Hacker News new | past | comments | ask | show | jobs | submit login
Hacker Claims Feds Hit Him with 44 Felonies When He Refused to Be an FBI Spy (wired.com)
351 points by ghosh on Feb 19, 2015 | hide | past | web | favorite | 108 comments

This reminds me of a The Florida case of Rachel Hoffman [1]. In short Rachel was arrested for marijuana (and 4 ecstasy pills), and flipped as a CI in a sting requiring here to buy ounces of cocaine, ecstasy and a gun. Rachel disappeared during the sting under watch of LEO and found murdered. It is similar to charging a "hacker" for scanning websites and cyberstalking (I don't know all the charges) then asking that hacker to obtain information on drug cartels and politicians, it is dangerous and unrelated to the underlying crime. At least in Florida as a result of Hoffman we have enacted Rachel's law to protect people in such a situation in the future (but it does not outlaw CIs totally just gives them protection, such as training for officers and right to a lawyer).

[1] http://en.m.wikipedia.org/wiki/Rachel_Hoffman

A little background on Rachel, from that fine New Yorker article, "The Throwaways" (12/09/03):

By the time Rachel was twelve, she had been a ballerina, a Brownie, an equestrian, and a Weeki Wachee Springs Little Mermaid contestant; by eighteen, she had learned to play the flute and the piano, gone skydiving, and hiked the Grand Canyon. By twenty-three, she had completed an undergraduate degree in psychology, interned at a mental-health institute, and travelled internationally. She loved to cook—she’d prepare elaborate multicourse meals for friends and deliver homemade matzo-ball soup to an ailing classmate. She was given to hatching big plans: She had initially dreamed of going into counselling, but decided to apply to culinary school. She would invent a new form of therapy, she told her dad; perhaps troubled kids who hated talking to a therapist from an overstuffed couch would open up as she taught them how to bake cakes and make spaghetti carbonara.

and the police who arranged the sting, mishandled the situation, resulting in her kidnapping and eventual murder?

I will hazard a guess, not guilty on all charges. She was a druggy after all and got everything she deserved.

That is some serious messed up state of affairs that allowed this to happen.

Per the WP article:

The officers involved in the operation were suspended with pay, and the family filed a wrongful death lawsuit against the city.

Message to the officers, and to their brethren colleagues in the profession being, in so many words: "Aw shucks, it was just a little misunderstanding. After all, she didn't follow instructions, did she? Don't beat yourselves up over it."

Cops need to get jail time.

Can you please define 'druggy', in this context and in general? Also, would you be comfortable listing all of your medications and past experiences so i can fit you into a generalized subgroup and decide what you deserve? k thanks

She was a druggy after all and got everything she deserved.

The user above may have meant it as sarcasm, but the funny part is, this is in fact pretty much what the cops were saying about her in the weeks after her murder.

Which is extremely disconcerting but not at all unexpected. They have to believe their own rhetoric; otherwise the few cops with conscience + intellect would quit.

I just hate that a person's life can be boiled down to a sentence or two based on a few activities they were purportedly involved. The feel is bad.

user_00001 doesn't really mean it. They forgot to add the /sarcasm tag.

I remember reading about this case around the time the charges were originally filed and those are pretty much the charges. The guy ran nmap (or equivalent) on the website, and submitted some attempts at SQL injections in a few forms. That was pretty much the entirety of his "hacking". Honestly what he got on the plea bargain is at the far end of what I'd consider appropriate for what he did. Something like a small fine, say $500 and a "don't do that again" would probably be more appropriate honestly. Had he actually gotten somewhere with the SQL injection, or actually gained access to something I'd say more might be warrented.

FYI the 44 counts were arrived at by charging each form submission individually, so it was really just 1 charge, just counted 44 times.

I don't see any reason why attempting SQL injections on a few forms on the County website should be treated any differently than trying a few ways to pick the lock on a county building. Should the punishment for the latter depend on the sophistication of the lock-picking techniques the intruder uses?

Web servers are other peoples' property, and there's no "right to tinker" with them. All you have is an implied license to use the site in the way the owner expects you to use it, the same as with a physical storefront.

Yes but there are degrees with these things. If you attempt to open a locked door they don't charge you with armed robbery, even if that door has a sign that says "employee's only". I'm not suggesting attempting a SQL injection should just be ignored, but it should clearly be at worst a misdemeanor and not a felony, about on par with trespassing in terms of severity. Now, if you then use that SQL injection to steal protected data, gain further access, or delete data, then yeah you're talking about moving into felony territory.

Web servers are other peoples property, but they're also a public space when you open then up to the public by hosting public services on them. A private server is different from a public server in the same way private property is different from a public storefront. By making your server accessible to the public you lose some of the expectations of privacy and implicitly allow a certain degree of access.

