Slashdot Mirror
AOL Employee Arrested in Spam Scheme
LostCluster writes "The AP, Reuters, and AOL's own CNN/Money are all reporting that AOL employee Jason Smathers has been arrested and accused of taking a list of 92 million screennames from the internal AOL system, and selling it to another man, who allegedly used it 'to promote his own Internet gambling business and also sold the list to other spammers for $52,000'. Not surprisingly, Smathers has been fired."
"You've Got Spam!"
That they didn't pay more for the list. I mean, the names of 92 million really clueless people who think AOL is "that thar interweb" would probably buy V1@GR@ by the case. Jesus, it would be a spammer's wet dream!
And $25,000 seems a tad...low.
A blog like any other.
You've Got Jail!
"BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
Aren't we supposed to wait for someone to be found guilty before punishing them?
Now imagine how much personal info is being sold overseas from outsourced companies.
You would think there would be limitations on HOW an employee could access such a large database. I mean, does AOL throw out CDs with conveniently formatted lists of all the screen names of its customers?
All they did was just fire him?!?!?!? He should have sent to prison for 25 years too!
Red Bull gave me wings and I flew into the ceiling fan.
..didn't a bunch of airlines admit to (basically) the same thing? no arrests there..
--BlueLines "The cost of living hasn't affected it's popularity." -anonymous
with large, easily searched and copied databases of highly consolidated private data.
The primary issue to be feared is not that someone who isn't trusted with the data will get ahold of it, but that someone who is trusted with the data will turn out to be untrustworthy.
The same goes for backdoors. I'm not half so worried about some script kiddie hacking my router as I am some employee/former employee of Cisco simply walking right in.
KFG
Hi.
I'm the government. I can't do anything prison-like or fine-like to you without convicting you first.
Hi.
I'm your employer. Unless you have a contract stating otherwise, odds are you're an at-will employee, which means *I can fire you for just about any reason I want*.
---
Mod me down, you fucking twits. Go ahead. I dare you.
(I read with sigs off.)
It's well known that you can invent "unguessable" accounts at hotmail, e.g. rmgdrduckk5arp@hotmail.com, and never join any mailing list or submit your name to any website or allow MSN to list you in the Hotmail User Directory, and yet within a few days or weeks your account will miraculously begin receiving offers from mail order brides, pills, porn, and so on. I've long suspected that someone working for Hotmail is making money on the side by downloading the user list once a week and selling it to spammers. Which is why my hotmail accounts have lapsed and I mainly use my yahoo or Gmail accounts.
Hollywood, Television, has become the dream machine. We need to take that back; each of us is a Dream Machine
I say make him answer AOL tech support phone calls. He'll beg for jail time after about a week.
... each one of those 92 million victims should be allowed to kick him in the nuts.
% wc -l /etc/passwd /etc/passwd
184533
More details about the scheme are available at CBS Marketwatch.
News just in :
In response to this 99% of AOL members surveyed who recieved the e-mail clicked on the link and frittered many dollars away at the casino making spam profitable and so continuing the downward spiral of e-mail.
One user replied saying : "I trust AOL so much when it comes to spam, they always send me the top dollar stuff like penis enlargement pills and always ask me to change my password on non secure sites and ask for my credit card as my account has been hacked. They care so much"
Is that it will be quickly followed by.
Welcome!
"You've got Bail!"
Slashdot, home of supporters of free software, free music, and free speech.Except for Moderators that disagree with you.
What worries me is that there could easily be many more employees doing this - not just at AOL, but at other ISPs as well. However, I'm willing to bet that AOL isn't going to hunt for any other people like this doing it. Unless they're made aware of other inside jobs of this, they'll probably stay happily oblivious to anyone else wanting to make a fast buck.
And tomorrow the stock exchange will be the human race
Okay the guy has been arrested and fired, but what about those names already sold to spammers?
In the article AOL didn't seem to mention what they are doing to protect the victims, except "they are thoroughly reviewing and strengthening our internal procedures".
Is this good enough? Sometimes you can punish the offender enough to compensate the victims.
Rock that crushes, Paper & Scissors that don't matter.
An interesting way to look at this is consider the age of the people involved. The engineer was 24 and the Casino guy was 21. IT, notorious for age discrimination in favor of young, brighteyed types, may actually be introducing a greater security risk with the practice.
I remember when I was in my early 20s and lets just say I didn't have a lot to lose... and everything to gain from taking a chance here and there. By placing less mature workers into places where personal ethics and great responsibility collide, you're asking for issues just like this.
