Slashdot Mirror
AOL Employee Arrested in Spam Scheme
LostCluster writes "The AP, Reuters, and AOL's own CNN/Money are all reporting that AOL employee Jason Smathers has been arrested and accused of taking a list of 92 million screennames from the internal AOL system, and selling it to another man, who allegedly used it 'to promote his own Internet gambling business and also sold the list to other spammers for $52,000'. Not surprisingly, Smathers has been fired."
"You've Got Spam!"
That they didn't pay more for the list. I mean, the names of 92 million really clueless people who think AOL is "that thar interweb" would probably buy V1@GR@ by the case. Jesus, it would be a spammer's wet dream!
And $25,000 seems a tad...low.
A blog like any other.
You've Got Jail!
"BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
Aren't we supposed to wait for someone to be found guilty before punishing them?
Now imagine how much personal info is being sold overseas from outsourced companies.
You would think there would be limitations on HOW an employee could access such a large database. I mean, does AOL throw out CDs with conveniently formatted lists of all the screen names of its customers?
All they did was just fire him?!?!?!? He should have sent to prison for 25 years too!
Red Bull gave me wings and I flew into the ceiling fan.
..didn't a bunch of airlines admit to (basically) the same thing? no arrests there..
--BlueLines "The cost of living hasn't affected it's popularity." -anonymous
with large, easily searched and copied databases of highly consolidated private data.
The primary issue to be feared is not that someone who isn't trusted with the data will get ahold of it, but that someone who is trusted with the data will turn out to be untrustworthy.
The same goes for backdoors. I'm not half so worried about some script kiddie hacking my router as I am some employee/former employee of Cisco simply walking right in.
KFG
Hi.
I'm the government. I can't do anything prison-like or fine-like to you without convicting you first.
Hi.
I'm your employer. Unless you have a contract stating otherwise, odds are you're an at-will employee, which means *I can fire you for just about any reason I want*.
---
Mod me down, you fucking twits. Go ahead. I dare you.
(I read with sigs off.)
It's well known that you can invent "unguessable" accounts at hotmail, e.g. rmgdrduckk5arp@hotmail.com, and never join any mailing list or submit your name to any website or allow MSN to list you in the Hotmail User Directory, and yet within a few days or weeks your account will miraculously begin receiving offers from mail order brides, pills, porn, and so on. I've long suspected that someone working for Hotmail is making money on the side by downloading the user list once a week and selling it to spammers. Which is why my hotmail accounts have lapsed and I mainly use my yahoo or Gmail accounts.
Hollywood, Television, has become the dream machine. We need to take that back; each of us is a Dream Machine
I say make him answer AOL tech support phone calls. He'll beg for jail time after about a week.
I hope his punishment includes the jailer "jacking up the jail and throwing him under it". Seriously, if this was the EU, he would seriously be screwed. Why does the US think privacy is such unimportant issue ( CAPPS II anyone)??
... each one of those 92 million victims should be allowed to kick him in the nuts.
% wc -l /etc/passwd /etc/passwd
184533
...what the charge was? What's illegal about what he did?
More details about the scheme are available at CBS Marketwatch.
News just in :
In response to this 99% of AOL members surveyed who recieved the e-mail clicked on the link and frittered many dollars away at the casino making spam profitable and so continuing the downward spiral of e-mail.
One user replied saying : "I trust AOL so much when it comes to spam, they always send me the top dollar stuff like penis enlargement pills and always ask me to change my password on non secure sites and ask for my credit card as my account has been hacked. They care so much"
It's really no surprise that this sort of thing would come out of AOL. Considering that they're much more concerened with profits than providing even a half-decent service at a fair price, it's a wonder they actually caught this tool. Of course, AOL users bring a lot of this shit on themselves. If people used common sense (which I am convinced does not exist in most of the world), life would be so much easier.
Is that it will be quickly followed by.
Welcome!
"You've got Bail!"
Slashdot, home of supporters of free software, free music, and free speech.Except for Moderators that disagree with you.
What worries me is that there could easily be many more employees doing this - not just at AOL, but at other ISPs as well. However, I'm willing to bet that AOL isn't going to hunt for any other people like this doing it. Unless they're made aware of other inside jobs of this, they'll probably stay happily oblivious to anyone else wanting to make a fast buck.
And tomorrow the stock exchange will be the human race
Okay the guy has been arrested and fired, but what about those names already sold to spammers?
In the article AOL didn't seem to mention what they are doing to protect the victims, except "they are thoroughly reviewing and strengthening our internal procedures".
Is this good enough? Sometimes you can punish the offender enough to compensate the victims.
Rock that crushes, Paper & Scissors that don't matter.
An interesting way to look at this is consider the age of the people involved. The engineer was 24 and the Casino guy was 21. IT, notorious for age discrimination in favor of young, brighteyed types, may actually be introducing a greater security risk with the practice.
