WarTalking Arrest

PhotonSphere writes "Having helped organize HoustonWireless.org, this really caught my attention! A Houston computer security analyst has been charged with 'hacking' after demonstrating the insecurity of a court's wireless LAN! This happened Wednesday and is only now getting the attention of the wireless community. The Register has the full story."

Mmhmm.

[Renraku]

We all know that its illegal to teach things to people that could possibly be used for malicious purposes. We also know that pointing out flaws or weaknesses in computer systems is an activity reserved for terrorists and other 'undesirables'.

Re:Mmhmm.

[gad_zuki!]

Heaven forbid he goes through proper government channels or sues for various violations of privacy laws if they have open access to private data. What he did was stupid and no one should be that naive today, especially someone in IT.

Re:Mmhmm.

We all know that its illegal to teach things to people that could possibly be used for malicious purposes. We also know that pointing out flaws or weaknesses in computer systems is an activity reserved for terrorists and other 'undesirables'.

Have you watched any form of news media since 9/11? Haven't you heard of the number of weaknesses that news anchors have pointed out time and time again? Any of these phrases ring a bell? "This is how they could attack a nuclear plant." "These bridges would be prime locations for terrorist bombing." etc, etc. I know your comment was a sarcastic one, but the point you're trying to prove is wrong. People are allowed to share weaknesses, turn to your local news if you disagree.

Re:Mmhmm.

[wandernotlost]

> If you want to make a point make it the legal way like the rest of us.

Hmmm...so notifying a public official is illegal now? *sigh* One more thing I'll have to remember, I guess. Just out of curiosity, what would you have done upon finding that peoples' -- possibly your own -- private information were being sent through the air, open to anyone with a network card? Ignored it? Well, that would make you a good little citizen, wouldn't it. Certainly better than actually doing something useful. Better yet, you could have dropped a few grand on a lawyer to sue them for privacy violations. That would be truly American!

There's no evidence here that this man was acting with any malicious intent or action. Why would you be so quick to label it "breaking in," when we're talking about a network broadcast over public spectrum. Hardly like throwing a rock through a window. A little bit more like watching TV, perhaps.

Deserved it.

[Jonny+290]

Unless he was hired for the job, he deserves it.

Just because you *can* do something doesn't mean you *should*.

Tired of having all these people act like "well, it's not secure, so I should poke around."

Re:Deserved it.

> It's like gangs of burglars coming round to your house, breaking in and then telling you exactly how they kicked your doorframe in.

No it isn't. Its like someone walking in through your open front door to tell you that your door is insecure. If they're doing burgling while they're in there that's a different matter.

Re:Deserved it.

[rdean400]

Whether he deserved it or not depends totally on the context. If he brought it to their attention "as a concerned citizen", knowing that insecurities of wireless networks can be exploited intentionally or accidentally, then they should have heard him out and then fixed it. However, if he brought it to their attention in more of a "look what I can do" fashion, then he deserved what he got.

Re:Deserved it.

More like you leaving a signed blank check outside your house on the sidewalk, and someone picking it up and returning it to you, then you having them arresting for stealing your property.

Re:Deserved it.

[wandernotlost]

> Unless he was hired for the job, he deserves it.

That's absolutely absurd. The man simply brought to the attention of the clerk the fact that its network was insecure. That a person is prosecuted for trying to point out a potentially dangerous security flaw shows the extent to which this country has fallen into a legal and intellectual paralysis. He should be hailed as a good samaritan looking out for the safety of the county's information!

From the original article:

District Clerk Charles Bacarisse said no files were compromised, but the county had to shut down the wireless system about a month after it was set up.

It appears that there was no malicious action or intent on the part of Mr. Puffer, but rather that the clerk's office is upset because someone discovered its incompetence. What would have happened if someone truly malicious had stumbled upon this network? To what ends could he or she have used the information found?

If you broadcast your network all over your block unprotected, you shouldn't be surprised when someone discovers it and pokes around. Plain and simple. What about those that willingly open their networks to the public? Should we make free public access illegal, so that fools like this can remain under their rocks and pretend that no one can see their secrets?

Re:Deserved it.

[WEFUNK]

Based on the account in the article your response is simply ridiculous. Although the story is brief and somewhat biased ("Ethical Hacker" etc.) NOWHERE does it indicate that he *poked* around or otherwise exploited the security gap.

Even if he had, there are many who would argue that a little poking around is natural and innocent when someone discovers such a thing (and one might not even know that they have stumbled into a restricted space without a little exploring).

