FTP Server at LSUHealth New Orleans (samsclass.info)
342 points by nwalfield on Aug 31, 2014 | 95 comments



This is a symptom of an unfortunately very common reaction to system security. Unless businesses are actively encouraging bug hunting, almost unbelievably they will act with a lot of hostility to exposure of weaknesses in their systems and will often shoot the messenger with extreme prejudice, even if they receive the information privately.

There are countless examples of people getting burned rather than rewarded or even thanked for bringing to attention some sort of flaw. My advice is do not bother. There is almost no upside for you and likely very significant downsides.


Nowhere in the original article[1] is the professor accused of hacking and certainly not of having any malicious intent. The headline of the subsequent summary in scmagazine.com[2] is where the word "hacked" came in, and to be fair to the reporters, what the professor did would be considered "hacking" in some legal interpretations of existing laws whether that's right or wrong.

To be clear, we have absolutely zero evidence that the IT staff at the hospital ever accused him of anything or claimed he did anything wrong. Apparently they didn't respond and tell him thanks, but given that they knew who it was, if the hospital thought it was a crime, surely they would have contacted the authorities.

In any case, neither article named the professor until he came forward, so I'm not sure how even the extremely mild misinterpretations of the case could be called libel, exactly.

All in all, this isn't exactly a cut-and-dried case of curious white-hat smeared by the government and media. There are plenty of those to go around. We needn't invent more.

[1] http://www.thenewsstar.com/story/news/local/2014/08/19/conwa...

[2] http://www.scmagazine.com/professor-hacks-university-health-...


Check out the actual HIPAA retaliation complaint:

http://samsclass.info/125/proj11/LSU-HIPAA2.pdf

I had the same initial question about why he was reacting so strongly but people sending letters to your college administration demanding action is something of an existential threat to someone who teaches ethical hacking.


Technically, he did not file a complaint with the office of civil rights. He should file a formal complaint with health and human services since he discovered a HIPAA breach, and since they decided to be assholes about it. They aren't likely to stumble on an article and take action based on that.


So John Poffenbarger -- jpoff@definisec.com -- of definitive data security contacted the admin at ccsf.edu to attempt to get this guy fired.


The headline is: "Professor hacks University Health Conway in demonstration for class" http://imgur.com/M3rdooP

I'd be pretty annoyed to see that written about me after I had emailed the server owners and informed them that they were hosting patients' personal data on an open FTP server. It'd merely be piss-poor coming from some random local newspaper, and we often tend to dismiss it because technology is complicated egghead stuff; but this is a website that claims its audience is "IT Professionals", which makes it really irresponsible, and the reporter ought to know better. Caveat: given that the professor's story is legit.


Wrong on the facts -- the article calls it a "security breach" and names the professor as the responsible party. The article says he did this in front of a class full of students. I'd say he has a pretty good case for libel, and the authors are pretty stupid to ignore his demand for retraction and apology.


I work as a contingent faculty member at a private liberal arts college. When searching for someone's email address recently, I discovered published on the web a list of names, email addresses, and ID numbers for all staff and faculty. I notified the responsible department through a trusted tenured faculty member. The response was "oh, that's just test data," which turned out to be false, and then "oh, it's not a big deal anyway." This was also false, for any number of reasons. Among them is the institution's use of swipe cards to control access to buildings and labs, and a ridiculously simple swipe payload (essentially just the unencrypted ID number).

They removed that information from the site and probably no one with ill intent accessed it. However, the security situation at that institution would be in better shape today if there had been an open discussion about this leak and its implications. Because I didn't feel comfortable approaching decision makers about this without risking retaliation against me, that discussion never happened.


It is dangerous to report bugs

A student in Montreal was expelled after informing the college where he studied that there was a security flaw: http://business.financialpost.com/2013/07/17/montreal-studen...


I am glad I went to a university that reacted appropriately. I found a bad issue (students' passwords for a system that held their SSNs, grades, financial info, etc. were world readable) and got a pat on the back from them. I went through a prominent CS professor instead of directly reporting it, though.


I dunno... it appears that he was expelled for some other reason, not the original reporting of the bug?

http://news.nationalpost.com/2013/01/20/youth-expelled-from-...


Post hoc ergo propter hoc.


Reading your post makes me wonder why bug-hunters aren't more cautious about this. Sure, the sentiment is good; it is a moral obligation to expose a bug that could be harmful to users.