If you try to break into a building under the cover of darkness, you're going to get hit with more than a trespass charge.

Would you mind explaining which charges you'd get hit with? As a non-laywer, trespassing and entering (not breaking and entering, since you didn't break anything) are the only charges that would make sense to me in that context.

If the intent is there, then Attempted Burglary would be the charge in California at least. Penal codes; 663, 459.



Most of the US has laws that define B&E like the CFAA defines hacking.

"unlawful entry" is usually the common denominator.


just trying to break into a building would likely be classified as burglary

From wiki: " or loitering unlawfully with intent to commit any crime, not necessarily a theft – for example, vandalism."[1]


I agree, but I do see one distinction that I find interesting: if someone tries to pick a lock on a county building and they try 44 different lock picks, is that one charge or 44?

Even once is a serious charge, but I'm not sure there were 44 crimes committed.

A better analogy than lock-picking: the door has a sign that says "turn knob to the right to enter", he was arrested for unsuccessfully turning the knob to the left to see if it would opened into another room.

There is an interesting disconnect in the "HN perspective" in that online data is incredibly important and should be subject to all sorts of legal protections from the government (even if it's shard in plain text with all sorts of 3rd parties) but at the same time it should be completely OK for an individual to try to steal it just for fun.

Uh oh. I might be in trouble for finding out the entire list of people in the local jail by looking up Mr. %

The 44 counts thing is kind of ludicrous unless he literally made 44 separate attempts at SQL injection at different times rather than 44 separate HTTP requests. Having said that, I think the punishment for "attempted hacking" should be fairly harsh in the way "attempted robbery" is. He was likely attempting to steal copies of information or perhaps even destroy information that could've cost thousands or perhaps even millions to recover depending on who he'd gone after.

The problem is that "attempted hacking" is kind of a fuzzy thing. To go with your example is it "attempted robbery" if they catch you on camera scoping out the bank exits and camera angles? At what point does something go from looking around to "attempted hacking". He didn't actually succeed in anything he tried, so basically what they have him for is running a port map which shouldn't ever be illegal, and sending some garbage form data.

Because this is the law here and they'll always apply it as broadly and wrongly as they possibly can you have to consider the extremes on this. At what point do you draw the line? To go with the hypothetical worst case scenario, what if little bobby tables goes to sign up for a account somewhere, does he get charged with "attempted hacking"? This also puts grey and white hat hackers in a dangerous place as well (particularly grey hats which are already on shaky ground as is).

Someone didn't just get bored and fill a form field with random garbage. We're talking about attempting a SQL injection attack which shows clear intent.

>Someone didn't just get bored and fill a form field with random garbage.

Yes they do.

>clear intent

Intent of what, exactly? Intent to make the site do something it wasn't explicitly designed to do, yes, but that does not imply exceeding authorized bounds or causing any harm.

I'm not saying that people never put random garbage in a form field. We're talking about a specific incident where a person apparently made at least 44 requests attempting to perform SQL injection. The intent of unauthorized access or destruction of information. When you get caught trying to pick the lock at your bank you can argue you weren't trying to exceed authorized bounds or cause harm all you want but I doubt it will get you very far.

"SQL Injection" can be as simple as including an apostrophe.

It depends on the details.

Deliberately injecting "SELECT * FROM customers" can potentially exceed authorized bounds. (Even then the intent might not be there in all cases.)

Injecting "SELECT 1=1" to see if the system is broken is clearly not exceeding authorized bounds.

While I may have disagreed with you, I felt your original position was a reasonable one. Now you're attacking the straw man of someone being brought up on charges for an apostrophe in a form field. When that happens I'll gladly join you in declaring the ludicrousness of those charges.

No, I'm not making a straw man, I'm pointing out that "SQL Injection" is very vague, and attempted SQL injection even more so.

There is a huge gulf between checking for access and abusing access.

And that's why we have DAs, grand juries, judges, and juries. If someone gets brought up on charges for literally putting an apostrophe in a form field on a website the system has failed because there's no clear intent to perform an attack of any kind in that case. When that happens, let's talk.

That is exactly what happens.

is it? Citation please.

Intent to cause harm?

By checking all the locks, and not just a handful of them?

I don't think it's enough to show he was thorough to establish there is actual mens rea for a crime to have been committed.

I bet that site had at least 44 separate form inputs. No sense checking just a handful of them. None of the third-party certifications you suggest looking for to assess a vendor's worthiness are even roughly analogous to a bank with, for example, FDIC insurance.

If I have never undergone the certification processes myself (or perhaps even if I have, more so) they are the information-security equivalent of "tiger repellent" to me. I can only take the word of "experts" that they are good.

If I can't tug on all the exposed levers, then I guess at least I can be assured only people who are paid to do that (or people who are breaking the law) have actually tugged on them.

