Slashdot Mirror
Google Search Convicts Hacker
An anonymous reader writes "Google search terms have helped convict a wireless hacker. The queries the hacker performed were introduced into evidence at court, where Matthew Schuster was charged with disrupting his former employer's wireless network and imitating other users' MAC addresses to obtain access. From the article: 'Court documents are ambiguous and don't reveal how the FBI discovered his search terms. That could have happened in one of three ways: an analysis of his browser's history and cache; an Alpha employee monitoring the company's wireless connection; or a subpoena to Google from the police for search terms tied to his Internet address or cookie. Google has confirmed that it can provide search terms if given an Internet address or Web cookie, but has steadfastly refused to say how often such requests arrive.'
No, they'll just give it all away anyway.
But when Google does it, it can only be for the common good, right? A malicious Hax0r gets put away??
Let's look at Google's privacy policy, shall we?
Information sharing
Google only shares personal information with other companies or individuals outside of Google in the following limited circumstances:
* We have your consent. We require opt-in consent for the sharing of any sensitive personal information.
* We provide such information to our subsidiaries, affiliated companies or other trusted businesses or persons for the purpose of processing personal information on our behalf. We require that these parties agree to process such information based on our instructions and in compliance with this Policy and any other appropriate confidentiality and security measures.
* We have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or enforceable governmental request, (b) enforce applicable Terms of Service, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against imminent harm to the rights, property or safety of Google, its users or the public as required or permitted by law.
That's a pretty broad policy. *ANY* applicable law, regulation, legal process or enforeable governmental request. That leaves the door pretty wide open for the Chinese government to start asking for the query strings of their citizens to me.
I think the answer is clear, if you need to see webpages and want NO trace of you - you have to compromise a machine, surf via a proxy you set up in it, and then timebomb the drive to wipe itself after you are done. And even then you may get caught, if there are firewall logs.
Let's look at a leading company that does web proxy policy:
DISCLOSURE
All use of our site is confidential. We disclose user information only as provided for herein and when we believe that the law requires it, or when disclosure is necessary to identify, contact or bring legal action against someone who may be causing injury to others or interfering with Proxify's rights or property.
In the event of an assignment, sale, joint venture, or other transfer or disposition of some or all of the assets of Proxify, you agree that we can accordingly assign, sell, license or transfer any information that our users have provided to us. Please note, however, that the purchasing party cannot use the personal information you have submitted to us under this Privacy Policy in a manner that is materially inconsistent with this Privacy Policy without your prior consent.
That pretty much says: hey, we have your web surfing logs and we'll give em up if we have to. We don't want to, and we'll destroy logs after 30 days (it says that elsewhere in the policy) but dammit, if they bend us over and lube us up - we're gonna damn well hand it over rather than taking one for the team, so to speak.
I wonder: Is there a way to conceal IP addresses and MAC addresses? What about slashdot? Are we being monitored? You see, I have posted what has been regarded as "flambait" a number of times.
Yet another reason to create a web user, copy in your bookmarks, do your online reading and can that user!
Yes Francis, the world has gone crazy.
I am no hacker and I do use google for many searches that I would not like to be a public information. Let us come clean, how many of us have not searched for a mp3 we liked a lot, or p0rn, or how to bypass company firewall?
The first thing he should have done is to delete Cache, browse anonymously, and FOR GOD'S SAKE, not be logged into google (which is integrated everywhere), or delete search history, or delete all cookies!
I know because I have suffered from this kind of stupidity, and in the end, I was unable to blame anyone.
Google has confirmed that it can provide search terms if given an Internet address or Web cookie, but has steadfastly refused to say how often such requests arrive.'
Or your Google Account search history if you remained logged in after you use GMail (or any of their other services).
I hope nobody ever finds a reason to check my search records, I already know I can never become a politician.
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
Because Google can say ANYTHING it wants about you and people/police/FBI/government/corporations/your_emp loyer/etc will believe them without an OPEN REVIEW of how they obtain, generate, and store that information.
Is the information faulty? Did someone munge with the data? Were Google's databases corrupt? Was the data recreated or generated from other data? Has Google's spy software been through open source review? How well was Google's software tested?
It continually astounds me how intellectually lazy Americans have become! It continually astounds me how the American people are willing to look the other way when it comes to their liberty and civil rights being encroached on!
THINK FOR ONCE PEOPLE!
So it's not clear that Google had anything to do with this, and aside from the search terms, other evidence also pointed to his crimes. I'm pretty sure you've overreacted.
I'm not too surprised, though. A story like this (and realistically, the entire YRO section) is pretty much intended to rile the tin-foil hat crowd. Good thing for me that I'm entertained by it.
Slashdot - where whining about luck is the new way to make the world you want.
...is not a bloody security feature. This is why people who actually want to secure a wireless network use some combination of Radius and VPNs...
