AOL Employee Arrested in Spam Scheme

LostCluster writes "The AP, Reuters, and AOL's own CNN/Money are all reporting that AOL employee Jason Smathers has been arrested and accused of taking a list of 92 million screennames from the internal AOL system, and selling it to another man, who allegedly used it 'to promote his own Internet gambling business and also sold the list to other spammers for $52,000'. Not surprisingly, Smathers has been fired."
  • Fired? (Score:3, Insightful)

    by 91degrees ( 207121 ) on Wednesday June 23, 2004 @06:39PM (#9512806) Journal
    Aren't we supposed to wait for someone to be found guilty before punishing them?
  • by Anonymous Coward on Wednesday June 23, 2004 @06:40PM (#9512813)
    Now imagine how much personal info is being sold overseas from outsourced companies.
  • Security? (Score:5, Insightful)

    by shadowkoder ( 707230 ) on Wednesday June 23, 2004 @06:40PM (#9512814)
    You would think there would be limitations on HOW an employee could access such a large database. I mean, does AOL throw out CDs with conveniently formatted lists of all the screen names of its customers?
  • That's it?!?!?!?!? (Score:2, Insightful)

    by theJerk242 ( 778433 ) on Wednesday June 23, 2004 @06:43PM (#9512835) Homepage Journal
    All they did was just fire him?!?!?!? He should have been sent to prison for 25 years too!

  • Double standards.. (Score:5, Insightful)

    by BlueLines ( 24753 ) <(slashdot) (at) (divisionbyzero.com)> on Wednesday June 23, 2004 @06:43PM (#9512838) Homepage
    ..didn't a bunch of airlines admit to (basically) the same thing? no arrests there..

  • Re:Fired? (Score:5, Insightful)

    by EvanED ( 569694 ) <{evaned} {at} {gmail.com}> on Wednesday June 23, 2004 @06:43PM (#9512841)
    Firing someone has a lower burden of proof (and rightly so) than a criminal conviction; if there's enough for an arrest and charges to be brought, then there's probably enough evidence to warrant a firing.
  • by kfg ( 145172 ) on Wednesday June 23, 2004 @06:43PM (#9512846)
    with large, easily searched and copied databases of highly consolidated private data.

    The primary issue to be feared is not that someone who isn't trusted with the data will get ahold of it, but that someone who is trusted with the data will turn out to be untrustworthy.

    The same goes for backdoors. I'm not half so worried about some script kiddie hacking my router as I am some employee/former employee of Cisco simply walking right in.

    KFG
  • Re:Fired? (Score:5, Insightful)

    by Motherfucking Shit ( 636021 ) on Wednesday June 23, 2004 @06:46PM (#9512878) Journal
    Aren't we supposed to wait for someone to be found guilty before punishing them?
    My guess, and this is only a guess, is that Mr. Smathers was almost certainly confronted by HR or security (do they still call it OpsSec?). My second guess is that he probably admitted what he did.

    In any case, AOL doesn't have an opportunity to wait around and find out whether or not this guy is guilty in a court of law. This is a huge privacy breach affecting millions of people. According to CNN's version of the story, not only did the list contain screen names, it also had each user's telephone number, ZIP code, etc. AOL has no choice but to take immediate and harsh action, i.e. terminating the employee and alerting the authorities. If they hadn't fired the employee they'd be sued faster than you can say "1099 Hours Free."

    There may be lawsuits anyway. Millions of people entrusted their information to AOL, and now it's floating around in the hands of who knows how many spammers.
  • by oberondarksoul ( 723118 ) on Wednesday June 23, 2004 @06:49PM (#9512905) Homepage
    What worries me is that there could easily be many more employees doing this - not just at AOL, but at other ISPs as well. However, I'm willing to bet that AOL isn't going to hunt for any other people like this doing it. Unless they're made aware of other inside jobs of this, they'll probably stay happily oblivious to anyone else wanting to make a fast buck.
  • An observation. (Score:5, Insightful)

    by steve buttgereit ( 644315 ) on Wednesday June 23, 2004 @06:50PM (#9512918) Homepage
    An interesting way to look at this is to consider the age of the people involved. The engineer was 24 and the casino guy was 21. IT, notorious for age discrimination in favor of young, bright-eyed types, may actually be introducing a greater security risk with the practice.

    I remember when I was in my early 20s and let's just say I didn't have a lot to lose... and everything to gain from taking a chance here and there. By placing less mature workers into places where personal ethics and great responsibility collide, you're asking for issues just like this.

    I don't mean to indict all younger workers. Certainly most are good employees; I've hired many younger people without trouble. But as a percentage of population, the younger I expect to make more 'mistakes', both simple errors and errors in judgment.

    My two bits...
    SCB
  • Re:Fired? (Score:2, Insightful)

    by Nahor ( 41537 ) on Wednesday June 23, 2004 @06:51PM (#9512927)
    And I don't think anyone can argue that there's cause here.
    You want to bet? This is America, where people dry their cat in the microwave and then sue the manufacturer for not telling them it would kill it!!
  • What a crime! (Score:5, Insightful)

    by CHaN_316 ( 696929 ) on Wednesday June 23, 2004 @06:54PM (#9512964)
    This AOL employee only made $0.0005652174 per e-mail address he sold. Is that anywhere near the fair market list for e-mail lists? Seems a bit low, but then again IANAS (I am not a spammer).
  • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Wednesday June 23, 2004 @07:01PM (#9513010) Homepage Journal
    It's one thing to feed the information to the government and another to feed it to spammers. The first is scarier, but the second is illegal. Under PATRIOT, the first might be seen as mandatory.
  • Re:Security? (Score:5, Insightful)

    by isthisthingon ( 785412 ) on Wednesday June 23, 2004 @07:01PM (#9513017) Homepage
    Hmmm...just a guess, but it probably went something like this:
    SELECT *
    FROM customer_list
    ORDER BY last_name ASC;
    [zoom to scene of employee nervously looking over his shoulder and tapping his fingers impatiently]

    92,213,798 rows returned.

    [employee thinks to self]: "Dude! Cool! Bonus! We only had 91,125,553 last time I ran this. I'll have to thank the marketing department for sending out those CDs!"
  • Re:An observation. (Score:4, Insightful)

    by Telastyn ( 206146 ) on Wednesday June 23, 2004 @07:01PM (#9513018)
    Error in judgement? Come on, this is pretty obviously a 'bad thing'. No mistake; criminal intent.

  • by Anonymous Coward on Wednesday June 23, 2004 @07:02PM (#9513028)
    In Virginia, you're literally employed at the whim of your employer. It's officially called "Right to Work". It's more like "Right to be Fired".

    And there are no closed union shops in Virginia - you want to work somewhere, the company wants to hire you - no one can force you to join a union. Heck, even on the Washington Redskins - which is legally a Virginia company - players tend not to pay NFLPA union dues....

  • by drkhwk ( 41862 ) on Wednesday June 23, 2004 @07:03PM (#9513034)
    About the only useful info a cracker would find in /etc/password is usernames, and if he can see that file to begin with, he's already got a login.

    Yeah, and a huge list of email addresses. In the case of the grandparent, about 183,000.
  • Those 5 million verified addresses were verified at one time, they're not current. Anyone who sells different is selling something, and since you say it was in an e-mail, well, QED...

    92 million verified AOL email addresses, well, that's pure gold. You know if they're an AOL subscriber, they're a sucker anyway...

  • by sqrt(2) ( 786011 ) on Wednesday June 23, 2004 @07:08PM (#9513072) Journal
    You'd be surprised how many people don't even know that's an option. Remember these people are using AOL, they think it IS the internet.
  • by frodo from middle ea ( 602941 ) on Wednesday June 23, 2004 @07:09PM (#9513082) Homepage
    In the context of mails previously received to/from AOL accounts..
    pray explain how's this different from their previous slogan.
  • by Hays ( 409837 ) on Wednesday June 23, 2004 @07:11PM (#9513109)
    Dictionary attacks become exponentially harder as your user name becomes longer, assuming that is constructed of random characters.

    The likelihood of a dictionary attack hitting an n-character random string of characters and numbers is minuscule for n larger than 15 or so, even if the dictionary attacker is trying 1 million combinations a second, because there are (at least) 36^n user names in that space.

    My rough calculations say that it would take 7 billion years to dictionary attack the space of 15 character random numbers and letters, even if you could do so at a rate of one million a second.

    So if your 15 character random user name gets spammed immediately after creation without ever being used, it's an inside job.

    But I wouldn't be surprised if it was buried in the Hotmail terms of service that they can sell your addresses.
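The arithmetic in the comment above, carried through as an added example (not part of the original thread): the search space for an n-character name over a 36-symbol alphabet, its entropy in bits, and the years needed to exhaust it at one million guesses a second. The "dictionary word plus digits" pattern at the end is an assumption added here to show why the comment's "assuming it is constructed of random characters" caveat matters: a real screen name built from a word list collapses the space from 36^n to (words x 10^digits), which is why guessing still works against human-chosen names.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def search_space(length: int, alphabet_size: int = 36) -> int:
    """Number of distinct strings of the given length over the alphabet
    (36 = the 26 letters plus 10 digits, as the comment assumes)."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int = 36) -> float:
    """Bits of entropy in a uniformly random string: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(candidates: int, guesses_per_second: float = 1_000_000) -> float:
    """Time to try every candidate once at the given rate, in years."""
    return candidates / guesses_per_second / SECONDS_PER_YEAR


def random_name_years(length: int, alphabet_size: int = 36,
                      guesses_per_second: float = 1_000_000) -> float:
    """Years to exhaust all random names of this length (the comment's 15-char case)."""
    return years_to_exhaust(search_space(length, alphabet_size), guesses_per_second)


def structured_name_candidates(word_list_size: int, digit_suffix_len: int) -> int:
    """Candidate count for the common 'dictionary word + digits' pattern.
    Assumed pattern, not from the page: it models why guessing works on real,
    human-chosen screen names even though it is hopeless against random ones."""
    return word_list_size * 10 ** digit_suffix_len


def growth_table(lengths, alphabet_size=36, guesses_per_second=1_000_000):
    """Rows of (length, entropy bits, years to exhaust): the growth is exponential in length."""
    return [(n, round(entropy_bits(n, alphabet_size), 1),
             random_name_years(n, alphabet_size, guesses_per_second))
            for n in lengths]


if __name__ == "__main__":
    for n, bits, years in growth_table([6, 8, 10, 12, 15]):
        print(f"len={n:2d}  entropy={bits:5.1f} bits  exhaust={years:.3g} years")
    # Word + 2 digits from a 100,000-word list: 10 million candidates, ~10 s at 1M/s.
    structured = structured_name_candidates(100_000, 2)
    print(f"word+2digits: {structured:,} candidates, "
          f"{structured / 1_000_000:.0f} s at 1M guesses/s")
```

Running it reproduces the comment's figure (about 7.0 billion years for 15 random characters) and shows that 8 random characters fall in about a month at the same rate, while a word-plus-digits name falls in seconds; the practical reading is that a spammed never-used random name of 15 characters really is evidence of a leak rather than of guessing.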
  • Re:Fired? (Score:2, Insightful)

    by elbazo ( 779536 ) on Wednesday June 23, 2004 @07:15PM (#9513125)
    If they hadn't fired the employee they'd be sued faster than you can say "1099 Hours Free."

    Hehehe, or would that be 9891 hours free counting the number of those bastard disks I got in the last few months
  • Re:An observation. (Score:5, Insightful)

    by Kphrak ( 230261 ) on Wednesday June 23, 2004 @07:21PM (#9513182) Homepage

    Why don't we put it another way? "Note that both people involved were guys. By its traditional discrimination against women (who are more civilized) in favor of men (more aggressive and violent), IT is introducing a security risk since men will take more chances." It makes as much sense as the above "these damn' kids screw up all the time" rant (and before some /. feminist says "you go girl!", I should add that I'm male, 23, and consider both arguments completely idiotic).

    IT is a younger field, therefore more IT guys are younger. Granted, it's been around for the last 40 years, but for about half of that time, you needed a lot of money to get a computer. The generation that got to use truly cheap computers came of age just ten years ago. It's natural that there is now an explosion of younger IT workers.

    Marital, family, religious, and civic ties to society, IMHO, are much more likely to keep people honest than their age, even counting the fact that younger workers may be less experienced. And if you don't believe me, check a newspaper and see how many older, powerful men are at this moment headed to Club Fed because they weren't any better at ethics than the AOL dimwits mentioned in this article. Most of Congress is composed of older men, and I'd almost rather have Sanford Wallace (of Cyber Promotions infamy) representing me than some of these folks.

    I work in a government agency, so I see a large proportion of older workers. Some are smart, hard workers; others are idiots. I see no larger proportion of idiots among younger people than I do among older ones, nor do I see any indication that the intelligence or ethics of the old have anything to do with the fact that they are old.

  • by pavon ( 30274 ) on Wednesday June 23, 2004 @07:24PM (#9513207)
    Every situation is unique, and sometimes different situations require different actions. You see the similarities between two situations, and your opinion is that the differences are inconsequential, but that doesn't mean the other person thinks the same way. They might think that the differences are very important and the similarities are inconsequential. That doesn't mean that they have a double standard or are hypocritical, it just means that they put different value on the various aspects of the situations than you do.

    It's just like the Kerry is a waffler fallacy. Votes for the PATRIOT act, then when he actually gets to read it, changes his mind. Does not vote for Iraq funding, but later does when the source of the funding is changed. To a conservative pundit, there is no conceivable reason not to support things that go towards "national security", but Kerry disagreed. The same way a libertarian can't think of any reason to give up privacy, but the conservatives think that it is sometimes necessary. That does not mean that they are hypocrites, it means they see things differently than you.

    Even if they are wrong :)
  • by dasmegabyte ( 267018 ) <das@OHNOWHATSTHISdasmegabyte.org> on Wednesday June 23, 2004 @07:25PM (#9513216) Homepage Journal
    Last I knew, AOL's HR department doesn't have jurisdiction in computer crimes, nor does the state have the right to tell AOL who to fire. AOL's done. The conviction is pending, man.
  • by homer_ca ( 144738 ) on Wednesday June 23, 2004 @07:28PM (#9513244)
    Not exactly grand theft. He's selling information not stolen property. This would be more like industrial espionage. In past cases people were charged with wire fraud and theft of trade secrets.
  • I WOULD HAVE TOO! (Score:3, Insightful)

    by Anonymous Coward on Wednesday June 23, 2004 @07:34PM (#9513287)
    Here in San Jose I spend 100% of my paycheck on rent, car insurance (good driver), car payment (commuter), phone bill (rarely talk on it), and food (ramen, milk, and eggs).

    If you offered me $52,000 for a list of emails or names and info from my work I'd take it in an instant. I may get fired and sued but hey, with that I could afford to move out of this shithole and be overseas with my family tomorrow.
  • Re:An observation. (Score:2, Insightful)

    by j4ck50n ( 548439 ) on Wednesday June 23, 2004 @07:36PM (#9513312)
    this line:

    "...notorious for age discrimination in favor of young, bright-eyed types, may actually be introducing a greater security risk with the practice."

    is why you were called an asshole.

    but you made up for it with your second line, in particular this:

    "By placing less mature workers into places where personal ethics and great responsibility collide, you're asking for issues just like this."

    well said, but "less mature workers" can be 20, 30, 40, 50, etc.

    "less mature workers" are those that will take that chance by thinking, most times foolishly, that they can *gain* something besides short term cash flow.

    whether you're pocketing exact change at your summer job scooping ice cream or selling your employer's data, it is poor judgement coupled with greed, plain and simple, and any age can participate.

  • Re:Access? (Score:3, Insightful)

    by CVaneg ( 521492 ) on Wednesday June 23, 2004 @07:40PM (#9513337)
    In keeping with the first item in your list, I would advise taking all the money you're spending on consultants who give you three-sentence recommendations and giving it to the people who actually have to work for a living.
  • So.... (Score:3, Insightful)

    by Chris Mattern ( 191822 ) on Wednesday June 23, 2004 @07:46PM (#9513373)
    Smathers' spam scheme skimmed screennames? A shocking scam.

    Chris Mattern
  • by SetupWeasel ( 54062 ) on Wednesday June 23, 2004 @09:11PM (#9513926) Homepage
    But you can be sure that if a major company has your information, many employees that are making very little have access to that information.

    At MCI, where I used to work, I would see the personal information including name, address, phone numbers, credit card numbers, birthdays, and email addresses of hundreds of customers a week. Not only that, but every employee was identified in the system by his or her SS#, and your SS# was stamped on every note you placed in the system.

    I earned $8.47 (American) per hour, and the call center contractor had a less than rigorous screening process. I did have a pulse, so I was hired. I have more ethics than the company I worked for, and I would never do such a thing.

    But you have to ask yourself, if a company is willing to hire employees for next to nothing, and hand these employees access to information that they can sell for 3 times what they earn in a year, how long until the SS# you give the company is compromised?

    Do not give truly sensitive information to companies. If they do not have legal authorization to demand a SS#, they are using it for identification purposes only. Give them a fake one.

    On another note: Anyone want to hire an aspiring writer? Seriously, $8.47/hr is still better than the $0/hr I'm making now. Please! ::sniff::

    Be strong!
  • Re:Fired? (Score:4, Insightful)

    by Ratbert42 ( 452340 ) on Wednesday June 23, 2004 @09:43PM (#9514166)
    My guess, and this is only a guess, is that Mr. Smathers was almost certainly confronted by HR or security ...

    I didn't read through the whole thing, but my guess is that an informant approached the secret service and the case began outside of AOL. AOL really has no interest in this case being prosecuted. The bad publicity will cost them much much more than any restitution they'll get out of an unemployable 24 year old.

  • Re:Access? (Score:3, Insightful)

    by YU Nicks NE Way ( 129084 ) on Wednesday June 23, 2004 @10:12PM (#9514349)
    The problem with your "new" way of doing business is (1) it isn't new and (2) it doesn't work now any more than it ever did.

    Having an itch to scratch does nothing for the guy who's gambled his way under a mountain of debt and who goes from being completely trustworthy to being willing to steal from his best friend, to say nothing of his employer. That's not a hypothetical case; I'm thinking of a particular person with whom I worked about a decade ago. (Luckily for me, I wasn't one of his friends, so he didn't rip me off.) People change, and someone who's completely trustworthy today may not be five years from now. Worse, people are not always what they seem, and only observation over a very long term reveals them for what they are.

    Who watches the watchers? I don't know -- but they need to be there in any org which handles things of value.

  • Re:Fired? (Score:3, Insightful)

    by gcaseye6677 ( 694805 ) on Wednesday June 23, 2004 @10:15PM (#9514376)
    Are you for real? If you were the guy's manager and you had evidence that he was selling company data, convincing enough evidence to get him arrested, you would keep him on the payroll until he was convicted? Yes, the guy is entitled to a fair trial before being punished by the legal system, but as many other posters have pointed out, a company can fire someone for almost any reason they want. And when there's clear evidence of misconduct, an employee doesn't have a chance with a wrongful dismissal suit, even in a non right to work state.
  • Re:Security? (Score:3, Insightful)

    by tomhudson ( 43916 ) <barbara,hudson&barbara-hudson,com> on Wednesday June 23, 2004 @11:02PM (#9514651) Journal
    So instead of doing a select on the db he just copies the raw data files ... not even all the data files (doesn't need any of the indexes, for example). No need to query the dbms, no alarms going off, no audit trail in the sql logs.

    And, by piping it through gzip, he wouldn't end up with a huge intermediary file:

    cat customer_data_table | gzip > /home/crooked_employee/stolen_data.zip

    Well, that's how I would have done it. Actually, I would have done it using someone else's account :-)
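The two Security? replies above describe the same bulk export from two angles: a full-table SELECT that comes back with 92 million rows, and a raw copy of the table's data files that never touches the SQL engine and so leaves nothing in the query audit log. What follows is an added example, not code from the thread or from AOL: a small triage script that runs two detections over constructed audit lines, flagging unfiltered or oversized reads of sensitive tables in the query log and flagging reads of those tables' on-disk files by any account other than the database service account. The log line format, the row threshold, the account names, the paths and every event are assumptions made up here; only the table names come from the comments.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumptions, not from the page: threshold, service-account name and log format
# are invented for the example. Table names are the ones used in the thread.
SENSITIVE_TABLES = {"customer_list", "customer_data_table"}
BULK_ROW_THRESHOLD = 100_000
DB_SERVICE_ACCOUNT = "dbsvc"

# Constructed audit formats: one line per query (with result size) and one per file access.
QUERY_RE = re.compile(
    r'^(?P<ts>\S+ \S+) kind=query user=(?P<user>\S+) '
    r'stmt="(?P<stmt>[^"]*)" rows=(?P<rows>\d+)$')
FILE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) kind=file user=(?P<user>\S+) op=(?P<op>\w+) '
    r'path=(?P<path>\S+) bytes=(?P<bytes>\d+)$')


@dataclass
class Finding:
    ts: str
    user: str
    rule: str
    detail: str


def tables_in(stmt: str) -> set:
    """Crude extraction of table names following FROM; enough for audit triage."""
    return {t.lower() for t in re.findall(r'\bFROM\s+([A-Za-z_]\w*)', stmt, re.I)}


def check_query(m) -> Optional[Finding]:
    """Flag a query on a sensitive table that is unfiltered or returns a bulk result."""
    stmt, rows = m["stmt"], int(m["rows"])
    hits = tables_in(stmt) & SENSITIVE_TABLES
    if not hits:
        return None
    has_where = re.search(r'\bWHERE\b', stmt, re.I) is not None
    if rows >= BULK_ROW_THRESHOLD or not has_where:
        return Finding(m["ts"], m["user"], "bulk-export",
                       f"{rows} rows from {sorted(hits)}, where_clause={has_where}")
    return None


def check_file(m) -> Optional[Finding]:
    """Flag reads of a sensitive table's on-disk files by anything but the database
    service account: the path that leaves no trace in the SQL audit log."""
    base = m["path"].rsplit("/", 1)[-1].split(".")[0].lower()
    if (base in SENSITIVE_TABLES and m["user"] != DB_SERVICE_ACCOUNT
            and m["op"] in {"read", "copy"}):
        return Finding(m["ts"], m["user"], "raw-file-read",
                       f"{m['op']} of {m['path']} ({m['bytes']} bytes) outside the DB engine")
    return None


def scan(lines) -> List[Finding]:
    """Run both detections over an iterable of audit lines; unparseable lines are skipped."""
    findings = []
    for line in lines:
        line = line.strip()
        if (m := QUERY_RE.match(line)):
            f = check_query(m)
        elif (m := FILE_RE.match(line)):
            f = check_file(m)
        else:
            continue
        if f:
            findings.append(f)
    return findings


# Constructed sample log: a filtered lookup, the full-table SELECT from the thread,
# the engine's own read of its data file, and a copy of that file by a user account.
SAMPLE_LOG = """\
2004-06-23 18:40:02 kind=query user=analyst02 stmt="SELECT screen_name FROM customer_list WHERE zip = '20166'" rows=1423
2004-06-23 18:41:10 kind=query user=insider01 stmt="SELECT * FROM customer_list ORDER BY last_name ASC" rows=92213798
2004-06-23 18:45:00 kind=file user=dbsvc op=read path=/var/lib/aoldb/customer_data_table.dat bytes=5368709120
2004-06-23 23:02:17 kind=file user=insider01 op=copy path=/var/lib/aoldb/customer_data_table.dat bytes=5368709120
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.rule:14s} user={f.user}: {f.detail}")
```

The point of pairing the two rules is the one tomhudson makes: a query-log alert alone is blind to someone reading the files underneath the database, so the file-access audit (and the rule that only the engine's service account may touch those files) is what closes the gap. The filtered lookup and the service account's own read produce no findings, which is what keeps a rule like this usable on a real log.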

  • by Artifakt ( 700173 ) on Thursday June 24, 2004 @01:22AM (#9515392)
    First, I am not a lawyer. This is a lay opinion only.
    Second, I am not a particularly vengeful person, or at least I don't really want spammers to face the death penalty, castration, or other such suggested punishments.
    Jason Smathers has been charged with theft and fired by AOL. I'm assuming the actual charge is something like felony grand theft, and that the amount his co-conspirator got for the lists will be all the proof AOL will need to offer for a grand jury to agree with that charge.
    According to the article, he also used another employee's ID in the act. That's probably either a separate charge or at least an aggravating factor to the first charge. Among lots of other effects, this employee probably has standing to sue both men and a fair chance of winning, regardless of whether AOL does (with "winning" limited by the condition that they must somehow have forfeitable assets after their prosecution).
    It also looks like there was possibly more than one actual theft, as the article mentions the men either actually obtaining or conspiring to obtain an updated version of the list, which would imply an older version also existed in their possession. One or both men may have made fraudulent promises to a person or persons who bought the list, representing it as legally obtained.
    So, Smathers could well be indictable with three or more felonies (three strikes rules may apply), and it's possible with multiple persons accused that the whole thing could fall under RICO, either of which could easily make the overall sentence 30 years or more. Even with the usual time off for good behavior type clauses, that means serving a good solid 18 years or so.
    AOL probably wants the whole thing to go away. Since they can't really get that, the next best thing is to get seriously Neolithic on his ass, and hope it has a deterrent effect.
  • by kiwaiti ( 95197 ) <kiwaiti&gmx,de> on Thursday June 24, 2004 @02:42AM (#9515697) Homepage
    If you were a spammer, you wouldn't ever get even one of the bounces to "your" spoofed address.

    Kiwaiti

  • by bigsteve@dstc ( 140392 ) on Thursday June 24, 2004 @03:08AM (#9515789)
    And they don't *just* bounce it, they set up a slow-ass connection to your bounce server and time it out (clever idea actually).

    Clever idea ... but counter-productive in the long run.

    Assuming that the spammer is using a herd of zombie PCs for spam relaying, and each PC can handle multiple mail connections, they are not likely to be slowed down much by this tactic. In addition, the spamming PCs can be set up to aggressively time out connections to slow mail servers.

    On the other hand, people who run legitimate mailing lists may suffer when a list submission triggers spam detection and slow server counter measures. The mailing list server will typically NOT be able to send huge numbers of emails in parallel, and will NOT want to aggressively time out slow mail servers. As a result, if a mailing is (rightly or wrongly) classified as SPAM and triggers counter measures, mailing list delivery suffers.

  • by gatkinso ( 15975 ) on Thursday June 24, 2004 @09:56AM (#9517485)
    A few weeks ago I came across about 30 old 5 1/4" floppies.

    I hooked up an old drive to see what was up and lo and behold it worked, and on the disks (that could still be read) were vital stats on about 85,000 people - meaning name, SS#, address, health insurance policy numbers, etc. All good, all verified assuming the individual was still alive and hadn't moved.

    This was left over from when I worked at an insurance company in 1992: a migration from a THEN ancient mini to a PC based system. There that data was sitting in my basement for 12 years (and I have moved twice since then!)

    Being an honest man, out came the scissors... but the ID theft possibilities were really astounding.

    How much old data like this is just sitting around on forgotten tapes and disks?

    If I were to set up a huge ID theft ring this is the sort of stuff I would look for. Good data, but old. Not in any current database, absolutely no audit trail, individuals have since moved around and changed employers obliterating any or most chance of establishing a pattern to the thefts. Best of all, not only are there no access logs, but the organization wouldn't even miss the old media and if they do someone could just claim that it was thrown out months ago.

    Mildly disturbing - but less so than the thought of a dirty bomb I suppose.

  • Re:huh? (Score:2, Insightful)

    by Alexis de Torquemada ( 785848 ) on Thursday June 24, 2004 @04:42PM (#9522346)
    In any case, selling >90 million customer records to spammers is not a minor incident. You'd get fired even if you had been elected the employee of the year just a week before. Unless you could convince your employer of your innocence.
