Follow Slashdot stories on Twitter

 


Forgot your password?
Close
typodupeerror
×
News

WarTalking Arrest 396

Posted by Hemos from the get-yer-cuffs-on dept.
PhotonSphere writes "Having helped organize HoustonWireless.org, this really caught my attention! A Houston computer security analyst has been charged with 'hacking' after demonstrating the insecurity of a court's wireless LAN! This happened Wednesday and is only now getting the attention of the wireless community. The Register has the full story."
This discussion has been archived. No new comments can be posted.

WarTalking Arrest More

WarTalking Arrest

Comments Filter:

  • Mmhmm. (Score:3, Insightful)

    by Renraku ( 518261 ) on Saturday July 27, 2002 @04:43PM (#3965175) Homepage
    We all know that its illegal to teach things to people that could possibly be used for malicious purposes. We also know that pointing out flaws or weaknesses in computer systems is an activity reserved for terrorists and other 'undesirables'.

    • Re:Mmhmm. (Score:2, Insightful)

      by gad_zuki! ( 70830 )
      Heaven forbid he goes through proper government channels or sues for various violations of privacy laws if they have open access to private data. What he did was stupid and no one should be that naive today, especially someone in IT.
    • He sounds like a "security professional" who "demonstrates a flaw in the system" to a potential client. This is not the smartest way to win clients. It is embarassing.

      Had he called their IT director, described the flaw to him in private, he chose to take it to the press first. He might actually have won business from the IT director had he been a little more professional about it.

      Unfortunately, he chose to try and shock not only them, but the public as well.

      He pulled an incredibly stupid stunt: did something illegal and told people about it. Don't you think he should've been arrested, too?

      - A.P.

  • Deserved it. (Score:3, Insightful)

    by Jonny 290 ( 260890 ) <{brojames} {at} {ductape.net}> on Saturday July 27, 2002 @04:44PM (#3965176) Homepage
    Unless he was hired for the job, he deserves it.

    Just because you *can* do something doesn't mean you *should*.

    Tired of having all these people act like "well, it's not secure, so I should poke around."

    • Re:Deserved it. (Score:2, Insightful)

      by rdean400 ( 322321 )
      Whether he deserved it or not depends totally on the context. If he brought it to their attention "as a concerned citizen", knowing that insecurities of wireless networks can be exploited intentionally or accidentally, then they should have heard him out and then fixed it. However, if he brought it to their attention in more of a "look what I can do" fashion, then he deserved what he got.
      • If he brought it to their attention as a concerned citizen, he wouldn't have brought the reporter. He wanted to get in the papers.

        • Re:Deserved it. (Score:3, Insightful)

          by GlassUser ( 190787 )
          If I were to do something like this, I would want a reporter there. If I didn't have one, I'm sure it would be easy for the government to sweep something under the table. Either the issue, just ignoring me, or me entirely. I'd want a third party with an inclination to make everything public.

          As I heard this morning, they arrested him because they found a single pr0n file on the server that they think was planted by him.

      • Re:Deserved it. (Score:3, Insightful)

        by nehril ( 115874 )
        from time to time my company offers security scanning and consulting services. before doing ANYTHING to a system we get extensive permission from top management (NOT just the IT monkey) and we notify their ISP.

        "free security scans" are NOT welcome by anyone. Management types (IT and non-IT) cannot distinguish them from "real" hack attempts. CYA extensively or don't rattle the locks. 'Nuff said.

    • Re:Deserved it. (Score:5, Funny)

      by Khazunga ( 176423 ) on Saturday July 27, 2002 @04:57PM (#3965239)
      It just depends on *how* insecure it really was. If it was really bad, driving around with a wireless-enabled laptop running XP could result in a five-year jail sentence. With XP's automatic wireless lan setup and all.

      His biggest error probably was talking about it. He should have sold the info to some mobster gang. They'd probably be much more gratefull.

    • Re:Deserved it. (Score:4, Insightful)

      by wandernotlost ( 444769 ) <{moc.cigamliart} {ta} {todhsals}> on Saturday July 27, 2002 @06:07PM (#3965478)

      > Unless he was hired for the job, he deserves it.

      That's absolutely absurd. The man simply brought to the attention of the clerk the fact that its network was insecure. That a person is prosecuted for trying to point out a potentially dangerous security flaw shows the extent to which this country has fallen into a legal and intellectual paralysis. He should be hailed as a good samaritan looking out for the safety of the county's information!

      From the original article:

      District Clerk Charles Bacarisse said no files were compromised, but the county had to shut down the wireless system about a month after it was set up.

      It appears that there was no malicious action or intent on the part of Mr. Puffer, but rather that the clerk's office is upset because someone discovered its incompetence. What would have happened if someone truly malicious had stumbled upon this network? To what ends could he or she have used the information found?

      If you broadcast your network all over your block unprotected, you shouldn't be surprised when someone discovers it and pokes around. Plain and simple. What about those that willingly open their networks to the public? Should we make free public access illegal, so that fools like this can remain under their rocks and pretend that no one can see their secrets?

    • Re:Deserved it. (Score:3, Insightful)

      by WEFUNK ( 471506 )
      Based on the account in the article your response is simply ridiculous. Although the story is brief and somewhat biased ("Ethical Hacker" etc.) NOWHERE does it indicate that he *poked* around or otherwise exploited the security gap.

      Even if he had, there are many who would argue that a little poking around is natural and innocent when someone discovers such a thing (and one might not even know that they have stumbled into a restricted space without a little exploring).

