Slashdot Mirror
WarTalking Arrest
PhotonSphere writes "Having helped organize HoustonWireless.org, this really caught my attention! A Houston computer security analyst has been charged with 'hacking' after demonstrating the insecurity of a court's wireless LAN! This happened Wednesday and is only now getting the attention of the wireless community. The Register has the full story."
We all know that its illegal to teach things to people that could possibly be used for malicious purposes. We also know that pointing out flaws or weaknesses in computer systems is an activity reserved for terrorists and other 'undesirables'.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
Unless he was hired for the job, he deserves it.
Just because you *can* do something doesn't mean you *should*.
Tired of having all these people act like "well, it's not secure, so I should poke around."
Hey Taco! Looks like you're using the "infinite monkeys and typewriters" scheme to generate Ask Slashdots again...
Comment removed based on user account deletion
He went about this wrong, he should have mentioned that he believed it was insecure and then with explict permission demonstrated why he believes this is the case. If I walked up to a cop and said "This pop machine is insecure" and proceeded to kick it and then drink the soda that fell out do you think the cop would be happy I showed him that?
- District Clerk Charles Bacarisse told the paper that confidential information was disclosed and the alleged intrusion eventually resulted in the county closing its wireless LAN only a month after it was activated.
Theft of information and the associated cost of dismantling the service is going to add up to at least five grand. I'm surprised it's not more.You are the lamest FP troll ever. For Christ's sake, already there are some posts on topic.
Anyway, if I were to try all the doors at the court house, find one that is routinly unlocked and goed to a restricded area, and then talk about it. I would imagine there would be some questions for me to answer in a room with a bright light.
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
This is a very interesting case, a guy that was showing a newspaper, and someone working for the county how easy it would be for a hacker to break into the court's system. Then he gets arrested for the act. And this is because they had to take the thing down for a month because of there being a break. I would say with that kind of security, it should have never been brought up in the first place. Also I would say that it was better that they found out that the system could be broken before the network was actually used for a critical task, and could get hacked during a court proceeding, that could be a very embarrassing thing for a court to have to face. Being the ones that where hacked into while court was in session. Hopefully, at least they learned from what he did and at least secured the thing. Although since he is being possibly jailed for it, perhaps he should have told his superiors about how shoddy the security was before he did a demonstration.
Too much FUD - too, too much FUD.
There's no point in pulling a 'white hat' anymore since it seems there's no distinction - the embarassment of having been 'h4x0r3d' drives most to pursue legal routes.
Really annoying. Surely this guys actions should be rewarded if you consider the probs that someone with malicious intent could have caused.
Bah - you 'mericans are all nutts (not that us poor Scotsmen are gonna fair much better by the time the UK parliament and Europe have finished legislating the backside off us).
Bah!!!
"It's just a shame that the only people who really know how to run a business and country are too busy driving taxis and flipping burgers."
--Unknow origins
"It's the early bird that get's the worm, but the second mouse that get's the cheese!"
Maybe they should upgrade the charges to treason and sedition. Hacking is terrorism, after all, and this was rather insulting to the court.
He did it, but it's hard to believe he had any criminal intent, considering he did it in the presence of a county official and a reporter.
There is a big difference between saying "I just stumbled across a major security hole that you might want to fix before the bad guys exploit it" and saying "ha ha I h4x0red j00 bitch3s!!!!!1" The former is helpful, the latter is criminal. The two are not the same - the underlying act may be the same but the intent is dramatically different.
If we all pretend the problem doesn't exist... maybe it will go away on its own? We'll just prosecute anyone who points out that we have a problem. Then, everything will be fine. I swear -- the intelligence in this country has gone right down the shitter in the last 25 years. We used to respect and honor knowledge. Now me simply make a mockery of it. I weep for my generation.
It's funny, already I'm seeing people saying this guy deserves what he gets... but if I was sitting on a bench in front of the courthouse with my laptop and found that I could access the network with little or no problem, I'd walk straight in there myself and let them know. I worked as a contractor at the Ministry of Health in Ontario for a bit, and you want to talk shoddy administration. It was hideous. And they have information like registries of people suffering from AIDS, or who is getting drug benefits and what claims they're making. Sure he might just be trying to drum up business, but if the end result is that it closes a serious security hole, more power to him.
Or do you really want your next door neighbor's son finding out about that fraternity prank that had you arrested for stealing a minivan full of sheep in your boxers or some other weird crime?
He did access their network without permission.
Did they create a public network? Public as in accessible to the public without any reasonable indication or security that it is indeed a private network.
I think broadcasting a private network and letting people on it is akin to making a public network.
It isn't this guys fault they had to shut down their network, it is the people who set up the insecure network in the first case.
"Puffer demonstrated to a county official and a Chronicle reporter" Most people would be grateful for such a demonstration. If YOU leave holes in your system then YOU should be liable for any clean up bill. Not the guy who showed it to you. Although I didn't read the article so I don't know if this is the case here.
- This and all my posts are public domain. I am a Physicist. I am not your Physicist. This is not Physically advice
From the article, he's charged with a violation _prior_ to the demonstration. He isn't being charged for the demonstration to the reporter and county official. If he's guilty, this is black hat, not white hat.
Cursed is the bearer of bad news.
But seriously, can anyone provide any info on just what exactly he did that cost 5000$ to clean up? Seems like he'd have to be a fool to actually break/steal/change something if he intended to report the intrusion afterwards
If you can't see the value in jet powered ants you should turn in your nerd card. - Dunbal (464142)
Tis but one way to find the guilt of this hacker. Attach a large stone to his leg and throw him into a lake. If he floats the water has rejected his evil hacker body and he is guilty, if he sinks he is innocent!
Be wary Lucifer is a trickster.
"I don't know that atheists should be considered citizens, nor should they be considered patriots." George HW Bush
This is his crime?
I'm glad they've taken prompt measures to make sure nobody else every reports a security hole to them!
I don't care if it's 90,000 hectares. That lake was not my doing.
