Thought I'd post this community announcement here. Snitching has hurt many of the people in the hacking community, let's change that.
Taken from https://hackbloc.org/content/court-docu ... informants" onclick="window.open(this.href);return false;"
Do you know who the informant was? Contact Hackbloc Staff at staff[at]hackbloc.org
For those who haven't been following the story, Daniel Spitler and Andrew Auernheimer, alleged members of the computer security group Goatse have been charged with Conspiracy to Access a Computer Without Authorization and Fraud in Connection with Personal Information for their alleged role in exposing a major flaw in the way AT&T was storing the personal information of iPad users. The email addresses of many in rich and powerful circles was open to exposure including members of the White House Staff.
While the Department of Justice claims these two "hacked into" AT&T databases, the reality is that they simply queried them a number of times. On a public-facing web page, you could ask the database who was associated with which hardware ID and it would tell you.
In a court document posted on Cryptome, it's revealed that a confidential informant provided IRC chat logs to the FBI. According to the affidavit, "Approximately one month after the search of defendant Auernheimer's home, a confidential source (the "CS") contacted federal law enforcement officers and stated, among other things, that the CS routinely monitored "#dominion," one of the IRC channels used by Goatse Security members to communicate with one another. The CS also provided law enforcement officers with chat logs from the "#dominion" channel from on or about June 2, 2010 through on or about June 11, 201 O. Extending over 150 pages, those chat logs conclusively demonstrate that defendants Spitler and Auernheimer were responsible for the data breach and conducted the breach to simultaneously damage AT&T and promote themselves and Goatse Security. Excerpts from the chat logs are provided below."
While there was a snitch within IRC channel, it appears that Goatse members have also offered to work with the Department of Justice "hand in hand for a stronger country" which is all somebody would need to not trust the goatse folks. Future informants against other "malicious hackers"? The idea unfortunately isn't that far-fetched.
It shouldn't be hard to figure out who this snitch was in this case given that they were idling in an IRC room for extensive periods of time. We must protect our communities against snitches who will sell their friends down the river in exchange for legal immunity, status, nationalism, or anything else. Snitching only weakens our community, divides it, and sows distrust into our relationships. Find snitches, publicly out them, and excommunicate them from our community!
A statement was posted on the goatse site which is copied below:
"On the heels of the arrest of two of Goatse Security’s researchers, I felt compelled to write a statement reiterating a few points regarding last year’s AT&T breach which I believe are important:
1. The only data gathered was a list of e-mail addresses. No real names, mailing addresses, or any associated data was breached.
2. The data gathered was PUBLICLY AVAILABLE on AT&T’s web server. Any person could say “What is the e-mail address associated with ID XXXXXXXX” and the server would happily reply “johndoe@yahoo.com” or “invalid ID”. The process of doing so was simply automated using random IDs. There was no “real” hacking involved.
3. Through intermediary channels, Goatse Security notified AT&T of the hole in their system and waited until it had been patched before we made our disclosure.
4. Under no circumstances was the data EVER made public. It was only given to Gawker Media under the condition that it would be redacted, just as proof that the data *HAD* been leaked and this was not a fictitious claim.
5. AT&T has pressured the USDoJ and the FBI into building and prosecuting a baseless case because they care more about their own share price than their customers. Stated another way: the American government works at the behest of private corporations.
AT&T, the FBI, and the prosecution have labelled this as a “malicious” attack, directly against AT&T’s interests and their customers. This could not be farther from the truth. The flaw was quite literally stumbled upon; AT&T was never targeted, and upon gathering the data, it was not sold, distributed, or used otherwise (although it certainly had the potential to be used quite maliciously) – it was only disseminated to a single media outlet because we believed it was important enough to share. Were the hole discovered by a malicious party, the data could have been easily sold to the RBN at a very high price, could have been used to target iPad owners with AT&T phishing e-mails, the e-mails could have been sent iPad trojans, or otherwise. The private discussions we had to determine the extent of the flaw will undoubtedly be twisted and redacted by the prosecution to create an appearance of malice, as these were all topics touched upon. This can be damning even though the discussion itself is not a crime.
The case is based entirely upon IRC logs, anonymously submitted, which could be completely fabricated with no method of verification. The transcripts of these logs are solely being used to create an image of malicious intent.
The fact of the matter is quite simple: AT&T put their own customers at risk through negligence, their share price dropped when this fact was exposed, and they have now co-opted the USDoJ and the FBI to attempt to shift the blame from themselves to individuals who were looking out for the public good.
In the end, regardless of how the chat logs are made to appear, the facts do not change: GoatSec researchers found a hole, made sure it was closed, and responsibly disclosed its existence."