      You may disagree that intentional hacking can fall into such a grey area, sometimes described as analogous to checking the locks and then walking into an unlocked house. Fair enough. However, unless you have some additional facts to the contrary, the events in the article are more akin to walking by and noticing someone's door is wide open with the keys left in the lock. Any snooping might have been equivalent to peering inside as you walk by. You might even have ethical obligation to report it to a neighbour or the police and perhaps even take them the keys for safe keeping.

      Finally, does anyone have any idea how we can educate the public and the law that pointing out a flaw or security issue is NOT the same as causing damage? He is being charged with forcing their system down and costing $5000 to install a secure system. Why is this the standard in the computing, but not in the real world?

      • Re:Deserved it. (Score:5, Funny)

        by flonker ( 526111 ) on Saturday July 27, 2002 @06:30PM (#3965543)
        In related news, a local terrorist was arrested today, after he pointed out to the bank that their safe had a huge gaping hole leading to a back alley. He is charged with causing $50,000 worth of damage, the cost of repairing the hole.
      • Based on the account in the article your response is simply ridiculous. Although the story is brief and somewhat biased ("Ethical Hacker" etc.) NOWHERE does it indicate that he *poked* around or otherwise exploited the security gap.

        from the Houston Chronicle [chron.com] article...

        In a Chronicle article about the demonstration, Puffer said he noticed he could access the county network in early March, when he scanned for weaknesses throughout Houston.

        He said he could also access numerous home, government, university and business computer systems. ...
        County Attorney Mike Stafford said he will resume his investigation into whether the security breach was corrected as promptly as county officials learned of it and the origin of a pornographic picture found on the clerk's office server in March.

        Noting a network is open/accessable is one thing.. noting you can access a number of specific systems leans more toward the probing side of things. And, as for the last paragraph, I would suspect either he found that or the subsequent audit after the intrusion.

        Overall, the Houston article is rather vague as to his exact actions, so inference on his intent/whatnot is nigh impossible and therefore simple ASSumption.
  • Comment removed based on user account deletion
    • I took the $5000 figure to mean that the original wireless network equipment cost them $5000 and since they had to take it down because of the intrusion, it was $5000 down the drain. now that is a bullshit claim, but it wouldn't surprise me if that is exactly what that figure represents.

  • Ignorance is bliss. (Score:4, Insightful)

    by papasui ( 567265 ) on Saturday July 27, 2002 @04:48PM (#3965190) Homepage
    He went about this wrong, he should have mentioned that he believed it was insecure and then with explict permission demonstrated why he believes this is the case. If I walked up to a cop and said "This pop machine is insecure" and proceeded to kick it and then drink the soda that fell out do you think the cop would be happy I showed him that?

    • Re:Ignorance is bliss. (Score:4, Insightful)

      by gilroy ( 155262 ) on Saturday July 27, 2002 @05:00PM (#3965254) Homepage Journal
      Blockquoth the poster:
      If I walked up to a cop and said "This pop machine is insecure" and proceeded to kick it and then drink the soda that fell out do you think the cop would be happy I showed him that?
      If I go up to a soda-machine owner and say, "This machine gives out free Cokes", then press a button and watch a Coke drop, should I expect to go to jail?? Maybe I'm old fashioned, but I would expect the soda-machine owner to be grateful that someone pointed out the flaw, so that it could be fixed.

      But of course, in this case, it would require the government to admit that there had been a mistake, that confidential data conceivably might have gotten out without them knowing it, and that they weren't competent enough to detect the hole themselves. And that's why, instead, he's being charged.

      • Re: (Score:3, Insightful)

        by account_deleted ( 4530225 )
        Comment removed based on user account deletion
        • This is more like putting saltwater down the coin dispenser of the coke machine and telling the owner it was insecure and anyone dumping a bucket of the stuff could clean the thing out.

          How is this considered even a remotely cogent analogy?
          Salt water destroys (or used to) parts of said machines. Accessing a network destroys it how?

      • If I go up to a soda-machine owner and say, This machine gives out free Cokes, then press a button and watch a Coke drop, should I expect to go to jail?? Maybe I'm old fashioned, but I would expect the soda-machine owner to be grateful that someone pointed out the flaw, so that it could be fixed.

        At least, you ougha keep the Coke...

        But, nowadays, you'd be perhaps labelled as a terrorist.

    • Yep. One would think Randal Schwartz's similar experience at Intel would have left all of us a lot more cautious about how we report vs. demonstrate security weaknesses.
  • This is a very interesting case, a guy that was showing a newspaper, and someone working for the county how easy it would be for a hacker to break into the court's system. Then he gets arrested for the act. And this is because they had to take the thing down for a month because of there being a break. I would say with that kind of security, it should have never been brought up in the first place. Also I would say that it was better that they found out that the system could be broken before the network was actually used for a critical task, and could get hacked during a court proceeding, that could be a very embarrassing thing for a court to have to face. Being the ones that where hacked into while court was in session. Hopefully, at least they learned from what he did and at least secured the thing. Although since he is being possibly jailed for it, perhaps he should have told his superiors about how shoddy the security was before he did a demonstration.
    • Actually it took them a month to take the system down, and it will remain down until they can find a way to secure that network.

      -Rusty

  • Hmmm. (Score:3, Funny)

    by NoMoreNicksLeft ( 516230 ) <john.oylerNO@SPAMcomcast.net> on Saturday July 27, 2002 @04:51PM (#3965206) Journal
    Maybe they should upgrade the charges to treason and sedition. Hacking is terrorism, after all, and this was rather insulting to the court.