Why should I even care? A part of me wants to get all loud and stupid about this but Puffer had no permission to start cracking keys and browsing the microsoft shares (or whatever he did). Let them get burned on their own or if they're government go through the usual channels. No need to be 'Captain Wireless.'
Worst of all, for all we know he did not do this to demonstrate anything. The last time slashdot got up in arms about some supposed 'white hat' hacker it ended up being an excuse. In my experience it usually is an excuse. "Dude, I'm totally looking out for you when I hack your stuff!" No one should be that naive anymore.
This is something that many people in the InfoSec industry are worried about and more so in the current political environment. EVERY seminar, conference or training event I've been too, there has been someone standing there for twenty minutes lecturing everyone on covering your ass.
What bothers me is that the reason things like this happen is ignorance of non-techies and refusal to see things in a reasonable light. If you were in a bank with a locksmith, and he showed the bank manager that the locks they were using were insecure, the manager would thank the locksmith and change the locks. Show a business manager the exact same thing with their network and they might decide to have you arrested.
Whenever I'm going to show a client ANYTHING I get full written approval ahead of time to discuss or test their security, and I get written approval to discuss my findings. There have been times when I've found vulnerabilities and not said a damn word because the client refused to sign off.
It's sad, there are people out there - and I've worked for and with them often - who really believe in security through anonymity and believe they are acting in their best interests by alienating and prosecuting the people who can really protect their networks.
What I will admit however is that part of the problem rests with people who try to look smart and show off the security vulnerabilities in a smart-assed kind of way. As annoying as it sometimes is, you need to manage people's expectations, fears and prejudices.
If you really care about the security :)
being fixed (and don't want to jeopardize
yourself for a dubious expectation of fame)
is to notify whoever you want appropriately.
If they fail to respond, you could always
contact the media.
Considered harmful.
At first I thought they were being a bit harsh until I took a closer look at the dates. He's accused of breaking into the network on the 8th, but not reporting it until the 18th. Now maybe he was unable to get an appoitment to see anyone, or maybe he took 10 days to poke around in the network and see what was there. He should have reported the insecurity immediately. The fact that he didn't is suspicious.
Because we all know how quickly the issues would have been looked at / fixed if he went thru the "proper"/cover my ass channels...
The Mongrel Dogs Who Teach
So, just break back in, and erase the record of the charge.. duh..
--
Power to the Peaceful
where do they get these numbers? $5,000 to cleanup the intrusion??
They only have his word that he didn't do anything malicious. They have to hire someone to come in and make sure that he didn't install a backdoor while he was in there.
A legparnasom tele van angolnaval.
From the article.
On March 18, Puffer demonstrated to a county official and a Chronicle reporter how easy it was to gain access to the court's system using only a laptop computer and a wireless LAN card.
You DO NOT expose items like this in front of a reporter in an election year...
Well, if they know the date that he went in... why don't they juse restore the system from daily backups, and keep the current database, and user home directories???? Sounds like a really simple solution, if they don't believe him. And why can't their IS people verify what was happening in their own network... What were they doing? Eating donuts
Tibbon
tibbon.com
I hereby inform you that I have NOT been required to provide any decryption keys.
Some details would be nice. Did the LAN have no password, was the password easy to crack, or was there some other kind of security flaw? If he went all around the city, trying to brute force the password on every wireless LAN he could find, then I doubt he has a legal leg to stand on. If he simply powered on his laptop and noticed he had link, that's different.
-a
How to rationalize theft.
Remember, never point out someone's security holes so they can fix things before real damage is done. If you do these things, you are nothing more than an evil terrorist! And according to Gestapo... err Attorney General John Ashcroft, you must be an Al Qaeda operative deserving of the death penalty!!
"You spoony bard!" -Tellah
What is it going to take for people to realize that they need to lock down their systems -- the digital equivalent of 9/11? Honestly, it seems the government can't accept any criticism of its systems, or act on the information at all........ and instead of fixing the problem, they decide to prosecute instead.
Pretty deranged, IMHO.
According to the Houston Chronicle article, he discovered the security problem "early March", the demonstration was on March 18th, and he is charged with hacking on Match 8th, so he is being charged with the discovery, not the demo.
Also, there may be more going on, as the article also alludes to "a pornographic picture found on the clerk's office server in March." Perhaps they believe that was another "demonstration".
Person has a hole in his pocket. He loses change, but doesn't seem to notice. Another person informs this man of the hole and tries to collect the change strewn on the ground to show him as evidence of the problem. Man with hole is outraged and has the other arrested for theft of his change and the trouble of switching to an old pair of pants with no hole.
Does this make any sense? Not to me.
Search first, ask questions later.
FYI: Texas Computer Crime Law
TEXAS PENAL CODE TITLE 7. OFFENSES AGAINST PROPERTY
CHAPTER 33. COMPUTER CRIMES
33.01. Definitions
In this chapter:
(1) "Access" means to approach, instruct, communicate with, store data in, retrieve or intercept data from, alter data or computer
software in, or otherwise make use of any resource of a computer,computer system, or computer network.
(2) "Communications common carrier" means a person who owns or operates a telephone system in this state that includes equipment or facilities for the conveyance, transmission, or reception of
communications and who receives compensation from persons who use that system.
(3) "Computer" means an electronic, magnetic, optical,
electrochemical, or other high-speed data processing device that
performs logical, arithmetic, or memory functions by the
manipulations of electronic or magnetic impulses and includes all
input, output, processing, storage, or communication facilities
that are connected or related to the device.
(4) "Computer network" means the interconnection of two or more
computers or computer systems by satellite, microwave, line, or
other communication medium with the capability to transmit
information among the computers.
(5) "Computer program" means an ordered set of data representing coded
instructions or statements that when executed by a computer cause
the computer to process data or perform specific functions.
(6) "Computer security system" means the design, procedures, or other
measures that the person responsible for the operation and use of
a computer employs to restrict the use of the computer to
particular persons or uses or that the owner or licensee of data
stored or maintained by a computer in which the owner or licensee
is entitled to store or maintain the data employs to restrict
access to the data.
(7) "Computer services" means the product of the use of a computer,
the information stored in the computer, or the personnel
supporting the computer, including computer time, data processing,
and storage functions.