Assistance Requested in Identifying People who Snitched on G
Re: Assistance Requested in Identifying People who Snitched on G
http://online.wsj.com/article/SB10001424052748704312104575299111189853840.html?mod=WSJ_hpp_MIDDLETopStories
--------
http://gawker.com/5560542/fbi-investigating-ipad-breach?skyline=true&s=i
---------
http://cryptome.org/0003/spitler/spitler-001.pdf
ATTACHMENT A
Count 1
(Conspiracy to Access a Computer without Authorization)
From on or about June 2, 2010 through on or about June 11,2010, in the District of New Jersey, and elsewhere defendants
DANIEL SPITLER and
ANDREW AUERNHEIMER
knowingly and intentionally conspired with each other and others to access a computer without authorization and to exceed authorized access, and thereby obtain information from a protected computer, namely the servers of AT&T, in furtherance of a criminal violation of the laws of the State of New Jersey, specifically, N.J.S.A. 2C:20-31, contrary to Title 18, United States Code, Sections 1030(a)(2)(C) and 1030(c)(2)(B)(ii), in violation of Title 18, United States Code, Section 371.
-
AT&T's servers are protected computers as defined in Title 18, United States Code, Section 1030(e){2).
-
Count2
(Fraud in Connection with Personal Information)
From on or about June 2, 2010 through on or about June 11,2010, in the District of New Jersey, and elsewhere defendants
DANIEL SPITLER and
ANDREW AUERNHEIMER
knowingly transferred, possessed, and used, without lawful authority, means of identification of other persons, including means of identification of thousands of New Jersey residents, in connection with unlawful activity, specifically, the unlawful accessing of AT&T's servers contrary to Title 18, United States Code, Section 1030(a)(2)(C), in violation of Title 18, United States Code, Section 1028(a)(7).
-----------
"On the same day the Gawker Article appeared, June 9, 2010, a post was made to the Live Journal web log, http://weev.livejournal.com which read: "Oh hey, my security consulting group just found a privacy breach at AT&T[.]"s The post further linked to the Gawker Article and stated: "[T]his story has been broken for 15 minutes, twitter is blowing the fuck up,we are on the forntpage of google news and we are on drudge report (the big headline). The "User Profile" for the LiveJournal weblog, http://weev.livejoumal.com listed the user as "weev" with the name "Escher Auernheimer."
--
On or about June 15, 2010, pursuant to a search warrant signed by the Honorable Erin L. Setser, U.S.M.J. in the Western District of Arkansas, law enforcement officers conducted a search of defendant Auernheimer's home, located in Fayetteville, Arkansas. During the execution of the search warrant, defendant Auernheimer agreed to speak with federal law enforcement officers and stated, among other things, that he and the other members of Goatse Security often communicated with one another using an online medium known as Internet Relay Chat, or "IRC."
--
Approximately one month after the search of defendant Auernheimer's home, a confidential source (the "CS") contacted federal law enforcement officers and stated, among other things, that the CS routinely monitored "#dominion," one of the IRC channels used by Goatse Security members to communicate with one another. The CS also provided law enforcement officers with chat logs from the "#dominion" channel from on or about June 2, 2010 through on or about June 11, 201 O. Extending over 150 pages, those chat logs conclusively demonstrate that defendants Spitler and Auernheimer were responsible for the data breach and conducted the breach to simultaneously damage AT&T and promote themselves and Goatse Security. Excerpts from the chat logs are provided below.8
--
On or about June 5, 20 I 0, defendant Spitler was chatting with "Nstyr" and "Pynchon," and the three considered the possible benefits of harvesting ICC-IDle-mail pairings:
Spitler:if you enter valid ICCIDs in this website you can get iPad subscriber email addresses I dont see the point unless we phish9 for passes even then that's boring
Nstyr:data minig *mining you could put them in a database for spamming for example sell them to spammers ...
Spitler:tru ipad focused spam
Pynchon:harvest all the emails then expose it publicly
Spitler: hahaha
Pynchon: tarnish at&t
Spitler: true
Nstyr: or sell if for thousands to the biggest spammers
--
the IRC logs go on to print off the cuff convo about criminal acts like shorting AT&T stock, selling the addresses to spammers, conspiracy to harm the reputation of At&T, bragging about harming other companies.
Why would anyone chat in a public IRC about crminal activities?
--
"Through their investigation, federal law enforcement officers have learned that Goatse Security is a loose association of Internet hackers and self.professed Internet "trolls."7 Indeed, defendant Auernheimer has previously been public and outspoken about his trolling activities."
So are you one of the hackers or one of the trolls?
you are all worried about who the snitch was? If you guys have access to your OWN logs (if you are a legit goatse member) you could check the DATE (its in the FBI report) along with the names of everyone who was logged in to IRC during that convo - in your LOGS. Pretty simple.
So I say this is a troll to pump up goatse (or this hackbloc??) and incite FUD, "oh the meanie FBI is harassing innocent hackers, here comes the black helicopters and they took my rights!" Congratulations dumbass, here is the attention you always wanted!
