I am pleased they might move forward with this prosecution. Keep in mind the legal costs incurred to do this, in addition to the already employed 12-15 FBI agents who were probably paid overtime to heroically rescue that poor family from this monster was already well worth the cost. Spending more money and resources here is obviously the right thing to do. Really, the resources expended to handcuff this man in his boxers in front of his 9-year-old daughter were very well allocated by one of our most important government agencies, the FBI.
I'm also very much glad to see the incredible foresight and knowledge that the FBI is displaying here. What better way to show us why we should not responsibly disclose data vulnerabilities than to arrest and raid someone's home for doing so?
Stories like this really influence me to put my faith in the capabilities of law enforcement. What that means for our individual rights and freedoms, and for the future of the US economy is sure to be nothing but excellent! I would never think about moving away from such a country!
Other places aren't much better either. In my country, you don't get to reach the courts. If some official doesn't like you, and you aren't a descendant of a well-known lineage and don't have connections, you will accidentally fall down a couple of flights of stairs, repeatedly.
And should you by some miraculous series of events manage to get your case heard in a court (have $$$ to burn), they'll just appeal the verdict (and win).
Not necessarily. I've spent the last few years fighting various hacking charges in Finland and will most likely continue to do so for several years to come.
The law enforcement here will consistently take anything the FBI tells them as a fact, even when the information provided by them has been consistently shown to be false or even maliciously fabricated.
I spent 3 months in jail in 2014 because the FBI emailed the Finnish NBI and alleged that I had perpetrated various attacks against large US tech companies, they provided some information vaguely connecting me to the crimes and claimed to have further evidence they'd deliver shortly. They requested that the Finnish police arrest me and seize my equipment, they did so without question.
Based on that single contact from the FBI the Finnish NBI held me in jail for 3 months and banned me from using the phone or in any manner communicating with anyone outside the jail. After the 3 months had passed the FBI had still failed to deliver any evidence, and the Finnish police had failed to discover any. In fact, they had unquestionably discovered heaps of evidence against the aforementioned allegations since the very day they arrested me. Just a few days before Christmas they were forced to very reluctantly release me.
Now it's 2016 and I just recently got a letter stating that most of those charges have been dropped as the FBI has failed to deliver the promised evidence. I've also received letters informing me of various covert surveillance techniques utilized against me after my release. These are supposed to require an even higher standard of proof than keeping someone in investigative custody, but obviously they're hard to contest when you aren't told about them.
Incompetent fucks desperately hoping to score big wins for their careers or with personal vendettas are hardly a US-only problem, but at least in the US I could've fought the FBI in court. That's hardly an option here. The only thing that's better here are the sentencing policies.
That sounds like quite an interesting story if what you are saying is taken as true and at face value. Have you tried contacting press, or lawyers in the US who would want to take on your case?
Honestly, going after the FBI for lying to the Finnish police would probably be a pretty hard case to win. Especially considering how blatantly unreasonable the behaviour of the .fi authorities has been.
It's possible that I could win. But that wouldn't really achieve anything, it wouldn't make the .fi authorities stop.
The best option I have available is to keep fighting my charges in Finland, as no matter whether I win or lose it'll be significantly harder for any other country to prosecute me for those same crimes. The courts here are fairly reasonable, while they require ridiculously low standards of proof, you essentially have to kill someone to actually go to prison here. Perhaps that makes it easier to say "guilty" just to play safe, keep the LE and prosecutors happy.
In the majority of Europe you will see a SWAT team on TV once a year when they do a huge bust of over 100 drug dealers or terrorists. It would be a public shame, heads will roll and never-ending phone calls from constituents asking and demanding answers why their money was spent on performing a raid on a hacker who broke into a publicly open computer.
I will also bet (as long as we are somewhere legal to do so like LV) $100 that you won't find an example in Europe when a SWAT team killed a dog or threw a flash grenade into a crib with a baby in it... something that happens in the US and that no one can be reasonably held accountable.
The outcome of a trial is secondary. Have you ever been sued by the government? How much money, time, effort and nerves do you think you will lose, no matter the outcome? The act of being sued is plenty of punishment. If they really want to destroy you they can keep going through the courts even after losing - they could not care less if they win or lose.
This is so true and so many people don't realize it.
It's easy to be idealistic about these things until it actually happens to you.
Being "in the right" doesn't mean you'll win ("right" according to your morals/ethics and "right" legally are often two completely different things) and it doesn't mean that the costs of fighting - financial, personal, etc. - won't ruin you, especially when the plaintiff is stubborn, vindictive and has deeper pockets than you do.