(8) "Computer system" means any combination of a computer or computer
network with the documentation, computer software, or physical
facilities supporting the computer or computer network.
(9) "Computer software" means a set of computer programs, procedures,
and associated documentation related to the operation of a
computer, computer system, or computer network.
(10) "Computer virus" means an unwanted computer program or other set
of instructions inserted into a computer's memory, operating
system, or program that is specifically constructed with the
ability to replicate itself or to affect the other programs or
files in the computer by attaching a copy of the unwanted program
or other set of instructions to one or more computer programs or
files.
(11) "Data" means a representation of information, knowledge, facts,
concepts, or instructions that is being prepared or has been
prepared in a formalized manner and is intended to be stored or
processed, is being stored or processed, or has been stored or
processed in a computer. Data may be embodied in any form,
including but not limited to computer printouts, magnetic storage
media, laser storage media, and punchcards, or may be stored
internally in the memory of the computer.
(12) "Effective consent" includes consent by a person legally
authorized to act for the owner. Consent is not effective if:
(A) induced by deception, as defined by Section 31.01, or induced
by coercion;
(B) given by a person the actor knows is not legally authorized to
act for the owner;
(C) given by a person who by reason of youth, mental disease or
defect, or intoxication is known by the actor to be unable to
make reasonable property dispositions;
(D) given solely to detect the commission of an offense; or
(E) used for a purpose other than that for which the consent was
given.
(13) "Electric utility" has the meaning assigned by Subsection (c),
Section 3, Public Utility Regulatory Act (Article 1446c, Vernon's
Texas Civil Statutes).
(14) "Harm" includes partial or total alteration, damage, or erasure
of stored data, interruption of computer services, introduction of
a computer virus, or any other loss, disadvantage, or injury that
might reasonably be suffered as a result of the actor's conduct.
(15) "Owner" means a person who:
(A) has title to the property, possession of the property, whether
lawful or not, or a greater right to possession of the
property than the actor;
(B) has the right to restrict access to the property; or
(C) is the licensee of data or computer software.
(16) "Property" means:
(A) tangible or intangible personal property including a computer,
computer system, computer network, computer software, or data;
or
(B) the use of a computer, computer system, computer network,
computer software, or data.
33.02. Breach of Computer Security
(a) A person commits an offense if the person knowingly accesses a
computer, computer network, or computer system without the
effective consent of the owner.
(b) A person commits an offense if the person intentionally or
knowingly gives a password, identifying code, personal
identification number, debit card number, bank account number, or
other confidential information about a computer security system to
another person without the effective consent of the person
employing the computer security system to restrict access to a
computer, computer network, computer system, or data.
(c) An offense under this section is a Class A misdemeanor unless the
actor's intent is to obtain a benefit or defraud or harm another,
in which event the offense is:
(1) a state jail felony if the value of the benefit or the amount
of the loss or harm is less than $20,000; or
(2) a felony of the third degree if the value of the benefit or
the amount of the loss or harm is $20,000 or more.
(d) A person who is subject to prosecution under this section and any
other section of this code may be prosecuted under either or both
sections.
33.03. Defenses
It is an affirmative defense to prosecution under Section 33.02 that
the actor was an officer, employee, or agent of a communications
common carrier or electric utility and committed the proscribed act or
acts in the course of employment while engaged in an activity that is
a necessary incident to the rendition of service or to the protection
of the rights or property of the communications common carrier or
electric utility.
33.04. Assistance by Attorney General
The attorney general, if requested to do so by a prosecuting attorney,
may assist the prosecuting attorney in the investigation or
prosecution of an offense under this chapter or of any other offense
involving the use of a computer.
--
Looks like Mr. Puffer clearly committed the offense described in 33.02(a)
Now is Harris Country guilty of negligence in adequatelely protecting their computer networks? I'd have to argue that yes, in my opinion they probably are. Anyone who'd carelessly run wide open unprotected wireless ethernet in a local government agency is not only a moron, but also a very poor steward of public records, which is a job taken *very* seriously in Texas.
They also have more secure networks.
Let me get this strait. He shows them they have a flaw, so they can fix it, and they call him a hacker, and arrest him. No good deed goes unpunished. Never be a dogooder. I hope from now on, no one in the tech community helps out another government agency or company unless on their payroll, with a written agreement that finding the security flaws is their job, not hacking. To hell with them all! I hope a real hacker teaches them a lesson over this!
How ya like dat?
The person charged was not acting maliciously, did not cause any damage (what is claimed is bogus), and his actions were willfully disclosed in good faith. He got the raw deal...
SIG: HUP
Quite informative, I see your point.
I would argue that 33.02(a) Effective consent was given in that it the network was publicly broadcast.
Television broadcasts are free to view, radio free to listen. This is implied in that they are publicly broadcast to any recipient.
Embarrassment is what it comes down to. When the courthouses pretty new wireless system, which they paid a good amount for, is found to be vulnurable to an attack they blame the one who found it instead of the admin who put the package together.
Good point, what are the laws in Texas on Criminal Intent.
You don't get a B&E for pulling someone out of a burning building.
I would argue that 33.02(a) Effective consent was given in that it the network was publicly broadcast.
Television broadcasts are free to view, radio free to listen. This is implied in that they are publicly broadcast to any recipient.
You or I may equate wireless ethernet as "broadcasting" but unfortunately the law in Texas does not legally consider it as such.... at this point in time. A very close friend of mine is the network manager for a medium size city government in Texas and while he forbids it on any of the city govt networks he runs, for the obvious reasons, he explains that legally it is currently still viewed foremost as just another variety of computer networking, and hence intercepting it bears the legal equivalence pretty much the same as wiretapping a conventional wired network. Maybe this case will help enlighten the powers that be into realizing that wireless ethernet, while convenient and a neat toy, is the same as publishing the contents of your computers on billboards at the side of a busy interstate highway.
"On March 18, Puffer demonstrated to a county official and a Chronicle reporter how easy it was to gain access to the court's system using only a laptop computer and a wireless LAN card."
