Slashdot Mirror
WarTalking Arrest
PhotonSphere writes "Having helped organize HoustonWireless.org, this really caught my attention! A Houston computer security analyst has been charged with 'hacking' after demonstrating the insecurity of a court's wireless LAN! This happened Wednesday and is only now getting the attention of the wireless community. The Register has the full story."
We all know that its illegal to teach things to people that could possibly be used for malicious purposes. We also know that pointing out flaws or weaknesses in computer systems is an activity reserved for terrorists and other 'undesirables'.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
Unless he was hired for the job, he deserves it.
Just because you *can* do something doesn't mean you *should*.
Tired of having all these people act like "well, it's not secure, so I should poke around."
Hey Taco! Looks like you're using the "infinite monkeys and typewriters" scheme to generate Ask Slashdots again...
Comment removed based on user account deletion
He went about this wrong, he should have mentioned that he believed it was insecure and then with explict permission demonstrated why he believes this is the case. If I walked up to a cop and said "This pop machine is insecure" and proceeded to kick it and then drink the soda that fell out do you think the cop would be happy I showed him that?
This is a very interesting case, a guy that was showing a newspaper, and someone working for the county how easy it would be for a hacker to break into the court's system. Then he gets arrested for the act. And this is because they had to take the thing down for a month because of there being a break. I would say with that kind of security, it should have never been brought up in the first place. Also I would say that it was better that they found out that the system could be broken before the network was actually used for a critical task, and could get hacked during a court proceeding, that could be a very embarrassing thing for a court to have to face. Being the ones that where hacked into while court was in session. Hopefully, at least they learned from what he did and at least secured the thing. Although since he is being possibly jailed for it, perhaps he should have told his superiors about how shoddy the security was before he did a demonstration.
Maybe they should upgrade the charges to treason and sedition. Hacking is terrorism, after all, and this was rather insulting to the court.
If we all pretend the problem doesn't exist... maybe it will go away on its own? We'll just prosecute anyone who points out that we have a problem. Then, everything will be fine. I swear -- the intelligence in this country has gone right down the shitter in the last 25 years. We used to respect and honor knowledge. Now me simply make a mockery of it. I weep for my generation.
It's funny, already I'm seeing people saying this guy deserves what he gets... but if I was sitting on a bench in front of the courthouse with my laptop and found that I could access the network with little or no problem, I'd walk straight in there myself and let them know. I worked as a contractor at the Ministry of Health in Ontario for a bit, and you want to talk shoddy administration. It was hideous. And they have information like registries of people suffering from AIDS, or who is getting drug benefits and what claims they're making. Sure he might just be trying to drum up business, but if the end result is that it closes a serious security hole, more power to him.
Or do you really want your next door neighbor's son finding out about that fraternity prank that had you arrested for stealing a minivan full of sheep in your boxers or some other weird crime?
He did access their network without permission.
Did they create a public network? Public as in accessible to the public without any reasonable indication or security that it is indeed a private network.
I think broadcasting a private network and letting people on it is akin to making a public network.
It isn't this guys fault they had to shut down their network, it is the people who set up the insecure network in the first case.
This is his crime?
I'm glad they've taken prompt measures to make sure nobody else every reports a security hole to them!
I don't care if it's 90,000 hectares. That lake was not my doing.
Why should I even care? A part of me wants to get all loud and stupid about this but Puffer had no permission to start cracking keys and browsing the microsoft shares (or whatever he did). Let them get burned on their own or if they're government go through the usual channels. No need to be 'Captain Wireless.'
Worst of all, for all we know he did not do this to demonstrate anything. The last time slashdot got up in arms about some supposed 'white hat' hacker it ended up being an excuse. In my experience it usually is an excuse. "Dude, I'm totally looking out for you when I hack your stuff!" No one should be that naive anymore.
This is something that many people in the InfoSec industry are worried about and more so in the current political environment. EVERY seminar, conference or training event I've been too, there has been someone standing there for twenty minutes lecturing everyone on covering your ass.
What bothers me is that the reason things like this happen is ignorance of non-techies and refusal to see things in a reasonable light. If you were in a bank with a locksmith, and he showed the bank manager that the locks they were using were insecure, the manager would thank the locksmith and change the locks. Show a business manager the exact same thing with their network and they might decide to have you arrested.
Whenever I'm going to show a client ANYTHING I get full written approval ahead of time to discuss or test their security, and I get written approval to discuss my findings. There have been times when I've found vulnerabilities and not said a damn word because the client refused to sign off.
