Slashdot Mirror


AOL Employee Arrested in Spam Scheme

LostCluster writes "The AP, Reuters, and AOL's own CNN/Money are all reporting that AOL employee Jason Smathers has been arrested and accused of taking a list of 92 million screennames from the internal AOL system, and selling it to another man, who allegedly used it 'to promote his own Internet gambling business and also sold the list to other spammers for $52,000'. Not surprisingly, Smathers has been fired."

43 of 428 comments

  1. That's a lot of names... by mOoZik · · Score: 3, Interesting

    And $25,000 seems a tad...low.

    1. Re:That's a lot of names... by CaseM · · Score: 2, Interesting

      So does $52,000

    2. Re:That's a lot of names... by Grant29 · · Score: 2, Interesting

      Maybe he wasn't trying to be too greedy. After all, it might be hard to hide $52,000 from a fraudulent sale.

      --
      9 Gmail invitations available

    3. Re:That's a lot of names... by mothz · · Score: 4, Interesting

      $52,000 for 92 million addresses is nearly 1800 addresses per dollar. At that price it would cost only $3.6 million to get the address of every man, woman, and child in the entire world. And to think, spammers used to hang out in AOL public chat rooms to collect screennames. Ahh, economic efficiency.

  2. Re:Fired? by mOoZik · · Score: 2, Interesting

    It never reached the court of law, it seems, so the company is only taking preventative - if premature - actions.

  3. Now do the same over at MSN/Hotmail by SomePoorSchmuck · · Score: 5, Interesting

    It's well known that you can invent "unguessable" accounts at hotmail, e.g. rmgdrduckk5arp@hotmail.com, and never join any mailing list or submit your name to any website or allow MSN to list you in the Hotmail User Directory, and yet within a few days or weeks your account will miraculously begin receiving offers from mail order brides, pills, porn, and so on. I've long suspected that someone working for Hotmail is making money on the side by downloading the user list once a week and selling it to spammers. Which is why my hotmail accounts have lapsed and I mainly use my yahoo or Gmail accounts.

    --

    Hollywood, Television, has become the dream machine. We need to take that back; each of us is a Dream Machine
    1. Re:Now do the same over at MSN/Hotmail by fiannaFailMan · · Score: 2, Interesting

      This is exactly what happened when I had an AOL account. Every day I'd get the 'You've got mail' mantra despite me never having used or distributed my aol email address to anyone. I even used their email client once to have a look at how many messages were in there just out of curiosity. There were about 600, all spam, and that was after about three months.

      --
      Drill baby drill - on Mars
  4. Re:Double standards.. by Anonymous Coward · · Score: 1, Interesting
    nah, the airlines only gave away credit card numbers and other personal information... but no email addresses

    It's a sad world we live in where our email address has more protection than we do.

  5. This reminds me by thedillybar · · Score: 3, Interesting
    With the value of valid e-mail addresses increasing...how long before /etc/passwd is no longer world readable?

    % wc -l /etc/passwd
    184533 /etc/passwd

    1. Re:This reminds me by Zocalo · · Score: 2, Interesting

      If you genuinely have *that* many accounts on your *NIX system, then /etc/passwd should probably be almost empty and consist of system accounts only. The user accounts would be much better and more securely stored on a dedicated system running a directory/authentication service like an LDAP setup. It might have helped AOL avoid this too, since only a very limited number of people would need access to the entire database if the schema was done right.

      --
      UNIX? They're not even circumcised! Savages!
  6. What about those screennames? by fembots · · Score: 5, Interesting

    Okay the guy has been arrested and fired, but what about those names already sold to spammers?

    In the article AOL didn't seem to mention what they are doing to protect the victims, except "they are thoroughly reviewing and strengthening our internal procedures".

    Is this good enough? Sometimes you can punish the offender enough to compensate the victims.

    1. Re:What about those screennames? by LostCluster · · Score: 2, Interesting

      What exactly can AOL do anyway? Retire 92 million usernames?

    2. Re:What about those screennames? by gammelby · · Score: 2, Interesting

      Eh... the spammers should then promise not to adapt to this change and never do an s/aol\.com/sol\.com/ on the address list??

      Ulrik

  7. You've got Bail! by morcheeba · · Score: 3, Interesting
  8. i've confirmed this. by bani · · Score: 5, Interesting

    i've created hotmail accounts with crypto-hard random usernames, not listed anywhere, and almost immediately started receiving spam to them.

    it seems to really only happen on new accounts though. old hotmail accounts dont seem to get spam, if you dont publish them anywhere.

    it's entirely possible someone has recently (within the last few years) backdoored hotmail's account creation system to notify them of new accounts, which would explain why old accounts dont get any spam.

  9. Re:huh? by Kiryat+Malachi · · Score: 3, Interesting

    I didn't say there was anything wrong with it.

    I'd love a world where I had a guaranteed job, but just like everyone else, I work for mine. I was just explaining the difference to the original poster between "innocent before proven guilty" and "we can fire you if we damn well want to."

    --

    ---
    Mod me down, you fucking twits. Go ahead. I dare you.
    (I read with sigs off.)
  10. $25,000 ? For 92 million verified addresses? by Marxist+Hacker+42 · · Score: 3, Interesting

    Based on a recent e-mail offering 5 million verified addresses for $300, the value of a single address should be 6 thousandths of a cent. The guy who paid $25,000 is the one who got ripped off- proper value of 92 million verified e-mail addresses at 6 thousandths of a cent per name is $5,520.....

    --
    SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
  11. Honeypotting with stolen names by G4from128k · · Score: 5, Interesting

    This case presents an interesting opportunity. If some of those 92 million names were faked, AOL-internal-only addresses (i.e., no outsider ever had them or ever could have them) then anyone caught using or selling them is guilty of accepting or selling stolen property. Any email arriving to a never-released, but stolen name would let AOL and authorities track the spammer network and subpoena spam-using e-commerce sites to reveal the identity of marketing affiliates.

    --
    Two wrongs don't make a right, but three lefts do.
    1. Re:Honeypotting with stolen names by Anonymous Coward · · Score: 1, Interesting

      anyone caught using or selling them is guilty of accepting or selling stolen property.

      Please don't confuse intellectual property with actual property. You cannot steal IP.

      This confusion is what the RIAA and MPAA capitalise upon to accuse people of theft in their press releases (but not in court).

    2. Re:Honeypotting with stolen names by LostCluster · · Score: 3, Interesting

      Please don't confuse intellectual property with actual property. You cannot steal IP.

      Correct, but in this case IP has a parallel to stolen property called stolen trade secrets. Basically, since this is information obtained by illegal means, it's illegal to use this information for profit.
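The seeded-list idea in comment 11 (a never-released canary address that can only arrive in a spammer's hands via the stolen list) in working form, as an added example that is not part of the original thread and not anything AOL did. The `aol.example` domain, the HMAC key and the sample messages are constructed for illustration; canaries are derived per list copy so that mail to one of them identifies which copy leaked, not just that a leak happened.

```python
"""Canary-seeded address list (added example; not from the thread).

Assumptions: 'aol.example' is a domain whose addresses are only ever
created by this script, the secret is a constructed key, and the mail
samples are constructed, not real spam."""
import hmac
import hashlib
import random
from email.parser import Parser
from email.utils import getaddresses

CANARY_DOMAIN = "aol.example"   # assumption: never handed out to anyone


def canary_address(secret: bytes, copy_id: str, index: int) -> str:
    """Derive canary number `index` for the list copy `copy_id`.

    An HMAC over (copy_id, index) gives a local part an outsider cannot
    guess, while the list owner can recompute every canary from the key
    instead of having to store them all."""
    tag = hmac.new(secret, f"{copy_id}:{index}".encode(), hashlib.sha256)
    return f"{tag.hexdigest()[:16]}@{CANARY_DOMAIN}"


def seed_list(addresses, secret: bytes, copy_id: str, n_canaries: int, seed: int = 0):
    """Return a copy of `addresses` with `n_canaries` canaries spliced in at
    pseudo-random positions, so they are not obvious at the top or bottom."""
    rng = random.Random(seed)
    out = list(addresses)
    for i in range(n_canaries):
        out.insert(rng.randint(0, len(out)), canary_address(secret, copy_id, i))
    return out


def canary_index(secret: bytes, copy_ids, n_canaries: int):
    """address -> copy_id for every canary ever seeded; rebuilt from the key."""
    return {canary_address(secret, c, i): c for c in copy_ids for i in range(n_canaries)}


def triage(raw_messages, index):
    """Count inbound messages per leaked copy by matching To:/Cc: against the index.

    Mail to a real customer is ignored; mail to a canary can only have come
    from someone holding that particular copy of the list."""
    hits = {}
    for raw in raw_messages:
        msg = Parser().parsestr(raw)
        fields = msg.get_all("To", []) + msg.get_all("Cc", [])
        for _name, addr in getaddresses(fields):
            copy_id = index.get(addr.strip().lower())
            if copy_id is not None:
                hits[copy_id] = hits.get(copy_id, 0) + 1
    return hits


if __name__ == "__main__":
    secret = b"constructed-demo-key"
    copies = ["export-A", "export-B"]
    seeded = seed_list(["alice@aol.example", "bob@aol.example"], secret, "export-A", 3)
    idx = canary_index(secret, copies, 3)
    spam = (f"From: casino@example.net\nTo: {canary_address(secret, 'export-A', 1)}\n"
            "Subject: win\n\nplay now\n")
    print(len(seeded), triage([spam], idx))   # 5 {'export-A': 1}
```

Because the canaries are keyed rather than random, the list owner can hand a differently seeded copy to each internal team or partner and later rebuild the whole index from one key; the index lookup is case-insensitive since relays often rewrite the case of the local part.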

  12. Re:That's it?!?!?!?!? by YouHaveSnail · · Score: 2, Interesting

    He should have been sent to prison for 25 years too!

    For breaking what law?

    I don't mind so much that my employer can fire me for pretty much any reason they like. I can quit for pretty much any reason I like, too. But I sure don't want to live in a world where my employer can send me to prison.

  13. AOL has to tell California customers by Aidtopia · · Score: 4, Interesting

    If I understand correctly, California has a law that requires a company to contact each customer that was affected by disclosure of information due to a security problem. I wonder what that'll cost AOL.

    I'm also interested if the spammers the casino guy resold the list(s) to will also be prosecuted for purchasing stolen goods. At a minimum, they should be publicly identified.

  14. Re:That's it?!?!?!?!? by DaveAtFraud · · Score: 4, Interesting

    I'm guessing that AOL will go for something like grand theft. The list was re-sold for $52,000. No telling how much the guy he originally gave it to paid him. I'm sure the value of the list to AOL's business is much higher but this sets a lower bound that easily puts the theft into the range where grand theft would stick. From this perspective, what he did was no different than carting out a server or some other piece of equipment and fencing it for $52,000.

    Personally, I think the dweeb should be staked out on an ant-hill or drawn and quartered but I've been accused of being a little extreme when it comes to spam, spammers and people who disclose e-mail addresses without the owners' permission.

    --
    They that can give up essential liberty to obtain a little temporary safety deserve neither safety nor liberty.
    Ben
  15. Too late by Yurka · · Score: 3, Interesting

    They can prosecute this guy, and everyone he sold the list to, and everyone they sold the list to, and so on, nine ways from Sunday - won't make any difference for the spammed masses now that the list is out. Nor will AOL's privacy policy (or whatever goes for it over there). The safeguards that are in place are (and always will be) inadequate against a motivated individual who doesn't understand consequences of his/her actions, or doesn't give a whistle about them, or both. AOL? MSN? Yahoo? Ne-ext!

    --
    I can assure you, the best way to get rid of dragons is to have one of your own.
  16. RICO AOL out of business by grolaw · · Score: 2, Interesting

    Now, what part of AOL's security system failed?

    Oops, that's right - they have no security system. That's why some idiot can swipe 92meg of users and sell them to some other idiot who wants to spam us with his own (did I say these guys were idiots?) gambling scheme and then resell the 92meg of users to the other vile spammers.

    AOL can't be let off the hook. They had a duty to protect the user base as certainly as every one of us has a duty not to leave loaded guns where 5 year-olds can play with them. This is a clear example of AOL permitting a dangerous instrumentality to fall into the hands of the incompetent.

    BUT, we should also tell Ashcroft that the two idiots are "the terrorists' friends" and let Ashcroft make them disappear (along with their families, friends and dogs).

  17. smathie.net | thesmathers.com by surgeon · · Score: 2, Interesting

    related?

    check the forum

    --
    [ No prescription needed ]
  18. Re:An observation. by Anonymous Coward · · Score: 1, Interesting

    Who burnt down the building and kept the money?

  19. Re:An observation. by Anonymous Coward · · Score: 1, Interesting

    One of the largest demographics for shoplifting consists of middle aged women who are housewives.

  20. would prison be a good enough deterrent? by bani · · Score: 2, Interesting

    would 5 years in prison make it easier to say no?

  21. Re:Security? by DrXym · · Score: 4, Interesting
    I suppose it depends what the guy was working on. If it was on their accounts database, what limits can you impose on someone like that? He might have a legitimate reason for running through every screen name, for example to gather statistics or whatnot.

    As it happens however he has been caught. How was he caught? I don't know, but it's not beyond the realm of possibility that the aforementioned database had triggers and an audit trail that says who did what and dumps it in a log somewhere. Or perhaps he tripped up by querying for everything including the flagged accounts - accounts that AOL regularly sacks people for looking at because they belong to celebs and so forth.

    It would not surprise me at all if the alarm bells didn't start ringing as soon as the DB ground to a halt while it was returning 92000000 rows.
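The audit-trail check DrXym describes, in runnable form as an added example; this is not AOL's tooling and not code posted in the thread. The log format (one key=value line per audited statement), the user names, the 100,000-row ceiling and the "flagged" account list are all constructed. It applies three rules to each SELECT: an implausible row count, an unfiltered read of the accounts table, and a read of a protected account, then lists users whose hits span more than one day, since a one-off may be a legitimate statistics job but a repeat is worth a conversation.

```python
"""Flagging bulk reads in a database audit trail (added example; not AOL's
code or anything from the thread).  The log format, the user names, the
row ceiling and the protected-account list are all constructed."""
import re
from collections import defaultdict

# Constructed sample: one line per audited statement, key=value fields.
SAMPLE_LOG = [
    "2004-05-30T10:02:11Z user=support17 op=SELECT table=accounts rows=1 filter=screenname",
    "2004-05-30T10:05:40Z user=support17 op=SELECT table=accounts rows=1 filter=screenname",
    "2004-05-31T02:14:07Z user=eng42 op=SELECT table=accounts rows=92000000 filter=none",
    "2004-06-01T09:00:00Z user=support9 op=SELECT table=accounts rows=1 filter=screenname target=famousperson",
    "2004-06-01T11:20:00Z user=analyst3 op=SELECT table=accounts rows=15000 filter=aggregate",
    "2004-06-02T03:01:55Z user=eng42 op=SELECT table=accounts rows=92000000 filter=none",
    "2004-06-02T03:02:10Z user=eng42 op=UPDATE table=prefs rows=1 filter=screenname",
]

PROTECTED = frozenset({"famousperson"})   # constructed 'flagged' accounts

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>\S+=\S+(?:\s+\S+=\S+)*)$")


def parse_line(line):
    """Return the audit record as a dict, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = {"ts": m.group("ts")}
    for tok in m.group("kv").split():
        k, _, v = tok.partition("=")
        rec[k] = v
    try:
        rec["rows"] = int(rec.get("rows", "0"))
    except ValueError:
        return None
    return rec


def detect(lines, row_ceiling=100_000, protected=frozenset()):
    """Apply three rules to SELECT statements; one alert per rule that fires."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec.get("op") != "SELECT":
            continue
        reasons = []
        if rec["rows"] > row_ceiling:
            reasons.append(f"{rec['rows']} rows returned, ceiling is {row_ceiling}")
        if rec.get("table") == "accounts" and rec.get("filter") == "none":
            reasons.append("unfiltered read of the accounts table")
        if rec.get("target") in protected:
            reasons.append(f"read of protected account {rec['target']}")
        for reason in reasons:
            alerts.append({"ts": rec["ts"], "user": rec.get("user", "?"), "reason": reason})
    return alerts


def repeat_offenders(alerts, min_days=2):
    """Users whose alerts fall on at least `min_days` distinct days."""
    days = defaultdict(set)
    for a in alerts:
        days[a["user"]].add(a["ts"][:10])   # ISO timestamp -> YYYY-MM-DD
    return {u: len(d) for u, d in days.items() if len(d) >= min_days}


if __name__ == "__main__":
    found = detect(SAMPLE_LOG, protected=PROTECTED)
    for a in found:
        print(a["ts"], a["user"], a["reason"])
    print(repeat_offenders(found))   # {'eng42': 2}
```

The row ceiling is the weakest of the three rules (a dump done in 1,000 chunks of 92,000 rows stays under it), which is why the unfiltered-read rule keys on what the query asked for rather than on how many rows came back; in practice the per-user daily total would be compared against that user's own baseline as well.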

  22. Re:An observation. by steve+buttgereit · · Score: 3, Interesting

    Why don't we put it another way? "Note that both people involved were guys. By its traditional discrimination against women (who are more civilized) in favor of men (more aggressive and violent), IT is introducing a security risk since men will take more chances." It makes as much sense as the above "these damn' kids screw up all the time" rant (and before some /. feminist says "you go girl!", I should add that I'm male, 23, and consider both arguments completely idiotic).

    Actually, I wouldn't be terribly surprised if the counter-point you offer to try to discredit my argument is, itself, true. By the way, my observation is derived not from a single article but from my experience working in IT. The article simply provides an interesting context.

    IT is a younger field, therefore more IT guys are younger. Granted, it's been around for the last 40 years, but for about half of that time, you needed a lot of money to get a computer. The generation that got to use truly cheap computers came of age just ten years ago. It's natural that there is now an explosion of younger IT workers.

    I'm not sure what relevance this statement has to my point. This is all true on the face of it, but neither supports nor detracts from my hypothesis. What I will say, assuming your statement is true, is that the impact of mistakes made by anyone in IT has the potential to be greater than at any time in history. Would, 40 years ago, a couple of 20somethings have had the tools to commit a crime that impacted as many as 93 million people? What if he weren't at AOL, but Bank of America?

    Marital, family, religious, and civic ties to society, IMHO, are much more likely to keep people honest than their age, even counting the fact that younger workers may be less experienced.

    Thank you for help in supporting my point. Much of my point is predicated on the fact that younger people are more likely not to have the same connections and convictions that older people do. How many professional 24 year olds are married as compared to say married 45 year olds? How many have their own families (a stronger connection than just to mom & dad)? Never did I mention experience: I was careful to say mature.

    And if you don't believe me, check a newspaper and see how many older, powerful men are at this moment headed to Club Fed because they weren't any better at ethics than the AOL dimwits mentioned in this article. Most of Congress is composed of older men, and I'd almost rather have Sanford Wallace (of Cyber Promotions infamy) representing me than some of these folks.

    I find trouble in using the newspaper to uncover trends; there are too many other factors to consider them useful sources of this kind of information. Older people are more likely to have roles in more sophisticated, larger stakes games. But what we don't see in the papers are how many people are being put away for $50K in embezzlement here, $75K in kickbacks there... in fact, if it weren't for the 93 million users, you would probably have never heard of this either in the papers. I still maintain that younger workers will have higher security issues as compared to the population as a whole. By the way... how many older people do we hear about getting put away for writing viruses and worms? Don't confuse high profile for quantity or even severity.

    I work in a government agency, so I see a large proportion of older workers. Some are smart, hard workers; others are idiots. I see no larger proportion of idiots among younger people than I do among older ones, nor do I see any indication that the intelligence or ethics of the old have anything to do with the fact that they are old.

    Don't get me wrong... avarice comes in all ages. But the selection process for congress is slanted to those that are most likely to be less than honest, and government workers are placed, in my experience, by other less than optimal hiring methodologies. Though, sure, there are older idiots as well. But I find the young, smart, but overly ambitious types to be the ones to keep an eye on.

    Well argued nonetheless. And for the record I'm an old guy in tech terms... mid 30s!

    Cheers!
    SCB

  23. Re:Fired? by chimpo13 · · Score: 4, Interesting

    Enough to fire him in a private company. For the first three offenses at a state or federal job it'd be a written warning.

    Some guy brought in a gun to work with him at the UC Davis monkey lab, allegedly with a list of people he was mad at (gun for sure, not sure about the list). He's one of the same 2 people who "lost" a monkey. That one made national news, and the other guy got a promotion. Anyway, he got 30 days of "administrative leave" for the gun, which meant they were going to fire him.

    Security was told, "Hey, we had to suspend this guy. If he shows up, wave, let him through, and call the police because he knows he's not supposed to be here". No point in actually telling the security why they were looking for him. And no point in telling employees what was going on. This was during the period when UC Davis was trying to get the Level IV Biohazard Lab, so that *might* have been part of the secrecy, but I think it's because all state jobs usually have A Giant State Head up their ass all the time. In the meantime, this guy got arrested in Wyoming, with the gun, with filed off serial numbers, and illegal drugs. He was in a car his mom rented that wasn't supposed to leave the state. Not sure how much time he's serving. But being black in a Wyoming prison can't be fun. He was a nice guy before he started taking drugs.

  24. AOL Lax Security __TAKE 2__ by Crazen · · Score: 3, Interesting
    Who else remembers this from not too long ago:

    Hack Your Way to Hollywood

    You know, the word "hack" above really bothers me.

  25. the cat is 1,200 miles from the bag by theCat · · Score: 3, Interesting

    So AOL lost control of their list. Bah. They never had control. It was only a matter of time, and now that spam is becoming big business, now was the time. The only way to manage these things correctly regarding the IT team would have been:

    1) Restrict mobile/personal storage and technology within the IT core;
    2) search employees entering and leaving the IT facilities for CDs, storage dongles, smart cards, USB-enabled watches and lapel pins, MP3 players, laptop computers, palmtop devices, etc;
    3) workstations used by developers have no Internet access whatever;
    4) no public/personal email access from developer workstations;
    5) the firewalls and other IT are managed by people who never come into contact with someone who themselves has access to data, and IT people have no access to data themselves;
    6) all data traversing the LAN is AES encrypted;
    7) there is no wireless access anywhere in the business, period.

    Did AOL do *any* of this? Even one thing? I doubt it. Why would they? These aren't even standard practices except maybe at the NSA.

    And that's just the AOL IT people. What do you then do with the marketing and sales folk? Presumably, they don't have the right kind of access to bulk data in the first place and/or cannot save data to storage that they can pull up in the normal course of work, but that's another policy to set up and more restrictions (i.e., they cannot save files to their workstation, and cannot burn CDs, and cannot bring laptop computers home, etc.) And what if AOL decided to outsource customer support? What path does data take then?

    All of this would kinda-sorta make sense when protecting things like source code where there are only a few that need access anyway, and there is no obvious reason for the code to leave the site. But in the case of customer account info, that's not restricted to development and the customers are dealing with very low level employees who need a broad kind of access to customer data to deal with customer issues.

    I don't know if there are very many companies that would put their minimum wage earning sales and support drones (or their outsource suppliers) through that kind of security policy. And the marketing people would simply bite your head off at the very mention of leaving their laptop computers at work.

    Reality: The only personal data that is safe is the data that is encrypted, then the passcode encrypted, then the passcode is lost, then the data is deleted, then the disk containing the data is formatted and overwritten with random bits, then the disk removed from the system and shredded, and then the small bits are randomly distributed over the surface of the sea. At night during a storm.

    Failing all that...well don't expect your personal data to be private for any length of time so long as someone...anyone...the janitor...an intern...a poor working mother in Pakistan...can make a buck (exactly $1US) selling it.

    --
    =^..^= all your rodent are belong to us
  26. Clearly you've never sent bulk mailings... by Theatetus · · Score: 4, Interesting

    Not really. Mailing to AOL is a hit-or-miss thing. We run a lot of mailing lists (bands' fanlists, organizations' newsletters, etc.) and about half of the time you have AOL addresses on a list they bounce it. And they don't *just* bounce it, they set up a slow-ass connection to your bounce server and time it out (clever idea actually).


    So, if you were a spammer, AOL addresses would be of dubious use.

    --
    All's true that is mistrusted
  27. Re:Fired? by Nahor · · Score: 2, Interesting
    Sure, one can file any number of frivolous suits; that alone doesn't establish just cause (i.e. it will get thrown out on demurrer).

    I don't know about that particular case (I'm not even sure that it's not a hoax) but the thing is that you can file a frivolous lawsuit and win.
  28. What is the crime? by macdaddy · · Score: 2, Interesting

    What exactly is the crime he's accused of? Taking customer lists from any other business would be actionable in civil court, ie he wouldn't be arrested. What value can they assess on a list of email addresses? Not that I'm defending this jackass. Frankly I'd like to meat [sic] up with him in a dark alley with an old Sun keyboard. Something from the original IPC would do nicely. I'm just curious what the actual criminal crime is that would cause him to be arrested, or if this is another company with $$$ getting the police to handle their civil affairs.

  29. Re:Access? by tomhudson · · Score: 3, Interesting
    Summary of the three rules:
    1. Hire good people
    2. Pay them well
    3. Watch them closely
    Parent poster wrote:
    regardless of the first two....it's a damn good plan...but who watches who?
    D'uh! That's what the outside consultant is for ...

    Mind you, the rules have changed today:

    1. Find someone with an itch they want to scratch
    2. Make sure they have integrity
    3. Turn 'em loose
    Which can be summarized in 1 sentence: Only work with people you can trust completely, and do nothing to betray their trust in return.

    But, back to what the posters were saying. It's a balancing act. Each side watches the other. If you've ever worked as an outside consultant, you get used to that sort of dynamic VERY quickly.

    Reminds me of one time I was consulting, and the prima donna head coder didn't believe that a query with millions of records would run fast enough on a 486 (this was about 10 years ago). Didn't understand that properly indexed searches scale nicely, instead of linearly.

    So, I told everyone that I would prove it tomorrow. Went in after supper, dumped copies of all my code and data onto 2 machines (a server and his box), reformatted, re-installed, and wrote the code to generate my test database. Then went home to bed.

    Of course, the next morning, idiot has already complained to management that I must be up to something fishy, because all my code is wiped from my machine (snoopy little snot), and they want to know why they should continue to trust me.

    So, I explain that it's all sitting on the idiot's own box, as well as the server, because, remember, we're doing a test today, and I needed all the disk space I could find.

    Oh, the reason I call him an idiot? He wanted to continue arguing about whether a query would execute fast enough, when it was easy enough to test. That's just plain stupid. But it's the sort of thing you have to learn to handle if you're going to do consulting :-)

  30. Re:Security? by 1u3hr · · Score: 2, Interesting
    It would not surprise me at all if the alarm bells didn't start ringing as soon as the DB ground to a halt while it was returning 92000000 rows

    Since the FA says he did this at least twice, either they don't check their audit files very often, or he was ratted out by someone later, or did something stupid with his ill-earned cash to attract attention.

  31. Re:Security? by tftp · · Score: 2, Interesting

    Large databases usually don't use files, they use raw partitions, with a weird combination of striped and RAIDed volumes for speed and reliability. So it may well be difficult to copy the database - and then to recreate it at home.

  32. Re:Arrested and accused... how about convicted by pommiekiwifruit · · Score: 2, Interesting
    I can't do anything prison-like or fine-like to you without convicting you first.

    Um, a large proportion of people in jail are not convicted; they are on remand.

    This proportion rises to 100% when you look at Guantanamo bay.

  33. Re:Maybe there're more? by vldmr_krn · · Score: 2, Interesting

    Unless they're made aware of other inside jobs of this, they'll probably stay happily oblivious to anyone else wanting to make a fast buck.

    AOL said that they are thoroughly reviewing and strengthening their internal procedures in response to this.

  34. Re:An observation. by steve+buttgereit · · Score: 2, Interesting

    You're making rhetorical errors that prove my point. But you'll know better as you get older ;-).

    The attitude of older manager types is that wisdom comes with intelligence and technical acumen. My point is that this is a mistake that increases the likelihood of such breaches. Remember my initial observation: IT, notorious for age discrimination in favor of young, brighteyed types, may actually be introducing a greater security risk with the practice.

    Depending on the exact role of this 'engineer' there may be legitimate reasons for that individual to have access to this data. Indeed, even older and higher ranking people within AOL may have been so enamored with this young man that he might have been a team lead or other senior technical resource with the authority himself to be the gatekeeper. Another scenario says maybe he wasn't 'granted' access at all: software engineers are ultimately in control... including the programming of backdoors, exploiting of known flaws, etc.

    My point isn't that older workers don't make mistakes, but that they are less likely to be reckless or take as many chances with authority as younger workers.

    Finally, the real error with your most recent comments is that the older manager you speak of didn't act with malicious intent; whereas the younger worker clearly did. This is the heart of my point: managers should be more cautious in assigning younger workers to places of high responsibility regardless of skill or qualifications.

    Cheers!
    SCB