He was arrested for showing them that their network was insecure. That's far different from the "well, it's not secure, so I should poke around" mentality you seem to attribute to him.
This is not really that scary; the guy apparently expected a little common sense, and that's usually a mistake in dealing with the government
What's scary is the recent corporate crime bill recently passed by the house of representatives, which would make it illegal to attempt a federal crime, not just to commit it.
As attempt is obviously pretty subjective, this is awful scary. War Driving would be illegal. As someone else pointed out, just running a auto-discovery tool would be illegal, or could be made to appear as illegal.
I was looking for a quote from Orwell on the subject, something on the lines of make everyone a criminal, if you want control, but I'm sick of the whole subject.
Enjoy Freenet & Frost while you can.
Why, yes, I AM a Pagan Libertarian.
Stefan Puffer, 33, was indicted by a Grand Jury on Wednesday with two counts of burglary for allegedly breaking into Harris County district clerk's offices. It's believed to be the first case of its kind in the US.
Puffer, who was employed briefly by the county's security department in 1999, could get five years in jail and faces a $250,000 fine on each count if convicted, the Houston Chronicle reports.
He's accused of accessing the offices March 8 in an alleged intrusion that cost the county a reported $5,000 to clean up.
District Clerk Charles Bacarisse told the paper that no confidential paperwork was disclosed but the alleged intrusion eventually resulted in the county closing its new offices only a month after they were opened.
But is the prosecution a case of shooting the messenger?
On March 18, Puffer demonstrated to a county official and a Chronicle reporter how easy it was to gain access to the court's offices using only a hammer and paperclip. Puffer first noticed the problem while scanning for insecure homes and offices throughout Houston earlier that month, around the time that the alleged offence took place.
Would you be upset at the above news story?
Really folks, with a $4 hammer, you'd be surprised at how "insecure" most homes are! Have you ever heard of a "white hat" burglar?
I have no problem with your religion until you decide it's reason to deprive others of the truth.
apparently this is the website of the county clerk quoted in the houston cronicle story. since /. failed to get info from him, perhaps we could each drop him an email to find out the other side of the story.
however, i do note that the county attorney seems a little selective in what laws he wants enforced.
US Citizen living abroad? Register to vote!
The network was totally wide open - no WEP and DHCP on ... anyone w/ an XP computer and built-in WiFi who turned their computer on would have automatically associated to the network, so what is Puffer's "crime?" He was demoing to a county official, don't forget. Meanwhile, Steve Balmer brags about stealing bandwidth with Bill Gates and gets applauded:
2 2/ 020722opcurve.xml
http://www.infoworld.com/articles/op/xml/02/07/
"For all his success at bringing Microsoft's warring constituencies together, there are still things beyond Bill and Steve's control. "I was in a hotel in Sun Valley last week that was not wired," Ballmer recalls. "So I turned on my PC, and XP tells me there is a wireless network available. So I connect to something called Mountaineer.
"Well, I don't know what that is. But I VPN into Microsoft. It worked! I don't know whose broadband I used," he chuckles. "I didn't see it in Bill's room. I called him up and said, 'Hey, come over to my room.' So soon everyone is there and connecting to the Internet through my room."
Chalk up another good day for Steve Ballmer, CEO. Bill Gates may be the chief software architect, but as Microsoft matures in the Ballmer era innovation in software shares the spotlight with teamwork.
"
if you think a system might be insecure, you tell the system administrators. You do not commit a crime to prove the insecurity. if you do, and you are arrested, hopefully you'll get the death penalty so I can read the resulting amusing Darwin Award writeup about your dumb a$$.
On one hand, they are trying to charge him for what it cost them the insecure system, now that they've had to discontinue it. That's really assinine. It's like buying a Corvair, and then suing Ralph Nader after he publishes "Unsafe At Any Speed".
On the other hand, it sets a nice precedent for when the cable companies come snooping around, trying to enforce against "connection sharing" when people set up unsecured wireless access points on the end of a cable modem connection.
AT&T: We're disconnecting you for running an insecure access point.
Customer: I'm suing you for proving my network is insecure; thanks, Stefan Puffer!
-- Terry
Damnit, my license is at stake here!
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
The Register is cool and all, but why not just link the Houston Chronicle article that they got it from? Their article is much better.
good thing he didn't do something really big, like loot a major (http://www.enron.com/corp/) public corporation. oh, I get it: you need to be a major political donor to not get busted. I see...
Just how white-hat is this guy, anyway? Looks like he was actively searching for hackable networks, for reasons which the article leaves unclear.
This is why in the movies, the anonymous tipster remains anonymous, instead of calling a #@$@%@ press conference. Sheesh!
Now, granted, he could have placed them eariler, but so could have anyone else.
If corporations are people, aren't stockholders guilty of slavery?
From now on, never tell any dumbass idiot government morons that their networks are insecure or else you go to jail. Fine, I can pretend the Emperor has clothes even when he is stark, fscking naked, but Al Queda is going to laugh all the way to the fscking bank.
In my opinion someone should indite this Grand Jury for Indictment While Under the Influence. This is the craziest, stupid bullshit I've ever fscking seen.
So, remember, from now on, never tell any government official that their networks are insecure, or else you go to jail. Just tell any muslim terrorists you know instead. As far as I know, THAT is still legal.
"There are laws that enslave men, and laws that set them free. " - Sean Connery as King Arthur
He was demonstrating to a county official AND a reporter. That somewhat implies that this wasn't a behind closed doors, tiger team type evaluation on the network. This wasn't just a "hey, I accidently noticed you left your network wide open. Might wanna fix that". If there was a reporter there, someone's toes were probably getting stepped on. The security analyst doesn't deserve to get charges pressed against him, but he should have gotten something in writing from the officials BEFORE demonstrating illegal activity.
Although the metaphors aren't identical, if I reported to the police, or a homeowner that they've been leaving their doors unlocked, someone at some point will probably ask me how I know that. Computer security is taken rather seriously these days. There seems to be no effort in making sure there is any, but they sure like to rake you over the coals for any alleged violation of it. When the "victim" happens to be the government, especially the court system, that will just up the stakes even more.