  • Once again....security through obscurity... (Score:3, Insightful)

    by GuNgA-DiN ( 17556 ) on Saturday July 27, 2002 @04:51PM (#3965211)
    If we all pretend the problem doesn't exist... maybe it will go away on its own? We'll just prosecute anyone who points out that we have a problem. Then, everything will be fine. I swear -- the intelligence in this country has gone right down the shitter in the last 25 years. We used to respect and honor knowledge. Now me simply make a mockery of it. I weep for my generation.

  • Another 'example' will be made... (Score:3, Interesting)

    by Cruciform ( 42896 ) on Saturday July 27, 2002 @04:52PM (#3965212) Homepage
    It's funny, already I'm seeing people saying this guy deserves what he gets... but if I was sitting on a bench in front of the courthouse with my laptop and found that I could access the network with little or no problem, I'd walk straight in there myself and let them know. I worked as a contractor at the Ministry of Health in Ontario for a bit, and you want to talk shoddy administration. It was hideous. And they have information like registries of people suffering from AIDS, or who is getting drug benefits and what claims they're making. Sure he might just be trying to drum up business, but if the end result is that it closes a serious security hole, more power to him.
    Or do you really want your next door neighbor's son finding out about that fraternity prank that had you arrested for stealing a minivan full of sheep in your boxers or some other weird crime?

  • My questions (Score:5, Insightful)

    by nuggz ( 69912 ) on Saturday July 27, 2002 @04:52PM (#3965214) Homepage
    He did access their network without permission.
    Did they create a public network? Public as in accessible to the public without any reasonable indication or security that it is indeed a private network.

    I think broadcasting a private network and letting people on it is akin to making a public network.

    It isn't this guys fault they had to shut down their network, it is the people who set up the insecure network in the first case.

    • Re:My questions (Score:2, Informative)

      by GryMor ( 88799 )
      Doesn't matter, he had permission:

      The decision was made Tuesday, after a computer security analyst demonstrated to Steve Jennings, head of the county's Central Technology Department, and the Houston Chronicle how the system could be compromised

      Jennings said he was concerned that the system could be accessed from the outside and that he wanted to learn more about the problem before alerting Bacarisse
  • On March 18, Puffer demonstrated to a county official and a Chronicle reporter how easy it was to gain access to the court's system using only a laptop computer and a wireless LAN card.

    This is his crime?

    I'm glad they've taken prompt measures to make sure nobody else every reports a security hole to them!

    • no, This is his crime:
      He's accused of accessing the system March 8 in an alleged intrusion that cost the county a reported $5,000 to clean up.
      • The article isn't entirely clear, but my take on the "Clean up" costs is that the county spend $5000 putting in a wireless system, and then had to take it down a month later because he showed them it was insecure (thereby making the $5000 a waste of money). Hardly seems like a crime to me.
    • Look, the days of the whiz-kid cracking into systems and then getting hired by the same company as a result is long over. There are professional security consultants that do this sort of thing and if the agency didn't hire them beforehand, well, then, they deserved to get fucked. But it was neither this man's job, his obligation, nor his civic duty to prove to them this fact.

      The fact that this guy called the media out to witness this will damn him in court. He's watched _Sneakers_ too many times. The age of the geeky computer hacker is long gone; if you know a lot about computers these days, you're either a communist, terrorist or both. Ask any ordinary USian. They're *TERRIFIED* of computers. They refuse to give credit cards to my company because "we might be hacked". They constantly think that somebody stole our /etc/passwd because they're getting spam and "they had to get those addresses somehow."

      Ignorance is the key matter at hand. The laws today are ignorant of the 'intent' of the accused, and for good reason. Every computer cracker ever caught has pulled the "i just wanted to show them how insecure their system was" line, and they're sick and tired of letting kids trash networks and getting probation for it.

  • No need for free security consultants (Score:4, Insightful)

    by gad_zuki! ( 70830 ) on Saturday July 27, 2002 @04:56PM (#3965233)
    Why should I even care? A part of me wants to get all loud and stupid about this but Puffer had no permission to start cracking keys and browsing the microsoft shares (or whatever he did). Let them get burned on their own or if they're government go through the usual channels. No need to be 'Captain Wireless.'

    Worst of all, for all we know he did not do this to demonstrate anything. The last time slashdot got up in arms about some supposed 'white hat' hacker it ended up being an excuse. In my experience it usually is an excuse. "Dude, I'm totally looking out for you when I hack your stuff!" No one should be that naive anymore.

    • Re:No need for free security consultants (Score:5, Interesting)

      by corby ( 56462 ) on Saturday July 27, 2002 @05:50PM (#3965425)
      Puffer had no permission to start cracking keys and browsing the microsoft shares (or whatever he did).

      This is true. So why doesn't Harris County prosecute the case on these grounds? They seem to feel that their case is not strong enough without conjuring ludicrous claims that Mr. Puffer caused $5,000 in damages.

      The claim of $5,000 arises entirely from the cost of taking down the network to secure it, not from any actual damage caused by Mr. Puffer. To say that Mr. Puffer caused $5,000 damages is to say that if it wasn't for him the Civil Courts Building could have left their 802.11 free and unsecured forever.

      Worst of all, for all we know he did not do this to demonstrate anything.

      You go, man! You're not afraid to tell it like it is! Now read the article. He accessed the network in a prearranged meeting with a newspaper reporter and a county official in the room. It's pretty safe to say he was taking part in a demonstration.

      It's obvious that an indictment was not sought because of actual damages caused by the defendant. This case went to a grand jury because officials didn't want a newspaper story about how the Civil Courts Building decided to open their computer network to the whole world.
      • >The claim of $5,000 arises entirely from the cost of >taking down the network to secure it, not from any >actual damage caused by Mr. Puffer.

