Forgot your password?
typodupeerror
America Online Spam Your Rights Online

AOL Employee Arrested in Spam Scheme 428

Posted by simoniker
from the america-shaking-fist-online dept.
LostCluster writes "The AP, Reuters, and AOL's own CNN/Money are all reporting that AOL employee Jason Smathers has been arrested and accused of taking a list of 92 million screennames from the internal AOL system, and selling it to another man, who allegedly used it 'to promote his own Internet gambling business and also sold the list to other spammers for $52,000'. Not surprisingly, Smathers has been fired."
This discussion has been archived. No new comments can be posted.

AOL Employee Arrested in Spam Scheme

Comments Filter:
  • by Anonymous Coward on Wednesday June 23, 2004 @06:39PM (#9512797)
    "You've Got Spam!"
  • by Anonymous Coward on Wednesday June 23, 2004 @06:39PM (#9512798)
    That they didn't pay more for the list. I mean, the names of 92 million really clueless people who think AOL is "that thar interweb" would probably buy V1@GR@ by the case. Jesus, it would be a spammer's wet dream!
  • by mOoZik (698544) on Wednesday June 23, 2004 @06:39PM (#9512801) Homepage
    And $25,000 seems a tad...low.

    • by bigman2003 (671309) on Wednesday June 23, 2004 @07:15PM (#9513130) Homepage
      Especially for a list of confirmed gullible people.

      The chances of an AOL user falling for a spam-scam are probably good. They already fell for one scam, so they've proven themselves to be targets already.
    • $25,000? (Score:5, Informative)

      by ackthpt (218170) * on Wednesday June 23, 2004 @07:49PM (#9513397) Homepage Journal
      Read the article lately?

      Former AOL employee Smathers sold the initial list for an unmentioned amount to Dunaway (the spammer) then Smathers sold an updated list to Dunaway for $100,000. Dunaway sold lists to other spammers for $52,000.

      Smathers & Dunaway to AOL members: "All your screenname are belong to us!"

      I expect something like this happened at eBay a while back. I changed my email address for eBay to a new mailbox. A few weeks later someone spammed it offering to sell lists of eBay members. Then spam followed, usually from phishers.

    • by mothz (788133) on Wednesday June 23, 2004 @07:55PM (#9513441)
      $52,000 for 92 million addresses is nearly 1800 addresses per dollar. At that price it would cost only $3.6 million to get the address of every man, woman, and child in the entire world. And to think, spammers used to hang out in AOL public chat rooms to collect screennames. Ahh, economic efficiency.
    • by Theatetus (521747) * on Wednesday June 23, 2004 @08:51PM (#9513816) Journal

      Not really. Mailing to AOL is a hit-or-miss thing. We run a lot of mailing lists (bands' fanlists, organiztions' newsletters, etc.) and about half of the time you have AOL addresses on a list they bounce it. And they don't *just* bounce it, they set up a slow-ass connection to your bounce server and time it out (clever idea actually).


      So, if you were a spammer, AOL addresses would be of dubious use.

      • If you were a spammer, you wouldn't ever get even one of the bounces to "your" spoofed address.

        Kiwaiti

      • by bigsteve@dstc (140392) on Thursday June 24, 2004 @03:08AM (#9515789)
        And they don't *just* bounce it, they set up a slow-ass connection to your bounce server and time it out (clever idea actually).

        Clever idea ... but counter-productive in the long run.

        Assuming that the spammer is using a herd of zombie PCs for spam relaying, and each PC can handle multiple mail connections, they are not likely to be slowed down much by this tactic. In addition, spamming PC can be set up to aggressively time out connections to slow mail servers.

        On the other hand, people who run legitimate mailing lists may suffer when a list submission triggers spam detection and slow server counter measures. The mailing list server will typically NOT be able to send huge numbers of emails in parallel, and will NOT want to aggressively time out slow mail servers. As a result, if a mailing is (rightly or wrongly) classified as SPAM and triggers counter measures, mailing list delivery suffers.

  • Welcome! (Score:5, Funny)

    by Motherfucking Shit (636021) on Wednesday June 23, 2004 @06:39PM (#9512802) Journal
    You've Got Jail!
  • Fired? (Score:3, Insightful)

    by 91degrees (207121) on Wednesday June 23, 2004 @06:39PM (#9512806) Journal
    Aren't we supposed to wait for someone to be found guilty before punishing them?
    • Re:Fired? (Score:3, Interesting)

      by mOoZik (698544)
      It never reached the court of law, it seems, so the company is only taking preventative - if premature - actions.