Can you understand how this kind of assurance would not reasonably instill any confidence of a system's security? The law does not forbid one from looking over one's own shoulder, so why should it be any more criminal to do that at every single corner you passed, even in an airport?

There is a reason info-sec experts are sometimes seen as paranoid, it's because you don't know if you don't check.

The remark about there being 44 instances was in direct reference to the idea that it could have just been random stuff put into form fields. I've already stated I think that being brought up on 44 counts is abuse and shouldn't have stood up in court. However, even if it's just 44 form fields that's far more than enough to show intent to perform SQL injection and not just an oopsie bad copy/paste or errant form entry. It seems clear that he was attempting to gain unauthorized access to information. What he intended to do with that information is irrelevant.

While 3rd party certifications might not hold the vigor of FDIC insurance you are unlikely to put information on a website that is as valuable or irreplaceable as what you put into a safe deposit box. Most of time we're talking about a name, address, and potentially credit card information as the maximum damage possible. Well, your name and address are almost certainly already public record. Your credit card similarly has excellent protection and aside from some incredibly rare nightmares most people who have their CC info stolen are back to normal within a few days of calendar time and less than an hour of time actually spent dealing with the issue. If you're putting something more valuable on the website you're perfectly within reason to contact the vendor and request permission to perform a security analysis or have your own trusted security analysis vendor perform such tests. This happens all the time in business.

You can feel assured that only people who are paid to tug on the levers or people who are breaking the law are the only people tugging the levers at every company you conduct business with.

And the literal "tuggin on the lever" analogy is really poor. A closer analogy would be, "I know many locks are vulnerable to being opened with a specially crafted bump key. I will walk around the building after hours and attempt to use a bump key on all the doors to ensure it's safe to conduct business here."

The "after hours" part doesn't help draw any real parallels either and only clouds things further. When is "after hours" for a website? All access is logged, at any time of day.

We are going to have to agree to disagree. You seem to think that performing SQL injection, even just to see if it is possible and with no intent to steal information or in furtherance of any crime, should be criminally prosecuted.

I think that SQL injection is such a basic attack that they should teach everyone how to perform it in introductory CS courses or earlier, as only through awareness of these basic forms can we all stamp out the threat of our own global systemic ignorance of those kind of forms.

It's not a kind of magic. Nobody is born with the knowledge that "SELECT * FROM Table WHERE #{userdata}" is completely and perfectly wrong approach to taking input from users in any production system. You have to learn it somehow, and the law practically forbids you from learning it through application in the wild. So I suppose only criminals will get to have guns, then.

> You can feel assured that only people who are paid to tug on the levers or people who are breaking the law are the only people tugging the levers at every company you conduct business with.

I understood that already, and it didn't make me feel warm and fuzzy. I don't really think there's a ghost's chance that I'm in the majority here, either, and I do find that to be a shame. Even many otherwise smart people are just totally ignorant of computers.

The word "SQL injection attack" has the word "attack" right there in the name. It's not innocuous. And there are plenty of places you can go where you're permitted to perform the types of analysis you're talking about without repercussions. If you want to be a locksmith you don't wander your neighborhood randomly attempting to break into houses as part of your training.

Yes, it's called an attack, and defenses are a thing too. You can't learn to block if all comers are expressly forbidden from punching or feigning punching. This need not be a violent attack, it will not incorporate any weapons, and there is furthermore no concept of assault and battery against computer equipment. One should avoid any destruction of property when wearing the white hat. They are not "unauthorized" accesses, however. The supposed authorization controls have failed and the doors are really unlocked if the attack succeeds.

Which situation is preferable:

a) As a new business, I am contacted by a good Samaritan who informs me that my public website is vulnerable to a common attack. I take this information to my development staff and they verify that we are indeed vulnerable, then we fix it. Millions are saved. I send a thank-you note to my new friend in Samaria and maybe even write a check.

b) Good Samaritans are prevented from helping by laws that divide adept lever pullers into only two groups: the paid kind and the unauthorized kind. There are then never good Samaritans because every Samaritan needs to take steps to remain anonymous themselves before performing any deeds which could constitute "an attempt to obtain unintendedly authorized access".

It's clear that "The only reason to obscure the origin of a packet is in order to not be the one caught sending it." Anyone who does not want to get caught doing whatever they are doing, I think it follows obviously, can't possibly be helping but only up to no good. Now all Samaritans with knowledge of SQL injection are at odds with web service companies and all good and rational Samaritans do the smart thing and cease all helping. If anyone helps, they will do so anonymously; if they are identified, they will have to swear they only found the issue by accident and didn't even really know what to look for.

In (B), your ability to secure yourself is directly at odds with the amount of spare time those (real) hordes of bad Samaritans or other nationalities behind seven proxies can spare. Got unlimited money? If you can't pay for enough pen testing, well I hope you did security right because nobody is going to help you now. Is that really the preferable scenario?