        Legal cases in general inflate the damage and/or include all damages associated with the action. I'm sure this will be an issue in court.

        >You go, man! You're not afraid to tell it like it >is! Now read the article

        No, you read the article. He first broke in on March 8th then arranged his big expose on the 18th. Ten days of silence. I'm not suggesting he broke in purpose but it is a possibility. Did he really expect the government to say 'good job citizen' and pin a medal on him. Imagine the precedent that would set. Kiddies would be pouding networks right and left for the good of the nation and expecting to be written up in the paper as local heroes.

        It can't be stressed enough that he did this in the stupidest manner possible. He could have taken this to a City Council meeting, started a class-action suit against the county for violating privacy laws, etc. Instead he supposedly went for the glory that the supposed white hat hacker seeks. Naive and stupid. Hopefully, the court will see his supposed true intentions and not lock him up.

  • Serious Consequences fo InfoSec People (Score:5, Insightful)

    by Inexile2002 ( 540368 ) on Saturday July 27, 2002 @04:57PM (#3965240) Homepage Journal
    This is something that many people in the InfoSec industry are worried about and more so in the current political environment. EVERY seminar, conference or training event I've been too, there has been someone standing there for twenty minutes lecturing everyone on covering your ass.

    What bothers me is that the reason things like this happen is ignorance of non-techies and refusal to see things in a reasonable light. If you were in a bank with a locksmith, and he showed the bank manager that the locks they were using were insecure, the manager would thank the locksmith and change the locks. Show a business manager the exact same thing with their network and they might decide to have you arrested.

    Whenever I'm going to show a client ANYTHING I get full written approval ahead of time to discuss or test their security, and I get written approval to discuss my findings. There have been times when I've found vulnerabilities and not said a damn word because the client refused to sign off.

    It's sad, there are people out there - and I've worked for and with them often - who really believe in security through anonymity and believe they are acting in their best interests by alienating and prosecuting the people who can really protect their networks.

    What I will admit however is that part of the problem rests with people who try to look smart and show off the security vulnerabilities in a smart-assed kind of way. As annoying as it sometimes is, you need to manage people's expectations, fears and prejudices.
    • If you were in a bank with a locksmith, and he showed the bank manager that the locks they were using were insecure, the manager would thank the locksmith and change the locks.

      If you're Richard Feynmann and you go up to the general in charge of the Los Alamos nuclear bomb research stuff and tell him (and indeed show him) that the safes all the top secret research is in are insecure and can be picked if you can get at it with the door open (which was relatively easy to do), the general would (did) order that all safes be kept closed when Feynmann is in the room...

      Not everybody in power appreciates weaknesses being shown; nor do they always get the point you're trying to make when you demonstrate the weaknesses. This applies to any field.

  • Damning evidence? (Score:5, Insightful)

    by balthan ( 130165 ) on Saturday July 27, 2002 @05:02PM (#3965261)
    At first I thought they were being a bit harsh until I took a closer look at the dates. He's accused of breaking into the network on the 8th, but not reporting it until the 18th. Now maybe he was unable to get an appoitment to see anyone, or maybe he took 10 days to poke around in the network and see what was there. He should have reported the insecurity immediately. The fact that he didn't is suspicious.

    • Re:Damning evidence? (Score:4, Insightful)

      by geoswan ( 316494 ) on Saturday July 27, 2002 @08:20PM (#3965880) Journal
      At first I thought they were being a bit harsh until I took a closer look at the dates. He's accused of breaking into the network on the 8th, but not reporting it until the 18th.

      I read the July 24th Houston Chronicle article [chron.com] and the March 21st article [chron.com] too. The Cheif County Clerk seems to be saying that one (1) pornographic picture found on one (1) of his department's poorly secured computers was the sole damage found. He claims it cost $5,000 to fix the damage he accuses Puffer (the whistleblower) of causing.

      With a network as poorly secured as his practically anyone with a wifi card could have uploaded that picture.

      If any repercussions should come anyone's way over this incident I don't understand why the first candidate isn't Charles Bacarisse, the County's District Clerk. Bacarisse claims that none of the computers under his administration could have been seriously damaged by the penetration of war-drivers. Okay, but am I mis-reading the Chronicles quotes from him? Doesn't he seem to have been completely oblivious to the vulnerability his insecure testing was opening to the rest of the computers on the County's system?

      We have seen this before, with Randal Schwartz's ordeal at Intel. [matrix.net] This comp.security article contains a contemporary account [google.ca] of his "crimes".

      The lesson seems to be that no matter how well intentioned you are, the only safe way to report a security vulnerability is if you can find a way to do so anonymously.

  • Easy problem to solve!!! (Score:3, Funny)

    by NoFX ( 231408 ) on Saturday July 27, 2002 @05:06PM (#3965274)
    So, just break back in, and erase the record of the charge.. duh..
  • Some details would be nice. Did the LAN have no password, was the password easy to crack, or was there some other kind of security flaw? If he went all around the city, trying to brute force the password on every wireless LAN he could find, then I doubt he has a legal leg to stand on. If he simply powered on his laptop and noticed he had link, that's different.

    -a
  • Remember, never point out someone's security holes so they can fix things before real damage is done. If you do these things, you are nothing more than an evil terrorist! And according to Gestapo... err Attorney General John Ashcroft, you must be an Al Qaeda operative deserving of the death penalty!!

  • People are afraid of being proven wrong (Score:4, Insightful)

    by Ride-My-Rocket ( 96935 ) on Saturday July 27, 2002 @05:10PM (#3965294) Homepage
    What is it going to take for people to realize that they need to lock down their systems -- the digital equivalent of 9/11? Honestly, it seems the government can't accept any criticism of its systems, or act on the information at all........ and instead of fixing the problem, they decide to prosecute instead.

