WarTalking Arrest
PhotonSphere writes "Having helped organize HoustonWireless.org, this really caught my attention! A Houston computer security analyst has been charged with 'hacking' after demonstrating the insecurity of a court's wireless LAN! This happened Wednesday and is only now getting the attention of the wireless community. The Register has the full story."
We all know that it's illegal to teach things to people that could possibly be used for malicious purposes. We also know that pointing out flaws or weaknesses in computer systems is an activity reserved for terrorists and other 'undesirables'.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
Unless he was hired for the job, he deserves it.
Just because you *can* do something doesn't mean you *should*.
Tired of having all these people act like "well, it's not secure, so I should poke around."
Hey Taco! Looks like you're using the "infinite monkeys and typewriters" scheme to generate Ask Slashdots again...
He went about this wrong, he should have mentioned that he believed it was insecure and then with explicit permission demonstrated why he believes this is the case. If I walked up to a cop and said "This pop machine is insecure" and proceeded to kick it and then drink the soda that fell out do you think the cop would be happy I showed him that?
Maybe they should upgrade the charges to treason and sedition. Hacking is terrorism, after all, and this was rather insulting to the court.
If we all pretend the problem doesn't exist... maybe it will go away on its own? We'll just prosecute anyone who points out that we have a problem. Then, everything will be fine. I swear -- the intelligence in this country has gone right down the shitter in the last 25 years. We used to respect and honor knowledge. Now we simply make a mockery of it. I weep for my generation.
It's funny, already I'm seeing people saying this guy deserves what he gets... but if I was sitting on a bench in front of the courthouse with my laptop and found that I could access the network with little or no problem, I'd walk straight in there myself and let them know. I worked as a contractor at the Ministry of Health in Ontario for a bit, and you want to talk shoddy administration. It was hideous. And they have information like registries of people suffering from AIDS, or who is getting drug benefits and what claims they're making. Sure he might just be trying to drum up business, but if the end result is that it closes a serious security hole, more power to him.
Or do you really want your next door neighbor's son finding out about that fraternity prank that had you arrested for stealing a minivan full of sheep in your boxers or some other weird crime?
He did access their network without permission.
Did they create a public network? Public as in accessible to the public without any reasonable indication or security that it is indeed a private network.
I think broadcasting a private network and letting people on it is akin to making a public network.
It isn't this guy's fault they had to shut down their network, it is the people who set up the insecure network in the first case.
Why should I even care? A part of me wants to get all loud and stupid about this but Puffer had no permission to start cracking keys and browsing the microsoft shares (or whatever he did). Let them get burned on their own or if they're government go through the usual channels. No need to be 'Captain Wireless.'
Worst of all, for all we know he did not do this to demonstrate anything. The last time slashdot got up in arms about some supposed 'white hat' hacker it ended up being an excuse. In my experience it usually is an excuse. "Dude, I'm totally looking out for you when I hack your stuff!" No one should be that naive anymore.
This is something that many people in the InfoSec industry are worried about and more so in the current political environment. EVERY seminar, conference or training event I've been to, there has been someone standing there for twenty minutes lecturing everyone on covering your ass.
What bothers me is that the reason things like this happen is ignorance of non-techies and refusal to see things in a reasonable light. If you were in a bank with a locksmith, and he showed the bank manager that the locks they were using were insecure, the manager would thank the locksmith and change the locks. Show a business manager the exact same thing with their network and they might decide to have you arrested.
Whenever I'm going to show a client ANYTHING I get full written approval ahead of time to discuss or test their security, and I get written approval to discuss my findings. There have been times when I've found vulnerabilities and not said a damn word because the client refused to sign off.
It's sad, there are people out there - and I've worked for and with them often - who really believe in security through anonymity and believe they are acting in their best interests by alienating and prosecuting the people who can really protect their networks.
What I will admit however is that part of the problem rests with people who try to look smart and show off the security vulnerabilities in a smart-assed kind of way. As annoying as it sometimes is, you need to manage people's expectations, fears and prejudices.
At first I thought they were being a bit harsh until I took a closer look at the dates. He's accused of breaking into the network on the 8th, but not reporting it until the 18th. Now maybe he was unable to get an appointment to see anyone, or maybe he took 10 days to poke around in the network and see what was there. He should have reported the insecurity immediately. The fact that he didn't is suspicious.
The Mongrel Dogs Who Teach
So, just break back in, and erase the record of the charge.. duh..
What is it going to take for people to realize that they need to lock down their systems -- the digital equivalent of 9/11? Honestly, it seems the government can't accept any criticism of its systems, or act on the information at all........ and instead of fixing the problem, they decide to prosecute instead.
Pretty deranged, IMHO.
Search first, ask questions later.