We have varying degrees of laws protecting certain kinds of "Good Samaritans" in cases of medical emergency, they are on the books in every state. Unless or until it's an issue of something wrong on a computer. There is no such similar protection for any security pros or curious tinkerers.

People who legitimately stumbled onto vulnerable services are best advised to never report them to anyone and forget whatever issue they saw, or they are persecuted by the FBI and prosecuted through CFAA and other legal channels. This cannot be considered optimal!

The intent between

    Username: Lawtonfogle
    Password: hunter2' OR 1 = 1;

    Username: admin
    Password: hunter2' OR 1 = 1;
is quite different. Should these be treated equally as hacking?

Or (to present an alternative explanation for why one might try to see what ports are open and whether some rudimentary attacks can succeed) maybe he was trying to evaluate a potential vendor and decide whether or not to put his secure personal or company information into the system.

You know, rudimentary attacks that should not succeed on any type of vendor system that has been through the most basic security audit or pen testing?

I guess we should either trust the vendor or don't. No real reason why would anyone want to see if other hackers with basic knowledge can get access to a system? I'm sure there are plenty vendors with transparent public records of the authorized penetration tests that they have ordered which have been done, you can trust!

There are a number of passive things you can do to gain some trust in an online vendor. You can, for example, look for certifications from a service like SiteLock. To maintain the brick and mortar analogy, you wouldn't try to pick the locks of a storefront after hours just to determine whether or not you should do business with them. And if you get caught doing that, I dare say you deserve to be charged with a crime.

Sending packets with strings which are commonly known to cause serious problems if systems are vulnerable to well-known exploits should not be a crime. If your system solicits users to input their private data and is vulnerable to easy attack vectors or common exploits like basic SQL injection, you are the one who should be charged.

So, the only problem left is how to establish your standing to sue the lazy vendor. It is a problem since you can't actually bring them up on negligence charges if you were not actually damaged.

Well, if picking the lock is thus illegal per your analogy, then the only way to have standing would be to first submit yourself to potential unknown harm and wait for the day when a bad hacker comes!

I think your analogy falls down too, because a brick-and-mortar storefront holds its own assets and is liable (or insured) for their own losses in the event of theft. You rarely store your own private things inside a brick and mortar storefront. If you did and they are stolen, the store would normally be liable and reimburse you.

People store their private data "in the cloud" all the time, but because of arcana in law which does not correctly distinguish between pulling on the handle and picking the lock, they are not allowed to check and see if the cloud-monger actually locks the door when he goes home at night?

There are ways to determine if a site is secure without attempting to gain unauthorized entry. You can look for third party certifications, a valid SSL certificate, etc. This is similar to the analogy of looking around at your bank to see they have a security person, locks, cameras, etc. protecting your safe deposit box. You don't go try to break into the bank to determine if it's reasonable to put your assets in the box there.

That's an absurd analogy. A more apt analogy would be to check if the bank had bothered to lock it's back door, while waving at the security cameras.

Prevent this kind of scan makes all of us less safe, since it encourages negligent behavior like taking risks with data that's not yours. Frankly, I think website owners should be held liable for security vulnerabilities.

This kind of culture of systematically undermining a secure internet only serves those who abuse our trust. Do you honestly think the FBI has a chance in hell of actually catching more than a minute fraction of all malicious hackers? Not to mention the fact that their motives here and elsewhere are rather questionable - if anything, they're less benign than the hackers they're chasing, seeing as they're essentially untouchable for whatever damage they cause.

No, not really. It's the wild west. SSL certs don't do anything to prevent SQL injection. That's done at the application layer, not the transport layer. You seem to be out of your depth.

This is equivalent to "checking to see if the door is unlocked when it should be locked" not "trying to pick the lock after hours"

I'm not out of my depth, this is what I do for a living. Verifying that a site is using valid SSL is one of the myriad of tools at your disposal to make sure a site is taking reasonable safety precautions with your data. That, accompanied by a third party trusted certification that indicates some basic penetration testing has been performed is reasonable protection for almost any data you'd be putting on the internet.

If you think that verifying that a site is using valid SSL is a tool to make sure that a site is taking reasonable safety precautions with your data, you most definitely are entirely out of your depth.

As to trusted certification - please elaborate; because many of these "certifications" are entirely worthless (some indeed indicate that a site is less likely to be safe).

Yeah, it's like driving by a house and seeing a sign on the lawn "This house is protected by Brinks" and from that concluding that none of the doors or windows have been accidentally unlocked.

It does show some kind of theoretical preference for security but it by no means assures one -- nevermind making any kind of a guarantee -- that said preference has been successfully translated into reality.

I would suspect that the rate windows or doors left accidentally unlocked between houses with security systems and without isn't a substantial enough difference to be meaningful. Sure the right might drop in half, but if it's from 4% to 2% that doesn't do much.