But if you suspect you could get burned for pointing it out, you can take steps to mitigate it. Anonymity for example. Then again if you are in it for the fame and recognition, getting burned is a risk you are taking out of vanity.


Because most of the time, the thought doesn't even occur to someone that it could be an issue. Here you are, going along, and suddenly you find information that shouldn't be public. So, you send a quick email. After all, it was probably an oversight, and it only takes a minute of your time to inform somebody.


Because most people aren't in it for "fame and recognition" or "vanity"?

If I find a bug in a piece of software, or something misconfigured, I tend to report it and move on. I don't try to hide my identity before reporting it. A security vulnerability is just a bug or misconfiguration, that happens to be exploitable for nefarious purposes. The responsible thing to do is to notify those responsible, and anonymity doesn't help with that; they may need to follow up to ask questions to find out more details about it.

While there are some people in the security community who are prima donnas, who try to hype themselves and their exploits to gain recognition, this case does not appear to have anything to do with that. This is someone who sent a private email to those responsible, and then started seeing articles online and getting complaints emailed to his college about irresponsible hacking of other institutions' websites in front of students.


The guy was helping others. He should not have to take extra steps to be safe while doing it.


I see this as a symptom of something different. Security researchers have treated press coverage as a desirable commodity for a while now. Journalism has changed though, and so now we are seeing people like zdarski calling out journalists for reporting failures.

The fact is that journalists today are too busy writing linkbait headlines and getting page clicks to bother with details like accuracy or ethics. Researchers need to look at stories like this one and realize that journalists are not your friends, even if they write nice things about you or hang out with you at parties.

This journalist probably thought he was doing this guy a favor by writing about him.


You would think they would have been grateful for the heads-up. I guess some people would rather shift blame than accept they made a configuration or security mistake.


That's pretty much the norm in IT. After 15 years or so, I've seen pretty much everyone shift blame or blatantly lie their ass off to cover their own shortcomings...including a very senior person "invent" a completely fictitious rootkit to excuse the fact that the business lost critical data due to his negligence. It doesn't pay off to blow the whistle on this behavior either and provides a blackmail opportunity that I've seen people capitalize on.

Most everyone looks the other way in this business and there's a large amount of lying about credentials & experience to land jobs.


There should be some kind of anonymizing escrow-type service that allows people/info.sec researchers to help companies with security issues (or am I being woefully slow, and there already exists such a thing? This was just a OTTOMH/knee-jerk thought, FFTTMTFO..).


Maybe even a government agency? It could notify the company, follow up on whether they fixed the issue and sanction it if nothing has happened. Then it would allow the researcher to publish an article and protect him from retribution.


The worry there is that such an agency might keep the exploits for itself.


And it would help explain why the disclosure is being made - to help the company the disclosure is being made to, as a free gift.


Yup, agreed. I wasn't clear, but I was thinking/ass-u-me'ing that it would be an entity that would try to act responsibly.


A lawyer can do this. But then _you_ must pay.


> My advice is do not bother.

Second this motion. The number of vendors or administrators who respond well to security or privacy reports is tiny.

Some approximate data from my own emails. I've reported just over 120 security or privacy bugs over the past 4-5 years that this email address goes back (using my real name). I tag the emails, but searching "from:me vulnerability" brings them up. It is like a scoreboard of horrible vendors and site administrators.

From the most recent 100, there are around 25 with no reply at all. I know that some of those, such as government sites were followed up on the phone. Of those with a "(1)" in the thread meaning an additional message, most are me sending a reminder or trying to work out who to contact.

There are then a group of replies where they confirm receipt of the email, but then never confirm the actual contents of what I've reported. Scanning the threads, this looks like another 30 or so emails.

Then there is the group who confirm or deny the bug or parts but get into prolonged technical arguments, with around a dozen threads stretching beyond 10+ emails into arguments about if it is a bug or not.

Last group is those who get the bugs fixed and respond well. In these cases there are only a very small number where the threads are short - most involve long conversations. Some of these are still open - I just reminded myself that I have an open privacy issue with a large web company that still hasn't been fixed. That thread is 30+ emails long.

Overall more than half either didn't reply or didn't confirm the bug (silently fixed or not). There is a messy middle full of long threads and replies that are full of frustration and then only a tiny number of reports where they just get fixed with minimal effort (and you know who these companies are).

