OT: Helper or Hacker?

RaySun2Be

Lifer
Oct 10, 1999
16,565
6
71
Article here: Alleged hacking of county's system

Now obviously we don't know the entire story, but on the surface, I'm puzzled.

1. How is someone coming to you and demonstrating that you have severe security issues committing fraud?
2. If he had asked for a fee, depending on the circumstances, it might be considered extortion, but not fraud.
3. If he hadn't discovered the security issue, and they did, wouldn't they spend the same amount (or more) to fix the problem? How does his discovery of the security hole cost them money that they wouldn't have to spend anyway?
4. It's stated that a security breach was noticed on the 8th of March. And yet THEY DID NOTHING ABOUT IT. So he was able to demonstrate the security breach to them on the 18th. Who's really at fault here?

I swear, the people who feel they are out there trying to HELP companies and organizations uncover security issues, who don't do any damage and just find the holes and try to help the companies out, should just stop and let the real hackers have at them. Then the companies/organizations will understand what real hacking is all about, and the true COSTS of hacker attacks.

I remember one guy getting charged who found a security issue with a website he was helping develop for a company, and they turned around and charged HIM with hacking.

And to top it all off, now the Recording Industry may have "safe harbor" to hack, intrude, spy, and do anything they want without fear of prosecution, in order to ferret out what they believe to be copyright violators.

Something is really out of sorts. Maybe I'm just ticked off again about what Georgia tried to do to Dave McOwen, (and did to some extent due to the blackmail of "We are a government with lots of money, and we can drag this out for years. We can ruin you financially, so accept our plea bargain, so our huge egos and small brains can feel ok") :|
 

CADsortaGUY

Lifer
Oct 19, 2001
25,162
1
76
www.ShawCAD.com
<snip>
And to top it all off, now the Recording Industry may have "safe harbor" to hack, intrude, spy, and do anything they want without fear of prosecution, in order to ferret out what they believe to be copyright violators.
<snip>

Yes - THAT concerns me...not that I have anything to worry about because I don't use those "sharing" progs, but it still gives them a free pass to hack people's computers :Q WHICH IS AGAINST THE LAW ITSELF! The end does NOT justify the means....

I'll stop now before I get too mad:|

CADkindaGUY
 

IJump

Diamond Member
Feb 12, 2001
4,640
11
76
I believe the government is paranoid about all of this stuff. They take things and blow them way out of proportion.

If this guy had kept this information to himself, he could have been much more dangerous. The government would have also been vulnerable.

It seemed like he was scanning for open networks, not intruding on them. Is that illegal? That is basically the same, in my opinion, as using a scanner and listening to police radio transmissions, etc. If the city was dumb enough to set up a wireless network without doing the research to make sure it is secure, they should be thankful that a guy like this found it before someone who really had malicious intent.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
*I haven't read the article yet because I'm about to leave, just wanted to post a few points.

How do they know what this guy is telling them is true? Maybe he did change things. Maybe he left himself a backdoor. Maybe he took confidential information. There are very few ways to find out, even fewer after he has been inside the system. They should rebuild the servers he may have accessed. Every one of them. From the ground up. That will cost money and time.
 

networkman

Lifer
Apr 23, 2000
10,436
1
0
Having read the article, the only thing I can attribute to this guy's bad luck is his choice of witnesses:

On March 18, Puffer showed a county official and a Chronicle reporter how he was able to use his laptop computer and a $60 to $75 wireless card to tap into the clerk's system.

First, if you're going to demonstrate a weakness, showing it off in front of the press is not the brightest idea. Obviously, somebody or multiple somebodies went to great lengths to implement a wireless solution. The fact that they didn't put enough effort into securing that network is bad enough.. to have it concurrently displayed in the media really makes the county look bad.


Second, you don't do something like this on a whim. Scheduling an appointment with a manager of the County's IT department would be a wise course of action.