The IRC chat logs, the FBI court doc, and even the interviews in the press - all point to you guys. You guys are not professionals, you guys are not even security advocates - you had initally intended to harm the reputation of At&T - bragging about (You guys - I use loosely, meaning 'those kinds of hackers')
"In an August 3, 2008 interview with The New York Times, defendant Auernheimer admitted: "I hack, I ruin, I make piles of money. I make people afraid for their lives. Trolling is basically Internet eugenics. I want everyone off the Internet."
"Auernheimer posted several "sermons" in the guise of the "iProphet." One such video was entitled "Sermon on Fear and The Men In BlacklDirect Democracy." During this video, Auernheimer stated: "Trolling can frequently have large economic repercussions as, as I learned, 1 learned when I trolled Amazon. I saw a one billion dollar change in their market capitalization. That's the most monetary affection [sic] ofa publicly traded stock that I've ever personally done. I mean, I've caused a more dramatic shift in price, but never market capitalization." Auernheimer continued: "So a billion dollars changed hands as a result of my trolling, and I'm very, very glad to know that such insignificant things on the Internet can have drastic, far reaching effects."
--
Yep - About $73,000 in cost to At&T, some stock loss, and the FBI is on your ass - those are the 'drastic, far reaching effects" What did you expect - a gold medal? a nice watch, or maybe some tickets to a show? An IT SecTec job trusted to protect networks?
Why so surprised? I was just embarrassed you guys were so stupid to discuss a major felony crime in progress, on IRC? (again, you guys is used loosely for misguided hackers)
(killed your Poll, why the fuck did you need a poll for your troll?)
DNR
--------
http://gawker.com/5560542/fbi-investigating-ipad-breach?skyline=true&s=i
---------
http://cryptome.org/0003/spitler/spitler-001.pdf
ATTACHMENT A
Count 1
(Conspiracy to Access a Computer without Authorization)
From on or about June 2, 2010 through on or about June 11,2010, in the District of New Jersey, and elsewhere defendants
DANIEL SPITLER and
ANDREW AUERNHEIMER
knowingly and intentionally conspired with each other and others to access a computer without authorization and to exceed authorized access, and thereby obtain information from a protected computer, namely the servers of AT&T, in furtherance of a criminal violation of the laws of the State of New Jersey, specifically, N.J.S.A. 2C:20-31, contrary to Title 18, United States Code, Sections 1030(a)(2)(C) and 1030(c)(2)(B)(ii), in violation of Title 18, United States Code, Section 371.
-
AT&T's servers are protected computers as defined in Title 18, United States Code, Section 1030(e){2).
-
Count2
(Fraud in Connection with Personal Information)
From on or about June 2, 2010 through on or about June 11,2010, in the District of New Jersey, and elsewhere defendants
DANIEL SPITLER and
ANDREW AUERNHEIMER
knowingly transferred, possessed, and used, without lawful authority, means of identification of other persons, including means of identification of thousands of New Jersey residents, in connection with unlawful activity, specifically, the unlawful accessing of AT&T's servers contrary to Title 18, United States Code, Section 1030(a)(2)(C), in violation of Title 18, United States Code, Section 1028(a)(7).
-----------
"On the same day the Gawker Article appeared, June 9, 2010, a post was made to the Live Journal web log, http://weev.livejournal.com which read: "Oh hey, my security consulting group just found a privacy breach at AT&T[.]"s The post further linked to the Gawker Article and stated: "[T]his story has been broken for 15 minutes, twitter is blowing the fuck up,we are on the forntpage of google news and we are on drudge report (the big headline). The "User Profile" for the LiveJournal weblog, http://weev.livejoumal.com listed the user as "weev" with the name "Escher Auernheimer."
--
On or about June 15, 2010, pursuant to a search warrant signed by the Honorable Erin L. Setser, U.S.M.J. in the Western District of Arkansas, law enforcement officers conducted a search of defendant Auernheimer's home, located in Fayetteville, Arkansas. During the execution of the search warrant, defendant Auernheimer agreed to speak with federal law enforcement officers and stated, among other things, that he and the other members of Goatse Security often communicated with one another using an online medium known as Internet Relay Chat, or "IRC."
--
Approximately one month after the search of defendant Auernheimer's home, a confidential source (the "CS") contacted federal law enforcement officers and stated, among other things, that the CS routinely monitored "#dominion," one of the IRC channels used by Goatse Security members to communicate with one another. The CS also provided law enforcement officers with chat logs from the "#dominion" channel from on or about June 2, 2010 through on or about June 11, 201 O. Extending over 150 pages, those chat logs conclusively demonstrate that defendants Spitler and Auernheimer were responsible for the data breach and conducted the breach to simultaneously damage AT&T and promote themselves and Goatse Security. Excerpts from the chat logs are provided below.8
--
On or about June 5, 20 I 0, defendant Spitler was chatting with "Nstyr" and "Pynchon," and the three considered the possible benefits of harvesting ICC-IDle-mail pairings:
Spitler:if you enter valid ICCIDs in this website you can get iPad subscriber email addresses I dont see the point unless we phish9 for passes even then that's boring
Nstyr:data minig *mining you could put them in a database for spamming for example sell them to spammers ...
