Linux Today: Linux News On Internet Time.

LinuxFreak: Cyber Citizen lands Felony

Aug 20, 2001, 14:16

[ Thanks to gh0ul for this link. ] Readers here and around the web have advocated a variety of "white hat" approaches to dealing with Code Red infected machines. This story, though not dealing with Code Red, illustrates some of the perils that can come from seemingly innocuous attempts to help. As one reader has pointed out already, it's also worthwhile to examine the documents provided in this article and get a better sense of balance than the article itself provides:

"A good deed may lead to prosecution for Brian K. West, a 24 year old sales and support employee for an internet service provider in SE Oklahoma. Mr. West has become a statistic for the Computer Analysis Response Team because he alerted a local business to a serious security flaw in their website.

On February 1, 2000, one of West's co-workers created a banner advertisement to be placed on the Poteau Daily News website as part of a legitimate advertising campaign for his employer. To test how the finished ad would look on the site, West clicked the 'Edit' button on Microsoft's Internet Explorer. This action brought up Microsoft FrontPage and should have created a local copy of the web page, allowing West to do a mock-up of the site on his own computer.

In this case, however, Microsoft FrontPage displayed some unusual files due to a server misconfiguration. After some confusion, West realized that the webserver hosting the Poteau Daily News site required no authentication to edit any file on the site. The lack of authentication meant that anyone could edit the Poteau Daily News website by using FrontPage, without ever having to provide a password. Clearly, this was a massive security hole."