There is not a single instance of a non-software company responding well to a bug report (usually from a custom web app), and that includes some well known brands (banks, etc.). The number of good experiences I could count on one hand.

In terms of vendors, recent examples are a 20+ email thread over 3 weeks debating a vendor about severity of a group of bugs (still ongoing), two reasonably well-known vendors with no reply and a well-known vendor who only fixed after more than a month.

You can work out before reporting an issue who the good vendors are. They have a page dedicated to security with contact info, a key and a proper reporting program (preferably with a bounty). With everyone else, you are working for free, wasting your time, not making the internet any more secure and running the risk of getting into trouble - in some countries that could involve legal trouble (there have been a number of raids as a result of security reports in Australia, and the government head of privacy here said there is no such thing as a white hat report).


So (and I ask naively) why not just publish? If vendors aren't good, give them 30 days and release?


With vendor bugs, publishing after a timer runs out is a good idea. An alternative is full disclosure, which is where you publish right away. Another idea is to keep the bug to yourself and use it as part of a product or service or learning experience; another option is to trade the bug with others, or sell it, or just do nothing.

Whole range of options. Researchers usually find what they prefer and how they prefer to do it organically, and opinions (broadly) tend to shift the longer you have been in the field.


> My advice is do not bother. There is almost no upside for you and likely very significant downsides.

Years ago I realised that security bug reporting is a painful experience at best; from about 2006 I decided I'd stop tracking and reporting software security bugs that I find, which, while not the optimal solution, has made my life a lot less stressful.


Sam, if you're reading this, you need to find the newspapers' ombudsman. You'll probably get better results from him/her than the CEO, since their job is specifically to address these issues and in a decent organization will be given the autonomy to do so (no guarantees here!).

It's not clear to me that LSU is responsible for anything more than shitty security. It's possible that they told the newspaper lies, but it's also possible that they told them the truth and that the newspaper misreported. I think reporting them for HIPAA retaliation may have been premature, unless you know more about this situation than you wrote on your site (as opposed to reporting a HIPAA violation, which this clearly is).

But best of luck going after the newspapers. I'm getting sick of these "journalists" making up lies about the central figures in their stories without bothering to even check with them first to get their side of the story.

EDIT: Aaand, apparently, neither publication has an ombudsman, which tells you a lot already. Not a big surprise with SCMagazine, which is some kind of trade magazine, but it's too bad that even a small-circulation newspaper like the News Star wouldn't have one.


I spent a time as a HIPAA architect so I know exposing patient information to the public is a violation and should be reported even if accidental. However reporting it and having someone actually investigate it and prosecute is unlikely. It was pretty rare that anything was ever done (been a few years), especially to a large organization. I also know that people inside companies that handle HIPAA covered information rarely care as long as they pass their audits.


This is a case of some idiot who is responsible for the server having to tell management something so they say "oh this guy hacked it".

Management tells the lawyers and PR which forwards it to the "news" who just go for the most sensationalist story possible.

Hope he wins any lawsuit and more importantly his reputation back somehow.

I'm not even sure what would have been the better course here other than to have CC'ed other people on the email.

ps. No way in heck I am going to click on them but those filenames seem to appear in google cache elsewhere.


And that's one of the reasons if you're not a security expert and stumble upon someone's security problems, you do nothing (at least in US).


Not sure why this is downvoted. Reporting a security problem, particularly a significant one, puts you at high risk for unjust prosecution and imprisonment.

Unless lives are at stake due to the security lapse, it's pretty clear to me that the only reasonable response is to go "oh, that's interesting" and then close your browser window and never tell a soul.


What part of "server containing medical data about thousands of patients." indicates to you that lives were not at stake?

Edit: the folks saying that this guy was stupid for doing anything are completely irresponsible.


What part of archived medical data would put lives at risk? I mean, it sure as hell puts their privacy at risk, but can you describe what scenario you are imagining that puts lives at risk? Just because it has the word "medical" doesn't mean it's life or death (and this appears not to be).


From my point of view this is what anonymous full disclosure is for.

Naming and shaming typically gets some kind of a response. Keeping quiet does not.

I know not everyone agrees with full disclosure but I assert there is a time and a place, and after a demonstration like this one, IMO this university is one of those places.

Edit: typo


Let's assume that is all true, the "journalist" not contacting the professor before publishing that article seems quite unprofessional.

