Reporters Threatened, Labeled Hackers For Finding Security Hole
colinneagle writes "Scripps News reporters discovered 170,000 records online of customers of Lifeline, a government program offering affordable phone service for low-income citizens, that contained everything needed for identity theft. Last year, the FCC 'tightened' the rules for the program by requiring Lifeline phone carriers to document applicants' eligibility, which led to collecting more sensitive information from citizens. A Scripps News investigative team claims it 'Googled' the phone companies TerraCom Inc. and YourTel America Inc. to discover all of the files. A Scripps reporter asked for an on-camera interview with the COO of TerraCom and YourTel after explaining the files were freely available online. That did not happen, but shortly thereafter the customer records disappeared from the internet. Then, the blame-the-messenger hacker accusations and mudslinging began. Although the Scripps reporters videotaped the process showing how they found the documents, attorney Jonathon Lee for both telecoms threatened the 'Scripps Hackers' with violating the Computer Fraud and Abuse Act (CFAA)."
Try to do something right (Score:5, Insightful)
Never expose any security holes (Score:5, Insightful)
In America, two business principles apply:
1. It is none of your business when shit hits the fan, and
2. It is never our fault.
No good deed... (Score:3, Insightful)
goes unpunished.
Re:Try to do something right (Score:2, Insightful)
I'll beat the others to this.
This is one of the reasons for why being anonymous is important. This lawsuit is stupid, and since they have a video showing the method, it should be easy to throw out the charge.
Could the reporter have a rebuttal about them taking down the evidence, saying they destroyed evidence pending the lawsuit?
PR, lawyer greed, revenge, or abject incompetence (Score:5, Insightful)
I realize these companies have made some seriously bad decisions, and dumb decisions by committee are even worse, but this makes no sense.
Typical distraction (Score:5, Insightful)
Call 'em hackers enough times, and people will be distracted by their alleged malice to the point where they forget or don't even believe anymore that the files were literally just out there for anyone to see. It's like leaving a $100 bill on the sidewalk and waiting to see who turns it in at the lost and found so you can call 'em a thief to distract from your own leaving it lying around.
Re:Try to do something right (Score:5, Insightful)
But the reporter can't be anonymous and trustworthy. The press are as full of shit as every other profession, so a reporter needs to put her/his name to it or it's worth as much as an empty cup of coffee. By attaching their reputation (good or bad) to a story they can defend (rightly or wrongly) what they've published.
Mandatory study for Lawyers and Judges... (Score:5, Insightful)
Re:PR, lawyer greed, revenge, or abject incompeten (Score:5, Insightful)
If they were "hacked" then the folks whose data was leaked blame the wily hackers. If they let it stand that the data was just freely available on the web, it's a liability to the telecoms involved; i.e. "it's not our fault, it's THOSE guys."
Been to the web site? (Score:5, Insightful)
First of all, both these companies' web sites are identical. Second of all, they look like some 14 year old put them together.
Look, this is just some sweatshop lawyer who wrote a $200 threatening letter. The threat has no value, and should be ignored.
Re:Why use wget? (Score:5, Insightful)
1. wget is just a means to automate. Would you type all the URLs manually?
2, 3, 4. As insecure as anybody else downloading it. They have no duty of care that publicly available data that shouldn't be publicly available is not publicly available.
5. A blurred screenshot allows plausible deniability. After all, the blurred bits could be anything. It could even be a completely different page blurred in Photoshop to smear the good name of these dickheads^W fine upstanding members of the community.
If they have a complete data dump, it is most likely someone else does as well. Someone who is more interested in profiting from shoddy practices.
Re:Try to do something right (Score:5, Insightful)
Sometimes the evidence itself is more important than the source. In the particular case, it sounds like the evidence was strong enough that it wouldn't matter which source it came from.
But the trend with threats and lawsuits against those who discover security holes must stop. That trend is a major threat against data security across the entire IT industry.
People will keep finding security holes. Sometimes you just stumble upon them, without even looking. What are you going to do, once you have found a security hole? Report it and try to get it fixed? Ignore it? Abuse it? If those who do the right thing are going to be the target of threats and lawsuits, that certainly removes incentive to do the right thing. So fewer people will report security holes. And some of those who would have reported it, might instead decide to abuse it.
If we ever get to the point where doing the right thing is more likely to get you into a lawsuit than abusing the security hole for personal gain is, then the industry is in big trouble.
Luckily a few companies are taking steps in the opposite direction and are offering cash rewards to those who find security holes. At some point users will have to start taking that into account when deciding what software to trust. But it is a very real problem, when the systems you don't trust are those used by any branch of government. You can't just go somewhere else. And the lack of competition has led to situations where security concerns are just ignored.
Re:Pray for Oklahoma City (Score:0, Insightful)
He's parodying certain religious leaders who say this exact same shit about Florida, California, New York, or the US in general.
Go look up Poe's Law.
Re:Try to do something right (Score:5, Insightful)
Or you know... people could start writing decent secure code to begin with... :)
Did you ever write a program? Did it work the first time, doing exactly what it was supposed/specified to do?
Took a lot of debugging and error correction, didn't it? Even if you are a programming expert.
Now write a program where "what it's supposed to do" includes "not get cracked and used by any malware, known or unknown, past or future".
Think you'll get THAT right the first time? Even if you are a security expert?
Re:Try to do something right (Score:2, Insightful)
if by "not get cracked and used by any malware, known or unknown, past or future" you mean
"not list people's SSN addresses and financial data in a google search result"
then yes i think i can get that right on the first try.
Re:Try to do something right (Score:4, Insightful)
It might take a security expert to write code that works as specified the first time, but it takes a fantastic idiot to put any kind of code in production before it's been debugged and error-corrected.