Security Researcher and Alleged Spam Operator To Square Off In Court In Ugly Lawsuit (bleepingcomputer.com)
An anonymous reader writes: River City Media, the company accused of running a huge spam operation, has filed a lawsuit against the security researcher and the journalist who exposed their activities. In a ludicrous lawsuit complaint, the company claims the security researcher didn't just stumble upon its unprotected Rsync server, but "perpetrated a coordinated, months-long cyberattack," during which he skirted firewall rules to access its server, used a VPN to disguise his identity, deleted critical files, and published his findings to make a name for himself as an elite security researcher. The company claims the researcher accessed Dropbox and HipChat logs, and even its PayPal account, from where he used funds to purchase various domains. The only evidence the company has is that the person who purchased the domains used a ProtonMail email, just like the researcher, who also uses a ProtonMail email. Mind you, this is the same security researcher, Chris Vickery, who discovered a Reuters database of supposed terrorism suspects, national voter databases for various U.S. states and Mexico, and various other companies.
Streisand effect (Score:2)
Re: (Score:2)
How so?
I can see it now (Score:2)
Re: I can see it now (Score:5, Interesting)
This happened to a client; they received a truckload of documents. We paid an outsourcing company a couple grand to scan them into an OCR program and used text search to find the proverbial nails for their coffin. With the newest bad-ass document solutions from big printer manufacturers, this isn't really that much of an issue anymore. Just drop a thousand sheets into the loader and press the button. A few days with a few temps, and you have your digital versions.
Re: (Score:2)
This happened to a client; they received a truckload of documents. We paid an outsourcing company a couple grand to scan them into an OCR program and used text search to find the proverbial nails for their coffin. With the newest bad-ass document solutions from big printer manufacturers, this isn't really that much of an issue anymore. Just drop a thousand sheets into the loader and press the button. A few days with a few temps, and you have your digital versions.
I never understood why companies save everything; especially emails, working papers, etc. I worked for a company that had a strong document retention policy. We destroyed everything but our final inspection report once the final report was approved. Notes, electronic media, drafts, etc. were collected and shredded and HD were securely erased as well. Email was not used to discuss our inspections. This way, the only material available was our final report so nothing could be taken out of context in a suit ag
Re: (Score:2)
Without those emails, who gets blamed? Recently, I had someone tell me they didn't ask for what I did. What saved me? A months-old email from them telling me to do exactly what I did. In another case, a judge sent a demand for a bunch of 3-year-old emails (old sysadmin, old mail server), and we could not provide them; the lawsuit with the customer did not go well after that.
And then there are government retention laws. For example, we are required to keep call records for some countries for 10 years and we h
Cuts both ways. Documents reveal the truth. Misund (Score:2)
Yep, that goes both ways. If you have the documents, you can see and prove what was said. When you're right, that's a win.
The big bonus of having documents is that when you have them, most conflicts can be resolved at the "minor misunderstanding" stage, well before it becomes a lawsuit. Somebody says "I told you X". You reply "oh, I'm sorry, I thought you said 'not X' in your email on January 3rd. Did I misunderstand? Let's discuss changing that. I guess I misunderstood your email, copied below."
Re: (Score:2)
That is why you have a document retention policy. Because if you do not, you have no reason NOT to produce old documents. If you have missing "old" documents needed in a court case, it looks like you destroyed evidence. But if all the records are gone, so are your liabilities.
Re: (Score:2)
Without those emails, who gets blamed? Recently, I had someone tell me they didn't ask for what I did. What saved me? A months-old email from them telling me to do exactly what I did. In another case, a judge sent a demand for a bunch of 3-year-old emails (old sysadmin, old mail server), and we could not provide them; the lawsuit with the customer did not go well after that.
And then there are government retention laws. For example, we are required to keep call records for some countries for 10 years and we have had demands for 7-year-old information in the past.
Not to mention it's sometimes just nice to go back and see how you did something a couple of years ago when a similar project happens again
While you raise valid points, the documents I was referring to involved specific inspections for clients. The final report contained all the information needed and thus we destroyed all the working papers, inspectors' notes, etc. so that they couldn't be used in court and misinterpreted or otherwise used to paint a false picture of what we saw. For example, I might write in my notes while observing operations "The operator did not (do some critical step) ..." only to discover in the reconstruction later that
Re: (Score:1)
The company I used to work for were so "afraid" of IT that EVERYTHING was copied and printed out. Even the receptionist had to write down thousands of callers' telephone numbers every day. They spent $100,000 on building a new archive building to put all these paper records in, and 2 years later they had to build an even bigger one, and so on and so on.
The biggest joke was that no one ever went to the archive to retrieve anything.