Having an SSL certificate is really the bare minimum that someone can do to have even a hope of a prayer of keeping data safe. There are about a dozen steps beyond that which must be taken. Worse, the effects are not additive, but multiplicative. If any one particular defense is handled improperly the properly handled other portions lend little/no assistance.

Naively one might assume that the total security score might be tabulated this way:

( 1 + 1 + 1 + 0 + 1 + 1 ) / 6 = 0.833

But in fact, it's this way:

1 * 1 * 1 * 0 * 1 * 1 = 0

Haha. It's like stabbing someone 44 times and getting 44 counts of attempted murder.

It also reminds me of Randy Weaver.

Fortunately, in this case, no one died.

He may be too young to have a family for the Feds to threaten and murder.

Otherwise sounds identical except for the entrapment angle. Weaver specifically refused to become an informant against the targeted white separatists because they knew and completely loathed each other. The offer made to Salinas sounds like one that could very easily result in his getting tortured to death. For that matter, do some of these cartels go after their target's families?

In Weaver's case, it seems that even the judge was in on the pressure.

If I remember the details correctly, he was erroneously informed that if he was convicted, his property would be seized because he had used it as bond collateral.

When I was a child I became a member of a cracking group of friends that disassembled and broke protections just for fun(we did not share or sell our cracks although we published info about how to do it).

The other day I met them again, now as an adults. It seems like one of the members of the old group took the bait and now is working for secret services or something shady. His life is miserable.

You start selling vulnerabilities for easy money and you could end badly. Those entities have so much power and too few scruples.

It doesn't always go bad. I worked for the Secret Service for two years as a CI. At the end they screwed me out of a few hundred dollars but I also didn't have to serve the eight years in prison I was facing. They never asked me to rat on someone, I built up new online identities and trained them.

The lead is buried in the last paragraph,

> vindictive indictment after a refusal to cooperate... very troubling and very improper

How is this different than indicting first and then dropping charges after obtaining cooperation? The threat is the same: work with us or go to jail.

In this case, the charges were clearly bogus, and they were dropped in the end (except for 1). It's not the same as facing a real conviction threat for something you are clearly guilty of.

The treat of financial ruin is the same though. Regardless of how bogus the charges may be lawyers are expensive and it's not like if 44 out of 45 charges are bogus they need to pay 44/45 of the defendants attorneys fees.

This is just like throwing shit at the wall and seeing what sticks. It should be illegal.

I agree. The pro bono lawyer is the real good guy, here.

If he were left to decipher the mess of laws and charges himself, I'd agree that it is improper. But once charged you either get a lawyer or a federal public defender[1]. Even if the attorney didn't know if the stalking charges were going to stick, the lawyer would know the "440 years" isn't accurate. That number is the max for each charge, sentenced back to back to back to ....

But the federal sentencing guidelines are very easy to understand. It is essentially a matrix where you look up different factors. Also, the sentences would run at the same time. So 1 charge or 44 wouldn't really make a difference.

So he was realistically facing a few years and plead down to 6 months. Not as draconian as 440 years to six months huh?

My wife got a speeding ticket on a highway in a federal park. It was a reckless driving misdemeanor charge because she was going 33 over the limit. Max sentencing is like 1 year and 10k dollars. We didn't even bother getting a lawyer because they pled down to regular speeding and a fine of 330 bucks.

[1]State public defender quality varies, but the feds are very good.

> "[1]State public defender quality varies, but the feds are very good."

Somebody who is in unfamiliar territory in this sort of situation, which would be just about everyone who isn't a lawyer, very likely would not know that. This makes the threat of financial ruination effective, even if financial ruination isn't actually their only option.

It's the same and still troubling and improper.

How stupid are the FBI?

Do they really want to bring someone "in the fold" in a coercive manner like this? Someone who's entire ###existence### is about cracking systems and spreading information on what they find? They want to invite him into their own living room, knowing that he hates them and feels they screwed him?

The arrogance of these people to think they could actually manage and control someone like him, and not get burned.

'Sometimes,' she said, 'they threaten you with something something you can't stand up to, can't even think about. And then you say, "Don't do it to me, do it to somebody else, do it to so-and-so." And perhaps you might pretend, afterwards, that it was only a trick and that you just said it to make them stop and didn't really mean it. But that isn't true. At the time when it happens you do mean it. You think there's no other way of saving yourself, and you're quite ready to save yourself that way. You WANT it to happen to the other person. You don't give a damn what they suffer. All you care about is yourself.'

- Julia, 1984

Rumor has it that they have some experience turning people. The scary part is that it may not be all that hard to manipulate people.

Now excuse me I have to go buy a Lenovo from Best Buy...

> Now excuse me I have to go buy a Lenovo from Best Buy...

What am I missing?