I mean aren't real journalists meant to check sources and get both sides of a story (or outside of America anyway)?


> aren't real journalists meant to check sources and get both sides of a story

No, they are meant to sell as many ads as possible.


Steady on.

The journalists I know do indeed meet society's expectations for fairness and accuracy, and make calls and pound beats, but there are also a lot more people who project themselves as journalists who are a long way from this ideal. Sadly market pressures mean there are a lot of the latter about.


That's the theory, but remember how badly journalism has been mismanaged into a death spiral. This article smells of someone with less experience (i.e. cheaper) being told to churn out a certain number of stories a week, given less support for editing and fact checking than they'd have had a generation ago, and – most importantly – they'd better sound interesting so people click and boost page views and ad impressions.


It looks like the source article did not name the professor. I'm unsure how the SCMagazine article author was supposed to contact said professor. Should they have just contacted City College for a comment[1]?

[1] the original article said it was an unnamed professor of Computer Science at City College


The follow-up article ( http://www.scmagazine.com/professor-says-google-search-not-h... ) has the most ironic line in it:

> At press time, Sam Bowne had not responded to a Thursday email and Friday phone call from SCMagazine.com for comment.


Falsely accusing someone of a crime often isn't just libel, it's per se libel, meaning that there's liability even if the aggrieved party can't prove damages. Running a newspaper article that turned out to be false without even attempting to contact you might clear the negligence hurdle here.


I like the fact that the article stated that no patient information had been accessed. How many times have you heard that line when news of a breach is made public? It makes me think that these folks would rather cover up a breach than actually take responsibility for it.


Yeah. Having been caught storing private information on an open ftp server disqualifies your authority to claim that you know/knew who else may have accessed the data.


Technically they said "no patient information was lost", which is one of those weasel phrases they can "clarify" if anyone calls them on it.

"Oh we meant it wasn't lost, as in it wasn't deleted off our servers!"


Read: logging=off


I can give some personal experience on this - I started bug/vuln reporting mid-last year. I've reported a bunch of web-application bugs that ranged from simple XSS and CSRF to RCE and directory traversal in a range of applications (enterprise software is rampant with holes).

I've only encountered two non-respondents. Everyone else has thanked and patched within a month and I even gained employment from one encounter! Yet to get a reward, however I do this for a hobby, rather than money.

Although one day I hope to do this professionally! There isn't much work in New Zealand for it though.

EDIT: To clarify, my process is: report to vendor with suggested patches, follow-up 1 week later if no response, follow-up two weeks after response to see if it's patched, ask permission to use my bug report publicly. In some cases there'll be a phone call from the respondent to ask about my background and see what my intentions are. Occasionally they schedule a coffee/meeting.


The journalist's twitter account is here: https://twitter.com/writingadam


Let's not turn this into a reddit-style witch hunt.


Umm... too late? The witch hunt began with the man targeting the professor.


Mom, he started it!


And for anyone considering writing to the source of the problem: http://www.lsuhsc.edu/ContactUs/


One can only hope our friends at UHC are undergoing a proper procto-scoping by the regulators at this point.

As for the reporting side of this (note I did not use the word 'Journalism'...): this is the quality level that has become the standard in the world of junk news. One must have the sensationalism in the title to get the click... that's it. The actual quality of the content is pretty much irrelevant.


If the linked recitation in any way corresponds to reality, and it seems to, the professor has a legitimate complaint, but he should have consulted an attorney before publishing his responses to the various parties involved. The reason I say this is because, even though he appears to be in the right and has a reason to be outraged, he could be sued for libel himself.

As one example, if he describes a named or identifiable person as a "liar" online, the subject could sue for defamation of character if it turns out that they didn't know what they said was false (which fails the definition of "lying"). That's a simple case where an extreme, emotional term places someone in a false light.

http://en.wikipedia.org/wiki/False_light

Remember, in this litigious society, no one is immune from legal actions, even those clearly wronged, as the facts seem to indicate in this case.


I'm not sure why people inform organizations about vulnerabilities. All they will get from informing them is a shock when they slap you in the face and call the police for the alleged hack!

It is better to sell the vulnerability in the underground forums.


No it is better to do absolutely nothing, and quietly divest yourself from them because that's not illegal.

But what we really need are some damn whistleblower protections for cybersecurity - buzz-wordy enough for government funding and command centers, but no actual help for the people who want to help because it feels like the right thing to do.


