Slashdot Mirror

← Back to Stories (view on slashdot.org)

AOL Employee Arrested in Spam Scheme

Posted by simoniker on from the america-shaking-fist-online dept.

LostCluster writes "The AP, Reuters, and AOL's own CNN/Money are all reporting that AOL employee Jason Smathers has been arrested and accused of taking a list of 92 million screennames from the internal AOL system, and selling it to another man, who allegedly used it 'to promote his own Internet gambling business and also sold the list to other spammers for $52,000'. Not surprisingly, Smathers has been fired."

23 of 428 comments (clear)

  1. Re:Fired? by Kiryat+Malachi · · Score: 5, Informative

    Only in criminal court. Unless the guy had an employment contract that stated otherwise, he was employed "at the pleasure of the employer" - i.e. he can be fired for just about anything, barring discriminatory or retaliatory firings.

    And I don't think anyone can argue that there's cause here.

    --

    ---
    Mod me down, you fucking twits. Go ahead. I dare you.
    (I read with sigs off.)
  2. Re:Arrested and accused... how about convicted by Kiryat+Malachi · · Score: 4, Informative

    Hi.

    I'm the government. I can't do anything prison-like or fine-like to you without convicting you first.

    Hi.

    I'm your employer. Unless you have a contract stating otherwise, odds are you're an at-will employee, which means *I can fire you for just about any reason I want*.

    --

    ---
    Mod me down, you fucking twits. Go ahead. I dare you.
    (I read with sigs off.)
  3. Re:That's a lot of names... by cipher+uk · · Score: 2, Informative

    which is why he got $52,000 for it.

  4. Re:Fired? by lukateake · · Score: 2, Informative

    Virginia (among others) is a state where "employment-at-will" prevails. That means he can be fired at anytime for any reason, thus his punishment. Surely, he was terminated from AOL for good cause after an internal investigation fingered him. But he isn't guilty in a legal sense and that's what the proceedings before him will determine. But you don't have to be legally convicted of anything in order to be terminated. Also, IANAL.

  5. More details by Gogo+Dodo · · Score: 2, Informative

    More details about the scheme are available at CBS Marketwatch.

  6. Re:Access? by homer_ca · · Score: 4, Informative

    The article says he's a software engineer at AOL with inside knowledge of their computer systems. It doesn't say that he was directly responsible for the customer database systems, but even if not, it can't be that hard to dump the names out. Any sysadmin is in a position of great trust. They could walk off with all your data on their servers, but they're trusted not to.

  7. Re:This reminds me by Anonymous Coward · · Score: 1, Informative
    With the value of valid e-mail addresses increasing...how long before /etc/passwd is no longer world readable?
    There's no real trouble with having /etc/passwd world readable. Unless you're running something archaic, that file doesn't contain passwords, or even encrypted passwords. About the only useful info a cracker would find in /etc/password is usernames, and if he can see that file to begin with, he's already got a login.

    Now, if your /etc/shadow or /etc/master.passwd are world readable, you've got an issue...
  8. Say what?? by Robert+Petersen · · Score: 2, Informative

    Reception of stolen property? Industrial Espionage? Violation of consumer privacy? anti-spam laws?

  9. Re:Access? by YU+Nicks+NE+Way · · Score: 5, Informative
    When I was a young man, a bank in New York hired an ourside consultant to find out how to protect their data against their programmers. The response was one of the shortest lists of recommendations ever:
    • Pay them well
    • Keep them very happy
    • Watch them very very closely
  10. Re:This reminds me by stratjakt · · Score: 2, Informative

    /etc/passwd has to be world readable, or some other nameservice (ie, nss_ldap or whatever).

    That's why they moved the passwords to the (non world readable) /etc/shadow, many many moons ago.

    Though if you're really cool you'd move that to LDAP. If configuring pam, nss, openldap and samba wasn't such a PAIN IN THE ASS (why cant ldap clients just agree to read one conf file, why do I have to deal with /etc/openldap/ldap.conf, /etc/ldap.conf, /etc/smbldap-tools/smbldap.conf, et cetera et cetera) it'd probably be standard by now.

    Secure authentication against an LDAP directory. What a concept. Wonder who does that, oh yeah, Windows 2000 and up. Meanwhile here I am sending out MD4 password hashes to authenticate against samba, one of the biggest security faults of NT4.0 that's now embraced by the OSS community for some reason. (Andrew, Samba needs to function as an Active Directory controller! Accept nothing less!)

    Anyways, you need to upgrade, fella. There shouldn't be anything special in /etc/passwd.

    --
    I don't need no instructions to know how to rock!!!!
  11. Re:AOL's New Slogan by homer_ca · · Score: 5, Informative

    That's easy to block if you run your own mail server. All AOL dialups have hostnames ending with ipt.aol.com. AOL's mail servers have hostnames ending with mx.aol.com. Deny hosts from ipt.aol.com and problem solved.

  12. Re:That's a lot of names... by bigman2003 · · Score: 5, Informative

    Especially for a list of confirmed gullible people.

    The chances of an AOL user falling for a spam-scam are probably good. They already fell for one scam, so they've proven themselves to be targets already.