I remember when I was in my early 20s and lets just say I didn't have a lot to lose... and everything to gain from taking a chance here and there. By placing less mature workers into places where personal ethics and great responsibility collide, you're asking for issues just like this.
I don't mean in indict all younger workers. Certainly most are good employees; I've hired many younger people without trouble. But as a percentage of population, the younger I expect to make more 'mistakes' both simple errors and errors in judgment.
My two bits...
SCB
Cellmate named Gerome who has been working out in the yard for the past half of his 20 year sentence and he's looking mighty hard at your well-fed, sedentary, badonka-donk behind.
soundclip
HIV Crosses Species Barrier... into Muppets
i've created hotmail accounts with crypto-hard random usernames, not listed anywhere, and almost immediately started receiving spam to them.
it seems to really only happen on new accounts though. old hotmail accounts dont seem to get spam, if you dont publish them anywhere.
it's entirely possible someone has recently (within the last few years) backdoored hotmail's account creation system to notify them of new accounts, which would explain why old accounts dont get any spam.
The article says he's a software engineer at AOL with inside knowledge of their computer systems. It doesn't say that he was directly responsible for the customer database systems, but even if not, it can't be that hard to dump the names out. Any sysadmin is in a position of great trust. They could walk off with all your data on their servers, but they're trusted not to.
You have the list with 92 million screennames? Ex----cellent, Smathers.
Blogging Weight Loss, Distance Education, and more at verlin.com
Damn Cruel and Unusual clause will stop it. I mean somethings are just too inhumane. He's ONLY a spammer....
Slashdot, home of supporters of free software, free music, and free speech.Except for Moderators that disagree with you.
This AOL employee only made $0.0005652174 per e-mail address he sold. Is that anywhere near the fair market list for e-mail lists? Seems a bit low, but then again IANAS (I am not a spammer).
"There is no spoon." - The Matrix
Smathers! Bring me the list of AOL subscribers!
*taps fingers expectantly*
Excellent...
I didn't say there was anything wrong with it.
I'd love a world where I had a guaranteed job, but just like everyone else, I work for mine. I was just explaining the difference to the original poster between "innocent before proven guilty" and "we can fire you if we damn well want to."
---
Mod me down, you fucking twits. Go ahead. I dare you.
(I read with sigs off.)
Based on a recent e-mail offering 5 million verified addresses for $300, the value of a single address should be 6 thousandths of a cent. The guy who paid $25,000 is the one who got ripped off- proper value of 92 million verified e-mail addresses at 6 thousandths of a cent per name is $5,520.....
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
Reception of stolen property? Industrial Espionage? Violation of consumer privacy? anti-spam laws?
This case presents an interesting opportunty. If some of those 92 million names were faked, AOL-internal-only addresses (i.e., no outsider ever had them or ever could have them) then anyone caught using or selling them is guilty of accepting or selling stolen property. Any email arriving to a never-released, but stolen name would let AOL and authorities track the spammer network and subpeona spam-using e-commerce sites to reveal the identity of marketing affiliates.
Two wrongs don't make a right, but three lefts do.
no big deal, your submition will show up as a dup tomorrow
Leave?
Guess I should have RTFA'd first. This idiot paid $100,000 for the updated, verified list. That's a 1,812% markup of the street price. WHAT AN IDIOT!
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
And there are no closed union shops in Virginia - you want to work somewhere, the company wants to hire you - no one can force to you join a union. Heck, even on the Washington Redskins - which is legally a Virginia company - players tend not to pay NFLPA union dues....
About the only useful info a cracker would find in /etc/password is usernames, and if he can see that file to begin with, he's already got a login.
Yeah, and a huge list of email addresses. In the case of the grandparent, about 183,000.
a company that can't fire people at will is a company that will be burdened by excessive, redundant and unnecessary employees, and will cease to be efficient or make money
hey, leave those poor public servants alone!
When they came for the communists, I said "He's next door. Take him away. Goddam commies."
If I understand correctly, California has a law that requires a company to contact each customer that was affected by disclosure of information due to a security problem. I wonder what that'll cost AOL.
I'm also interested if the spammers the casino guy resold the list(s) to will also be prosecuted for purchasing stolen goods. At a minimum, they should be publicly identified.
92 million verified AOL email addresses, well, that's pure gold. You know if they're an AOL subscriber, they're a sucker anyway...
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
The primary issue to be feared is not that someone who isn't trusted with the data will get ahold of it, but that someone who is trusted with the data will turn out to be untrustworthy.
They're both major concerns.
In fact, they're just two sides of the same problem: that personal information can and will be used inappropriately. We worry about rogue employees and about black hats. But we also worry about entire corporations, and about the government. See today's story about airlines sharing far more data than they previously admitted with the TSA.
Scene : AOL Boardroom
CEO : Well, that was a right cock up lads. How are we going to prove we are a nice reliable company now!
Exec 1: Well we could send out more free trial CD's, everyone loves those.