You may disagree that intentional hacking can fall into such a grey area, sometimes described as analogous to checking the locks and then walking into an unlocked house. Fair enough. However, unless you have some additional facts to the contrary, the events in the article are more akin to walking by and noticing someone's door is wide open with the keys left in the lock. Any snooping might have been equivalent to peering inside as you walk by. You might even have ethical obligation to report it to a neighbour or the police and perhaps even take them the keys for safe keeping.

Finally, does anyone have any idea how we can educate the public and the law that pointing out a flaw or security issue is NOT the same as causing damage? He is being charged with forcing their system down and costing $5000 to install a secure system. Why is this the standard in the computing, but not in the real world?

Re:Deserved it.

[nehril]

from time to time my company offers security scanning and consulting services. before doing ANYTHING to a system we get extensive permission from top management (NOT just the IT monkey) and we notify their ISP.

"free security scans" are NOT welcome by anyone. Management types (IT and non-IT) cannot distinguish them from "real" hack attempts. CYA extensively or don't rattle the locks. 'Nuff said.

Re:Deserved it.

[mrzaph0d]

i think its closer to this:

a company develops a new lock that makes it easier for anyone in the house to open the door. instead of using a key they can just wiggle the lock a certain way and they're in. someone notices that all these locks are made the same, and all that is required to get into the house is this same "wiggle". this person notices that these locks are in use at a government building. fearing that any criminal could get in, he rounds up a government official and a reporter and shows them how easy it is for anyone to get in. he then gets arrested for breaking and entering.

Re:Deserved it.

[GlassUser]

If I were to do something like this, I would want a reporter there. If I didn't have one, I'm sure it would be easy for the government to sweep something under the table. Either the issue, just ignoring me, or me entirely. I'd want a third party with an inclination to make everything public.

As I heard this morning, they arrested him because they found a single pr0n file on the server that they think was planted by him.

Ignorance is bliss.

[papasui]

He went about this wrong, he should have mentioned that he believed it was insecure and then with explict permission demonstrated why he believes this is the case. If I walked up to a cop and said "This pop machine is insecure" and proceeded to kick it and then drink the soda that fell out do you think the cop would be happy I showed him that?

Re:Ignorance is bliss.

[gilroy]

Blockquoth the poster:

If I walked up to a cop and said "This pop machine is insecure" and proceeded to kick it and then drink the soda that fell out do you think the cop would be happy I showed him that?

If I go up to a soda-machine owner and say, "This machine gives out free Cokes", then press a button and watch a Coke drop, should I expect to go to jail?? Maybe I'm old fashioned, but I would expect the soda-machine owner to be grateful that someone pointed out the flaw, so that it could be fixed.

But of course, in this case, it would require the government to admit that there had been a mistake, that confidential data conceivably might have gotten out without them knowing it, and that they weren't competent enough to detect the hole themselves. And that's why, instead, he's being charged.

Re:Ignorance is bliss.

[clifyt]

"If I go up to a soda-machine owner and say, "This machine gives out free Cokes", then press a button and watch a Coke drop, should I expect to go to jail??"

Well, he didn't just pull up an iBook and yoink the network was free to access if I get what is being said.

This is more like putting saltwater down the coin dispenser of the coke machine and telling the owner it was insecure and anyone dumping a bucket of the stuff could clean the thing out.

I 'heard' this hack worked back with I was in college...but I would never be stupid enough to try it (and if I ever did, I'd never be stupid enough to admit to it).

Re:Ignorance is bliss.

[John+Hasler]

Most people don't need their egos fed 24/7 and
are able to take a dose of humility just fine
thanks. Those who can't... well... they're the
stuff assholes are made of.

They are also the stuff politicians are made of.

Could be a screwed situation

[bastard01]

This is a very interesting case, a guy that was showing a newspaper, and someone working for the county how easy it would be for a hacker to break into the court's system. Then he gets arrested for the act. And this is because they had to take the thing down for a month because of there being a break. I would say with that kind of security, it should have never been brought up in the first place. Also I would say that it was better that they found out that the system could be broken before the network was actually used for a critical task, and could get hacked during a court proceeding, that could be a very embarrassing thing for a court to have to face. Being the ones that where hacked into while court was in session. Hopefully, at least they learned from what he did and at least secured the thing. Although since he is being possibly jailed for it, perhaps he should have told his superiors about how shoddy the security was before he did a demonstration.