The person charged was not acting maliciously, did not cause any damage (what is claimed is bogus), and his actions were willfully disclosed in good faith. He got the raw deal...
SIG: HUP
Stefan Puffer, 33, was indicted by a Grand Jury on Wednesday with two counts of burglary for allegedly breaking into Harris County district clerk's offices. It's believed to be the first case of its kind in the US.
Puffer, who was employed briefly by the county's security department in 1999, could get five years in jail and faces a $250,000 fine on each count if convicted, the Houston Chronicle reports.
He's accused of accessing the offices March 8 in an alleged intrusion that cost the county a reported $5,000 to clean up.
District Clerk Charles Bacarisse told the paper that no confidential paperwork was disclosed but the alleged intrusion eventually resulted in the county closing its new offices only a month after they were opened.
But is the prosecution a case of shooting the messenger?
On March 18, Puffer demonstrated to a county official and a Chronicle reporter how easy it was to gain access to the court's offices using only a hammer and paperclip. Puffer first noticed the problem while scanning for insecure homes and offices throughout Houston earlier that month, around the time that the alleged offence took place.
Would you be upset at the above news story?
Really folks, with a $4 hammer, you'd be surprised at how "insecure" most homes are! Have you ever heard of a "white hat" burglar?
I have no problem with your religion until you decide it's reason to deprive others of the truth.
The network was totally wide open - no WEP and DHCP on ... anyone w/ an XP computer and built-in WiFi who turned their computer on would have automatically associated to the network, so what is Puffer's "crime?" He was demoing to a county official, don't forget. Meanwhile, Steve Ballmer brags about stealing bandwidth with Bill Gates and gets applauded:
http://www.infoworld.com/articles/op/xml/02/07/22/020722opcurve.xml
"For all his success at bringing Microsoft's warring constituencies together, there are still things beyond Bill and Steve's control. "I was in a hotel in Sun Valley last week that was not wired," Ballmer recalls. "So I turned on my PC, and XP tells me there is a wireless network available. So I connect to something called Mountaineer.
"Well, I don't know what that is. But I VPN into Microsoft. It worked! I don't know whose broadband I used," he chuckles. "I didn't see it in Bill's room. I called him up and said, 'Hey, come over to my room.' So soon everyone is there and connecting to the Internet through my room."
Chalk up another good day for Steve Ballmer, CEO. Bill Gates may be the chief software architect, but as Microsoft matures in the Ballmer era innovation in software shares the spotlight with teamwork."
On one hand, they are trying to charge him for what it cost them the insecure system, now that they've had to discontinue it. That's really asinine. It's like buying a Corvair, and then suing Ralph Nader after he publishes "Unsafe At Any Speed".
On the other hand, it sets a nice precedent for when the cable companies come snooping around, trying to enforce against "connection sharing" when people set up unsecured wireless access points on the end of a cable modem connection.
AT&T: We're disconnecting you for running an insecure access point.
Customer: I'm suing you for proving my network is insecure; thanks, Stefan Puffer!
-- Terry
Damnit, my license is at stake here!
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
This isn't the first time the Houston Chronicle (which the Register references) has reported on this story. What they're leaving out in this article is that the county official that Puffer demonstrated the break-in to was, in fact, the equivalent of the head of IT for the county. So, one wonders if indeed that could be counted as having permission...
(I don't remember what his exact title was, and I don't remember the links offhand, but the official was definitely the head of the county's equivalent of an IT department.)
Just my $.02...
What if I were to get a directional antenna, and beam my wireless network in the general direction of the court building? And of course, set up a DHCP server and use no encryption and all the default workgroups. Could I then charge them for breaking into my wireless network?
Same question goes with a neighbor? Can I charge my neighbor for hacking into my network? Is it my responsibility to line my walls with aluminum foil so my signal doesn't go out? Or is it his responsibility to line his walls so he doesn't accidentally hack into someone else's network?
Karma: SELECT `karma` FROM `users` WHERE `userid`=138474;
So, let me get this straight. You happy people (non-tech) will put us in jail for attempting to help you use technology in a secure way, because you hate and fear us so much. You actually are prepared to alienate all of us (and imprison some of us) rather than deal with the embarrassment of your own inability to use technology, and to willingly make it impossible for anyone to conduct IT security work in good faith. You want to make enemies of all of us, do you?
Have it your way.
He sounds like a "security professional" who "demonstrates a flaw in the system" to a potential client. This is not the smartest way to win clients. It is embarrassing.
Had he called their IT director, described the flaw to him in private, he chose to take it to the press first. He might actually have won business from the IT director had he been a little more professional about it.
Unfortunately, he chose to try and shock not only them, but the public as well.
He pulled an incredibly stupid stunt: did something illegal and told people about it. Don't you think he should've been arrested, too?
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"