    • Re:Fired? (Score:5, Informative)

      by Kiryat Malachi (177258) on Wednesday June 23, 2004 @06:42PM (#9512822) Journal
      Only in criminal court. Unless the guy had an employment contract that stated otherwise, he was employed "at the pleasure of the employer" - i.e. he can be fired for just about anything, barring discriminatory or retaliatory firings.

      And I don't think anyone can argue that there's cause here.
    • Re:Fired? (Score:5, Insightful)

      by EvanED (569694) <evaned@gmailPASCAL.com minus language> on Wednesday June 23, 2004 @06:43PM (#9512841)
      Firing someone has a lower burden of proof (and rightly so) than a criminal conviction; if there's enough for an arrest and charges to be brought, then there's probably enough evidence to warrant a firing.
      • Re:Fired? (Score:5, Interesting)

        by chimpo13 (471212) <slashdot@nokilli.com> on Wednesday June 23, 2004 @08:07PM (#9513498) Homepage Journal
        Enough to fire him in a private company. For the first three offenses at a state or federal job it'd be a written warning.

        Some guy brought in a gun to work with him at the UC Davis monkey lab, allegedly with a list of people he was mad at (gun for sure, not sure about the list). He's one of the same 2 people who "lost" a monkey. That one made national news, and the other guy got a promotion. Anyway, he got 30 days of "administrative leave" for the gun, which meant they were going to fire him.

        Security was told, "Hey, we had to suspend this guy. If he shows up, wave, let him through, and call the police because he knows he's not supposed to be here". No point in actually telling the security why they were looking for him. And no point in telling employees what was going on. This was during the period when UC Davis was trying to get the Level IV Biohazard Lab, so that *might* have been part of the secrecy, but I think it's because all state jobs usually have A Giant State Head up their ass all the time. In the meantime, this guy got arrested in Wyoming, with the gun, with filed off serial numbers, and illegal drugs. He was in a car his mom rented that wasn't supposed to leave the state. Not sure how much time he's serving. But being black in a Wyoming prison can't be fun. He was a nice guy before he started taking drugs.
    • Re:Fired? (Score:5, Insightful)

      by Motherfucking Shit (636021) on Wednesday June 23, 2004 @06:46PM (#9512878) Journal
      Aren't we supposed to wait for someone to be found guilty before punishing them?
      My guess, and this is only a guess, is that Mr. Smathers was almost certainly confronted by HR or security (do they still call it OpsSec?). My second guess is that he probably admitted what he did.

      In any case, AOL doesn't have an opportunity to wait around and find out whether or not this guy is guilty in a court of law. This is a huge privacy breach affecting millions of people. According to CNN's version of the story, not only did the list contain screen names, it also had each user's telephone number, ZIP code, etc. AOL has no choice but to take immediate and harsh action, i.e. terminating the employee and alerting the authorities. If they hadn't fired the employee they'd be sued faster than you can say "1099 Hours Free."

      There may be lawsuits anyway. Millions of people entrusted their information to AOL, and now it's floating around in the hands of who knows how many spammers.
      • Re:Fired? (Score:4, Insightful)

        by Ratbert42 (452340) on Wednesday June 23, 2004 @09:43PM (#9514166)
        My guess, and this is only a guess, is that Mr. Smathers was almost certainly confronted by HR or security ...

        I didn't read through the whole thing, but my guess is that an informant approached the secret service and the case began outside of AOL. AOL really has no interest in this case being prosecuted. The bad publicity will cost them much much more than any restitution they'll get out of an unemployable 24 year old.

