Slashdot Mirror


WarTalking Arrest

PhotonSphere writes "Having helped organize HoustonWireless.org, this really caught my attention! A Houston computer security analyst has been charged with 'hacking' after demonstrating the insecurity of a court's wireless LAN! This happened Wednesday and is only now getting the attention of the wireless community. The Register has the full story."

5 of 390 comments

  1. I am incredibly torn on this... by tlambert · · Score: 4, Interesting

    On one hand, they are trying to charge him for what it cost them the insecure system, now that they've had to discontinue it. That's really asinine. It's like buying a Corvair, and then suing Ralph Nader after he publishes "Unsafe At Any Speed".

    On the other hand, it sets a nice precedent for when the cable companies come snooping around, trying to enforce against "connection sharing" when people set up unsecured wireless access points on the end of a cable modem connection.

    AT&T: We're disconnecting you for running an insecure access point.

    Customer: I'm suing you for proving my network is insecure; thanks, Stefan Puffer!

    -- Terry

  2. Re:No need for free security consultants by corby · · Score: 5, Interesting

    Puffer had no permission to start cracking keys and browsing the Microsoft shares (or whatever he did).

    This is true. So why doesn't Harris County prosecute the case on these grounds? They seem to feel that their case is not strong enough without conjuring ludicrous claims that Mr. Puffer caused $5,000 in damages.

    The claim of $5,000 arises entirely from the cost of taking down the network to secure it, not from any actual damage caused by Mr. Puffer. To say that Mr. Puffer caused $5,000 damages is to say that if it wasn't for him the Civil Courts Building could have left their 802.11 free and unsecured forever.

    Worst of all, for all we know he did not do this to demonstrate anything.

    You go, man! You're not afraid to tell it like it is! Now read the article. He accessed the network in a prearranged meeting with a newspaper reporter and a county official in the room. It's pretty safe to say he was taking part in a demonstration.

    It's obvious that an indictment was not sought because of actual damages caused by the defendant. This case went to a grand jury because officials didn't want a newspaper story about how the Civil Courts Building decided to open their computer network to the whole world.

  3. Cyberphobia strikes again by stinky+wizzleteats · · Score: 5, Interesting

    So, let me get this straight. You happy people (non-tech) will put us in jail for attempting to help you use technology in a secure way, because you hate and fear us so much. You actually are prepared to alienate all of us (and imprison some of us) rather than deal with the embarrassment of your own inability to use technology, and to willingly make it impossible for anyone to conduct IT security work in good faith. You want to make enemies of all of us, do you?

    ...dusts off black hat...

    Have it your way.

    1. Re:Cyberphobia strikes again by hklingon · · Score: 4, Interesting

      I want to go to law school for this very reason. I had an interesting debate a few months ago, which has expanded onto several threads of thought. Consider the following:
      1. Is it legal if someone hires you to kill them?
      2. Is it legal if someone hires you to destroy some of their property?
      3. If someone hires you to simply annoy them, what then? (i.e. a "crime" that does no measurable damages)
      4. What happens if you observe that a crime could easily be committed, and yet you do nothing?
      5. What if you have advance knowledge of a crime, and do nothing?

      There are two things working against techies: 1. Social engineering (direct or indirect) works on law enforcement with regard to technology issues because they simply aren't trained. If the head of IT for a city or other "important" person calls and tells the law to arrest someone based on some obscure log printout, the law will probably be able to do so. 2. No one understands technology, except you, and well, no one will listen to you when you stand accused. Unlike other scuffles, the cops can't examine the situation and determine for themselves the severity and how to handle it.*

      Clearly, #1 is illegal. Based on many cases in CA, VA it would seem that even if you have papers signed by the CTO and CEO, and you do a full security audit you can still be arrested. (Remember the case in CA where the guy did social engineering and took pictures of the server room -- that's it. He's serving a 1 year prison sentence. The board of directors and the President of the company sent him up -- the CTO and CEO resigned.) "Breaking the law is still breaking the law, irregardless of intent..." is what the prosecution successfully ordered. But what's the analogy for wireless? An English schoolboy standing on your lawn with a bell yelling about how you never lock your house when you leave that only some people can hear? Or is the better analogy like going up to someone's door, rattling it, then discovering that there is no lock? It's all a matter of politics and twisted truths -- not really the crucible that should burn all that away.

  4. Re:One omission in the articles... by _Sprocket_ · · Score: 4, Interesting

    This is quite fascinating. There are a couple really important statements made in that article:
    The network had not yet been set up, they said, and neither Puffer nor anyone else could have done any damage.
    ...
    But because the county's main system and the independent one run by Bacarisse are connected, Puffer was able to show Jennings that he could get information about the county computer network.
    ...
    Bacarisse said his staff found a pornographic picture on one of its servers Tuesday that he suspected was planted by Puffer. He said he would refer the incident to the District Attorney's Office.
    ...
    Bacarisse accused Jennings of giving Puffer information to help him access the system and hinted that Jennings was trying to use the demonstration to increase his authority over systems that he didn't control.

    Jennings and Puffer vehemently denied that.
    These quotes lead to a lot of questions. If this was a test network that couldn't present any threat to the government's network... how come Puffer was able to access the County network? Furthermore, why is Puffer being convicted? And how would he have been able to post a pornographic photograph?

    This has all the markings of bureaucratic infighting. A techie quitting after a short, stormy tenure. A bureaucrat implementing an insecure network and assuring that it was no threat... and then convicting on charges of altering government systems. And that same bureaucrat accusing another government worker of moving in on his personal fiefdom.

    The only thing I'm surprised by is that after having seen the insides of all this, Puffer was stupid enough to make his name known. Big hint to whistle-blowers: use the press and insist on being anonymous.