It's sad, there are people out there - and I've worked for and with them often - who really believe in security through anonymity and believe they are acting in their best interests by alienating and prosecuting the people who can really protect their networks.
What I will admit however is that part of the problem rests with people who try to look smart and show off the security vulnerabilities in a smart-assed kind of way. As annoying as it sometimes is, you need to manage people's expectations, fears and prejudices.
At first I thought they were being a bit harsh until I took a closer look at the dates. He's accused of breaking into the network on the 8th, but not reporting it until the 18th. Now maybe he was unable to get an appoitment to see anyone, or maybe he took 10 days to poke around in the network and see what was there. He should have reported the insecurity immediately. The fact that he didn't is suspicious.
The Mongrel Dogs Who Teach
So, just break back in, and erase the record of the charge.. duh..
Well, if they know the date that he went in... why don't they juse restore the system from daily backups, and keep the current database, and user home directories???? Sounds like a really simple solution, if they don't believe him. And why can't their IS people verify what was happening in their own network... What were they doing? Eating donuts
Tibbon
tibbon.com
I hereby inform you that I have NOT been required to provide any decryption keys.
Some details would be nice. Did the LAN have no password, was the password easy to crack, or was there some other kind of security flaw? If he went all around the city, trying to brute force the password on every wireless LAN he could find, then I doubt he has a legal leg to stand on. If he simply powered on his laptop and noticed he had link, that's different.
-a
How to rationalize theft.
Remember, never point out someone's security holes so they can fix things before real damage is done. If you do these things, you are nothing more than an evil terrorist! And according to Gestapo... err Attorney General John Ashcroft, you must be an Al Qaeda operative deserving of the death penalty!!
"You spoony bard!" -Tellah
What is it going to take for people to realize that they need to lock down their systems -- the digital equivalent of 9/11? Honestly, it seems the government can't accept any criticism of its systems, or act on the information at all........ and instead of fixing the problem, they decide to prosecute instead.
Pretty deranged, IMHO.
Search first, ask questions later.
FYI: Texas Computer Crime Law
TEXAS PENAL CODE TITLE 7. OFFENSES AGAINST PROPERTY
CHAPTER 33. COMPUTER CRIMES
33.01. Definitions
In this chapter:
(1) "Access" means to approach, instruct, communicate with, store data in, retrieve or intercept data from, alter data or computer
software in, or otherwise make use of any resource of a computer,computer system, or computer network.
(2) "Communications common carrier" means a person who owns or operates a telephone system in this state that includes equipment or facilities for the conveyance, transmission, or reception of
communications and who receives compensation from persons who use that system.
(3) "Computer" means an electronic, magnetic, optical,
electrochemical, or other high-speed data processing device that
performs logical, arithmetic, or memory functions by the
manipulations of electronic or magnetic impulses and includes all
input, output, processing, storage, or communication facilities
that are connected or related to the device.
(4) "Computer network" means the interconnection of two or more
computers or computer systems by satellite, microwave, line, or
other communication medium with the capability to transmit
information among the computers.
(5) "Computer program" means an ordered set of data representing coded
instructions or statements that when executed by a computer cause
the computer to process data or perform specific functions.
(6) "Computer security system" means the design, procedures, or other
measures that the person responsible for the operation and use of
a computer employs to restrict the use of the computer to
particular persons or uses or that the owner or licensee of data
stored or maintained by a computer in which the owner or licensee
is entitled to store or maintain the data employs to restrict
access to the data.
(7) "Computer services" means the product of the use of a computer,
the information stored in the computer, or the personnel
supporting the computer, including computer time, data processing,
and storage functions.
(8) "Computer system" means any combination of a computer or computer
network with the documentation, computer software, or physical
facilities supporting the computer or computer network.
(9) "Computer software" means a set of computer programs, procedures,
and associated documentation related to the operation of a
computer, computer system, or computer network.
(10) "Computer virus" means an unwanted computer program or other set
of instructions inserted into a computer's memory, operating
system, or program that is specifically constructed with the
ability to replicate itself or to affect the other programs or
files in the computer by attaching a copy of the unwanted program
or other set of instructions to one or more computer programs or
files.
(11) "Data" means a representation of information, knowledge, facts,
concepts, or instructions that is being prepared or has been
prepared in a formalized manner and is intended to be stored or
processed, is being stored or processed, or has been stored or
processed in a computer. Data may be embodied in any form,
including but not limited to computer printouts, magnetic storage
media, laser storage media, and punchcards, or may be stored
internally in the memory of the computer.
