AOL Employee Arrested in Spam Scheme 428
LostCluster writes "The AP, Reuters, and AOL's own CNN/Money are all reporting that AOL employee Jason Smathers has been arrested and accused of taking a list of 92 million screennames from the internal AOL system, and selling it to another man, who allegedly used it 'to promote his own Internet gambling business and also sold the list to other spammers for $52,000'. Not surprisingly, Smathers has been fired."
That's a lot of names... (Score:4, Interesting)
Re:Fired? (Score:3, Interesting)
Now do the same over at MSN/Hotmail (Score:5, Interesting)
Re:That's a lot of names... (Score:2, Interesting)
Re:Double standards.. (Score:1, Interesting)
It's a sad world we live in where our email address has more protection than we do.
This reminds me (Score:4, Interesting)
% wc -l /etc/passwd
184533 /etc/passwd
What about those screennames? (Score:5, Interesting)
In the article AOL didn't seem to mention what they are doing to protect the victims, except "they are thoroughly reviewing and strengthening our internal procedures".
Is this good enough? Sometimes you can punish the offender enough to compensate the victims.
You've got Bail! (Score:4, Interesting)
i've confirmed this. (Score:5, Interesting)
It seems to really only happen on new accounts though. Old Hotmail accounts don't seem to get spam, if you don't publish them anywhere.
It's entirely possible someone has recently (within the last few years) backdoored Hotmail's account creation system to notify them of new accounts, which would explain why old accounts don't get any spam.
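The comment above confirms a leak by watching what happens to fresh, unpublished accounts. The systematic version of that check, added here as an example (not code from the thread or from any provider named in it), seeds each copy of an address list you hand out with a per-recipient "canary" mailbox, so that spam arriving at one of them tells you which copy got out. The domain, secret, labels and sample spam recipients below are constructed for the example.

```python
"""
Added example: per-party canary addresses for attributing a leaked address list.

The domain `example.test`, the secret and the labels are assumptions for this
example; real deployments pick a domain they control and keep the secret off
the systems that hold the list itself.
"""
import hashlib
import hmac
from typing import Dict, List, Optional

DOMAIN = "example.test"   # hypothetical domain the list owner controls
TAG_LEN = 12              # hex chars of the HMAC kept in the local part


def make_canary(secret: bytes, label: str) -> str:
    """Derive a unique mailbox for `label` (the party given that copy of the list).

    An HMAC over the label means an outsider holding one canary cannot forge
    another or recover which party it was issued to.
    """
    tag = hmac.new(secret, label.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]
    return f"canary-{tag}@{DOMAIN}"


def attribute(secret: bytes, recipient: str, labels: List[str]) -> Optional[str]:
    """Return the label whose canary equals `recipient`, or None if it is not a canary.

    Recomputing the HMAC per label avoids keeping a label->address table that
    would itself be a sensitive mapping if it leaked.
    """
    recipient = recipient.strip().lower()
    for label in labels:
        if hmac.compare_digest(make_canary(secret, label), recipient):
            return label
    return None


def leaking_parties(secret: bytes, spam_recipients: List[str], labels: List[str]) -> Dict[str, int]:
    """Count spam hits per party; any party with hits is one whose copy escaped."""
    hits: Dict[str, int] = {}
    for rcpt in spam_recipients:
        who = attribute(secret, rcpt, labels)
        if who is not None:
            hits[who] = hits.get(who, 0) + 1
    return hits


if __name__ == "__main__":
    # Constructed demo: three copies of the list went out, spam hit two canaries.
    secret = b"rotate-me-and-keep-me-off-the-list-server"
    labels = ["signup-batch-1", "outsourcer-a", "partner-b"]
    spam = [make_canary(secret, "outsourcer-a"), make_canary(secret, "outsourcer-a"),
            make_canary(secret, "partner-b"), "someone@elsewhere.test"]
    print(leaking_parties(secret, spam, labels))
```

One canary per copy only tells you which copy leaked; to narrow it to a person, issue one per employee or per download and keep the issuance log somewhere the list's custodians cannot edit.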
Re:huh? (Score:4, Interesting)
I'd love a world where I had a guaranteed job, but just like everyone else, I work for mine. I was just explaining the difference to the original poster between "innocent before proven guilty" and "we can fire you if we damn well want to."
$25,000 ? For 92 million verified addresses? (Score:4, Interesting)
Honeypotting with stolen names (Score:5, Interesting)
Re:That's it?!?!?!?!? (Score:3, Interesting)
For breaking what law?
I don't mind so much that my employer can fire me for pretty much any reason they like. I can quit for pretty much any reason I like, too. But I sure don't want to live in a world where my employer can send me to prison.
AOL has to tell California customers (Score:5, Interesting)
If I understand correctly, California has a law that requires a company to contact each customer that was affected by disclosure of information due to a security problem. I wonder what that'll cost AOL.
I'm also interested if the spammers the casino guy resold the list(s) to will also be prosecuted for purchasing stolen goods. At a minimum, they should be publicly identified.
Re:Now do the same over at MSN/Hotmail (Score:3, Interesting)
Re:That's it?!?!?!?!? (Score:5, Interesting)
Personally, I think the dweeb should be staked out on an ant-hill or drawn and quartered, but I've been accused of being a little extreme when it comes to spam, spammers and people who disclose e-mail addresses without the owners' permission.
Too late (Score:3, Interesting)
Re:This reminds me (Score:3, Interesting)
Re:That's a lot of names... (Score:3, Interesting)
RICO AOL out of business (Score:3, Interesting)
Oops, that's right - they have no security system. That's why some idiot can swipe 92meg of users and sell them to some other idiot who wants to spam us with his own (did I say these guys were idiots?) gambling scheme and then resell the 92meg of users to the other vile spammers.
AOL can't be let off the hook. They had a duty to protect the user base as certainly as every one of us has a duty not to leave loaded guns where 5 year-olds can play with them. This is a clear example of AOL permitting a dangerous instrumentality to fall into the hands of the incompetent.
BUT, we should also tell Ashcroft that the two idiots are "the terrorists' friends" and let Ashcroft make them disappear (along with their families, friends and dogs).
smathie.net | thesmathers.com (Score:2, Interesting)
check the forum
Re:An observation. (Score:1, Interesting)
Re:An observation. (Score:1, Interesting)
Re:Honeypotting with stolen names (Score:1, Interesting)
anyone caught using or selling them is guilty of accepting or selling stolen property.
Please don't confuse intellectual property with actual property. You cannot steal IP.
This confusion is what the RIAA and MPAA capitalise upon to accuse people of theft in their press releases (but not in court).
would prison be a good enough deterrent? (Score:3, Interesting)
Re:Security? (Score:5, Interesting)
As it happens however he has been caught. How was he caught? I don't know, but it's not beyond the realm of possibility that the aforementioned database had triggers and an audit trail that says who did what and dumps it in a log somewhere. Or perhaps he tripped over by querying for everything including the flagged accounts - accounts that AOL regularly sacks people for looking at because they belong to celebs and so forth.
It would not surprise me at all if the alarm bells didn't start ringing as soon as the DB ground to a halt while it was returning 92000000 rows.
Re:That's a lot of names... (Score:4, Interesting)
Re:An observation. (Score:4, Interesting)
Actually, I wouldn't be terribly surprised if the counter-point you offer to try to discredit my argument is, itself, true. By the way, my observation is derived not from a single article but from my experience working in IT. The article simply provides an interesting context.
IT is a younger field, therefore more IT guys are younger. Granted, it's been around for the last 40 years, but for about half of that time, you needed a lot of money to get a computer. The generation that got to use truly cheap computers came of age just ten years ago. It's natural that there is now an explosion of younger IT workers.
I'm not sure what relevance this statement has to my point. This is all true on the face of it, but neither supports nor detracts from my hypothesis. What I will say, assuming your statement is true, is that the impact of mistakes made by anyone in IT has the potential to be greater than at any time in history. Would, 40 years ago, a couple of 20-somethings have had the tools to commit a crime that impacted as many as 93 million people? What if he weren't at AOL, but Bank of America?
Marital, family, religious, and civic ties to society, IMHO, are much more likely to keep people honest than their age, even counting the fact that younger workers may be less experienced.
Thank you for helping support my point. Much of my point is predicated on the fact that younger people are more likely not to have the same connections and convictions that older people do. How many professional 24-year-olds are married, as compared to, say, 45-year-olds? How many have their own families (a stronger connection than just to mom & dad)? Never did I mention experience: I was careful to say mature.
And if you don't believe me, check a newspaper and see how many older, powerful men are at this moment headed to Club Fed because they weren't any better at ethics than the AOL dimwits mentioned in this article. Most of Congress is composed of older men, and I'd almost rather have Sanford Wallace (of Cyber Promotions infamy) representing me than some of these folks.
I find trouble in using the newspaper to uncover trends; there are too many other factors to consider them useful sources of this kind of information. Older people are more likely to have roles in more sophisticated, larger-stakes games. But what we don't see in the papers is how many people are being put away for $50K in embezzlement here, $75K in kickbacks there... in fact, if it weren't for the 93 million users, you would probably never have heard of this in the papers either. I still maintain that younger workers will have higher security issues as compared to the population as a whole. By the way... how many older people do we hear about getting put away for writing viruses and worms? Don't confuse high profile for quantity or even severity.
I work in a government agency, so I see a large proportion of older workers. Some are smart, hard workers; others are idiots. I see no larger proportion of idiots among younger people than I do among older ones, nor do I see any indication that the intelligence or ethics of the old have anything to do with the fact that they are old.
Don't get me wrong... avarice comes in all ages. But the selection process for Congress is slanted toward those who are most likely to be less than honest, and government workers are placed, in my experience, by other less than optimal hiring methodologies. Though, sure, there are older idiots as well. But I find the young, smart, but overly ambitious types to be the ones to keep an eye on.
Well argued nonetheless. And for the record I'm an old guy in tech terms... mid 30s!
Cheers!
SCB
Re:Fired? (Score:5, Interesting)
Some guy brought in a gun to work with him at the UC Davis monkey lab, allegedly with a list of people he was mad at (gun for sure, not sure about the list). He's one of the same 2 people who "lost" a monkey. That one made national news, and the other guy got a promotion. Anyway, he got 30 days of "administrative leave" for the gun, which meant they were going to fire him.
Security was told, "Hey, we had to suspend this guy. If he shows up, wave, let him through, and call the police because he knows he's not supposed to be here". No point in actually telling the security why they were looking for him. And no point in telling employees what was going on. This was during the period when UC Davis was trying to get the Level IV Biohazard Lab, so that *might* have been part of the secrecy, but I think it's because all state jobs usually have A Giant State Head up their ass all the time. In the meantime, this guy got arrested in Wyoming, with the gun, with filed off serial numbers, and illegal drugs. He was in a car his mom rented that wasn't supposed to leave the state. Not sure how much time he's serving. But being black in a Wyoming prison can't be fun. He was a nice guy before he started taking drugs.
AOL Lax Security __TAKE 2__ (Score:3, Interesting)
Hack Your Way to Hollywood [wired.com]
You know, the word "hack" above really bothers me.
the cat is 1,200 miles from the bag (Score:4, Interesting)
1) Restrict mobile/personal storage and technology within the IT core;
2) search employees entering and leaving the IT facilities for CDs, storage dongles, smart cards, USB-enabled watches and lapel pins, MP3 players, laptop computers, palmtop devices, etc;
3) workstations used by developers have no Internet access whatever;
4) no public/personal email access from developer workstations;
5) the firewalls and other IT are managed by people who never come into contact with someone who themselves has access to data, and IT people have no access to data themselves;
6) all data traversing the LAN is AES encrypted;
7) there is no wireless access anywhere in the business, period.
Did AOL do *any* of this? Even one thing? I doubt it. Why would they? these aren't even standard practices except maybe at the NSA.
And that's just the AOL IT people. What do you then do with the marketing and sales folk? Presumably, they don't have the right kind of access to bulk data in the first place and/or cannot save data to storage that they can pull up in the normal course of work, but that's another policy to set up and more restrictions (ie, they cannot save files to their workstation, and cannot burn CDs, and cannot bring laptop computers home, etc.) And what if AOL decided to outsource customer support? What path does data take then?
All of this would kinda-sorta make sense when protecting things like source code where there are only a few that need access anyway, and there is no obvious reason for the code to leave the site. But in the case of customer account info, that's not restricted to development and the customers are dealing with very low level employees who need a broad kind of access to customer data to deal with customer issues.
I don't know if there are very many companies that would put their minimum wage earning sales and support drones (or their outsource suppliers) through that kind of security policy. And the marketing people would simply bite your head off at the very mention of leaving their laptop computers at work.
Reality: The only personal data that is safe is the data that is encrypted, then the passcode encrypted, then the passcode is lost, then the data is deleted, then the disk containing the data is formatted and overwritten with random bits, then the disk removed from the system and shredded, and then the small bits are randomly distributed over the surface of the sea. At night during a storm.
Failing all that...well don't expect your personal data to be private for any length of time so long as someone...anyone...the janitor...an intern...a poor working mother in Pakistan...can make a buck (exactly $1US) selling it.
Clearly you've never sent bulk mailings... (Score:5, Interesting)
Not really. Mailing to AOL is a hit-or-miss thing. We run a lot of mailing lists (bands' fanlists, organizations' newsletters, etc.) and about half of the time you have AOL addresses on a list they bounce it. And they don't *just* bounce it, they set up a slow-ass connection to your bounce server and time it out (clever idea actually).
So, if you were a spammer, AOL addresses would be of dubious use.
Re:What about those screennames? (Score:3, Interesting)
Re:Fired? (Score:2, Interesting)
I don't know about that particular case (I'm not even sure that it's not a hoax) but the thing is that you can file a frivolous lawsuit and win [cgood.org]
Re:Honeypotting with stolen names (Score:4, Interesting)
Correct, but in this case IP has a parallel to stolen property called stolen trade secrets. Basically, since this is information obtained by illegal means, it's illegal to use this information for profit.
What is the crime? (Score:3, Interesting)
Re:Access? (Score:4, Interesting)
Mind you, the rules have changed today:
But, back to what the posters were saying. It's a balancing act. Each side watches the other. If you've ever worked as an outside consultant, you get used to that sort of dynamic VERY quickly.
Reminds me of one time I was consulting, and the prima donna head coder didn't believe that a query with millions of records would run fast enough on a 486 (this was about 10 years ago). Didn't understand that properly indexed searches scale nicely, instead of linearly.
So, I told everyone that I would prove it tomorrow. Went in after supper, dumped copies of all my code and data onto 2 machines (a server and his box), reformatted, re-installed, and wrote the code to generate my test database. Then went home to bed.
Of course, the next morning, idiot has already complained to management that I must be up to something fishy, because all my code is wiped from my machine (snoopy little snot), and they want to know why they should continue to trust me.
So, I explain that it's all sitting on the idiot's own box, as well as the server, because, remember, we're doing a test today, and I needed all the disk space I could find.
Oh, the reason I call him an idiot? He wanted to continue arguing about whether a query would execute fast enough, when it was easy enough to test. That's just plain stupid. But it's the sort of thing you have to learn to handle if you're going to do consulting :-)
Re:Security? (Score:3, Interesting)
Since the FA says he did this at least twice, either they don't check their audit files very often, or he was ratted out by someone later, or did something stupid with his ill-earned cash to attract attention.
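The two "Re:Security?" comments above make the same operational point from two directions: an audit trail with the who-did-what of every query would have shown a single session returning tens of millions of rows (or touching the flagged celebrity accounts), and since the theft happened at least twice, a review of that trail should have caught the repeat. The detection below is an added example (not code from the thread or from AOL) of that review run over constructed audit lines. The line format, the user names, the flagged account and the row threshold are all assumptions; real database audit logs differ in shape, but the three checks are the ones a practitioner would write.

```python
"""
Added example: reviewing a database audit trail for bulk exports, reads of
flagged accounts, and repeat offenders. Log format and all names are invented.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample audit lines: timestamp, DB user, statement type, rows
# returned, and the screen names touched ("-" when the result was too big to list).
SAMPLE_AUDIT = """\
2004-06-01T09:12:03Z user=csrep01 stmt=SELECT rows=1 accounts=bob1234
2004-06-01T09:14:48Z user=csrep02 stmt=SELECT rows=1 accounts=vip_star99
2004-06-01T23:41:10Z user=eng_07 stmt=SELECT rows=92000000 accounts=-
2004-06-03T01:02:27Z user=eng_07 stmt=SELECT rows=92000000 accounts=-
2004-06-03T10:30:00Z user=csrep01 stmt=UPDATE rows=1 accounts=alice77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) stmt=(?P<stmt>\S+) "
    r"rows=(?P<rows>\d+) accounts=(?P<accounts>\S+)$"
)

# Accounts that support staff may not open without a ticket (assumed list).
FLAGGED_ACCOUNTS = {"vip_star99"}

# Any single statement returning at least this many rows is treated as an export;
# no per-customer support task needs more than a handful of rows.
BULK_ROW_THRESHOLD = 10_000


def parse_audit(text: str) -> List[Dict[str, str]]:
    """Parse key=value audit lines, skipping lines that do not match the format."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def detect(text: str, threshold: int = BULK_ROW_THRESHOLD) -> List[str]:
    """Return one alert string per finding, in log order.

    BULK_EXPORT: a statement returned >= threshold rows.
    REPEAT_BULK_EXPORT: the same user did that a second time (the "at least twice" case).
    FLAGGED_ACCOUNT_ACCESS: a statement touched a protected account.
    """
    alerts: List[str] = []
    bulk_count: Dict[str, int] = defaultdict(int)
    for r in parse_audit(text):
        rows = int(r["rows"])
        if rows >= threshold:
            bulk_count[r["user"]] += 1
            alerts.append(f"BULK_EXPORT user={r['user']} rows={rows} at={r['ts']}")
            if bulk_count[r["user"]] == 2:
                alerts.append(f"REPEAT_BULK_EXPORT user={r['user']} count=2")
        touched = set(r["accounts"].split(",")) if r["accounts"] != "-" else set()
        for acct in sorted(touched & FLAGGED_ACCOUNTS):
            alerts.append(f"FLAGGED_ACCOUNT_ACCESS user={r['user']} account={acct} at={r['ts']}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUDIT):
        print(alert)
```

The threshold is the important knob: set it from the largest result a legitimate support or reporting job actually returns, and route anything above it to a reviewer the same day rather than to a log nobody reads, which is the failure the second comment describes.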
Re:Security? (Score:3, Interesting)
Re:What about those screennames? (Score:2, Interesting)
Ulrik
Re:Arrested and accused... how about convicted (Score:2, Interesting)
Um, a large proportion of people in jail are not convicted; they are on remand.
This proportion rises to 100% when you look at Guantanamo bay.
Re:Maybe there're more? (Score:2, Interesting)
Unless they're made aware of other inside jobs of this, they'll probably stay happily oblivious to anyone else wanting to make a fast buck.
AOL said that they are thoroughly reviewing and strengthening their internal procedures in response to this.
Re:An observation. (Score:3, Interesting)
The attitude of older manager types is that wisdom comes with intelligence and technical acumen. My point is that this is a mistake that increases the likelihood of such breaches. Remember my initial observation: IT, notorious for age discrimination in favor of young, bright-eyed types, may actually be introducing a greater security risk with the practice.
Depending on the exact role of this 'engineer' there may be legitimate reasons for that individual to have access to this data. Indeed, even older and higher ranking people within AOL may have been so enamored with this young man that he might have been a team lead or other senior technical resource with the authority himself to be the gatekeeper. Another scenario says maybe he wasn't 'granted' access at all: software engineers are ultimately in control... including the programming of backdoors, exploiting of known flaws, etc.
My point isn't that older workers don't make mistakes, but that they are less likely to be reckless or take as many chances with authority as younger workers.
Finally, the real error with your most recent comments is that the older manager you speak of didn't act with malicious intent; whereas the younger worker clearly did. This is the heart of my point: managers should be more cautious in assigning younger workers to places of high responsibility regardless of skill or qualifications.
Cheers!
SCB