Slashdot Mirror


AOL Employee Arrested in Spam Scheme

LostCluster writes "The AP, Reuters, and AOL's own CNN/Money are all reporting that AOL employee Jason Smathers has been arrested and accused of taking a list of 92 million screennames from the internal AOL system, and selling it to another man, who allegedly used it 'to promote his own Internet gambling business and also sold the list to other spammers for $52,000'. Not surprisingly, Smathers has been fired."

21 of 428 comments (clear)

  1. Fired? by 91degrees · · Score: 3, Insightful

    Aren't we supposed to wait for someone to be found guilty before punishing them?

    1. Re:Fired? by EvanED · · Score: 4, Insightful

      Firing someone has a lower burden of proof (and rightly so) than a criminal conviction; if there's enough for an arrest and charges to be brought, then there's probably enough evidence to warrant a firing.

    2. Re:Fired? by Motherfucking+Shit · · Score: 5, Insightful
      Aren't we supposed to wait for someone to be found guilty before punishing them?
      My guess, and this is only a guess, is that Mr. Smathers was almost certainly confronted by HR or security (do they still call it OpsSec?). My second guess is that he probably admitted what he did.

      In any case, AOL doesn't have an opportunity to wait around and find out whether or not this guy is guilty in a court of law. This is a huge privacy breach affecting millions of people. According to CNN's version of the story, not only did the list contain screen names, it also had each user's telephone number, ZIP code, etc. AOL has no choice but to take immediate and harsh action, i.e. terminating the employee and alerting the authorities. If they hadn't fired the employee they'd be sued faster than you can say "1099 Hours Free."

      There may be lawsuits anyway. Millions of people entrusted their information to AOL, and now it's floating around in the hands of who knows how many spammers.
      --
      "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
    3. Re:Fired? by Ratbert42 · · Score: 3, Insightful
      My guess, and this is only a guess, is that Mr. Smathers was almost certainly confronted by HR or security ...

      I didn't read through the whole thing, but my guess is that an informant approached the secret service and the case began outside of AOL. AOL really has no interest in this case being prosecuted. The bad publicity will cost them much much more than any restitution they'll get out of an unemployable 24 year old.

  2. Security? by shadowkoder · · Score: 5, Insightful

    You would think there would be limitations on HOW an employee could access such a large database. I mean, does AOL throw out CDs with conveniently formatted lists of all the screen names of its customers?

    1. Re:Security? by isthisthingon · · Score: 5, Insightful
      Hmmm...just a guess, but it probably went something like this:
      SELECT *
      FROM customer_list
      ORDER BY last_name ASC;
      [zoom to scene of employee nervously looking over his shoulder and tapping his fingers impatiently]

      92,213,798 rows returned.

      [employee thinks to self]: "Dude! Cool! Bonus! We only had 91,125,553 last time I ran this. I'll have to thank the marketing department for sending out those CDs!"
      --
      And then one day you find, ten years have gone behind you....
  3. Double standards.. by BlueLines · · Score: 5, Insightful

    ..didn't a bunch of airlines admit to (basically) the same thing? no arrests there..

    --
    --BlueLines "The cost of living hasn't affected it's popularity." -anonymous
  4. And this is the inherent problem . . . by kfg · · Score: 5, Insightful

    with large, easily searched and copied databases of highly consolidated private data.

    The primary issue to be feared is not that someone who isn't trusted with the data will get ahold of it, but that someone who is trusted with the data will turn out to be untrustworthy.

    The same goes for backdoors. I'm not half so worried about some script kiddie hacking my router as I am some employee/former employee of Cisco simply walking right in.

    KFG

  5. Maybe there're more? by oberondarksoul · · Score: 5, Insightful

    What worries me is that there could easily be many more employees doing this - not just at AOL, but at other ISPs as well. However, I'm willing to bet that AOL isn't going to hunt for any other people like this doing it. Unless they're made aware of other inside jobs of this, they'll probably stay happily oblivious to anyone else wanting to make a fast buck.

    --
    And tomorrow the stock exchange will be the human race
  6. An observation. by steve+buttgereit · · Score: 4, Insightful

    An interesting way to look at this is consider the age of the people involved. The engineer was 24 and the Casino guy was 21. IT, notorious for age discrimination in favor of young, brighteyed types, may actually be introducing a greater security risk with the practice.