    Pretty deranged, IMHO.
  • FYI: Texas Computer Crime Law

    TEXAS PENAL CODE TITLE 7. OFFENSES AGAINST PROPERTY
    CHAPTER 33. COMPUTER CRIMES
    33.01. Definitions
    In this chapter:
    (1) "Access" means to approach, instruct, communicate with, store data in, retrieve or intercept data from, alter data or computer
    software in, or otherwise make use of any resource of a computer,computer system, or computer network.

    (2) "Communications common carrier" means a person who owns or operates a telephone system in this state that includes equipment or facilities for the conveyance, transmission, or reception of
    communications and who receives compensation from persons who use that system.

    (3) "Computer" means an electronic, magnetic, optical,
    electrochemical, or other high-speed data processing device that
    performs logical, arithmetic, or memory functions by the
    manipulations of electronic or magnetic impulses and includes all
    input, output, processing, storage, or communication facilities
    that are connected or related to the device.

    (4) "Computer network" means the interconnection of two or more
    computers or computer systems by satellite, microwave, line, or
    other communication medium with the capability to transmit
    information among the computers.

    (5) "Computer program" means an ordered set of data representing coded
    instructions or statements that when executed by a computer cause
    the computer to process data or perform specific functions.

    (6) "Computer security system" means the design, procedures, or other
    measures that the person responsible for the operation and use of
    a computer employs to restrict the use of the computer to
    particular persons or uses or that the owner or licensee of data
    stored or maintained by a computer in which the owner or licensee
    is entitled to store or maintain the data employs to restrict
    access to the data.

    (7) "Computer services" means the product of the use of a computer,
    the information stored in the computer, or the personnel
    supporting the computer, including computer time, data processing,
    and storage functions.

    (8) "Computer system" means any combination of a computer or computer
    network with the documentation, computer software, or physical
    facilities supporting the computer or computer network.

    (9) "Computer software" means a set of computer programs, procedures,
    and associated documentation related to the operation of a
    computer, computer system, or computer network.

    (10) "Computer virus" means an unwanted computer program or other set
    of instructions inserted into a computer's memory, operating
    system, or program that is specifically constructed with the
    ability to replicate itself or to affect the other programs or
    files in the computer by attaching a copy of the unwanted program
    or other set of instructions to one or more computer programs or
    files.

    (11) "Data" means a representation of information, knowledge, facts,
    concepts, or instructions that is being prepared or has been
    prepared in a formalized manner and is intended to be stored or
    processed, is being stored or processed, or has been stored or
    processed in a computer. Data may be embodied in any form,
    including but not limited to computer printouts, magnetic storage
    media, laser storage media, and punchcards, or may be stored
    internally in the memory of the computer.

    (12) "Effective consent" includes consent by a person legally
    authorized to act for the owner. Consent is not effective if:

    (A) induced by deception, as defined by Section 31.01, or induced
    by coercion;

    (B) given by a person the actor knows is not legally authorized to
    act for the owner;

    (C) given by a person who by reason of youth, mental disease or
    defect, or intoxication is known by the actor to be unable to
    make reasonable property dispositions;

    (D) given solely to detect the commission of an offense; or

    (E) used for a purpose other than that for which the consent was
    given.

    (13) "Electric utility" has the meaning assigned by Subsection (c),
    Section 3, Public Utility Regulatory Act (Article 1446c, Vernon's
    Texas Civil Statutes).

    (14) "Harm" includes partial or total alteration, damage, or erasure
    of stored data, interruption of computer services, introduction of
    a computer virus, or any other loss, disadvantage, or injury that
    might reasonably be suffered as a result of the actor's conduct.

    (15) "Owner" means a person who:

    (A) has title to the property, possession of the property, whether
    lawful or not, or a greater right to possession of the
    property than the actor;

    (B) has the right to restrict access to the property; or

    (C) is the licensee of data or computer software.

    (16) "Property" means:

    (A) tangible or intangible personal property including a computer,
    computer system, computer network, computer software, or data;
    or

    (B) the use of a computer, computer system, computer network,
    computer software, or data.

    33.02. Breach of Computer Security

    (a) A person commits an offense if the person knowingly accesses a
    computer, computer network, or computer system without the
    effective consent of the owner.

    (b) A person commits an offense if the person intentionally or
    knowingly gives a password, identifying code, personal
    identification number, debit card number, bank account number, or
    other confidential information about a computer security system to
    another person without the effective consent of the person
    employing the computer security system to restrict access to a
    computer, computer network, computer system, or data.

    (c) An offense under this section is a Class A misdemeanor unless the
    actor's intent is to obtain a benefit or defraud or harm another,
    in which event the offense is:

    (1) a state jail felony if the value of the benefit or the amount
    of the loss or harm is less than $20,000; or

    (2) a felony of the third degree if the value of the benefit or
    the amount of the loss or harm is $20,000 or more.

    (d) A person who is subject to prosecution under this section and any
    other section of this code may be prosecuted under either or both
    sections.

    33.03. Defenses

    It is an affirmative defense to prosecution under Section 33.02 that
    the actor was an officer, employee, or agent of a communications
    common carrier or electric utility and committed the proscribed act or
    acts in the course of employment while engaged in an activity that is
    a necessary incident to the rendition of service or to the protection
    of the rights or property of the communications common carrier or
    electric utility.

    33.04. Assistance by Attorney General

    The attorney general, if requested to do so by a prosecuting attorney,
    may assist the prosecuting attorney in the investigation or
    prosecution of an offense under this chapter or of any other offense
    involving the use of a computer.

