City of Columbus Sues Man After He Discloses Severity of Ransomware Attack (arstechnica.com)
An anonymous reader quotes a report from Ars Technica, written by Dan Goodin: A judge in Ohio has issued a temporary restraining order against a security researcher who presented evidence that a recent ransomware attack on the city of Columbus scooped up reams of sensitive personal information, contradicting claims made by city officials. The order, issued by a judge in Ohio's Franklin County, came after the city of Columbus fell victim to a ransomware attack on July 18 that siphoned 6.5 terabytes of the city's data. A ransomware group known as Rhysida took credit for the attack and offered to auction off the data with a starting bid of about $1.7 million in bitcoin. On August 8, after the auction failed to find a bidder, Rhysida released what it said was about 45 percent of the stolen data on the group's dark web site, which is accessible to anyone with a TOR browser.
Columbus Mayor Andrew Ginther said on August 13 that a "breakthrough" in the city's forensic investigation of the breach found that the sensitive files Rhysida obtained were either encrypted or corrupted, making them "unusable" to the thieves. Ginther went on to say the data's lack of integrity was likely the reason the ransomware group had been unable to auction off the data. Shortly after Ginther made his remarks, security researcher David Leroy Ross contacted local news outlets and presented evidence that showed the data Rhysida published was fully intact and contained highly sensitive information regarding city employees and residents. Ross, who uses the alias Connor Goodwolf, presented screenshots and other data that showed the files Rhysida had posted included names from domestic violence cases and Social Security numbers for police officers and crime victims. Some of the data spanned years.
On Thursday, the city of Columbus sued Ross (PDF) for alleged damages for criminal acts, invasion of privacy, negligence, and civil conversion. The lawsuit claimed that downloading documents from a dark web site run by ransomware attackers amounted to him "interacting" with them and required special expertise and tools. The suit went on to challenge Ross alerting reporters to the information, which it claimed would not be easily obtained by others. "Only individuals willing to navigate and interact with the criminal element on the dark web, who also have the computer expertise and tools necessary to download data from the dark web, would be able to do so," city attorneys wrote. "The dark web-posted data is not readily available for public consumption. Defendant is making it so." The same day, a Franklin County judge granted the city's motion for a temporary restraining order (PDF) against Ross. It bars the researcher "from accessing, and/or downloading, and/or disseminating" any city files that were posted to the dark web. The motion was made and granted "ex parte," meaning in secret before Ross was informed of it or had an opportunity to present his case.
SLAPP (Score:5, Insightful)
Strategic Lawsuit Against Public Participation
Re: (Score:2)
Re:SLAPP (Score:4)
Could argue whistleblower protection
In America, whistleblowers go to prison or flee the country to avoid prison.
Re:SLAPP (Score:4, Informative)
Or die in suspicious circumstances...
Re: (Score:2)
Re:SLAPP (Score:5, Interesting)
Yes, but as someone currently being sued in an over 200 page SLAPP suit [w9cr.net], you still have to defend it. I'm about 65k into this and 2+ years of time has elapsed. I've recently become aware of the same suit being filed by the same Plaintiff in another state now, but I've not been served in this new, parallel, litigation.
The system assumes the Plaintiff's complaint is truthful and it is the responsibility of the defendant to prove otherwise. A defendant must pay for and retain expert witnesses to refute each claim. As an example:
Reading this makes my head hurt, but if it gets to court, I'll need to hire an expert witness (likely 10-20k USD) to refute that. This is just one of the many idiotic claims made in such a SLAPP suit.
Most people do not have the financial resources necessary to defend such a case. Also if you get it dismissed on jurisdictional or anything before a full trial (summary judgement), you generally are unable to recover attorney's fees.
This entire action is from a small business owner selling products in the radio enthusiast community who went off over some facebook meme. Basic research found out he was a convicted felon and had made up multiple lies on his public resume. He's suing over publishing his records from PACER [uscourts.gov].
I wish this researcher the best of luck.
Re:SLAPP (Score:5, Interesting)
Krebs will pick it up and probably the EFF will step in. Possibly also the ACLU. The Streisand effect is going to be in full force and IT at the city is going to get screwed, but we can at least hope it also ends the political careers of those idiots.
Re: (Score:3)
Re:SLAPP (Score:5, Informative)
Many states have Anti-SLAPP legislation on the books, whereby a suit can be dismissed with prejudice with the filing of a (relatively) simple pre-trial motion by defendants.
Ohio is not one of them. They did have bills before their house and senate this summer to implement such... but not yet. They do have a law on the books that allows defendants to recoup costs if they successfully defend against a SLAPP.
It sucks that you are not in a jurisdiction with strong Anti-SLAPP laws. Good luck to you.
Re: (Score:3)
IANAL, but my brother is. I agree that there's a kind of general assumption that plaintiffs are truthful. Who would ever file a false lawsuit based on a lie? (that was sarcasm for those who don't grasp sarcasm). That would be fraudulent, perjurious, and frivolous, right? And maybe more? Hopefully you'll have a strong counter case and will file a case against plaintiff.