Third, you want to operate in an official capacity and demonstrate the vulnerabilities you've discovered in a constructive manner. Showing a couple people how you hacked their system is one thing - explaining that the County is publicly broadcasting its information to the world on an un-secured network is another thing entirely. Just because someone happens to be in charge of the IT department, it does not necessarily follow(unfortunately) that they completely understand what the department is implementing.

Being somebody who likes to do the right thing and help others out, believe me, sometimes it's better just to let people make mistakes and let the cr@p happen. Our department is involved in a similar thing at work right now - we're letting a couple managers prove their own incompetence - hopefully, they'll be shown the door right after. ;)

This case, I think, is an example of someone in government being caught with egg on their face, and this is an attempt to re-direct blame.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
I have to agree, better to leave well enough alone. There was a time when people would open a car's door to turn the headlights off for whomever left them on. Nowadays, that's likely to set off a car alarm and get you in trouble. Well, I guess the cars with alarms probably shut their own lights off these days, but you get the idea. Cover your back, let them cover theirs.

Hey, everyone lookit networkman's goodies for sale *points at signature link* Oooo! :D
 

Jeff7

Lifer
Jan 4, 2001
41,599
19
81
Originally posted by: mechBgon
There was a time when people would open a car's door to turn the headlights off for whomever left them on. Nowadays, that's likely to set off a car alarm and get you in trouble. Well, I guess the cars with alarms probably shut their own lights off these days, but you get the idea. Cover your back, let them cover theirs.


Yeah - people try to help, and get in legal trouble for it. Someone I saw on TV, what to do in the event of a burning car with someone in it. If I remember right, the options were to
1) Move the person immediately
2) Check for possibility of explosion
3) Wait for help

Well, they said to do 2 first. The show said that if you move the person, and accidentally injure them, they can actually sue you then. Sure you might have saved them from a burning car, but hey, maybe they can get rich then too. :|
 

Lezboy

Banned
Jul 28, 2002
40
0
0
Ummm....I watched the same show. The survival quiz. You're twisting it to mean whatever you want it to mean and that's sad. What they said was to check for possible explosion. They said if there is no explosion to leave him alone as you could paralyze him by moving him. They then said that if there is risk of explosion you should move him. They said that you might get sued but that good samaritan laws would protect you.
 

IJump

Diamond Member
Feb 12, 2001
4,640
11
76
Originally posted by: Lezboy
Ummm....I watched the same show. The survival quiz. You're twisting it to mean whatever you want it to mean and that's sad. What they said was to check for possible explosion. They said if there is no explosion to leave him alone as you could paralyze him by moving him. They then said that if there is risk of explosion you should move him. They said that you might get sued but that good samaritan laws would protect you.


You have to be careful....good samaritan laws only apply to trained medical personnel in some states/areas.

From MO: "This legislation applies to physicians, surgeons, registered professional nurses, licensed practical nurses, and licensed mobile emergency medical technicians in situations when aid is given in an emergency or accident and occur outside of a health care setting."

From TX: an individual who is licensed to practice medicine under the Medical Practice Act...a retired physician who is eligible to provide health care services...a physician assistant licensed under the Physician Assistant Licensing Act ...and it goes on to list other certified personnel.



But I think we are getting away from the original topic of this thread...The guy was right for telling someone about it, wrong in who he chose to tell and how he told them.....
 

RaySun2Be

Lifer
Oct 10, 1999
16,565
6
71
But I think we are getting away from the original topic of this thread...The guy was right for telling someone about it, wrong in who he chose to tell and how he told them.....

I agree.

But even at that, does he deserve to be charged with 2 counts of Fraud, and face five years in prison and a $250,000 fine on each count, just for showing the county they have a security problem? Even if it wasn't the most appropriate method?

For identifying their major security flaw, he could have saved them thousands of dollars and more from damaging hacker attacks.