Re:Could be a screwed situation

[DavidTC]

I was posting a way to tell them without worrying about it, but, you know what? Fuck them, you're right. It's not worth it. I'll just tell everyone anonymously how to do it, it should get fixed soon then.

Are you listening, government and businesses? Shoot the messanger enough time, and people stop sending you messages.

Once again....security through obscurity...

[GuNgA-DiN]

If we all pretend the problem doesn't exist... maybe it will go away on its own? We'll just prosecute anyone who points out that we have a problem. Then, everything will be fine. I swear -- the intelligence in this country has gone right down the shitter in the last 25 years. We used to respect and honor knowledge. Now me simply make a mockery of it. I weep for my generation.

My questions

[nuggz]

He did access their network without permission.
Did they create a public network? Public as in accessible to the public without any reasonable indication or security that it is indeed a private network.

I think broadcasting a private network and letting people on it is akin to making a public network.

It isn't this guys fault they had to shut down their network, it is the people who set up the insecure network in the first case.

No need for free security consultants

[gad_zuki!]

Why should I even care? A part of me wants to get all loud and stupid about this but Puffer had no permission to start cracking keys and browsing the microsoft shares (or whatever he did). Let them get burned on their own or if they're government go through the usual channels. No need to be 'Captain Wireless.'

Worst of all, for all we know he did not do this to demonstrate anything. The last time slashdot got up in arms about some supposed 'white hat' hacker it ended up being an excuse. In my experience it usually is an excuse. "Dude, I'm totally looking out for you when I hack your stuff!" No one should be that naive anymore.

Serious Consequences fo InfoSec People

[Inexile2002]

This is something that many people in the InfoSec industry are worried about and more so in the current political environment. EVERY seminar, conference or training event I've been too, there has been someone standing there for twenty minutes lecturing everyone on covering your ass.

What bothers me is that the reason things like this happen is ignorance of non-techies and refusal to see things in a reasonable light. If you were in a bank with a locksmith, and he showed the bank manager that the locks they were using were insecure, the manager would thank the locksmith and change the locks. Show a business manager the exact same thing with their network and they might decide to have you arrested.

Whenever I'm going to show a client ANYTHING I get full written approval ahead of time to discuss or test their security, and I get written approval to discuss my findings. There have been times when I've found vulnerabilities and not said a damn word because the client refused to sign off.

It's sad, there are people out there - and I've worked for and with them often - who really believe in security through anonymity and believe they are acting in their best interests by alienating and prosecuting the people who can really protect their networks.

What I will admit however is that part of the problem rests with people who try to look smart and show off the security vulnerabilities in a smart-assed kind of way. As annoying as it sometimes is, you need to manage people's expectations, fears and prejudices.

Damning evidence?

[balthan]

At first I thought they were being a bit harsh until I took a closer look at the dates. He's accused of breaking into the network on the 8th, but not reporting it until the 18th. Now maybe he was unable to get an appoitment to see anyone, or maybe he took 10 days to poke around in the network and see what was there. He should have reported the insecurity immediately. The fact that he didn't is suspicious.

Re:Damning evidence?

[GSloop]

More to the point, it appears as though it was a wireless network WITHOUT WEP turned on. (not that WEP does anything of much use anyway, but at least that way, you could attempt to show that the network was not intended to be for public use!)

As far as I am concerned, that is a PUBLIC network. It would be like stringing Cat5 to a power/light pole outside my house, and outside my property, and then claiming tresspass should anyone plug into that network connection!

Wireless ethernet doesn't require any "authentication." This sounds like a situation that someone got caught out, and now wants a pound of flesh to make themselves look better.

I'd be likely to counter-sue claiming malicious prosecution.

Cheers!

Re:Damning evidence?

[geoswan]

At first I thought they were being a bit harsh until I took a closer look at the dates. He's accused of breaking into the network on the 8th, but not reporting it until the 18th.

I read the July 24th Houston Chronicle article and the March 21st article too. The Cheif County Clerk seems to be saying that one (1) pornographic picture found on one (1) of his department's poorly secured computers was the sole damage found. He claims it cost $5,000 to fix the damage he accuses Puffer (the whistleblower) of causing.

With a network as poorly secured as his practically anyone with a wifi card could have uploaded that picture.

If any repercussions should come anyone's way over this incident I don't understand why the first candidate isn't Charles Bacarisse, the County's District Clerk. Bacarisse claims that none of the computers under his administration could have been seriously damaged by the penetration of war-drivers. Okay, but am I mis-reading the Chronicles quotes from him? Doesn't he seem to have been completely oblivious to the vulnerability his insecure testing was opening to the rest of the computers on the County's system?