    --

    Looks like Mr. Puffer clearly committed the offense described in 33.02(a)

    Now is Harris Country guilty of negligence in adequatelely protecting their computer networks? I'd have to argue that yes, in my opinion they probably are. Anyone who'd carelessly run wide open unprotected wireless ethernet in a local government agency is not only a moron, but also a very poor steward of public records, which is a job taken *very* seriously in Texas.
    • Quite informative, I see your point.

      I would argue that 33.02(a) Effective consent was given in that it the network was publicly broadcast.

      Television broadcasts are free to view, radio free to listen. This is implied in that they are publicly broadcast to any recipient.
    • Here's the strange thing - according to the register article, he was charged with 2 counts of fraud !

  • I'm trying to imagine what was in their minds... (Score:3, Interesting)

    by RyanFenton ( 230700 ) on Saturday July 27, 2002 @05:17PM (#3965324)

    "He says we have a massive security hole in our network and that anyone, with the simple tools needed, could access much of the data we have going through our networks. He even showed us how it could be done."

    "That's amazing! Why weren't we aware that these problems could exist?"

    "Well, aparantly there's a few newly discovered flaws in the programs we've been using with our wireless tools that he was able to confirm..."

    "Wait... how did he confirm this? Did he steal our files?!"

    "Um... I don't think you understand. He had to see if we had these flaws before he could give us a proper warning..."

    "He broke into our systems? That malicious..."

    "Sir, no - this isn't like a lock that he sneaked in against our will to pick or something, these are open protocols that anyone nearby can test and..."

    "Now we'll have to change all our systems... do you know how much it cost to install the last one?! This makes me SO mad!" ...and so on.

    I can't imagine the motive to prosecute outside of pure ignorance of the concepts involved. To twist an old african proverb: No, you don't thank the person who burned down your house because you like the pattern of the ashes - but on the other hand, you don't attack the man who warns you that the house you live in is a dangerous fire hazard after he carefully shows you a non-destructive example of how easilly it could be burnt down. :^)

    Ryan Fenton

  • Bullshit (Score:4, Insightful)

    by autocracy ( 192714 ) <slashdot2007@sto ... .com minus berry> on Saturday July 27, 2002 @05:21PM (#3965339) Homepage
    Mr. Puffer (?) should never have been charged with this crime. The suits at the courthouse are mad because their fancy new wireless network they built to keep up the with the times wasn't taken care of properly and possibly isn't suitable for them. How it cost them $5k to "clean it up" is beyond me. Of course it costs more money to do it right - but how do you expect to claim that as "cleanup?"

    The person charged was not acting maliciously, did not cause any damage (what is claimed is bogus), and his actions were willfully disclosed in good faith. He got the raw deal...

    • How it cost them $5k to "clean it up" is beyond me

      Your outsourced tech support staff of 5 people who bill at $125/hr spend a single 8 hour day working on it. That's how. Money adds up fast in the business world.

      • Re:Bullshit (Score:3, Insightful)

        by antirename ( 556799 )
        Yeah, but that's just doing work that they should have done in the first goddamn place. They did the job, they fucked it up, and then they get paid to do it again correctly. I wish I got paid on those terms. (Assuming they were contract labor... even if they were salaried employees, the point is the same).
      • A cost that should have been paid in the first place then. This man did not cause that cost - he simply brough to attention a flaw that was under-appreciated and expensive to fix.
      • Even at $1000 per hour, I could fix it for less than $5.

        It should take about 5 seconds to walk over and pull the power plug for the WAP.

        Vulnerability fixed.

        For an extra $3.33, I would be glad to turn around and tell the man in charge that he is fired for being such a stupid ass.

        There, for less than $7.00 we've solved the security problem (symptom), and also fixed the root problem - a clueless dolt.

        Cheers!

  • Blame Game (Score:2, Insightful)

    by Ashcrow ( 469400 )
    Embarrassment is what it comes down to. When the courthouses pretty new wireless system, which they paid a good amount for, is found to be vulnurable to an attack they blame the one who found it instead of the admin who put the package together.

  • A different perspective: (Score:3, Funny)

    by mcrbids ( 148650 ) on Saturday July 27, 2002 @05:39PM (#3965394) Journal
    A Houston home security analyst has been charged with breaking and entering after demonstrating the insecurity of a county court office.

    Stefan Puffer, 33, was indicted by a Grand Jury on Wednesday with two counts of burglary for allegedly breaking into Harris County district clerk's offices. It's believed to be the first case of its kind in the US.

    Puffer, who was employed briefly by the county's security department in 1999, could get five years in jail and faces a $250,000 fine on each count if convicted, the Houston Chronicle reports.

    He's accused of accessing the offices March 8 in an alleged intrusion that cost the county a reported $5,000 to clean up.

    District Clerk Charles Bacarisse told the paper that no confidential paperwork was disclosed but the alleged intrusion eventually resulted in the county closing its new offices only a month after they were opened.

    But is the prosecution a case of shooting the messenger?

    On March 18, Puffer demonstrated to a county official and a Chronicle reporter how easy it was to gain access to the court's offices using only a hammer and paperclip. Puffer first noticed the problem while scanning for insecure homes and offices throughout Houston earlier that month, around the time that the alleged offence took place.

    Would you be upset at the above news story?

    Really folks, with a $4 hammer, you'd be surprised at how "insecure" most homes are! Have you ever heard of a "white hat" burglar?

