August 28, 2001

Showdown at the Poteau Corral: FBI, DOJ, MS, and West

Author: JT Smith

- by Tina Gasperson -
Is the FBI simply trying to help a web host protect its intellectual property by pursuing charges against Brian K. West? He claims he was only trying to help the Poteau News agency (Poteau, Oklahoma) plug some serious security holes at its Web site, hosted by Cyberlink Rural Telecommunications (CRTI). CRTI, Poteau, and the FBI say that West had malicious intent. Who is telling the truth? And is this somehow all Microsoft's fault?It's a messy story. Brian K. West says that on January 29, 2000, he was testing a banner ad that his ISP employer was going to place on the Poteau Daily News Web site, according to a report at LinuxFreak.org. He surfed to the site, clicked the "edit" option in MS Explorer in order to place a copy of the banner ad on a locally cached copy of the main page of the Poteau Daily News. Inexplicably, through Front Page (an HTML editing program), West gained write-level access to all the files on the PDN site, which is hosted by CRTI, a competitor to West's employer, CWIS.

In the report, West says he contacted PDN to alert them to the situation. The editor-in-chief freaked out and sicced the FBI on West. No charges have been filed in the case, but the Department of Justice, amazingly, has asked West to accept a felony conviction and five years of probation.

West's attorney, Cherie Chapell, is bringing out the big guns to defend her client. "Because it appears that Microsoft's software may have caused this unfortunate situation to occur, we will likely subpoena Microsoft personnel if the case goes to trial," Chapell told NewsForge. A statement released by Chapell's office explains the statute (Title 18 of the United States Code, Section 1030(a)(2)(C)) being used to assert a claim of wrongdoing against West:

"...it is a crime
for: "Whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer if
the conduct involved an interstate or foreign communication;" The statute also provides definitions for certain key phrases used in the statute.
18 USC 1030(e): As used in this section - (1) the term ''computer'' means an electronic, magnetic, optical, electrochemical, or other high speed data processing device
performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with
such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device; (2) the term ''protected
computer'' means a computer - (A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for
such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution
or the Government; or (B) which is used in interstate or foreign commerce or communication; (6) the term ''exceeds authorized access'' means to access a computer
with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter; This statute may be fatally
flawed."

Following the logic, Chapell believes that while her client, West, accidentally gained access to files on the Poteau Daily News server, the true fault lies with Microsoft, whose products including Windows, Internet Explorer, Front Page, NT 4.0, and IIS, are flawed enough to allow illegal, unauthorized access to information.

Chapell adds that the statute is overly broad and possibly unconstitutional. "There has been a concern for some time over how
to integrate law and technology on the internet," she says. "The question exists as to whether the Internet should be regulated, if so by whom, and to what degree."

Perl Script?

In an affidavit sworn by the FBI special agent assigned to the case, it appears that CRTI, Poteau's Web host, is concerned about a perl script written by James McCoy, a former employee at Cyberlink Rural Telecommunications. The script was used by Poteau as a "backend" administration tool with which reporters and editors could enter and manipulate the contents of the Web pages. According to the affidavit, CRTI was testing the tool, which they named "EZ Net News," on Poteau's site and anticipated marketing their program as an "off-the-shelf software package that could be customized and sold to medium and small news agencies." The affidavit states that CRTI planned to sell the script at prices ranging from $4,000 to $6,000 per copy.

The FBI special agent doesn't go into the reasons why this information was included in his affidavit, which was used to obtain a search warrant for the hard drive contents at CWIS, West's employer. Neither do any previously published reports, including an article written (PDF - 567k) by the editor-in-chief at Poteau News -- but the tacit implication is that since West gained access to the program, he has in some way either damaged it, or has taken possession of intellectual property with the intent to distribute it for profit.

Poteau News and Cyberlink are now aware that West is making waves with his story. An article published at Poteau News this morning states: "It is evident that West's words are getting around. CNN, Fox News
Channel and USA Today have made inquiries to the PDN concerning his
story." NewsForge found that no one at Cyberlink or Poteau has been willing to comment on the case, citing legalities.

Related Links:

Brian K. West's archive of case-related documents: www.bkw.org/pdf
Story at The Register: MS bugware blamed for
'inadvertent' hack

Cyberlink Rural Telecommunications

Click Here!