We have seen this before, with Randal Schwartz's ordeal at Intel. This comp.security article contains a contemporary account of his "crimes".

The lesson seems to be that no matter how well intentioned you are, the only safe way to report a security vulnerability is if you can find a way to do so anonymously.

Re:where do they get these numbers??

[gilroy]

Blockquoth the poster:

he alleged intrusion eventually resulted in the county closing its wireless LAN only a month after it was activated

the associated cost of dismantling the service is going to add up to at least five grand. I'm surprised it's not more

So, because the county installed a stupid system and was forced to shut it down, this guy is liable? There doesn't seem to be any accusation that he made the system (more) insecure. They just seem peeved that he actually demonstrated an existing insecurity, that mandated a reversal of policy. Shoot enough messengers and soon no one will bother you with news about bad things. And of course that means bad things will cease to exist.

People are afraid of being proven wrong

[Ride-My-Rocket]

What is it going to take for people to realize that they need to lock down their systems -- the digital equivalent of 9/11? Honestly, it seems the government can't accept any criticism of its systems, or act on the information at all........ and instead of fixing the problem, they decide to prosecute instead.

Pretty deranged, IMHO.

Bullshit

[autocracy]

Mr. Puffer (?) should never have been charged with this crime. The suits at the courthouse are mad because their fancy new wireless network they built to keep up the with the times wasn't taken care of properly and possibly isn't suitable for them. How it cost them $5k to "clean it up" is beyond me. Of course it costs more money to do it right - but how do you expect to claim that as "cleanup?"

The person charged was not acting maliciously, did not cause any damage (what is claimed is bogus), and his actions were willfully disclosed in good faith. He got the raw deal...

Re:Bullshit

[antirename]

Yeah, but that's just doing work that they should have done in the first goddamn place. They did the job, they fucked it up, and then they get paid to do it again correctly. I wish I got paid on those terms. (Assuming they were contract labor... even if they were salaried employees, the point is the same).

Blame Game

[Ashcrow]

Embarrassment is what it comes down to. When the courthouses pretty new wireless system, which they paid a good amount for, is found to be vulnurable to an attack they blame the one who found it instead of the admin who put the package together.

Re:A different perspective:

[flonker]

I'd say its more analagous to an open window of the courthouse spewing court documents out onto the street. This guy unfortunately stooped down and picked one up.

Not only that, he had the gall to go to a local official, and show it to them! And they had to get someone to close the window. It took about 30 minutes to get in touch with the judge who had left his window open. That's... $100 of damage, assuming, on a wild guess, the judge costs taxpayers $200/hour.

Re:You Are Correct...

[cookd]

I think a more applicable analogy is as follows:

Person A: Your house is vulnerable. Somebody could break in anytime he/she wants.

Person B: Is not!

Person A: Yes, it is. And I suggest you get it fixed before somebody takes advantage of it.

Person B: Proove it!

Person A: Puts hand on front door's doorknob, turns doorknob, pushes door open. See?

Person B: Dials 911 on his cell phone. Hello, I'd like to report that "Person A" just broke into my house, and I want to press charges.

What he did was stupid.

[Wakko+Warner]

He sounds like a "security professional" who "demonstrates a flaw in the system" to a potential client. This is not the smartest way to win clients. It is embarassing.

Had he called their IT director, described the flaw to him in private, he chose to take it to the press first. He might actually have won business from the IT director had he been a little more professional about it.

Unfortunately, he chose to try and shock not only them, but the public as well.

He pulled an incredibly stupid stunt: did something illegal and told people about it. Don't you think he should've been arrested, too?

- A.P.

This is sad.

Here is a quote from the Harris County DC's Office I found on their site. This was from a news release about a service they call e-DOCS which allows people to get court documents over the Internet. "He (Bacarisse) stressed that Family Court orders, many of which contain sensitive, intimate information, will not be available to the public via the Internet. (Family Court documents that are not sealed are available to the public, as always, if ordered in person. Juvenile Court documents are sealed by law.)" "Charles Bacarisse is in his second term as the District Clerk of Harris County - an office that acts as record-keeper for 74 courts while also charged with managing one of the nation's largest Jury systems and a $1-million-per-day Child Support Division. " Does anyone still think Mr. Puffer should not have said anything? As a registered voter in Harris County, Mr Bacarisse will not be getting my vote since it's obvious to me he thinks his reputation is more important than safeguarding court documents and jury information.