Elsewhere on the HN front page is an article about Lenovo putting adware on their computers, and Best Buy is notorious for their shady practices.

It's not just adware, it's a piece of crapware that defeats SSL on your machine, allowing anyone to pretend that they're e.g. your bank.

This is fairly naive.

Some of the best... ahem... clandestine intelligence work is done by bringing the absolute least trustworthy sort of person into the fold. Namely, the spies of other countries or accomplished persons in some underground or another.

Assuming it happened as he described, it's really tough to know if they were being honest. If they really wanted his help to investigate corruption and drug trafficking then I can see why they'd ask. The only people who support corrupt politicians are those who pay them. I know I'd help in a corruption investigation.

That said, often LE uses false pretenses. It's quite possible they actually wanted him for his Anonymous connections. Had he worked for them they could have pigeonholed him into ratting.

Keep your friends close, keep your enemies closer.

All this and the six month sentence just for "repeatedly scanning the local Hidalgo County website for vulnerabilities"? Scanning?

It's selective enforcement based on who he is and his associations. That is, they were being opportunistic. Whether that was to send a message or otherwise. It's also possible they were tracking his activity and they chose to pursue it because from early on they wanted to convert him to do work for them.

Wait, he ended up with 44 charges for just scanning a police website with a vulnerability scanner?

It's kinda similar to the post I've submitted yesterday. Shows how us government is playing. It's kinda disturbing: https://news.ycombinator.com/item?id=9071148

The transformation of the already morally culpable role of confidential informant to morally abhorrent confidential provocateur is one that many agencies are forcing upon the useful yet to be convicts.

If this guy gets six months for scanning a website the WebSense execs should be in prison for life. WebSense repeatedly scans websites for security vulnerabilities without permission.

So, "do our dirty work or we'll hit you with all the legal loopholes we can find". Lovely.

Outside of computers this has been going on for decades in the FBI/ATF's drug and gun business. This is and has been the modus operandi for at least 30 year (that I know of) and probably far longer, and it works well. Get caught with a joint and they'll try to stick distribution on you (with 10+ year sentences) unless you narc someone out. Some with gun violations, they will think of 10s or 100s of very questionable charges and place them against you, threaten jail time in the centuries. Reminds me of the Aaron swartz case.

consider that for years before 1989 and after, there was this intense campaign against STASI, KGB, Securitate and other eastern European intelligence services who served the "Evil Empire" and which were using their power to oppress, had millions of informants, were planting microphones in people's houses at the smallest suspicion and were recording any conversations they could. And now you realize the "free world" uses the same methods or worse.

You know the saying, "If you can't join us, we'll beat you."

Why is probing for weaknesses against the law? If I walk up to a house and jiggle the door handle, and figure out whether it's unlocked or not, and do not actually enter, what crime did I commit? What precedent caused this to be the case? If I am a salesperson who probes for weaknesses in a customer to my own gain, am I also violating the law? What if I am an employee who figured out how to reduce my workload but didn't inform my boss, so I get to surf Hacker News more?

I'm a website developer who patched 11 security holes after a security audit in my last contract gig. I think there is nothing wrong with probing. Actually breaking in and taking is another story.

Is this legally distinct from blackmail, and if so, how?

Blackmail involves not revealing something compromising or injurious. This is legally distinct both because they are not "revealing" anything, and is legal because they're supposedly just enforcing the laws you broke.

The government generally works like the mafia, but in reverse: instead of using intimidation tactics to get you to break the law, they use intimidation tactics to get you to put other law breakers in jail. The difference is that the mafia would at least pay you for your efforts. The government just threatens you more.

They are choosing whether or not to reveal evidence at a potential trial. With cooperation, they do not reveal damaging evidence at trial. Without cooperation, they reveal everything. This is exactly how blackmail works in a lot of mafia movies.

If you broke the law, you can, should and will be punished for it; this is not usually negotiable, and they are doing you a favor by not prosecuting you.

The moral/ethical grey area here is that forcing someone to work for the government in exchange for not seeking what the law would call 'justice' is the equivalent of indentured servitude, a form of slavery.

With blackmail, you might normally have a reasonable expectation of privacy, and a reasonable expectation that someone will not intentionally harm or injure you. The government is not seeking to harm or injure you (well, not theoretically) when it enforces the law.

We've all signed the social contract that says that if we break a law, we will suffer the consequences, so it's not unfair for the government to prosecute crimes you have actually committed. It is also fair for them to give you a way out of them, as most cases are pleaded down, prosecutors change offenses to lesser degrees for a good track record, etc.

It's also definitely a grey area how prosecutors will often tack on "trumped-up" charges in the expectation that a judge will knock them down to a smaller list but still apply some. Both these practices need to end, or be curtailed greatly.

Oh, that happened to a friend in Russia as well.

Superpowers - they are all the same and never learn.