Someone sued me a couple of years ago. Total fraud / perjury. Of course I won. I thought the system would automatically go after the plaintiff
Re: (Score:1)
I can hear 'LAND - OF - THE - FREEEEEEE' in my mind's ... ear :-)
Re: (Score:3)
You publicly whistleblew on someone in an enthusiast community? Oh god. Buddy, I'm so sorry, you are gonna be dealing with forever. Enthusiast communities attract lots of people who pursue a hobby, borderline-fixated, and are burning time which they literally have nothing else to do with. And you outed one of them for being a past criminal? That guy now has nothing to do with his time, and you just blocked him from do
Re: (Score:2)
How are these farkwits (Score:2)
...not being burned at the stake?
Only individuals willing to navigate and interact with the criminal element on the dark web, who also have the computer expertise and tools necessary to download data from the dark web,
ie, every scum-sucking crim out there...
What universe do these chucklefarks live in? Oh, wait. Nevermind....
Re: (Score:2)
They sound like the sort of people who call IT every morning to remind them how to turn the lights on in their office. Does that switch thingy go up or down, so many confusing choices!
Re: How are these farkwits (Score:4, Insightful)
Your quote is BS. Visiting the dark web requires only moderate computing skills, and the needed tools are free, open source, easy to use and easily obtainable. Proximity to pedophiles, scammers, terrorists and other criminal scum can be unsettling, but personally I feel the same when visiting Microsoft, Facebook and other websites. The light web is just as infested with criminals and assholes as the dark web.
Re: (Score:1)
Well that doesn't make sense! (Score:5, Insightful)
Ginther already claimed the data was encrypted or corrupted. If that's true, how can he claim Goodwolf is showing the data to people?
Oh wait a minute. Was Ginther lying about the data? If so, then it wasn't Goodwolf who made the data public, it was the city.
Ginther probably wanted to keep this quiet, but that doesn't make any sense either because the city is suing the security researcher. Now it's known in every security circle and tech web site on the planet.
Re: (Score:2)
It's the oldest and most used form of cancelling in the book. Look what we can do if you embarrass us.
And also the most hypocritical. But then that's one of the points I guess. We are hypocrites and we don't care because we don't need to follow the rules ourselves.
Re: (Score:3)
Arrest the city council too (Score:2)
And bringing council's lies to light isn't remotely a crime. Covering up their mendacity is the real threat to public order.
Re: (Score:2)
Furries bringing truth to light (Score:4, Interesting)
Not a fan of this specific furry, but I'll give credit where credit is due.
And the State trying to shut him up is only going to result in bad things for them. Furries will unite hard over common causes. Witness what was done after Dragoneer's recent death - almost 1/4 million dollars total raised, from under 4,000 people. [gofundme.com]
Word will get out and furries will fund this one's defense, and counter-suit.
Also, furries run the internet. Ohio just picked the wrong group to piss off, when it comes to matters of IT.
above board (Score:3, Interesting)
'The motion was made and granted "ex parte," meaning in secret before Ross was informed of it or had an opportunity to present his case.'
Well that certainly sounds kosher and above board. Amerikan, even.
Good old "Guilty until proven Innocent". It saves So much time, huh?
Shooting the messenger? (Score:5, Insightful)
Re: (Score:2)
If what he's saying is true, he has more competence than the city's I.T. department.
As someone who does programming for clients ... there is nothing worse than a client with their own in-house IT department.
(Unless they restrict themselves to merely updating Windows and getting people's mice to work and such.)
Re: (Score:2)
Have you seen what government pays? If they get the best it's because they were down on their luck and couldn't get a better paying job because they had a bad credit score or unexplained gaps in their employment. (I'm just claiming NDAs next time someone asks, fuck this not lying to people shit, there's no reward for honesty.)
Cool (Score:2)
Now, if it were me, I would find and anonymously release evidence that this judge is not fit to be a judge, along with further evidence that Ginther is full of shit from non dark web sources.
Did he report it to the city first? (Score:2, Interesting)
...per normal IT community standards - or did he just go directly to the press?
Isn't this (Score:2)
Again, as usual (Score:1)
Columbus Resident (Score:2)
Columbus Dispatch: [dispatch.com] One month into a ransomware attack against Columbus that the city has now acknowledged may have compromised the personal information of close to half a million private citizens and thousands more city employees, the public still knows precious little about what happened.
Prosecutor's database exposed [dispatch.com] Mayor Andrew Ginther confirmed on Saturday that information in the city prosecutor's database was exposed during the July cybersecurity data breach.
Private citizen lawsuit. [dispatch.com] "(The breach) affects a huge amount of people," said Meador. "Anyone who scanned their ID to get into city hall, crime victims, so the sky is the limit."
Employee lawsuit [dispatch.com] A group of anonymous Columbus police officers and one firefighter have filed the second lawsuit against the city claiming their personal information was stolen and some suffered financial losses from bank accounts and credit cards hacked after the city was the victim of a ransomware attack.
Unfortunately, Ginther was recently re-elected Mayor. We did try and oust him over his proclivity for giving away tax abatements [usatoday.com] that have cost the city school system millions in lost revenue, but we lost by a 2:1 margin.
Timeline and answered questions (Score:2)
https://www.nbc4i.com/news/inv... [nbc4i.com]