How Dare a Journalist Use Website Data!

52 Reader Comments

I would sure hope a judge would see through Lookout’s ridiculous charade.

No, it’s not “unauthorized” if there is no wall in place.

Matt Bartel Dec 14 2009
12:38 pm

This kind of reminds me of that MySpace harassment case where the girl committed suicide. The harasser was prosecuted in federal court for “accessing protected computers without authorization” (a.k.a. hacking) because she was accessing MySpace while violating the site’s terms of service (false identity, harassment). Even though there was no barrier to her entry. She was convicted in 2008, but the conviction was overturned.

Matt Bartel Dec 14 2009
12:39 pm

So I doubt Lookout Services has any ground to stand on.

Someone looked at our confidential data even though there were no barriers to prevent it!

While I can see their point — it is still a crime to steal a car even if one leaves the keys inside — Lookout Services do not have a case. In this analogy, the car was not stolen, MPR just pointed out how easily they could have stolen the car.

@noodleman

So you are saying that I can enter your house if you leave your house unlocked without permission? Party at noodlemans!

(however State of Minnesota workers may be authorized by virtue of the contract)

I think the better analogy would be if you taped your tax returns to a board and mounted it on the front lawn and expected no one to read them.

@yoshi: There is no such thing as “trespassing” within a publicly-open/non-password-protected web site. There are, however, laws in the real world that prohibit trespassing on private property. Such is the difference between the real and the virtual.

I wonder if a Google search of the Lookout site turned up any of the employee data before it (finally) got put behind a wall.

wondering Dec 14 2009
1:55 pm

Posting tax returns on your front lawn? Ridiculous! I only post bank statements there.

***FOR IMMEDIATE RELEASE***

CONTACT: Elaine Morley at help@lookoutservices.net or visit http://www.lookoutservices.net

BELLAIRE, TEXAS (December 12, 2009) – Bellaire, Texas-based Lookout Services Inc. (Lookout Services), today announced that limited portions of the company’s proprietary software may have been illegally compromised by The State of Minnesota and Minnesota Public Radio.

The information disclosed as a result of the intrusion was limited in scope both by the amount of data that was accessible and the type of data that was accessible. Lookout has confirmed that with respect to some data only the Minnesota Public Radio reporter viewed the data.

Lookout Services’ customers who would like more information about what data the State of Minnesota and Minnesota Public Radio viewed in Lookout customer’s records may contact us at help@lookoutservices.net for these details. A technical explanation of the portion of the software exploited as well as steps taken to prevent further intrusions is also available to Lookout customers.

Given the circumstances, Lookout does not believe that the purpose of the intrusion was for the purpose of identity theft. However, an investigation may reveal more details about the exact motives in the weeks and months ahead.

“We have contacted the FBI and other law enforcement officials and we are fully cooperating with their investigation into this matter,” said Elaine Morley, CEO of Lookout Services. Lookout Services Inc., filed suit against The State of Minnesota on December 10, 2009. In days prior to filing suit, Lookout Services notified The State of Minnesota with concerns about conduct of numerous attempts at unauthorized intrusions involving computers with IP addresses belonging to The State of Minnesota and Minnesota Public Radio.

“We told the State of Minnesota we were requesting an investigation, due to concerns that federal laws were being violated,” Morley said. “After expressing concerns to The State of Minnesota, the State agreed to instigate an investigation, but we felt that The State of Minnesota was not taking swift action, so we began blocking IP addresses and shutting down users.”

Since that time, Lookout Services has refused to grant any users at The State of Minnesota access to the software.

“Lookout Services will aggressively seek prosecution of those responsible for this egregious act,” Morley said. “We will not tolerate the illegal disclosure of client information.”

About Lookout Services Inc.

Lookout Services provides fully-customized Web-based form I-9 software and E-Verification automation to America’s largest companies and government agencies. Lookout Services Inc., is a Designated Agent under E-Verify and builds proprietary software for seamless Form I-9 and E-Verify compliance. Lookout Services recommends and installs its proprietary software behind customer firewalls for added security.

The software provides a proven solution to verifying immigration status and enabling efficient completion of legal forms to streamline business and reduce cost. The company is based in Bellaire, Texas. For more information, contact Elaine Morley at help@lookoutservices.net or visit http://www.lookoutservices.net.

