Slashdot Mirror


Security Researcher and Alleged Spam Operator To Square Off In Court In Ugly Lawsuit (bleepingcomputer.com)

An anonymous reader writes: River City Media, the company accused of running a huge spam operation, has filed a lawsuit against the security researcher and the journalist who exposed their activities. In a ludicrous lawsuit complaint, the company claims the security researcher didn't just stumble upon its unprotected Rsync server, but "perpetrated a coordinated, months-long cyberattack," during which he skirted firewall rules to access its server, used a VPN to disguise his identity, deleted critical files, and published his findings to make a name for himself as an elite security researcher. The company claims the researcher accessed Dropbox and HipChat logs, and even its PayPal account, from which he used funds to purchase various domains. The only evidence the company has is that the person who purchased the domains used a ProtonMail email, just like the researcher, who also uses a ProtonMail email. Mind you, this is the same security researcher, Chris Vickery, who discovered a Reuters database of supposed terrorism suspects, national voter databases for various U.S. states and Mexico, and various other companies' data.
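The "unprotected Rsync server" at the center of the complaint is the kind of exposure that can be confirmed with two unauthenticated round-trips, which is worth seeing concretely given how much of the complaint hangs on what "access" meant. An rsync daemon on TCP 873 greets with a line of the form "@RSYNCD: <version>", the client echoes it back, and a request of "#list" returns the advertised modules followed by "@RSYNCD: EXIT"; requesting a module by name then yields "@RSYNCD: OK" when no password is configured or "@RSYNCD: AUTHREQD <challenge>" when one is. The code below is an added example written for this page, not code from the article, the lawsuit, or Vickery's own work; the sample daemon replies are constructed inline, the hostname in the usage note is a placeholder, and nothing about RCM's actual server is assumed.

```python
import socket

RSYNC_PORT = 873  # default rsync daemon port


def parse_module_listing(raw: bytes) -> dict:
    """Parse the bytes an rsync daemon sends in reply to a '#list' request.

    Module lines are '<name padded to 15>\\t<comment>'; lines without a tab
    before the EXIT marker are treated as MOTD text, which a daemon may
    emit before the listing.
    Returns {'version': str|None, 'modules': {name: comment},
             'motd': [str], 'exit': bool}.
    """
    result = {"version": None, "modules": {}, "motd": [], "exit": False}
    for line in raw.decode("utf-8", errors="replace").splitlines():
        if line.startswith("@RSYNCD: EXIT"):
            result["exit"] = True
            break
        if line.startswith("@RSYNCD:"):
            # Newer daemons append a digest list after the version; keep only the version.
            result["version"] = line.split(":", 1)[1].split()[0]
        elif "\t" in line:
            name, _, comment = line.partition("\t")
            result["modules"][name.strip()] = comment.strip()
        elif line.strip():
            result["motd"].append(line.strip())
    return result


def classify_module_reply(raw: bytes) -> str:
    """Classify the daemon's answer to a module request.

    'open'          -> '@RSYNCD: OK', the module is readable without a password
    'auth-required' -> '@RSYNCD: AUTHREQD <challenge>', password needed
    'error'         -> '@ERROR ...' (unknown module, host denied, etc.)
    'unknown'       -> nothing recognisable in the reply
    """
    for line in raw.decode("utf-8", errors="replace").splitlines():
        if line.startswith("@RSYNCD: OK"):
            return "open"
        if line.startswith("@RSYNCD: AUTHREQD"):
            return "auth-required"
        if line.startswith("@ERROR"):
            return "error"
    return "unknown"


def _read_line(sock: socket.socket) -> bytes:
    # Read one newline-terminated line byte by byte (the greeting is short).
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf


def _rsync_request(host: str, request: bytes, port: int, timeout: float) -> bytes:
    """Do the greeting handshake, send one request line, return everything the daemon replies."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        greeting = _read_line(s)
        s.sendall(greeting)  # echo the daemon's protocol version line
        s.sendall(request)
        data = b""
        while True:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            data += chunk
            if b"@RSYNCD: EXIT" in data or b"@RSYNCD: OK" in data \
                    or b"@RSYNCD: AUTHREQD" in data or b"@ERROR" in data:
                break
        return greeting + data


def audit_rsync_daemon(host: str, port: int = RSYNC_PORT, timeout: float = 5.0) -> dict:
    """Live check: list modules, then ask each one whether it needs a password.

    Returns {module_name: 'open' | 'auth-required' | 'error' | 'unknown'}.
    Only run this against hosts you are authorised to test.
    """
    listing = parse_module_listing(_rsync_request(host, b"#list\n", port, timeout))
    return {
        name: classify_module_reply(_rsync_request(host, name.encode() + b"\n", port, timeout))
        for name in listing["modules"]
    }


# Constructed sample replies, shaped like a real daemon's output (not captured from any real host).
SAMPLE_LISTING = (
    b"@RSYNCD: 31.0\n"
    b"Authorised users only.\n"
    b"backups        \tNightly backups\n"
    b"logs           \tMail logs\n"
    b"@RSYNCD: EXIT\n"
)
SAMPLE_OPEN = b"@RSYNCD: 31.0\n@RSYNCD: OK\n"
SAMPLE_AUTH = b"@RSYNCD: 31.0\n@RSYNCD: AUTHREQD 9f8e7d6c5b4a3\n"

if __name__ == "__main__":
    print(parse_module_listing(SAMPLE_LISTING))
    print(classify_module_reply(SAMPLE_OPEN), classify_module_reply(SAMPLE_AUTH))
    # Live use (placeholder host, not run here): audit_rsync_daemon("rsync.example.test")
```

The point of the two-step check is that a module appearing in the "#list" output is not by itself evidence that its contents were readable; the "@RSYNCD: OK" versus "@RSYNCD: AUTHREQD" reply to the module request is what distinguishes an open share from a password-protected one, and that reply is also what a daemon's own log would show for any connection the operator later wanted to characterise as an "attack".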

56 comments

  1. Streisand effect by TimSSG · · Score: 2
    1. Re:Streisand effect by Frosty+Piss · · Score: 1

      How so?

      --
      If you want news from today, you have to come back tomorrow.
  2. I can see it now by Brockmire · · Score: 2

    Defender's lawyers send over 1 billion boxes of documents after prosecution requested related materials.

    1. Re: I can see it now by saloomy · · Score: 5, Interesting

This happened to a client; they received a truckload of documents. We paid an outsourcing company a couple grand to scan them into an OCR program and used text search to find the proverbial nails for their coffin. With the newest bad-ass document solutions from big printer manufacturers, this isn't really that much of an issue anymore. Just drop a thousand sheets into the loader and press the button. A few days with a few temps, and you have your digital versions.

    2. Re: I can see it now by Registered+Coward+v2 · · Score: 1

This happened to a client; they received a truckload of documents. We paid an outsourcing company a couple grand to scan them into an OCR program and used text search to find the proverbial nails for their coffin. With the newest bad-ass document solutions from big printer manufacturers, this isn't really that much of an issue anymore. Just drop a thousand sheets into the loader and press the button. A few days with a few temps, and you have your digital versions.

I never understood why companies save everything, especially emails, working papers, etc. I worked for a company that had a strong document retention policy. We destroyed everything but our final inspection report once the final report was approved. Notes, electronic media, drafts, etc. were collected and shredded, and HDs were securely erased as well. Email was not used to discuss our inspections. This way, the only material available was our final report, so nothing could be taken out of context in a suit against a client. The only exception was if a client notified us before a final report that a suit was probable. At that point all the material was turned over to our attorneys, who fought against disclosure.

      --
      I'm a consultant - I convert gibberish into cash-flow.
    3. Re: I can see it now by gmack · · Score: 1

Without those emails, who gets blamed? Recently, I had someone tell me they didn't ask for what I did; what saved me? A months-old email from them telling me to do exactly what I did. In another case, a judge sent a demand for a bunch of 3-year-old emails (old sysadmin, old mail server), and we could not provide them; the lawsuit with the customer did not go well after that.

And then there are government retention laws. For example, we are required to keep call records for some countries for 10 years, and we have had demands for 7-year-old information in the past.

Not to mention it's sometimes just nice to go back and see how you did something a couple of years ago when a similar project happens again.

    4. Re: I can see it now by Anonymous Coward · · Score: 1

The company I used to work for was so "afraid" of IT that EVERYTHING was copied and printed out. Even the receptionist had to write down thousands of callers' telephone numbers every day. They spent $100,000 on building a new archive building to put all these paper records in, and 2 years later they had to build an even bigger one, and so on and so on.
The biggest joke was that no one ever went to the archive to retrieve anything.

Then 1 year ago the archive burnt down, but the CEO then set about rebuilding until the other shareholders put a stop to it all. Over $800,000 had been spent in total on purchasing all this paper, storage boxes and archive buildings, and no one ever used the archive in over 17 years.

    5. Re: I can see it now by Woldscum · · Score: 1

That is why you have a document retention policy. Because if you do not, you have no reason NOT to produce old documents. If you have missing "old" documents needed in a court case, it looks like you destroyed evidence. But if all the records are gone, so are your liabilities.

    6. Re: I can see it now by Registered+Coward+v2 · · Score: 1

Without those emails, who gets blamed? Recently, I had someone tell me they didn't ask for what I did; what saved me? A months-old email from them telling me to do exactly what I did. In another case, a judge sent a demand for a bunch of 3-year-old emails (old sysadmin, old mail server), and we could not provide them; the lawsuit with the customer did not go well after that.

And then there are government retention laws. For example, we are required to keep call records for some countries for 10 years, and we have had demands for 7-year-old information in the past.

Not to mention it's sometimes just nice to go back and see how you did something a couple of years ago when a similar project happens again.

      While you raise valid points, the documents I was referring to involved specific inspections for clients. The final report contained all the information needed and thus we destroyed all the working papers, inspectors notes etc. so that they couldn't be used in court and misinterpreted or otherwise used to paint a false picture of what we saw. For example, I might write in my notes while observing operations "The operator did not (do some critical step) ..." only to discover in the reconstruction later that it was in fact done so it was not an issue, but a lawyer could pull my note out of context to make it seem the operators were not properly trained.

As for retention, while it may differ, in our case our lawyers said that as long as we had a written policy and enforced it we were OK. It's when it is done on an ad-hoc basis that problems arise.

We kept all the routine stuff; it was just the inspection stuff that was carefully handled to ensure we followed our policy. That way we could reconstruct internal work and at the same time protect our clients.

      --
      I'm a consultant - I convert gibberish into cash-flow.
    7. Re: I can see it now by Anonymous Coward · · Score: 0

      But they had a backup, right?

  3. Whoohoo first ever by Anonymous Coward · · Score: 0

    Whoohoo first ever

  4. Interesting by Anonymous Coward · · Score: 0

    Will like to see what happens with this case.

  5. Firewall rules... by freeze128 · · Score: 2

    Well, some firewall rules cannot be skirted. For instance, DENY ALL TRAFFIC TO PORT 22.

    1. Re:Firewall rules... by Opportunist · · Score: 2

      Confidentiality can be perfected by eliminating availability. That's by no means any news.

      And guess what, if you unplug the computer from power and hide the power cord, it cannot even be abused locally!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  6. Goose and Gander by Archfeld · · Score: 2

We'd be up in arms if it was the FBI breaking into the systems to gather evidence of illegal activity without a writ or warrant. Without the backing of the law the 'hacker' is and should be guilty of digital crimes, but that doesn't abrogate the guilt of the spammer, who should be relegated to a special hell for spammers and phishers. Private entities can get away with things law enforcement can't.

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
    1. Re:Goose and Gander by Anonymous Coward · · Score: 0

Yeah, let's punish this guy for doing law enforcement's job for them.
Sorry, you're an imbecile.

    2. Re:Goose and Gander by Anonymous Coward · · Score: 0

      Vigilantism is actually strongly discouraged by the police. Haven't you ever seen a Batman movie?

    3. Re:Goose and Gander by Opportunist · · Score: 4, Insightful

      Vigilantism arises whenever law enforcement drops the ball. People are generally lazy and wouldn't go out of their way to do that "job" if it was already done.

Of course the police don't really approve of it. Do you like to be shown that you suck at your job?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:Goose and Gander by Anonymous Coward · · Score: 1

      Those that have a monopoly on force, special protections, and special privileges within society should be held to a higher standard.

    5. Re:Goose and Gander by FudRucker · · Score: 1

The FBI would have just sent a goon squad over with guns to their offices, confiscated servers along with any other hardware, and taken them to a lab to analyse.

      --
      Politics is Treachery, Religion is Brainwashing
    6. Re:Goose and Gander by Anonymous Coward · · Score: 0

      Or stalled the analysis until the company went bankrupt - like the Kim Dot Com case.

    7. Re:Goose and Gander by avgjoe62 · · Score: 0

      Vigilantism arises whenever law enforcement drops the ball. People are generally lazy and wouldn't go out of their way to do that "job" if it was already done.

      George Zimmerman

--
How come Slashdot never gets Slashdotted?

    8. Re:Goose and Gander by Muros · · Score: 1

We'd be up in arms if it was the FBI breaking into the systems to gather evidence of illegal activity without a writ or warrant. Without the backing of the law the 'hacker' is and should be guilty of digital crimes

      I'm not sure that accessing a server exposed to the internet with no password on it really counts as "breaking in".

    9. Re:Goose and Gander by Opportunist · · Score: 1

      Yeah, that's TOTALLY the same thing.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    10. Re:Goose and Gander by avgjoe62 · · Score: 1
      One man's vigilante is another man's outlaw. The problem with a vigilante is that they start out on the same side of the law as those they want to punish.

      The definition of vigilante would seem to depend more on your perspective than any established facts, and that to me is the whole problem with being a vigilante. Remember the guy that showed up at Planet Pizza, independently investigating Pizzagate?

--
How come Slashdot never gets Slashdotted?

    11. Re:Goose and Gander by MoaDweeb · · Score: 1

Hey, the fat German is still here in NZ.
When are you coming to get him?

      --
      New Zealanders are well balanced with a chip on each shoulder. One represents Australia, the other the rest of the world
    12. Re:Goose and Gander by Anonymous Coward · · Score: 0

      Remember the guy that showed up at Planet Pizza, independently investigating Pizzagate?

      You mean the guy who showed up, waving a gun around, who actually fired it?

      At least he's going to prison. Sadly, they didn't manage that for George Zimmerman, despite him raising no defense for his conduct. Nor for Pizzagate guy's instigators.

      Pity.

      At least Walter Scott's murderer agreed to plead guilty.

    13. Re:Goose and Gander by Anonymous Coward · · Score: 0

Woosh, a swing and a miss. Are you actually that obtuse or just trolling?

    14. Re:Goose and Gander by Archfeld · · Score: 1

Umm, so it is OK for a private individual to come into your house to check and make sure you are not stealing things or using pirated services, without any documentation or supporting evidence? You are a hypocrite at best and a danger to the rest of society otherwise...

      --
      errr....umm...*whooosh* *whoosh* Is this thing on ?
    15. Re:Goose and Gander by Opportunist · · Score: 1

      But I hope we can agree that bricking a device is a wee bit different from killing a person, yes?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    16. Re:Goose and Gander by avgjoe62 · · Score: 1

      Absolutely. And in this case specifically I would think that a security researcher is the equivalent of a journalist - as long as he himself did not break the law he is free to publish whatever has been freely given to him. For example, see the Pentagon Papers. If someone gave this info to Chris Vickery and all he did was confirm the authenticity of it then he was merely performing due diligence.

      But think about bricking a device. If someone's IP phone accesses the internet via some cheap crappy router and they need to call 911, do we blame the person that bricked the device for the failed call? The main problem I have with vigilante security fixes is the cascade of consequences that follow from the good intentions. Most of those consequences won't affect the vendors that sold the crappy router in the first place, just the poor slobs that tried to save a few bucks on a router. In theory vigilante bricking sounds great but in reality it can be a much different story.

--
How come Slashdot never gets Slashdotted?

  7. Vigilante Security is Harmful by Anonymous Coward · · Score: 0

    I find no fault with the security researcher and journalist for exposing a spam operation, even if it meant some hacking. However, I'm concerned that, when security researchers engage in activities that are viewed as ethically questionable, they degrade the credibility of security professionals in the eyes of the public. When we tell people they need to take precautions against a certain type of vulnerability, avoid certain software products, and take other steps to be secure, we need the public to take us seriously. When the public sees security researchers engaging in activities like hacking or publishing the source to backdoored ransomware, it makes it look like the researchers are also criminals. We need to be beyond reproach if we want the public to heed our security warnings, especially in an era where apps leak data and IoT is incredibly vulnerable. I'm just concerned that this doesn't help our cause.

    1. Re:Vigilante Security is Harmful by Opportunist · · Score: 1

      Dear law enforcement,

      do your fucking job or at least don't stand in the way.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Vigilante Security is Harmful by cavreader · · Score: 1

Every time they attempt to do their job they are pilloried as jack-booted Nazis infringing on people's god-given rights to engage in criminal activities.

    3. Re:Vigilante Security is Harmful by davecb · · Score: 1

There is nothing in the articles suggesting that Mr. Vickery did anything except find the unsecured data and publish reports, so the accusation of vigilantism and/or improper behavior is strictly a claim by RCM, as yet unproven.

      --
      davecb@spamcop.net
    4. Re:Vigilante Security is Harmful by Opportunist · · Score: 2

      Then they should probably stop beating up protesters and start protecting people instead of assets and investments.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:Vigilante Security is Harmful by gweihir · · Score: 1

I completely agree on this one. Hacking somebody without permission is hugely unprofessional. I attribute it to a superiority complex on the side of the "security researcher". It has gotten so bad that actual IT security consultants have to assure their customers that they will of course stay strictly within their mandate and that they will of course not give any information about their findings to anybody besides the customer (much as a medical professional would, and with much the same reasoning). It is quite ridiculous. In the end a security expert is somebody who helps customers with problems; it is not their task to save the world.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    6. Re:Vigilante Security is Harmful by Anonymous Coward · · Score: 0

Admit it. There are some protesters who really do need a hard punch in the mouth. The majority of "protesters" today are more accurately called "complainers". Real protesters work towards focusing attention on the issue in the hope of generating change. "Complainers" are just professional ass hats who like the sound of their own voices. Their goal is to find who is to blame for their perceived wrongs and move on to the next outrage of the day. And most of the time they end up putting the blame on the wrong party.

    7. Re: Vigilante Security is Harmful by Anonymous Coward · · Score: 0

I see nothing in the post that removes any 1st Amendment guarantees. The 1st Amendment protections are alive and well in the US. However, the 1st Amendment is a double-edged sword. You are free to say damn near anything you want, but you also need to take responsibility for your speech. And the fact that others don't agree with the contents of your speech doesn't mean your 1st Amendment rights are being violated.

  8. If there is truly no evidence... by StevenMaurer · · Score: 4, Interesting

Then Chris Vickery not only will be able to defend himself, but may be able to countersue under New Jersey's anti-SLAPP laws (SLAPP = Strategic Lawsuits Against Public Participation, exactly what this suit seems to be). The penalties can be quite substantial, $280K in a recent case. Not only that, but there is another New Jersey law that allows a judge to dismiss a case with prejudice within 45 days of the SLAPP filing. This is all cogent, because RCM is a New Jersey corporation.

Furthermore, there is a shareholder group engaged in a proxy battle right now, saying that they see this as a desperate attempt to distract shareholders from corporate mismanagement. So this may not even get filed, depending on how the existing shareholders see this action.

    1. Re:If there is truly no evidence... by Anonymous Coward · · Score: 0

      Question, since RCM is the owner of the so called hacked servers... what would stop them from faking evidence of a cyber-attack, just to get Vickery?

    2. Re:If there is truly no evidence... by Anonymous Coward · · Score: 0

      Gross incompetence?

    3. Re:If there is truly no evidence... by Picodon · · Score: 5, Informative

      This is all cogent, because RCM is a New Jersey corporation.

      You are probably thinking of another company, RCM Technologies, located in Pennsauken (New Jersey). There are other unrelated companies with similar names, including a River City Media located in Portland (Oregon).

The spam operation run by Matt Ferris and Alvin Slocombe seems to be run from Washington state, along with other companies that they have registered there under names like "Acetech USA", "Cyber World Internet Services" and others, according to Spamhaus.

    4. Re:If there is truly no evidence... by Anonymous Coward · · Score: 0

      NJ law doesn't matter here. The case is filed in Washington _Federal_ court based on federal question and diversity jurisdiction. As alleged in the Complaint, RCM is a citizen of Washington or Wyoming for diversity purposes. (The Complaint says that RCM is incorporated in Wyoming, not NJ.) As alleged in the Complaint, no other party is a citizen of New Jersey.

      NJ law doesn't matter for either federal causes of action or Washington common law claims. Further, a Washington Federal court, absent special circumstances, will apply Washington state law.

      Also, the blue text with a docket number and filing date up top means that, unless someone is forging documents, this Complaint is already filed.

    5. Re:If there is truly no evidence... by Anonymous Coward · · Score: 0

Falsifying evidence is a felony, so if they faked it and it got found out, whoever was responsible would be in for a really bad 10 years or so. It's a hell of a gamble, hoping you don't get found out.

  9. Skirting Firewall Rules? by Anonymous Coward · · Score: 0

    Teach me how to be a hacker. Even if it takes a whole hour.

    1. Re:Skirting Firewall Rules? by gweihir · · Score: 1

      Naaaa, in order to do this you just need to be big on the bullshit and small on the actual facts.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  10. Eye of the beholder by John.Banister · · Score: 1

    It looks like a beautiful lawsuit to me. It should be much more entertaining than most of 'em.

  11. Obligatory:Intel CPU Backdoor Report (May 1 2017) by Anonymous Coward · · Score: 0

    Aka I FUCKING TOLD YOU SO.

Newest update: On May 1st 2017, under pressure from the Vault 7 leak, Intel released a "Critical" security bulletin, INTEL-SA-00075, admitting Intel Core CPUs from 1st gen to 7th gen (2006-2017) all share the same critical vulnerability.

    The goal of this report is to make the existence of Intel CPU backdoors a common knowledge and provide information on backdoor removal.

    What we know about Intel CPU backdoors so far:

    TL;DR version

    Your Intel CPU and Chipset is running a backdoor as we speak.

    The backdoor hardware is inside the CPU/Bridge and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.

    30C3 Intel ME live hack:
    @21m43s, keystrokes leaked from Intel ME above the OS, wireshark failed to detect packets.
    [Video Link] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware
    [Quotes] Vortrag:
    "DAGGER exploits Intel's Manageability Engine (ME), that executes firmware code such as Intel's Active Management Technology (iAMT), as well as its OOB network channel."

    "the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker. Our presentation consists of three parts. The first part addresses how to find valuable data in the main memory of the host. The second part exploits the ME's OOB network channel to exfiltrate captured data to an external platform and to inject new attack code to target other interesting data structures available in the host runtime memory. The last part deals with the implementation of a covert network channel based on JitterBug."

"We have recently improved DAGGER's capabilities to include support for 64-bit operating systems and a stealthy update mechanism to download new attack code."

    "To be more precise, we show how to conduct a DMA attack using Intel's Manageability Engine (ME)."

    "We can permanently monitor the keyboard buffer on both operating system targets."

    Backdoor removal:
    The backdoor firmware can be removed by following this guide using the me_cleaner script.
    Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.

    Decoding Intel backdoors:
    The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort.

If you are skilled in these areas, download Intel ME firmwares from this collection and have a go at them; beware that Intel is using a lot of countermeasures to prevent their backdoors from being decoded (explained below).

    Useful links:
    The Intel ME subsystem can take over your machine, can't be audited
    REcon 2014 - Intel Management Engine Secrets
    Untrusting the CPU (33c3)
    Towards (reasonably) trustworthy x86 laptops
    30C3 To Protect And Infect - The militarization of the Internet
    30c3: To Protect And Infect Part 2 - Mass Surveillance Tools & Software

    1. Introduction, what is Intel ME

  12. Cuts both ways. Documents reveal the truth. Misund by raymorris · · Score: 1

    Yep, that goes both ways. If you have the documents, you can see and prove what was said. When you're right, that's a win.

The big bonus of having documents is that when you have them, most conflicts can be resolved at the "minor misunderstanding" stage, well before it becomes a lawsuit. Somebody says "I told you X". You reply "Oh, I'm sorry, I thought you said 'not X' in your email on January 3rd. Did I misunderstand? Let's discuss changing that. I guess I misunderstood your email, copied below."

  13. Is there a GoFundMe for this guy? by Anonymous Coward · · Score: 0

    Is there a GoFundMe for this guy's legal expenses in defending himself?

  14. Here's the issue by Anonymous Coward · · Score: 0

Knowing the persons involved through a relationship with the data centers targeted, there is no way what transpired was above board in terms of "reporting" purely for the sake of journalism.

On the same note: it's a spam-sending company. Right next to sexual abuse of minors, that's about as hated as you can get in society.

Here's the rub: the ends don't always justify the means, and Vickery was most likely used as a mouthpiece, eagerly, to tread where an actual hacker had penetrated and rooted deeply (nuts-in-their-guts deeply) without knowing what he was getting involved in. He was most likely just thrilled that such a greatly righteous breach could be gift-wrapped with a bow, without questioning it.

I'd like to mention too that I think Vickery does important work. Extremely important work, when you think of the scope he's been able to disclose vulnerabilities in.

Just be sure that being a good reporter and social warrior for the betterment of mankind doesn't end up associating you too closely with the type of criminal you're attempting to snare.

  15. Can't say I'm upset about this by Anonymous Coward · · Score: 0

    "River City is now on the verge of collapse," the complaint reads. "This negative publicity has caused and continues to cause River City to lose contracts, suffer canceled leases, and lay off employees. River City’s business partnerships have been destroyed. In short, Defendants have caused and continue to cause irreparable harm to River City."

    In the meantime my Junk E-mail folder has dropped from 100-150 spams/day to just 3-5 spams/day. No, River City isn't a spammer at all, are they?

  16. Common Sense by tailgunner_050 · · Score: 1

Judges love criticising people for their lack of common sense; now let's see how their common sense works out.

  17. Don't make me laugh by Anonymous Coward · · Score: 0

Calling Chris Vickery a security researcher is like calling someone who can put batteries in a TV remote an electrical engineer. MacKeeper is about the only group that would hire him. He does nothing more than scan for open ports and connect to unprotected services. He's basically just an overhyped script kiddie. If he had any real skill he would be working for someone other than MacKeeper.