There are protections for cybersecurity here. From the article:

> HIPAA explicitly forbids LSU from retaliating against me for reporting a HIPAA violation, so I filed a federal complaint against them for their illegal retaliation.


Consider it an ethics thing. Willing to take the risk to protect those innocent people's data, or sell a grandma's SSN to the highest bidder? I think identity theft takes a certain amount of self-centeredness and lack of empathy that I could never deal with. The option to do nothing is a strong one as well. I would say it's best to report it, but do it anonymously.


Reading through this, it seemed like a pretty clear-cut case where Bowne had done things right from start to finish. And then I got to this:

"Apparently, committing libel is a common thing for them, and they are comfortable completely ignoring the protests of their victims."

I understand that he's likely under tremendous stress as a result of the allegations that LSU has made, but I'm a bit concerned that in his expression of shock and outrage he has turned to making what appear to be potentially libelous statements of his own.

I hope that his goal of having the accusations withdrawn is not hindered by this momentary slip into hyperbole.


Hm, not really. That's just you being pedantic. When you've been a victim of someone else's incompetence, you assume that he is incompetent because the only reason you know of his existence is his incompetence.

Given the fact that many of us believe that the two magazines do not really care about what happened, as much as they prefer getting clicks - a view which is supported by the course of action this story took - it's not a far-fetched claim at all. Especially for a man in his position.

NOTE: They didn't take any action even when notified. The only way for them to remove the article would be a letter from a lawyer (or at least that's what I'm getting).


Neither his position nor his circumstances provide factual backing for the claim that "committing libel is a common thing for them" or that "they are comfortable completely ignoring the protests of their victims".

Being a victim of their incompetence does not give him free license to imagine ways he thinks that they are incompetent and then express them as fact.

They have not yet taken any action. It's just as likely that they haven't seen his tweet.

They are certainly in the wrong here. But his jab at their moral standing weakens his position, and given the state of business <-> individual relations when it comes to disclosing security vulnerabilities, he wants his position to be as strong as possible in case they do turn out to be malicious and attempt to make the case that he violated their security.


You have to consider the full sentence and the context.

He has not said:

"committing libel is a common thing for them"

He has said:

"My comments on the SC Magazine article were deleted. The "journalist" who invented the article has not altered it or contacted me in any way.

The two CEOs have also remained silent.

Apparently, committing libel is a common thing for them, and they are comfortable completely ignoring the protests of their victims."

The word "Apparently" is doing a lot of heavy lifting here.

It is essentially saying "In light of this stated behaviour, it would seem reasonable to assume that...".

He is not making a statement of bald fact however, which is what you are presenting it as by removing the context. Amusingly, you are possibly being slightly libellous here by suggesting that he is.


There is a good chance a judge would find that the reporters are guilty of libel. Then the professor would be in a pretty good position to defend libel counter-charges.

I thought you'd get more meat from his reference to their crimes. Libel is civil.


> There is a good chance a judge would find that the reporters are guilty of libel. Then the professor would be in a pretty good position to defend libel counter-charges.

That's true, but in many cases like this, on weighing the evidence and seeing evidence for mutual libels, the judge will throw out both actions. The professor should have consulted an attorney before calling people liars -- all the subjects need to do is show that they didn't publish statements that they knew were false (thus failing the definition of "lie"). Failing a reasonable test of due diligence may be deplorable, but it doesn't make one a liar.

> I thought you'd get more meat from his reference to their crimes. Libel is civil.

All true. One of the ironies of modern times is that a civil action can do more to undermine one's life than a criminal one, depending on the circumstances.


The follow-up article is a bit better. But I don't like the way the original title is presented as fact:

"Professor hacks University Health Conway in demonstration for class"

While the follow-up is titled as "Professor says..."

"Professor says Google search, not hacking, yielded medical info"

http://www.scmagazine.com/professor-says-google-search-not-h...


> This is a very strange way to run a news blog.

He doesn't seem to realize all that matters to the blog is getting page views...


I think the first article is just a sponsored article by University Health Conway. By trying to convince public opinion that it was hacking, University Health Conway probably wants to avoid charges for negligence and for revealing and distributing personal data publicly...


I think the thing to be careful of here is the method(s) one uses to reveal a vulnerability.