I don't mean in indict all younger workers. Certainly most are good employees; I've hired many younger people without trouble. But as a percentage of population, the younger I expect to make more 'mistakes' both simple errors and errors in judgment.
My two bits...
SCB
soundclip
HIV Crosses Species Barrier... into Muppets
i've created hotmail accounts with crypto-hard random usernames, not listed anywhere, and almost immediately started receiving spam to them.
it seems to really only happen on new accounts though. old hotmail accounts dont seem to get spam, if you dont publish them anywhere.
it's entirely possible someone has recently (within the last few years) backdoored hotmail's account creation system to notify them of new accounts, which would explain why old accounts dont get any spam.
The article says he's a software engineer at AOL with inside knowledge of their computer systems. It doesn't say that he was directly responsible for the customer database systems, but even if not, it can't be that hard to dump the names out. Any sysadmin is in a position of great trust. They could walk off with all your data on their servers, but they're trusted not to.
You have the list with 92 million screennames? Ex----cellent, Smathers.
Blogging Weight Loss, Distance Education, and more at verlin.com
Damn Cruel and Unusual clause will stop it. I mean somethings are just too inhumane. He's ONLY a spammer....
Slashdot, home of supporters of free software, free music, and free speech.Except for Moderators that disagree with you.
This AOL employee only made $0.0005652174 per e-mail address he sold. Is that anywhere near the fair market list for e-mail lists? Seems a bit low, but then again IANAS (I am not a spammer).
"There is no spoon." - The Matrix
Smathers! Bring me the list of AOL subscribers!
*taps fingers expectantly*
Excellent...
I didn't say there was anything wrong with it.
I'd love a world where I had a guaranteed job, but just like everyone else, I work for mine. I was just explaining the difference to the original poster between "innocent before proven guilty" and "we can fire you if we damn well want to."
---
Mod me down, you fucking twits. Go ahead. I dare you.
(I read with sigs off.)
Based on a recent e-mail offering 5 million verified addresses for $300, the value of a single address should be 6 thousandths of a cent. The guy who paid $25,000 is the one who got ripped off- proper value of 92 million verified e-mail addresses at 6 thousandths of a cent per name is $5,520.....
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
Reception of stolen property? Industrial Espionage? Violation of consumer privacy? anti-spam laws?
This case presents an interesting opportunty. If some of those 92 million names were faked, AOL-internal-only addresses (i.e., no outsider ever had them or ever could have them) then anyone caught using or selling them is guilty of accepting or selling stolen property. Any email arriving to a never-released, but stolen name would let AOL and authorities track the spammer network and subpeona spam-using e-commerce sites to reveal the identity of marketing affiliates.
Two wrongs don't make a right, but three lefts do.
no big deal, your submition will show up as a dup tomorrow
And there are no closed union shops in Virginia - you want to work somewhere, the company wants to hire you - no one can force to you join a union. Heck, even on the Washington Redskins - which is legally a Virginia company - players tend not to pay NFLPA union dues....
About the only useful info a cracker would find in /etc/password is usernames, and if he can see that file to begin with, he's already got a login.
Yeah, and a huge list of email addresses. In the case of the grandparent, about 183,000.
a company that can't fire people at will is a company that will be burdened by excessive, redundant and unnecessary employees, and will cease to be efficient or make money
hey, leave those poor public servants alone!
When they came for the communists, I said "He's next door. Take him away. Goddam commies."
If I understand correctly, California has a law that requires a company to contact each customer that was affected by disclosure of information due to a security problem. I wonder what that'll cost AOL.
I'm also interested if the spammers the casino guy resold the list(s) to will also be prosecuted for purchasing stolen goods. At a minimum, they should be publicly identified.
92 million verified AOL email addresses, well, that's pure gold. You know if they're an AOL subscriber, they're a sucker anyway...
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
You'd be surprised how many people don't even know that's an option. Remember these people are using AOL, they think it IS the internet.
If you build it, nerds will come. Soylentnews.org
Mr. Burns ...
...
...
...
...
Hmmmmm, mmmmm! "SMATHERS!!!! YOU FIRED!"
Smithers
Emmm, "That's Smithers, Mr. Burns"
Mr. Burns
Hmmm. "Smithers - Smathers, whatever your reeaaaal name is, hmmmm - GET OUT."
Smithers
"But Mr. Burns!"
Mr. Burns
"OUT, OUT, OUT, I say - and no dilly-dallying, scoot, scoot."
~hylas
The complaint further charges that Dunaway later paid Smathers $100,000 for an updated version of AOL's customer list.
Huh!!
've been thinking all these days that only OS updates cost big money
What spam do you want to get today !?