Spitler:tru ipad focused spam
Pynchon:harvest all the emails then expose it publicly
Spitler: hahaha
Pynchon: tarnish at&t
Spitler: true
Nstyr: or sell if for thousands to the biggest spammers
--
the IRC logs go on to print off the cuff convo about criminal acts like shorting AT&T stock, selling the addresses to spammers, conspiracy to harm the reputation of At&T, bragging about harming other companies.
Why would anyone chat in a public IRC about crminal activities?
--
"Through their investigation, federal law enforcement officers have learned that Goatse Security is a loose association of Internet hackers and self.professed Internet "trolls."7 Indeed, defendant Auernheimer has previously been public and outspoken about his trolling activities."
So are you one of the hackers or one of the trolls?
you are all worried about who the snitch was? If you guys have access to your OWN logs (if you are a legit goatse member) you could check the DATE (its in the FBI report) along with the names of everyone who was logged in to IRC during that convo - in your LOGS. Pretty simple.
So I say this is a troll to pump up goatse (or this hackbloc??) and incite FUD, "oh the meanie FBI is harassing innocent hackers, here comes the black helicopters and they took my rights!" Congratulations dumbass, here is the attention you always wanted!
The IRC chat logs, the FBI court doc, and even the interviews in the press - all point to you guys. You guys are not professionals, you guys are not even security advocates - you had initally intended to harm the reputation of At&T - bragging about (You guys - I use loosely, meaning 'those kinds of hackers')
"In an August 3, 2008 interview with The New York Times, defendant Auernheimer admitted: "I hack, I ruin, I make piles of money. I make people afraid for their lives. Trolling is basically Internet eugenics. I want everyone off the Internet."
"Auernheimer posted several "sermons" in the guise of the "iProphet." One such video was entitled "Sermon on Fear and The Men In BlacklDirect Democracy." During this video, Auernheimer stated: "Trolling can frequently have large economic repercussions as, as I learned, 1 learned when I trolled Amazon. I saw a one billion dollar change in their market capitalization. That's the most monetary affection [sic] ofa publicly traded stock that I've ever personally done. I mean, I've caused a more dramatic shift in price, but never market capitalization." Auernheimer continued: "So a billion dollars changed hands as a result of my trolling, and I'm very, very glad to know that such insignificant things on the Internet can have drastic, far reaching effects."
--
Yep - About $73,000 in cost to At&T, some stock loss, and the FBI is on your ass - those are the 'drastic, far reaching effects" What did you expect - a gold medal? a nice watch, or maybe some tickets to a show? An IT SecTec job trusted to protect networks?
Why so surprised? I was just embarrassed you guys were so stupid to discuss a major felony crime in progress, on IRC? (again, you guys is used loosely for misguided hackers)
(killed your Poll, why the fuck did you need a poll for your troll?)
DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.
Re: Assistance Requested in Identifying People who Snitched on G
WordDNR wrote: Why would anyone chat in a public IRC about crminal activities?
DNR
^^ Funniest thing I've read this morningDNR wrote: So I say this is a troll to pump up goatse (or this hackbloc??) and incite FUD, "oh the meanie FBI is harassing innocent hackers, here comes the black helicopters and they took my rights!"
DNR
knuffeltjes voor mijn knuffel
[img]http://i911.photobucket.com/albums/ac320/stuphsack/Sig.jpg[/img]
[img]http://i911.photobucket.com/albums/ac320/stuphsack/Sig.jpg[/img]
Re: Assistance Requested in Identifying People who Snitched on G
Just a few thoughts on this in response to mainly DNR. I think to classify this as trolling is a little overbroad, I'm simply posing this question to people here because I think it warrants discussion. In the hacker community, this is a really hot button issue and to me that says it's something that warrants discussion. The uproar that surrounded the Adrian Lamo/Bradley Manning incident is one of the recent incidences I can think of where such discussion was valuable.
It seems to me that in 99% of communities that are targeted for persecution by the government (whether you're talking about activists or gang members is irrelevant here), they quickly learn to adopt a social code against snitching because of the harm it causes to them. Hackers are targeted by law enforcement, some of us have been charged with crimes we never committed, things which shouldn't be considered crimes, or things which actually aren't even considered crimes. One only needs to look at cases like Bernie S, Adrian Lamo, or the history of Operation Sundevil to draw this conclusion.
As somebody who has been in court documents before and knows people who has served time, I'd caution people against taking what is in these court documents as the truth. A good handful of the "facts" in this document are disputed by those in Goatse (according to their public announcement). Prosecutors and cops routinely make shit up or alter facts to do better in court as anybody who has had much experience in the court system will tell you. IRC logs, which make up the main part of their indictment, are incredibly easy to falsify. We're talking about a text file, something which I could have made on my own computer and submitted to the FBI.
