Slashdot Mirror


WarTalking Arrest

PhotonSphere writes "Having helped organize HoustonWireless.org, this really caught my attention! A Houston computer security analyst has been charged with 'hacking' after demonstrating the insecurity of a court's wireless LAN! This happened Wednesday and is only now getting the attention of the wireless community. The Register has the full story."

9 of 390 comments

  1. Another 'example' will be made... by Cruciform · · Score: 3, Interesting

    It's funny, already I'm seeing people saying this guy deserves what he gets... but if I was sitting on a bench in front of the courthouse with my laptop and found that I could access the network with little or no problem, I'd walk straight in there myself and let them know. I worked as a contractor at the Ministry of Health in Ontario for a bit, and you want to talk shoddy administration. It was hideous. And they have information like registries of people suffering from AIDS, or who is getting drug benefits and what claims they're making. Sure he might just be trying to drum up business, but if the end result is that it closes a serious security hole, more power to him.
    Or do you really want your next door neighbor's son finding out about that fraternity prank that had you arrested for stealing a minivan full of sheep in your boxers or some other weird crime?

  2. I am incredibly torn on this... by tlambert · · Score: 4, Interesting

    On one hand, they are trying to charge him for what it cost them the insecure system, now that they've had to discontinue it. That's really asinine. It's like buying a Corvair, and then suing Ralph Nader after he publishes "Unsafe At Any Speed".

    On the other hand, it sets a nice precedent for when the cable companies come snooping around, trying to enforce against "connection sharing" when people set up unsecured wireless access points on the end of a cable modem connection.

    AT&T: We're disconnecting you for running an insecure access point.

    Customer: I'm suing you for proving my network is insecure; thanks, Stefan Puffer!

    -- Terry

  3. Re:No need for free security consultants by corby · · Score: 5, Interesting

    Puffer had no permission to start cracking keys and browsing the microsoft shares (or whatever he did).

    This is true. So why doesn't Harris County prosecute the case on these grounds? They seem to feel that their case is not strong enough without conjuring ludicrous claims that Mr. Puffer caused $5,000 in damages.

    The claim of $5,000 arises entirely from the cost of taking down the network to secure it, not from any actual damage caused by Mr. Puffer. To say that Mr. Puffer caused $5,000 damages is to say that if it wasn't for him the Civil Courts Building could have left their 802.11 free and unsecured forever.

    Worst of all, for all we know he did not do this to demonstrate anything.

    You go, man! You're not afraid to tell it like it is! Now read the article. He accessed the network in a prearranged meeting with a newspaper reporter and a county official in the room. It's pretty safe to say he was taking part in a demonstration.

    It's obvious that an indictment was not sought because of actual damages caused by the defendant. This case went to a grand jury because officials didn't want a newspaper story about how the Civil Courts Building decided to open their computer network to the whole world.

  4. Turn this around by SeanTobin · · Score: 3, Interesting

    What if I were to get a directional antenna, and beam my wireless network in the general direction of the court building? And of course, set up a DHCP server and use no encryption and all the default workgroups. Could I then charge them for breaking into my wireless network?

    Same question goes with a neighbor? Can I charge my neighbor for hacking into my network? Is it my responsibility to line my walls with aluminum foil so my signal doesn't go out? Or is it his responsibility to line his walls so he doesn't accidentally hack into someone else's network?

    --
    Karma: SELECT `karma` FROM `users` WHERE `userid`=138474;

  5. Cyberphobia strikes again by stinky+wizzleteats · · Score: 5, Interesting

    So, let me get this straight. You happy people (non-tech) will put us in jail for attempting to help you use technology in a secure way, because you hate and fear us so much. You actually are prepared to alienate all of us (and imprison some of us) rather than deal with the embarrassment of your own inability to use technology, and to willingly make it impossible for anyone to conduct IT security work in good faith. You want to make enemies of all of us, do you?

    ...dusts off black hat...

    Have it your way.