  • apparently this is the website [bacarisse.com] of the county clerk quoted in the houston cronicle story. since /. failed to get info from him, perhaps we could each drop him an email to find out the other side of the story.

    however, i do note that the county attorney seems a little selective [chron.com] in what laws he wants enforced.

  • Balmer Steals Access and Brags About It (Score:5, Funny)

    by lincomatic ( 164275 ) on Saturday July 27, 2002 @05:43PM (#3965406)
    The network was totally wide open - no WEP and DHCP on ... anyone w/ an XP computer and built-in WiFi who turned their computer on would have automatically associated to the network, so what is Puffer's "crime?" He was demoing to a county official, don't forget. Meanwhile, Steve Balmer brags about stealing bandwidth with Bill Gates and gets applauded:

    http://www.infoworld.com/articles/op/xml/02/07/2 2/ 020722opcurve.xml

    "For all his success at bringing Microsoft's warring constituencies together, there are still things beyond Bill and Steve's control. "I was in a hotel in Sun Valley last week that was not wired," Ballmer recalls. "So I turned on my PC, and XP tells me there is a wireless network available. So I connect to something called Mountaineer.

    "Well, I don't know what that is. But I VPN into Microsoft. It worked! I don't know whose broadband I used," he chuckles. "I didn't see it in Bill's room. I called him up and said, 'Hey, come over to my room.' So soon everyone is there and connecting to the Internet through my room."

    Chalk up another good day for Steve Ballmer, CEO. Bill Gates may be the chief software architect, but as Microsoft matures in the Ballmer era innovation in software shares the spotlight with teamwork.
    "

  • I am incredibly torn on this... (Score:4, Interesting)

    by tlambert ( 566799 ) on Saturday July 27, 2002 @05:47PM (#3965414)
    On one hand, they are trying to charge him for what it cost them the insecure system, now that they've had to discontinue it. That's really assinine. It's like buying a Corvair, and then suing Ralph Nader after he publishes "Unsafe At Any Speed".

    On the other hand, it sets a nice precedent for when the cable companies come snooping around, trying to enforce against "connection sharing" when people set up unsecured wireless access points on the end of a cable modem connection.

    AT&T: We're disconnecting you for running an insecure access point.

    Customer: I'm suing you for proving my network is insecure; thanks, Stefan Puffer!

    -- Terry

  • I'm interested. (Score:4, Funny)

    by DarkHelmet ( 120004 ) <mark&seventhcycle,net> on Saturday July 27, 2002 @05:49PM (#3965421) Homepage
    Whatever hole he found, I'd be willing to buy it from him. There are a couple speeding tickets I need cleared.

    Damnit, my license is at stake here!

  • The Register is cool and all, but why not just link the Houston Chronicle article [chron.com] that they got it from? Their article is much better.
  • He was demonstrating to a county official AND a reporter. That somewhat implies that this wasn't a behind closed doors, tiger team type evaluation on the network. This wasn't just a "hey, I accidently noticed you left your network wide open. Might wanna fix that". If there was a reporter there, someone's toes were probably getting stepped on. The security analyst doesn't deserve to get charges pressed against him, but he should have gotten something in writing from the officials BEFORE demonstrating illegal activity.

    Although the metaphors aren't identical, if I reported to the police, or a homeowner that they've been leaving their doors unlocked, someone at some point will probably ask me how I know that. Computer security is taken rather seriously these days. There seems to be no effort in making sure there is any, but they sure like to rake you over the coals for any alleged violation of it. When the "victim" happens to be the government, especially the court system, that will just up the stakes even more.

    Its unfortunate that this has to happen. But if your less than legitimate activities happen to result in useful information for somebody, don't think that the simple act of good faith by handing that information over will clear the slate for you. Either do it anonymously or get immunity first. Or just keep your mouth shut.

    -Restil

  • One omission in the articles... (Score:5, Informative)

    by D'Arque Bishop ( 84624 ) on Saturday July 27, 2002 @06:09PM (#3965484) Homepage
    This isn't the first time the Houston Chronicle (which the Register references) has reported on this story. What they're leaving out in this article [chron.com] is that the county official that Puffer demonstrated the breakin to was, in fact, the equivalent of the head of IT for the county. So, one wonders if indeed that could be counted as having permission...

    (I don't remember what his exact title was, and I don't remember the links offhand, but the official was definitely the head of the county's equivalent of an IT department.)

    Just my $.02...

    • Re:One omission in the articles... (Score:4, Informative)

      by D'Arque Bishop ( 84624 ) on Saturday July 27, 2002 @06:15PM (#3965501) Homepage
      (I don't remember what his exact title was, and I don't remember the links offhand, but the official was definitely the head of the county's equivalent of an IT department.)

      I just found an older link. It was Steve Jennings, head of the County Technology Department. Also, the article shows just exactly how badly Bacarisse reacted, inclusing saying "hackers, terrorists or anyone else intending harm would be detected long before they could do any damage or use the system illegally."

      You can read the rest for yourself here. [chron.com]

      Just my $.02...

      • Re:One omission in the articles... (Score:4, Interesting)

        by _Sprocket_ ( 42527 ) on Saturday July 27, 2002 @09:30PM (#3966055)
        This is quite facinating. There are a couple really important statements made in that article:
        The network had not yet been set up, they said, and neither Puffer nor anyone else could have done any damage.

        ...
        But because the county's main system and the independent one run by Bacarisse are connected, Puffer was able to show Jennings that he could get information about the county computer network.
        ...
        Bacarisse said his staff found a pornographic picture on one of its servers Tuesday that he suspected was planted by Puffer. He said he would refer the incident to the District Attorney's Office.
        ...
        Bacarisse accused Jennings of giving Puffer information to help him access the system and hinted that Jennings was trying to use the demonstration to increase his authority over systems that he didn't control.