The secret to creativity is knowing how to hide your sources. - Albert Einstein
The Linksys router Schuster used at his home and its MAC address proved that he was accessing the CWWIS wireless network.
Sounds like the MAC address was tied to his name somewhere and this was the evidence the FBI used to obtain the warrant. After that, everything was revealed by the contents of his computer.
If you purchase a network card online with a credit card it's possible that the FBI can trace the MAC address of that card back to you, providing the seller keeps records. If you're a linux user you can change your MAC address with,
ifconfig ethX hw ether xx:xx:xx:xx:xx:xx
As long as you don't pass traceable information (like logging onto a traceable email account) and you use an anonymous proxy like tor as extra protection, it's pretty difficult to trace you. It's possible, of course, to locate you physically by triangulating your radio signals but this requires a bit more effort.
The above is provided for educational purposes only. I do not advocate breaking the law.
I know that Google analyzes the searches of its users -- for good purposes. I am sure they analyze how their search works, how users use it, and other things about those users. This helps them make a better tool. What I'm worried about is when this information is used to profile users, and identify potential 'terrorists'.
Zhrodague.net - I do projects and stuff too.
This kind of proxy is very common on businesses and among other useful stuff they log the HTTP request made by any client in the network. This is the easiest way, noone else is requiered to get the queries just check your own server logs.
Wow - after reading that headline it's clear that corporations are getting more powerful. This conviction brought to you by Google Court Beta.
Actually, the first thing he should have done was to stop using his former employer's wireless network by appropriating its other customers MAC addresses to gain illegal access. The second thing he should have done was to not launch DOS attacks against said customers' websites. That automatically raised damages to above $5000 which led to the FBI getting involved. Once that happened, he was screwed.
Yeah, it's a bit sensationalistic to claim he was "convicted" simply due to his google search terms - those were merely one part of the evidence given in court.
Because now you have a lot fewer of those rights.
In what way? To claim that a "right" has been violated here seems tantamount to making an assertion such as "Of course I may leave footprints, but no one has a right to follow them."
Why should an electronic trail have legal protections that a physical trail does not?
instead of searching for: "how to broadcast interference over wifi 2.4 GHZ," "interference over wifi 2.4 Ghz," "wireless networks 2.4 interference," and "make device interfere wireless network." he should have first searched for: "how to surf anonymously," "how to delete my browser data," and "how to shower without dropping your soap."
I seem to recall that there is a legal obligation to report certain classes of suspicious activity if they become aware of it -- notably, child pornography. They may not be obligated to actively search for it, but if they spot indications that a user is involved in that while analyzing their logs...
Only the dead have seen the end of war.
Yeah, what with being forced to use Google and all.
I mean, seriously, which right was violated here? The right to use a search engine without records? The right to use someone's wireless network without records?
Sorry, I'm a writer. That makes you raw material.
boggle
My eyes reflect the stars and a smile lights up my face.
Kudos on the post's headline being more accurate than TFA's headline.
The article's headline says: "Google searches nab wireless hacker," but the article actually says:
That may seem like simple semantics, but it's actually a pretty big difference.
Sorry, I'm a writer. That makes you raw material.
If someone is charged in one country for what is done with servers located in another country, it stands to reason they're liable for what they did in the origin country. International treaties specify information sharing between various security and police forces, so any company has to comply with such requests. If a country signs up to an international treaty, then the people and businesses in that country have to abide as best they can.
Think about it -- sysadmins and servers are scattered around the globe, but the corporations that manage them have to comply with the law in each country they have offices in. It doesn't matter whether that country has servers located elsewhere -- they're just tools.
I do not fail; I succeed at finding out what does not work.
Wow, your sysadmin was a real jerk. I actually got caught pirating using the school network (lesson learned: pirating to just anyone is asking for trouble), which got me banned until they found out they needed geeks to operate PageMaker for the yearbook. hahaha :) The librarians just sighed every time I used the computer -- the latest attempts to keep the hackers out inevitably failed.
mandelbr0t
"Please describe the scientific nature of the 'whammy'" - Agent Scully
Am I alone for thinking that 15 months in prison, three years of probation, and $20k in restitution is just a LITTLE high for MAC spoofing to score some free wifi? Even if it was taken to the level of interfering with the signal, 2.4G is unlicensed. As any aspiring hacker should know, a properly configured microwave will cause wifi (and 2.4G phones and baby monitors) many problems. Unless he was pulling some seriously bad juju, this is Mitnick-esque "damages".
The truth about Scientology, Xenu, and you: Operation Clambake
That's like looking at a key eye witness who saw you stab Nicole Brown Simpson and saying "How do I know you weren't on LSD and just imagining me there?" Seriously, independent third party witnesses are key to the judicial process. Get over yourself. Google openly makes money on the fact that they keep track of your browsing habits in order to make their advertising revenue more beneficial to their paying customers. Google could plaster those records for everyone on the planet to see them and your rights still haven't been violated. If you don't like what Google or any other company does, don't use them. With Google it's especially easy to avoid. Being a techy, you could take it a step farther and route google.com to /dev/null.