And this is how they thank him. :|
 

CADsortaGUY

Lifer
Oct 19, 2001
25,162
1
76
www.ShawCAD.com
I want to know if the System Admin (or whoever is in charge of that part of their network) lost his/her job or not.

I know a system admin for a county courthouse and she said that security is their #1 priority - and that is in the sticks of Wisconsin:p She also said that she'll have to go wireless for some new projects they are doing but that they have to have a "burn-in/test" phase of 3-4 months before attaching it to their real servers, so they can test for weaknesses and problems.

Should the guy have kept his mouth shut? No.
Should he have called the press? Maybe not.
Should he have called an attorney before telling them? YES:p;)
Should the County be kissing his @ss instead of prosecuting his @ss? YES!(provided he really didn't "look" at files;))

enough for now:p:D

CADkindaGUY
 

MoFunk

Diamond Member
Dec 6, 2000
4,058
0
0
So when I walk down the street and see someone get slammed by a car, I walk away....why....don't want to get sued!
If I happen to uncover a hole in someone's network, I don't tell them...why...don't want to go to jail!

This is what things have boiled down to! This sucks!

Assuming that this guy didn't do any "naughty" things while in, he should have been thanked, but instead could go to jail. These companies are just going to get themselves in a bind someday if they keep doing crap like this. People won't want to help out, and they are going to leave themselves WIDE open for bad things to happen!

My Father in Law once gave a woman the heimlick (spelling?) because she had a HUGE chunk of steak lodged in her throat and turned blue, she tried to sue him for the pain and suffering she endured because he bruised a couple of ribs. So from now on he will probably just let someone choke!

And regarding the recording industry, I have grown so angry with them that I vow I will NEVER purchase a cd again in my entire life. (if you want to support your favorite artist, go see them live. That is where they make their money, not by album sales.) If I want an album from an artist I WILL "STEAL" IT from somewhere! Being that I was once in the recording industry and know that MOST of what they are spouting off is total BS, I can't tolerate them any longer! Just watch, if they start hacking into users' computers, they are going to stir up a hornet's nest.
 

LANMAN

Platinum Member
Oct 10, 1999
2,897
128
106
Originally posted by: MoFunk
Just watch, if they start hacking into users' computers, they are going to stir up a hornet's nest.

I would have raised their suspicion at one time or another for Hollywood to have a reason to attempt (I did say attempt :) ) to hack me. If I ever see the "Music Industry" attempt to hack my systems, they better have all their ducks in a row, because I'll go after them with no remorse. :| (Now back to our program)

*******************************

This reminds me of a hunter in Montana who was dang near killed by a bear. After taking hits from this pissed off bear, which almost killed him, he finally managed to draw his weapon and kill it. He was then fined $10,000 for poaching and hunting bear without a license. If it's me or the bear, sorry but the bear is going down. I'd rather be tried by 12 than carried by 6. So now you have just three rights: 1) Shoot 2) Shovel and 3) Shut up.

See the relationship?

It looks like to me the county he was trying to notify doesn't want to take the embarrassment of everyone finding out they had a "security hole" in their network. They need to grow up!! Face the facts that your network admins didn't do their job and apologize to the taxpayers who trusted you. Thanks for the link Ray, because this just adds to the already huge pile of stories on how our federal and state governments try to convict innocent citizens.

And they want to take away our rights to bear arms? (Oooo.. that's another story in itself. Sorry, I don't call 911 at my house.. you're on your own.) :D

--LANMAN
 

networkman

Lifer
Apr 23, 2000
10,436
1
0
Speaking of 911.. I was on the expressway the other day and witnessed an accident(overturned trailer) that ended up blocking both lanes. No one seemed to be injured, but since I was right at the front(actually watched it happen), I figured I'd better call 911.

I was put on HOLD for over EIGHT MINUTES!!! I never did manage to get through and report the accident - fortunately, a patrolling state police car arrived and things proceeded from there.