    --
    No reason to lie.
  13. Comment removed by account_deleted · · Score: 4, Informative

    Comment removed based on user account deletion

  14. Re:AOL's New Slogan by JPriest · · Score: 5, Informative
    Why would they? Once the aliases are sold and resold, what can AOL really do to recover them?

    Mr. Spammers, please delete all @aol.com email addresses in you list, yeah right!

    My girlfriend recently recovered an account that has not been active in 3 1/2 years, it still gets flooded with spam despite 3 1/2 years of not existing.

    I doubt AOL users will be much better off unless they want to create a new alias.

    --
    Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
  15. Perhaps... by nelsonal · · Score: 2, Informative

    Section 1037(a)(2), (b)(2)(C), and (b)(2)(E) of Title 18 of the USC, at least according to these court documents.

    --
    Degaussing scares the bad magnetism out of the monitor and fills it with good karma.
  16. $25,000? by ackthpt · · Score: 4, Informative
    Read the article lately?

    Former AOL employee Smathers sold the initial list for an unmentioned amount to Dunaway (the spammer) then Smathers sold an updated list to Dunaway for $100,000. Dunaway sold lists to other spammers for $52,000.

    Smathers & Dunaway to AOL members: "All your screenname are belong to us!"

    I expect something like this happened at eBay a while back. I changed my email address for eBay to a new mailbox. A few weeks later someone spammed it offering to sell lists of eBay members. Then spam followed, usually from phishers.

    --

    A feeling of having made the same mistake before: Deja Foobar
  17. Re:AOL's New Slogan by bugmenot · · Score: 2, Informative

    The new AOL spam filters work pretty well. I've had my AOL email address for almost 8 years and used to recieve hundreds of spams per day. This has drastically improved after the new spam filter was implemented. I now get less than five per day. I guess that may still be five too many for some people, but all of my friends have this address and it would be too difficult to change it. I also enjoy some of the other exclusive content that AOL provides.

    --
    This account has been seized by the GNAA. That is all.
  18. Re:Now do the same over at MSN/Hotmail by mt+v2.7 · · Score: 2, Informative

    Acctually I got about 27.004 years.

  19. Re:AOL's New Slogan by Anonymous Coward · · Score: 3, Informative

    This doesn't relate to people sending mail *from* AOL accounts though... it's people sending mail *to* AOL addresses, or AIM screennames. The spammers apparently didn't steal any passwords.

  20. Re:92 million?? by ChairmanMeow · · Score: 3, Informative

    It's 92 million screen names, and many people may have more than one screen name, especially for AIM, etc., so it wouldn't actually be 92 million people.

    --
  21. RTC! by Pakup · · Score: 2, Informative

    Read the Complaint filed by the Secret Service agent. Posted over at Smoking Gun, it's fascinating and shows how Smathers pointed the finger right at himself: when he did a test retrieve, logged of course by AOL, he retrieved just one, incriminating account from the millions there: his own.

    He also e-mailed himself logs of his IM conversations with the buyer, which his AOL laptop stored away, to wit:

    "I think I found the member database . . . Just need to figure out how to get the SNs [screen names] it is spread over like 30 computers . . .

    OK, I got it figured out . . . there are going to be millions of them so, will take time to extract I will do them a chunk at a time . . . "

    Most interestingly, the government isn't just charging him with theft; it's also charging him with conspiracy to spam, under the so-called Can-Spam Act enacted late last year.

  22. Re:Security? by BalloonMan · · Score: 2, Informative
    How was he caught? I don't know, ...
    RTFA, please, instead of spouting completely unfounded theories.

    It explains exactly how he was caught. AOL looked at the datestamps in the file that the Secret Service showed them, then correlated that with database access logs and determined whose computer was using the database at the time. It was so easy that it's clear this crook never expected to be caught. But, AOL would never have noticed this activity if nobody had asked them to look. Apparently, they did not monitor database usage in any way before this happened. Maybe now they will.
    It would not surprise me at all if the alarm bells didn't start ringing as soon as the DB ground to a halt while it was returning 92000000 rows.
    I seriously doubt AOL's DBMS would "grind to a halt" doing a straightforward query of any scale.
  23. Re:Fired? by SillySlashdotName · · Score: 2, Informative

    In an Employment-at-will state you are employed "at the whim of the employer", and only as long as the employer wants you to be employed. Without a contract, the employer can, without any stated reason, tell you you are no longer employed and you have no recourse.

    From this (pdf) article in the "Monthly Labor Review" written by Charles J. Muhl, Esq. "In legal terms, though, since the last half of the 19th century, employment in each of the United States has been "at will," or terminable by either the employer or employee for any reason whatsoever. The employment-at-will doctrine avows that, when an employee does not have a written employment contract and the term of employment is of indefinite duration, the employer can terminate the employee for good cause, bad cause, or not cause at all"

    In the footnotes, it is noted that "This article does not address statutory exceptions to employment at will. Many such exceptions have been enacted at both the Federal and State level." examples given are federal laws against discrimination, and some states laws against termination for 'whistleblowing'.

    --
    Acts of massive stupidity are almost never covered by warranty. --me.