Slashdot Mirror


WarTalking Arrest

PhotonSphere writes "Having helped organize HoustonWireless.org, this really caught my attention! A Houston computer security analyst has been charged with 'hacking' after demonstrating the insecurity of a court's wireless LAN! This happened Wednesday and is only now getting the attention of the wireless community. The Register has the full story."


  1. Headline is Wrong - Not White Hat by Anonymous Coward · · Score: 1, Informative

    From the article, he's charged with a violation _prior_ to the demonstration. He isn't being charged for the demonstration to the reporter and county official. If he's guilty, this is black hat, not white hat.

  2. Re:Burn the observatory, so this never happens aga by ragnarok · · Score: 3, Informative
    No, this is his crime:
    He's accused of accessing the system March 8 in an alleged intrusion that cost the county a reported $5,000 to clean up.
    --
    Search first, ask questions later.
  3. Texas Computer Crime by Nick Driver · · Score: 2, Informative

    FYI: Texas Computer Crime Law

    TEXAS PENAL CODE TITLE 7. OFFENSES AGAINST PROPERTY
    CHAPTER 33. COMPUTER CRIMES
    33.01. Definitions
    In this chapter:
    (1) "Access" means to approach, instruct, communicate with, store
    data in, retrieve or intercept data from, alter data or computer
    software in, or otherwise make use of any resource of a computer,
    computer system, or computer network.

    (2) "Communications common carrier" means a person who owns or
    operates a telephone system in this state that includes equipment
    or facilities for the conveyance, transmission, or reception of
    communications and who receives compensation from persons who use
    that system.

    (3) "Computer" means an electronic, magnetic, optical,
    electrochemical, or other high-speed data processing device that
    performs logical, arithmetic, or memory functions by the
    manipulations of electronic or magnetic impulses and includes all
    input, output, processing, storage, or communication facilities
    that are connected or related to the device.

    (4) "Computer network" means the interconnection of two or more
    computers or computer systems by satellite, microwave, line, or
    other communication medium with the capability to transmit
    information among the computers.

    (5) "Computer program" means an ordered set of data representing coded
    instructions or statements that when executed by a computer cause
    the computer to process data or perform specific functions.

    (6) "Computer security system" means the design, procedures, or other
    measures that the person responsible for the operation and use of
    a computer employs to restrict the use of the computer to
    particular persons or uses or that the owner or licensee of data
    stored or maintained by a computer in which the owner or licensee
    is entitled to store or maintain the data employs to restrict
    access to the data.

    (7) "Computer services" means the product of the use of a computer,
    the information stored in the computer, or the personnel
    supporting the computer, including computer time, data processing,
    and storage functions.

    (8) "Computer system" means any combination of a computer or computer
    network with the documentation, computer software, or physical
    facilities supporting the computer or computer network.

    (9) "Computer software" means a set of computer programs, procedures,
    and associated documentation related to the operation of a
    computer, computer system, or computer network.

    (10) "Computer virus" means an unwanted computer program or other set
    of instructions inserted into a computer's memory, operating
    system, or program that is specifically constructed with the
    ability to replicate itself or to affect the other programs or
    files in the computer by attaching a copy of the unwanted program
    or other set of instructions to one or more computer programs or
    files.

    (11) "Data" means a representation of information, knowledge, facts,
    concepts, or instructions that is being prepared or has been
    prepared in a formalized manner and is intended to be stored or
    processed, is being stored or processed, or has been stored or
    processed in a computer. Data may be embodied in any form,
    including but not limited to computer printouts, magnetic storage
    media, laser storage media, and punchcards, or may be stored
    internally in the memory of the computer.

    (12) "Effective consent" includes consent by a person legally
    authorized to act for the owner. Consent is not effective if:

    (A) induced by deception, as defined by Section 31.01, or induced
    by coercion;

    (B) given by a person the actor knows is not legally authorized to
    act for the owner;

    (C) given by a person who by reason of youth, mental disease or
    defect, or intoxication is known by the actor to be unable to
    make reasonable property dispositions;

    (D) given solely to detect the commission of an offense; or

    (E) used for a purpose other than that for which the consent was
    given.

    (13) "Electric utility" has the meaning assigned by Subsection (c),
    Section 3, Public Utility Regulatory Act (Article 1446c, Vernon's
    Texas Civil Statutes).

    (14) "Harm" includes partial or total alteration, damage, or erasure
    of stored data, interruption of computer services, introduction of
    a computer virus, or any other loss, disadvantage, or injury that
    might reasonably be suffered as a result of the actor's conduct.

    (15) "Owner" means a person who:

    (A) has title to the property, possession of the property, whether
    lawful or not, or a greater right to possession of the
    property than the actor;

    (B) has the right to restrict access to the property; or

    (C) is the licensee of data or computer software.