Check out my lame java blog at www.javachopshop.com
Yeah, it was actually on a library computer I was on, too, so I was banned from the library's computers... until a couple years later when I was suddenly recruited to help keep the library network running in the school... heh!
In this day and age where anybody can wardrive past your place and do God knows what with your Internet connection (provided your WAP isn't secured), how can simple Google query logs prove ANYTHING? For all we know, this guy had an enemy at work who decided to set him up.
And if he doesn't have a WAP, or it's secured, then it's just as possible that the aforementioned enemy somehow hacked into this guy's computer and sent those queries.
How likely is this to happen? Maybe not that likely, but in this country at least guilt must be proved BEYOND reasonable doubt. I think the ease with which people can compromise your home net connection definitely provides reasonable doubt. In ALL cases.
Even more, the fact that this guy is clearly not "liked" at work just makes it even more plausible that somebody would want to frame him. What are the chances? Low, probably, but is there reasonable doubt? Definitely.
Offtopic? Lawl, sorry for discussing things on this discussion forum.
Why should an electronic trail have legal protections that a physical trail does not?
Physical trails in the public are not protected. Physical trails in private are.
Its OK for me to watch you in public talking to person X. In theory, one needs a warrant and probable cause of a specific crime to listen to person talking with person X on the telephone.
None of that matters when they get the letter. They have to fork it over regardless of what agreement you made with them at that point anyway.
I just wonder how long it will take to start general 'fishing expeditions' of search history to show 'possible intent' of comitting a crime and get warrants based on that 'suspicion'. " we see here you did a search for the word crack, come with us". " we dont care that what you have searched for might have been legal when you searched, its not now".
Scary stuff.
Curiosity did kill the cat, and it may kill the rest of us too...
---- Booth was a patriot ----
That's not comparable.
In this instance it would be like talking to person X on company Y's premises. Company Y certainly has a right to know what is going on in their building and if it's illegal have every right to call the police about it.
That's my view, anyway.
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
Your metaphor is rendered invalid when the receiving end of your conversation is a corporate entity residing on a public domain. Google has every right to surrender any information it may have. Whether it's ethical to do so remains another, entirely different question. Don't be evil!!!
Your post leads to confusion .. not that it has anything wrong in it, but it has the potential to confuse:
:-)
__1__
His MAC address, when he connected to the local gateway, was logged.
You suggest using tor for protection; tor wouldn't have helped this person. Tor obfuscates IPs.
__2__
Another poster writes that he's sure the FBI would use a MAC address database to track the person down.
This would prove *extremely* difficult, and generally not plausible.
There is a "database"[1], but it's a pretty granular database, with the equivalent of old-school "Class A" (256^3) blocks of addressing[2], going to the manufacturer-on-record of that NIC.
It's also important to know, folks, that just because you change your MAC address, it doesn't mean you're "secure". Infact, if you do it on any of many wired networks, port-security will kick in and you'll be administratively (automagically) shutdown.
There's very very little anonymity, if any, left on the Internet these days.
And call it what it is -- just because there's a wireless signal, and it happens to reach into your home, doesnt mean you can use it. It's still "theft of services," and tack on some aggravated Theft By Deception, Exceeding Authorized Access, Circumventing a device connected to a Critical Infrastructure, one could even make a stretch argument to identity theft.
I'm all for finding new and fun ways to get around systems.. but break down and buy a router already, eh?
[1] IEEE OUI
[2] 00->ff ^ 3
That's like looking at a key eye witness who saw you stab Nicole Brown Simpson and saying "How do I know you weren't on LSD and just imagining me there?"
..." They had come from another machine in the same domain as the funny page. I erased them, checked occasionally, and they didn't reappear.
Funny, yes. But I have a story that's not too far off from that sort of thing. About 10 years ago I was working on a project at a big corporation whose name isn't relevant here. I had a row of machines with different OSs for doing portability testing. Someone sent me email pointing to a bit of humor on some web site, and by chance I happened to read it on the NT box. It was cute, I sent back a message saying that I'd laughed, and went about the day's work.
When I came in the next morning, the NT machine was sitting there displaying a whole lot of pornographic images. "Well, that's interesting
But the next morning, they were there on the screen again. So I really investigated. I found the "deleted" email, fetched the funny page again, and examined its source. It had some truly bizarre javascript that I didn't quite understand, but I did find the routine that fired off a download just after midnight. I called a few coworkers over and showed them the original page, the code, and the results. Nobody could quite explain the code, other than that it did something just after midnight. We found that when we disabled JS, the porn downloads stopped.
