Slashdot Mirror


Security Researcher and Alleged Spam Operator To Square Off In Court In Ugly Lawsuit (bleepingcomputer.com)

An anonymous reader writes: River City Media, the company accused of running a huge spam operation, has filed a lawsuit against the security researcher and the journalist who exposed their activities. In a ludicrous lawsuit complaint, the company claims the security researcher didn't just stumble upon its unprotected Rsync server, but "perpetrated a coordinated, months-long cyberattack," during which he skirted firewall rules to access its server, used a VPN to disguise his identity, deleted critical files, and published his findings to make a name for himself as an elite security researcher. The company claims the researcher accessed Dropbox and HipChat logs, and even its PayPal account, from where he used funds to purchase various domains. The only evidence the company has is that the person who purchased the domains used a ProtonMail email, just like the researcher, who also uses a ProtonMail email. Mind you, this is the same security researcher, Chris Vickery, who discovered a Reuters database of supposed terrorism suspects, national voter databases for various U.S. states and Mexico, and various other companies.


  1. Streisand effect by TimSSG · · Score: 2
    1. Re:Streisand effect by Frosty+Piss · · Score: 1

      How so?

      --
      If you want news from today, you have to come back tomorrow.
  2. I can see it now by Brockmire · · Score: 2

    Defender's lawyers send over 1 billion boxes of documents after prosecution requested related materials.

    1. Re: I can see it now by saloomy · · Score: 5, Interesting

      This happened to a client; they received a truckload of documents. We paid an outsourcing company a couple grand to scan them into an OCR program and used text search to find the proverbial nails for their coffin. With the newest bad-ass document solutions from big printer manufacturers, this isn't really that much of an issue anymore. Just drop a thousand sheets into the loader and press the button. A few days with a few temps, and you have your digital versions.

    2. Re: I can see it now by Registered+Coward+v2 · · Score: 1

      This happened to a client; they received a truckload of documents. We paid an outsourcing company a couple grand to scan them into an OCR program and used text search to find the proverbial nails for their coffin. With the newest bad-ass document solutions from big printer manufacturers, this isn't really that much of an issue anymore. Just drop a thousand sheets into the loader and press the button. A few days with a few temps, and you have your digital versions.

      I never understood why companies save everything; especially emails, working papers, etc. I worked for a company that had a strong document retention policy. We destroyed everything but our final inspection report once the final report was approved. Notes, electronic media, drafts, etc. were collected and shredded and HD were securely erased as well. Email was not used to discuss our inspections. This way, the only material available was our final report so nothing could be taken out of context in a suit against a client. The only exception was if a client notified us before a final report that a suit was probable. At that point all the material was turned over to our attorneys who fought against disclosure.

      --
      I'm a consultant - I convert gibberish into cash-flow.
    3. Re: I can see it now by gmack · · Score: 1

      Without those emails who gets blamed? Recently, I had someone tell me they didn't ask for what I did. What saved me? A months-old email from them telling me to do exactly what I did. In another case, a judge sent a demand for a bunch of 3-year-old emails (old sysadmin, old mail server), and we could not provide them; the lawsuit with the customer did not go well after that.

      And then there are government retention laws. For example, we are required to keep call records for some countries for 10 years and we have had demands for 7-year-old information in the past.

      Not to mention it's sometimes just nice to go back and see how you did something a couple of years ago when a similar project happens again

    4. Re: I can see it now by Anonymous Coward · · Score: 1

      The company I used to work for was so "afraid" of IT that EVERYTHING was copied and printed out. Even the receptionist had to write down thousands of callers' telephone numbers every day. They spent $100,000 on building a new archive building to put all these paper records in, and 2 years later they had to build an even bigger one, and so on and so on.
      The biggest joke was that no one ever went to the archive to retrieve anything.

      Then 1 year ago the archive burnt down, but the CEO then set about rebuilding until the other shareholders put a stop to it all. Over $800,000 had been spent in total on purchasing all this paper, storage boxes and archive buildings, and no one ever used the archive in over 17 years.

    5. Re: I can see it now by Woldscum · · Score: 1

      That is why you have a document retention policy. Because if you do not, you have no reason NOT to produce old documents. If you have missing "old" documents needed in a court case, it looks like you destroyed evidence. But if all the records are gone, so are your liabilities.