    (16) "Property" means:

    (A) tangible or intangible personal property including a computer,
    computer system, computer network, computer software, or data;
    or

    (B) the use of a computer, computer system, computer network,
    computer software, or data.

    33.02. Breach of Computer Security

    (a) A person commits an offense if the person knowingly accesses a
    computer, computer network, or computer system without the
    effective consent of the owner.

    (b) A person commits an offense if the person intentionally or
    knowingly gives a password, identifying code, personal
    identification number, debit card number, bank account number, or
    other confidential information about a computer security system to
    another person without the effective consent of the person
    employing the computer security system to restrict access to a
    computer, computer network, computer system, or data.

    (c) An offense under this section is a Class A misdemeanor unless the
    actor's intent is to obtain a benefit or defraud or harm another,
    in which event the offense is:

    (1) a state jail felony if the value of the benefit or the amount
    of the loss or harm is less than $20,000; or

    (2) a felony of the third degree if the value of the benefit or
    the amount of the loss or harm is $20,000 or more.

    (d) A person who is subject to prosecution under this section and any
    other section of this code may be prosecuted under either or both
    sections.

    33.03. Defenses

    It is an affirmative defense to prosecution under Section 33.02 that
    the actor was an officer, employee, or agent of a communications
    common carrier or electric utility and committed the proscribed act or
    acts in the course of employment while engaged in an activity that is
    a necessary incident to the rendition of service or to the protection
    of the rights or property of the communications common carrier or
    electric utility.

    33.04. Assistance by Attorney General

    The attorney general, if requested to do so by a prosecuting attorney,
    may assist the prosecuting attorney in the investigation or
    prosecution of an offense under this chapter or of any other offense
    involving the use of a computer.

    --

    Looks like Mr. Puffer clearly committed the offense described in 33.02(a).

    Now is Harris County guilty of negligence in adequately protecting their computer networks? I'd have to argue that yes, in my opinion they probably are. Anyone who'd carelessly run wide open unprotected wireless ethernet in a local government agency is not only a moron, but also a very poor steward of public records, which is a job taken *very* seriously in Texas.

  4. One omission in the articles... by D'Arque Bishop · · Score: 5, Informative

    This isn't the first time the Houston Chronicle (which the Register references) has reported on this story. What they're leaving out in this article is that the county official that Puffer demonstrated the break-in to was, in fact, the equivalent of the head of IT for the county. So, one wonders if indeed that could be counted as having permission...

    (I don't remember what his exact title was, and I don't remember the links offhand, but the official was definitely the head of the county's equivalent of an IT department.)

    Just my $.02...

    1. Re:One omission in the articles... by D'Arque Bishop · · Score: 4, Informative

      (I don't remember what his exact title was, and I don't remember the links offhand, but the official was definitely the head of the county's equivalent of an IT department.)

      I just found an older link. It was Steve Jennings, head of the County Technology Department. Also, the article shows just exactly how badly Bacarisse reacted, including saying "hackers, terrorists or anyone else intending harm would be detected long before they could do any damage or use the system illegally."

      You can read the rest for yourself here.

      Just my $.02...

  5. Re:My questions by GryMor · · Score: 2, Informative

    Doesn't matter, he had permission:

    The decision was made Tuesday, after a computer security analyst demonstrated to Steve Jennings, head of the county's Central Technology Department, and the Houston Chronicle how the system could be compromised

    Jennings said he was concerned that the system could be accessed from the outside and that he wanted to learn more about the problem before alerting Bacarisse

    --
    Realities just a bunch of bits.
  6. The REST of the story... by Anonymous Coward · · Score: 1, Informative

    Yikes. The story contains many more details... Like a pr0n file appearing on a server, the target's stormy past with the county, political power grabs... It's a lot more than just war-driving! Here's a link with the scandalous details: http://www.chron.com/cs/CDA/story.hts/metropolitan/1302663

  7. Oh well ... by too_bad · · Score: 2, Informative

    I guess I was lucky. When I did this exact thing (and maybe a little more fun stuff ;) )
    in our harmless local campus network while at school, I got into so much trouble,
    you just cannot imagine!

    The thing that I learnt very hard and sadly was that people in charge of making
    decisions related to the networks hardly know any technical details. And they
    always come down hard exactly because of their ignorance.

    Anyway, at that point it put a dampener to my enthusiasm to find holes in systems.
    And I am sure I will never find myself in the position this man found himself, thanks
    to this enlightening experience!

    Of course, it would be very nice if someone educated the lawmakers and bureaucrats
    a little bit more about the systems, security and technology in general.
    (sigh)

    --
    DO NOT PANIC