I’m not convinced by the arguments that it’s impossible to trespass on a site that publishes unsecured data. In the physical world, trespass is about consent, not locks and fences. It might be a bad idea to put private information on an unsecured website, but it seems to me that someone could still trespass on that site if they accessed it with the knowledge that they didn’t have permission to do so. Given that, I’d be less interested in the security of the Lookout site (because that only leads to arguments about whether it’s possible to trespass on a site that has security A, B, and C but not X, Y, and Z) than whether the journalist knew or should have known that she didn’t have permission to poke around.

Re: Lookout’s threat to sue: CYA.

How do you ascertain on the web that you don’t have permission if there’s not even a simple user id/password control?

It is the internet. Everything is open that is not behind a firewall or password protected. If it required hacking of a password or some other trickery, I would agree that it was trespassing. However, you can’t say, “My site: http://blog.lib.umn.edu/deg/campfire/ is private. No one go to it!” without putting some protection in place. It may have been difficult to get to without a link, but if it is in the public sphere…

It might be a bad idea to put private information on an unsecured website, but it seems to me that someone could still trespass on that site if they accessed it with the knowledge that they didn’t have permission to do so.

But the Web does not operate the same as the Real World. No one needs permission to visit a publicly available site. None.

There are no equivalents to “No Trespassing” signs — short of ID/PW requirements or other accessibility limitations. If there are no limitations in place, then it is useless to proclaim a site is “private.”

I think that if they had done anything to attempt to restrict access, no matter how feeble, they would potentially have a case. I would like to know who hired this firm and why they still have a job.

Would it be okay for a journalist who wanted to write a story on burglary to actually burglarize a house for the purpose of the story?

@Ashley: There is no comparison to be made between burglarizing someone’s house and visiting a publicly-available Web site. That the Web site administrators left open some portion of their site to the public that they shouldn’t have left opened is their problem.

If I were to put a nude photo of you in a publicly-accessible directory of a Web site, and that photo then was viewed by any of a number of visitors, the visitors could not be charged with any voyeuristic crime. It’s not the same as if someone tried to get a peek through your bedroom window.

I think that if they had done anything to attempt to restrict access, no matter how feeble, they would potentially have a case. I would like to know who hired this firm and why they still have a job.

Exactly.

Even a brief disclaimer attached to the data — e.g. “No unauthorized use of this data is permitted” — would give them something to base a claim of privacy on.

@mnblrmkr, @noodleman: Maybe we just have a disagreement over the definition of “publicly available.” I think that if Lookout didn’t require user logins but had posted the disclaimer described by noodleman in his 2:44 post, they’d have a colorable argument that it was sufficient to put an unauthorized user on notice that she doesn’t have permission to copy the data. If they didn’t have any disclaimers (or any other sign that access was restricted) I don’t see how they’d prove their claim (even setting aside the issue that it’s unclear how they’d prove damages).

Of course, having a tort claim against a trespasser wouldn’t get Lookout off the hook for any of the claims against it. And some claims or legal violations could definitely be based on Lookout’s failure to take sufficient technical precautions to protect the data. It’s interesting strategery (because we’re all discussing it) but I doubt it will do much for Lookout in the long run.

@mike_s: I’m not sure (not having RTFA) if any of the data was copied or if any of the data specifics was ever communicated to anyone. It would appear to me, the layman, that someone noticed the information was out there for all the world to see and notified the site administrators.

So IMHO unless there were other “unauthorized” users viewing the data during the time it was publicly viewable, you can’t necessarily fault the State for confirming the data visibility nor MPR for investigating the stupid lapse of security.

By the way, my understanding is that the part of the story regarding access to the site without a password is false.

Source?

Because not only would that change the legal picture, it would seriously undercut the premise of the reporter’s story.

(and neither Bob Collins nor David Brauer seems to have reported that allegation.)

Collins and Brauer have only defended their reporter. The truth will have to come out in litigation. Brauer said: “As a wise lawyer once told me, anyone can sue for anything, and a prosecutor would need to sign off on any charges, no matter how mad Lookout is right now.” Well, any reporter can say virtually anything, no matter how unfair. The power of the press is enormous and virtually unchecked.

“There is no such thing as “trespassing” within a publicly-open/non-password-protected web site.”

I make very positive, aggressively super-confident assertions just like this one to judges on a regular basis, secure in my own knowledge that I am advocating for the only result that doesn’t do actual violence to the concepts of rationality and intellectual investigation in the situation in controversy, and also secure that the positions and arguments advanced by the other side are laughable in their obvious contrived irrelevance.

Sometimes I win.

