Re: [Prs2002] Re: CRIME EarthLink Password Security Story

From: Zot O'Connor (zot@private)
Date: Wed Jun 19 2002 - 13:40:18 PDT

    Just a note.  If Max Butler had not released a worm that allowed him
    private access to machines he had no rights to, I doubt he would have
    been arrested.
    
    He did.
    
    He was arrested.  He was offered a deal.  The deal went bad.  He was
    convicted (plea) and jailed.
    
    A better title might be "A Black Hat Hacker (who also did good things
    from time to time) goes to jail."
    
    But then it wouldn't be a very good article.
    
    Had he not been an informant prior, or had the deal not been offered,
    would anyone defend him?
    
    He released a worm that gave him private access to machines for which he
    had no rights.  All other factors are mitigating at best, but they do
    not override that.
    
    As for reporting:
    
        Max's arrest in March 2000 followed his refusal to wear a wiretap
        into a meeting with a friend, Matthew Harrigan, then chief technical
        officer of San Francisco security services firm MCR and an ex-hacker
        who went by the handle of "Digital Jesus." 
    
    This is like people on late night radio (Loveline) who say "My boyfriend
    is in jail."  "What for?"  "Parole Violation."  As though he was not in
    jail for an actual crime.....
    
    
    
    
    On Wed, 2002-06-19 at 13:27, Lyle Leavitt wrote:
    > Seth,
    > 
    > Good point. I forget that in our court system "white-hat hacker" is an
    > oxymoron. So I should just tell the media that the "rumor" is that
    > default passwords are going unchecked at AT&T. That's my story and I'm
    > sticking to it. End of story. Bad guys win. Why did I waste my time?
    > 
    > A 'White Hat' Goes to Jail 
    > http://www.wired.com/news/politics/0,1283,44007,00.html
    > 
    > Geo - Is this legal stuff covered in the PRS training?
    > 
    > -Lyle
    > 
    > Seth Arnold wrote:
    > > 
    > > On Wed, Jun 19, 2002 at 03:42:09AM -0700, Lyle Leavitt wrote:
    > > > I selected several email addresses from the results. I then tried
    > > > logging into their email with password as the password. Sure enough I
    > > > got in 2 out of the 8 that I tried.
    > > 
    > > Lyle, I'd like to discourage doing this in the future; you've actually
    > > accessed several accounts without proper authorization. Let's not forget
    > > that Randal Schwartz did several years of community service for simply
    > > _finding_ passwords on intel machines -- he didn't even try any of them.
    > > _I_ know your intentions are good, _you_ know your intentions are good,
    > > but proving that to a jury might be difficult or pointless or both.
    > > 
    > > Cheers
    > > 
    > > --
    > > http://www.wirex.com/
    > > 
    > 
    > _______________________________________________
    > Prs2002 mailing list
    > Prs2002@private
    > http://lists.whiteknighthackers.com/mailman/listinfo/prs2002
    > 
    -- 
    Zot O'Connor
    
    http://www.ZotConsulting.com
    http://www.WhiteKnightHackers.com
    



    This archive was generated by hypermail 2b30 : Wed Jun 19 2002 - 14:01:20 PDT