DOJ Subpoenas Twitter About Five Users Over a Smiley Emoji Tweet (techdirt.com)
260 points by keithrl on Oct 25, 2017 | 87 comments


One of the subpoenas was about PopeHat, who of course is public, and he wrote about it on his blog. Why demand twitter unmask a public account?


Link to said popehat blog article, https://www.popehat.com/2017/10/24/in-which-my-identity-is-s...

Speculated reasoning in the comments on the article was that it then gives an admissible account of who owns the twitter name. Otherwise the assertions about who owns it are inadmissible hearsay. That said it's still really weird that the accounts were subpoenaed.

EDIT: fixed link. Just noticed it went to an old article. Apparently the new one is up but not listed on the homepage? (Similar topics so I didn't notice right away)



Thanks, just fixed mine. Didn't realize that it was the wrong one since the topics were similar and I grabbed it off the homepage. That's one thing popehat has always suffered from, weird caching/publishing; their RSS feed was running a few weeks out of date for a while.


Another article on Justin Shafer’s background with the FBI: https://www.databreaches.net/is-a-vendetta-by-the-fbi-keepin...


To intimidate others who might speak up in support of those who speak against injustices committed by federal employees.


To intimidate Ken White? I have to imagine there are easier targets to intimidate than a former USDA. Then again, I'm confused why they sent these to begin with.


> To intimidate Ken White?

Also, if I were trying to intimidate people who read a lot of Ken White's opinions, I wouldn't try to do it by filing questionable legal things about Ken White, thereby forcing him (as you say, a former USDA with a wide network) to enter into legal proceedings with me and inviting him to discuss my actions to his audience.

To a first approximation, that seems like it has a high likelihood of backfiring.


What amazes me is somewhere along the process someone with power didn't notice and think "Hey you know this all seems like a bit much considering what we're looking at here..."


Never underestimate the power given when people take the attitude that something they are looking at is "not my problem".


I used to tell my son that there will always be work for computer security specialists and that he should go for that. This makes me wonder about my advice.


I assume that if you're freelance you're at more risk of finding yourself on the receiving end of a CFAA violation. What I wonder is if security researchers who work for domestic companies face the same degree of scrutiny that these freelance researchers do.

I guess that if you work for a company you're probably not looking at anyone's website that's not explicitly paying you/your company and under some contract.


While what you posted makes sense with the right definitions, I think you might understand better if you're careful with your definitions of "security specialist" (what SubiculumCode said), "security researcher" (what you said), and the other classifications.

Not all specialists or researchers are doing penetration testing. Of those, not all of them are penetration testing third party stuff, and of those, not all of them are doing it without permission. That's the only one that will get you into trouble.

I'm not, technically, a "security specialist" of any stripe, but I take a very careful interest in the defensive side of security, and am currently in the middle of implementing a fairly security-sensitive system. I don't worry that the FBI is going to bust down my door at 2am because I've tweaked the API of my code to make it harder to write cross-site scripting attacks, or because I fixed the architecture so that authentication is done very early in the request cycle instead of ad-hoc and inconsistently very late in the request cycle in a way that requires every developer of every individual web page to have to enforce all authentication. Most security work is going to involve internal matters and the fixing thereto, and, yeah, the job isn't going anywhere any time soon.

(Though it does have the eternal challenge of convincing people they need to pay for it, and the problem that even in companies where programming is the major product like Facebook and Google, you're still going to be a cost center.)


Working for Intel didn't stop Intel getting a conviction against Randal Schwartz (which was eventually quashed, but he ended up being a "felon" for over 10 years...).

https://en.wikipedia.org/wiki/Randal_L._Schwartz


True.


Well, the last 20 years were ridiculously good to security specialists. If you could spell nmap, you would get a 6 figure job. It's ridiculous. The gravy train has to end sooner or later but who knows when.


I can't even anymore. If this story is anywhere near true -- and I have no reason to believe it is not -- then what the hell do we as citizens DO about it?

How can we put an end to ridiculous infringements on rights and wasteful use of resources?

It certainly starts with voting for representatives that won't allow this, but damn. There aren't a lot of good choices out there. And even if there are, how do we fix the issues that allow the bad actors to get elected over a "good" rep?


The problem isn't the government, it's the "citizens." We're a society of cowards, who are afraid of everything and want the government to do something about it. E.g. crime rates are at historic lows, but more than half of Americans say that they worry a "great deal" about crime: http://news.gallup.com/poll/190475/americans-concern-crime-c....

It's not getting any better, it's probably getting worse. We're not that far away from people being arrested for the tweets they post: http://www.cnn.com/2017/03/17/us/twitter-journalist-strobe-e.... Millennials don't see anything wrong with that sort of thing: https://www.theatlantic.com/education/archive/2017/07/why-it....


Not true that crime rates are at historic lows, particularly violent crime which is over double the 1960 rate:

http://www.factcheck.org/2016/07/dueling-claims-on-crime-tre...

But if you are in the Chicago area, you should know that like wealth, crime is incredibly unevenly distributed. There are communities that have effectively zero risk of violent crime, and communities within 30min drive that have violent crime rates that rival the most dangerous cities in the world.


>Not[e] true that crime rates are at historic lows, particularly violent crime which is over double the 1960 rate:

Which ignores the context of the data that while still double the 1960 rate, it is also half the peak 1991 rate, and has generally been decreasing since then. The murder rate is similar to the early 1960's, after its peak in the 70s/80s.

I have nothing to disagree with your comment on Chicago, which sounds plausibly accurate.


I wasn't ignoring the parent context, which was that crime is at historic lows which is not true.


I found this neat crime vs population density study, but as with most things, you answer one question and end up with more:

https://blog.nycdatascience.com/student-works/pressure-cooke...


Well now hold on, I think I can pass it right back out of the hands of the citizens

>Americans say they worry a "great deal" about crime

Maybe because in a country with profit-driven media and little in the way of media laws (arguably a good thing in many ways), media companies are beholden to their shareholders to maximize profit above all else - doing research, they discovered that the most profitable thing is fear mongering and "riling up the masses." Reminding news-readers every single day about the Vegas shooter, for instance. For example, here's the very first link on news.google.com for me this morning: http://www.latimes.com/local/lanow/la-me-ln-bruce-paddock-20... "Brother of Las Vegas shooter Stephen Paddock arrested in child porn case". "Did you forget about the MASS SHOOTING YET?! Don't forget about MASS SHOOTINGS!!!!!!"

>Millennials

Hmm, I'm skeptical whenever I see this word now. Looking at your article:

>Is iGen so different from the millennials because the former faces more chronic, long-term stress? Have the country’s colleges suddenly become brutal, toxic places, increasingly hostile to members of various identity groups?

Appears that your source isn't referring to an entire generation, but rather some college students. Also, I don't see anything that unilaterally supports your claim that "millennials don't see anything wrong [with being arrested for a tweet]." In fact, I've yet to meet a member of the nebulous "millennial" class that isn't appalled by this thought.


Saying that people are ok with someone "being arrested for a tweet" is pushing it.

Saying that people think the most trivially "bad for society" behaviors should be in some way criminal is by no means pushing it. Have you been on Reddit lately?


>We're a society of cowards, who are afraid of everything and want the government to do something about it. E.g. crime rates are at historic lows, but more than half of Americans say that they worry a "great deal" about crime:

That's not a contradiction. You can have a situation where people have to deploy numerous countermeasures[1] to head off crime, and where criminals pounce if any of these aren't active, but where the aggregate effect is to keep crime at bay. In that case, crime warrants being worried about, even if the rate is low.

You might as well say it's irrational to "worry a great deal about crime" in Brazil "because you can just stay in your gated enclave, what's the problem?"

[1] Locking your possessions, carrying little of value, traveling in groups, steering clear of strangers, living far out in suburbia where it's inconvenient for crime to reach, preventing buses (disproportionately used by the poor and criminal) from having stops near your home, etc.


But is it true? Do people who don't deploy numerous countermeasures suffer significantly more crime?


I know I've disagreed with you on many topics in the past but here I think you've hit the nail on the head.

I'd add an addendum that confuses me and adds to the problem at hand; not only is there a culture of fear, there isn't even the empiricism to ask for accountability. No one seems to be asking what the outcomes of these various efforts are, and a handwavey "we've caught SOME people despite ruining the lives of others and catching millions in a massive dragnet" seems to be enough for many electorates.

I had written a much longer response, but I can be more concise to summarize as: "I think there are other incentives that serve to worsen the fear"; our election process and media finance structure are two components of this. I have no good ideas on how to decouple all of these without throwing out various babies with the bathwater, but right now the fear seems to benefit the status quo and is thus going to be rather hard to displace, especially alongside an often shaky education system.


This. There is no accountability. Nobody is requiring the people under them to do a "good and respectable job" at what they do.


Since every government official or employee is a citizen too, there's less of a divide than you think, and that includes the cowardice. I agree there's cowardice here, but in this case the problem is cowardice of a few citizens who hold posts in the government, specifically the Dallas FBI, and even more specifically, dis fuckin guy Hopp. (Use your "Stevie Van Zandt as Silvio" face here.)

What kind of weak, fussy little scaredy-cat acts like that? Saying he doesn't have enough to do is being too nice about it. Judging from the facts of this story alone, he sounds like a vain petty bitch. Exactly the kind of person you don't want behind a badge, and a discredit to everybody else in law enforcement.


>The problem isn't the government, it's the "citizens."

The problem is that statement has always been true, even in good times.


I'm as upset as you, but the abuses of federal law enforcement are nothing new. In fact they may have improved compared to the past, but it's impossible and pointless to compare too closely.

The internet age changes the dynamics and visibility, so that is actually some comfort. In decades past, this exact same action to "protect their own" would have gone down without a blip on the national radar. It should be noted, however, the agency's power to use all the data they're wanting (phone IDs, in particular) to conduct ongoing intrusive surveillance at low cost is new and worrisome.

It should also be noted that prosecutorial power works both ways: reading about the tactics used by Mueller against Trump, et al, is both encouraging and scary to me. It's nice when your friends are powerful, but scary when you realize their loyalty is fleeting.


> what the hell do we as citizens DO about it?

Call your Congressperson [1], U.S. Senator [2] and state representatives. Tell them why you think this is ridiculous, in a calm and collected manner. Ask them, politely, for written follow-up.

I do this about issues I care about. In my urban district of three-quarters of a million people, I'm almost always the only person calling about tech-related issues. Multiple times, the LA has asked me to email them supporting materials I reference.

[1] https://www.house.gov/representatives/find/ Find your Congressperson

[2] https://www.senate.gov/senators/contact/senators_cfm.cfm Find your U.S. Senator


> what the hell do we do

More like what can we do, which is essentially nothing besides begging elected officials to do something about it (spoiler: they won't).

Alternative is court cases, but those take a lot of time and money, and rulings won't necessarily have the reach you want even if they're in your favor.


You are right, they won't do anything once they are elected.

Try making it clear to candidates that you would not support such behaviour in an elected official, and that if their interests are aligned with such causes you will not vote for them.


We're probably indefinitely fucked. The future is an abject morass straddled between 1984 and Brave New World.

A violent uprising looks to be the only way. The problem is that it's against the mightiest military humanity has ever seen. Now watch me get subpoenaed for this...


Why is Ted Stevens a fool for saying the Internet is a series of tubes, but so many otherwise level-headed are fine pretending networks are houses?


It's a metaphor.


So... Tweeting now is a form of assaulting?


Legally, the crime of "assault" is threatening to harm someone. That can be done over Twitter.


Sending a tweet with intent to physically hurt someone, yes. Shouldn't it be?


Yes. The victim had epilepsy, and the tweet was something like "You deserve a seizure!" accompanied by a rapidly flashing animated GIF.


Oh. Didn't think of that.


And this is why you should be very careful what you tweet. Once it's out there it can never be deleted. Even with a fake name and handle. Your IP address, MAC address, location, etc.


Mac address? What is possibly recording that?


Many WiFi networks record MAC addresses to help associate devices with IP/users.


So a security researcher who was angry about getting raided and hit with a CFAA accusation after an unauthorized access of private medical data started doxxing the FBI agent responsible on Twitter. And in response the FBI is requesting information about the Twitter users that were part of the conversation.

Doesn't seem quite as sensational once you know the backstory. The author is right that the charges aren't the strongest but we can't be obtuse and pretend that posting the personal information of the officer and his family couldn't meet the bar for intimidation or harassment.


> the FBI is requesting information about the Twitter users that were part of the conversation.

What an exceptionally flippant dismissal of what is clearly an overstep. "FBI is requesting information" i.e. the FBI is subpoenaing Twitter about "users that were part of the conversation" -- users who discussed a case on twitter.

I feel like your use of the phrase "part of the conversation" -- a phrase often used as euphemism for actual involvement -- is a subtle deception to anyone reading your comment. The totality of their involvement is tweets discussing the case.

You go even further by following up claiming it "doesn't seem quite as sensational once you know the backstory" and in the next sentence you mention the alleged crime that they were talking about, not that they were involved in.

To me, it feels like your comment is either missing the point that these 5 were simply talking about the case; or you are being willfully deceptive.


Doxxing? Hardly. Looking at the Twitter thread, he did far less than a lazy casual fan of a TV star would do on an average Google/Facebook search.

> Doesn't seem quite as sensational once you know the backstory.

Though your summary was sensationalised by the addition of the term doxxing (usually negative connotations there), whether you meant it to be or not. It is all about how the spin is put on it. An innocuous situation can be played up, or down, by either side.

P.S. @Spivak, it's your 1024 days anniversary on HN! :-)


Actually, if you read the attachments at the end of the referenced complaint[1] the FBI is claiming he did a bit more than look up the agent and his family. He also sent various semi-threatening messages to them on Facebook.

Still not sure why that gives them grounds to subpoena everyone on the thread.

[1] https://assets.documentcloud.org/documents/4116064/Shafer-Co...


Darn it. Apologies for going off with my half baked facts ;-)


DOJ's insanely broad subpoena aside, this is the real lesson. If you're going to harass, even in a joking way, an FBI agent and their family, don't do it using your real name!


First definition of "dox" that came up for me on google:

> search for and publish private or identifying information about (a particular individual) on the Internet, typically with malicious intent.

Sounds appropriate, doesn't it? If you still disagree, here's a thought experiment: If someone were searching and posting that info about you, or anyone else reading this very thread, wouldn't we call that doxxing?


Years ago, I was contacted by a person who was very upset I "published" his name in connection with a domain name.

It was information I obtained from "whois".

I also wonder how many people are unaware that many counties in the US make property records available over the Internet. It is, after all, public information.


Isn't it private information only if it's not plastered all over Facebook and Google? How is it doxxing if the information is willfully exposed by the person online? Isn't it then just linking the results of a Google search? Doxxing usually involves posting information that person is trying to hide. If they're posting it online themselves, it hardly counts as doxxing.


Private or identifying. This case is the identifying side of that, not necessarily the private side.

Doxxing is a bit more than just posting information someone’s trying to hide. It’s identifying that person to basically aid in harassment. If the doxxers provide private info to aid in the harassment, even better (for the doxxers/harassers), but the doxxing doesn’t need to be private info to be doxxing.


The FBI takes counterintelligence really really seriously and their job involves protecting their agents. And I'd bet those dudes don't have much to do most of the time, at least compared to their supposed importance. So if anything it's largely the side effect of a bureaucratic system rather than some malicious attack.

I'm sure they'd say they take any 'threats' against their agents seriously, even seemingly benign ones. It's possible most of this stuff is automated anyway, so they can do deep searches with all identifiers into their NSA-fueled databases on anyone talking about FBI agents on social media.


"unauthorized access" is bs. It was a public ftp server and he notified the owners. It's like telling your neighbor his door is open.


Hasn't unauthorized access of a server with weak or no security measures been proven illegal many times in court already, though? Admittedly, I'm not a legal expert of any kind, but I could swear that's a common thing.


The analogy is a little twisty, but yeah, seeing the files in the directory is probably like looking in through the door, and actually opening them is probably more like trespassing.


So he downloaded a list of files. That's like going in the door, opening the refrigerator (or filing cabinet) and making an inventory.

The list itself could have private and protected information.


An ftp client downloads a list of files as soon as you connect.

It's the same as fat fingering a website in your browser. Are you saying I should go to jail if I type the wrong website, it loads, and it turns out that site was supposed to be "private"? My browser downloaded the home page and all the files on it.

What if I click the wrong wifi network and use it all day without noticing? Should I get charged for "unauthorized access"?

There needs to be a reasonable standard for security above "so insecure you could do this by accident" to send people to jail. Whoever set up the server that shitty should be charged with negligence.


See, the legal system has this thing called “intent” and courts are decently adept at figuring it out. If you actually did fat finger something, you could probably prove that. Maybe you only connected once for a quick second. But if you connected multiple times over several days, and forensic evidence showed you deliberately downloaded things, well, that’s intent.

I see this all the time in technology: people come up with contrived counterexamples to expose some non-existent flaw in the legal system that they get really defensive about. The legal system isn’t like a computer. If you really did make a mistake, that should become obvious in the ideal case.


Some graphical FTP clients might download a list of files, but certainly not all. It's not a standard part of the protocol to immediately execute 'LIST'.

You may have fat fingered a URL, but your browser still asked for it and any content located there.

I don't agree with prosecution on things like this, but the reality is the best analogies are still doors and locks: My front door is connected to a walkway, which is connected to the public sidewalk. You may see my door is open and unlocked, but you're still trespassing if you walk in. If you did, I may decide not to press charges, but that's my choice. And I'd be mad as hell at anyone who created a law that said I couldn't just because my door is open.

I think the best solution is for people to treat others with a little more goodwill, and find other ways to make society less litigious overall. Unfortunately, corporations drive a lot of that because a corporation's only goal is to make money. People, however, can make different choices.
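Added example, not part of any comment in this thread: the steps debated here (connecting, `LIST`, `RETR`) and the "connected multiple times over several days" point raised above are separate entries in an FTP server's command log, so an operator reviewing access can tell a one-off connection from repeated retrieval. The key=value log format, session ids, paths and addresses below are constructed for illustration and are not any real server's format.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log (made-up format; documentation-range IP addresses).
SAMPLE_LOG = """\
2017-10-20T09:15:02Z session=s1 client=198.51.100.10 event=CONNECT
2017-10-20T09:15:04Z session=s1 client=198.51.100.10 event=QUIT
2017-10-20T11:02:10Z session=s2 client=198.51.100.20 event=CONNECT
2017-10-20T11:02:11Z session=s2 client=198.51.100.20 event=USER arg=anonymous
2017-10-20T11:02:11Z session=s2 client=198.51.100.20 event=PASS
2017-10-20T11:02:12Z session=s2 client=198.51.100.20 event=LIST arg=/
2017-10-20T11:02:20Z session=s2 client=198.51.100.20 event=QUIT
this line is truncated garbage and must be skipped
2017-10-21T08:00:00Z session=s3 client=203.0.113.7 event=CONNECT
2017-10-21T08:00:01Z session=s3 client=203.0.113.7 event=USER arg=anonymous
2017-10-21T08:00:02Z session=s3 client=203.0.113.7 event=LIST arg=/
2017-10-22T08:30:00Z session=s4 client=203.0.113.7 event=CONNECT
2017-10-22T08:30:01Z session=s4 client=203.0.113.7 event=USER arg=anonymous
2017-10-22T08:30:05Z session=s4 client=203.0.113.7 event=CWD arg=/export
2017-10-22T08:30:06Z session=s4 client=203.0.113.7 event=LIST arg=/export
2017-10-22T08:30:09Z session=s4 client=203.0.113.7 event=RETR arg=/export/batch_01.csv
2017-10-23T08:45:00Z session=s5 client=203.0.113.7 event=CONNECT
2017-10-23T08:45:01Z session=s5 client=203.0.113.7 event=USER arg=anonymous
2017-10-23T08:45:03Z session=s5 client=203.0.113.7 event=RETR arg=/export/batch_01.csv
2017-10-23T08:45:07Z session=s5 client=203.0.113.7 event=RETR arg=/export/batch_02.csv
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ session=(?P<session>\S+) "
    r"client=(?P<client>\S+) event=(?P<event>[A-Z]+)(?: arg=(?P<arg>.*))?$"
)

# How far into the server each FTP command reaches. Connecting only yields the
# greeting; a listing needs LIST/NLST/MLSD; file contents need RETR.
LEVELS = ("connected", "logged_in", "listed", "retrieved")
EVENT_LEVEL = {
    "CONNECT": 0, "QUIT": 0,
    "USER": 1, "PASS": 1, "CWD": 1, "PWD": 1,
    "LIST": 2, "NLST": 2, "MLSD": 2,
    "RETR": 3,
}


@dataclass
class ClientSummary:
    sessions: set = field(default_factory=set)
    days: set = field(default_factory=set)
    files: set = field(default_factory=set)   # distinct paths retrieved
    listings: int = 0                          # number of listing commands
    depth: int = 0                             # index into LEVELS

    @property
    def level(self):
        return LEVELS[self.depth]


def summarize(log_text):
    """Return ({client: ClientSummary}, number_of_unparseable_lines)."""
    summaries, skipped = {}, 0
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            skipped += 1          # keep a count so damaged logs are noticed
            continue
        s = summaries.setdefault(m["client"], ClientSummary())
        s.sessions.add(m["session"])
        s.days.add(m["day"])
        level = EVENT_LEVEL.get(m["event"], 0)  # unknown commands add no depth
        s.depth = max(s.depth, level)
        if level == 2:
            s.listings += 1
        if m["event"] == "RETR" and m["arg"]:
            s.files.add(m["arg"])
    return summaries, skipped


def repeat_retrievers(summaries, min_days=2):
    """Clients that retrieved files and were seen on at least min_days days."""
    return sorted(
        client for client, s in summaries.items()
        if s.level == "retrieved" and len(s.days) >= min_days
    )


if __name__ == "__main__":
    result, bad = summarize(SAMPLE_LOG)
    for client, s in sorted(result.items()):
        print(client, s.level, f"days={len(s.days)}", f"files={len(s.files)}")
    print("unparseable lines:", bad)
    print("repeat retrievers:", repeat_retrievers(result))
```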


The "doors and locks" analogy is not perfectly applicable in this case.

In the cases of house front doors in the suburbs, the overwhelming expectation is both that the door is intended to be locked and that the public is not intended to freely come and go from the interior of the residences. This is a custom so well-established that it is essentially universal, and a house with the door open and unlocked is an obvious outlier.

In the case of fileservers on the public internet, the overwhelming expectation is that anyone may connect to them, and if anonymous logins are accepted, access the files on the server. Again, this is well-established custom.

Because the customary behaviour in the two situations are so different, the analogy is inapplicable.


(replying to myself)

After walking away from this I thought of an analogy to fit the other side: Attractive Nuisance

Maybe a security researcher/group/company could sue on behalf of customers affected by an open FTP server because it's an "Attractive Nuisance" on the Internet. Affecting a company's bottom-line is about the only way to get some to take notice.


>Some graphical FTP clients might download a list of files, but certainly not all.

Certainly, most? I can't think of any FTP GUI application I've ever used not displaying a list of files stored on the remote host upon connecting.


> Are you saying I should go to jail if I type the wrong website

No, I'm not saying anyone should go to jail. The person in question did not do this by mistake though.

In general I'm in agreement with you. I'm just making sure we don't mix analogies. Looking through an open door is not the same as connecting to an FTP server and getting list of files.


I'm saying that unauthorized access shouldn't apply to things that are trivial to access even by mistake.

The law needs to be at the same standard as real life. For example the police can search your belongings unless they're locked, then you need a warrant. If you've got a service wide open on the internet with no security it shouldn't be a crime just because somebody found it.

The difference between doors and locks is that going through real life doorways is a lot different than connecting to a service. On the internet the act of connecting to it gives you access to the inside, there's no second act of walking in.

It's like an open door that throws a copy of its contents at anyone that finds it.


> The law needs to be at the same standard as real life.

Unless you're intending to make the argument that accessing those files is the same as you leaving all of your personal belongings on the street, I'm not seeing any differences.

> For example the police can search your belongings unless they're locked, then you need a warrant.

The police need a warrant, I [an individual] do not. By your argument, I can come to your house and go through all of your things just because you left the door unlocked.

> If you've got a service wide open on the internet with no security it shouldn't be a crime just because somebody found it.

I don't think anyone here is saying it is. The argument is it's illegal to search through the data made available by that service without permission.

> It's like an open door that throws a copy of its contents at anyone that finds it.

It's really not. Here's an exercise: Name a protocol used on the Internet that does NOT make a distinction between connecting and the client requesting information.


>Name a protocol used on the Internet that does NOT make a distinction between connecting and the client requesting information.

HTTP, among almost everything else. In HTTP the browser will call GET / as soon as a TCP connection is established. If you want to go down a level yes TCP doesn't leak info on connect but what kind of client does that?

The L4 protocol doesn't matter, too low level. What matters is what a normal client does. In HTTP, every browser will make a GET request for info immediately on connecting

Say Bob tells me to connect to his ftp server and gives me a different IP. I go into my client, type the IP, and hit connect. I have a directory listing of all the filez now. A crime? You've gotta be kidding.

To even know you're connected to the right place in most protocols you need to request information. It's like I said, a door that throws the contents inside to anyone that finds it. It has to be that way because otherwise all the doors look the same and you couldn't find the right one


HTTP _does_ make that distinction, as does just about everything else (off the top of my head, the only thing I could think of that may not was NTP). My point was the client has to request something, that's a search in this context.

> Say Bob tells me to connect to his ftp server and gives me a different IP. I go into my client, type the IP, and hit connect. I have a directory listing of all the filez now. A crime? You've gotta be kidding.

Say Bob gives you the address to his house and says "Open the gate and go in the back yard. My grill is in the corner, you can have it". Unfortunately, you transposed the numbers and took someone else's grill. Is that not trespassing and stealing?

I don't disagree with you that the prosecution in this case probably should not happen, but it's not nearly as simple as making a blanket statement that "Whoops! I connected to the wrong server." is enough to make an act no longer illegal.

As @poorrights commented, a lot of it has to do with intent as well.


> The police need a warrant, I [an individual] do not

Well, you just can't legally break into and search my locked property at all; it's true that the remedy for a police violation (the exclusionary rule) doesn't apply to a private violator of property rights in this way, but that's because regular civil and particularly criminal process is available, without governmental immunities and, at least in theory, without the conflict of interest that arises when government law enforcement agents pursuing law enforcement evidence are the ones violating property rights.


> Well, you just can't legally break into and search my locked property at all;

That's my point and counter-argument to the item I quoted; Just because something is visible, or behind an unlocked door, it is NOT available for someone to search through it.


That's like saying you looked at my open front door so you committed B&E


Sure, that's one way to look at it. But also, since you have to actually interact with the server in order to discover such vulnerabilities in it, it could also be viewed as similar to walking in through an unlocked door and looking around. That, at least, is trespassing, I believe.


Or making an inventory list of everything inside. "Oh, here's a filing cabinet, I'll just pull the inventory. Just peeking in..."


When you connect with ftp or HTTP you get a top level directory or a home page. Same thing as looking through an open door.


Alright if we want to get specific it's like being blind and touching a home's open front door. Incredulous that the door is open you feel around inside for a second and feel a set of keys on the hook. You leave at this point and a week later are arrested for B&E because your fingerprints are on the keys (or you were stupid enough to tell the owner their door was open).


Yes, the CFAA has a low bar for charging with a felony.


> It's like telling your neighbor his door is open.

I think it's more like your neighbor's door being open and you going inside and seeing that the refrigerator is open. Therefore proving that you trespassed on private property. Not legal. Of course in most cases you wouldn't be prosecuted for that I would imagine unless you tramped around the house.

Article says:

"he'd come across an FTP server operated by another dental software company, Patterson Dental, which makes "Eaglesoft," a dental practice management software product. Shafer had discovered an openly available anonymous FTP server with patient data"

In order to determine it had patient data he would have to see the patient data not just connect to the server at the root level and then exit. So at the very least (in theory) he would have cd'd a few directories and perhaps downloaded a few files or noted the directory structure and names. That is entering and looking around.


Occam's Razor would say he logged in, saw a patient_data directory or something similar, and logged out. We don't know anything really about how his perusal or lack thereof had him come to that conclusion. If it was running batch job processing that places like Epic and others do, it could have a recognizable directory structure that would give it a clear fingerprint.


First, I don't believe it is against the law to simply connect to a public FTP server. And I'm certain that I wouldn't bother to notify somebody that their public FTP server was... public. However, if I saw something that clearly wasn't supposed to be public.

It's more like looking across the street and seeing a private act through an open window, and going to the front door and knocking and telling them that the window is open.

There are laws against leaving patient data in the public. There are laws against public indecency.

There are also laws against unauthorized access and laws against being a peeping Tom.

Which one is going on is not necessarily easy to determine.


So if you get @ed in a Twitter thread that meets the bar of irritating DOJ, it's totally reasonable for them to subpoena the times of day you use your Twitter account?

I guess that fits with throwing legal charges at people that laugh at you.


That's the creepiest part to me - it equates "being spoken to" with "speaking about".

The subpoena against the comment poster is questionable, but targeting people who were named in the Tweet is ridiculous. In particular, Dissent Doe never engaged with the thread in any way, but was only named in the exchange.

If you can spawn an invasive data request against someone just by including their handle in a tweet, that's a shocking overreach or a misunderstanding of the communication system.


No one is pretending that it couldn't meet the bar. It doesn't in my opinion, but that's not the point. The point is that Ken et al. were not harassing anyone.


https://qht.co/item?id=15552707

Seems relevant. The allegations are that he was harassing the family on FB.


No. The users were not part of the conversation in which the researcher doxxed anyone. They were part of another conversation, in which his total involvement was a smiley in response to one of their tweets.

As the article makes plain: "Then, to subpoena a ton of info on 5 totally unrelated Twitter users... just because Shafer tweeted a smiley face emoticon at them?"