Think of a brick-and-mortar analogy. You queue up at airport security, you go through, and you notice that their procedures are such that one COULD bring a banned item through and potentially not get spotted. You inform the appropriate authorities that you think there might be a weakness, and you say how and why.

This is probably not going to get you in trouble.

Another scenario: You go through security and make a mental note (as above) of a potential vulnerability. You (as above) report it to the appropriate authorities. Now some time in the future you are going through airport security and you wonder to yourself "I wonder if they fixed it". So you decide to test it out. You bring a banned item through. You get caught. You are in trouble but you say in response "but I was the guy who informed you of the vulnerability and I was just checking to see if it was fixed".

Good luck with that.

My feeling is that if you notice a potential (or actual) vulnerability as part of an everyday, normal use case of a website, or a web service, or network, then fine, you can report it, and you likely won't get into trouble.

On the other hand if you additionally decide to test the system in such a way that could be misconstrued as an attack, then you will probably get into trouble.

Another analogy: you walk into Macy's and on your way in you notice that the security system they are using is outdated, and you know it is vulnerable --- (made up silly example) you know that if you break in while holding a tuna sandwich, the alarm will not go off. So that night after the store is closed and locked, you break in, while holding a tuna sandwich, and you take a pair of $300 shoes. The next day you go to the store and you say "look guys, I was able to break into your store and steal these $300 shoes." You think they will thank you? or will they call the police?


I like your first analogy. Your second analogy, on the other hand, seems to me to justify the action. I think Macy's would thank you rather than call the police, but that's just my opinion.


Maybe they would thank you. Imagine though that the day after, they had noticed security camera footage of a masked intruder wandering the store, and then taking merchandise out the door. They can't identify the intruder. They call the police. There is an investigation. They spend $$$ on a new security system. People are fired. Then some time later you wander in with a smile on your face and tell them how you were the one who cracked their system. I can see a scenario where they are furious with you and call the police, telling them that you have just confessed to a crime. Then the police say, hey buddy, you committed a crime, you confessed to it, and now you are trying to say you did it "for a good reason". Good luck with that.


Bad analogy in this case because the school had no idea that their FTP server was even attacked in the first place.

Better analogy to what happened: Imagine you steal the $300 shoes with your newfangled trick and the mall security do not notice at all. You come back the next morning with the $300 shoes in tow and then they call the police.


This is why I never ever "report" security vulnerabilities without first having a contract with the afflicted party. It sucks, but I am not willing to be burned as a witch just because I understand security.


Next time send the newspaper an anonymous tip.

The guys with the open FTP server clearly don't give 2 fucks about your privacy, but in a sue-happy atmosphere they're trying to place the blame on someone else.


At a minimum the reporter could have googled Sam to find out he teaches security and the range of classes: http://samsclass.info/

... or applied some logic. Instead of contacting them directly he could have:

* broadcast it to the world (maybe a reporter!) that the FTP server was insecure
* done/said nothing


How was the reporter supposed to Google this? Looks like he wasn't named in the original article or the SCMagazine.com article. Just a "professor of computer science at City College in San Francisco." Unless he is the only computer science professor there, they didn't have his name.


I have always loved Sam's work at Defcon. It is sad to see the world "turn" on a good security researcher.


It's sad that institutions act this way. I also stumbled upon a rather nasty vulnerability in the website of a largish company. I left it as is, without notifying anyone, precisely because I didn't want any trouble.

If I found it by accident, I'm sure malicious actors can find it as well.


If you read the article, it was already exploited.


Why don't they lawyer up, and sue them for defamation/libel?


[flagged]


Since you didn't read the article:

He didn't hack them (unless performing a Google search and clicking on the link is "hacking" now) and he didn't tell anyone but LSU about their security problem - until he was attacked for trying to help them out.


Clearly the article was wrong, but the reporter could only go off of what the hospital told him or her, and that does not seem to have included the professor's contact information. Rather, I'm guessing the message that got out of the IT department was "we got hacked by a professor", which then likely mutated via the rumor mill into the details about a class demonstration.

If anything, I think this shows the hospital gave the professor a lot more benefit of the doubt than I would have expected.

The professor did himself no favors with his email:

    I am Sam Bowne, an instructor at City College
    San Francisco, and I found two security problems
    on your server with a Google search.

    Your FTP server has been compromised, and some
    files named "w0000000t" were added to it.