Then 1 year ago the archive burnt down but the CEO then set about rebuilding un
Firewall rules... (Score:3)
Re: (Score:3)
Confidentiality can be perfected by eliminating availability. That's by no means any news.
And guess what, if you unplug the computer from power and hide the power cord, it cannot even be abused locally!
Goose and Gander (Score:3)
We'd be up in arms if it was the FBI breaking into the systems to gather evidence of illegal activity without a writ or warrant. Without the backing of the law the 'hacker' is and should be guilty of digital crimes, but that doesn't abrogate the guilt of the spammer, who should be relegated to a special hell for spammers and phishers. Private entities can get away with things law enforcement can't.
Re:Goose and Gander (Score:5, Insightful)
Vigilantism arises whenever law enforcement drops the ball. People are generally lazy and wouldn't go out of their way to do that "job" if it was already done.
Of course police doesn't really approve of it. Do you like to be shown that you suck at your job?
Re: (Score:1)
Vigilantism arises whenever law enforcement drops the ball. People are generally lazy and wouldn't go out of their way to do that "job" if it was already done.
George Zimmerman
Re: (Score:2)
Yeah, that's TOTALLY the same thing.
Re: (Score:2)
The definition of vigilante would seem to depend more on your perspective than any established facts, and that to me is the whole problem with being a vigilante. Remember the guy that showed up at Planet Pizza, independently investigating Pizzagate?
Re: (Score:2)
But I hope we can agree that bricking a device is a wee bit different from killing a person, yes?
Re: (Score:2)
Absolutely. And in this case specifically I would think that a security researcher is the equivalent of a journalist - as long as he himself did not break the law he is free to publish whatever has been freely given to him. For example, see the Pentagon Papers. If someone gave this info to Chris Vickery and all he did was confirm the authenticity of it then he was merely performing due diligence.
But think about bricking a device. If someone's IP phone accesses the internet via some cheap crappy router and
Re: (Score:2)
Umm so it is ok for a private individual to come into your house to check and make sure you are not stealing things or using pirated services without any documentation or supporting evidence ? You are a hypocrite at best and a danger to the rest of society otherwise...
Re: (Score:1)
Those that have a monopoly on force, special protections, and special privileges within society should be held to a higher standard.
Re: (Score:2)
Re: (Score:2)
When are you coming to get him?
Re: (Score:2)
We'd be up in arms if it was the FBI breaking into the systems to gather evidence of illegal activity without a writ or warrant. Without the backing of the law the 'hacker' is and should be guilty of digital crimes
I'm not sure that accessing a server exposed to the internet with no password on it really counts as "breaking in".
Re: (Score:2)
Dear law enforcement,
do your fucking job or at least don't stand in the way.
Re: (Score:2)
Every time they attempt to do their job they are pilloried as jack-booted Nazis infringing on people's God-given rights to engage in criminal activities.
Re: (Score:3)
Then they should probably stop beating up protesters and start protecting people instead of assets and investments.
Re: (Score:2)
Re: (Score:2)
I completely agree on this one. Hacking somebody without permission is hugely unprofessional. I attribute it to a superiority complex on the side of the "security researcher". It has gotten so bad that actual IT security consultants have to assure their customers that they will of course stay strictly within their mandate and that they will of course not give any information about their findings to anybody besides the customer (much as a medical professional would and with much the same reasoning). It is qu
If there is truly no evidence... (Score:5, Interesting)
Then Chris Vickery not only will be able to defend himself, but may be able to countersue under New Jersey's anti-SLAPP laws (SLAPP = Strategic Lawsuits Against Public Participation - exactly what this suit seems to be). The penalties can be quite substantial, $280K in a recent case [scarincilawyer.com]. Not only that, but there is another New Jersey law that allows a judge to dismiss a case with prejudice within 45 days of the SLAPP filing. [law360.com] This is all cogent, because RCM is a New Jersey corporation.
Furthermore, there is a shareholder group engaged in a proxy battle right now, saying that they see this as a desperate attempt to distract shareholders from corporate mismanagement [staffingindustry.com]. So this may not even get filed, depending on how the existing shareholders see this action.
Re:If there is truly no evidence... (Score:5, Informative)
This is all cogent, because RCM is a New Jersey corporation.
You are probably thinking of another company, RCM Technologies [rcmt.com], located in Pennsauken (New Jersey). There are other unrelated companies with similar names, including a River City Media [rivcitymedia.com] located in Portland (Oregon).
The spam operation operated by Matt Ferris and Alvin Slocombe seems to be run from Washington state, along with other companies that they have registered there under names like “Acetech USA”, “Cyber World Internet Services” and others, according to SpamHaus [spamhaus.org].
Re: (Score:2)
Naaaa, in order to do this you just need to be big on the bullshit and small on the actual facts.
Eye of the beholder (Score:2)
Common Sense (Score:1)