Exec 3: Well we could actually let people use their own browsers for once
Exec 2: No no no, Bill.....Thats suicide, our customers wouldn't know how to use internet explorer by themselves, THEY WANT CONNIE, THEY NEED CONNIE!!!
I got a better Idea : How about we send the spammers cd's full of addresses as a Free Trial and see if they want to subscribe to our "Targeted Advertising Program" with included AOL Mass Mailer 9.0 bloatware. Then everyone can become a spammer
CEO : Great thinking guys, now to topple yahoo with an attack of flying Free Trial CD's dropped from a plane!
*5 Minutes later all board members spontaneously combust as ElBazo works his voodoo curse
Mr. Burns ...
...
...
...
...
Hmmmmm, mmmmm! "SMATHERS!!!! YOU FIRED!"
Smithers
Emmm, "That's Smithers, Mr. Burns"
Mr. Burns
Hmmm. "Smithers - Smathers, whatever your reeaaaal name is, hmmmm - GET OUT."
Smithers
"But Mr. Burns!"
Mr. Burns
"OUT, OUT, OUT, I say - and no dilly-dallying, scoot, scoot."
~hylas
The complaint further charges that Dunaway later paid Smathers $100,000 for an updated version of AOL's customer list.
Huh!!
've been thinking all these days that only OS updates cost big money
What spam do you want to get today !?
They can prosecute this guy, and everyone he sold the list to, and everyone they sold the list to, and so on, nine ways from Sunday - won't make any difference for the spammed masses now that the list is out. Nor will AOL's privacy policy (or whatever goes for it over there). The safeguards that are in place are (and always will be) inadequate against a motivated individual who doesn't understand consequences of his/her actions, or doesn't give a whistle about them, or both. AOL? MSN? Yahoo? Ne-ext!
I can assure you, the best way to get rid of dragons is to have one of your own.
Watch out for embedded guys. Lots of embedded devices have backdoors that the developers can just walk right through. For example take any embedded linux device. The developer who made it most likely set a default root password that is the same on every one of those devices. If he gets ahold of yours and he's not a good guy your fscked.
Hmmmm, maybe I should get a job at a company that makes security systems... It would be cool when I get kidnapped by burglars to take part in their movie plot-like crime.
The GeekNights podcast is going strong. Listen!
We worry about rogue employees and about black hats. But we also worry about entire corporations, and about the government.
Of course. We worry especially about the latter, don't we? Especially when the government is the primary holder of the data in the first place and we already know they are untrustworthy.
KFG
"Yes, I have a Disaster Recovery Plan. It's called my Resume"
Now, what part of AOL's security system failed?
Oops, that's right - they have no security system. That's why some idiot can swipe 92meg of users and sell them to some other idiot who wants to spam us with his own (did I say these guys were idiots?) gambling scheme and then resell the 92meg of users to the other vile spammers.
AOL can't be let off the hook. They had a duty to protect the user base as certainly as every one of us has a duty not to leave loaded guns where 5 year-olds can play with them. This is a clear example of AOL permitting a dangerous instrumentality to fall into the hands of the incompetent.
BUT, we should also tell Ashcroft that the two idiots are "the terrorists' friends" and let Ashcroft make them disappear (along with their families, friends and dogs).
Every situation is unique, and sometimes different situations require different actions. You see the simularities between two situations, and your opinion is that differences are nonconsequential, but that doesn't mean the other person thinks they same way. They might think that the differences are very important and the simularities are nonconsequential. That doesn't mean that they have a double standard or are hypocritical, it just means that they put different value on the various aspects of the situations than you.
:)
It's just like the Kerry is a waffler fallacy. Votes for PATRIOT act, then when he actually gets to read it, changes his mind. Does not vote for iraq funding, but latter does when the source of the funding is changed. To a conservative pundit, there is not concievable reason not to support things go towards "national security", but Kerry disagreed. The same way a libertarian can't think of any reason to give up privacy, but the conservatives think that that it is sometimes necesarry. That does not mean that they are hypocrites, it means they see things differently than you.
Even if they are wrong
"Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
...his job was answering AOL tech support phone calls.
smather (verb) To have personal information sold to advertisers without your consent or knowledge.
"Man, I just got this new Hotmail account, but in less than an hour, it's been smathered!"
[DISCLAIMER: This post is a work of satire and should not be misconstrued as a holy text upon which to base a religion.]
Aside from the obvious fact that this individual might be a large reason why AOLers receive such a tremendous amount of email spam... this data should have most definately been better safeguarded by AOL.
:-)
Allowing a person in his position access to specific areas of their database depending on what needs to be done, would have made collecting the data at least a bit more challenging. From what I've read, the employee basically lifted the entire database straight up without much effort... sigh...
This isn't just a warning for AOL, but to any ISP or email service that allows employees with such unrestricted access to seemingly less confidential data. (Thankfully CC #s and SSNs are generally much more secure and hidden for the most part.)
