AOL Employee Arrested in Spam Scheme
LostCluster writes "The AP, Reuters, and AOL's own CNN/Money are all reporting that AOL employee Jason Smathers has been arrested and accused of taking a list of 92 million screennames from the internal AOL system, and selling it to another man, who allegedly used it 'to promote his own Internet gambling business and also sold the list to other spammers for $52,000'. Not surprisingly, Smathers has been fired."
"You've Got Spam!"
That they didn't pay more for the list. I mean, the names of 92 million really clueless people who think AOL is "that thar interweb" would probably buy V1@GR@ by the case. Jesus, it would be a spammer's wet dream!
And $25,000 seems a tad...low.
A blog like any other.
You've Got Jail!
"BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
Aren't we supposed to wait for someone to be found guilty before punishing them?
How did this guy have such easy access to the database of screen names?
Now imagine how much personal info is being sold overseas from outsourced companies.
You would think there would be limitations on HOW an employee could access such a large database. I mean, does AOL throw out CDs with conveniently formatted lists of all the screen names of its customers?
AOL Sucks. Film at eleven.
Seriously, is anybody surprised when this happens? I think this happens *all the time*. This time, the kid got caught.
I hope the guy that sold the list burns in AOHell. ba-da-bum.
All they did was just fire him?!?!?!? He should have been sent to prison for 25 years too!
Red Bull gave me wings and I flew into the ceiling fan.
..didn't a bunch of airlines admit to (basically) the same thing? no arrests there..
--BlueLines "The cost of living hasn't affected its popularity." -anonymous
Wonder how many offers of penile enhancement before they grab virtual rope and look for a virtual tree. :-)
Also wonder how much Google will charge to filter out searches for the name "Jason Smathers".
-"Duck!"... "Rabbit"
I mean comeon, these are AOL users...
These people are half the reason spam exists with their click anything that comes in mentality.
with large, easily searched and copied databases of highly consolidated private data.
The primary issue to be feared is not that someone who isn't trusted with the data will get ahold of it, but that someone who is trusted with the data will turn out to be untrustworthy.
The same goes for backdoors. I'm not half so worried about some script kiddie hacking my router as I am some employee/former employee of Cisco simply walking right in.
KFG
Spam is the most wonderful thing in the world. Without spam, my life would be boring and meaningless. It tells me about the latest product innovations, about my lottery winnings and about ways to get a university degree or to become an ordained minister. I won't even talk about the length of my dick, although you may feel free to ask.
Let's face it - spam is the spice of life. It is truly one of the great innovations of the Internet age.
Hi.
I'm the government. I can't do anything prison-like or fine-like to you without convicting you first.
Hi.
I'm your employer. Unless you have a contract stating otherwise, odds are you're an at-will employee, which means *I can fire you for just about any reason I want*.
---
Mod me down, you fucking twits. Go ahead. I dare you.
(I read with sigs off.)
It's well known that you can invent "unguessable" accounts at hotmail, e.g. rmgdrduckk5arp@hotmail.com, and never join any mailing list or submit your name to any website or allow MSN to list you in the Hotmail User Directory, and yet within a few days or weeks your account will miraculously begin receiving offers from mail order brides, pills, porn, and so on. I've long suspected that someone working for Hotmail is making money on the side by downloading the user list once a week and selling it to spammers. Which is why my hotmail accounts have lapsed and I mainly use my yahoo or Gmail accounts.
Hollywood, Television, has become the dream machine. We need to take that back; each of us is a Dream Machine
I say make him answer AOL tech support phone calls. He'll beg for jail time after about a week.
reason not to use AOL.
As a computer, I am amused by the faith you have in technology.
I hope his punishment includes the jailer "jacking up the jail and throwing him under it". Seriously, if this was the EU, he would seriously be screwed. Why does the US think privacy is such an unimportant issue (CAPPS II anyone)??
... each one of those 92 million victims should be allowed to kick him in the nuts.
% wc -l /etc/passwd /etc/passwd
184533
...what the charge was? What's illegal about what he did?
More details about the scheme are available at CBS Marketwatch.
News just in :
In response to this 99% of AOL members surveyed who received the e-mail clicked on the link and frittered many dollars away at the casino making spam profitable and so continuing the downward spiral of e-mail.
One user replied saying : "I trust AOL so much when it comes to spam, they always send me the top dollar stuff like penis enlargement pills and always ask me to change my password on non secure sites and ask for my credit card as my account has been hacked. They care so much"
It's really no surprise that this sort of thing would come out of AOL. Considering that they're much more concerned with profits than providing even a half-decent service at a fair price, it's a wonder they actually caught this tool. Of course, AOL users bring a lot of this shit on themselves. If people used common sense (which I am convinced does not exist in most of the world), life would be so much easier.
Is that it will be quickly followed by.
Welcome!
"You've got Bail!"
Slashdot, home of supporters of free software, free music, and free speech. Except for Moderators that disagree with you.
What worries me is that there could easily be many more employees doing this - not just at AOL, but at other ISPs as well. However, I'm willing to bet that AOL isn't going to hunt for any other people like this doing it. Unless they're made aware of other inside jobs of this, they'll probably stay happily oblivious to anyone else wanting to make a fast buck.
And tomorrow the stock exchange will be the human race
Okay the guy has been arrested and fired, but what about those names already sold to spammers?
In the article AOL didn't seem to mention what they are doing to protect the victims, except "they are thoroughly reviewing and strengthening our internal procedures".
Is this good enough? Sometimes you can punish the offender enough to compensate the victims.
Rock that crushes, Paper & Scissors that don't matter.
An interesting way to look at this is consider the age of the people involved. The engineer was 24 and the Casino guy was 21. IT, notorious for age discrimination in favor of young, bright-eyed types, may actually be introducing a greater security risk with the practice.
I remember when I was in my early 20s and let's just say I didn't have a lot to lose... and everything to gain from taking a chance here and there. By placing less mature workers into places where personal ethics and great responsibility collide, you're asking for issues just like this.
I don't mean to indict all younger workers. Certainly most are good employees; I've hired many younger people without trouble. But as a percentage of population, the younger I expect to make more 'mistakes', both simple errors and errors in judgment.
My two bits...
SCB
Soooo grease!
And talk about a PR disaster...
and what is wrong with firing people at will?
they are firing you, they aren't imprisoning you, just go get another job
a company that can't fire people at will is a company that will be burdened by excessive, redundant and unnecessary employees, and will cease to be efficient or make money
a job is not a constitutional right, a job is a privilege that you must work hard at to maintain
a world where you just get a job for just being you is a world that exists only in your imagination
but if it will make you feel better, you can go ahead and flame me for this post, but there is a saying and it has something to do with shooting the messenger...
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Cellmate named Gerome who has been working out in the yard for the past half of his 20 year sentence and he's looking mighty hard at your well-fed, sedentary, badonka-donk behind.
soundclip
HIV Crosses Species Barrier... into Muppets
I've created hotmail accounts with crypto-hard random usernames, not listed anywhere, and almost immediately started receiving spam to them.
it seems to really only happen on new accounts though. old hotmail accounts don't seem to get spam, if you don't publish them anywhere.
it's entirely possible someone has recently (within the last few years) backdoored hotmail's account creation system to notify them of new accounts, which would explain why old accounts don't get any spam.
You have the list with 92 million screennames? Ex----cellent, Smathers.
Blogging Weight Loss, Distance Education, and more at verlin.com
Damn Cruel and Unusual clause will stop it. I mean somethings are just too inhumane. He's ONLY a spammer....
Slashdot, home of supporters of free software, free music, and free speech. Except for Moderators that disagree with you.
This AOL employee only made $0.0005652174 per e-mail address he sold. Is that anywhere near the fair market list for e-mail lists? Seems a bit low, but then again IANAS (I am not a spammer).
"There is no spoon." - The Matrix
Smathers! Bring me the list of AOL subscribers!
*taps fingers expectantly*
Excellent...
Based on a recent e-mail offering 5 million verified addresses for $300, the value of a single address should be 6 thousandths of a cent. The guy who paid $25,000 is the one who got ripped off- proper value of 92 million verified e-mail addresses at 6 thousandths of a cent per name is $5,520.....
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
Actually, he'll beg for execution, not jail!
Reception of stolen property? Industrial Espionage? Violation of consumer privacy? anti-spam laws?
This case presents an interesting opportunity. If some of those 92 million names were faked, AOL-internal-only addresses (i.e., no outsider ever had them or ever could have them) then anyone caught using or selling them is guilty of accepting or selling stolen property. Any email arriving to a never-released, but stolen name would let AOL and authorities track the spammer network and subpoena spam-using e-commerce sites to reveal the identity of marketing affiliates.
Two wrongs don't make a right, but three lefts do.
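The seeded-decoy idea in the post above, written out as an added example (not code from the thread, from AOL, or from any named product): each export of an address list gets a few canary addresses derived by HMAC from the export id, so a later delivery to a canary proves which export leaked. The domain, key, sample addresses and the simplified mail-log format are all assumptions constructed for this example.

```python
"""Canary (honeytoken) addresses for detecting use of a leaked address list."""
import hashlib
import hmac
import re
from collections import defaultdict

DOMAIN = "example.com"                 # assumed local domain for the decoys
SECRET = b"rotate-me-per-deployment"   # assumed HMAC key, kept outside the list store


def canary_localpart(export_id: str, index: int) -> str:
    """Derive a decoy screen name that looks ordinary but cannot be guessed.

    Keying on (export_id, index) means the decoys can be regenerated from the
    key alone, so nothing that identifies them is stored beside the exported
    list, and someone holding only the list cannot tell decoys from real users.
    """
    tag = hmac.new(SECRET, f"{export_id}:{index}".encode(), hashlib.sha256).hexdigest()
    # 5 letters + 4 digits resembles an auto-assigned screen name (assumed shape).
    letters = "".join(chr(ord("a") + int(tag[i:i + 2], 16) % 26) for i in range(0, 10, 2))
    digits = str(int(tag[10:18], 16) % 10000).zfill(4)
    return f"{letters}{digits}"


def seed_export(real_addresses, export_id, n_canaries=3):
    """Return (seeded_list, registry) where registry maps canary -> export_id.

    Decoys are spread through the list rather than appended, so a truncated or
    sampled copy of the export still carries at least one of them.
    """
    registry = {f"{canary_localpart(export_id, i)}@{DOMAIN}": export_id
                for i in range(n_canaries)}
    seeded = list(real_addresses)
    for i, addr in enumerate(registry):
        pos = (i + 1) * len(seeded) // (n_canaries + 1)
        seeded.insert(pos, addr)
    return seeded, registry


# Simplified, constructed log line shape (assumption, not a real MTA format):
#   ... from=<sender> ... to=<recipient> ...
LOG_LINE = re.compile(r"from=<(?P<sender>[^>]*)>.*?to=<(?P<rcpt>[^>]+)>")


def find_canary_hits(log_lines, registry):
    """Return {export_id: [(canary_rcpt, sender), ...]} for deliveries to decoys."""
    hits = defaultdict(list)
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        rcpt = m.group("rcpt").lower()
        if rcpt in registry:
            hits[registry[rcpt]].append((rcpt, m.group("sender")))
    return dict(hits)


if __name__ == "__main__":
    # Constructed sample data: ten fake users, one export, two fake log lines.
    users = [f"user{i}@{DOMAIN}" for i in range(10)]
    seeded, registry = seed_export(users, "export-2004-06-A")
    decoy = next(iter(registry))
    sample_log = [
        f"Jun 24 10:01:02 mx postfix/smtp[1]: from=<promo@casino.invalid> to=<{decoy}> status=sent",
        f"Jun 24 10:01:03 mx postfix/smtp[1]: from=<friend@other.invalid> to=<user3@{DOMAIN}> status=sent",
    ]
    for export_id, deliveries in find_canary_hits(sample_log, registry).items():
        print(f"export {export_id} is being used: {deliveries}")
```

Because the canaries are reproducible from the key and export id, the registry can be rebuilt at investigation time instead of being kept alongside the exported data it protects.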
no big deal, your submission will show up as a dup tomorrow
Leave?
Guess I should have RTFA'd first. This idiot paid $100,000 for the updated, verified list. That's a 1,812% markup of the street price. WHAT AN IDIOT!
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
And there are no closed union shops in Virginia - you want to work somewhere, the company wants to hire you - no one can force to you join a union. Heck, even on the Washington Redskins - which is legally a Virginia company - players tend not to pay NFLPA union dues....
About the only useful info a cracker would find in /etc/password is usernames, and if he can see that file to begin with, he's already got a login.
Yeah, and a huge list of email addresses. In the case of the grandparent, about 183,000.
If I understand correctly, California has a law that requires a company to contact each customer that was affected by disclosure of information due to a security problem. I wonder what that'll cost AOL.
I'm also interested if the spammers the casino guy resold the list(s) to will also be prosecuted for purchasing stolen goods. At a minimum, they should be publicly identified.
92 million verified AOL email addresses, well, that's pure gold. You know if they're an AOL subscriber, they're a sucker anyway...
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Put the right address on it, and no one would notice....
The primary issue to be feared is not that someone who isn't trusted with the data will get ahold of it, but that someone who is trusted with the data will turn out to be untrustworthy.
They're both major concerns.
In fact, they're just two sides of the same problem: that personal information can and will be used inappropriately. We worry about rogue employees and about black hats. But we also worry about entire corporations, and about the government. See today's story about airlines sharing far more data than they previously admitted with the TSA.
Ah! You've discerned that the common word for unsolicited bulk email is the same as the name of a spiced ham product, and have constructed a pun based on this overlap. How amusing. How refreshingly novel.
Scene : AOL Boardroom
CEO : Well, that was a right cock up lads. How are we going to prove we are a nice reliable company now!
Exec 1: Well we could send out more free trial CD's, everyone loves those.
Exec 3: Well we could actually let people use their own browsers for once
Exec 2: No no no, Bill.....That's suicide, our customers wouldn't know how to use internet explorer by themselves, THEY WANT CONNIE, THEY NEED CONNIE!!!
I got a better Idea : How about we send the spammers cd's full of addresses as a Free Trial and see if they want to subscribe to our "Targeted Advertising Program" with included AOL Mass Mailer 9.0 bloatware. Then everyone can become a spammer
CEO : Great thinking guys, now to topple yahoo with an attack of flying Free Trial CD's dropped from a plane!
*5 Minutes later all board members spontaneously combust as ElBazo works his voodoo curse
Mr. Burns ...
...
...
...
...
Hmmmmm, mmmmm! "SMATHERS!!!! YOU FIRED!"
Smithers
Emmm, "That's Smithers, Mr. Burns"
Mr. Burns
Hmmm. "Smithers - Smathers, whatever your reeaaaal name is, hmmmm - GET OUT."
Smithers
"But Mr. Burns!"
Mr. Burns
"OUT, OUT, OUT, I say - and no dilly-dallying, scoot, scoot."
~hylas
It also means "You can quit whenever you want, for any reason you want". I kind of like that part of the at-will deal.
Dumbass, and asshat. I hope they fine the shit out of him just for being a stupid fucktard hack and then triple it for being a complete and total shit. Those are legal terms, BTW. IANALBIPOIMFW.
[BIPOIMFW = But I play one in my fantasy world]
The complaint further charges that Dunaway later paid Smathers $100,000 for an updated version of AOL's customer list.
Huh!!
I've been thinking all these days that only OS updates cost big money
What spam do you want to get today !?
They can prosecute this guy, and everyone he sold the list to, and everyone they sold the list to, and so on, nine ways from Sunday - won't make any difference for the spammed masses now that the list is out. Nor will AOL's privacy policy (or whatever goes for it over there). The safeguards that are in place are (and always will be) inadequate against a motivated individual who doesn't understand consequences of his/her actions, or doesn't give a whistle about them, or both. AOL? MSN? Yahoo? Ne-ext!
I can assure you, the best way to get rid of dragons is to have one of your own.
$52,000 as severance package may still sound like good business to a lot of people.
The guy should be charged, arrested, or sued.
Watch out for embedded guys. Lots of embedded devices have backdoors that the developers can just walk right through. For example take any embedded linux device. The developer who made it most likely set a default root password that is the same on every one of those devices. If he gets ahold of yours and he's not a good guy you're fscked.
Hmmmm, maybe I should get a job at a company that makes security systems... It would be cool when I get kidnapped by burglars to take part in their movie plot-like crime.
The GeekNights podcast is going strong. Listen!
We worry about rogue employees and about black hats. But we also worry about entire corporations, and about the government.
Of course. We worry especially about the latter, don't we? Especially when the government is the primary holder of the data in the first place and we already know they are untrustworthy.
KFG
"Yes, I have a Disaster Recovery Plan. It's called my Resume"
Now, what part of AOL's security system failed?
Oops, that's right - they have no security system. That's why some idiot can swipe 92meg of users and sell them to some other idiot who wants to spam us with his own (did I say these guys were idiots?) gambling scheme and then resell the 92meg of users to the other vile spammers.
AOL can't be let off the hook. They had a duty to protect the user base as certainly as every one of us has a duty not to leave loaded guns where 5 year-olds can play with them. This is a clear example of AOL permitting a dangerous instrumentality to fall into the hands of the incompetent.
BUT, we should also tell Ashcroft that the two idiots are "the terrorists' friends" and let Ashcroft make them disappear (along with their families, friends and dogs).
Every situation is unique, and sometimes different situations require different actions. You see the similarities between two situations, and your opinion is that the differences are inconsequential, but that doesn't mean the other person thinks the same way. They might think that the differences are very important and the similarities are inconsequential. That doesn't mean that they have a double standard or are hypocritical, it just means that they put different value on the various aspects of the situations than you.
:)
It's just like the Kerry is a waffler fallacy. Votes for PATRIOT act, then when he actually gets to read it, changes his mind. Does not vote for iraq funding, but later does when the source of the funding is changed. To a conservative pundit, there is no conceivable reason not to support things that go towards "national security", but Kerry disagreed. The same way a libertarian can't think of any reason to give up privacy, but the conservatives think that it is sometimes necessary. That does not mean that they are hypocrites, it means they see things differently than you.
Even if they are wrong
"Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
...his job was answering AOL tech support phone calls.
smather (verb) To have personal information sold to advertisers without your consent or knowledge.
"Man, I just got this new Hotmail account, but in less than an hour, it's been smathered!"
[DISCLAIMER: This post is a work of satire and should not be misconstrued as a holy text upon which to base a religion.]
Aside from the obvious fact that this individual might be a large reason why AOLers receive such a tremendous amount of email spam... this data should have most definitely been better safeguarded by AOL.
:-)
Allowing a person in his position access to specific areas of their database depending on what needs to be done, would have made collecting the data at least a bit more challenging. From what I've read, the employee basically lifted the entire database straight up without much effort... sigh...
This isn't just a warning for AOL, but to any ISP or email service that allows employees with such unrestricted access to seemingly less confidential data. (Thankfully CC #s and SSNs are generally much more secure and hidden for the most part.)
I'll end my post on a positive note:
thank goodness for Spam Assassin
Karma police, arrest this man, he talks in maths....
Impossible. The man could never work AOL technical support. He doesn't speak Svengali.
Hey freaks: now you're ju
Never underestimate the power of one determined individual. To use a harsh analogy - think of all the presidential assassinations (or attempted), sure a good amount were caught and executed, but they still were able to do what they set out to do.
Your Gmail account may be spam free for a while but IF at some point someone gets determined enough they can take your info and sell it off, sure they may have to suffer the consequences, but to them it may be worth the risk.
Honestly I've had really bad luck lately and if someone offered me $50,000 cash (more than my yearly salary) for the emails at my work I would have a very hard time saying no. Of course my fear of things like losing my job and getting sued would override the temptation, but I blame that on my rational thinking process.
Ave Molech Setting
More accurate, certainly. New? Hardly.
related?
check the forum
[ No prescription needed ]
here in san jose I spend 100% of my pay check on rent, car insurance (good driver), car payment (commuter), phone bill (rarely talk on it), and food (ramen, milk, and eggs).
If you offered me $52,000 for a list of emails or names and info from my work I'd take it in an instant. I may get fired and sued but hey, with that I could afford to move out of this shithole and be overseas with my family tomorrow.
At least he would qualify for those low phone rates ;p
would 5 years in prison make it easier to say no?
Most people are
[X] evil.
Smathers' spam scheme skimmed screennames? A shocking scam.
Chris Mattern
Section 1037(a)(2), (b)(2)(C), and (b)(2)(E) of Title 18 of the USC, at least according to these court documents.
Degaussing scares the bad magnetism out of the monitor and fills it with good karma.
Former AOL employee Smathers sold the initial list for an unmentioned amount to Dunaway (the spammer) then Smathers sold an updated list to Dunaway for $100,000. Dunaway sold lists to other spammers for $52,000.
Smathers & Dunaway to AOL members: "All your screenname are belong to us!"
I expect something like this happened at eBay a while back. I changed my email address for eBay to a new mailbox. A few weeks later someone spammed it offering to sell lists of eBay members. Then spam followed, usually from phishers.
A feeling of having made the same mistake before: Deja Foobar
Burnin's too good for him...
He should be torn into itsy bitsy pieces and BURIED ALIVE!
Email me here so I can apologize in person!
JasonSmathers@aol.com
Of all the ills you could accuse AOL of -- lowering the signal-to-noise ratio of the Internet, filling our landfills with CDs -- there is absolutely no evidence that AOL use causes erectile dysfunction ... ... you insensitive clod!
The mathematics of the situation would make that improbable. He would need to generate and send 8,186,051,427,373,440,000,000,000 spams (assuming screen names of 6 to 16 characters in length, letters and numbers only) to hit all possible combinations that way.
This for each spam message. Far likelier that he is getting addresses from an inside source.
Can we have a list of people whose screen-names were sold?
In the dot.com boom days, biz plan spielers thought that a valid email address was worth $1-$10.
Never eat anything bigger than your head.
Smathers has been fired.
Out of a cannon, I hope.
Or fired at with a gun.
Either way works for me.
If "disco" means "I learn" in Latin, does "discothèque" mean "I learn technology"?
What a Stupid Mother Fokker
Hack Your Way to Hollywood
You know, the word "hack" above really bothers me.
Maybe it's just me, but if I were going to risk my job and possible jail time, I'd want at least a penny per name, a half cent at least. $52,000 what's that? Someone's back alley gambling debt. Geez.
So AOL lost control of their list. Bah. They never had control. It was only a matter of time, and now that spam is becoming big business now was the time. The only way to manage these things correctly regarding the IT team would have been:
1) Restrict mobile/personal storage and technology within the IT core;
2) search employees entering and leaving the IT facilities for CDs, storage dongles, smart cards, USB-enabled watches and lapel pins, MP3 players, laptop computers, palmtop devices, etc;
3) workstations used by developers have no Internet access whatever;
4) no public/personal email access from developer workstations;
5) the firewalls and other IT are managed by people who never come into contact with someone who themselves has access to data, and IT people have no access to data themselves;
6) all data traversing the LAN is AES encrypted;
7) there is no wireless access anywhere in the business, period.
Did AOL do *any* of this? Even one thing? I doubt it. Why would they? These aren't even standard practices except maybe at the NSA.
And that's just the AOL IT people. What do you then do with the marketing and sales folk? Presumably, they don't have the right kind of access to bulk data in the first place and/or cannot save data to storage that they can pull up in the normal course of work, but that's another policy to set up and more restrictions (ie, they cannot save files to their workstation, and cannot burn CDs, and cannot bring laptop computers home, etc.) And what if AOL decided to outsource customer support? What path does data take then?
All of this would kinda-sorta make sense when protecting things like source code where there are only a few that need access anyway, and there is no obvious reason for the code to leave the site. But in the case of customer account info, that's not restricted to development and the customers are dealing with very low level employees who need a broad kind of access to customer data to deal with customer issues.
I don't know if there are very many companies that would put their minimum wage earning sales and support drones (or their outsource suppliers) through that kind of security policy. And the marketing people would simply bite your head off at the very mention of leaving their laptop computers at work.
Reality: The only personal data that is safe is the data that is encrypted, then the passcode encrypted, then the passcode is lost, then the data is deleted, then the disk containing the data is formatted and overwritten with random bits, then the disk removed from the system and shredded, and then the small bits are randomly distributed over the surface of the sea. At night during a storm.
Failing all that...well don't expect your personal data to be private for any length of time so long as someone...anyone...the janitor...an intern...a poor working mother in Pakistan...can make a buck (exactly $1US) selling it.
=^..^= all your rodent are belong to us
i fail to see how this is much different than Airlines giving out passenger info.
AOL pays Employee for a service. AOL expects Employee will not give out sensitive info about themselves. Both agree to terms of employment, and money is exchanged.
Passenger pays Airlines for a service. Passenger expects Airlines will not give out sensitive info about themselves. Both agree to terms of employment, and money is exchanged.
How is this very different?
AIRLINES ARE THE EMPLOYEE OF PASSENGERS!
Troll, Troll, go away and flame again some other day
Get it all here.
A computer makes it possible to do, in half an hour, tasks which were completely unnecessary to do before.
Pretty soon it'll be "You've got Male!"
Not really. Mailing to AOL is a hit-or-miss thing. We run a lot of mailing lists (bands' fanlists, organizations' newsletters, etc.) and about half of the time you have AOL addresses on a list they bounce it. And they don't *just* bounce it, they set up a slow-ass connection to your bounce server and time it out (clever idea actually).
So, if you were a spammer, AOL addresses would be of dubious use.
All's true that is mistrusted
smoking gun has more info
superman runs linux
http://www.kuro5hin.org/comments/2004/6/21/19280/4046/24#24
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
But you can be sure that if a major company has your information, many employees that are making very little have access to that information.
::sniff::
At MCI, where I used to work, I would see the personal information including name, address, phone numbers, credit card numbers, birthdays, and email addresses of hundreds of customers a week. Not only that, but every employee was identified in the system by his or her SS#, and your SS# was stamped on every note you placed in the system.
I earned $8.47 (American) per hour, and the call center contractor had a less than rigorous screening process. I did have a pulse, so I was hired. I have more ethics than the company I worked for, and I would never do such a thing.
But you have to ask yourself, if a company is willing to hire employees for next to nothing, and hand these employees access to information that they can sell for 3 times what they earn in a year, how long until the SS# you give the company is compromised?
Do not give truly sensitive information to companies. If they do not have legal authorization to demand a SS#, they are using it for identification purposes only. Give them a fake one.
On another note: Anyone want to hire an aspiring writer? Seriously, $8.47/hr is still better than the $0/hr I'm making now. Please!
Be strong!
I have been a member of CompuServe since before AOL bought them. Never got Spam from anyone. Never got mail from anyone I didn't know. One month after AOL bought CompuServe I started getting spam, and AOL started saying they never sold their customer lists. Someone has been lying for a while.
What exactly is the crime he's accused of? Taking customer lists from any other business would be actionable in civil court, ie he wouldn't be arrested. What value can they assess on a list of email addresses? Not that I'm defending this jackass. Frankly I'd like to meat [sic] up with him in a dark alley with an old Sun keyboard. Something from the original IPC would do nicely. I'm just curious what the actual criminal crime is that would cause him to be arrested, or if this is another company with $$$ getting the police to handle their civil affairs.
That actually explains something that happened to me recently. I have a decade-old AOL screen name that I use only for obscure, identity-fuzzed postings, questionable registrations, etc. that I would never, ever have used with my actual address or telephone number. This year, I started getting mortgage spam on that quasi-anonymous account targeted to my real name and street address. That was hard to explain, unless someone inside gave out my data.
So we're not just talking about compromised AOL accounts here -- we're talking about accounts and the personal information tied to them. That's a *much* bigger crime, and a much bigger deal, and I hope AOL ruins this asshole's life as much as he deserves.
It's clear from reading them that this guy was not one of the brighter people at AOL.
Right. Quis custodiet ipsos custodes? And corporations can make it very easy, possibly in ways they aren't expecting. For example, somebody I know got a brief gig as a contracting Oracle DBA at a very large company. Quite rightly her access to production databases was very, very tightly controlled. However, she told me that the clones of the production databases, used for load testing, development, etc, had real live data in them, including names, addresses, DoBs, and - yes - SSNs. About 12 million of them... And she was working on an H-1B.
I work for a Fortune 500 company who is a supplier of information technology.
I was told that the entire company's list of email addresses was taken and sold by a sysadmin a few years ago.
Granted, this is not an ISP, and they are not millions, but still a lot of addresses, same cause.
2bits.com, Inc: Drupal, WordPress, and LAMP performance tuning.
...violation of 18 USC 1037, which was codified by, and is otherwise known as, the CAN-SPAM Act.
The US Army is even making the videos that will be sold by them...
Slashdot, home of supporters of free software, free music, and free speech. Except for Moderators that disagree with you.
AOL can't really have 92 million subscribers, can it? Assuming almost all are in the US, that's almost a third of the population, virtually the entire number of people with any kind of email.
Exactly how did they find this out? It'd be pretty hard, if not impossible, to catch something like this.
Someone should find his address so we can /. that fucker's house. I say we spam him on behalf of those poor AOL idio... um... users!
Seriously, anyone with an AOL account already feels like every spammer on the planet knows their screen name. What difference would it make?
How valuable would such a list be anyway? Every account has multiple screen names, and every conceivable permutation of names and common words has been taken. If there's one domain name-guessing probably works on, it's AOL.com.
That being said, lock him up and throw away the key, but be sure to also nail the sleazebags he worked with.
Good, I hope they get the max, both of them.
Grab yer torches and pitchforks!
A witty saying proves you are wittier than the next guy.
a guaranteed job is stupid
;-)
a political philosophy based on selfishness is stupid
show me the fallacy, numbnuts
life is more complicated than black and white
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
First, I am not a lawyer. This is a lay opinion only.
Second, I am not a particularly vengeful person, or at least I don't really want spammers to face the death penalty, castration, or other such suggested punishments.
Jason Smathers has been charged with theft and fired by AOL. I'm assuming the actual charge is something like felony grand theft, and that the amount his co-conspirator got for the lists will be all the proof AOL will need to offer for a grand jury to agree with that charge.
According to the article, he also used another employee's ID in the act. That's probably either a separate charge or at least an aggravating factor to the first charge. Among lots of other effects, this employee probably has standing to sue both men and a fair chance of winning, regardless of whether AOL does (with "winning" limited by the condition that they must somehow have forfeitable assets after their prosecution).
It also looks like there was possibly more than one actual theft, as the article mentions the men either actually obtaining or conspiring to obtain an updated version of the list, which would imply an older version also existed in their possession. One or both men may have made fraudulent promises to a person or persons who bought the list, representing it as legally obtained.
So, Smathers could well be indictable with three or more felonies (three strikes rules may apply), and it's possible with multiple persons accused that the whole thing could fall under RICO, either of which could easily make the overall sentence 30 years or more. Even with the usual time off for good behavior type clauses, that means serving a good solid 18 years or so.
AOL probably wants the whole thing to go away. Since they can't really get that, the next best thing is to get seriously Neolithic on his ass, and hope it has a deterrent effect.
Who is John Cabal?
I know some people who paid $15k for this list, and others who got it for free. It's a safe bet that most spammers on AOL (they mostly share programs/lists) have this list. There is no way to track down every single person who has obtained it. I truly hope credit card numbers are not part of the list; otherwise, they'll have millions of very angry people waiting to sue or do what they can to make sure it doesn't happen again.
IMHO, this is why anyone who gets hired for a major company like this should have a thorough background check, especially if they are in the 18-30 age range. Yes, I know this is discrimination, but a lot of these spammers are in that age range and TRY to get jobs at AOL EXACTLY for this purpose (obtain confidential information). And the same people who have this list say "So what, one inside contact down. I hope this doesn't scare our other contacts."
its real easy to be gullible when you can't
see where the email is coming from without opening it,
and even then you can be screwed easy
shoddy software makes being gullible easy
Seriously, I think it's time we all banded together. There's got to be a /.'er in just about every geographical location on earth, so I say we set up a site to report spammers, get a few volunteers to track them down (electronically) and get whoever lives closest to break into the place with baseball bats.
And NO this isn't sarcasm or a joke.
VENI, VIDI, VICI, DIXI
I worked at one of Canada's largest ISPs, as a customer service rep, but had direct SQL access to the database. What happened was, they got me to help out with the intranet. I came across some code that connected directly to the user database (which was Oracle) and did a "SELECT FROM" query from it. Sure enough, the username and password it used had full permission to the database. I would have had no difficulty doing a "DELETE FROM" statement, let alone a "SELECT username FROM" statement. For some reason I never used this for personal profit. Then again, we already knew I was foolhardy; I was coding for their intranet at a Customer Service Rep wage...
- Allen Pike
Altering time, one time at a time.
My vote is to make them hit delete once for each address that was sold.
-cmh
Oops, that's right - they have no security system. That's why some idiot can swipe 92meg of users
What would you suggest instead? A system nobody can access? Oops, looks like we lost a hard drive . . . but nobody's allowed to access the system to replace it, so I guess we're SOL!
No matter how much security you implement, if you want a tool to be useful you have to at some point trust the people who were using it. Given that the guy who sold the user list was (according to the article) a software engineer, I'd say it's pretty likely he had access to the raw database, even if the front-line people didn't. There is no security system that completely eliminates the possibility of malicious abuse.
Now, I have no idea how AOL's system is set up--maybe they don't have any security at all, and if that's the case they definitely ought to be fined up the ass. But if they were making good efforts to avoid problems like this, they shouldn't take the blame for one unethical employee.
Fired... out of a cannon... into the sun.
"If anything can go wrong, it will." - Murphy
Um, a large proportion of people in jail are not convicted; they are on remand.
This proportion rises to 100% when you look at Guantanamo bay.
Read the Complaint filed by the Secret Service agent. Posted over at Smoking Gun, it's fascinating and shows how Smathers pointed the finger right at himself: when he did a test retrieve, logged of course by AOL, he retrieved just one, incriminating account from the millions there: his own.
He also e-mailed himself logs of his IM conversations with the buyer, which his AOL laptop stored away, to wit:
"I think I found the member database . . . Just need to figure out how to get the SNs [screen names] it is spread over like 30 computers . .
OK, I got it figured out . . . there are going to be millions of them so, will take time to extract I will do them a chunk at a time . . . "
Most interestingly, the government isn't just charging him with theft; it's also charging him with conspiracy to spam, under the so-called Can-Spam Act enacted late last year.
And what makes you think those 5 million verified addresses for $300 are anything but utter bullshit? You're trusting a spammer's word that those addresses were valid at some point in the last 20 years, which is neither relevant to current affairs, nor necessarily true.
There are two types of email lists with VERY different pricing schemes: the garbage ones that spammers sell to suckers (worthless, which is why they sell 'em for "only" $300), and the ones they sell to each other. This list is at the very top of the heap of the second category.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
I use a unique email address for all online vendors. The one I used for ftd.com is being spammed by what appears to be a single spammer. I've been unable to convince FTD that this is a security issue.
On this page is a big AOL ad reading:
ADD MORE KNOWLEDGE
I took a screenshot of this page.
More knowledge indeed!
He was the only person with an AOL screen name NOT receiving spam...
"Computer Scientists can count to 1024 on their fingers" (non-mutant, non-mutilated, human computer scientists)
Wow, what's his boss's name, Monty bournes?
boycott slashdot February 10th - 17th check out: altSlashdot.org
Mr. Burns must be really disappointed.
The uptick in spamming to my AOL account that occurred last year now has an explanation. It was the last straw that caused me to get a new provider... AOL should charge the bums for the lost business. Better yet, since 33 million of the 92 million screen names are still paying customers, AOL should mail them all an apology and publish the home address, cell phone numbers etc. for Mr. Smathers and his family members and update as they move to avoid retribution.... Can you imagine the pent-up frustration the average spam victim could unleash now that we actually have a culprit?
HE GAVE AWAY 92000000 ADDRESSES! WHAT WOULD BE SO UNFAIR ABOUT GIVING HIS ADDRESS TO 92000000 PEOPLE?
"Smathered" is now an official net-term. I will begin using it as soon as context allows.
I am very small, utmostly microscopic.
A few weeks ago I came across about 30 old 5 1/4" floppies.
I hooked up an old drive to see what was up and lo and behold it worked, and on the disks (that could still be read) were vital stats on about 85,000 people - meaning name, SS#, address, health insurance policy numbers, etc. All good, all verified assuming the individual was still alive and hadn't moved.
This was left over from when I worked at an insurance company in 1992: a migration from a THEN ancient mini to a PC based system. There that data was sitting in my basement for 12 years (and I have moved twice since then!)
Being an honest man, out came the scissors... but the ID theft possibilities were really astounding.
How much old data like this is just sitting around on forgotten tapes and disks?
If I were to set up a huge ID theft ring this is the sort of stuff I would look for. Good data, but old. Not in any current database, absolutely no audit trail, individuals have since moved around and changed employers obliterating any or most chance of establishing a pattern to the thefts. Best of all, not only are there no access logs, but the organization wouldn't even miss the old media and if they do someone could just claim that it was thrown out months ago.
Mildly disturbing - but less so than the thought of a dirty bomb I suppose.
I am very small, utmostly microscopic.
First, jail != prison. Second, to be remanded to custody you must usually be (Gitmo is different, and I'm not going to address it because it has nothing to do with my original point):
1) Arrested (taken into custody)
2a) Indicted, or in the process of being indicted.
2b) A material witness with a risk of flight.
2c) A material witness requiring protection.
3) Convicted for a minor offense (punishment of less than one year's confinement is generally served in a jail setting rather than a prison)
b and c are slight exceptions, but you can't be put into jail in the US for more than a short span of time unless you are being charged with a crime.
Third, a large proportion? Not in prison. Anyone in prison was convicted and sentenced. You can be in jail without being convicted, but if you are, you're generally in categories 1-3 above.
Again, leave Gitmo out of it. Gitmo doesn't reflect US law for the most part.
---
Mod me down, you fucking twits. Go ahead. I dare you.
(I read with sigs off.)
and his AOL work computer
Apparently once he had access he first tried to get everything, but the query results were too large for things to succeed! Then he queried a single AOL account, his own!
After that he came back two weeks later with the scheme of trying all the accounts that start with A, then all the accounts that start with B and so on...
Even more fun was that he was apparently doing this all from his AOL company laptop via a nice VPN from his home. He didn't even have to go into the office to steal...
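The trail described here and in the Smoking Gun complaint (one lookup of his own account, then letter-by-letter extraction) is exactly what a database audit log captures. As an added example, not code from the article or from AOL, here is a small detector over constructed audit lines that flags an account walking the member table by leading-letter LIKE prefixes or pulling far more rows than a support lookup would; the log format, account names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed query-audit lines (not real AOL logs): timestamp, database
# account, SQL text, rows returned. "jdoe" first looks up his own screen name,
# then walks the member table one leading letter at a time.
SAMPLE_LOG = """\
2004-05-01T09:00:12 jdoe SELECT screen_name FROM members WHERE screen_name = 'jdoe' 1
2004-05-01T09:02:40 jdoe SELECT screen_name FROM members WHERE screen_name LIKE 'a%' 3100000
2004-05-01T09:05:03 jdoe SELECT screen_name FROM members WHERE screen_name LIKE 'b%' 2400000
2004-05-01T09:07:55 jdoe SELECT screen_name FROM members WHERE screen_name LIKE 'c%' 2900000
2004-05-01T09:10:10 jdoe SELECT screen_name FROM members WHERE screen_name LIKE 'd%' 2100000
2004-05-01T09:12:30 support1 SELECT screen_name FROM members WHERE screen_name = 'bob1234' 1
2004-05-01T09:13:01 support1 SELECT screen_name FROM members WHERE screen_name = 'carol77' 1
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (.+?) (\d+)$")
PREFIX_RE = re.compile(r"LIKE\s+'(\w)%'", re.IGNORECASE)


def parse_log(text):
    """Return (timestamp, account, sql, rows) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, acct, sql, rows = m.groups()
            events.append((datetime.fromisoformat(ts), acct, sql, int(rows)))
    return events


def detect_enumeration(text, window=timedelta(minutes=30),
                       min_prefixes=3, max_rows=1_000_000):
    """Flag any account that, inside one sliding window, either issues
    single-character LIKE prefix queries covering min_prefixes distinct
    letters or pulls at least max_rows rows in total.
    Returns {account: {"prefixes": [...], "rows": n}} for flagged accounts."""
    per_account = defaultdict(list)
    for ts, acct, sql, rows in parse_log(text):
        per_account[acct].append((ts, sql, rows))

    alerts = {}
    for acct, evs in per_account.items():
        evs.sort(key=lambda e: e[0])
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            prefixes = set()
            for _, sql, _ in in_window:
                m = PREFIX_RE.search(sql)
                if m:
                    prefixes.add(m.group(1).lower())
            total_rows = sum(rows for _, _, rows in in_window)
            if len(prefixes) >= min_prefixes or total_rows >= max_rows:
                alerts[acct] = {"prefixes": sorted(prefixes), "rows": total_rows}
                break  # one alert per account is enough
    return alerts


if __name__ == "__main__":
    for acct, info in detect_enumeration(SAMPLE_LOG).items():
        print(f"ALERT {acct}: prefixes={info['prefixes']} rows={info['rows']}")
```

The row-count rule catches the failed "get everything" attempt too, since a bulk query that returns millions of rows stands out regardless of its WHERE clause.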
Probing further...
Since court papers give out his AOL employee email, JasonS2e@aol.com, we can find out via Google Groups, that Mr. Smathers was busy using the Internet to:
My gf uses AOL, I'm trying to get her away from it but that's beside the point. And she definitely doesn't cause erectile dysfunction if you get my meaning sir.
Now, if you link it the other way, erectile dysfunction causes AOL use, I'd agree with you there.
and yes I'm being a coward by posting this anonymously. so be it.
But 1) They fucked up the code. 2) Milton didn't get caught.
According to all of the articles they are only being charged under the new CAN SPAM law. Not being charged with theft or security hacking. At least not as of yet. Conspiracy is a ridiculous law. As though there being more than 1 person involved in something somehow makes it 5 x worse of an actual offense.
I'm interested in people's opinions. Do you think that this news will hurt AOL's business and have any significant effect on how many customers they gain and retain? Time Warner's stock price was unaffected by the news so far.
Also, strictly hypothetically, if AOL was able with the help of authorities to arrest and indict these two without ever making any press releases about it and keeping it out of the news. Plus never telling any of their customers about what happened with their emails. Then you found out about it much later on through a leak of the news, would you think that they were scum for keeping quiet and secret about it? Would you even think that it would be against the law for them to keep it secret from their own customers?
OK, I am not familiar with the distinction you make between a prison and a jail. IIRC In the UK people get transferred from a police cell (at the local cop shop) to a prison within 48 hours, long before any trial.
Being charged with a crime does not necessarily mean you are guilty. I hear that in Japan nearly all cases brought to trial result in a guilty verdict, but I thought that a significant proportion of US defendants were found to be not guilty, like in the UK. Perhaps I am wrong there.
OTOH, if as you say trials are speedy in the US once charged, that is certainly better than in the UK where people can wait for 6 months in prison before trial (often the same prisons as for convicts, but with slightly different privileges - some guilty prisoners prefer to delay the trial for that reason, but anyone protesting their innocence has less luck).
"You Got Nailed!"
"Insert Sig Here"
Prisons are long term facilities; everyone in a prison has been convicted of a felony crime. They aren't used as holding cells for people who haven't been convicted, and are nearly never occupied by prisoners with sentences under a year. Also, they are always separate facilities. A jail can be a separate facility, but is just as often attached to a courthouse, sheriff's building, or other law enforcement institution. Drunk tanks and the like are always in jails, as are the cells used for most prisoners who have been arrested but not yet convicted. It's rare for someone to be in jail for more than a year; generally jails are used for misdemeanor and minor felony convictions, those lasting under a year's sentence. Basically, get busted with a joint, go to jail; get busted for selling pounds, go to prison after the trial.
A significant proportion of US defendants are found to be not guilty. However, the government balances the probability of innocence against the risk of a guilty party fleeing. This is where the institution of allowing bail came from; in theory, if someone has assets on the line that will be seized if they run, they're less likely to try to avoid trial. If someone is deemed a significant enough flight risk, they're denied bail altogether. But most people have relatively minor bails set, their bond is posted and they go home while the trial is occurring. Bail is set at the arraignment, which is nearly always within a few days of arrest.
I never said US trials are speedy. They aren't. The 72 hour rule I referred to refers to arraignments; they can arrest you and hold you, but if they aren't going to charge you with a crime, they have to let you go relatively soon. However, a good portion of US defendants are out on bail during their trials, living their lives relatively normally. You want a high profile example? Look at Kobe Bryant. He's in the middle of a rape trial and still found the time to go lose an NBA championship.
---
Mod me down, you fucking twits. Go ahead. I dare you.
(I read with sigs off.)