I remember muttering into the phone(in case they monitor for quality control) that I was glad I wasn't calling to report a heart attack or a fire, 'cuz the people would've been dead already. :disgust:
 

LANMAN

Platinum Member
Oct 10, 1999
2,897
128
106
Originally posted by: networkman
Speaking of 911.. I was on the expressway the other day and witnessed an accident(overturned trailer) that ended up blocking both lanes. No one seemed to be injured, but since I was right at the front(actually watched it happen), I figured I'd better call 911.

I was put on HOLD for over EIGHT MINUTES!!! I never did manage to get through and report the accident - fortunately, a patrolling state police car arrived and things proceeded from there.

I remember muttering into the phone(in case they monitor for quality control) that I was glad I wasn't calling to report a heart attack or a fire, 'cuz the people would've been dead already. :disgust:


"Your call is very important to us, but unfortunately we are experiencing a higher call volume at this time. You can press 1 to leave a message or continue to hold. "

OR

" You are currently number 15 of 40 in the 911 calling queue.... approximate hold time of 6 minutes."

DOH???;)

--LANMAN
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: RaySun2Be
But I think we are getting away from the original topic of this thread...The guy was right for telling someone about it, wrong in who he chose to tell and how he told them.....

I agree.

But even at that, does he deserve to be charged with 2 counts of Fraud, and face five years in prison and a $250,000 fine on each count, just for showing the county they have a security problem? Even if it wasn't the most appropriate method?

For identifying their major security flaw, he could have saved them thousands of dollars and more from damaging hacker attacks.

And this is how they thank him. :|

Like I said before, how do they know they can trust him? I read the article and I would not trust him. I personally wouldn't accuse him of anything directly, but I would be checking my systems a couple of times.

Like someone else said, he is a scapegoat. He is also probably being used as an example. It's sad, but that's how things work. Don't help if you don't absolutely have to. I won't be following those words, but for someone who wants to stay out of trouble no matter what should definitely follow them.
 

LANMAN

Platinum Member
Oct 10, 1999
2,897
128
106
Originally posted by: n0cmonkey


Like I said before, how do they know they can trust him? I read the article and I would not trust him. I personally wouldn't accuse him of anything directly, but I would be checking my systems a couple of times.

Like someone else said, he is a scapegoat. He is also probably being used as an example. It's sad, but that's how things work. Don't help if you don't absolutely have to. I won't be following those words, but for someone who wants to stay out of trouble no matter what should definitely follow them.

Even given this statement? "Puffer, a computer security analyst who worked briefly for the county's technology department in 1999..."

Maybe after he realized what the county was doing he wanted to ensure the vulnerability existed, but not until he found it himself. Heck, if I had someone WHO I HIRED IN THE PAST, find a vulnerability on my network, I don't think I would pay him back by sending him to jail. He would be hired to ensure it doesn't happen again.

Now granted it would have been nice to have been given a courtesy call before he did it, but in either case I think the county is going a little too overboard.


--LANMAN
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: LANMAN
Originally posted by: n0cmonkey


Like I said before, how do they know they can trust him? I read the article and I would not trust him. I personally wouldn't accuse him of anything directly, but I would be checking my systems a couple of times.

Like someone else said, he is a scapegoat. He is also probably being used as an example. It's sad, but that's how things work. Don't help if you don't absolutely have to. I won't be following those words, but for someone who wants to stay out of trouble no matter what should definitely follow them.

Even given this statement? "Puffer, a computer security analyst who worked briefly for the county's technology department in 1999..."

Maybe after he realized what the county was doing he wanted to ensure the vulnerability existed, but not until he found it himself. Heck, if I had someone WHO I HIRED IN THE PAST, find a vulnerability on my network, I don't think I would pay him back by sending him to jail. He would be hired to ensure it doesn't happen again.

Now granted it would have been nice to have been given a courtesy call before he did it, but in either case I think the county is going a little too overboard.