I'll end my post on a positive note:
thank goodness for Spam Assassin
Karma police, arrest this man, he talks in maths....
Impossible. The man could never work AOL technical support. He doesn't speak Svengali.
Hey freaks: now you're ju
Never underestimate the power of one determined individual. To use a harsh anaology - think of all the presidential assinations(or attempted), sure a good amount were caught and executed, but they still were able to do what they set out to do.
Your Gmail account may be spam free for a while but IF at some point someone gets determined enough they can take your info and sell it off, sure they may have to suffer the consequences, but to them it may be worth the risk.
Honestly i've had really bad luck lately and if someone offered me $50,000 cash (more than my yearly salary) for the emails at my work I would have a very hard time saying no. Of course my fear of things like losing my job and getting sued would override the tempatation, but I blame that on my rational thinking process.
Ave Molech Setting
Comment removed based on user account deletion
related?
check the forum
[ No prescription needed ]
here in san jose I spend 100% of my pay check on rent, car insurance (good driver), car payment (commuter), phone bill (rarely talk on it), and food (ramen, milk, and eggs).
If you offered me $52,000 for a list of emails or names and info from my work i'd take itin an instance. I may get fired and sued but hay with that I could afford to move out of this shit whole and be over seas with my family tomorrow.
At least he would qualify for those low phone rates ;p
In keeping with the first item with your list, I would advise giving all the money you're spending on consultants who give you three sentence recommendations and give it to the people who actually have to work for a living.
would 5 years in prison make it easier to say no?
Most people are
[X] evil.
Smathers' spam scheme skimmed screennames? A shocking scam.
Crhis Mattern
Section 1037(a)(2), (b)(2)(C), and (b)(2)(E) of Title 18 of the USC, at least according to these court documents.
Degaussing scares the bad magnetism out of the monitor and fills it with good karma.
Former AOL employee Smathers sold the initial list for an unmentioned amount to Dunaway (the spammer) then Smathers sold an updated list to Dunaway for $100,000. Dunaway sold lists to other spammers for $52,000.
Smathers & Dunaway to AOL members: "All your screenname are belong to us!"
I expect something like this happened at eBay a while back. I changed my email address for eBay to a new mailbox. A few weeks later someone spammed it offering to sell lists of eBay members. Then spam followed, usually from phishers.
A feeling of having made the same mistake before: Deja Foobar
Burnin's too good for him...
He should be torn into itsy bitsy pieces and BURIED ALIVE!
Comment removed based on user account deletion
Of all the ills you could accuse AOL of -- lowering the signal-to-noise ratio of the Internet, filling our landfills with CDs -- there is absolutely no evidence that AOL use causes erectile dysfunction ... ... you insensitive clod!
The mathematics of the situation would make that improbable. He would need to generate and send 8,186,051,427,373,440,000,000,000 spams (assuming screen names of 6 to 16 characters in length, letters and numbers only) to hit all possible combinations that way.
This for each spam message. Far likelier that he is getting addresses from an inside source.
Can we have a list of people whose screen-names were sold?
In the dot.com boom days, biz plan spielers thought that a valid email address was worth $1-$10.
Never eat anything bigger than your head.
Smathers has been fired.
Out of a cannon, I hope.
Or fired at with a gun.
Either way works for me.
If "disco" means "I learn" in Latin, does "discothèque" mean "I learn technology"?
What a Stupid Mother Fokker
Hack Your Way to Hollywood
You know, the word "hack" above really bothers me.
Maybe its just me, but if I were going to risk my job and possible jail time, I'd want at least a penny per name, a half cent at least. $52,000 what's that? Someone back alley gambling debt. Geez.
So AOL lost control of their list. Bah. They never had control. It was only a matter of time, and now that spam is becoming big business now was the time. The only way to manage these things correctly regarding the IT team would have been:
1) Restrict mobile/personal storage and technology within the IT core;
2) search employees entering and leaving the IT facilities for CDs, storage dongles, smart cards, USB-enabled watches and lapel pins, MP3 players, laptop computers, palmtop devices, etc;
3) workstations used by developers have no Internet access whatever;
4) no public/personal email access from developer workstations;
5) the firewalls and other IT are managed by people who never come into contact with someone who themselves has access to data, and IT people have no access to data themselves;
6) all data traversing the LAN is AES encrypted;
7) there is no wireless access anywhere in the business, period.
Did AOL do *any* of this? Even one thing? I doubt it. Why would they? these aren't even standard practices except maybe at the NSA.
And that's just the AOL IT people. What do you then do with the marketing and sales folk? Presumably, they don't have the right kind of access to bulk data in the first place and/or cannot save data to storage that they can pull up in the normal course of work, but that's another policy to set up and more restrictions (ie, they cannot save files to their workstation, and cannot burn CDs, and cannot bring laptop computers home, etc.) And what if AOL decided to outsource customer support? What path does data take then?