    • by Anonymous Coward
      ... each one of those 92 million victims should be allowed to kick him in the nuts.
    • Re:Fired? (Score:3, Insightful)

      by gcaseye6677 (694805)
      Are you for real? If you were the guy's manager and you had evidence that he was selling company data, convincing enough evidence to get him arrested, you would keep him on the payroll until he was convicted? Yes, the guy is entitled to a fair trial before being punished by the legal system, but as many other posters have pointed out, a company can fire someone for almost any reason they want. And when there's clear evidence of misconduct, an employee doesn't have a chance with a wrongful dismissal suit, ev
  • Security? (Score:5, Insightful)

    by shadowkoder (707230) on Wednesday June 23, 2004 @06:40PM (#9512814)
    You would think there would be limitations on HOW an employee could access such a large database. I mean, does AOL throw out CDs with conveniently formatted lists of all the screen names of its customers?
    • Re:Security? (Score:5, Insightful)

      by isthisthingon (785412) on Wednesday June 23, 2004 @07:01PM (#9513017) Homepage
      Hmmm...just a guess, but it probably went something like this:
      SELECT *

      FROM customer_list
      ORDER BY last_name ASC;
      [zoom to scene of employee nervously looking over his shoulder and tapping his fingers impatiently]

      92,213,798 rows returned.

      [employee thinks to self]: "Dude! Cool! Bonus! We only had 91,125,553 last time I ran this. I'll have to thank the marketing department for sending out those CDs!"
    • Re:Security? (Score:5, Interesting)

      by DrXym (126579) on Wednesday June 23, 2004 @07:46PM (#9513372)
      I suppose it depends what the guy was working on. If it was on their accounts database, what limits can you impose on someone like that? He might have a legitmate reason for running through every screen name, for example to gather statistics or whatnot.

      As it happens however he has been caught. How was he caught? I don't know, but it's not beyond the realm of possibility that the aforementioned database had triggers and an audit trail that says who did what and dumps it in a log somewhere. Or perhaps he tripped over by querying for everything including the flagged accounts - accounts that AOL regularly sacks people for looking at because they belong to celebs and so forth.

      It would not surprise me at all if the alarm bells didn't start ringing as soon as the DB ground to a halt while it was returning 92000000 rows.

      • Re:Security? (Score:3, Interesting)

        by 1u3hr (530656)
        It would not surprise me at all if the alarm bells didn't start ringing as soon as the DB ground to a halt while it was returning 92000000 rows

        Since the FA says he did this at least twice, either they don't check their audit files very often, or he was ratted out by someone later, or did something stupid with his ill-earned cash to attract attention.

      • Re:Security? (Score:3, Insightful)

        by tomhudson (43916)
        So instead of doing a select on the db he just copies the raw data files ... not even all the data files (doesn't need any of the indexes, for example). No need to query the dbms, no alarms going off, no audit trail in the sql logs.

        And, by piping it through gzip, he wouldn't end up with a huge intermediary file:

        cat customer_data_table | gzip > /home/crooked_employee/stolen_data.zip

        Well, that's how I would have done it. Actually, I would have done it using someone else's account :-)

        • Re:Security? (Score:3, Interesting)

          by tftp (111690)
          Large databases usually don't use files, they use raw partitions, with a weird combination of striped and RAIDed volumes for speed and reliability. So it may well be difficult to copy the database - and then to recreate it at home.
  • Double standards.. (Score:5, Insightful)

    by BlueLines (24753) <slashdot@@@divisionbyzero...com> on Wednesday June 23, 2004 @06:43PM (#9512838) Homepage
    ..didn't a bunch of airlines admit to (basically) the same thing? no arrests there..

    • by drinkypoo (153816)
      It's one thing to feed the information to the government and another to feed it to spammers. The first is scarier, but the second is illegal. Under PATRIOT, the first might be seen as mandatory.
    • Every situation is unique, and sometimes different situations require different actions. You see the simularities between two situations, and your opinion is that differences are nonconsequential, but that doesn't mean the other person thinks they same way. They might think that the differences are very important and the simularities are nonconsequential. That doesn't mean that they have a double standard or are hypocritical, it just means that they put different value on the various aspects of the situatio
  • by kfg (145172) on Wednesday June 23, 2004 @06:43PM (#9512846)
    with large, easily searched and copied databases of highly consolidated private data.

    The primary issue to be feared is not that someone who isn't trusted with the data will get ahold of it, but that someone who is trusted with the data will turn out to be untrustworthy.

    The same goes for backdoors. I'm not half so worried about some script kiddie hacking my router as I am some employee/former employee of Cisco simply walking right in.