(12) "Effective consent" includes consent by a person legally
authorized to act for the owner. Consent is not effective if:
(A) induced by deception, as defined by Section 31.01, or induced
by coercion;
(B) given by a person the actor knows is not legally authorized to
act for the owner;
(C) given by a person who by reason of youth, mental disease or
defect, or intoxication is known by the actor to be unable to
make reasonable property dispositions;
(D) given solely to detect the commission of an offense; or
(E) used for a purpose other than that for which the consent was
given.
(13) "Electric utility" has the meaning assigned by Subsection (c),
Section 3, Public Utility Regulatory Act (Article 1446c, Vernon's
Texas Civil Statutes).
(14) "Harm" includes partial or total alteration, damage, or erasure
of stored data, interruption of computer services, introduction of
a computer virus, or any other loss, disadvantage, or injury that
might reasonably be suffered as a result of the actor's conduct.
(15) "Owner" means a person who:
(A) has title to the property, possession of the property, whether
lawful or not, or a greater right to possession of the
property than the actor;
(B) has the right to restrict access to the property; or
(C) is the licensee of data or computer software.
(16) "Property" means:
(A) tangible or intangible personal property including a computer,
computer system, computer network, computer software, or data;
or
(B) the use of a computer, computer system, computer network,
computer software, or data.
33.02. Breach of Computer Security
(a) A person commits an offense if the person knowingly accesses a
computer, computer network, or computer system without the
effective consent of the owner.
(b) A person commits an offense if the person intentionally or
knowingly gives a password, identifying code, personal
identification number, debit card number, bank account number, or
other confidential information about a computer security system to
another person without the effective consent of the person
employing the computer security system to restrict access to a
computer, computer network, computer system, or data.
(c) An offense under this section is a Class A misdemeanor unless the
actor's intent is to obtain a benefit or defraud or harm another,
in which event the offense is:
(1) a state jail felony if the value of the benefit or the amount
of the loss or harm is less than $20,000; or
(2) a felony of the third degree if the value of the benefit or
the amount of the loss or harm is $20,000 or more.
(d) A person who is subject to prosecution under this section and any
other section of this code may be prosecuted under either or both
sections.
33.03. Defenses
It is an affirmative defense to prosecution under Section 33.02 that
the actor was an officer, employee, or agent of a communications
common carrier or electric utility and committed the proscribed act or
acts in the course of employment while engaged in an activity that is
a necessary incident to the rendition of service or to the protection
of the rights or property of the communications common carrier or
electric utility.
33.04. Assistance by Attorney General
The attorney general, if requested to do so by a prosecuting attorney,
may assist the prosecuting attorney in the investigation or
prosecution of an offense under this chapter or of any other offense
involving the use of a computer.
--
Looks like Mr. Puffer clearly committed the offense described in 33.02(a)
Now is Harris Country guilty of negligence in adequatelely protecting their computer networks? I'd have to argue that yes, in my opinion they probably are. Anyone who'd carelessly run wide open unprotected wireless ethernet in a local government agency is not only a moron, but also a very poor steward of public records, which is a job taken *very* seriously in Texas.
They also have more secure networks.
The person charged was not acting maliciously, did not cause any damage (what is claimed is bogus), and his actions were willfully disclosed in good faith. He got the raw deal...
SIG: HUP
Quite informative, I see your point.
I would argue that 33.02(a) Effective consent was given in that it the network was publicly broadcast.
Television broadcasts are free to view, radio free to listen. This is implied in that they are publicly broadcast to any recipient.
Embarrassment is what it comes down to. When the courthouses pretty new wireless system, which they paid a good amount for, is found to be vulnurable to an attack they blame the one who found it instead of the admin who put the package together.
Good point, what are the laws in Texas on Criminal Intent.
You don't get a B&E for pulling someone out of a burning building.
That's like seeing a wide open door to the court house in the middle of the night. What business do you have looking at the court house at night!?
Of course, I don't know how much this guy poked around before he decided to tell them, so I really can't judge this one.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
Or, more to the point, the clerk probably found a welcome excuse to explain the presence of this picture on his PC to his boss...
Stefan Puffer, 33, was indicted by a Grand Jury on Wednesday with two counts of burglary for allegedly breaking into Harris County district clerk's offices. It's believed to be the first case of its kind in the US.
Puffer, who was employed briefly by the county's security department in 1999, could get five years in jail and faces a $250,000 fine on each count if convicted, the Houston Chronicle reports.
He's accused of accessing the offices March 8 in an alleged intrusion that cost the county a reported $5,000 to clean up.