Its unfortunate that this has to happen. But if your less than legitimate activities happen to result in useful information for somebody, don't think that the simple act of good faith by handing that information over will clear the slate for you. Either do it anonymously or get immunity first. Or just keep your mouth shut.
-Restil
Play with my webcams and lights here
The fact that he showed it to a newspaper reporter indicates there was *no* goodwill involved.
So, we should do it the Microsoft way? Tell the company about a flaw in their system and let them spend months to fix it, leaving countless unaware individuals completely vulnerable while the "proper authorities" formulate a cost-benefit analysis and figure out where the bug fix lives on the Gantt chart?
Why do you think we *have* news?? You would prefer to get all your news from press releases and government propaganda, it seems.
First of all, the county's IT department was negligent, possibly to the point of criminality, in providing WiFi access to the LAN without any security measures. Would Puffer be looking at five years of jail time if he plugged his laptop into a jack in the hall and found he had LAN access? Maybe. But isn't the County office, by definition, public property? He wasn't tresspassing.
It's like if the government was sending secret information unencrypted on 95.5 FM. You tuned in, told a govt agent and a reporter about it, and now you're the one who did something wrong? This makes sense to anyone here?
The person who really made out in this gig is the "Security Consultant" who charged $5,000 to "solve" this problem. Setting up a VPN for your WiFi clients takes what, about 20 minutes? But clearly the County was so alarmed about the Terrorist Hackers out there that they decided they needed a big expensive solutions. These are serious problems, you know, and they will probably get some of that Anti-Terrorism money from the Feds to pay for Hardening their System against FutureTerrorist Attacks.
By the way, I deal with confidential medical data as part of my job. There's this law called HIPAA. If I were to set up an open WiFi access point on my LAN, *I* could be jailed and fined up to $25,000. *NOT* the guy who is nice enough to tell us (but kind of a dick for telling the local paper.)
What's next? Are we gonna go after Richard Feynman for pointing out that frozen O-Rings make the Shuttle blow up? Mabye I should get hauled off for mentioning that you can punch through the hull of a pressurized aircraft while it's in flight with a big enough screwdriver!
Don't worry about me, though. When I get hauled off into the black Fed car, I'll just yell "Hack the Planet" to the kids on the street and next thing you know, the Slashdot Activist Justice League will rally to my defense!
This isn't the first time the Houston Chronicle (which the Register references) has reported on this story. What they're leaving out in this article is that the county official that Puffer demonstrated the breakin to was, in fact, the equivalent of the head of IT for the county. So, one wonders if indeed that could be counted as having permission...
(I don't remember what his exact title was, and I don't remember the links offhand, but the official was definitely the head of the county's equivalent of an IT department.)
Just my $.02...
Microsoft was (wrongly, imo, but that's besides the point) convicted of being a monopoly, and wasn't even punished.
:p
*shrug* I guess that opened the doors for MS. Shit, maybe I should get hired there. If I work my way up enough, I bet I can go steal a nice car and be applauded for it, too.
The above is copyright.. Ah, screw it, if Ballmer goes and steals a car and gets away with it, more power to the asshole.
i think the case should be dropped but i think also, that the security consultant forgot about rule one:
Analyze the security or check for holes only when you got hired for it by the affected company. Don't rely on a spoken permission, get it written
Even then you may spend a miserable weekend trying to calm down the CEO of a company several hundred times the size of your company. Believe me, the more permissions you have, the better. In my case, after three days i got all involved managers back from the trees back down to the ground. But only because we observed this rule.
From a business point of view: There are people out there (like me), who try to make a living by checking for such things. If you do it, be sure to get paid for. Otherwise it's unfair competition. And being paid for is as good as a permission.
Another hint: avoid press at any costs. They don't get it. My experiences are, that most journalists won't even get the spelling of your name right. They will try to add sex&crime because it makes their article more interesting. This isn't good for your reputation.
If you stumble over a hole by accident. Leave it, don't even poke. Inform the affected organisation at a technical level as silently as you can (and describe why it was an accident). If they don't act, keep quiet. You may bang your head against the wall if it helps you, but leave them.
I know, it's hard to bear.
Yours, Martin
Look, the days of the whiz-kid cracking into systems and then getting hired by the same company as a result is long over. There are professional security consultants that do this sort of thing and if the agency didn't hire them beforehand, well, then, they deserved to get fucked. But it was neither this man's job, his obligation, nor his civic duty to prove to them this fact.
/etc/passwd because they're getting spam and "they had to get those addresses somehow."
The fact that this guy called the media out to witness this will damn him in court. He's watched _Sneakers_ too many times. The age of the geeky computer hacker is long gone; if you know a lot about computers these days, you're either a communist, terrorist or both. Ask any ordinary USian. They're *TERRIFIED* of computers. They refuse to give credit cards to my company because "we might be hacked". They constantly think that somebody stole our
Ignorance is the key matter at hand. The laws today are ignorant of the 'intent' of the accused, and for good reason. Every computer cracker ever caught has pulled the "i just wanted to show them how insecure their system was" line, and they're sick and tired of letting kids trash networks and getting probation for it.
Hey Taco! Looks like you're using the "infinite monkeys and typewriters" scheme to generate Ask Slashdots again...
What if I were to get a directional antenna, and beam my wireless network in the general direction of the court building? And of course, setup a dhcp server and use no encryption and all the default workgroups. Could I then charge them for breaking into my wireless network?
Same question goes with a neighbor? Can I charge my neighbor for hacking into my network? Is it my responsibility to line my walls with aluminum foil so my signal doesn't go out? Or is it his responsibility to line his walls so he doesn't accidently hack into someone elses network?
Karma: SELECT `karma` FROM `users` WHERE `userid`=138474;
I took the $5000 figure to mean that the original wireless network equipment cost them $5000 and since they had to take it down because of the intrusion, it was $5000 down the drain. now that is a bullshit claim, but it wouldn't surprise me if that is exactly what that figure represents.