    KFG
  • by SomePoorSchmuck (183775) on Wednesday June 23, 2004 @06:44PM (#9512861) Homepage
    It's well known that you can invent "unguessable" accounts at hotmail, e.g. rmgdrduckk5arp@hotmail.com, and never join any mailing list or submit your name to any website or allow MSN to list you in the Hotmail User Directory, and yet within a few days or weeks your account will miraculously begin receiving offers from mail order brides, pills, porn, and so on. I've long suspected that someone working for Hotmail is making money on the side by downloading the user list once a week and selling it to spammers. Which is why my hotmail accounts have lapsed and I mainly use my yahoo or Gmail accounts.
    • i've confirmed this. (Score:5, Interesting)

      by bani (467531) on Wednesday June 23, 2004 @06:53PM (#9512951)
      i've created hotmail accounts with crypto-hard random usernames, not listed anywhere, and almost immediately started receiving spam to them.

      it seems to really only happen on new accounts though. old hotmail accounts dont seem to get spam, if you dont publish them anywhere.

      it's entirely possible someone has recently (within the last few years) backdoored hotmail's account creation system to notify them of new accounts, which would explain why old accounts dont get any spam.
    • This is exactly what happened when I had an AOL account. Every day I'd get the 'You've got mail' mantra depite me never having used or distributed my aol email address to anyone. I even used their email client once to have a look at how many messages were in there just out of curiosity. There were about 600, all spam, and that was after about three months.
  • by SkyWalk423 (661752) on Wednesday June 23, 2004 @06:45PM (#9512872) Homepage Journal
    I say make him answer AOL tech support phone calls. He'll beg for jail time after about a week.
  • This reminds me (Score:4, Interesting)

    by thedillybar (677116) on Wednesday June 23, 2004 @06:46PM (#9512884)
    With the value of valid e-mail addresses increasing...how long before /etc/passwd is no longer world readable?

    % wc -l /etc/passwd
    184533 /etc/passwd

    • Re:This reminds me (Score:3, Interesting)

      by Zocalo (252965)
      If you genuinely have *that* many accounts on your *NIX system, then /etc/passwd should probably be almost empty and consist of system accounts only. The user accounts would be much better and securely stored on a dedicated system running a directory/authentication service like an LDAP setup. It might have helped AOL avoid this too, since only a very limited number of people would need access to the entire database if the schema was done right.
  • More details (Score:3, Informative)

    by Gogo Dodo (129808) on Wednesday June 23, 2004 @06:48PM (#9512894)
    More details about the scheme are available at CBS Marketwatch [marketwatch.com].
  • AOL (Score:5, Funny)

    by elbazo (779536) on Wednesday June 23, 2004 @06:48PM (#9512899)
    News just in :

    In response to this 99% of AOL members surveyed who recieved the e-mail clicked on the link and frittered many dollars away at the casino making spam profitable and so continuing the downward spiral of e-mail.

    One user replied saying : "I trust AOL so much when it comes to spam, they always send me the top dollar stuff like penis enlargement pills and always ask me to change my password on non secure sites and ask for my credit card as my account has been hacked. They care so much"
  • by oberondarksoul (723118) on Wednesday June 23, 2004 @06:49PM (#9512905) Homepage
    What worries me is that there could easily be many more employees doing this - not just at AOL, but at other ISPs as well. However, I'm willing to bet that AOL isn't going to hunt for any other people like this doing it. Unless they're made aware of other inside jobs of this, they'll probably stay happily oblivious to anyone else wanting to make a fast buck.
  • by fembots (753724) on Wednesday June 23, 2004 @06:50PM (#9512917) Homepage
    Okay the guy has been arrested and fired, but what about those names already sold to spammers?

    In the article AOL didn't seem to mention what they are doing to protect the victims, except "they are thoroughly reviewing and strengthening our internal procedures".

    Is this good enough? Sometimes you can punish the offender enough to compensate the victims.
  • An observation. (Score:5, Insightful)

    by steve buttgereit (644315) on Wednesday June 23, 2004 @06:50PM (#9512918) Homepage
    An interesting way to look at this is consider the age of the people involved. The engineer was 24 and the Casino guy was 21. IT, notorious for age discrimination in favor of young, brighteyed types, may actually be introducing a greater security risk with the practice.

    I remember when I was in my early 20s and lets just say I didn't have a lot to lose... and everything to gain from taking a chance here and there. By placing less mature workers into places where personal ethics and great responsibility collide, you're asking for issues just like this.