    I remember when I was in my early 20s and lets just say I didn't have a lot to lose... and everything to gain from taking a chance here and there. By placing less mature workers into places where personal ethics and great responsibility collide, you're asking for issues just like this.

    I don't mean in indict all younger workers. Certainly most are good employees; I've hired many younger people without trouble. But as a percentage of population, the younger I expect to make more 'mistakes' both simple errors and errors in judgment.

    My two bits...
    SCB

    1. Re:An observation. by Telastyn · · Score: 3, Insightful

      Error in judgement? Come on, this is pretty obviously a 'bad thing'. No mistake; criminal intent.

    2. Re:An observation. by Kphrak · · Score: 4, Insightful

      Why don't we put it another way? "Note that both people involved were guys. By its traditional discrimination against women (who more civilized) in favor of men (more aggressive and violent), IT is introducing a security risk since men will take more chances." It makes as much sense as the above "these damn' kids screw up all the time" rant (and before some /. feminist says "you go girl!", I should add that I'm male, 23, and consider both arguments completely idiotic).

      IT is a younger field, therefore more IT guys are younger. Granted, it's been around for the last 40 years, but for about half of that time, you needed a lot of money to get a computer. The generation that got to use truly cheap computers came of age just ten years ago. It's natural that there is now an explosion of younger IT workers.

      Marital, family, religious, and civic ties to society, IMHO, are much more likely to keep people honest than their age, even counting the fact that younger workers may be less experienced. And if you don't believe me, check a newspaper and see how many older, powerful men are at this moment headed to Club Fed because they weren't any better at ethics than the AOL dimwits mentioned in this article. Most of Congress is composed of older men, and I'd almost rather have Sanford Wallace (of Cyber Promotions infamy) representing me than some of these folks.

      I work in a government agency, so I see a large proportion of older workers. Some are smart, hard workers; others are idiots. I see no larger proportion of idiots among younger people than I do among older ones, nor do I see any indication that the intelligence or ethics of the old have anything to do with the fact that they are old.

      --

      There's no sig like this sig anywhere near this sig, so this must be the sig.
  7. What a crime! by CHaN_316 · · Score: 4, Insightful

    This AOL employee only made $0.0005652174 per e-mail address he sold. Is that anywhere near the fair market list for e-mail lists? Seems a bit low, but then again IANAS (I am not a spammer).

    --
    "There is no spoon." - The Matrix
  8. Congratulations on completely missing the point by drkhwk · · Score: 3, Insightful

    About the only useful info a cracker would find in /etc/password is usernames, and if he can see that file to begin with, he's already got a login.

    Yeah, and a huge list of email addresses. In the case of the grandparent, about 183,000.

  9. Re:AOL's New Slogan by frodo+from+middle+ea · · Score: 4, Insightful

    In the context of mails previously received to/from AOL accounts..
    prey explain how's this different from their previous slogan.

    --
    for the last time people, I am "frodo from middle eaRTH", not "middle eaST".
  10. Re:Now do the same over at MSN/Hotmail by Hays · · Score: 5, Insightful

    Dictionary attacks become exponentially harder as your user name becomes longer, assuming that is constructed of random characters.

    The likelihood of a dictionary attack hitting a n character random string of characters and numbers is miniscule for n larger than 15 or so, even if the dictionary attacker is trying 1 million combinations a second, because there are (at least) 36^n user names in that space.

    my rough calculations say that it would take 7 billion years to dictionary attack the space of 15 character random numbers of and letters, even if you could do so at a rate of one million a second.

    So if your 15 character random user name gets spammed immediately after creation without ever being used, it's an inside job.

    But I wouldn't be surprised if it was buried in the Hotmail terms of service that they can sell your addresses.

  11. I hate the "double standard" arguement by pavon · · Score: 3, Insightful

    Every situation is unique, and sometimes different situations require different actions. You see the simularities between two situations, and your opinion is that differences are nonconsequential, but that doesn't mean the other person thinks they same way. They might think that the differences are very important and the simularities are nonconsequential. That doesn't mean that they have a double standard or are hypocritical, it just means that they put different value on the various aspects of the situations than you.