My serious start in anti-Communism began with reading in 1971 +- a couple of years a Reader's Digest condensed version of one such "spy's" autobiography. He was entrapped and forced into becoming one, was caught almost immediately upon entering the US.

One of the strong and unquestioned implications was this sort of entrapment was wrong, and one of the things that distinguished the US from the USSR. Fast forward to Ruby Ridge, and Randy Weaver's refusal to try to become an undercover agent against a group of white supremacists, which he was not, and they knew that and hated him with a passion, i.e. it would have been suicide, brought the full weight of "the law" on him, resulting in the Feds murdering his wife and son.


I find it very hard to believe that the three letter agencies have such a shortage of netsec professionals that they offer jobs to untrustworthy computer criminals and script kiddies. Its almost an apocryphal male power fantasy - "You're so awesome, we wont even arrest you, we'll just offer you a job!" I wouldn't put it past law enforcement to use such things to their advantage.

It does sound like this was prosecutor... discretion. Probably a ploy to get him to incriminate himself further by having him talk some more or revealing other hacks as a "resume." Sounds like they had a weak case overall. While I'm not happy about such tactics, I think there's a difference between that and forcing people to "work" for the government.

Also, this is his word. We don't know how trustworthy he is. While anti-government sentiment is always high, I'd rather not reflexively side with criminals who paint themselves as anti-government. Its possible both sides suck. In fact, its probably the most likely outcome.

"I find it very hard to believe that the three letter agencies have such a shortage of netsec professionals that they offer jobs to untrustworthy computer criminals and script kiddies."

How many of those "netsec professionals" would be willing to test their skills against "Mexican drug cartels and local government figures accepting bribes from drug traffickers"? Screw up, or just have the notoriously inept FBI screw up, and you're very messily dead.

Wait, I was with you up til blaming law enforcement for this 'male power fantasy'. Isn't it more likely the guy claiming this is living that fantasy. "Yeah, they caught me, then they offered me a job. And I threw it back in their face! They threatened me, but I stood firm and they caved."

Who exactly is living the fantasy in that story? It sounds contrived, I admit, and I think I know who contrived it.

You're right - they don't generally offer them jobs, because jobs implies paying them an actual salary. We know that the FBI does this, though, because we've found out after the fact about some of the members of Anonymous who've taken this offer and co-opted other Anonymous members in hacking foreign governments on behalf of the FBI. In particular, I recall that Sabu did this quite a lot.

My guess is that either his story is BS (entirely possible) or else they were trying to get him to incriminate himself or possibly other members of Anonymous. I know the charges against him were trumped up, and based on what he was arrested for he didn't have any particular skills that would have piqued the interest of the FBI (ability to run nmap and write SQL injections that don't work aren't exactly world class skills) so the only thing they really would have been interested in him for is logically his Anonymous connections. As others have pointed out it also doesn't match the FBIs normal modus operandi, this smells more like an attempt at self incrimination to me.

I will say though that if this story is BS he at least came up with it while he was going through the prosecution not after the fact. The fact that the lawyer (Ekeland) is making statements about it makes me believe that this guy was telling him the FBI was making these offers to him during the uh, pre-trial I guess? Not really sure what the actual term for that is.

Yeah, no shit.

Spying on politicians and cartel members, no thanks. You'd be chained to the FBI forever since they would threaten to dump you in gen pop as a known CI or leverage the safety of your family if you don't do everything they ask.

"And these are only the ones we did not frame you with!"

It's entirely possible that these "cybercrime" divisions are really desperate to justify their funding. Chances are those sorts of entities are not made up of technical wizards. So coercing someone to do their job for them is pretty much the only hope. If they just hired people then those people would end up running the place.

Since when is using nmap or its kin illegal?

He's lucky they didn't plant n.u.d.e photos of young boys in his computer and charge him for...

The American system of piling up charges sucks so hard because it's so easily abused, especially when you live in a country where anyone commits 3 felonies a day [1] due to shitty and complex law.

When things have gotten so bad, Americans should take example from other countries and only count the biggest charge when sentencing someone to prison. Minimum sentences + abusive plea bargains don't help the current system either (they do help vengeful government tax-paid employees, though, in destroying the life of anyone they wish).

[1] - http://www.threefeloniesaday.com/Youtoo/tabid/86/Default.asp...

"3 felonies a day" is more of a marketing tagline for a book than it is any sort of meaningful fact.

edit: http://skeptics.stackexchange.com/questions/22530/does-the-a...

That link is a "worst of" for Stack Exchange. Most of the answers there are from people who admittedly didn't read the book, and are really bad.

If you read the book, the source of the "3 felonies a day" claim, is mostly related to the "honest services" laws, which were narrowed in scope somewhat by the Supreme Court after the book was published. If a prosecutor were to very liberally apply the "honest services" law, typical white lies like calling in sick to work when you're not sick or screwing around on the internet can be elevated to felony status.