District Clerk Charles Bacarisse told the paper that no confidential paperwork was disclosed but the alleged intrusion eventually resulted in the county closing its new offices only a month after they were opened.
But is the prosecution a case of shooting the messenger?
On March 18, Puffer demonstrated to a county official and a Chronicle reporter how easy it was to gain access to the court's offices using only a hammer and paperclip. Puffer first noticed the problem while scanning for insecure homes and offices throughout Houston earlier that month, around the time that the alleged offence took place.
Would you be upset at the above news story?
Really folks, with a $4 hammer, you'd be surprised at how "insecure" most homes are! Have you ever heard of a "white hat" burglar?
I have no problem with your religion until you decide it's reason to deprive others of the truth.
apparently this is the website of the county clerk quoted in the houston cronicle story. since /. failed to get info from him, perhaps we could each drop him an email to find out the other side of the story.
however, i do note that the county attorney seems a little selective in what laws he wants enforced.
US Citizen living abroad? Register to vote!
The network was totally wide open - no WEP and DHCP on ... anyone w/ an XP computer and built-in WiFi who turned their computer on would have automatically associated to the network, so what is Puffer's "crime?" He was demoing to a county official, don't forget. Meanwhile, Steve Balmer brags about stealing bandwidth with Bill Gates and gets applauded:
2 2/ 020722opcurve.xml
http://www.infoworld.com/articles/op/xml/02/07/
"For all his success at bringing Microsoft's warring constituencies together, there are still things beyond Bill and Steve's control. "I was in a hotel in Sun Valley last week that was not wired," Ballmer recalls. "So I turned on my PC, and XP tells me there is a wireless network available. So I connect to something called Mountaineer.
"Well, I don't know what that is. But I VPN into Microsoft. It worked! I don't know whose broadband I used," he chuckles. "I didn't see it in Bill's room. I called him up and said, 'Hey, come over to my room.' So soon everyone is there and connecting to the Internet through my room."
Chalk up another good day for Steve Ballmer, CEO. Bill Gates may be the chief software architect, but as Microsoft matures in the Ballmer era innovation in software shares the spotlight with teamwork.
"
On one hand, they are trying to charge him for what it cost them the insecure system, now that they've had to discontinue it. That's really assinine. It's like buying a Corvair, and then suing Ralph Nader after he publishes "Unsafe At Any Speed".
On the other hand, it sets a nice precedent for when the cable companies come snooping around, trying to enforce against "connection sharing" when people set up unsecured wireless access points on the end of a cable modem connection.
AT&T: We're disconnecting you for running an insecure access point.
Customer: I'm suing you for proving my network is insecure; thanks, Stefan Puffer!
-- Terry
Damnit, my license is at stake here!
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
The Register is cool and all, but why not just link the Houston Chronicle article that they got it from? Their article is much better.
He was demonstrating to a county official AND a reporter. That somewhat implies that this wasn't a behind closed doors, tiger team type evaluation on the network. This wasn't just a "hey, I accidently noticed you left your network wide open. Might wanna fix that". If there was a reporter there, someone's toes were probably getting stepped on. The security analyst doesn't deserve to get charges pressed against him, but he should have gotten something in writing from the officials BEFORE demonstrating illegal activity.
Although the metaphors aren't identical, if I reported to the police, or a homeowner that they've been leaving their doors unlocked, someone at some point will probably ask me how I know that. Computer security is taken rather seriously these days. There seems to be no effort in making sure there is any, but they sure like to rake you over the coals for any alleged violation of it. When the "victim" happens to be the government, especially the court system, that will just up the stakes even more.
Its unfortunate that this has to happen. But if your less than legitimate activities happen to result in useful information for somebody, don't think that the simple act of good faith by handing that information over will clear the slate for you. Either do it anonymously or get immunity first. Or just keep your mouth shut.
-Restil
Play with my webcams and lights here
The fact that he showed it to a newspaper reporter indicates there was *no* goodwill involved.
So, we should do it the Microsoft way? Tell the company about a flaw in their system and let them spend months to fix it, leaving countless unaware individuals completely vulnerable while the "proper authorities" formulate a cost-benefit analysis and figure out where the bug fix lives on the Gantt chart?
Why do you think we *have* news?? You would prefer to get all your news from press releases and government propaganda, it seems.
First of all, the county's IT department was negligent, possibly to the point of criminality, in providing WiFi access to the LAN without any security measures. Would Puffer be looking at five years of jail time if he plugged his laptop into a jack in the hall and found he had LAN access? Maybe. But isn't the County office, by definition, public property? He wasn't tresspassing.