Make sure you’re not confusing “this is the only rational position” with “this is the current legal holding.” Sometimes the two don’t even know each other.

As a common law nation, legalities that are not rational or logical are often changed and serve as precedents for future legislation. So, there’s always that to work with. But, yes, determining what is, or isn’t, trespassing on the Internet is a confusing issue:

I. Trotter Hardy, The Ancient Doctrine of Trespass to Web Sites, 1996.

In other words, Ashley ain’t got shit. She can’t even cite a published allegation.

Any anonymous commenter can make virtually any claim on the internet too.

And, to be certain, those are some serious (libelous) allegations that she’s accusing MPR and Sasha Aslanian of. Not the least of which would be federal and state computer hacking violations, but also professional ethical misconduct, as well as accusing them of explicitly lying to their readers/listeners (last week’s report included this):

“This week, Minnesota Public Radio was able to access state employee data on Lookout Services’ Web site without using a password or encryption software.”

(BTW, pretty sure Ms. Aslanian is not one of Brauer’s “reporters,” and no doubt that he wouldn’t hesitate to take her on if there was credible evidence of illegality or unethical practices.)

Ashley is an obvious shill for Lookout and knows NOTHING about how websites work, or internet security. Have fun with your frivolous litigation.

“The power of the press is enormous and virtually unchecked.”

Yeah, that First Amendment just ruins everything, now everyone knows your business is worthless!

I mean really. “My understanding is that the part of the story regarding access to the site without a password is false”?

Ashley says: “Would it be okay for a journalist who wanted to write a story on burglary to actually burglarize a house for the purpose of the story?”

My sociology professor’s mentor did drugs and hung out with upper-level drug dealers in order to research them.

When you grow up, Ashley, you’ll be able to see the world not as black and white, but something more abstract.

Going with the “house” metaphor a bit further, wouldn’t the Web be more akin to a glass house? Password protection or firewall would be akin to window shades or curtains.

Haven’t there been cases taken to court where a defendant was acquitted of Peeping Tom charges because the house occupant had failed to adequately protect their privacy by drawing the blinds?

Here’s an example of what I’m talking about:

WINDOW PEEPING – S.B. 1041 & 1042 (S-1): FIRST ANALYSIS (MICHIGAN)

… After testimony in the man’s trial, the judge instructed the jury: “It is no offense for a person walking along on the sidewalk, and without trespassing upon the premises of another, to look through an uncurtained window or a window partially covered with a curtain …

Should Lookout pursue their threatened legal action, they will have to prove beyond a reasonable doubt that MPR and/or the State of Minnesota “trespassed?” It’s not trespassing to view a publicly-available Web site, so the concept of “trespassing upon the premises of another” is irrelevant.

But if private information on the Web is not to be viewed by the public, the site administrator must put in place the Internet equivalent of blinds or curtains.

The logs that document the very numerous hacking attempts don’t lie. The truth will come out in court. Of course, reporters will protect their own.

I think you guys should read 18 USC 1030, Minn. Stat. § 609.891, Texas Penal Code § 33.02.

By JEREMIAH MARQUEZ

LOS ANGELES – A 25-year-old man has been charged with hacking into the University of Southern California’s computer system and accessing information about student applicants.

A criminal complaint unsealed Wednesday charges Eric McCarty of San Diego with transmitting a code or command to intentionally damage the school’s Internet student application system, federal authorities said.

He could face up to 10 years in prison.

McCarty, a computer network administrator, allegedly earns money by carrying out “penetration testing” to simulate malicious attacks on computer networks.

Last June, prosecutors say he hacked into a USC database containing records on more than 275,000 applicants since 1997, saving names, passwords and social security numbers for seven applicants on his home computer.

He then allegedly reported the computer attack to a Web site, using the e-mail account “ihackeduscgmail.com.” The site later told USC officials of the security flaw.

It was unclear whether McCarty had retained an attorney. A woman who identified herself as McCarty’s mother was surprised to learn of the case, saying her son had cooperated with authorities last year and had even gotten some of his equipment back after federal investigators inspected it.

“My son certainly showed a lot of good will,” Anneliese McCarty said in a phone interview. “He didn’t steal anything, he just tried to point out a problem in the system.”

But authorities said that McCarty’s attack was not done in cooperation with USC, and that he reported it to a Web site instead of school officials.

“Our belief is that he knew that this was an inappropriate way to test someone’s security and clearly this was computer intrusion,” said Ken McGuire, an FBI supervisory special agent.

