Brian West says he was doing a public service when he pointed out a security hole in an Oklahoma newspaper's Web site. So why did the editor in chief call the cops?
Aug 29, 2001 | Brian K. West simply wanted to see how his company's advertisement would look in the online edition of the Poteau Daily News & Sun, his local Oklahoma newspaper. But while trying to create a mockup, he discovered a security flaw that let him put the ad on the actual home page of the newspaper. No password or permission was required. In fact, anyone with Microsoft's FrontPage -- a Web site development program used to create the newspaper's Web pages -- could go in and redesign at will, wreaking havoc on the home page's structure, color and text.
West, a 24-year-old sales and support employee of a nearby Internet service provider, didn't put his ad on the page or make any of these changes. He downloaded some files, apparently to verify the hole, then called the newspaper's editor in chief to let him know that his Web site wasn't secure -- that anyone could get in and "edit your stories."
But instead of thanking him, the suspicious editor contacted the police, setting in motion a chain of events that would lead to an 18-month FBI investigation and an invitation to appear before a grand jury Sept. 5.
In the community of hackers, the details outlined above could be expected to result in West's immediate treatment as a hero, a well-meaning altruist trapped by an undiscriminating justice system. Protests could have been scheduled, money raised. Like the recently indicted Russian programmer Dmitry Sklyarov, accused of illegally distributing code that unlocks electronic books, West might have become a poster child for reforms to laws that, according to critics, treat security research as a crime rather than a virtuous act of science.
But even though charges have not yet been filed, West is not getting the hacker hero treatment. The reason? According to court documents, West didn't just warn the Poteau Daily News about the hole; among the items he downloaded were files containing source code and passwords for the proprietary software that the newspaper's editors used to post stories from remote locations. It was only a beta version, and it's not clear whether West knew what he was downloading, but because the newspaper bought the software from an Internet service provider that was a competitor to West's company, the act itself did much to tarnish West's "good Samaritan" image.
So, instead of becoming an icon, a victim and a martyr, he's a lightning rod for debate. Hundreds of people have written to the U.S. attorney in charge of the case since Aug. 17, when an abbreviated version of West's story appeared on the geek news site LinuxFreak.org. And while the prosecutor and West's lawyers exchange responses to the public outcry -- the latest volley appeared last Friday -- heavyweights in the world of security don't know what to make of West's actions. Some, like Richard M. Smith, CTO of the Privacy Foundation, argue that West went too far, while others argue that West "is just a guy who found a flaw and tried to fix it," as cryptography expert Bruce Schneier puts it. Even if he poked around a bit, these defenders say, he shouldn't be treated like a criminal. "The punishment doesn't fit the crime," Schneier says.
The debate itself is not new. It's been almost 20 years since hackers, geeks and lawmakers first started struggling with the question of how software vulnerabilities should be handled. Hackers -- as distinguished from crackers, who break and enter computer systems for purposes of profit or destruction -- have long argued that by pointing out security holes in software they are doing a public service. The companies that are the recipients of hacker explorations, and the vendors of software that is found to be vulnerable, often disagree, seeing hacker activity as illegal trespassing or worse. It's a tension that is at the core of hacker life; one could even argue that the "public service" theory is, at least in part, a rationalization aimed at justifying the results of hacker curiosity.
But even though the debate is old, the stakes keep rising. The laws as currently written are unfriendly to "unauthorized access," regardless of what the intent is. The passage of the Digital Millennium Copyright Act (DMCA) in 1998, which, among other things, made it illegal to do so much as reveal how copyright controls can be circumvented, has also upped the ante for those who like tinkering with other people's software. But while high-profile cases such as Sklyarov's and the DeCSS lawsuit wend their way through the courts, few experts in the technology community have offered clear alternatives that can be applied in the real world.
There's still not an accepted set of guidelines for how people like West should proceed -- and that's "a serious problem," says Jennifer Granick, a San Francisco attorney who regularly defends hackers. Until consensus is reached -- which won't be easy, she says -- West's mistakes are destined to be repeated. Every security researcher and every Net user who happens to find a security flaw is vulnerable. The witness stand could only be a mouse-click away.