I read the articles about this yesterday, and as I understand it there was a breach of their wireless lan (they don't specify what happened in the breach, but it sounded like someone did something malicious). This breach happened around a time that the person who is being charged was scanning for insecure wireless networks. If he didn't do anything malicious I don't think he has anything to worry about.
from the Houston Chronicle article:
County Attorney Mike Stafford said he will resume his investigation into whether the security breach was corrected as promptly as county officials learned of it and the origin of a pornographic picture found on the clerk's office server in March.
Now it's not exactly clear what happened, but you can't tell me that demonstrating that someone's server is insecure by turning their server into a goatse.cx mirror is a white hat operation. Or, well, you could, but i'd laugh at you.
I hereby place the above post in the public domain.
More than once I've found passwd files which were able to be
1. Downloaded
2. Cracked with little effort using Crack, etc.
I debated for some time whether I should call the ISP and alert them to the issue. Thankfully, I never did, and just figured Darwinism would work it's way through.
This is truly a sad case - prosecuting those who bring issues to businesses and the fed government. If you stumble on a security issue, I guess it's just best not to help.
You might end up typing the wrong number, getting in contact with something secret, and get 5 years in prison for hacking.
The fact that they had to shut down their wireless LAN is not the fault of the "hacker" here, but it is the fault of the community's suppliuer, who ought to cover the costs, as he must have given very bad advice.
US laws needs to be made a little closer to reality, rather than being created to protect incompetent companies, who does far too little to protect themself or their products. They make the profits, the government gets all the trouble.
Attorney #1: Your honor, h4x0ring is not allowed in the court of law! Judge: Sir, you have crossed the line! H4x0r Attorney: w00t!
Efren Belizario
headspeak.com
Everyone is linking to the new stuff.
1 30 2663
Here is the background info:
http://www.chron.com/cs/CDA/story.hts/topstory/
This isn't really about wireless war driving, or anything else. It's about an ex-employee & political infighting.
Everybody has the wrong story, IMHO
So, let me get this straight. You happy people (non-tech) will put us in jail for attempting to help you use technology in a secure way, because you hate and fear us so much. You actually are prepared to alienate all of us (and imprison some of us) rather than deal with the embarassment of your own inability to use technology, and to willingly make it impossible for anyone to conduct IT security work in good faith. You want to make enemies of all of us, do you?
Have it your way.
It looks as if the AP's were open. They basically setup a public network. "Officials said the security feature on Bacarisse's network was not enabled because it was only being tested. "
The article isn't entirely clear, but my take on the "Clean up" costs is that the county spend $5000 putting in a wireless system, and then had to take it down a month later because he showed them it was insecure (thereby making the $5000 a waste of money). Hardly seems like a crime to me.
"If English was good enough for Jesus, it's good enough for everyone else."
You just happily use their network for free access until they figure it out themselves.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
No man is an island, and all our systems are interconnected...If I let you sign your own death warrent, I may just find one signed for me.
In essence, they're telling everyone "don't tell us about any security vulnerabilities we might have. If you do, we'll prosecute you".
Okay, Harris County, have it your way. If you want to live in ignorance, fine. The end result is that your network will end up being hacked by people who really are black hats and who don't give a shit about the integrity of your computer systems or network.
It's unfortunate that other entities that are inclined to be more reasonable will suffer, but so be it. Those that are really enlightened will probably put up a statement on their website saying something like "if you manage to hack into our systems or network and notify us immediately of the fact that you did so and how you did it, and do not make any modifications to our data or copy any of it that isn't already published, we'll not only refrain from suing you, but we'll pay you a reward for your efforts" -- the intent being to make it clear to white hat hackers that they really do want to know about security vulnerabilities.
But the bottom line is that places like Harris County will end up having a lot more problems than more enlightened places. Evolution in action.
I, for one, am not going to tell anyone a damned thing about any security vulnerability of theirs I stumble across unless I happen to work for them and have gotten prior permission to look for security vulnerabilities. And I'll laugh at anyone who behaves the way Harris County did and manages to get hacked later on.
Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
If I ever discover a hole war driving (or war walking.) you can bet your ass I won't tell anybody there about it.
Though I may give my friends the location...
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
Is claim he was looking for files of his that were copyrighted. Hw should get at least a couple of grand from the MPAA and the RIAA for his defense.
But if Puffer had tried to alter any programs, they said, security safeguards and software would have blocked him and alerted them immediately.
I call bullshit.
-BK
Chemical Blog
Well of course it's going to cost money to clean up! He just showed the courthouse there's a BIG vulnerability in their network. That is more of a result of bad administration, than his "hacking". I can't think of any reason to punish this man for doing the courthouse a service.
The Original Houston Chronicle Story
The Houston Chronical Story #2
Since when did we become slaves to exactly what the law said? The basis of our law system is that laws provide strong guidelines but judges are given a great deal of power exactly so that these kind of idiocies don't happen. The guy pointed out that the system was borked. He didn't do anything wrong in the process. The IT department should thank him for pointing out the flaw, fix it, and move on with their lives. The judge should have thrown out the case after a preliminary hearing because it was stupid. It's incredible that we've gotten to the point where we're intellectualizing these things so much (and both sides are at fault here, both people defending him and opposing him) that we're treating the law like the synactical rules of C++ rather than the very different rules of a human society.
A deep unwavering belief is a sure sign you're missing something...
No, he did not perform the demonstration for Charles Bacarisse, who, is the closest thing to a Court official in this story. He performed the demonstration for Jennings the head of the County's Technology department.
Did Jennings have the authority to order Bacarisse to close down or secure his network, because it was putting the rest of the County's systems at risk? I suspect he did not. Or why wouldn't he have done so? Is it possible Jennings agreed to Puffer's demonstration in order to win a turf war with Bacarisse?
Note to all ethical hackers, script kiddies, and whistle-blowers: the US Government does not want your help. If you point out insecurities (glaringly obvious or otherwise) in any Government host or network, do not expect thanks. Instead, you should expect to be the subject of investigation.
.gov IP space is child's play.