If I'm the IT administrator who receives this message, then after reading the first two sentences, I've already jumped to the conclusion that this professor is the individual who compromised my server! "Hi, I found security issues with your server, and now it's compromised!"

Sure, once you've read the intro by the professor, the meaning is clear, but think of yourself as a sysadmin getting this email, without the context of "I just found this, I had nothing to do with it" in your brain, and how are you going to react? Once the idea that the sender of this email is a hacker who broke into your server has entered your mind, it's going to be very hard to interpret it differently. Given that, the guy got treated pretty nicely by the story and the hospital in the end.


Your first sentence echoes the sorry state of affairs regarding what passes for journalism these days. Getting all angles of the story and doing fact checking is absolutely the responsibility of the journalist. The author had the professor's name - all it takes is 5 minutes of research to get contact information to follow up correctly. The journalist really has no excuse in this matter.


> The author had the professor's name

No, as far as we know the articles were based on the University Health legal notice http://www.uhsystem.com/Conway/FINAL%20Conway%20-%20Press%20..., which does NOT contain Sam's name.

Can you accuse someone of libel if the accused is unnamed?

This doesn't take away from the fact that the claims in the report are false, of course.


> Can you accuse someone of libel if the accused is unnamed?

Only if the unnamed person can be identified. If a person is unnamed, or given a made-up name, and readers cannot associate the name with a real person, then it's not libel.

Many legal actions revolve around this issue. A plaintiff says, "I'm the person this article is about!" while simultaneously claiming, "The article doesn't describe me accurately!" Only one of those can be true.


Yes, you can accuse someone of anonymous libel. This is how ISPs end up with subpoenas for real identities and attorneys appearing to represent anonymous parties.


"If I'm the IT administrator who receives this message, then after reading the first two sentences, I've already jumped to the conclusion that this professor is the individual who compromised my server! 'Hi, I found security issues with your server, and now it's compromised!'

"Sure, once you've read the intro by the professor, the meaning is clear, but think of yourself as a sysadmin getting this email, without the context of 'I just found this, I had nothing to do with it' in your brain, and how are you going to react? Once the idea that the sender of this email is a hacker who broke into your server has entered your mind, it's going to be very hard to interpret it differently. Given that[...]"

I can't give you that. I've been a sysadmin, and I've gotten emails about things that were misconfigured. Without the intro, the meaning is clear. Even assuming that the professor had added the w00000t files as a PoC, the note is still a nice gesture and a tip, not an indication of terrorism. Interpreting it another way seems a sign of stupidity IMO.

The email starts with his name and place of work. If you read that and think that Sam Bowne, City College, San Francisco is trying to destroy your servers, you may not be good at thinking.


If you're the IT admin you need to be sacked if you overreact without reading the full e-mail with this line:

  The "w0000000t" file is apparently part of a mass
  compromise of Microsoft FTP servers, which was found
  but not explained by a French security company named
  QuarkLabs in this slide

Nothing in the message implied that the professor was responsible for anything other than trying to be helpful.


No, no, no, no, and no.

If you can easily believe that a professor a) attacked your server, then b) wrote you a smarmy read-between-the-lines email claiming-but-not-claiming responsibility for it, you are a fool. If you can accept/forgive anyone in a system/data-administrative role for the same, you are a fool.

This is not how professionals work. This how good people lead their lives. This is how idiots and bureaucrats win.


"It is outrageous for a journalist to write such lies, accusing me of serious crimes, without even contacting me to find out what happened."

There is little to nothing that can be done about this. It's all about narratives, sensationalism, and agendas today.

Just take a look at the media stories about Ukraine where everyone (in US media) just makes shit up and presents it as the truth. No one questions anything.

Or the Michael Brown shooting. Where the media (CNN, MSNBC) pushed their narrative once more, completely ignoring all facts surrounding the event.

It goes on and on and on, with almost every major story being so biased, misleading, and twisted, that it might as well be seen as a complete fabrication...

Here is another good example of security related stories being "misleading" - http://blog.erratasec.com/2014/02/that-nbc-story-100-fraudul...


This is exactly what has been happening to reports about Israel / Gaza. Same problem. Outright lies.


Outside of U.S. jurisdiction for a libel (civil) case


And while we're being vague cranks, how about the parking on the street around the corner from my house? Is it allowed on weekdays or isn't it? At what time? I can never get a straight answer.


I can remember back when there were ships on the Tyne.

Big ships. With funnels and everything.