All of this would kinda-sorta make sense when protecting things like source code where there are only a few that need access anyway, and there is no obvious reason for the code to leave the site. But in the case of customer account info, that's not restricted to development and the customers are dealing with very low level employees who need a broad kind of access to customer data to deal with customer issues.
I don't know if there are very many companies that would put their minimum wage earning sales and support drones (or their outsource suppliers) through that kind of security policy. And the marketing people would simply bite your head off at the very mention of leaving their laptop computers at work.
Reality: The only personal data that is safe is the data that is encrypted, then the passcode encrypted, then the passcode is lost, then the data is deleted, then the disk containing the data is formatted and overwritten with random bits, then the disk removed from the system and shredded, and then the small bits are randomly distributed over the surface of the sea. At night during a storm.
Failing all that...well don't expect your personal data to be private for any length of time so long as someone...anyone...the janitor...an intern...a poor working mother in Pakistan...can make a buck (exactly $1US) selling it.
=^..^= all your rodent are belong to us
i fail to see how this is much different than Airlines giving out passenger info.
AOL pays Employee for a service. AOL expects Employee will not give out sensitive info about themselves. Both agree to terms of employment, and money is exchanged.
Passenger pays Airlines for a service. Passenger expects Airlines will not give out sensitive info about themselves. Both agree to terms of employment, and money is exchanged.
How is this very different?
AIRLINES ARE THE EMPLOYEE OF PASSENGERS!
Troll, Troll, go away and flame again some other day
regardless of the first two....it's a damn good plan...but who watches who?
Pretty soon it'll be "You've got Male!"
Thank you for this day's serving of libertarian nonsense.
-josh
Not really. Mailing to AOL is a hit-or-miss thing. We run a lot of mailing lists (bands' fanlists, organiztions' newsletters, etc.) and about half of the time you have AOL addresses on a list they bounce it. And they don't *just* bounce it, they set up a slow-ass connection to your bounce server and time it out (clever idea actually).
So, if you were a spammer, AOL addresses would be of dubious use.
All's true that is mistrusted
http://www.kuro5hin.org/comments/2004/6/21/19280/4 046/24#24
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
But you can be sure that if a major company has your information, many employees that are making very little have access to that information.
::sniff::
At MCI, where I used to work, I would see the personal information including name, address, phone numbers, credit card numbers, birthdays, and email addresses of hundreds of customers a week. Not only that, but every employee was identified in the system by his or her SS#, and your SS# was stamped on every note you placed in the system.
I earned $8.47 (American) per hour, and the call center contractor had a less than rigorous screening process. I did have a pulse, so I was hired. I have more ethics than the company I worked for, and I would never do such a thing.
But you have to ask yourself, if a company is willing to hire employees for next to nothing, and hand these employees access to information that they can sell for 3 times what they earn in a year, how long untill the SS# you give the company is compromised?
Do not give truely sensitive information to companies. If they do not have legal authorization to demand a SS#, they are using it for identification purposes only. Give them a fake one.
On another note: Anyone want to hire an aspiring writer? Seriously, $8.47/hr is still better than the $0/hr I'm making now. Please!
Be strong!
I have been a member of CompuServe since before AOL bought them. Never got Spam from anyone. Never got mail from anyone I didn't know. One month after AOL bought CompuServe I started getting spam, and AOL started saying they never sold there customer lists. Someone has been lying for a while.
What exactly is the crime he's accused of? Taking customer lists from any other business would be actionable in civil court, ie he wouldn't be arrested. What value can they assess on a list of email addresses? Not that I'm defending this jackass. Frankly I'd like to meat [sic] up with him in a dark alley with an old Sun keyboard. Something from the original IPC would do nicely. I'm just curious what the actual criminal crime is that would cause him to be arrested, or if this is another company with $$$ getting the police to handle their civil affairs.
Mind you, the rules have changed today:
- Find someone with an itch they want to scratch
- Make sure they have integrity
- Turn 'em loose
Which can be summarized in 1 sentence: Only work with people you can trust completely, and do nothing to betray their trust in return.But, back to what the posers were saying. It's a balancing act. Each side watches the other. If you've ever worked as an outside consultant, you get used to that sort of dynamic VERY quickly.
Reminds me of one time I was consulting, and the prima donna head coder didn't believe that a query with millions of records would run fast enough on a 486 (this was about 10 years ago). Didn't understand that properly indexed searches scale nicely, instead of linearly.
So, I told everyone that I would prove it tomorrow. Went in after supper, dumped copies of all my code and data onto 2 machines (a server and his box), reformatted, re-installed, and wrote the code to generate my test database. Then went home to bed.
Of course, the next morning, idiot has already complained to management that I must be up to something fishy, because all my code is wiped from my machine (snoopy little snot), and they want to know why they should continue to trust me.
So, I explain that it's all sitting on the idiot's own box, as well as the server, because, remember, we're doing a test today, and I needed all the disk space I could find.