        Jennings and Puffer vehemently denied that.
        These quotes lead to a lot of questions. If this was a test network that couldn't present any threat to the government's network... how come Puffer was able to access the County network? Furthermore, why is Puffer being convicted? And how would he have been able to post a pornographic photograph?

        This has all the markings of beurocratic infighting. A techie quiting after a short, stormy tenure. A beucrocrat implementing an insecure network and assuring that it was no threat... and then convicting on charges of altering government systems. And that same beurocrat accusing another government worker of moving in on his personal feifdom.

        The only thing I'm suprised is that after having seen the insides of all this, Puffer was stupid enough to make his name known. Big hint to whistle-blowers: use the press and insist on being anonymous.

  • Turn this around (Score:3, Interesting)

    by SeanTobin ( 138474 ) <<byrdhuntr> <at> <hotmail.com>> on Saturday July 27, 2002 @06:22PM (#3965524)
    What if I were to get a directional antenna, and beam my wireless network in the general direction of the court building? And of course, setup a dhcp server and use no encryption and all the default workgroups. Could I then charge them for breaking into my wireless network?

    Same question goes with a neighbor? Can I charge my neighbor for hacking into my network? Is it my responsibility to line my walls with aluminum foil so my signal doesn't go out? Or is it his responsibility to line his walls so he doesn't accidently hack into someone elses network?
  • I read the articles about this yesterday, and as I understand it there was a breach of their wireless lan (they don't specify what happened in the breach, but it sounded like someone did something malicious). This breach happened around a time that the person who is being charged was scanning for insecure wireless networks. If he didn't do anything malicious I don't think he has anything to worry about.

  • Cyberphobia strikes again (Score:5, Interesting)

    by stinky wizzleteats ( 552063 ) on Saturday July 27, 2002 @07:06PM (#3965677) Homepage Journal

    So, let me get this straight. You happy people (non-tech) will put us in jail for attempting to help you use technology in a secure way, because you hate and fear us so much. You actually are prepared to alienate all of us (and imprison some of us) rather than deal with the embarassment of your own inability to use technology, and to willingly make it impossible for anyone to conduct IT security work in good faith. You want to make enemies of all of us, do you?

    ...dusts off black hat...

    Have it your way.

    • Re:Cyberphobia strikes again (Score:4, Interesting)

      by hklingon ( 109185 ) on Sunday July 28, 2002 @12:44AM (#3966533) Homepage
      I want to go to lawschool for this very reason. I had an interesting debate a few months ago, which has expanded onto several threads of thought. Consider the following:
      1. Is it legal if someone hires you to kill them?
      2. Is it legal if someone hires you to destroy some of their property?
      3. If someone hires you to simply annoy them, what then? (i.e. a "crime" that does no measurable damages)
      4. What happens if observe that a crime could easily be commited, and yet you do nothing?
      5. What if you have advance knowledge of a crime, and do nothing?

      There are two things working against techies: 1. Social engineering (direct or indirect) works on law enforcement with reguard to technology issues because they simply aren't trained. If the head of IT for a city or other "important" person calls and tells the law to arrest someone based on some obscure log printout, the law will probably be able to do so. 2. No one understands technology, except you, and well, no one will listen to you when you stand accused. Unlike other scuffles, the cops can't examine the situation and determine for themselves the severity and how to handle it.*

      Clearly, #1 is illegal. Based on many cases in CA, VA it would seem that even if you have papers signed by the CTO and CEO , and you do a full security audit you can still be arrested. (Remember the case in CA where the guy did social engineering and took pictures of the server room -- thats it. He's serving a 1 year prison sentence. The board of directors and the President of the company sent him up -- the CTO and CEO resigned.) "Breaking the law is still breaking the law, irregardless of intent..." is what the prosecution successfully ordered. But whats the analogy for wireless? An english school boy standing on your lawn with a bell yelling about how you never lock your house when you leave that only some people can hear? Or is the better analogy like going up to someone's door, rattling it, then discovering that there is no lock? Its all a matter of politics and twisted truths -- not really the crucible that should burn all that away.
  • You just happily use their network for free access until they figure it out themselves.
  • No, I'm not talking about what happened to Stefan Puffer, but what Harris County is telling everyone.

    In essence, they're telling everyone "don't tell us about any security vulnerabilities we might have. If you do, we'll prosecute you".

    Okay, Harris County, have it your way. If you want to live in ignorance, fine. The end result is that your network will end up being hacked by people who really are black hats and who don't give a shit about the integrity of your computer systems or network.

    It's unfortunate that other entities that are inclined to be more reasonable will suffer, but so be it. Those that are really enlightened will probably put up a statement on their website saying something like "if you manage to hack into our systems or network and notify us immediately of the fact that you did so and how you did it, and do not make any modifications to our data or copy any of it that isn't already published, we'll not only refrain from suing you, but we'll pay you a reward for your efforts" -- the intent being to make it clear to white hat hackers that they really do want to know about security vulnerabilities.

    But the bottom line is that places like Harris County will end up having a lot more problems than more enlightened places. Evolution in action.

    I, for one, am not going to tell anyone a damned thing about any security vulnerability of theirs I stumble across unless I happen to work for them and have gotten prior permission to look for security vulnerabilities. And I'll laugh at anyone who behaves the way Harris County did and manages to get hacked later on.

  • If I ever discover a hole war driving (or war walking.) you can bet your ass I won't tell anybody there about it.

    Though I may give my friends the location...

Slashdot Top Deals

To do nothing is to be nothing.

Close