WarTalking Arrest

PhotonSphere writes "Having helped organize HoustonWireless.org, this really caught my attention! A Houston computer security analyst has been charged with 'hacking' after demonstrating the insecurity of a court's wireless LAN! This happened Wednesday and is only now getting the attention of the wireless community. The Register has the full story."

Ignorance is bliss.

[papasui]

He went about this wrong, he should have mentioned that he believed it was insecure and then with explict permission demonstrated why he believes this is the case. If I walked up to a cop and said "This pop machine is insecure" and proceeded to kick it and then drink the soda that fell out do you think the cop would be happy I showed him that?

Re:Ignorance is bliss.

[gilroy]

Blockquoth the poster:

If I walked up to a cop and said "This pop machine is insecure" and proceeded to kick it and then drink the soda that fell out do you think the cop would be happy I showed him that?

If I go up to a soda-machine owner and say, "This machine gives out free Cokes", then press a button and watch a Coke drop, should I expect to go to jail?? Maybe I'm old fashioned, but I would expect the soda-machine owner to be grateful that someone pointed out the flaw, so that it could be fixed.

But of course, in this case, it would require the government to admit that there had been a mistake, that confidential data conceivably might have gotten out without them knowing it, and that they weren't competent enough to detect the hole themselves. And that's why, instead, he's being charged.

My questions

[nuggz]

He did access their network without permission.
Did they create a public network? Public as in accessible to the public without any reasonable indication or security that it is indeed a private network.

I think broadcasting a private network and letting people on it is akin to making a public network.

It isn't this guys fault they had to shut down their network, it is the people who set up the insecure network in the first case.

No need for free security consultants

[gad_zuki!]

Why should I even care? A part of me wants to get all loud and stupid about this but Puffer had no permission to start cracking keys and browsing the microsoft shares (or whatever he did). Let them get burned on their own or if they're government go through the usual channels. No need to be 'Captain Wireless.'

Worst of all, for all we know he did not do this to demonstrate anything. The last time slashdot got up in arms about some supposed 'white hat' hacker it ended up being an excuse. In my experience it usually is an excuse. "Dude, I'm totally looking out for you when I hack your stuff!" No one should be that naive anymore.

Serious Consequences fo InfoSec People

[Inexile2002]

This is something that many people in the InfoSec industry are worried about and more so in the current political environment. EVERY seminar, conference or training event I've been too, there has been someone standing there for twenty minutes lecturing everyone on covering your ass.

What bothers me is that the reason things like this happen is ignorance of non-techies and refusal to see things in a reasonable light. If you were in a bank with a locksmith, and he showed the bank manager that the locks they were using were insecure, the manager would thank the locksmith and change the locks. Show a business manager the exact same thing with their network and they might decide to have you arrested.

Whenever I'm going to show a client ANYTHING I get full written approval ahead of time to discuss or test their security, and I get written approval to discuss my findings. There have been times when I've found vulnerabilities and not said a damn word because the client refused to sign off.

It's sad, there are people out there - and I've worked for and with them often - who really believe in security through anonymity and believe they are acting in their best interests by alienating and prosecuting the people who can really protect their networks.

What I will admit however is that part of the problem rests with people who try to look smart and show off the security vulnerabilities in a smart-assed kind of way. As annoying as it sometimes is, you need to manage people's expectations, fears and prejudices.

Damning evidence?

[balthan]

At first I thought they were being a bit harsh until I took a closer look at the dates. He's accused of breaking into the network on the 8th, but not reporting it until the 18th. Now maybe he was unable to get an appoitment to see anyone, or maybe he took 10 days to poke around in the network and see what was there. He should have reported the insecurity immediately. The fact that he didn't is suspicious.

Re:Damning evidence?

[geoswan]

At first I thought they were being a bit harsh until I took a closer look at the dates. He's accused of breaking into the network on the 8th, but not reporting it until the 18th.