Oh, the reason I call him an idiot? He wanted to continue arguing about whether a query would execute fast enough, when it was easy enough to test. That's just plain stupid. But it's the sort of thing you have to learn to handle if you're going to do consulting :-)
That actually explains something that happened to me recently. I have an decade-old AOL screen name that I use only for obscure, identity-fuzzed postings, questionable registrations, etc. that I would never, ever have used with my actual address or telephone number. This year, I started getting mortgage spam on that quasi-anonymous account targeted to my real name and street address. That was hard to explain, unless someone inside gave out my data.
So we're not just talking about compromized AOL accounts here -- we're talking about accounts and the personal information tied to them. That's a *much* bigger crime, and a much bigger deal, and I hope AOL ruins this asshole's life as much as he deserves.
It's clear from reading them that this guy was not one of the brighter people at AOL.
The problem with your "new" way of doing business is (1) it isn't new and (2) it doesn't work now any more than it ever did.
Having an itch to scratch does nothing for the guy who's gambled his way under a mountain of debt and who goes from being completely trustworthy to being willing to steal from his best friend, to say nothing of his employer. That's not a hypothetical case; I'm thinking of a particular person with whom I worked about a decade ago. (Luckily for me, I wasn't one of his friends, so he didn't rip me off.) People change, and someone who's completely trustworthy today may not be five years from now. Worse, people are not always what they seem, and only observation over a very long term reveals them for what they are.
Who watches the watchers? I don't know -- but they need to be there in any org which handles things of value.
I work for a Fortune 500 company who is a supplier of information technology.
I was told that the entire company's list of email addresses was taken and sold by a sysadmin a few years ago.
Granted, this is not an ISP, and they are not millions, but still a lot of addresses, same cause.
2bits.com, Inc: Drupal, WordPress, and LAMP performance tuning.
...violation of 18 USC 1037, which was codified by, and is otherwise known as, the CAN-SPAM Act.
==========
Old saying - there are 3 types of people you can never trust:==========
Ever ask yourself why he wasn't your friend? You probably had a gut feeling about what he was really like. We had a discussion about this at work this morning, about someone who was fired recently for stealing, etc., who I never liked and never trusted. Just a gut reaction. How about you?==========
2 sets, they watch each other. Mutual distrust will keep everyone honest (just like mutually-assured destruction "MAD" kept us from blowing the world up).Just some thoughts.
The US Army is even making the videos that will be sold by them...
Slashdot, home of supporters of free software, free music, and free speech.Except for Moderators that disagree with you.
AOL can't really have 92 million subscribers, can it? Assuming almost all are in the US, that's almost a third of the population, virtually the entire number of people with any kind of email.
Seriously, anyone with an AOL account already feels like every spammer on the planet knows their screen name. What difference would it make?
How valuable would such a list be anyway? Every account has multiple screen names, and every conceivable permutation of names and common words has been taken. If there's one domain name-guessing probably works on, it's AOL.com.
That being said, lock him up and throw away the key, but be sure to also nail the sleazebags he worked with.
Good, I hope they get the max, both of them.
Grab yer torches and pitchforks!
A witty saying proves you are wittier than the next guy.
a guaranteed job is stupid
;-)
a political philosophy based on selfishness is stupid
show me the fallacy, numbnuts
life is more complicated than black and white
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
First, I am not a lawyer. This is a lay opinion only.
Second, I am not a particularly vengeful person, or at least I don't really want spammers to face the death penalty, castration, or other such suggested punishments.
Jason Smathers has been charged with theft and fired by AOL. I'm assuming the actual charge is something like felony grand theft, and that the amount his co-conspirator got for the lists will be all the proof AOL will need to offer for a grand jury to agree with that charge.
According to the article, he also used another employee's ID in the act. That's probably either a separate charge or at least an aggrevating factor to the first charge. Among lots of other effects, this employee probably has standing to sue both men and a fair chance of winning, regardless of whether AOL does (with "winning" limited by the condition that they must somehow have forfitable assets after their prosecution).
It also looks like there was possibly more than one actual theft, as the article mentions the men either actually obtaining or conspiring to obtain an updated version of the list, which would imply an older version also existed in their posession. One or both men may have made fraudulent promises to a person or persons who bought the list, representing it as legally obtained.
So, Smathers could well be inditeable with three or more felonies (three strikes rules may apply), and it's possible with multiple persons accused that the whole thing could fall under RICO, either of which could easily make the overall sentence 30 years or more. Even with the usual time off for good behavior type clauses, that means serving a good solid 18 years or so.
AOL probably wants the whole thing to go away. Since they can't really get that, the next best thing is to get seriously Neolithic on his ass, and hope it has a deterrent effect.
Who is John Cabal?
Seriously, I think it's time we all banded together. There's got to be a /.'er in just about every geographical location on earth, so I say we set up a site to report spammers, get a few volunteers to track them down (electronically) and get who ever lives closest to break into the place with base ball bats.
And NO this isn't sarcasm or a joke.