It's like if the government was sending secret information unencrypted on 95.5 FM. You tuned in, told a govt agent and a reporter about it, and now you're the one who did something wrong? This makes sense to anyone here?
The person who really made out in this gig is the "Security Consultant" who charged $5,000 to "solve" this problem. Setting up a VPN for your WiFi clients takes what, about 20 minutes? But clearly the County was so alarmed about the Terrorist Hackers out there that they decided they needed a big expensive solutions. These are serious problems, you know, and they will probably get some of that Anti-Terrorism money from the Feds to pay for Hardening their System against FutureTerrorist Attacks.
By the way, I deal with confidential medical data as part of my job. There's this law called HIPAA. If I were to set up an open WiFi access point on my LAN, *I* could be jailed and fined up to $25,000. *NOT* the guy who is nice enough to tell us (but kind of a dick for telling the local paper.)
What's next? Are we gonna go after Richard Feynman for pointing out that frozen O-Rings make the Shuttle blow up? Mabye I should get hauled off for mentioning that you can punch through the hull of a pressurized aircraft while it's in flight with a big enough screwdriver!
Don't worry about me, though. When I get hauled off into the black Fed car, I'll just yell "Hack the Planet" to the kids on the street and next thing you know, the Slashdot Activist Justice League will rally to my defense!
This isn't the first time the Houston Chronicle (which the Register references) has reported on this story. What they're leaving out in this article is that the county official that Puffer demonstrated the breakin to was, in fact, the equivalent of the head of IT for the county. So, one wonders if indeed that could be counted as having permission...
(I don't remember what his exact title was, and I don't remember the links offhand, but the official was definitely the head of the county's equivalent of an IT department.)
Just my $.02...
Look, the days of the whiz-kid cracking into systems and then getting hired by the same company as a result is long over. There are professional security consultants that do this sort of thing and if the agency didn't hire them beforehand, well, then, they deserved to get fucked. But it was neither this man's job, his obligation, nor his civic duty to prove to them this fact.
/etc/passwd because they're getting spam and "they had to get those addresses somehow."
The fact that this guy called the media out to witness this will damn him in court. He's watched _Sneakers_ too many times. The age of the geeky computer hacker is long gone; if you know a lot about computers these days, you're either a communist, terrorist or both. Ask any ordinary USian. They're *TERRIFIED* of computers. They refuse to give credit cards to my company because "we might be hacked". They constantly think that somebody stole our
Ignorance is the key matter at hand. The laws today are ignorant of the 'intent' of the accused, and for good reason. Every computer cracker ever caught has pulled the "i just wanted to show them how insecure their system was" line, and they're sick and tired of letting kids trash networks and getting probation for it.
Hey Taco! Looks like you're using the "infinite monkeys and typewriters" scheme to generate Ask Slashdots again...
What if I were to get a directional antenna, and beam my wireless network in the general direction of the court building? And of course, setup a dhcp server and use no encryption and all the default workgroups. Could I then charge them for breaking into my wireless network?
Same question goes with a neighbor? Can I charge my neighbor for hacking into my network? Is it my responsibility to line my walls with aluminum foil so my signal doesn't go out? Or is it his responsibility to line his walls so he doesn't accidently hack into someone elses network?
Karma: SELECT `karma` FROM `users` WHERE `userid`=138474;
I took the $5000 figure to mean that the original wireless network equipment cost them $5000 and since they had to take it down because of the intrusion, it was $5000 down the drain. now that is a bullshit claim, but it wouldn't surprise me if that is exactly what that figure represents.
actively attempting to gain access to a computer system you are not authorized to access is illegal
I read the articles about this yesterday, and as I understand it there was a breach of their wireless lan (they don't specify what happened in the breach, but it sounded like someone did something malicious). This breach happened around a time that the person who is being charged was scanning for insecure wireless networks. If he didn't do anything malicious I don't think he has anything to worry about.
So, let me get this straight. You happy people (non-tech) will put us in jail for attempting to help you use technology in a secure way, because you hate and fear us so much. You actually are prepared to alienate all of us (and imprison some of us) rather than deal with the embarassment of your own inability to use technology, and to willingly make it impossible for anyone to conduct IT security work in good faith. You want to make enemies of all of us, do you?
Have it your way.
the point is that he knew he was not authorized to access it. if you open the door to someone else's house and it is unlocked does that mean he can go in, just to see if the door is secure, unless there is a sign saying "no trespassing"?
The article isn't entirely clear, but my take on the "Clean up" costs is that the county spend $5000 putting in a wireless system, and then had to take it down a month later because he showed them it was insecure (thereby making the $5000 a waste of money). Hardly seems like a crime to me.