More often than not, you'll end up settling civil cases, and the tangible and intangible costs that you accrued while fighting your case are usually victory enough for the plaintiff.
> The FBI is going to have a hell of a time arguing that accessing a public FTP server with no password protection is a crime.
Why? Andrew "Weev" Auernheimer was prosecuted AND CONVICTED for accessing a public HTTP server with no password protection. They apparently didn't have any trouble pursuing that with a straight face. The conviction was overturned because they had prosecuted him in the wrong state.
Except this guy didn't leak a bunch of emails like weev did? Right? If he does go down, that would be terrible for him and his family, but he would be a better poster child for government overreach than weev is.
"He is an upstanding family man, with 4 children. He accessed a publicly available server on the Internet, the kind of server you could access at any time by clicking a hyperlink on Facebook, and now he is a felon and rotting in jail." Or something like that.
I believe that it is still considered unauthorized access even if they don't have a password set up. I think it goes back to law that existed before computers where if you entered someone's home without permission you can't simply argue that there wasn't a lock on the door.
Edit: ProAm above reminded me of the Andrew Auernheimer case that was nearly identical to this and was resolved as I describe.
Please stop with home / lock / etc. metaphors. This is a very simple situation and there is no need to analogize.
When you analogize to a separate situation like keyed locks or zeppelin airspace access rules you're attempting to say something about similarities between the reasoning in resolving the rule on both sides, which requires you to actually make a contention about what aspects of the situation are compatible, and which of those aspects are salient to the definition in question.
Computer behavior patterns are different enough that if you want to analogize, for the love of god explain the aspect you are analogizing. Even the notion of a "protocol" doesn't really exist in meat space.
Something like "transit through third-party routers is a form of access easement"? OK, I could maybe roll with that as a premise if we get into the weeds about what that would imply.
"It's like an unlocked door!" Jesus christ, stop. No, it's not. Even particular unlocked doors aren't what you're thinking of as an archetypical unlocked door, because "unlocked door" isn't a legal concept.
I was merely theorizing that in 1986 when the Computer Fraud and Abuse Act was written that was the reasoning behind why it was written in that way. I assumed that the readers here understand the underlying tech involved.
It sure sounds like there wasn't a "lock on the door". There is a significant difference between FTP and other protocols: FTP has specific support for "anonymous" sessions. There is even an entire RFC (1635, "How to Use Anonymous FTP")[1] on the topic.
From the article:
> I actually remember them having a passworded FTP site back in 2006. To get the password you would call tech support at Eaglesoft\Patterson Dental and they would just give you the password to the FTP site if you wanted to download anything. It never changed. At some point they made the FTP site anonymous.
While there is no mention of the username involved in the anonymous access, it sounds like they switched from handing out a common password (stupid, but probably qualifying as "unauthorized access" for CFAA purposes). However, if the change where they "made the FTP site anonymous" involved the standard username "anonymous", then the server is offering access.
A more accurate analogy for an FTP server is a machine that sends you letters on demand.
It's like Shafer wrote a letter to their office asking for their list of patients, and lo and behold, they've sent him back an envelope containing that list.
Yea. This would be a felony that a 4 year old child, your tech ignorant grandmother, and any other random Facebook user could commit by clicking on a link.
Yes, the law on the subject is mostly nonsense. That said, I've thought a lot on the subject and this is what I think the law should have been -
For 'unauthorized access' to a computer system you (should) need to knowingly access a protected system in a way not permitted by the rights granted to you by the computer system, or by deliberate deception of either the computer systems or people.
So for 'knowing' we have to actually know (via banners, etc.) that we're somewhere we shouldn't be. For 'protected' it has to be actually protected (none of this "I found unprotected files lying around with no password" nonsense). The last two clauses cover privilege escalation attacks and social engineering. So it should matter if you're operating the system normally or if you accidentally just click/type something wrong and found your way in vs. you were deliberately hacking / social engineering your way in.
I'd also add a safe harbor for anyone who in good faith reported the issue to the site operators, police, or government regulatory bodies to prevent reprisal like this ugly case.
Yeah, somehow people forget that the act of connecting a computer to the Internet is an implicit permission for all the Internet to access it unless specified otherwise (by e.g. requiring authentication). That's, like, the fundamental principle of the Internet.
The problem with this is summed up with the phrase "you can beat the rap, but you can't beat the ride."
Sometimes that's just the time, expense, job and reputation loss, etc. of the arrest, but sometimes (e.g. Freddie Gray) the ride is a 'rough ride' and you can't beat that either.