That being said, even accepting that everything in that document is irrefutable fact, the "well fuck them because they were dumbasses" response is not considering the context this situation occurs within. What these members of goatse are accused of is disclosing a vulnerability that put a large number of iPad users at risk. The prosecutor calls it hacking but as most people who look at this case will say, what they did wasn't hacking. There were no passwords to break through, no system to penetrate. What they did could be better compared to querying a database. The reason they got in legal trouble, ultimately, is that they pissed off some people at AT&T. The "some people" are the same people who put their entire userbase at risk through an extremely insecure setup. They didn't improperly hash their passwords, use a weak SSL certificate, or make any other mistakes which would be considered "acceptable", they simply put their entire database online to anybody smart enough to ask for it. Those some people (or likely, those some people's bosses) are high-powered executive who run a giant telecommunications company. They know people in the FBI and, like other corporate execs, at the drop of a hat they can sell a story to them and get somebody felony charges.
Maybe it wasn't that smart to fuck with AT&T, maybe it was even overly risky, but that doesn't mean it was wrong. Maybe it was stupid to talk about it in IRC in front of people who weren't involved. Maybe they shouldn't have made jokes or speculated about all the bad things they could have done with this information (even according to the court filings, there's no evidence they intended to go through with this plan). Maybe they fucked up 99% of what they did in exposing this security flaw but does that mean they should be facing several years behind bars and that we should, instead of trying to support these people, be ostracizing them and supporting the sentence they will be getting? People will find 99 problems with a defendant before they ever look at the prosecutor.
You're quoting articles about how this guy enjoys trolling but did no research on the prosecutor themselves. I'm not going to lie, I would get some jollies if I caused such a big embarrassment to AT&T or any other large company, but if users get better security who really cares how hard my dick got from it? C'mon...
Back to snitching though, we're talking about somebody who hangs out in IRC channels that other hackers hang out in. They might even know some in real life, maybe they've even been to your house. Unfortunately, we can't know unless we can identify who that person was. It could be this person is in several other cases, maybe they've got motivations like trying to work off a sentence of their own, we can't know that until we can identify them.
I've seen people got to jail due to the testimony of somebody who entrapped them or made up evidence. As long as we have people in our circles who have done that, we can expect them to do it again.. and again.. and again. Sure, we can't get rid of everybody who may potentially snitch on us, but the least we can do is kick out the ones we do know about.
And it's not just people who are relaying information on crimes they saw or didn't see, we're talking about people who could be informants. People who are providing seemingly innocuous information to the FBI, DHS, SS, or other agencies on our hacker friends. Information that may, in the future, be used to target those hackers, entrap them, justify a wiretap on them, make them suspects in a case, or god knows what. We don't trust the government to have an internet kill switch, monitor everybody's phone line, etc but we do trust (or simply don't care about) people who actively provide information to them?
Hackers are not simply a bunch of randos who happen to congregate on forums and IRC channels, we're a community. Not everybody knows everybody but we have some type of social networking. Some are more connected than others, but most of us share some common ideas such as the hacker ethic. Some of us do things that are illegal but not wrong. Some of us are involved in projects like Wikileaks, the Tor Project, bittorrent trackers, or other examples I'm sure you could think of us. Some of us publish magazines and things the government and corporations would rather us not publish because it's inconvenient. All of those "some of us" and whoever gets lumped in with us are people who are targeted, in some way, by law enforcement. Maybe it's not direct for many of us, but for some us it is very direct (ask anybody involved in the scene for a while such as the 2600 crew and they've surely got stories). What community in their right mind would allow known snitches to roam about in their ranks? People who have put their people in jail?
And as a final note, I'm not in goatse or hackbloc. I just posted the goatse link because I thought it was important to discuss the case and find the informant.
It seems to me that in 99% of communities that are targeted for persecution by the government (whether you're talking about activists or gang members is irrelevant here), they quickly learn to adopt a social code against snitching because of the harm it causes to them. Hackers are targeted by law enforcement, some of us have been charged with crimes we never committed, things which shouldn't be considered crimes, or things which actually aren't even considered crimes. One only needs to look at cases like Bernie S, Adrian Lamo, or the history of Operation Sundevil to draw this conclusion.
As somebody who has been in court documents before and knows people who has served time, I'd caution people against taking what is in these court documents as the truth. A good handful of the "facts" in this document are disputed by those in Goatse (according to their public announcement). Prosecutors and cops routinely make shit up or alter facts to do better in court as anybody who has had much experience in the court system will tell you. IRC logs, which make up the main part of their indictment, are incredibly easy to falsify. We're talking about a text file, something which I could have made on my own computer and submitted to the FBI.
