Not that you asked...  
   



June 23, 2004

A thing about privacy...

It's amazing. No matter how many locks you put on the door, you are ultimately only as safe as the people inside, or those with the keys to the locks.

I just finished reading the official complaint, AOL and the United States of America vs. one Jason Smathers and one Sean Dunaway.

In a nutshell, Smathers, an AOL employee since 1999, obtained and sold upwards of 92 million AOL customer email addresses. AOL only has maybe 20-30 million customers, but most customers have more than one "screen name" or email address tied to their account.

92 million! There are what, 230 some odd million people in the USA?

This Smathers obtained the data and then sold it to a Las Vegas Internet casino proprietor, Dunaway. Sold in various rounds of updates, some of the files fetched as little as $32,500, others as much as $100,000.

For a spammer, I imagine nothing could be worth more than a full list of current, active, accurate AOL email addresses. Smathers' biggest mistake may have been only selling to this one spammer. Seems like a pretty small take given the risk.

In reality, he made several big mistakes, mostly pertaining to the easily traced path he took through AOL's systems in obtaining the information.

The complaint is mostly a deposition by Peter Cavicchia of the US Secret Service. In it, he details the almost too easy to trace path that Smathers used to obtain the information: email threads using his longtime and primary AOL employee account, JasonS2e@@aol.com, and AOL Instant Messenger threads between Smathers and Dunaway detailing the conspiracy, intentionally sent via email from [email protected] to [email protected] specifically to "archive" the information. As mentioned in the deposition, because of a 30-day cliff in old message storage in some AOL versions, many have adopted a "mail it to yourself" practice to keep information saved. Duh.

Finally, tracking down the queries to the AOL Data Warehouse to a particular space in time and set of users was seemingly easy.

What I find remarkable about the case are a few things.

First, it was an inside job. I guess with many types of crime this is the case, from theft, burglary, and kidnapping to even homicide. Those with the most knowledge, information, access, and know-how are the most dangerous. This is where things like employment contracts, non-disclosures and other legal documents are needed to cover the corporate bases, but ultimately it comes down to trust.

The trust level you have with employees is a direct result of good hiring processes, a good employee culture and many other factors, but that is for another blog entry some other day I suppose.

Second, any trust that Smathers earned over time (he had been an employee since 1999) he likely violated in various ways on his way to carrying out this theft.

It is probable that he used "social engineering" as a tactic. Social engineering is hacker-speak for tricking a person into revealing their password. Kevin Mitnick wrote the book on it.

A large organization, such as AOL, seems likely to be more vulnerable to this tactic. In general it appears that Smathers mostly acted on his own, but at least some of the database queries were made via an account that was not his, one that was obtained through theft, coercion, collusion, or trickery (social engineering).

I suppose small companies are susceptible to the same issues, but as a company grows, I'd be concerned with the increased opportunity for internal trusted persons to share or distribute private company or customer information.

While technology abounds for leaking information easily (web, email, ftp, IM, etc.), it also leaves more "forensics" behind by which folks get caught.
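As an added illustration, not code from this post or from AOL, here is the kind of audit-log check an investigator (or a defender, before the fact) would run to narrow bulk data-warehouse queries to a time window and a set of accounts, and to spot one workstation driving queries under several accounts; the log format, account names, workstation names and row threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed audit lines (not real AOL data): time, account, workstation, rows returned.
AUDIT_LOG = """\
2003-04-01T02:10:00 analyst_a ws-ops-12 120
2003-04-01T02:14:00 analyst_a ws-ops-12 95
2003-04-02T03:05:00 analyst_a ws-ops-12 30000000
2003-04-02T03:40:00 analyst_a ws-ops-12 32000000
2003-04-03T01:55:00 analyst_b ws-ops-12 30000000
2003-04-03T09:00:00 analyst_b ws-fin-03 400
"""

def parse_audit(text):
    """Turn each whitespace-separated audit line into a dict; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, host, rows = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "account": account,
                        "host": host, "rows": int(rows)})
    return records

def bulk_exports(records, row_threshold=1_000_000):
    """(account, day, rows) for accounts that pulled more than row_threshold rows in a day."""
    per_day = defaultdict(int)
    for r in records:
        per_day[(r["account"], r["ts"].date())] += r["rows"]
    return sorted((acct, str(day), n) for (acct, day), n in per_day.items()
                  if n > row_threshold)

def shared_workstations(records):
    """Workstations from which more than one account ran queries: a lead that
    one person is using somebody else's credentials."""
    accounts_by_host = defaultdict(set)
    for r in records:
        accounts_by_host[r["host"]].add(r["account"])
    return {h: sorted(a) for h, a in accounts_by_host.items() if len(a) > 1}

def trace_window(records, row_threshold=1_000_000):
    """Earliest and latest bulk query plus the accounts involved, or None if there were none."""
    big = [r for r in records if r["rows"] > row_threshold]
    if not big:
        return None
    return (min(r["ts"] for r in big).isoformat(),
            max(r["ts"] for r in big).isoformat(),
            sorted({r["account"] for r in big}))
```

Run the three checks over `parse_audit(AUDIT_LOG)`: the daily totals flag both accounts, the shared workstation points at ws-ops-12, and the window closes to the two nights of bulk pulls.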

As for Smathers and the United States of America and AOL, it will be interesting to see how this plays out. It appears to me that the CAN-SPAM Act may be applicable, and I presume other US Codes. I'd expect hefty fines and likely jail time. It will be interesting to see who does time.

Posted by gcrgcr at June 23, 2004 10:57 PM
