Slashdot Mirror
Google Search Convicts Hacker
An anonymous reader writes "Google search terms have helped convict a wireless hacker. The queries the hacker performed were introduced into evidence at court, where Matthew Schuster was charged with disrupting his former employer's wireless network and imitating other users' MAC addresses to obtain access. From the article: 'Court documents are ambiguous and don't reveal how the FBI discovered his search terms. That could have happened in one of three ways: an analysis of his browser's history and cache; an Alpha employee monitoring the company's wireless connection; or a subpoena to Google from the police for search terms tied to his Internet address or cookie. Google has confirmed that it can provide search terms if given an Internet address or Web cookie, but has steadfastly refused to say how often such requests arrive.'
No, they'll just give it all away anyway.
But when Google does it, it can only be for the common good, right? A malicious Hax0r gets put away??
Let's look at Google's privacy policy, shall we?
Information sharing
Google only shares personal information with other companies or individuals outside of Google in the following limited circumstances:
* We have your consent. We require opt-in consent for the sharing of any sensitive personal information.
* We provide such information to our subsidiaries, affiliated companies or other trusted businesses or persons for the purpose of processing personal information on our behalf. We require that these parties agree to process such information based on our instructions and in compliance with this Policy and any other appropriate confidentiality and security measures.
* We have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or enforceable governmental request, (b) enforce applicable Terms of Service, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against imminent harm to the rights, property or safety of Google, its users or the public as required or permitted by law.
That's a pretty broad policy. *ANY* applicable law, regulation, legal process or enforeable governmental request. That leaves the door pretty wide open for the Chinese government to start asking for the query strings of their citizens to me.
I think the answer is clear, if you need to see webpages and want NO trace of you - you have to compromise a machine, surf via a proxy you set up in it, and then timebomb the drive to wipe itself after you are done. And even then you may get caught, if there are firewall logs.
Let's look at a leading company that does web proxy policy:
DISCLOSURE
All use of our site is confidential. We disclose user information only as provided for herein and when we believe that the law requires it, or when disclosure is necessary to identify, contact or bring legal action against someone who may be causing injury to others or interfering with Proxify's rights or property.
In the event of an assignment, sale, joint venture, or other transfer or disposition of some or all of the assets of Proxify, you agree that we can accordingly assign, sell, license or transfer any information that our users have provided to us. Please note, however, that the purchasing party cannot use the personal information you have submitted to us under this Privacy Policy in a manner that is materially inconsistent with this Privacy Policy without your prior consent.
That pretty much says: hey, we have your web surfing logs and we'll give em up if we have to. We don't want to, and we'll destroy logs after 30 days (it says that elsewhere in the policy) but dammit, if they bend us over and lube us up - we're gonna damn well hand it over rather than taking one for the team, so to speak.
I am no hacker and I do use google for many searches that I would not like to be a public information. Let us come clean, how many of us have not searched for a mp3 we liked a lot, or p0rn, or how to bypass company firewall?
The first thing he should have done is to delete Cache, browse anonymously, and FOR GOD'S SAKE, not be logged into google (which is integrated everywhere), or delete search history, or delete all cookies!
I know because I have suffered from this kind of stupidity, and in the end, I was unable to blame anyone.
Because Google can say ANYTHING it wants about you and people/police/FBI/government/corporations/your_emp loyer/etc will believe them without an OPEN REVIEW of how they obtain, generate, and store that information.
Is the information faulty? Did someone munge with the data? Were Google's databases corrupt? Was the data recreated or generated from other data? Has Google's spy software been through open source review? How well was Google's software tested?
It continually astounds me how intellectually lazy Americans have become! It continually astounds me how the American people are willing to look the other way when it comes to their liberty and civil rights being encroached on!
THINK FOR ONCE PEOPLE!
So it's not clear that Google had anything to do with this, and aside from the search terms, other evidence also pointed to his crimes. I'm pretty sure you've overreacted.