There are three things one should consider when dealing with the US Government on information security issues. First, the US Government's business is law, not technology - they have much more understanding of the former than latter. Secondly, the US Government tends to not understand information security issues. Their expertise deals with government and Cold War policy - the modern infosec environment has aspects of that era... but it is quite different. Finally, the US Government is not interested in information security issues. Lets address these points.
Before going further on this rant... I'd like to make one qualifying statement. Like all large groups, there are individuals within various Government bureaucracies who are exceptions to these observations. I like to think I was one of them. And I know some excellent people working information security within their departments who defy the norm. But nonetheless, the norm does exist. Despite these excellent few examples, it is the leadership and the vast majority of management in US Government institutions who generate the following attitude.
The business of Government is not information technology, it is law. Any manager within Government is a bureaucrat in one way or another... including IT. One does not gain any such level of trust without understanding the political system in which one operates. This often leads to IT managers who have a limited familiarity with IT systems, but are very comfortable with rules and law. This can work for them if they're forced to fight for their environment's budget. If a Government agency is lucky, they have enough pull to win a decent budget and easily meet their needs. Many agencies are forced to make due on what little IT budget they are able to scrounge. This leads to few resources be it equipment or manpower. With this in mind, the highly skilled IT worker is few and far between within Government. And those few dedicated souls will likely be overworked.
Governmental infosec agents tend to have a physical security / Cold War background. They are used to dealing with entirely different environment than what is commonly found today. This leads to a slew of misconceptions, but we'll focus on a few specifics. They value secrecy over disclosure. They have a hard time accepting hacking (malicious or not) as entertainment / educational. They believe anybody exposing a system's vulnerabilities have only malicious motives.
I'd like to demonstrate these two points with a quick story. I was attending a monthly cross-contract infosec meeting for a large US Government facility. The meeting started with a nice presentation of a recent vulnerability and how to mitigate the threat. There were a few attentive audience members, but the vast majority sat there with a dazed look as the presentation washed over them. Then the local FBI agent stood up to make a presentation on a recent compromise of one of the facility labs. The lab manager was on hand to give testimony on the damage caused to his environment and the loss of resources to the FBI as they confiscated equipment to collect evidence for the future prosecution phase of the case. The room lit up. There were notes being taken, questions being asked and an overall enthusiasm for the process of catching the perpetrators of this damage. The interesting point was that this same manager had told me two months prior that he didn't wish to deal with any of the infosec procedures I had been suggesting as the changes would be "more disruptive than anything those hackers could do." If the audience in that room paid more attention, time, and funds to improving their security stance they would spend MUCH less time and funds in recovering from attacks. The point was always lost on them.
Finally, the Government is not interested in information security. If they were, they would fund it. And they don't. I would constantly hear phrases along the lines of "we would do that if we had the funding, but we can't spend that much time on that kind of activity without specific funding for it... and we've been trying to get funding for infosec, but can't." I always found it ironic when a defaced web page would include instructions from the attacker on how to secure the machine. Its not (always) that the sysadmin was incompetent and needed instruction. Often its that he/she doesn't have the time or permission to deal with it. The sad fact is that compromising
So what if you STILL want to blow the whistle? First, make it public and embarassing - nothing gets a beurocracy moving faster than public embarassment. That usually means the press. But the trick is to find a reporter you can trust to keep your identity anonymous. The last thing you want is an embarassed beurocrat trying to cover their tail by shifting the blame on to you.
And maybe he'll turn into a ostrich. Because, after all it no one TELLS you there's a problem then there isn't one. Right??
breaking in when the real criminal is the IT
department and the organization yelling "victim"
was so ignorant as to put up a web site
that apparently used some obvious combination
of name, birthday and social security number.
If I were a Yale student, I'd be suing Yale for
willful negligence (IANAL). Isn't this what
got the Interior Dept pulled offline regarding
Indian Affairs?
And here we go again, why doesn't the courthouse
just hand out all its correspondance on the
street? I'd think anyone with a case more
serious than a parking ticket could go after
the court itself.
Maybe rather than disclosing vulnerabilities, :-)
a more fruitful approach would be to help those
affected initiate lawsuits. eg, if you find a
security hole at a bank, don't go to the bank,
but set up a meeting with a bunch of account
holders and a lawyer on percentage. Put their
feet to the fire. Get paid for it too.
Makes sense. Instead of quietly taking the network down and fixing it, they make a martyr.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
What I'd conclude from this is that if I discover a security problem in a government system, I'd better not tell them about it. Rather than hire me to fix it, they'll probably just arrest me.
What I should obviously do is pass the word among other interested parties that I know how to get info out of the government system. There are lots of people out there that will pay for this. And they won't arrest me, because they aren't part of the legal system.
I suspect that the folks in the Houston government understand this quite well. In fact, if I talk to some of them in private, I'd bet that they might be quite happy to pass my name to some of their campaign contributors, where I could pick up a few nice consulting contracts.
Does anyone here think I'm being overly cynical? If so, you don't know much about Texas politics. You oughta read some Molly Ivins.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
He sounds like a "security professional" who "demonstrates a flaw in the system" to a potential client. This is not the smartest way to win clients. It is embarassing.
Had he called their IT director, described the flaw to him in private, he chose to take it to the press first. He might actually have won business from the IT director had he been a little more professional about it.
Unfortunately, he chose to try and shock not only them, but the public as well.
He pulled an incredibly stupid stunt: did something illegal and told people about it. Don't you think he should've been arrested, too?
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
The fact that this writer could actually talk about "encrypting the airwaves" and "rid[ing] into the network" after researching this story says something. I'm not sure what, but I'm sure it's hysterical. In both senses of "hysterical."
Eternal vigilance only works if you look in every direction.
Here is a quote from the Harris County DC's Office I found on their site. This was from a news release about a service they call e-DOCS which allows people to get court documents over the Internet. "He (Bacarisse) stressed that Family Court orders, many of which contain sensitive, intimate information, will not be available to the public via the Internet. (Family Court documents that are not sealed are available to the public, as always, if ordered in person. Juvenile Court documents are sealed by law.)" "Charles Bacarisse is in his second term as the District Clerk of Harris County - an office that acts as record-keeper for 74 courts while also charged with managing one of the nation's largest Jury systems and a $1-million-per-day Child Support Division. " Does anyone still think Mr. Puffer should not have said anything? As a registered voter in Harris County, Mr Bacarisse will not be getting my vote since it's obvious to me he thinks his reputation is more important than safeguarding court documents and jury information.