I read the July 24th Houston Chronicle article and the March 21st article too. The Cheif County Clerk seems to be saying that one (1) pornographic picture found on one (1) of his department's poorly secured computers was the sole damage found. He claims it cost $5,000 to fix the damage he accuses Puffer (the whistleblower) of causing.

With a network as poorly secured as his practically anyone with a wifi card could have uploaded that picture.

If any repercussions should come anyone's way over this incident I don't understand why the first candidate isn't Charles Bacarisse, the County's District Clerk. Bacarisse claims that none of the computers under his administration could have been seriously damaged by the penetration of war-drivers. Okay, but am I mis-reading the Chronicles quotes from him? Doesn't he seem to have been completely oblivious to the vulnerability his insecure testing was opening to the rest of the computers on the County's system?

We have seen this before, with Randal Schwartz's ordeal at Intel. This comp.security article contains a contemporary account of his "crimes".

The lesson seems to be that no matter how well intentioned you are, the only safe way to report a security vulnerability is if you can find a way to do so anonymously.

Re:where do they get these numbers??

[gilroy]

Blockquoth the poster:

he alleged intrusion eventually resulted in the county closing its wireless LAN only a month after it was activated

the associated cost of dismantling the service is going to add up to at least five grand. I'm surprised it's not more

So, because the county installed a stupid system and was forced to shut it down, this guy is liable? There doesn't seem to be any accusation that he made the system (more) insecure. They just seem peeved that he actually demonstrated an existing insecurity, that mandated a reversal of policy. Shoot enough messengers and soon no one will bother you with news about bad things. And of course that means bad things will cease to exist.

People are afraid of being proven wrong

[Ride-My-Rocket]

What is it going to take for people to realize that they need to lock down their systems -- the digital equivalent of 9/11? Honestly, it seems the government can't accept any criticism of its systems, or act on the information at all........ and instead of fixing the problem, they decide to prosecute instead.

Pretty deranged, IMHO.

Bullshit

[autocracy]

Mr. Puffer (?) should never have been charged with this crime. The suits at the courthouse are mad because their fancy new wireless network they built to keep up the with the times wasn't taken care of properly and possibly isn't suitable for them. How it cost them $5k to "clean it up" is beyond me. Of course it costs more money to do it right - but how do you expect to claim that as "cleanup?"

The person charged was not acting maliciously, did not cause any damage (what is claimed is bogus), and his actions were willfully disclosed in good faith. He got the raw deal...

Re:Deserved it.

[wandernotlost]

> Unless he was hired for the job, he deserves it.

That's absolutely absurd. The man simply brought to the attention of the clerk the fact that its network was insecure. That a person is prosecuted for trying to point out a potentially dangerous security flaw shows the extent to which this country has fallen into a legal and intellectual paralysis. He should be hailed as a good samaritan looking out for the safety of the county's information!

From the original article:

District Clerk Charles Bacarisse said no files were compromised, but the county had to shut down the wireless system about a month after it was set up.

It appears that there was no malicious action or intent on the part of Mr. Puffer, but rather that the clerk's office is upset because someone discovered its incompetence. What would have happened if someone truly malicious had stumbled upon this network? To what ends could he or she have used the information found?

If you broadcast your network all over your block unprotected, you shouldn't be surprised when someone discovers it and pokes around. Plain and simple. What about those that willingly open their networks to the public? Should we make free public access illegal, so that fools like this can remain under their rocks and pretend that no one can see their secrets?

Re:Deserved it.

[mrzaph0d]

i think its closer to this:

a company develops a new lock that makes it easier for anyone in the house to open the door. instead of using a key they can just wiggle the lock a certain way and they're in. someone notices that all these locks are made the same, and all that is required to get into the house is this same "wiggle". this person notices that these locks are in use at a government building. fearing that any criminal could get in, he rounds up a government official and a reporter and shows them how easy it is for anyone to get in. he then gets arrested for breaking and entering.