Hacker Group Demands "Idiot Tax" From Payday Lender
snydeq writes "Hacker group Rex Mundi has made good on its promise to publish thousands of loan-applicant records it swiped from AmeriCash Advance after the payday lender refused to fork over between $15,000 and $20,000 as an extortion fee — or, in Rex Mundi's terms, an 'idiot tax.' The group announced on June 15 that it was able to steal AmeriCash's customer data because the company had left a confidential page unsecured on one of its servers. 'This page allows its affiliates to see how many loan applicants they recruited and how much money they made,' according to the group's post on dpaste.com. 'Not only was this page unsecured, it was actually referenced in their robots.txt file.'"
Just because I left my door open, doesn't mean it's okay to steal.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
One would suspect the FBI might soon be levying its own 'idiot tax' on Rex Mundi ...
unless of course said hacker is not US-based but that would raise EVEN MORE questions about the ethics if hackers are getting involved in commercial arrangements in FOREIGN countries
So they published the database on the Internet for anyone to access. I would be hard pressed to find a legal cause of action against the "hackers" (web surfers?) who browsed and saved the file. Additionally, because the database contains only a tabulation of factual information, it cannot be copyrighted. Thus, Rex Mundi may be legally allowed to publish it at will. Most of the civil causes of action that could be brought in a case of blackmail or extortion may be unsuccessful here since the "victim" PUBLICLY PUBLISHED the data themselves. Interesting case.
I am a geek attorney, but not your geek attorney unless you've already retained me. This is not legal advice.
Too bad they can't both lose.
First time protecting their customers was part of these people's business model.
xkcd is not in the sudoers file. This incident will be reported.
I think they are all fools.
King of the world? Seriously? Must have an extremely small set of tackle between the legs :-)
Crypted details about our next Hollywood celebrity victim:
Unp2Z25qY3Z4Znp5b3Z0Z2ptZ3Zwb2l6bW56aHZkZ3Z4eGpwaW9odml0ZGlvem16bm9kaWJ oem5udmJ6bmFtamhidnRodmd6YW1kaXlzcmNqaGN6bXpicGd2bWd0aHp6eW5ham14dm5 wdnFuenNyZGdnbXpnenZuenl2b3Zndm96bQ==
Props to the one who decrypts it first!
Spaces added by me to get past slashdot filter. Any takers?
I.e., they left the front door open and attached a post-it saying "please don't look under the shelf".
So basically, they're coming to the defense of customers being ripped off by this lender, and they're going to show 'em who's boss by widening the customers' exposure to identity theft? Wow, there's some moral high ground there. The customers must be so grateful.
"Howdy neighbor. I happened to hear you beating your wife last night. You can give me $1000 and I'll go away quietly. Otherwise, I'll give her another beating myself."
Just when everything seemed lost, you sprung to action and saved the day. Hurray.
Fucking door analogies, how do they work?
It's not okay to steal? No shit, Sherlock.
it was like putting a bmw up on blocks with a sign that said "steal my wheels".
no it's not, in your analogy the person is consciously sending the contents of the safe to you. at no point in the actual scenario did this happen.
we can agree however, that accessing the information was not a criminal offence.
what they did with the data afterwards quite clearly is though.
i spent five minutes thinking and all i got was this crappy sig
But give me 5 dollars or I tell everyone about this post of yours on slashdot, that is a bit less clear. How can you extort someone with information they published themselves?
Also, for a financial institution, it is illegal to have information so readily available. Who is the bigger criminal here?
If I extort you by saying give me a fiver or I will tell everyone where you buried your victims, I MIGHT see the police question me but it is YOU that will end up in jail.
Go ahead bank, file charges against the hackers, then explain in court how you violated countless banking and privacy laws.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Thief on thief violence is fine with me. Payday advance companies are nothing more than Loan sharking and are therefore thieves taking advantage of the dumb.
Do not look at laser with remaining good eye.
It's confusing for the mortals who will amalgamate them with the real hackers (the ones who make technology progress)
These are thieves, hijackers, robbers, burglars, muggers ... the correct words to describe them are aplenty.
Ignoring the acts of the hacker group for a moment, I think every customer should sue these idiots for publicly publishing personal information on the internet. They deserve to go out of business for this.
There looks to be some other interesting pages still referenced in their robots.txt file:
http://www.americashadvance.com/robots.txt
while questioning suspects & informants, so it must be ok.
Extortion is "acquisition by violence, threat, oppression, or abuse of authority." A threat to release information is still a threat, so blackmail falls within that definition. Thus blackmail is not necessarily much less serious than extortion.
Contribute to civilization: ari.aynrand.org/donate
At least they didn't pay the dane gold.
OK let me get this right. You extort money from a group that preys on the poor then because they won't pay up you expose the financial and personal data of the same poor people you say are being taken advantage of?
It all starts at 0
This here is an example of not using appropriate sources:
Yeah, a wikipedia article that characterizes the law with no citations to primary or secondary sources regarding the law (only citing a general -- not legal -- dictionary and another digital encyclopedia) it characterizes isn't really something you want to rely on.
The actual US federal extortion law is 18 USC Chapter 41; the two general provisions of which (not requiring the perpetrator or victim to be public or foreign officials or specially protected persons or having other similar special limitations) are 18 USC Secs. 873 & 875:
I don't think either really applies to the behavior at issue here.
Non-federal extortion provisions will vary considerably from jurisdiction to jurisdiction, so you really need to look at the laws of the jurisdiction applicable to the particular event.
Right, but I think the point is that it's a stupid law. (And therefore nobody respects it or obeys it, and therefore nobody expects anyone else to obey it, and therefore that law is useless to (and probably even contrary to) the cause of justice.) In a thread titled "strange sense of morals" that's not irrelevant.
Are you authorized to read the data at http://amazon.com/? How do you know? Who authorized you? When? What evidence do you have that you were authorized to request that page? What evidence do you have that you were authorized to receive the reply after you request that page?
I know those are all stupid questions, but only because you have not been authorized to read Amazon's page, or if you have, it was done secretly inside Amazon and was never communicated to you. That is why it is a stupid law.
It reminds me of how nobody has ever actually been prosecuted for playing a CSS-protected DVD on a DVDCCA-approved DVD player. Every time you descramble the CSS on a DVD, that's "circumvention" and illegal per DMCA, unless you have authorization by the movie's copyright holder, to do that. But of course, nobody has ever gotten authorization to do that. (Disagree? Prove it, or at least show some modest indirect evidence. This is harder than you think. Hint: purchasing the DVD does not imply permission to descramble the CSS, or else 2600 would have won their DeCSS case.) Every time anyone played a commercial DVD or BluRay, they were breaking the law, and the player manufacturer and the retail store who sold the player, broke the law too. That is, unless there's some sort of secret and uncommunicated authorization.
So how do you know if you're authorized? You don't. You never know, until the moment you die without ever having been called to court.
Same for public web servers. Everyone just assumes that information left in public, and without any notices it shouldn't be accessed, nor with any even half-hearted ineffective attempts to limit access, is .. well .. publicly accessible. But then fuckwits come along with a law saying you need authorization -- something that no one ever has, or at least can never show or demonstrate they have. The only authorization is hidden within the mind of whoever owns the server. It is never revealed, and its lack is also never revealed, until the moment you get a letter from a lawyer or are confronted by a cop.
They can retroactively say you didn't have authorization, and there's nothing anyone can do about it. Any arguments they make which happen to get applied to clearly valuable or sensitive information (situations where common sense tells you the owner wouldn't want the information to be public -- situations the law was ostensibly intended to cover) apply just as logically to Amazon's home page. It's just that if Amazon prosecuted you for shopping at their store, the judge would laugh them out of court despite the technical wording of the law, simply because it's so absurd. Common sense would prevail if Amazon sued you for being a customer -- in defiance of what Congress wrote.
But in between these two extreme examples, is a shitload of gray area. (Nearly everything you did on the web today was technically illegal.) The written law doesn't distinguish between any two points along this spectrum, just as DMCA doesn't distinguish between pirates and people merely playing their DRMed movies on Sony players. It must necessarily come down to a judge needing to pull an arbitrary decision out of their ass, every single time.
Not that I have any sympathy for the bad guys in this case. The extortion is illegal in itself, and shows some clearly malicious intent. If
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
robots.txt is a hint file to automated software crawling websites.
Note that everything on a web site is published.
Possibly not indexed, but, for an individual, robots.txt is just as valid an index as index.html.
So, the company published the information; the hacker group now has the information.
It wasn't theft -- the company still has the information.
The hacker group now told the company about this information. Actually, this should have been known by the company. Given that the company did not want to pay for suppressing republication, we can assume that they were aware.
The information accessed was a simple data list. Since this is pure information, it cannot be copyrighted.
So, republishing this information is not copyright infringement.
A simple offer was made -- please pay us not to republish the information. This is a normal legal offer. No law would be broken by republishing, and the information was not obtained illegally. It may have been worth something to republish, or (as the government has shown by paying farmers not to grow crops) it may have been worth something to not republish.
Given that the company should have been aware of the availability of the information, we must assume that they wouldn't mind the republishing.
The hacker group would wish to remain anonymous. I imagine that the people on the list may like to sue someone, and may try to sue the hacker group. Making this more difficult makes sense. (Especially if the hacker group is not US resident).
This is not illegal access, extortion, copyright infringement or any other crime that I can think of. You may not like it. Heck, I don't like arbitrage.
It appears from your comment (focussing on the header) that you believe there is a difference between moral and legal here (Sophocles' tragedy Antigone comes to mind). As Plato exposes, you may want to work to bring your morality and law closer.
Be careful. Steps in that direction may bring the downfall of the Web (certainly the concept of URLs).
The hacker group has it right. They simply demanded a fee for stupidity. I don't believe that you can legislate stupidity out of existence.
Just another "Cubible(sic) Joe" 2 17 3061
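The point made in the comment above, that robots.txt is a hint to crawlers and not an access control, is something a site owner can check against their own server. The following is an added example, not part of the original thread: it parses a robots.txt and flags Disallow entries that answered an unauthenticated request with content. The robots.txt text, paths and status codes are constructed sample data, and the function names are hypothetical.

```python
# Added example: audit a site's own robots.txt for Disallow entries that
# are served without authentication. All sample data below is constructed.

SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /cgi-bin/
Disallow: /affiliate-stats/   # constructed path
Disallow: /tmp/
Disallow:
Allow: /
"""

# Constructed results of unauthenticated GET requests made by the site
# owner against their own server: path -> HTTP status code.
SAMPLE_UNAUTH_STATUS = {
    "/cgi-bin/": 403,
    "/affiliate-stats/": 200,
    "/tmp/": 404,
}


def disallowed_paths(robots_txt):
    """Return Disallow values in file order, skipping comments and empty rules."""
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if ":" not in line:
            continue
        field, value = line.split(":", 1)
        value = value.strip()
        # An empty "Disallow:" means "nothing is disallowed", so skip it.
        if field.strip().lower() == "disallow" and value:
            paths.append(value)
    return paths


def exposed_paths(robots_txt, unauth_status):
    """Disallowed paths that returned content (2xx) without credentials."""
    findings = []
    for path in disallowed_paths(robots_txt):
        status = unauth_status.get(path)
        if status is not None and 200 <= status < 300:
            findings.append((path, status))
    return findings


if __name__ == "__main__":
    for path, status in exposed_paths(SAMPLE_ROBOTS, SAMPLE_UNAUTH_STATUS):
        print(f"{path}: HTTP {status} without authentication; "
              "listing it in robots.txt does not restrict access")
```

Any path this reports needs real access control (authentication and authorization on the server), since the Disallow line only asks well-behaved crawlers not to index it.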
Criminal stupidity is responsible for the vast majority of arrests. So it's not surprising that Rex Mundi went for the absolutely boneheaded move of trying to extort the scumbag AmeriCash. That move is about as lucrative and, only slightly less risky than robbing a bank. They could have made a lot more money --and had a much better chance of avoiding law enforcement-- if instead they had just quietly sold this data to AmeriCash's scumbag competitors.
Instead, their actions have rewarded them with the rapt attention of the same type of law enforcement team that was able to track down members of Anonymous.
You are allowed to take a picture of the wad of 20s that are in plain view.
The files were never taken from the server, they were copied from the server; via a legitimate request and the original files were not harmed.
If you don't want somebody making a copy of your data, don't put it out in public view. And a publicly accessible URL, even if it's not indexed by search engines, is still in public view.
Aha, so they probably used that top secret hacker technique known as a "site:url" google search lol.
Sorry, but this is like stealing from a Crack dealer! These people have no morals. They are legal Loan Sharks.