    I don't mean in indict all younger workers. Certainly most are good employees; I've hired many younger people without trouble. But as a percentage of population, the younger I expect to make more 'mistakes' both simple errors and errors in judgment.

    My two bits...
    SCB
    • Re:An observation. (Score:4, Insightful)

      by Telastyn (206146) on Wednesday June 23, 2004 @07:01PM (#9513018)
      Error in judgement? Come on, this is pretty obviously a 'bad thing'. No mistake; criminal intent.

    • Re:An observation. (Score:5, Insightful)

      by Kphrak (230261) on Wednesday June 23, 2004 @07:21PM (#9513182) Homepage

      Why don't we put it another way? "Note that both people involved were guys. By its traditional discrimination against women (who more civilized) in favor of men (more aggressive and violent), IT is introducing a security risk since men will take more chances." It makes as much sense as the above "these damn' kids screw up all the time" rant (and before some /. feminist says "you go girl!", I should add that I'm male, 23, and consider both arguments completely idiotic).

      IT is a younger field, therefore more IT guys are younger. Granted, it's been around for the last 40 years, but for about half of that time, you needed a lot of money to get a computer. The generation that got to use truly cheap computers came of age just ten years ago. It's natural that there is now an explosion of younger IT workers.

      Marital, family, religious, and civic ties to society, IMHO, are much more likely to keep people honest than their age, even counting the fact that younger workers may be less experienced. And if you don't believe me, check a newspaper and see how many older, powerful men are at this moment headed to Club Fed because they weren't any better at ethics than the AOL dimwits mentioned in this article. Most of Congress is composed of older men, and I'd almost rather have Sanford Wallace (of Cyber Promotions infamy) representing me than some of these folks.

      I work in a government agency, so I see a large proportion of older workers. Some are smart, hard workers; others are idiots. I see no larger proportion of idiots among younger people than I do among older ones, nor do I see any indication that the intelligence or ethics of the old have anything to do with the fact that they are old.

      • Re:An observation. (Score:4, Interesting)

        by steve buttgereit (644315) on Wednesday June 23, 2004 @08:00PM (#9513460) Homepage
        Why don't we put it another way? "Note that both people involved were guys. By its traditional discrimination against women (who more civilized) in favor of men (more aggressive and violent), IT is introducing a security risk since men will take more chances." It makes as much sense as the above "these damn' kids screw up all the time" rant (and before some /. feminist says "you go girl!", I should add that I'm male, 23, and consider both arguments completely idiotic).

        Actually, I wouldn't be terribly surprised if the counter-point you offer to try to discredit my argument is, itself, true. By the way, my observation is derived not from a single article but experience from my experience working in IT. The article simply providing an interesting context.

        IT is a younger field, therefore more IT guys are younger. Granted, it's been around for the last 40 years, but for about half of that time, you needed a lot of money to get a computer. The generation that got to use truly cheap computers came of age just ten years ago. It's natural that there is now an explosion of younger IT workers.

        I'm not sure what relavence this statement has to my point. This is all true on the face of it, but neither supports nor detracts from my hypothesis. What I will say, assuming your statement is true, is that the impact mistakes made by anyone in IT has the potential to be greater than at any time in history. Would, 40 years ago, a couple of 20somethings have had the tools to commit a crime that impacted as many 93 million people? What if he weren't at AOL, but Bank of America?

        Marital, family, religious, and civic ties to society, IMHO, are much more likely to keep people honest than their age, even counting the fact that younger workers may be less experienced.

        Thank you for help in supporting my point. Much of my point is predicated on the fact that younger people are more likely not to have the same connections and convictions that older people do. How many professional 24 year olds are married as compared to say married 45 year olds? How many have their own families (a strong connection than to just mom & dad)? Never did I mention experience: I was careful to say mature.

        And if you don't believe me, check a newspaper and see how many older, powerful men are at this moment headed to Club Fed because they weren't any better at ethics than the AOL dimwits mentioned in this article. Most of Congress is composed of older men, and I'd almost rather have Sanford Wallace (of Cyber Promotions infamy) representing me than some of these folks.