I'm not too surprised, though. A story like this (and realistically, the entire YRO section) is pretty much intended to rile the tin-foil hat crowd. Good thing for me that I'm entertained by it.
Slashdot - where whining about luck is the new way to make the world you want.
...is not a bloody security feature. This is why people who actually want to secure a wireless network use some combination of Radius and VPNs...
The secret to creativity is knowing how to hide your sources. - Albert Einstein
The Linksys router Schuster used at his home and its MAC address proved that he was accessing the CWWIS wireless network.
Sounds like the MAC address was tied to his name somewhere and this was the evidence the FBI used to obtain the warrant. After that, everything was revealed by the contents of his computer.
If you purchase a network card online with a credit card it's possible that the FBI can trace the MAC address of that card back to you, providing the seller keeps records. If you're a linux user you can change your MAC address with,
ifconfig ethX hw ether xx:xx:xx:xx:xx:xx
As long as you don't pass traceable information (like logging onto a traceable email account) and you use an anonymous proxy like tor as extra protection, it's pretty difficult to trace you. It's possible, of course, to locate you physically by triangulating your radio signals but this requires a bit more effort.
The above is provided for educational purposes only. I do not advocate breaking the law.
Actually, the first thing he should have done was to stop using his former employer's wireless network by appropriating its other customers MAC addresses to gain illegal access. The second thing he should have done was to not launch DOS attacks against said customers' websites. That automatically raised damages to above $5000 which led to the FBI getting involved. Once that happened, he was screwed.
There are numerous ways to make yourself anonymous, however, they are for another discussion. Which is why I just suffice to say this guy is a piss-poor hacker.
He didn't even try. He was just a disgruntled IT worker. Instead of using a machine gun to mow people down he wanted to use a transmitter to mow packets down. In this day and age people take that very seriously. So he's going to jail for 15 months. End of story.
TLF
I do not respond to cowards. Especially anonymous ones.
Because now you have a lot fewer of those rights.
In what way? To claim that a "right" has been violated here seems tantamount to making an assertion such as "Of course I may leave footprints, but no one has a right to follow them."
Why should an electronic trail have legal protections that a physical trail does not?
Yeah, what with being forced to use Google and all.
I mean, seriously, which right was violated here? The right to use a search engine without records? The right to use someone's wireless network without records?
Sorry, I'm a writer. That makes you raw material.
Kudos on the post's headline being more accurate than TFA's headline.
The article's headline says: "Google searches nab wireless hacker," but the article actually says:
That may seem like simple semantics, but it's actually a pretty big difference.
Sorry, I'm a writer. That makes you raw material.
That's like looking at a key eye witness who saw you stab Nicole Brown Simpson and saying "How do I know you weren't on LSD and just imagining me there?" Seriously, independent third party witnesses are key to the judicial process. Get over yourself. Google openly makes money on the fact that they keep track of your browsing habits in order to make their advertising revenue more beneficial to their paying customers. Google could plaster those records for everyone on the planet to see them and your rights still haven't been violated. If you don't like what Google or any other company does, don't use them. With Google it's especially easy to avoid. Being a techy, you could take it a step farther and route google.com to /dev/null.
Check out my lame java blog at www.javachopshop.com
That's not comparable.
In this instance it would be like talking to person X on company Y's premises. Company Y certainly has a right to know what is going on in their building and if it's illegal have every right to call the police about it.
That's my view, anyway.
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
True, but the GP's point is still valid ... conviction based solely upon server log entries (or even the use of such logs to intimidate, such as the RIAA has been doing) should simply be unacceptable to a judge. Such information being a part of the fabric of evidence in a larger case is one thing, but it is simply not reliable enough to be depended upon in such important matters.
Courts need to become more technically competent, I think. We're too accustomed to the idea that if data comes from a computer it is implicitly trustworthy, and that's a big problem.
The higher the technology, the sharper that two-edged sword.