VENI, VIDI, VICI, DIXI
I worked at one of Canada's largest ISPs, as a customer service rep, but had direct SQL access to the database. What happened was, they got me to help out with the intranet. I came across some code that connected directly to the user database (which was Oracle) and did a "SELECT FROM" query from it. Sure enough, the username and password it used had full permission to the database. I would have had no difficulty doing a "DELETE FROM" statement, let alone a "SELECT username FROM" statement. For some reason I never used this for personal profit. Then again we already knew I was foolhardy, I was coding for their intranet at a Customer Service Rep wage...
- Allen Pike
Altering time, one time at a time.
Oops, that's right - they have no security system. That's why some idiot can swipe 92meg of users
What would you suggest instead? A system nobody can access? Oops, looks like we lost a hard drive . . . but nobody's allowed to access the system to replace it, so I guess we're SOL!
No matter how much security you implement, if you want a tool to be useful you have to at some point trust the people who were using it. Given that the guy who sold the user list was (according to the article) a software engineer, I'd say it's pretty likely he had access to the raw database, even if the front-line people didn't. There is no security system that completely eliminates the possibility of malicious abuse.
Now, I have no idea how AOL's system is set up--maybe they don't have any security at all, and if that's the case they definitely ought to be fined up the ass. But if they were making good efforts to avoid problems like this, they shouldn't take the blame for one unethical employee.
Fired... out of a cannon... into the sun.
"If anything can go wrong, it will." - Murphy
Um, a large proportion of people in jail are not convicted; they are on remand.
This proportion rises to 100% when you look at Guantanamo bay.
Regardless of the who the owner of this site is, he's got the coolest web portal access statistics page I've seen. Interesting to see that Netscape still has around 35% of the market vs. IE at 45%.
Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
Read the Complaint filed by the Secret Service agent. Posted over at Smoking Gun, it's fascinating and shows how Smathers pointed the finger right at himself: when he did a test retrieve, logged of course by AOL, he retrieved just one, incriminating account from the millions there: his own.
.
He also e-mailed himself logs of his IM conversations with the buyer, which his AOL laptop stored away, to wit:
"I think I found the member database . . . Just need to figure out how to get the SNs [screen names] it is spread over like 30 computers . .
OK, I got it figured out . . . there are going to be millions of them so, will take time to extract I will do them a chunk at a time . . . "
Most interestingly, the government isn't just charging him with theft; it's also charging him with conspiracy to spam, under the so-called Can-Spam Act enacted late last year.
And what makes you think those 5 million verified addresses for $300 are anything but utter bullshit? You're trusting a spammer's word that those addresses were valid at some point in the last 20 years, which is neither relevant to current affairs, nor necessarily true.
There are two types of email lists with VERY different pricing schemes: the garbage ones that spammers sell to suckers (worthless, which is why they sell 'em for "only" $300), and the ones they sell to each other. This list is at the very top of the heap of the second category.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
But then, obviously I'm a socialist because I live in Europe and we have laws to protect the weak against the strong.
To have a right to do a thing is not at all the same as to be right in doing it
I use a unique email address for all online vendors. The one I used for ftd.com is being spammed by what appears to be a single spammer. I've been unable to convince FTD that this is a security issue.
He was the only person with an AOL screen name NOT receiving spam...
"Computer Scientists can count to 1024 on their fingers" (non-mutant, non-mutilatated, human computer scientists)
Wow, what's his boss's name, Monty bournes?
boycott slashdot February 10th - 17th check out: altSlashdot.org
Mr. Burns must be really disappointed.
Just as Lenin said: trust is good, control is better.
No sig today.
"Smathered" is now an official net-term. I will begin using it as soon as context allows.
I am very small, utmostly microscopic.
A few weeks ago I came across about 30 old 5 1/4" floppies.
I hooked up an old drive to see what was up and low and behold it worked and on the disks (that could still be read) was vital stats on about 85,000 people - meaning name, SS#, address, health insurance policy numbers, ect. All good, all verified assuming the individual was still alive and hadn't moved.
This was left over from when I worked at an insurance company in 1992: a migration from a THEN ancient mini to a PC based system. There that data was sitting in my basement for 12 years (and I have moved twice since then!)
Being an honest man, out came the scissors... but the ID theft possibilities were really astounding.
How much old data like this is just sitting around on forgotten tapes and disks?
If I were to set up an huge ID theft ring this is the sort of stuff I would look for. Good data, but old. Not in any current database, absolutely no audit trail, individuals have since moved around and changed employers obliterating any or most chance of establishing a pattern to the thefts. Best of all, not only are there no access logs, but the organization wouldn't even miss the old media and if they do someone could just claim that it was thrown out months ago.
Mildly disturbing - but less so than the thought of a dirty bomb I suppose.
I am very small, utmostly microscopic.
I like at-will employment. It makes sense.
