Slashdot Mirror
WarTalking Arrest
PhotonSphere writes "Having helped organize HoustonWireless.org, this really caught my attention! A Houston computer security analyst has been charged with 'hacking' after demonstrating the insecurity of a court's wireless LAN! This happened Wednesday and is only now getting the attention of the wireless community. The Register has the full story."
He did access their network without permission.
Did they create a public network? Public as in accessible to the public without any reasonable indication or security that it is indeed a private network.
I think broadcasting a private network and letting people on it is akin to making a public network.
It isn't this guys fault they had to shut down their network, it is the people who set up the insecure network in the first case.
His biggest error probably was talking about it. He should have sold the info to some mobster gang. They'd probably be much more gratefull.
If at first you don't succeed, skydiving is not for you
This is something that many people in the InfoSec industry are worried about and more so in the current political environment. EVERY seminar, conference or training event I've been too, there has been someone standing there for twenty minutes lecturing everyone on covering your ass.
What bothers me is that the reason things like this happen is ignorance of non-techies and refusal to see things in a reasonable light. If you were in a bank with a locksmith, and he showed the bank manager that the locks they were using were insecure, the manager would thank the locksmith and change the locks. Show a business manager the exact same thing with their network and they might decide to have you arrested.
Whenever I'm going to show a client ANYTHING I get full written approval ahead of time to discuss or test their security, and I get written approval to discuss my findings. There have been times when I've found vulnerabilities and not said a damn word because the client refused to sign off.
It's sad, there are people out there - and I've worked for and with them often - who really believe in security through anonymity and believe they are acting in their best interests by alienating and prosecuting the people who can really protect their networks.
What I will admit however is that part of the problem rests with people who try to look smart and show off the security vulnerabilities in a smart-assed kind of way. As annoying as it sometimes is, you need to manage people's expectations, fears and prejudices.
At first I thought they were being a bit harsh until I took a closer look at the dates. He's accused of breaking into the network on the 8th, but not reporting it until the 18th. Now maybe he was unable to get an appoitment to see anyone, or maybe he took 10 days to poke around in the network and see what was there. He should have reported the insecurity immediately. The fact that he didn't is suspicious.
The network was totally wide open - no WEP and DHCP on ... anyone w/ an XP computer and built-in WiFi who turned their computer on would have automatically associated to the network, so what is Puffer's "crime?" He was demoing to a county official, don't forget. Meanwhile, Steve Balmer brags about stealing bandwidth with Bill Gates and gets applauded:
2 2/ 020722opcurve.xml
http://www.infoworld.com/articles/op/xml/02/07/
"For all his success at bringing Microsoft's warring constituencies together, there are still things beyond Bill and Steve's control. "I was in a hotel in Sun Valley last week that was not wired," Ballmer recalls. "So I turned on my PC, and XP tells me there is a wireless network available. So I connect to something called Mountaineer.
"Well, I don't know what that is. But I VPN into Microsoft. It worked! I don't know whose broadband I used," he chuckles. "I didn't see it in Bill's room. I called him up and said, 'Hey, come over to my room.' So soon everyone is there and connecting to the Internet through my room."
Chalk up another good day for Steve Ballmer, CEO. Bill Gates may be the chief software architect, but as Microsoft matures in the Ballmer era innovation in software shares the spotlight with teamwork.
"
Puffer had no permission to start cracking keys and browsing the microsoft shares (or whatever he did).
This is true. So why doesn't Harris County prosecute the case on these grounds? They seem to feel that their case is not strong enough without conjuring ludicrous claims that Mr. Puffer caused $5,000 in damages.
The claim of $5,000 arises entirely from the cost of taking down the network to secure it, not from any actual damage caused by Mr. Puffer. To say that Mr. Puffer caused $5,000 damages is to say that if it wasn't for him the Civil Courts Building could have left their 802.11 free and unsecured forever.
Worst of all, for all we know he did not do this to demonstrate anything.
You go, man! You're not afraid to tell it like it is! Now read the article. He accessed the network in a prearranged meeting with a newspaper reporter and a county official in the room. It's pretty safe to say he was taking part in a demonstration.
It's obvious that an indictment was not sought because of actual damages caused by the defendant. This case went to a grand jury because officials didn't want a newspaper story about how the Civil Courts Building decided to open their computer network to the whole world.
This isn't the first time the Houston Chronicle (which the Register references) has reported on this story. What they're leaving out in this article is that the county official that Puffer demonstrated the breakin to was, in fact, the equivalent of the head of IT for the county. So, one wonders if indeed that could be counted as having permission...
(I don't remember what his exact title was, and I don't remember the links offhand, but the official was definitely the head of the county's equivalent of an IT department.)
Just my $.02...
In related news, a local terrorist was arrested today, after he pointed out to the bank that their safe had a huge gaping hole leading to a back alley. He is charged with causing $50,000 worth of damage, the cost of repairing the hole.
So, let me get this straight. You happy people (non-tech) will put us in jail for attempting to help you use technology in a secure way, because you hate and fear us so much. You actually are prepared to alienate all of us (and imprison some of us) rather than deal with the embarassment of your own inability to use technology, and to willingly make it impossible for anyone to conduct IT security work in good faith. You want to make enemies of all of us, do you?
Have it your way.
"No, you read the article. He first broke in on March 8th then arranged his big expose on the 18th. Ten days of silence."
Ten days? Seems sinister. Could that possibly be roughly the amount of time it takes to get an appointment with the appropriate county employee?