That being said, even accepting that everything in that document is irrefutable fact, the "well fuck them because they were dumbasses" response is not considering the context this situation occurs within. What these members of goatse are accused of is disclosing a vulnerability that put a large number of iPad users at risk. The prosecutor calls it hacking but as most people who look at this case will say, what they did wasn't hacking. There were no passwords to break through, no system to penetrate. What they did could be better compared to querying a database. The reason they got in legal trouble, ultimately, is that they pissed off some people at AT&T. The "some people" are the same people who put their entire userbase at risk through an extremely insecure setup. They didn't improperly hash their passwords, use a weak SSL certificate, or make any other mistakes which would be considered "acceptable", they simply put their entire database online to anybody smart enough to ask for it. Those some people (or likely, those some people's bosses) are high-powered executive who run a giant telecommunications company. They know people in the FBI and, like other corporate execs, at the drop of a hat they can sell a story to them and get somebody felony charges.
Maybe it wasn't that smart to fuck with AT&T, maybe it was even overly risky, but that doesn't mean it was wrong. Maybe it was stupid to talk about it in IRC in front of people who weren't involved. Maybe they shouldn't have made jokes or speculated about all the bad things they could have done with this information (even according to the court filings, there's no evidence they intended to go through with this plan). Maybe they fucked up 99% of what they did in exposing this security flaw but does that mean they should be facing several years behind bars and that we should, instead of trying to support these people, be ostracizing them and supporting the sentence they will be getting? People will find 99 problems with a defendant before they ever look at the prosecutor.
You're quoting articles about how this guy enjoys trolling but did no research on the prosecutor themselves. I'm not going to lie, I would get some jollies if I caused such a big embarrassment to AT&T or any other large company, but if users get better security who really cares how hard my dick got from it? C'mon...
Back to snitching though, we're talking about somebody who hangs out in IRC channels that other hackers hang out in. They might even know some in real life, maybe they've even been to your house. Unfortunately, we can't know unless we can identify who that person was. It could be this person is in several other cases, maybe they've got motivations like trying to work off a sentence of their own, we can't know that until we can identify them.
I've seen people got to jail due to the testimony of somebody who entrapped them or made up evidence. As long as we have people in our circles who have done that, we can expect them to do it again.. and again.. and again. Sure, we can't get rid of everybody who may potentially snitch on us, but the least we can do is kick out the ones we do know about.
And it's not just people who are relaying information on crimes they saw or didn't see, we're talking about people who could be informants. People who are providing seemingly innocuous information to the FBI, DHS, SS, or other agencies on our hacker friends. Information that may, in the future, be used to target those hackers, entrap them, justify a wiretap on them, make them suspects in a case, or god knows what. We don't trust the government to have an internet kill switch, monitor everybody's phone line, etc but we do trust (or simply don't care about) people who actively provide information to them?
Hackers are not simply a bunch of randos who happen to congregate on forums and IRC channels, we're a community. Not everybody knows everybody but we have some type of social networking. Some are more connected than others, but most of us share some common ideas such as the hacker ethic. Some of us do things that are illegal but not wrong. Some of us are involved in projects like Wikileaks, the Tor Project, bittorrent trackers, or other examples I'm sure you could think of us. Some of us publish magazines and things the government and corporations would rather us not publish because it's inconvenient. All of those "some of us" and whoever gets lumped in with us are people who are targeted, in some way, by law enforcement. Maybe it's not direct for many of us, but for some us it is very direct (ask anybody involved in the scene for a while such as the 2600 crew and they've surely got stories). What community in their right mind would allow known snitches to roam about in their ranks? People who have put their people in jail?
And as a final note, I'm not in goatse or hackbloc. I just posted the goatse link because I thought it was important to discuss the case and find the informant.
Re: Assistance Requested in Identifying People who Snitched on G
So I just read a ton of data... I hate reading data that, in the end, amounts to a colossal waste of time. You complain about snitches, ok well let's look at that.
They exaggerated their abilities and motives.
They made a nuisance of themselves to American industry (I say this loosely as an indicator of both private and government industry)
They talked about exploits over unencrypted channels. I know these records can be falsified, but unless either of the other two points where true in excess, why bother.
I remember when Keven Mitnick went to court. Did you know that a prosecutor convinced a jury of his peers, that Kevin was so dangerous he could start a nuclear war by whistling into a pay-phone?
It was bullshit then, and it's bullshit now... In fact, that you can't trust anything you read in the paper is about the only useful information I gleaned from your post which leads to only a few possible solutions as I see it.
The records where falsified, and this poor bastards are going to be made into an example... look at the bright side, even Mr. Mitnick turned his life's practice into a successful business in the end.
The records where true, and these stupid bastards should have been discussed the topics under some means of encryption.
Was there a snitch... perhaps.
Was that snitch a fellow 'hacker' or was he a government employee... who's to say. I've never been indicted... probably because I don't participate in illegal activities, and if I did you can be damn sure I wouldn't share about it around the IRC campfire.