    6. Re: I can see it now by Registered+Coward+v2 · · Score: 1

      Without those emails who gets blamed? Recently, I had someone tell me they didn't ask for what I did. What saved me? A months-old email from them telling me to do exactly what I did. In another case, a judge sent a demand for a bunch of 3-year-old emails (old sysadmin, old mail server), and we could not provide them; the lawsuit with the customer did not go well after that.

      And then there are government retention laws. For example, we are required to keep call records for some countries for 10 years and we have had demands for 7-year-old information in the past.

      Not to mention it's sometimes just nice to go back and see how you did something a couple of years ago when a similar project happens again

      While you raise valid points, the documents I was referring to involved specific inspections for clients. The final report contained all the information needed and thus we destroyed all the working papers, inspectors notes etc. so that they couldn't be used in court and misinterpreted or otherwise used to paint a false picture of what we saw. For example, I might write in my notes while observing operations "The operator did not (do some critical step) ..." only to discover in the reconstruction later that it was in fact done so it was not an issue, but a lawyer could pull my note out of context to make it seem the operators were not properly trained.

      As for retention, while it may differ in our case our lawyers said as long as we had a written policy and enforced it we were OK. It's when it is done on an ad-hoc basis that problems arise.

      We kept all the routine stuff it was just the inspection stuff that was carefully handled to ensure we followed our policy. That way we could reconstruct internal work and at the same time protected our clients.

      --
      I'm a consultant - I convert gibberish into cash-flow.
  3. Firewall rules... by freeze128 · · Score: 2

    Well, some firewall rules cannot be skirted. For instance, DENY ALL TRAFFIC TO PORT 22.

    1. Re:Firewall rules... by Opportunist · · Score: 2

      Confidentiality can be perfected by eliminating availability. That's by no means any news.

      And guess what, if you unplug the computer from power and hide the power cord, it cannot even be abused locally!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. Goose and Gander by Archfeld · · Score: 2

    We'd be up in arms if it was the FBI breaking into the systems to gather evidence of illegal activity without a writ or warrant. Without the backing of the law the 'hacker' is and should be guilty of digital crimes, but that doesn't abrogate the guilt of the spammer, who should be relegated to a special hell for spammers and phishers. Private entities can get away with things law enforcement can't.

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
    1. Re:Goose and Gander by Opportunist · · Score: 4, Insightful

      Vigilantism arises whenever law enforcement drops the ball. People are generally lazy and wouldn't go out of their way to do that "job" if it was already done.

      Of course police doesn't really approve of it. Do you like to be shown that you suck at your job?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Goose and Gander by Anonymous Coward · · Score: 1

      Those that have a monopoly on force, special protections, and special privileges within society should be held to a higher standard.

    3. Re:Goose and Gander by FudRucker · · Score: 1

      the FBI would have just sent a goon squad over with guns to their offices and confiscated servers along with any other hardware and took them to a lab to analyse

      --
      Politics is Treachery, Religion is Brainwashing
    4. Re:Goose and Gander by Muros · · Score: 1

      We'd be up in arms if it was the FBI breaking into the systems to gather evidence of illegal activity without a writ or warrant. Without the backing of the law the 'hacker' is and should be guilty of digital crimes

      I'm not sure that accessing a server exposed to the internet with no password on it really counts as "breaking in".

    5. Re:Goose and Gander by Opportunist · · Score: 1

      Yeah, that's TOTALLY the same thing.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:Goose and Gander by avgjoe62 · · Score: 1

      One man's vigilante is another man's outlaw. The problem with a vigilante is that they start out on the same side of the law as those they want to punish.

      The definition of vigilante would seem to depend more on your perspective than any established facts, and that to me is the whole problem with being a vigilante. Remember the guy that showed up at Planet Pizza, independently investigating Pizzagate?

      --

      How come Slashdot never gets Slashdotted?

    7. Re:Goose and Gander by MoaDweeb · · Score: 1

      Hey the fat German is still here in NZ.
      When are you coming to get him?

      --
      New Zealanders are well balanced with a chip on each shoulder. One represents Australia, the other the rest of the world
    8. Re:Goose and Gander by Archfeld · · Score: 1

      Umm so it is ok for a private individual to come into your house to check and make sure you are not stealing things or using pirated services without any documentation or supporting evidence ? You are a hypocrite at best and a danger to the rest of society otherwise...