    1. Re:Cyberphobia strikes again by hklingon · · Score: 4, Interesting

      I want to go to law school for this very reason. I had an interesting debate a few months ago, which has expanded onto several threads of thought. Consider the following:
      1. Is it legal if someone hires you to kill them?
      2. Is it legal if someone hires you to destroy some of their property?
      3. If someone hires you to simply annoy them, what then? (i.e. a "crime" that does no measurable damages)
      4. What happens if you observe that a crime could easily be committed, and yet you do nothing?
      5. What if you have advance knowledge of a crime, and do nothing?

      There are two things working against techies: 1. Social engineering (direct or indirect) works on law enforcement with regard to technology issues because they simply aren't trained. If the head of IT for a city or other "important" person calls and tells the law to arrest someone based on some obscure log printout, the law will probably be able to do so. 2. No one understands technology, except you, and well, no one will listen to you when you stand accused. Unlike other scuffles, the cops can't examine the situation and determine for themselves the severity and how to handle it.*

      Clearly, #1 is illegal. Based on many cases in CA, VA it would seem that even if you have papers signed by the CTO and CEO, and you do a full security audit you can still be arrested. (Remember the case in CA where the guy did social engineering and took pictures of the server room -- that's it. He's serving a 1 year prison sentence. The board of directors and the President of the company sent him up -- the CTO and CEO resigned.) "Breaking the law is still breaking the law, irregardless of intent..." is what the prosecution successfully ordered. But what's the analogy for wireless? An English school boy standing on your lawn with a bell yelling about how you never lock your house when you leave that only some people can hear? Or is the better analogy like going up to someone's door, rattling it, then discovering that there is no lock? It's all a matter of politics and twisted truths -- not really the crucible that should burn all that away.

  6. Re:Serious Consequences fo InfoSec People by ErfC · · Score: 3, Interesting

    If you were in a bank with a locksmith, and he showed the bank manager that the locks they were using were insecure, the manager would thank the locksmith and change the locks.

    If you're Richard Feynman and you go up to the general in charge of the Los Alamos nuclear bomb research stuff and tell him (and indeed show him) that the safes all the top secret research is in are insecure and can be picked if you can get at it with the door open (which was relatively easy to do), the general would (did) order that all safes be kept closed when Feynman is in the room...

    Not everybody in power appreciates weaknesses being shown; nor do they always get the point you're trying to make when you demonstrate the weaknesses. This applies to any field.

    --

    -Erf C.
    Cthulu always calls collect...

  7. Re:One omission in the articles... by _Sprocket_ · · Score: 4, Interesting

    This is quite fascinating. There are a couple really important statements made in that article:
    The network had not yet been set up, they said, and neither Puffer nor anyone else could have done any damage.
    ...
    But because the county's main system and the independent one run by Bacarisse are connected, Puffer was able to show Jennings that he could get information about the county computer network.
    ...
    Bacarisse said his staff found a pornographic picture on one of its servers Tuesday that he suspected was planted by Puffer. He said he would refer the incident to the District Attorney's Office.
    ...
    Bacarisse accused Jennings of giving Puffer information to help him access the system and hinted that Jennings was trying to use the demonstration to increase his authority over systems that he didn't control.

    Jennings and Puffer vehemently denied that.
    These quotes lead to a lot of questions. If this was a test network that couldn't present any threat to the government's network... how come Puffer was able to access the County network? Furthermore, why is Puffer being convicted? And how would he have been able to post a pornographic photograph?

    This has all the markings of bureaucratic infighting. A techie quitting after a short, stormy tenure. A bureaucrat implementing an insecure network and assuring that it was no threat... and then convicting on charges of altering government systems. And that same bureaucrat accusing another government worker of moving in on his personal fiefdom.

    The only thing I'm surprised by is that after having seen the insides of all this, Puffer was stupid enough to make his name known. Big hint to whistle-blowers: use the press and insist on being anonymous.

  8. How About I Shoot You? by Drake58 · · Score: 1, Interesting

    I was walking around one day and I noticed that you don't have good security. I called over a police officer and a reporter and said, "Look, this guy should be wearing a bulletproof vest!" I then proceed to shoot you in the chest.

    Just pointing out security vulnerabilities?

    I agree with the rest of /., just playing Devil's Advocate.