    It's just like the Kerry is a waffler fallacy. Votes for PATRIOT act, then when he actually gets to read it, changes his mind. Does not vote for iraq funding, but latter does when the source of the funding is changed. To a conservative pundit, there is not concievable reason not to support things go towards "national security", but Kerry disagreed. The same way a libertarian can't think of any reason to give up privacy, but the conservatives think that that it is sometimes necesarry. That does not mean that they are hypocrites, it means they see things differently than you.

    Even if they are wrong :)

  12. I WOULD HAVE TOO! by Anonymous Coward · · Score: 3, Insightful

    here in san jose I spend 100% of my pay check on rent, car insurance (good driver), car payment (commuter), phone bill (rarely talk on it), and food (ramen, milk, and eggs).

    If you offered me $52,000 for a list of emails or names and info from my work i'd take itin an instance. I may get fired and sued but hay with that I could afford to move out of this shit whole and be over seas with my family tomorrow.

  13. Hate to break it to you all... by SetupWeasel · · Score: 3, Insightful

    But you can be sure that if a major company has your information, many employees that are making very little have access to that information.

    At MCI, where I used to work, I would see the personal information including name, address, phone numbers, credit card numbers, birthdays, and email addresses of hundreds of customers a week. Not only that, but every employee was identified in the system by his or her SS#, and your SS# was stamped on every note you placed in the system.

    I earned $8.47 (American) per hour, and the call center contractor had a less than rigorous screening process. I did have a pulse, so I was hired. I have more ethics than the company I worked for, and I would never do such a thing.

    But you have to ask yourself, if a company is willing to hire employees for next to nothing, and hand these employees access to information that they can sell for 3 times what they earn in a year, how long untill the SS# you give the company is compromised?

    Do not give truely sensitive information to companies. If they do not have legal authorization to demand a SS#, they are using it for identification purposes only. Give them a fake one.

    On another note: Anyone want to hire an aspiring writer? Seriously, $8.47/hr is still better than the $0/hr I'm making now. Please! ::sniff::

    Be strong!

  14. Appropriate penalties by Artifakt · · Score: 4, Insightful

    First, I am not a lawyer. This is a lay opinion only.
    Second, I am not a particularly vengeful person, or at least I don't really want spammers to face the death penalty, castration, or other such suggested punishments.
    Jason Smathers has been charged with theft and fired by AOL. I'm assuming the actual charge is something like felony grand theft, and that the amount his co-conspirator got for the lists will be all the proof AOL will need to offer for a grand jury to agree with that charge.
    According to the article, he also used another employee's ID in the act. That's probably either a separate charge or at least an aggrevating factor to the first charge. Among lots of other effects, this employee probably has standing to sue both men and a fair chance of winning, regardless of whether AOL does (with "winning" limited by the condition that they must somehow have forfitable assets after their prosecution).
    It also looks like there was possibly more than one actual theft, as the article mentions the men either actually obtaining or conspiring to obtain an updated version of the list, which would imply an older version also existed in their posession. One or both men may have made fraudulent promises to a person or persons who bought the list, representing it as legally obtained.
    So, Smathers could well be inditeable with three or more felonies (three strikes rules may apply), and it's possible with multiple persons accused that the whole thing could fall under RICO, either of which could easily make the overall sentence 30 years or more. Even with the usual time off for good behavior type clauses, that means serving a good solid 18 years or so.
    AOL probably wants the whole thing to go away. Since they can't really get that, the next best thing is to get seriously Neolithic on his ass, and hope it has a deterrent effect.

    --
    Who is John Cabal?
  15. Re:Clearly you've never sent bulk mailings... by bigsteve@dstc · · Score: 3, Insightful
    And they don't *just* bounce it, they set up a slow-ass connection to your bounce server and time it out (clever idea actually).

    Clever idea ... but counter-productive in the long run.

    Assuming that the spammer is using a herd of zombie PCs for spam relaying, and each PC can handle multiple mail connections, they are not likely to be slowed down much by this tactic. In addition, spamming PC can be set up to aggressively time out connections to slow mail servers.

    On the other hand, people who run legitimate mailing lists may suffer when a list submission triggers spam detection and slow server counter measures. The mailing list server will typically NOT be able to send huge numbers of emails in parallel, and will NOT want to aggressively time out slow mail servers. As a result, if a mailing is (rightly or wrongly) classified as SPAM and triggers counter measures, mailing list delivery suffers.