They can prosecute this guy, and everyone he sold the list to, and everyone they sold the list to, and so on, nine ways from Sunday - won't make any difference for the spammed masses now that the list is out. Nor will AOL's privacy policy (or whatever goes for it over there). The safeguards that are in place are (and always will be) inadequate against a motivated individual who doesn't understand consequences of his/her actions, or doesn't give a whistle about them, or both. AOL? MSN? Yahoo? Ne-ext!
I can assure you, the best way to get rid of dragons is to have one of your own.
Now, what part of AOL's security system failed?
Oops, that's right - they have no security system. That's why some idiot can swipe 92meg of users and sell them to some other idiot who wants to spam us with his own (did I say these guys were idiots?) gambling scheme and then resell the 92meg of users to the other vile spammers.
AOL can't be let off the hook. They had a duty to protect the user base as certainly as every one of us has a duty not to leave loaded guns where 5 year-olds can play with them. This is a clear example of AOL permitting a dangerous instrumentality to fall into the hands of the incompetent.
BUT, we should also tell Ashcroft that the two idiots are "the terrorists' friends" and let Ashcroft make them disappear (along with their families, friends and dogs).
Every situation is unique, and sometimes different situations require different actions. You see the simularities between two situations, and your opinion is that differences are nonconsequential, but that doesn't mean the other person thinks they same way. They might think that the differences are very important and the simularities are nonconsequential. That doesn't mean that they have a double standard or are hypocritical, it just means that they put different value on the various aspects of the situations than you.
:)
It's just like the Kerry is a waffler fallacy. Votes for PATRIOT act, then when he actually gets to read it, changes his mind. Does not vote for iraq funding, but latter does when the source of the funding is changed. To a conservative pundit, there is not concievable reason not to support things go towards "national security", but Kerry disagreed. The same way a libertarian can't think of any reason to give up privacy, but the conservatives think that that it is sometimes necesarry. That does not mean that they are hypocrites, it means they see things differently than you.
Even if they are wrong
smather (verb) To have personal information sold to advertisers without your consent or knowledge.
"Man, I just got this new Hotmail account, but in less than an hour, it's been smathered!"
[DISCLAIMER: This post is a work of satire and should not be misconstrued as a holy text upon which to base a religion.]
Comment removed based on user account deletion
related?
check the forum
[ No prescription needed ]
here in san jose I spend 100% of my pay check on rent, car insurance (good driver), car payment (commuter), phone bill (rarely talk on it), and food (ramen, milk, and eggs).
If you offered me $52,000 for a list of emails or names and info from my work i'd take itin an instance. I may get fired and sued but hay with that I could afford to move out of this shit whole and be over seas with my family tomorrow.
In keeping with the first item with your list, I would advise giving all the money you're spending on consultants who give you three sentence recommendations and give it to the people who actually have to work for a living.
would 5 years in prison make it easier to say no?
Smathers' spam scheme skimmed screennames? A shocking scam.
Crhis Mattern
Section 1037(a)(2), (b)(2)(C), and (b)(2)(E) of Title 18 of the USC, at least according to these court documents.
Degaussing scares the bad magnetism out of the monitor and fills it with good karma.
Former AOL employee Smathers sold the initial list for an unmentioned amount to Dunaway (the spammer) then Smathers sold an updated list to Dunaway for $100,000. Dunaway sold lists to other spammers for $52,000.
Smathers & Dunaway to AOL members: "All your screenname are belong to us!"
I expect something like this happened at eBay a while back. I changed my email address for eBay to a new mailbox. A few weeks later someone spammed it offering to sell lists of eBay members. Then spam followed, usually from phishers.
A feeling of having made the same mistake before: Deja Foobar
Of all the ills you could accuse AOL of -- lowering the signal-to-noise ratio of the Internet, filling our landfills with CDs -- there is absolutely no evidence that AOL use causes erectile dysfunction ... ... you insensitive clod!
Hack Your Way to Hollywood
You know, the word "hack" above really bothers me.
So AOL lost control of their list. Bah. They never had control. It was only a matter of time, and now that spam is becoming big business now was the time. The only way to manage these things correctly regarding the IT team would have been:
1) Restrict mobile/personal storage and technology within the IT core;
2) search employees entering and leaving the IT facilities for CDs, storage dongles, smart cards, USB-enabled watches and lapel pins, MP3 players, laptop computers, palmtop devices, etc;
3) workstations used by developers have no Internet access whatever;
4) no public/personal email access from developer workstations;
5) the firewalls and other IT are managed by people who never come into contact with someone who themselves has access to data, and IT people have no access to data themselves;
6) all data traversing the LAN is AES encrypted;
7) there is no wireless access anywhere in the business, period.