In truth, the logs exist, the people who should be closest to the situation have them, and if someone is to be chastised and castigated thereof, it is none of my concern. (the snitch) can cry himself to sleep on his big pillow, and then wake up refreshed to know that he can always just make up a new name, with a new proxy and do it all over again.
Spitler and Auernheimer put themselves on the stand, and whether they take responsibility for that is a moot point. they aren't the first people to think they where untouchable, and they wont be the last. As for what to o with snitches?
Don't put yourself in a position to give them power over you perhaps... that'll probably work
They exaggerated their abilities and motives.
They made a nuisance of themselves to American industry (I say this loosely as an indicator of both private and government industry)
They talked about exploits over unencrypted channels. I know these records can be falsified, but unless either of the other two points where true in excess, why bother.
I remember when Keven Mitnick went to court. Did you know that a prosecutor convinced a jury of his peers, that Kevin was so dangerous he could start a nuclear war by whistling into a pay-phone?
It was bullshit then, and it's bullshit now... In fact, that you can't trust anything you read in the paper is about the only useful information I gleaned from your post which leads to only a few possible solutions as I see it.
The records where falsified, and this poor bastards are going to be made into an example... look at the bright side, even Mr. Mitnick turned his life's practice into a successful business in the end.
The records where true, and these stupid bastards should have been discussed the topics under some means of encryption.
Was there a snitch... perhaps.
Was that snitch a fellow 'hacker' or was he a government employee... who's to say. I've never been indicted... probably because I don't participate in illegal activities, and if I did you can be damn sure I wouldn't share about it around the IRC campfire.
In truth, the logs exist, the people who should be closest to the situation have them, and if someone is to be chastised and castigated thereof, it is none of my concern. (the snitch) can cry himself to sleep on his big pillow, and then wake up refreshed to know that he can always just make up a new name, with a new proxy and do it all over again.
Spitler and Auernheimer put themselves on the stand, and whether they take responsibility for that is a moot point. they aren't the first people to think they where untouchable, and they wont be the last. As for what to o with snitches?
Don't put yourself in a position to give them power over you perhaps... that'll probably work
knuffeltjes voor mijn knuffel
[img]http://i911.photobucket.com/albums/ac320/stuphsack/Sig.jpg[/img]
[img]http://i911.photobucket.com/albums/ac320/stuphsack/Sig.jpg[/img]
Re: Assistance Requested in Identifying People who Snitched on G
I read all of the articles and some things just stick out.
Let me see if I fully understand this, they managed to find a flaw in at&t's system that they did not have to hack into. They asked questions and the computer system freely gave out information. They managed to inform at&t about the problem and waited to release information of what they had found until the program was patched. However they are guilty of fantasizing in a irc chat room about what they COULD DO with the information that they obtained.
I think that what bothers me the most of of all this is one of the points in the first article that DNR posted that stated,
"Computer Fraud and Abuse Act generally prohibits unauthorized access to computers. The question is whether typing information into a public website is unauthorized, she said."
Depending on how this is eventually defined it could be quite interesting for anyone typing information into a public website. Post on face book commit a felony and go to jail. A little extreme I know but I had to add that last line. However, is that not typing information into a public website?
The next thing that I picked up on is that they are going to get in trouble for discussing what they could with the information not what they did with the information. So now it is possible to get busted for thinking and talking about doing something weather or not you do it.
I can see it now, I will be talking about how I should drive my Chevelle down the road at 100+ and the next day get a ticket for speeding. Even though I have not started or drove the car the day before. But because I stated that I could do it i'm guilty of doing it.
The last thing that bothers me is that we have a world of snitches, at least in the US the local and state governments are trying to make this behaviour profitable. It started with a local poll I recently seen on one of the local tv stations, "Would you turn someone in for doing something you think is illegal if you got a reward for it?" a good percentage said that they would. The new career snitching for profit everyone is a possible pay check so watch your neighbour.
The people in the article are getting busted for being stupid. It is how they are getting busted that I find interesting and have a few problems with. For what it is worth it is just my two cents.
Let me see if I fully understand this, they managed to find a flaw in at&t's system that they did not have to hack into. They asked questions and the computer system freely gave out information. They managed to inform at&t about the problem and waited to release information of what they had found until the program was patched. However they are guilty of fantasizing in a irc chat room about what they COULD DO with the information that they obtained.
I think that what bothers me the most of of all this is one of the points in the first article that DNR posted that stated,
"Computer Fraud and Abuse Act generally prohibits unauthorized access to computers. The question is whether typing information into a public website is unauthorized, she said."
Depending on how this is eventually defined it could be quite interesting for anyone typing information into a public website. Post on face book commit a felony and go to jail. A little extreme I know but I had to add that last line. However, is that not typing information into a public website?