        I find trouble in using the newspaper to uncover trends, there are too many other factors to consider them useful sources of this kind of information. Older people are more likely to have roles in more sophisticated, larger stakes games. But what we don't see in the papers are how many people are being put away for $50K in embezzlement here, $75K in kickbacks there... in fact, if it weren't for the 93 million users, you would probably have never heard of this either in the papers. I still maintain that younger workers will have higher security issues as compared to the population as a whole. By the way... how many older people do we hear about getting put away writing viruses and worms? Don't confuse high profile for quantity or even severity.

        I work in a government agency, so I see a large proportion of older workers. Some are smart, hard workers; others are idiots. I see no larger proportion of idiots among younger people than I do among older ones, nor do I see any indication that the intelligence or ethics of the old have anything to do with the fact that they are old.

        Don't get me wrong... avarice comes in all ages. But the selection process for congress is slanted to those that are most likely to be less than honest and government workers are place, in my experience, by other less than optimal hiring methodologies. Though, sure there are older idiots as well. But I find the young, smart, but overly ambitious types to be the ones to keep an eye on.

        Well argued nonetheless. And for the record I'm an old guy in tech terms... mid 30s!

        Cheers!
        SCB

  • by Fortunato_NC (736786) <verlinh75 @ m s n . com> on Wednesday June 23, 2004 @06:54PM (#9512956) Homepage Journal
    You have the list with 92 million screennames? Ex----cellent, Smathers.

  • What a crime! (Score:5, Insightful)

    by CHaN_316 (696929) on Wednesday June 23, 2004 @06:54PM (#9512964)
    This AOL employee only made $0.0005652174 per e-mail address he sold. Is that anywhere near the fair market list for e-mail lists? Seems a bit low, but then again IANAS (I am not a spammer).
  • Mr. Burns (Score:3, Funny)

    by techsoldaten (309296) on Wednesday June 23, 2004 @06:55PM (#9512968) Journal
    Smathers! Bring me the list of AOL subscribers!

    *taps fingers expectantly*

    Excellent...

  • Based on a recent e-mail offering 5 million verified addresses for $300, the value of a single address should be 6 thousandths of a cent. The guy who paid $25,000 is the one who got ripped off- proper value of 92 million verified e-mail addresses at 6 thousandths of a cent per name is $5,520.....
    • Those 5 million verified addresses were verified at one time, they're not current. Anyone who sells different is selling something, and since you say it was in an e-mail, well, QED...

      92 million verified AOL email addresses, well, that's pure gold. You know if they're an AOL subscriber, they're a sucker anyway...

  • by G4from128k (686170) on Wednesday June 23, 2004 @06:59PM (#9512991)
    This case presents an interesting opportunty. If some of those 92 million names were faked, AOL-internal-only addresses (i.e., no outsider ever had them or ever could have them) then anyone caught using or selling them is guilty of accepting or selling stolen property. Any email arriving to a never-released, but stolen name would let AOL and authorities track the spammer network and subpeona spam-using e-commerce sites to reveal the identity of marketing affiliates.
  • by Aidtopia (667351) on Wednesday June 23, 2004 @07:03PM (#9513040) Homepage Journal

    If I understand correctly, California has a law that requires a company to contact each customer that was affected by disclosure of information due to a security problem. I wonder what that'll cost AOL.

    I'm also interested if the spammers the casino guy resold the list(s) to will also be prosecuted for purchasing stolen goods. At a minimum, they should be publicly identified.

  • by not_hylas( ) (703994) on Wednesday June 23, 2004 @07:10PM (#9513093) Homepage Journal
    Mr. Burns ...

    Hmmmmm, mmmmm! "SMATHERS!!!! YOU FIRED!"

    Smithers ...

    Emmm, "That's Smithers, Mr. Burns"

    Mr. Burns ...

    Hmmm. "Smithers - Smathers, whatever your reeaaaal name is, hmmmm - GET OUT."

    Smithers ...

    "But Mr. Burns!"

    Mr. Burns ...

    "OUT, OUT, OUT, I say - and no dilly-dallying, scoot, scoot."
  • Too late (Score:3, Interesting)

    by Yurka (468420) on Wednesday June 23, 2004 @07:13PM (#9513117) Homepage
    They can prosecute this guy, and everyone he sold the list to, and everyone they sold the list to, and so on, nine ways from Sunday - won't make any difference for the spammed masses now that the list is out. Nor will AOL's privacy policy (or whatever goes for it over there). The safeguards that are in place are (and always will be) inadequate against a motivated individual who doesn't understand consequences of his/her actions, or doesn't give a whistle about them, or both. AOL? MSN? Yahoo? Ne-ext!
  • by grolaw (670747) on Wednesday June 23, 2004 @07:24PM (#9513201) Journal
    Now, what part of AOL's security system failed?