--LANMAN

I did say I agree that they are going overboard. Did he leave the job on good terms? If not, I would be much more suspicious of him. He went about revealing this in the wrong way. He is causing a bunch of work that they would not normally be doing (although it sounds like it's waaay past time for an audit). I do hope, however, that the judge knows what he is doing and gives this guy a "slap on the wrist" *if* the information we have is all there is.
 

LANMAN

Platinum Member
Oct 10, 1999
2,897
128
106
<<<<...He is causing a bunch of work that they would not normally be doing ....>


Looks like they should have (done an audit) before connecting to a live system to begin with. The next guy might not have been so nice, possibly resulting in even more than $5,000 of damage. (Humm.. $5,000 worth of damage.. isn't that the minimum to get the FBI involved? I think so... Maybe it was more like $4,900.00.. Politics will do anything to over inflate the truth!!) :|

I do agree with you though. I (for all of you out there, I did say " I " ) would have definitely got permission first before doing this audit, just to be on the safe side. Looks like several government offices already have itchy trigger fingers looking for a fall guy.

There is one item the county should be ashamed for! Anyone want to guess? What do you do when you set up a new network, or try technology you don't normally run? ("The old courthouse can no longer sustain more computer lines..") WIRELESS is just Greek for HACK ME!!


(((( YOU CONDUCT A SECURITY AUDIT !!! ))))

And even still I can't overemphasize, it doesn't sound like they hired very knowledgeable network administrators. Security isn't a thing you just test once in a while (nor is it just a knowledge you learn over night via "Hackers for dummies"); you test and test and test using the newest vulnerabilities possible, read and read some more on yes, security stuff. Patch, and test again. And now they (county) want to prove how much they lack by ATTEMPTING to convict someone that they hired (in the past) who came clean and he told them the problem.
I agree I would still, for my own personal state of mind, check my own systems to ensure he didn't put the vulnerability there himself, but the county is just creating another embarrassing situation that reflects the same guidelines as what we saw in Georgia. "Security through Obscurity".

And again I can't help but to think that county is just overreacting! " Oh god, he hacked our systems. What if someone finds out? We better take him to court and show our citizens we don't put up with this, instead of telling the public we didn't do our *flippin'* job!"

--LANMAN
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: LANMAN
<<<<...He is causing a bunch of work that they would not normally be doing ....>


Looks like they should have (done an audit) before connecting to a live system to begin with. The next guy might not have been so nice, possibly resulting in even more than $5,000 of damage. (Humm.. $5,000 worth of damage.. isn't that the minimum to get the FBI involved? I think so... Maybe it was more like $4,900.00.. Politics will do anything to over inflate the truth!!) :|

It is $5000.

I do agree with you though. I (for all of you out there, I did say " I " ) would have definitely got permission first before doing this audit, just to be on the safe side. Looks like several government offices already have itchy trigger fingers looking for a fall guy.

I would never do one myself. I give out the office phone # if asked about this. ;)

There is one item the county should be ashamed for! Anyone want to guess? What do you do when you set up a new network, or try technology you don't normally run? ("The old courthouse can no longer sustain more computer lines..") WIRELESS is just Greek for HACK ME!!


(((( YOU CONDUCT A SECURITY AUDIT !!! ))))

And even still I can't overemphasize, it doesn't sound like they hired very knowledgeable network administrators. Security isn't a thing you just test once in a while (nor is it just a knowledge you learn over night via "Hackers for dummies"); you test and test and test using the newest vulnerabilities possible, read and read some more on yes, security stuff. Patch, and test again. And now they (county) want to prove how much they lack by ATTEMPTING to convict someone that they hired (in the past) who came clean and he told them the problem.
I agree I would still, for my own personal state of mind, check my own systems to ensure he didn't put the vulnerability there himself, but the county is just creating another embarrassing situation that reflects the same guidelines as what we saw in Georgia. "Security through Obscurity".