I can't be fired for retaliatory or discriminatory reasons. But I can walk away at any time I choose, while my employer has the right to ask me to leave at any time they choose, provided they have legitimate cause. The definition of legitimate cause excludes retaliation, discrimination, refusal of a lie detector test, alien status, complaining about OSHA violations, and violation of public policy. In addition, if your employer has made any sort of promise (verbal or written) regarding your future employment, they may well be held to an implied contract, which requires something called "good cause" to fire you.
See, I'm okay with this. Generally I look at it like this - if I do a good job, I won't get fired for no reason. If I get fired for no reason, then it was probably a job with management I didn't want to work for anyway.
I like social welfare programs in general, but I also don't feel legislation should be used to solve something that's self-regulating - companies that abuse at-will firing procedures tend to have trouble attracting competent employees, once word gets out of their bad habits.
---
Mod me down, you fucking twits. Go ahead. I dare you.
(I read with sigs off.)
First, jail != prison. Second, to be remanded to custody you must usually be (Gitmo is different, and I'm not going to address it because it has nothing to do with my original point):
1) Arrested (taken into custody)
2a) Indicted, or in the process of being indicted.
2b) A material witness with a risk of flight.
2c) A material witness requiring protection.
3) Convicted for a minor offense (punishment of less than one years confinement is generally served in a jail setting rather than a prison)
b and c are slight exceptions, but you can't be put into jail in the US for more than a short span of time unless you are being charged with a crime.
Third, a large proportion? Not in prison. Anyone in prison was convicted and sentenced. You can be in jail without being convicted, but if you are, you're generally in categories 1-3 above.
Again, leave Gitmo out of it. Gitmo doesn't reflect US law for the most part.
---
Mod me down, you fucking twits. Go ahead. I dare you.
(I read with sigs off.)
and his AOL work computer
Apparently once he had access he first tried to get everything, but the queries results were too large for things to succeed! Then he queried a single AOL account, his own!
After that he came back two weeks later with the scheme of trying all the accounts that start with A, then all the accounts that start with B and so on...
Even more fun was that he was apparently doing this all from his AOL company laptop via a nice VPN from his home. He didn't even have to go into the office to steal...
Probing further...
Since court papers give out his AOL employee email, JasonS2e@aol.com, we can find out via Google Groups, that Mr. Smathers was busy using the Internet to:
In any case, selling >90 million customer records to spammers is not a minor incident. You'd get fired even if you had been elected the employee of the year just a week before. Unless you could convince your employer of your innocence.
I love C++
But 1) They fucked up the code. 2) Milton didn't get caught.
you used ie?!?!
This message brought to you by Jack Schitt's Previously Shat Shit
OK, I am not familiar with the distinction you make between a prison and a jail. IIRC In the UK people get transferred from a police cell (at the local cop shop) to a prison within 48 hours, long before any trial.
Being charged with a crime does not necessarily mean you are guilty. I hear that in Japan nearly all cases brought to trial result in a guilty verdict, but I thought that a significant proportion of US defendants were found to be not guilty, like in the UK. Perhaps I am wrong there.
OTOH, if as you say trials are speedy in the US once charged, that is certainly better than in the UK where people can wait for 6 months in prison before trial (often the same prisons as for convicts, but with slightly different privileges - some guilty prisoners prefer to delay the trial for that reason, but anyone protesting their innocence has less luck).
"You Got Nailed!"
"Insert Sig Here"
Prisons are long term facilities; everyone in a prison has been convicted of a felony crime. They aren't used as holding cells for people who haven't been convicted, and are nearly never occupied by prisoners with sentences under a year. Also, they are always seperate facilities. A jail can be a seperate facility, but is just as often attached to a courthouse, sheriff's building, or other law enforcement institution. Drunk tanks and the like are always in jails, as are the cells used for most prisoners who have been arrested but not yet convicted. Its rare for someone to be in jail for more than a year; generally jails are used for misdemeanor and minor felony convictions, those lasting under a year's sentence. Basically, get busted with a joint, go to jail, get busted for selling pounds, go to prison after the trial.
A significant proportion of US defendants are found to be not guilty. However, the government balances the probability of innocence against the risk of a guilty party fleeing. This is where the institution of allowing bail came from; in theory, if someone has assets on the line that will be seized if they run, they're less likely to try to avoid trial. If someone is deemed a significant enough flight risk, they're denied bail altogether. But most people have relatively minor bails set, their bond is posted and they go home while the trial is occurring. Bail is set at the arraignment, which is nearly always within a few days of arrest.
I never said US trials are speedy. They aren't. The 72 hour rule I referred to refers to arraignments; they can arrest you and hold you, but if they aren't going to charge you with a crime, they have to let you go relatively soon. However, a good portion of US defendants are out on bail during their trials, living their lives relatively normally. You want a high profile example? Look at Kobe Bryant. He's in the middle of a rape trial and still found the time to go lose an NBA championship.
---
Mod me down, you fucking twits. Go ahead. I dare you.
(I read with sigs off.)