    Oops, that's right - they have no security system. That's why some idiot can swipe 92meg of users and sell them to some other idiot who wants to spam us with his own (did I say these guys were idiots?) gambling scheme and then resell the 92meg of users to the other vile spammers.

    AOL can't be let off the hook. They had a duty to protect the user base as certainly as every one of us has a duty not to leave loaded guns where 5 year-olds can play with them. This is a clear example of AOL permitting a dangerous instrumentality to fall into the hands of the incompetent.

    BUT, we should also tell Ashcroft that the two idiots are "the terrorists' friends" and let Ashcroft make them disappear (along with their families, friends and dogs).
  • by Morgon (27979) <jmy&morgontech,com> on Wednesday June 23, 2004 @07:26PM (#9513225) Homepage
    smather (verb) To have personal information sold to advertisers without your consent or knowledge.
    "Man, I just got this new Hotmail account, but in less than an hour, it's been smathered!"
  • by MrP- (45616) * <rob.elitemrp@net> on Wednesday June 23, 2004 @07:30PM (#9513260) Homepage
    The Smoking Gun has the criminal complaint at http://www.thesmokinggun.com/archive/0623042aol1.h tml [thesmokinggun.com]
  • I WOULD HAVE TOO! (Score:3, Insightful)

    by Anonymous Coward on Wednesday June 23, 2004 @07:34PM (#9513287)
    here in san jose I spend 100% of my pay check on rent, car insurance (good driver), car payment (commuter), phone bill (rarely talk on it), and food (ramen, milk, and eggs).

    If you offered me $52,000 for a list of emails or names and info from my work i'd take itin an instance. I may get fired and sued but hay with that I could afford to move out of this shit whole and be over seas with my family tomorrow.
  • So.... (Score:3, Insightful)

    by Chris Mattern (191822) on Wednesday June 23, 2004 @07:46PM (#9513373)
    Smathers' spam scheme skimmed screennames? A shocking scam.

    Crhis Mattern
  • by Crazen (615089) on Wednesday June 23, 2004 @08:12PM (#9513539)
    Who else remembers this from not too long ago:

    Hack Your Way to Hollywood [wired.com]

    You know, the word "hack" above really bothers me.

  • by theCat (36907) on Wednesday June 23, 2004 @08:23PM (#9513593) Journal
    So AOL lost control of their list. Bah. They never had control. It was only a matter of time, and now that spam is becoming big business now was the time. The only way to manage these things correctly regarding the IT team would have been:

    1) Restrict mobile/personal storage and technology within the IT core;
    2) search employees entering and leaving the IT facilities for CDs, storage dongles, smart cards, USB-enabled watches and lapel pins, MP3 players, laptop computers, palmtop devices, etc;
    3) workstations used by developers have no Internet access whatever;
    4) no public/personal email access from developer workstations;
    5) the firewalls and other IT are managed by people who never come into contact with someone who themselves has access to data, and IT people have no access to data themselves;
    6) all data traversing the LAN is AES encrypted;
    7) there is no wireless access anywhere in the business, period.

    Did AOL do *any* of this? Even one thing? I doubt it. Why would they? these aren't even standard practices except maybe at the NSA.

    And that's just the AOL IT people. What do you then do with the marketing and sales folk? Presumably, they don't have the right kind of access to bulk data in the first place and/or cannot save data to storage that they can pull up in the normal course of work, but that's another policy to set up and more restrictions (ie, they cannot save files to their workstation, and cannot burn CDs, and cannot bring laptop computers home, etc.) And what if AOL decided to outsource customer support? What path does data take then?

    All of this would kinda-sorta make sense when protecting things like source code where there are only a few that need access anyway, and there is no obvious reason for the code to leave the site. But in the case of customer account info, that's not restricted to development and the customers are dealing with very low level employees who need a broad kind of access to customer data to deal with customer issues.