"If English was good enough for Jesus, it's good enough for everyone else."
Because we all know how quickly the issues would have been looked at / fixed if he went thru the "proper"/cover my ass channels...
So? He wasn't an employee, he wasn't responsible for the system, and whether they fixed it or not wouldn't have affected him. That's like me breaking into your house to "prove" how bad your security is, then justifying it by complaining that if you had just told me how bad my locks were I wouldn't have changed them.
You just happily use their network for free access until they figure it out themselves.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
In essence, they're telling everyone "don't tell us about any security vulnerabilities we might have. If you do, we'll prosecute you".
Okay, Harris County, have it your way. If you want to live in ignorance, fine. The end result is that your network will end up being hacked by people who really are black hats and who don't give a shit about the integrity of your computer systems or network.
It's unfortunate that other entities that are inclined to be more reasonable will suffer, but so be it. Those that are really enlightened will probably put up a statement on their website saying something like "if you manage to hack into our systems or network and notify us immediately of the fact that you did so and how you did it, and do not make any modifications to our data or copy any of it that isn't already published, we'll not only refrain from suing you, but we'll pay you a reward for your efforts" -- the intent being to make it clear to white hat hackers that they really do want to know about security vulnerabilities.
But the bottom line is that places like Harris County will end up having a lot more problems than more enlightened places. Evolution in action.
I, for one, am not going to tell anyone a damned thing about any security vulnerability of theirs I stumble across unless I happen to work for them and have gotten prior permission to look for security vulnerabilities. And I'll laugh at anyone who behaves the way Harris County did and manages to get hacked later on.
Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
If I ever discover a hole war driving (or war walking.) you can bet your ass I won't tell anybody there about it.
Though I may give my friends the location...
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
I think a more applicable analogy is as follows:
Person A: Your house is vulnerable. Somebody could break in anytime he/she wants.
Person B: Is not!
Person A: Yes, it is. And I suggest you get it fixed before somebody takes advantage of it.
Person B: Proove it!
Person A: Puts hand on front door's doorknob, turns doorknob, pushes door open. See?
Person B: Dials 911 on his cell phone. Hello, I'd like to report that "Person A" just broke into my house, and I want to press charges.
Time flies like an arrow. Fruit flies like a banana.
>So, it'd be more like a closed, but not locked
>door, and on a hunch the guy went over and
>pushed the latch.
Ehh, maybe if he walked over, pushed the latch, then looked around inside for a while...
Finding an open lock isn't illegal - trespassing as a result of the open lock is.
They don't go into much detail about what he did with the open network during the time he knew about it, but what are the odds that he just ignored it and didn't report it till later cause it was on the back burner?
If they can demonstrate that he poked around, he broke the law.
-l
Only that the "Prove it" part didn't happen. Note he was not being prosecuted for demonstrating to the court official on the 18th, but rather for the initial breakin on the 8th which he did with no prodding.
So, analogy would be:
Person A: Your house is vulnerable. Somebody could break in anytime he/she wants.
Person B: Is not!
Person A: Yes it is. And suggest you get it fixed before somebody takes advantage of it.
Person B: Prove it!
Person A: Puts hand on front door's doorknob, turns doorknob, pushes door open. See?
Person B: Well I'll be. I'm glad you showed me before anyone else broke in.
Person A: No problem. By the way, I did the same thing last week; went into your house, rifled through your papers, drank your beer. No need to thank me.
Person B reaches for the cell phone...
He committed a crime while in the presence of a public official. It DOESN'T FUCKING MATTER what his "intent" was.
>>>>>
Actually, if I run down somebody in the presence of a public official, it matters. If there was intent, its murder (probably first degree because by inviting the official, it was premeditated). In that case, you are looking at the death penalty or life imprisonment. If it was an accident, its vechicular manslaughter, which is a misdemeanor in many places, so its community service and a fine or a short jail term.
A deep unwavering belief is a sure sign you're missing something...
Since when did we become slaves to exactly what the law said? The basis of our law system is that laws provide strong guidelines but judges are given a great deal of power exactly so that these kind of idiocies don't happen. The guy pointed out that the system was borked. He didn't do anything wrong in the process. The IT department should thank him for pointing out the flaw, fix it, and move on with their lives. The judge should have thrown out the case after a preliminary hearing because it was stupid. It's incredible that we've gotten to the point where we're intellectualizing these things so much (and both sides are at fault here, both people defending him and opposing him) that we're treating the law like the synactical rules of C++ rather than the very different rules of a human society.