Another key area supporting the claim is that participating in a transaction where a foreign law was broken is also a felony. I believe the (absurd/bizarre) prototype for this was somebody charged with a felony for possessing warm-water lobsters that were inappropriately packages according to the law of some central american country. (I believe they were in wax paper instead of plastic)

The point was that ordinary people in the ordinary course of business and life can be subject to extraordinary punishments for vaguely defined crime. That means that you're freedom is subject to the whims of an all-powerful prosecutor, which is contrary to generally accepted notions of justice and democracy.

They were convicted of conspiracy after 5 years of lobster smuggling, the transport laws were tacked on (and not necessarily ridiculous), see my other comment.

The book reaches super hard to make the argument that we have too many laws. It would do better to simply make the argument that we have too many laws.

It's also the case that the injustice in the US system is not aimed primarily at lobster smugglers and dumb lawyers (two of examples cited at the link).

The point of linking that worst of stack exchange is that you don't even have to read the book to eviscerate the factertisement, so it's not really a great "fact" to introduce into a discussion.

edit: corrected 10 years to 5 years.

The fluffy marketing distracts from the content if you don't read the book. Putting "you can go to jail for not providing honest services" isn't very catchy. The stack exchange link is a personification of "Don't judge a book by it's cover".

The argument of the book is that we have too many vague laws, some of which are nearly meaningless to a lay person. If you're familiar with how the various computer crime statutes are enforced, I think it is difficult to question that assertion.

The other aspect of the book to consider is that your typical middle class working person doesn't see the overreach in things like drug laws as something relevant to them. It's a wake-up call that the fundamental injustice that has been a way of life for the poor and minority community is expanding.

You'll notice I started by objecting to someone claiming the fluffy marketing as a fact.

That's true whether Stack overflow and I have misjudged the book or not.

And yet, if you've ever seen the charges the feds put against people it's not out of line. Lets say you commit one drug felony (transportation for example). Lets say you drive within 1000 feet of 3 schools and pass by a school bus going from point A to point B. Now you have 5 felony charges. What's worse is they will lie to you about the charges, for example if school zone violations are only an enhancement charge, they will put it as a separate charge forcing your lawyer to sift through the paperwork and find faults with them (agents don't get penalized for improper paperwork).

I can think the book is awful at the same time I think that sentencing in the US is probably a mess (I say probably because I'm not a careful observer of it).

The book claims "How can the average American commit three arguable felonies in the course of a given day?". Yet your example of charge stacking is contingent on carrying a felonious amount of drugs, something the average (mean, median and mode!) American avoids doing.

If you click to the website provided above, the first example is of someone "convicted for using plastic bags to transport lobsters". If you look up the case, they were convicted of criminal conspiracy and smuggling, with the horrible plastic bag charge being stacked on:


And the plastic bag charge isn't about the plastic bags, it's about Honduras having laws designed to protect their lobster fisheries from abusive exports (fisheries are harmed by over harvesting, but someone looking to make near term profits might not care about that, so regulation is sensible).

> Yet your example of charge stacking is contingent on carrying a felonious amount of drugs

It's incredibly easy as the felony amounts have been made very small. Further, the police generally weigh the container the drugs were/are in so if you have a plastic container that weighs 1 ounce, prettymuch no matter the quantity of drugs inside it's a felony.

Also, the estimated number or drug users is 23.9 million Americans as of 2012. While that might mean that the "average" American isn't a drug user, it does mean that there are more drug users than say Asians in the US and a very large percentage of the Black or Hispanic/Latino populations.

By your logic, we shouldn't worry about those folks because they aren't the average american (mean, median, mode) and yet the civil rights movement arguably disagrees with you.

Furthermore, when it comes to convictions the average American isn't a felon, won't ever go before the court, etc. And yet we offer these people protections (various Amendments to the Constitution, various Federal, State and local laws, Miranda rights, etc) even though they're not average as per your definition.

Given that the justice system is setup the way it is, your casual dismissal of it seems strange.

EDIT: links



My argument is that a particular statement is not backed up by the book it is used to sell. You've twisted that pretty far to end up with the opportunity to moralize at me.

My logic isn't that we should ignore sentencing problems in the US, my logic is that bringing bullshit book marketing into the discussion is counter productive.

I'd be interested in exactly which of my statements you view as a casual dismissal of the problems with the justice system.

I said The book claims "How can the average American commit three arguable felonies in the course of a given day?". Yet your example of charge stacking is contingent on carrying a felonious amount of drugs, something the average (mean, median and mode!) American avoids doing., but that wasn't to dismiss anything about the sentencing in those situations, it was to point out that you probably don't want to argue the blurb from the book if you are having a discussion about drug sentencing.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact