WarTalking Arrest

PhotonSphere writes "Having helped organize HoustonWireless.org, this really caught my attention! A Houston computer security analyst has been charged with 'hacking' after demonstrating the insecurity of a court's wireless LAN! This happened Wednesday and is only now getting the attention of the wireless community. The Register has the full story."

Ignorance is bliss.

[papasui]

He went about this wrong, he should have mentioned that he believed it was insecure and then with explict permission demonstrated why he believes this is the case. If I walked up to a cop and said "This pop machine is insecure" and proceeded to kick it and then drink the soda that fell out do you think the cop would be happy I showed him that?

Re:Ignorance is bliss.

[gilroy]

Blockquoth the poster:

If I walked up to a cop and said "This pop machine is insecure" and proceeded to kick it and then drink the soda that fell out do you think the cop would be happy I showed him that?

If I go up to a soda-machine owner and say, "This machine gives out free Cokes", then press a button and watch a Coke drop, should I expect to go to jail?? Maybe I'm old fashioned, but I would expect the soda-machine owner to be grateful that someone pointed out the flaw, so that it could be fixed.

But of course, in this case, it would require the government to admit that there had been a mistake, that confidential data conceivably might have gotten out without them knowing it, and that they weren't competent enough to detect the hole themselves. And that's why, instead, he's being charged.

My questions

[nuggz]

He did access their network without permission.
Did they create a public network? Public as in accessible to the public without any reasonable indication or security that it is indeed a private network.

I think broadcasting a private network and letting people on it is akin to making a public network.

It isn't this guys fault they had to shut down their network, it is the people who set up the insecure network in the first case.

No need for free security consultants

[gad_zuki!]

Why should I even care? A part of me wants to get all loud and stupid about this but Puffer had no permission to start cracking keys and browsing the microsoft shares (or whatever he did). Let them get burned on their own or if they're government go through the usual channels. No need to be 'Captain Wireless.'

Worst of all, for all we know he did not do this to demonstrate anything. The last time slashdot got up in arms about some supposed 'white hat' hacker it ended up being an excuse. In my experience it usually is an excuse. "Dude, I'm totally looking out for you when I hack your stuff!" No one should be that naive anymore.

Re:No need for free security consultants

[corby]

Puffer had no permission to start cracking keys and browsing the microsoft shares (or whatever he did).

This is true. So why doesn't Harris County prosecute the case on these grounds? They seem to feel that their case is not strong enough without conjuring ludicrous claims that Mr. Puffer caused $5,000 in damages.

The claim of $5,000 arises entirely from the cost of taking down the network to secure it, not from any actual damage caused by Mr. Puffer. To say that Mr. Puffer caused $5,000 damages is to say that if it wasn't for him the Civil Courts Building could have left their 802.11 free and unsecured forever.

Worst of all, for all we know he did not do this to demonstrate anything.

You go, man! You're not afraid to tell it like it is! Now read the article. He accessed the network in a prearranged meeting with a newspaper reporter and a county official in the room. It's pretty safe to say he was taking part in a demonstration.

It's obvious that an indictment was not sought because of actual damages caused by the defendant. This case went to a grand jury because officials didn't want a newspaper story about how the Civil Courts Building decided to open their computer network to the whole world.

Re:No need for free security consultants

[startled]

"No, you read the article. He first broke in on March 8th then arranged his big expose on the 18th. Ten days of silence."

Ten days? Seems sinister. Could that possibly be roughly the amount of time it takes to get an appointment with the appropriate county employee?

Re:Deserved it.

[Khazunga]

It just depends on *how* insecure it really was. If it was really bad, driving around with a wireless-enabled laptop running XP could result in a five-year jail sentence. With XP's automatic wireless lan setup and all.

His biggest error probably was talking about it. He should have sold the info to some mobster gang. They'd probably be much more gratefull.

Serious Consequences fo InfoSec People

[Inexile2002]

This is something that many people in the InfoSec industry are worried about and more so in the current political environment. EVERY seminar, conference or training event I've been too, there has been someone standing there for twenty minutes lecturing everyone on covering your ass.

What bothers me is that the reason things like this happen is ignorance of non-techies and refusal to see things in a reasonable light. If you were in a bank with a locksmith, and he showed the bank manager that the locks they were using were insecure, the manager would thank the locksmith and change the locks. Show a business manager the exact same thing with their network and they might decide to have you arrested.

Whenever I'm going to show a client ANYTHING I get full written approval ahead of time to discuss or test their security, and I get written approval to discuss my findings. There have been times when I've found vulnerabilities and not said a damn word because the client refused to sign off.

It's sad, there are people out there - and I've worked for and with them often - who really believe in security through anonymity and believe they are acting in their best interests by alienating and prosecuting the people who can really protect their networks.

What I will admit however is that part of the problem rests with people who try to look smart and show off the security vulnerabilities in a smart-assed kind of way. As annoying as it sometimes is, you need to manage people's expectations, fears and prejudices.

Damning evidence?

[balthan]

At first I thought they were being a bit harsh until I took a closer look at the dates. He's accused of breaking into the network on the 8th, but not reporting it until the 18th. Now maybe he was unable to get an appoitment to see anyone, or maybe he took 10 days to poke around in the network and see what was there. He should have reported the insecurity immediately. The fact that he didn't is suspicious.

Re:Damning evidence?

[geoswan]

At first I thought they were being a bit harsh until I took a closer look at the dates. He's accused of breaking into the network on the 8th, but not reporting it until the 18th.

I read the July 24th Houston Chronicle article and the March 21st article too. The Cheif County Clerk seems to be saying that one (1) pornographic picture found on one (1) of his department's poorly secured computers was the sole damage found. He claims it cost $5,000 to fix the damage he accuses Puffer (the whistleblower) of causing.

With a network as poorly secured as his practically anyone with a wifi card could have uploaded that picture.

If any repercussions should come anyone's way over this incident I don't understand why the first candidate isn't Charles Bacarisse, the County's District Clerk. Bacarisse claims that none of the computers under his administration could have been seriously damaged by the penetration of war-drivers. Okay, but am I mis-reading the Chronicles quotes from him? Doesn't he seem to have been completely oblivious to the vulnerability his insecure testing was opening to the rest of the computers on the County's system?

We have seen this before, with Randal Schwartz's ordeal at Intel. This comp.security article contains a contemporary account of his "crimes".

The lesson seems to be that no matter how well intentioned you are, the only safe way to report a security vulnerability is if you can find a way to do so anonymously.

Re:where do they get these numbers??

[gilroy]

Blockquoth the poster:

he alleged intrusion eventually resulted in the county closing its wireless LAN only a month after it was activated

the associated cost of dismantling the service is going to add up to at least five grand. I'm surprised it's not more

So, because the county installed a stupid system and was forced to shut it down, this guy is liable? There doesn't seem to be any accusation that he made the system (more) insecure. They just seem peeved that he actually demonstrated an existing insecurity, that mandated a reversal of policy. Shoot enough messengers and soon no one will bother you with news about bad things. And of course that means bad things will cease to exist.

People are afraid of being proven wrong

[Ride-My-Rocket]

What is it going to take for people to realize that they need to lock down their systems -- the digital equivalent of 9/11? Honestly, it seems the government can't accept any criticism of its systems, or act on the information at all........ and instead of fixing the problem, they decide to prosecute instead.

Pretty deranged, IMHO.

Bullshit

[autocracy]

Mr. Puffer (?) should never have been charged with this crime. The suits at the courthouse are mad because their fancy new wireless network they built to keep up the with the times wasn't taken care of properly and possibly isn't suitable for them. How it cost them $5k to "clean it up" is beyond me. Of course it costs more money to do it right - but how do you expect to claim that as "cleanup?"

The person charged was not acting maliciously, did not cause any damage (what is claimed is bogus), and his actions were willfully disclosed in good faith. He got the raw deal...

Balmer Steals Access and Brags About It

[lincomatic]

The network was totally wide open - no WEP and DHCP on ... anyone w/ an XP computer and built-in WiFi who turned their computer on would have automatically associated to the network, so what is Puffer's "crime?" He was demoing to a county official, don't forget. Meanwhile, Steve Balmer brags about stealing bandwidth with Bill Gates and gets applauded:

http://www.infoworld.com/articles/op/xml/02/07/2 2/ 020722opcurve.xml

"For all his success at bringing Microsoft's warring constituencies together, there are still things beyond Bill and Steve's control. "I was in a hotel in Sun Valley last week that was not wired," Ballmer recalls. "So I turned on my PC, and XP tells me there is a wireless network available. So I connect to something called Mountaineer.

"Well, I don't know what that is. But I VPN into Microsoft. It worked! I don't know whose broadband I used," he chuckles. "I didn't see it in Bill's room. I called him up and said, 'Hey, come over to my room.' So soon everyone is there and connecting to the Internet through my room."

Chalk up another good day for Steve Ballmer, CEO. Bill Gates may be the chief software architect, but as Microsoft matures in the Ballmer era innovation in software shares the spotlight with teamwork.
"

I am incredibly torn on this...

[tlambert]

On one hand, they are trying to charge him for what it cost them the insecure system, now that they've had to discontinue it. That's really assinine. It's like buying a Corvair, and then suing Ralph Nader after he publishes "Unsafe At Any Speed".

On the other hand, it sets a nice precedent for when the cable companies come snooping around, trying to enforce against "connection sharing" when people set up unsecured wireless access points on the end of a cable modem connection.

AT&T: We're disconnecting you for running an insecure access point.

Customer: I'm suing you for proving my network is insecure; thanks, Stefan Puffer!

-- Terry

I'm interested.

[DarkHelmet]

Whatever hole he found, I'd be willing to buy it from him. There are a couple speeding tickets I need cleared.

Damnit, my license is at stake here!

Re:Deserved it.

[wandernotlost]

> Unless he was hired for the job, he deserves it.

That's absolutely absurd. The man simply brought to the attention of the clerk the fact that its network was insecure. That a person is prosecuted for trying to point out a potentially dangerous security flaw shows the extent to which this country has fallen into a legal and intellectual paralysis. He should be hailed as a good samaritan looking out for the safety of the county's information!

From the original article:

District Clerk Charles Bacarisse said no files were compromised, but the county had to shut down the wireless system about a month after it was set up.

It appears that there was no malicious action or intent on the part of Mr. Puffer, but rather that the clerk's office is upset because someone discovered its incompetence. What would have happened if someone truly malicious had stumbled upon this network? To what ends could he or she have used the information found?

If you broadcast your network all over your block unprotected, you shouldn't be surprised when someone discovers it and pokes around. Plain and simple. What about those that willingly open their networks to the public? Should we make free public access illegal, so that fools like this can remain under their rocks and pretend that no one can see their secrets?

One omission in the articles...

[D'Arque+Bishop]

This isn't the first time the Houston Chronicle (which the Register references) has reported on this story. What they're leaving out in this article is that the county official that Puffer demonstrated the breakin to was, in fact, the equivalent of the head of IT for the county. So, one wonders if indeed that could be counted as having permission...

(I don't remember what his exact title was, and I don't remember the links offhand, but the official was definitely the head of the county's equivalent of an IT department.)

Just my $.02...

Re:One omission in the articles...

[D'Arque+Bishop]

(I don't remember what his exact title was, and I don't remember the links offhand, but the official was definitely the head of the county's equivalent of an IT department.)

I just found an older link. It was Steve Jennings, head of the County Technology Department. Also, the article shows just exactly how badly Bacarisse reacted, inclusing saying "hackers, terrorists or anyone else intending harm would be detected long before they could do any damage or use the system illegally."

You can read the rest for yourself here.

Just my $.02...

Re:One omission in the articles...

[_Sprocket_]

This is quite facinating. There are a couple really important statements made in that article:

The network had not yet been set up, they said, and neither Puffer nor anyone else could have done any damage.
...
But because the county's main system and the independent one run by Bacarisse are connected, Puffer was able to show Jennings that he could get information about the county computer network.
...
Bacarisse said his staff found a pornographic picture on one of its servers Tuesday that he suspected was planted by Puffer. He said he would refer the incident to the District Attorney's Office.
...
Bacarisse accused Jennings of giving Puffer information to help him access the system and hinted that Jennings was trying to use the demonstration to increase his authority over systems that he didn't control.

Jennings and Puffer vehemently denied that.

These quotes lead to a lot of questions. If this was a test network that couldn't present any threat to the government's network... how come Puffer was able to access the County network? Furthermore, why is Puffer being convicted? And how would he have been able to post a pornographic photograph?

This has all the markings of beurocratic infighting. A techie quiting after a short, stormy tenure. A beucrocrat implementing an insecure network and assuring that it was no threat... and then convicting on charges of altering government systems. And that same beurocrat accusing another government worker of moving in on his personal feifdom.

The only thing I'm suprised is that after having seen the insides of all this, Puffer was stupid enough to make his name known. Big hint to whistle-blowers: use the press and insist on being anonymous.

Re:Deserved it.

[flonker]

In related news, a local terrorist was arrested today, after he pointed out to the bank that their safe had a huge gaping hole leading to a back alley. He is charged with causing $50,000 worth of damage, the cost of repairing the hole.

Cyberphobia strikes again

[stinky+wizzleteats]

So, let me get this straight. You happy people (non-tech) will put us in jail for attempting to help you use technology in a secure way, because you hate and fear us so much. You actually are prepared to alienate all of us (and imprison some of us) rather than deal with the embarassment of your own inability to use technology, and to willingly make it impossible for anyone to conduct IT security work in good faith. You want to make enemies of all of us, do you?

...dusts off black hat...

Have it your way.

Re:Cyberphobia strikes again

[hklingon]

I want to go to lawschool for this very reason. I had an interesting debate a few months ago, which has expanded onto several threads of thought. Consider the following:
1. Is it legal if someone hires you to kill them?
2. Is it legal if someone hires you to destroy some of their property?
3. If someone hires you to simply annoy them, what then? (i.e. a "crime" that does no measurable damages)
4. What happens if observe that a crime could easily be commited, and yet you do nothing?
5. What if you have advance knowledge of a crime, and do nothing?

There are two things working against techies: 1. Social engineering (direct or indirect) works on law enforcement with reguard to technology issues because they simply aren't trained. If the head of IT for a city or other "important" person calls and tells the law to arrest someone based on some obscure log printout, the law will probably be able to do so. 2. No one understands technology, except you, and well, no one will listen to you when you stand accused. Unlike other scuffles, the cops can't examine the situation and determine for themselves the severity and how to handle it.*

Clearly, #1 is illegal. Based on many cases in CA, VA it would seem that even if you have papers signed by the CTO and CEO , and you do a full security audit you can still be arrested. (Remember the case in CA where the guy did social engineering and took pictures of the server room -- thats it. He's serving a 1 year prison sentence. The board of directors and the President of the company sent him up -- the CTO and CEO resigned.) "Breaking the law is still breaking the law, irregardless of intent..." is what the prosecution successfully ordered. But whats the analogy for wireless? An english school boy standing on your lawn with a bell yelling about how you never lock your house when you leave that only some people can hear? Or is the better analogy like going up to someone's door, rattling it, then discovering that there is no lock? Its all a matter of politics and twisted truths -- not really the crucible that should burn all that away.

Re:Deserved it.

[mrzaph0d]

i think its closer to this:

a company develops a new lock that makes it easier for anyone in the house to open the door. instead of using a key they can just wiggle the lock a certain way and they're in. someone notices that all these locks are made the same, and all that is required to get into the house is this same "wiggle". this person notices that these locks are in use at a government building. fearing that any criminal could get in, he rounds up a government official and a reporter and shows them how easy it is for anyone to get in. he then gets arrested for breaking and entering.