We tried it on a number of other machines. It only worked on MS Windows boxes, not on Solaris or linux or FreeBSD or any of the others. We had lots of Windows boxes, each with a different release installed, so after a while, we had lots of machines that were all downloading porn every night just after midnight.
We did discuss the implications if the higher-ups got wind of this. We had this scenario of them trying to figure out how we were sneaking in every night at midnight without the security guys seeing us, downloading a lot of porn, and then sneaking out without being seen. We were sure that the porn downloads were going into our permanent records.
Actually, we thought it was funny, as did our bosses. And these were all "crash and burn" test machines, so eventually we wiped each one clean, reinstalled the OS, and the porn went away.
But the legal system doesn't have our sense of humor. It's easy to imagine, in the light of TFA, that we could have been charged with a repeated pattern of downloading porn on company machines. In some companies, this could have easily got us fired. Luckily for us, our bosses just considered us crazy software developers.
I did learn enough that, some time later, I wrote up a little demo of how to make an innocent-looking web page download files that the user never sees, but which leaves incriminating downloads in the browser cache and the firewall logs, which could convict them as happened to this guy. I use the demo to convince people that I'm not being paranoid when the first thing I do with a new browser is to turn off java, JS and any other "scripting" tool. We're reaching the stage where you can be convicted for what you computer does behind your back. Stories like this are good for explaining why everyone really needs to learn enough about how their software works that you can block things like this that can plant evidence on your machine.
Of course, you really can't know about every automated thing that might be hidden in that box. And I should probably add this news story to my demo's docs, as an extra motivator.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
Court documents say that Schuster ran a Google search over CWWIS' network using the following search terms: "how to broadcast interference over wifi 2.4 GHZ," "interference over wifi 2.4 Ghz," "wireless networks 2.4 interference," and "make device interfere wireless network." [TFA]
... A few months ago, I did a number of google searches with very similar terms. I was trying to find out how to diagnose and defend against some wireless interference. Not that I learned all that much. I suspect that you need some rather special equipment to locate the source of interference, but I don't know what that equipment might be.
Hmmm
Anyway, I wonder if I could be a suspect now because of those searches?
I have noticed in the past that if you ask questions about security, you're usually treated as if you were a potential security risk, not as someone trying to improve your own security.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
It continually astounds me how the American people are willing to look the other way when it comes to their liberty and civil rights being encroached on!
Dude, the American people just looked the other way when the US government allowed itself to torture prisoners, and compromised just about every tenet of a fair trial. And you want us to care about web cookies and browser logs and shit?
sic transit gloria mundi
Agreed all! I'll add one: Might someone at google have an agenda? I.e., might the data be deliberately falsified?
- First they ignore you, then they laugh at you, then ???, then profit.
In a (sane) legal proceeding, there are resources allocated to evaluating the likelihood of scenarios proposed by either side. If one side posits that one of the witnesses may be unreliable because of being on LSD, the assertion isn't just tossed out... it's evaluated. There will be people who can come forward and testify as to the witness's habits, character, circumstances, all of which will usually lead to a reasonable assessment of the credibility of the "might he have been on LSD" question.
If google turns over search terms, this gets one FUCK of a lot harder. If someone wants to contest the search terms, what exactly are they going to say? "Um, I want google to prove the impossibility of someone mucking with the records in question. And I'd like google to prove the integrity of the code involved in collecting and storing this data"... even though doing so is in all likelihood impossible even for someone with a triple PhD in computer science, and to even try is something that google will fight tooth and nail since it would involve revealing both code and business logic.
- First they ignore you, then they laugh at you, then ???, then profit.
One of my "bosses", who is responsible for security control of our Active Directory domain was utterly mystified that I could log into a dozen or so PCs in 4 different offices and change the Domain that they belong to without leaving my chair. She had never heard of VNC let alone FastPush. Her expectation was that I would physically walk to each desk and do this in turn. With that level of comprehension and that level of responsibility, it would be SO easy to scatter red herrings throughout the enterprise. Without details on how the evidence was gathered and the skill of the investigators, I have little faith in its reliability.
WARNING: Smoking this sig may cause lowered IQ, insanity or short term memory loss. It is also really bad for your monit
Considering how much of the modern Web you'd be shutting yourself out from if you disabled JavaScript, I wouldn't view that as a solution. What are some other lessons you think novice computer users need to learn, that would have prevented this particular problem from arising? Can you clearly explain the reasons to your mother? Have you done so?
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Heh, you did that too? ;-)
Here's a HyperCard stack I created to disable FoolProof, which prevented users from dragging icons in the Finder (and probably did a couple of other things, but that was the main feature I remember).
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
So if your phone lines pass through Company Y's systems, they can listen in? Oops, now all forms of long-distance communication are open for listening!