The next thing that I picked up on is that they are going to get in trouble for discussing what they could with the information not what they did with the information. So now it is possible to get busted for thinking and talking about doing something weather or not you do it.
I can see it now, I will be talking about how I should drive my Chevelle down the road at 100+ and the next day get a ticket for speeding. Even though I have not started or drove the car the day before. But because I stated that I could do it i'm guilty of doing it.
The last thing that bothers me is that we have a world of snitches, at least in the US the local and state governments are trying to make this behaviour profitable. It started with a local poll I recently seen on one of the local tv stations, "Would you turn someone in for doing something you think is illegal if you got a reward for it?" a good percentage said that they would. The new career snitching for profit everyone is a possible pay check so watch your neighbour.
The people in the article are getting busted for being stupid. It is how they are getting busted that I find interesting and have a few problems with. For what it is worth it is just my two cents.
Re: Assistance Requested in Identifying People who Snitched on G
I can traverse directories by mistyping the URL string, but THEY ran a bruteforcer on the ICC ID URLs - to find positive matches.
Like lilrofl said - they could have reported the flaw to At&t in a professional manner - there are PLENTY of hackers out there that have found exploits in major networks and successfully reported them without being arrested. To say that 99% of us are persecuted is wrong. Lets be honest - play with fire, you might get burned. This security/Netsec/grey hat hacking is not for children who do not know when to stop, who do not understand when it is time to move on. Security work is about security, it is not appropriate to use this skill or information for ego power trips or fantasy chit chat. If you asked me, I say 99% of REAL hackers are undetected or allowed as they operate in a professional manner. The ones that get caught, were using 'hacking' as a part of a criminal plan, not a hacking ideology. The ones that get caught, are the posers - the people that trip on creating havoc with other people's networks and money - their misguided sense of hacktivism turned into a child's game of thrills - akin to throwing a snowball at moving cars and running.
If I was still working at this bank's international wire transfer colocation facility, and I started chit chatting about at the lunch counter next door about how easy it would be to rob the bank - I should expect - 1. Loss of trust 2. Loss of professional image 3. terminated for 'not meeting professional standards'.
Working security means you keep secrets. If you are smart enough to find flaws in critical systems, the real test is what you will do with your knowledge. Will it be wisdom?
All this talk about snitches - all the FBI had to do was check the guys blog - his damn profile had his real name, I am sure his friends connected on the blog, and they had incriminating statements. Then the warrant - rule #1. SHUT THE FUCK UP - YOU HAVE THE RIGHT TO REMAIN SILENT, use it. Don't try to make deals with the FBI while they trash your house, they don't have permission to make deals, and you should SHUT THE FUCK UP! Telling the FBI about your hacker website, chat room, friends - that was pretty close to snitching. They snitched on themselves.
Yea, suck-o is a hard forum sometimes. Suck-o means you keep secrets..
DNR
Like lilrofl said - they could have reported the flaw to At&t in a professional manner - there are PLENTY of hackers out there that have found exploits in major networks and successfully reported them without being arrested. To say that 99% of us are persecuted is wrong. Lets be honest - play with fire, you might get burned. This security/Netsec/grey hat hacking is not for children who do not know when to stop, who do not understand when it is time to move on. Security work is about security, it is not appropriate to use this skill or information for ego power trips or fantasy chit chat. If you asked me, I say 99% of REAL hackers are undetected or allowed as they operate in a professional manner. The ones that get caught, were using 'hacking' as a part of a criminal plan, not a hacking ideology. The ones that get caught, are the posers - the people that trip on creating havoc with other people's networks and money - their misguided sense of hacktivism turned into a child's game of thrills - akin to throwing a snowball at moving cars and running.
If I was still working at this bank's international wire transfer colocation facility, and I started chit chatting about at the lunch counter next door about how easy it would be to rob the bank - I should expect - 1. Loss of trust 2. Loss of professional image 3. terminated for 'not meeting professional standards'.
Working security means you keep secrets. If you are smart enough to find flaws in critical systems, the real test is what you will do with your knowledge. Will it be wisdom?
All this talk about snitches - all the FBI had to do was check the guys blog - his damn profile had his real name, I am sure his friends connected on the blog, and they had incriminating statements. Then the warrant - rule #1. SHUT THE FUCK UP - YOU HAVE THE RIGHT TO REMAIN SILENT, use it. Don't try to make deals with the FBI while they trash your house, they don't have permission to make deals, and you should SHUT THE FUCK UP! Telling the FBI about your hacker website, chat room, friends - that was pretty close to snitching. They snitched on themselves.
Yea, suck-o is a hard forum sometimes. Suck-o means you keep secrets..
DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.
Re: Assistance Requested in Identifying People who Snitched on G
Pulling a gray hat usually helps in the long run. Disclosing vulnerabilities is good for you in the long run. Especially if you are dumb enough to talk about hacking illegally in a public irc.....
~[Lykos]~
~[Lykos]~