I was walking around one day and I noticed that you don't have good security. I called over a police officer and a reporter and said, "Look, this guy should be wearing a bulletproof vest!" I then proceed to shoot you in the chest.
/., just playing Devil's Advocate.
Just pointing out security vulnerabilities?
I agree with the rest of
Just because you put your money into something doesn't give you any rights to do what you like with its product.
I live in Houston, so I have a stake in this. My public business is transacted on this network.
My tax records, my court records, my property records--I damn sure want this stuff secure, protected from snooping and alteration. The county left the file cabinet unlocked and the APPROVED stamp on the ink pad. Records could conceivably be added, altered, or deleted. How would you like to find out you didn't own your house anymore, and never had? How about suddenly having an arrest warrant go out because of all those unpaid traffic tickets you never got?
I'm personally grateful to the guy for pointing out the problem and bringing it to the public's attention via the press.
In the wrong hands, sanity is a dangerous weapon.
According to the Houston Chronicle article, it's obvious Puffer did more than benignly access the Courthouse's network. Where else could that pr0n picture on the clerk's office server have come from?
I wouldn't be suprised, the "consultants" get most of their pay from whoever made the hardware
1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcf
Good joke, it's relevant, read on. . .
A man is flying in a hot air balloon and realises he is lost. He reduces height and spots a man down below. He lowers the balloon further and shouts:
"Excuse me, can you tell me where I am?"
The man below says: "yes you're in a hot air balloon, hovering 30 feet above this field."
"You must work in I.T." says the balloonist.
"I do" replies the man. "How did you know."
"Well" says the balloonist, "everything you have told me is technically correct, but it's no bloody use to anyone."
The man below says "you must work in business."
"I do" replies the balloonist, "but how did you know?"
"Well", says the man, "you don't know where the hell you are, or where the hell you're going, but you expect me to be able to help. You're in the same position you were before we met, but now it's my fault."
1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcf
chose an example of crimes for which intent is built into the definition:
If there was intent, its murder...If it was an accident....
For various types of homicide, the crime is determined in part by intent. For illegal entry to a computer system, there is no such differentiation.
Evil is the money of root.
I guess those Houston police shouldn't bother prosecuting anyone who's crime doesn't rise to the level of the Enron looting. Priorities and all, you know.
Evil is the money of root.
living in texas for 30 years, this comes as no suprise, being that members of texas law enforcement and our judicial system are exempt from drug testing and incest marriages.
I believe the problem might be that he broke in without getting proper clearance on the 8th of march.
If you are going to do any security audit. Get a written permit signed by the responsible person. Then break in.
If you break in first, without anyone asking you to break in, I can really understand if you get prosecuted.
So, the solution is simple. Since you obviously can't go to the head of IT for the county and demonstrate to him that his security blows, you might as well call up 2600 and then see how long it takes the county to realize where the bandwidth is going and why attacks are being launched from their county courthouse.
Yikes. The story contains many more details... Like a pr0n file appearing on a server, the target's stormy past with the county, political power grabs... It's a lot more than just war-driving! Here's a link with the scandalous details: http://www.chron.com/cs/CDA/story.hts/metropolitan /1302663
Try this link.
'SBEMAIL!' is better than a goat!!
I guess I was lucky. When I did this exact thing (and maybe a little more fun stuff ;) )
in our harmless local campus network while at school, I got into so much trouble,
you just cannot imagine!
The thing that I learnt very hard and sadly was that people in charge of making
decisions related to the networks hardly know any technical details. And they
always come down hard exactly because of their ignorance.
Anyway, at that point it put a dampener to my enthusiasm to find holes in systems.
And I am sure I will never find myself in the position this man found himself, thanks
to this enlightening experience!
Of course, it would be very nice if someone educated the lawmakers and buerocrats
a little bit more about the systems, security and technology in general.
(sigh)
DO NOT PANIC
Why does a court need a wireless LAN, and exactly how much taxpayer money went into installing the LAN in the first place?
!#@%*)anks for hanging up the phone, dear.
The original joke is engineers vs management, and is much longer and actually funny in that form.
Yap.
Since the 2.4Ghz. spectrum is unlicensed, just like CB radio or cordless phone bands, how can you possibly charge somebody with illegally receiving or transmitting in this range? Somebody correct me if I'm wrong, but is that not their explicit right so long as they use approved equipment and do not exceed FCC regulations on signal power? It's not like the court had exclusive permission to use this frequency. Similarly, what if this guy had switched off his 802.11 transmitter and just listened instead of actually interacting with the network?
It just seems ridiculous. If we're going to have unlicensed bands on the public airwaves, any expectations of privacy / security must be the burden of people using those bands, not law enforcement. This situation is entirely different than "wiggling door handles" because there is no trespass of private property involved.
The extent to which you are missing the point is truly staggering. Did you actually read my post or any of the articles?
> If I forget to lock my door at night, I SHOULD NOT EXPECT a burglar, rapist, or other intruder.
No, but if you place all your belongings all over the sidewalk in front of your house, you should expect people to walk among them and inspect them. From what the articles tell us, Puffer did not "break in" anywhere. He merely observed data that was broadcast to him and reported the fact that it was revealing to an appropriate authority. It's entirely specious to suggest that a network broadcast over public airwaves, with no concealment of the data therein, is one that is private. By what means then can one differentiate between public and private?
> ...he didn't get arrested for pointing out the flaw to the Clerk. He got arrested from all his "experiments" while he was probing for the problem in unsuspecting networks.
From whence did you fabricate that piece of information? None of the articles say that, and most directly counter that. The earlier article in the Houston paper especially (linked to in someone's comment somewhere) makes it sound like this Clerk is just being a territorial asshole.