    I don't know if there are very many companies that would put their minimum wage earning sales and support drones (or their outsource suppliers) through that kind of security policy. And the marketing people would simply bite your head off at the very mention of leaving their laptop computers at work.

    Reality: The only personal data that is safe is the data that is encrypted, then the passcode encrypted, then the passcode is lost, then the data is deleted, then the disk containing the data is formatted and overwritten with random bits, then the disk removed from the system and shredded, and then the small bits are randomly distributed over the surface of the sea. At night during a storm.

    Failing all that...well don't expect your personal data to be private for any length of time so long as someone...anyone...the janitor...an intern...a poor working mother in Pakistan...can make a buck (exactly $1US) selling it.
  • by SetupWeasel (54062) on Wednesday June 23, 2004 @09:11PM (#9513926) Homepage
    But you can be sure that if a major company has your information, many employees that are making very little have access to that information.

    At MCI, where I used to work, I would see the personal information including name, address, phone numbers, credit card numbers, birthdays, and email addresses of hundreds of customers a week. Not only that, but every employee was identified in the system by his or her SS#, and your SS# was stamped on every note you placed in the system.

    I earned $8.47 (American) per hour, and the call center contractor had a less than rigorous screening process. I did have a pulse, so I was hired. I have more ethics than the company I worked for, and I would never do such a thing.

    But you have to ask yourself, if a company is willing to hire employees for next to nothing, and hand these employees access to information that they can sell for 3 times what they earn in a year, how long untill the SS# you give the company is compromised?

    Do not give truely sensitive information to companies. If they do not have legal authorization to demand a SS#, they are using it for identification purposes only. Give them a fake one.

    On another note: Anyone want to hire an aspiring writer? Seriously, $8.47/hr is still better than the $0/hr I'm making now. Please! ::sniff::

    Be strong!
  • What is the crime? (Score:3, Interesting)

    by macdaddy (38372) on Wednesday June 23, 2004 @09:38PM (#9514121) Homepage Journal
    What exactly is the crime he's accused of? Taking customer lists from any other business would be actionable in civil court, ie he wouldn't be arrested. What value can they assess on a list of email addresses? Not that I'm defending this jackass. Frankly I'd like to meat [sic] up with him in a dark alley with an old Sun keyboard. Something from the original IPC would do nicely. I'm just curious what the actual criminal crime is that would cause him to be arrested, or if this is another company with $$$ getting the police to handle their civil affairs.
  • by Animats (122034) on Wednesday June 23, 2004 @09:51PM (#9514223) Homepage
    This guy apparently used an AOL-issued laptop to access AOL's data warehouse. Not only did he put the data on his laptop, his e-mails about how he was going to steal the data are on there. Some of the e-mails are in the court filing.

    It's clear from reading them that this guy was not one of the brighter people at AOL.

  • by Artifakt (700173) on Thursday June 24, 2004 @01:22AM (#9515392)
    First, I am not a lawyer. This is a lay opinion only.
    Second, I am not a particularly vengeful person, or at least I don't really want spammers to face the death penalty, castration, or other such suggested punishments.
    Jason Smathers has been charged with theft and fired by AOL. I'm assuming the actual charge is something like felony grand theft, and that the amount his co-conspirator got for the lists will be all the proof AOL will need to offer for a grand jury to agree with that charge.
    According to the article, he also used another employee's ID in the act. That's probably either a separate charge or at least an aggrevating factor to the first charge. Among lots of other effects, this employee probably has standing to sue both men and a fair chance of winning, regardless of whether AOL does (with "winning" limited by the condition that they must somehow have forfitable assets after their prosecution).
    It also looks like there was possibly more than one actual theft, as the article mentions the men either actually obtaining or conspiring to obtain an updated version of the list, which would imply an older version also existed in their posession. One or both men may have made fraudulent promises to a person or persons who bought the list, representing it as legally obtained.
    So, Smathers could well be inditeable with three or more felonies (three strikes rules may apply), and it's possible with multiple persons accused that the whole thing could fall under RICO, either of which could easily make the overall sentence 30 years or more. Even with the usual time off for good behavior type clauses, that means serving a good solid 18 years or so.
    AOL probably wants the whole thing to go away. Since they can't really get that, the next best thing is to get seriously Neolithic on his ass, and hope it has a deterrent effect.

Be sociable. Speak to the person next to you in the unemployment line tomorrow.

Working...