A deep unwavering belief is a sure sign you're missing something...
Don't connect to gnutella either, you might be attempting to break federal trademark laws...
No, he did not perform the demonstration for Charles Bacarisse, who, is the closest thing to a Court official in this story. He performed the demonstration for Jennings the head of the County's Technology department.
Did Jennings have the authority to order Bacarisse to close down or secure his network, because it was putting the rest of the County's systems at risk? I suspect he did not. Or why wouldn't he have done so? Is it possible Jennings agreed to Puffer's demonstration in order to win a turf war with Bacarisse?
Note to all ethical hackers, script kiddies, and whistle-blowers: the US Government does not want your help. If you point out insecurities (glaringly obvious or otherwise) in any Government host or network, do not expect thanks. Instead, you should expect to be the subject of investigation.
.gov IP space is child's play.
There are three things one should consider when dealing with the US Government on information security issues. First, the US Government's business is law, not technology - they have much more understanding of the former than latter. Secondly, the US Government tends to not understand information security issues. Their expertise deals with government and Cold War policy - the modern infosec environment has aspects of that era... but it is quite different. Finally, the US Government is not interested in information security issues. Lets address these points.
Before going further on this rant... I'd like to make one qualifying statement. Like all large groups, there are individuals within various Government bureaucracies who are exceptions to these observations. I like to think I was one of them. And I know some excellent people working information security within their departments who defy the norm. But nonetheless, the norm does exist. Despite these excellent few examples, it is the leadership and the vast majority of management in US Government institutions who generate the following attitude.
The business of Government is not information technology, it is law. Any manager within Government is a bureaucrat in one way or another... including IT. One does not gain any such level of trust without understanding the political system in which one operates. This often leads to IT managers who have a limited familiarity with IT systems, but are very comfortable with rules and law. This can work for them if they're forced to fight for their environment's budget. If a Government agency is lucky, they have enough pull to win a decent budget and easily meet their needs. Many agencies are forced to make due on what little IT budget they are able to scrounge. This leads to few resources be it equipment or manpower. With this in mind, the highly skilled IT worker is few and far between within Government. And those few dedicated souls will likely be overworked.
Governmental infosec agents tend to have a physical security / Cold War background. They are used to dealing with entirely different environment than what is commonly found today. This leads to a slew of misconceptions, but we'll focus on a few specifics. They value secrecy over disclosure. They have a hard time accepting hacking (malicious or not) as entertainment / educational. They believe anybody exposing a system's vulnerabilities have only malicious motives.
I'd like to demonstrate these two points with a quick story. I was attending a monthly cross-contract infosec meeting for a large US Government facility. The meeting started with a nice presentation of a recent vulnerability and how to mitigate the threat. There were a few attentive audience members, but the vast majority sat there with a dazed look as the presentation washed over them. Then the local FBI agent stood up to make a presentation on a recent compromise of one of the facility labs. The lab manager was on hand to give testimony on the damage caused to his environment and the loss of resources to the FBI as they confiscated equipment to collect evidence for the future prosecution phase of the case. The room lit up. There were notes being taken, questions being asked and an overall enthusiasm for the process of catching the perpetrators of this damage. The interesting point was that this same manager had told me two months prior that he didn't wish to deal with any of the infosec procedures I had been suggesting as the changes would be "more disruptive than anything those hackers could do." If the audience in that room paid more attention, time, and funds to improving their security stance they would spend MUCH less time and funds in recovering from attacks. The point was always lost on them.
Finally, the Government is not interested in information security. If they were, they would fund it. And they don't. I would constantly hear phrases along the lines of "we would do that if we had the funding, but we can't spend that much time on that kind of activity without specific funding for it... and we've been trying to get funding for infosec, but can't." I always found it ironic when a defaced web page would include instructions from the attacker on how to secure the machine. Its not (always) that the sysadmin was incompetent and needed instruction. Often its that he/she doesn't have the time or permission to deal with it. The sad fact is that compromising
So what if you STILL want to blow the whistle? First, make it public and embarassing - nothing gets a beurocracy moving faster than public embarassment. That usually means the press. But the trick is to find a reporter you can trust to keep your identity anonymous. The last thing you want is an embarassed beurocrat trying to cover their tail by shifting the blame on to you.
And maybe he'll turn into a ostrich. Because, after all it no one TELLS you there's a problem then there isn't one. Right??
He sounds like a "security professional" who "demonstrates a flaw in the system" to a potential client. This is not the smartest way to win clients. It is embarassing.
