed without authentication.  Furthermore:

| 19.  ...the logs reflect that the attempts to connect were
| not simply requests to view the webpage, but attempts to
| access the files and Perl scripts that cause the webpage
| to operate....[West's presumed host] was able to enter a
| command line to access the file containing user
| identifications and passwords...

No doubt about it:  this was a simple case of breaking and entering. Declan, my sincerest apologies for the false alarm.

--

Todd Jonz When cryptography is outlawed,
todd@tj.org bayl bhgynjf jvyy unir cevinpl.


Date: Tue, 21 Aug 2001 06:44
To: Todd Jonz <todd@tj.org>
From: John Young <jya@pipeline.com>
Subject: Okie Rag Security Hole Eggs DoJ/FBI Attack

I had read the FBI affidavit alleging break-in and the other case documents and found Brian's offering of them forthright.

What is missing is Brian's answer to the specific details the affidavit alleges. Have you seen Brian's response to the detailed allegations of the affidavit?

There have been instances of misinformation in such affidavits, in particular allegations of access violations which turned out to be not altogether truthful. Smith hints at such exaggeration.

The FBI and Smith may be right but I'd like to see more from Brian before assuming the affidavit tells the full story of what was going on with the newspaper's server and its ISP team. AFAIK no criminal charges have been made against Brian, so he is presumed innocent. Not that that has prevented prosecutors in other cases from bluffing targets into accepting plea bargains.

Even so I will put up Smith's remarks and invite others to comment.


Comments on this story to: jya@pipeline.com