Did AOL do *any* of this? Even one thing? I doubt it. Why would they? these aren't even standard practices except maybe at the NSA.
And that's just the AOL IT people. What do you then do with the marketing and sales folk? Presumably, they don't have the right kind of access to bulk data in the first place and/or cannot save data to storage that they can pull up in the normal course of work, but that's another policy to set up and more restrictions (ie, they cannot save files to their workstation, and cannot burn CDs, and cannot bring laptop computers home, etc.) And what if AOL decided to outsource customer support? What path does data take then?
All of this would kinda-sorta make sense when protecting things like source code where there are only a few that need access anyway, and there is no obvious reason for the code to leave the site. But in the case of customer account info, that's not restricted to development and the customers are dealing with very low level employees who need a broad kind of access to customer data to deal with customer issues.
I don't know if there are very many companies that would put their minimum wage earning sales and support drones (or their outsource suppliers) through that kind of security policy. And the marketing people would simply bite your head off at the very mention of leaving their laptop computers at work.
Reality: The only personal data that is safe is the data that is encrypted, then the passcode encrypted, then the passcode is lost, then the data is deleted, then the disk containing the data is formatted and overwritten with random bits, then the disk removed from the system and shredded, and then the small bits are randomly distributed over the surface of the sea. At night during a storm.
Failing all that...well don't expect your personal data to be private for any length of time so long as someone...anyone...the janitor...an intern...a poor working mother in Pakistan...can make a buck (exactly $1US) selling it.
=^..^= all your rodent are belong to us
Not really. Mailing to AOL is a hit-or-miss thing. We run a lot of mailing lists (bands' fanlists, organiztions' newsletters, etc.) and about half of the time you have AOL addresses on a list they bounce it. And they don't *just* bounce it, they set up a slow-ass connection to your bounce server and time it out (clever idea actually).
So, if you were a spammer, AOL addresses would be of dubious use.
All's true that is mistrusted
But you can be sure that if a major company has your information, many employees that are making very little have access to that information.
::sniff::
At MCI, where I used to work, I would see the personal information including name, address, phone numbers, credit card numbers, birthdays, and email addresses of hundreds of customers a week. Not only that, but every employee was identified in the system by his or her SS#, and your SS# was stamped on every note you placed in the system.
I earned $8.47 (American) per hour, and the call center contractor had a less than rigorous screening process. I did have a pulse, so I was hired. I have more ethics than the company I worked for, and I would never do such a thing.
But you have to ask yourself, if a company is willing to hire employees for next to nothing, and hand these employees access to information that they can sell for 3 times what they earn in a year, how long untill the SS# you give the company is compromised?
Do not give truely sensitive information to companies. If they do not have legal authorization to demand a SS#, they are using it for identification purposes only. Give them a fake one.
On another note: Anyone want to hire an aspiring writer? Seriously, $8.47/hr is still better than the $0/hr I'm making now. Please!
Be strong!
What exactly is the crime he's accused of? Taking customer lists from any other business would be actionable in civil court, ie he wouldn't be arrested. What value can they assess on a list of email addresses? Not that I'm defending this jackass. Frankly I'd like to meat [sic] up with him in a dark alley with an old Sun keyboard. Something from the original IPC would do nicely. I'm just curious what the actual criminal crime is that would cause him to be arrested, or if this is another company with $$$ getting the police to handle their civil affairs.
Mind you, the rules have changed today:
- Find someone with an itch they want to scratch
- Make sure they have integrity
- Turn 'em loose
Which can be summarized in 1 sentence: Only work with people you can trust completely, and do nothing to betray their trust in return.But, back to what the posers were saying. It's a balancing act. Each side watches the other. If you've ever worked as an outside consultant, you get used to that sort of dynamic VERY quickly.
Reminds me of one time I was consulting, and the prima donna head coder didn't believe that a query with millions of records would run fast enough on a 486 (this was about 10 years ago). Didn't understand that properly indexed searches scale nicely, instead of linearly.
So, I told everyone that I would prove it tomorrow. Went in after supper, dumped copies of all my code and data onto 2 machines (a server and his box), reformatted, re-installed, and wrote the code to generate my test database. Then went home to bed.
Of course, the next morning, idiot has already complained to management that I must be up to something fishy, because all my code is wiped from my machine (snoopy little snot), and they want to know why they should continue to trust me.
So, I explain that it's all sitting on the idiot's own box, as well as the server, because, remember, we're doing a test today, and I needed all the disk space I could find.