      --
      errr....umm...*whooosh* *whoosh* Is this thing on ?
    9. Re:Goose and Gander by Opportunist · · Score: 1

      But I hope we can agree that bricking a device is a wee bit different from killing a person, yes?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    10. Re:Goose and Gander by avgjoe62 · · Score: 1

      Absolutely. And in this case specifically I would think that a security researcher is the equivalent of a journalist - as long as he himself did not break the law he is free to publish whatever has been freely given to him. For example, see the Pentagon Papers. If someone gave this info to Chris Vickery and all he did was confirm the authenticity of it then he was merely performing due diligence.

      But think about bricking a device. If someone's IP phone accesses the internet via some cheap crappy router and they need to call 911, do we blame the person that bricked the device for the failed call? The main problem I have with vigilante security fixes is the cascade of consequences that follow from the good intentions. Most of those consequences won't affect the vendors that sold the crappy router in the first place, just the poor slobs that tried to save a few bucks on a router. In theory vigilante bricking sounds great but in reality it can be a much different story.

      --

      How come Slashdot never gets Slashdotted?

  5. If there is truly no evidence... by StevenMaurer · · Score: 4, Interesting

    Then Chris Vickery not only will be able to defend himself, but may be able to countersue under New Jersey's anti-SLAPP laws (SLAPP = Strategic Lawsuits Against Public Participation - exactly what this suit seems to be). The penalties can be quite substantial, $280K in a recent case. Not only that, but there is another New Jersey law that allows a judge to dismiss a case with prejudice within 45 days of the SLAPP filing. This is all cogent, because RCM is a New Jersey corporation.

    Furthermore, there is a shareholder group engaged in a proxy battle right now, saying that they see this as a desperate attempt to distract shareholders from corporate mismanagement. So this may not even get filed, depending on how the existing shareholders see this action.

    1. Re:If there is truly no evidence... by Picodon · · Score: 5, Informative

      This is all cogent, because RCM is a New Jersey corporation.

      You are probably thinking of another company, RCM Technologies, located in Pennsauken (New Jersey). There are other unrelated companies with similar names, including a River City Media located in Portland (Oregon).

      The spam operation operated by Matt Ferris and Alvin Slocombe seems to be run from Washington state, along with other companies that they have registered there under names like “Acetech USA”, “Cyber World Internet Services” and others, according to SpamHaus.

  6. Re:Vigilante Security is Harmful by Opportunist · · Score: 1

    Dear law enforcement,

    do your fucking job or at least don't stand in the way.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  7. Eye of the beholder by John.Banister · · Score: 1

    It looks like a beautiful lawsuit to me. It should be much more entertaining than most of 'em.

  8. Re:Vigilante Security is Harmful by cavreader · · Score: 1

    Every time they attempt to do their job they are pilloried as jack-booted Nazis infringing on people's god-given rights to engage in criminal activities.

  9. Re:Vigilante Security is Harmful by davecb · · Score: 1

    There is nothing in the articles suggesting that Mr. Vickery did anything except find the unsecured data and publish reports, so the accusation of vigilantism and/or improper behavior is strictly a claim by RCM, as yet unproven.

    --
    davecb@spamcop.net
  10. Cuts both ways. Documents reveal the truth. Misund by raymorris · · Score: 1

    Yep, that goes both ways. If you have the documents, you can see and prove what was said. When you're right, that's a win.

    The big bonus of having documents is that when you have them, most conflicts can be resolved at the "minor misunderstanding" stage, well before it becomes a law suit. Somebody says "I told you X". You reply "oh, I'm sorry, I thought you said 'not X' in your email on January 3rd. Did I misunderstand? Let's discuss changing that. I guess I misunderstood your email, copied below."

  11. Re:Vigilante Security is Harmful by Opportunist · · Score: 2

    Then they should probably stop beating up protesters and start protecting people instead of assets and investments.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  12. Re:Vigilante Security is Harmful by gweihir · · Score: 1

    I completely agree on this one. Hacking somebody without permission is hugely unprofessional. I attribute it to a superiority complex on the side of the "security researcher". It has gotten so bad that actual IT security consultants have to assure their customers that they will of course stay strictly within their mandate and that they will of course not give any information about their findings to anybody besides the customer (much as a medical professional would and with much the same reasoning). It is quite ridiculous. In the end a security expert is somebody that helps customers with problems; it is not their task to save the world.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  13. Re:Skirting Firewall Rules? by gweihir · · Score: 1

    Naaaa, in order to do this you just need to be big on the bullshit and small on the actual facts.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  14. Common Sense by tailgunner_050 · · Score: 1

    Judges love criticising people for their lack of common sense; now let's see how their common sense works out.