Had he called their IT director, described the flaw to him in private, he chose to take it to the press first. He might actually have won business from the IT director had he been a little more professional about it.
Unfortunately, he chose to try and shock not only them, but the public as well.
He pulled an incredibly stupid stunt: did something illegal and told people about it. Don't you think he should've been arrested, too?
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
The fact that this writer could actually talk about "encrypting the airwaves" and "rid[ing] into the network" after researching this story says something. I'm not sure what, but I'm sure it's hysterical. In both senses of "hysterical."
Eternal vigilance only works if you look in every direction.
Except this is exactly what the guy did, and got arrested for.
funny munging
According to the Houston Chronicle article, it's obvious Puffer did more than benignly access the Courthouse's network. Where else could that pr0n picture on the clerk's office server have come from?
I wouldn't be suprised, the "consultants" get most of their pay from whoever made the hardware
1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcf
Good joke, it's relevant, read on. . .
A man is flying in a hot air balloon and realises he is lost. He reduces height and spots a man down below. He lowers the balloon further and shouts:
"Excuse me, can you tell me where I am?"
The man below says: "yes you're in a hot air balloon, hovering 30 feet above this field."
"You must work in I.T." says the balloonist.
"I do" replies the man. "How did you know."
"Well" says the balloonist, "everything you have told me is technically correct, but it's no bloody use to anyone."
The man below says "you must work in business."
"I do" replies the balloonist, "but how did you know?"
"Well", says the man, "you don't know where the hell you are, or where the hell you're going, but you expect me to be able to help. You're in the same position you were before we met, but now it's my fault."
1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcf
chose an example of crimes for which intent is built into the definition:
If there was intent, its murder...If it was an accident....
For various types of homicide, the crime is determined in part by intent. For illegal entry to a computer system, there is no such differentiation.
Evil is the money of root.
I guess those Houston police shouldn't bother prosecuting anyone who's crime doesn't rise to the level of the Enron looting. Priorities and all, you know.
Evil is the money of root.
while wardriving seems like a passive activity, he is actually running an application that alerts him that he has found a network. this makes it active, not passive. if it was simply a passive process, he would be sitting in one spot with his laptop, not ACTIVELY looking for a network to gain access to
I guess I was lucky. When I did this exact thing (and maybe a little more fun stuff ;) )
in our harmless local campus network while at school, I got into so much trouble,
you just cannot imagine!
The thing that I learnt very hard and sadly was that people in charge of making
decisions related to the networks hardly know any technical details. And they
always come down hard exactly because of their ignorance.
Anyway, at that point it put a dampener to my enthusiasm to find holes in systems.
And I am sure I will never find myself in the position this man found himself, thanks
to this enlightening experience!
Of course, it would be very nice if someone educated the lawmakers and buerocrats
a little bit more about the systems, security and technology in general.
(sigh)
DO NOT PANIC
A proper response would have been:
"Bummer. Well, stop war-driving; it could get you in hot water some day. We'll put out a public service anouncement through the local chamber of comerce to give businesses in the area a heads up."
Now you and I know that those businesses' IT folk should bloody well have known how insecure their wireless stuff was, but it is also the case that non-IT people purchase and use equipment that the IT people know nothing about.
Why does a court need a wireless LAN, and exactly how much taxpayer money went into installing the LAN in the first place?
!#@%*)anks for hanging up the phone, dear.
try explaining that to a court. the law does not care if the program passively finds connections (or rather connections find it) but the act of war driving is the active component and the court is going to say "the only purpose of wardriving is to find networks to hack into" there is a difference between wardriving and pinging. pinging serves non-hacking purposes, wardriving does not. And to answer your question, I have not wardriven but i would not anyway because i do not wish to have access to anybody else's networks without thier permission, don't want to get arrested for informing them thier networks are open, and i have better things to do with my time (such as posting these stupid arguments on slashdot) than drive around with a laptop trying to find open networks!
Since the 2.4Ghz. spectrum is unlicensed, just like CB radio or cordless phone bands, how can you possibly charge somebody with illegally receiving or transmitting in this range? Somebody correct me if I'm wrong, but is that not their explicit right so long as they use approved equipment and do not exceed FCC regulations on signal power? It's not like the court had exclusive permission to use this frequency. Similarly, what if this guy had switched off his 802.11 transmitter and just listened instead of actually interacting with the network?
It just seems ridiculous. If we're going to have unlicensed bands on the public airwaves, any expectations of privacy / security must be the burden of people using those bands, not law enforcement. This situation is entirely different than "wiggling door handles" because there is no trespass of private property involved.