McCarty, who was not taken into custody, was scheduled to appear April 28 in federal court in Los Angeles.

Source: Associated Press/AP Online

@Ashley: Are you alleging that one of Lookout’s customers was making an attempt to do intentional damage or malicious harm? Was this before or after the alleged display of employee data in an unsecured area of the site?

Btw, just what is the time line for all this? The press release on the Lookout only dates things from 12/10.

yeah, we’ve got a Lookout flack. Still tossing out libelous accusations without any evidence.

None of those statutes appear to apply with the reported facts. Even if one assumes MPR is outright lying about this, Minnesota has seen several similar situations of security lapses (Coleman’s donor database comes to mind, for one) worse than this that failed to produce any charges.

I fail to see what the McCarty case has to do with the Lookout/MN/MPR situation either.

“The truth will come out in court.”

Oh, I bet it will. Ashley, you and Lookout are magnificently stupid. It seems fitting that you’d be shilling for such a shitty company with piss-poor security in place and a really ugly website. Don’t accuse someone of “hacking” just because you work for a company so shitty it can’t keep information from being seen by pure accident and was, surprise, the lowest bidder. (I guess Minnesota got what it paid for.) Really, a reporter hacking a website? You’d find that funny too, if only you knew what hacking entails.

I would implore either Cristina or one of the Bartels who have access to such info to post Ashley’s IP address. I’ll bet it’s from Texas, and it will be nice for the State of MN and MPR to print this thread out when this goes to court to see exactly the level of ineptitude they are dealing with.

I used some hacker magic thing called “Google” and looked up some information.

CEO of Lookout, Elaine Morley, is also an attorney and has a practice she runs with her husband out of the same address as Lookout (I guess the Texas bar exam is really easy or something)!

5909 West Loop South
Suite 300
Bellaire, Texas 77401

I wouldn’t be surprised if “Ashley” is actually Elaine Morley herself.

It also looks like the Morleys/Lookout were taken to court for nearly $20k last year for ~*~allegedly~*~ not paying their computer consultants

I am too lazy to read through ALL responses but approximately 5 years ago, Harvard Business School rescinded the acceptances of students who accessed their own admissions info before the official release date by simply entering a modified url. HBS basically said they were acting unethically by jumping the gun and finding out before their less tech savvy peers. In other news, next time you’re in Winona, at Club Fed, be sure to let Jeff Skilling know that an HBS education now includes ethics, also.

Also, to be fair to Ashley, “penetration testing” in *any* kind of space, should be illegal. Or should, at the very least, require the sober, of age consent of both parties.

I’ll bet HBS now teaches this as well.

@Bixby, do you consider a site specific search in Google to be penetration testing? Some of these CYA lawsuits have been brought against people who found private files through Google.

@Bixby: Were the State and MPR “penetration testing?” (Why would the State even need to “penetrate” in the first place? It was their data, and they remain owners of that data no matter where it is housed.)

Wasn’t the data they claim to have viewed available without benefit of secured access? Wouldn’t the situation be more akin to uploading a spreadsheet into Google docs and then forgetting to make the information private? A Google search might then reveal the spreadsheet to anyone using search. Who’s at fault? The person who happens across an unsecured spreadsheet, or the person who didn’t make sure their data was secure and private?

I can indeed check IP addresses. But will I get sued if I say Sugar Land, Texas?

Of course, anyone is welcome to comment here.

“Sugar Land, Texas?”

Which is just down the road a bit (maybe 10-15 miles) from Bellaire.

“Of course, anyone is welcome to comment here.”

I do wonder about allowing unsubstantiated allegations of federal/state crimes.

I hear you, mnblrmkr, but I think many of us are guilty of “unsubstantiated allegations” on this site. As long as we’re clear where it’s coming from… I can only hope it helps to hear all sides of the argument.

Brauer further investigates “ashley’s” claims:

http://www.minnpost.com/braublog/2009/12/15/14315/texas_company_lays_out_hacking_case_against_minnesota_public_radio

Seems pretty weak sauce to me. Also, all they seem to be doing is highlighting how utterly ignorant and incompetent their company is regarding basic data security.

Hey, Bobby_b is back! Welcome back, Bobby_b.

Ok, apparently people aren’t as lewd as I am. I was kidding re: penetration testing. Good grief, lighten up!

@Bixby: “Penetration testing” is a legitimate term used for information system security audits. It didn’t even dawn on me that you were referring to something on a more, uh, one-on-one level. The interwebs has uncorrupted my mind. :P