Oh, the reason I call him an idiot? He wanted to continue arguing about whether a query would execute fast enough, when it was easy enough to test. That's just plain stupid. But it's the sort of thing you have to learn to handle if you're going to do consulting :-)
It's clear from reading them that this guy was not one of the brighter people at AOL.
The problem with your "new" way of doing business is (1) it isn't new and (2) it doesn't work now any more than it ever did.
Having an itch to scratch does nothing for the guy who's gambled his way under a mountain of debt and who goes from being completely trustworthy to being willing to steal from his best friend, to say nothing of his employer. That's not a hypothetical case; I'm thinking of a particular person with whom I worked about a decade ago. (Luckily for me, I wasn't one of his friends, so he didn't rip me off.) People change, and someone who's completely trustworthy today may not be five years from now. Worse, people are not always what they seem, and only observation over a very long term reveals them for what they are.
Who watches the watchers? I don't know -- but they need to be there in any org which handles things of value.
It's 92 million screen names, and many people may have more than one screen name, especially for AIM, etc., so it wouldn't actually be 92 million people.
First, I am not a lawyer. This is a lay opinion only.
Second, I am not a particularly vengeful person, or at least I don't really want spammers to face the death penalty, castration, or other such suggested punishments.
Jason Smathers has been charged with theft and fired by AOL. I'm assuming the actual charge is something like felony grand theft, and that the amount his co-conspirator got for the lists will be all the proof AOL will need to offer for a grand jury to agree with that charge.
According to the article, he also used another employee's ID in the act. That's probably either a separate charge or at least an aggrevating factor to the first charge. Among lots of other effects, this employee probably has standing to sue both men and a fair chance of winning, regardless of whether AOL does (with "winning" limited by the condition that they must somehow have forfitable assets after their prosecution).
It also looks like there was possibly more than one actual theft, as the article mentions the men either actually obtaining or conspiring to obtain an updated version of the list, which would imply an older version also existed in their posession. One or both men may have made fraudulent promises to a person or persons who bought the list, representing it as legally obtained.
So, Smathers could well be inditeable with three or more felonies (three strikes rules may apply), and it's possible with multiple persons accused that the whole thing could fall under RICO, either of which could easily make the overall sentence 30 years or more. Even with the usual time off for good behavior type clauses, that means serving a good solid 18 years or so.
AOL probably wants the whole thing to go away. Since they can't really get that, the next best thing is to get seriously Neolithic on his ass, and hope it has a deterrent effect.
Who is John Cabal?
Um, a large proportion of people in jail are not convicted; they are on remand.
This proportion rises to 100% when you look at Guantanamo bay.
Read the Complaint filed by the Secret Service agent. Posted over at Smoking Gun, it's fascinating and shows how Smathers pointed the finger right at himself: when he did a test retrieve, logged of course by AOL, he retrieved just one, incriminating account from the millions there: his own.
.
He also e-mailed himself logs of his IM conversations with the buyer, which his AOL laptop stored away, to wit:
"I think I found the member database . . . Just need to figure out how to get the SNs [screen names] it is spread over like 30 computers . .
OK, I got it figured out . . . there are going to be millions of them so, will take time to extract I will do them a chunk at a time . . . "
Most interestingly, the government isn't just charging him with theft; it's also charging him with conspiracy to spam, under the so-called Can-Spam Act enacted late last year.
A few weeks ago I came across about 30 old 5 1/4" floppies.
I hooked up an old drive to see what was up and low and behold it worked and on the disks (that could still be read) was vital stats on about 85,000 people - meaning name, SS#, address, health insurance policy numbers, ect. All good, all verified assuming the individual was still alive and hadn't moved.
This was left over from when I worked at an insurance company in 1992: a migration from a THEN ancient mini to a PC based system. There that data was sitting in my basement for 12 years (and I have moved twice since then!)
Being an honest man, out came the scissors... but the ID theft possibilities were really astounding.
How much old data like this is just sitting around on forgotten tapes and disks?
If I were to set up an huge ID theft ring this is the sort of stuff I would look for. Good data, but old. Not in any current database, absolutely no audit trail, individuals have since moved around and changed employers obliterating any or most chance of establishing a pattern to the thefts. Best of all, not only are there no access logs, but the organization wouldn't even miss the old media and if they do someone could just claim that it was thrown out months ago.
Mildly disturbing - but less so than the thought of a dirty bomb I suppose.
I am very small, utmostly microscopic.
In any case, selling >90 million customer records to spammers is not a minor incident. You'd get fired even if you had been elected the employee of the year just a week before. Unless you could convince your employer of your innocence.
I love C++