And again I can't help but to think that county is just overreacting! " Oh god, he hacked our systems. What if someone finds out? We better take him to court and show our citizens we don't put up with this, instead of telling the public we didn't do our *flippin'* job!"

--LANMAN

I can agree with all that. Just wanted to add, you not only read security things, but pretty much *EVERYTHING*. Many security problems are actually misconfigurations which can be solved if you read the general documentation.

I just wanted to say to everyone that you shouldn't get angry at my comments, or think I'm an a-hole for them. My original comments were more of a "devil's advocate" sort of thing. I definitely agree these guys are going way overboard, but I also think there is some reason for them being angry at the guy. They need to stop worrying about him, and start worrying about the ones that won't admit to what they have done...
 

LANMAN

Platinum Member
Oct 10, 1999
2,897
128
106
n0cmonkey,

Not angry, just discussion. ;) (Or discussing.. [starts singing the M&M song...] - God? I'm over 30 and I listen to that stuff! LOL!! )

That's what makes us different. After your replies, I think we're on the same wave length. However, did I come across too strong? If I did, please accept my apologies in advance. (The boss gets me that way.. " You got to get mean!!" She tells me all the time. :) )

For everyone else out there, if I seem to have fallen off my rocker, please say so. :) I'm not that hard to get along with.

On a good note, let's get that BEOWULF put together!!! :)

--LANMAN
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: LANMAN
n0cmonkey,

Not angry, just discussion. ;)

That wasn't actually directed at you, more at people who would just skim things and think "what an ass." If I'm going to be called an ass, I want to be called it for something I really deserve ;)

(Or discussing.. [starts singing the M&M song...] - God? I'm over 30 and I listen to that stuff! LOL!! )

That's what makes us different. After your replies, I think we're on the same wave length. However, did I come across too strong? If I did, please accept my apologies in advance. (The boss gets me that way.. " You got to get mean!!" She tells me all the time. :) )

Definitely not! After my day to day I'm surprised my posts have been civil today (frustrating day, but somehow it didn't really affect me as much as it usually does...).

For everyone else out there, if I seem to have fallen off my rocker, please say so. :) I'm not that hard to get along with.

On a good note, let's get that BEOWULF put together!!! :)

--LANMAN

E. WU :p
 

IJump

Diamond Member
Feb 12, 2001
4,640
11
76
to n0cmonkey: what an ass... ;)


to LANMAN: You have fallen off of your rocker... ;)




You guys do make for interesting reading.... :)
 

RaySun2Be

Lifer
Oct 10, 1999
16,565
6
71
It is $5000.

Are you sure? Were you there? There is documented proof that companies and government organizations can inflate "costs" to further their own political, legal, or monetary agendas.
A man faced years in prison for obtaining and publishing an internal BellSouth document initially valued at almost $80,000. The case was dropped after evidence was introduced that it was publicly available for $13.
One of the first cases the EFF was involved with.

I will say that at least it seems like a reasonable amount instead of the 59c a sec and $450,000 Georgia claimed McOwen cost them. :|

However I feel that they would have to spend at least $5,000 whether or not he showed them the security risk. If they had discovered it on their own, they would still have needed to spend the money to check their systems, and fix the security hole.

I'm still trying to figure out the "Fraud" part of this deal though.

Main Entry: fraud
Pronunciation: 'frod
Function: noun
Etymology: Middle English fraude, from Middle French, from Latin fraud-, fraus
Date: 14th century
1 a : DECEIT, TRICKERY; specifically : intentional perversion of truth in order to induce another to part with something of value or to surrender a legal right b : an act of deceiving or misrepresenting : TRICK
2 a : a person who is not what he or she pretends to be : IMPOSTOR; also : one who defrauds : CHEAT b : one that is not what it seems or is represented to be

Now unless he passed himself off as a security consultant working for a non-existent firm, and was requesting a consulting fee, I don't see how they can make that one stick. Hmmm, I need more actual facts on this case. Not that I don't trust the written word... ;);)