Feds Thwart Extortion Plot Against Best Buy
hiero writes "From an article in the Star Tribune: 'Federal authorities said Tuesday they thwarted an extortion plot against Best Buy Co. Inc. by a man who sent the company an e-mail threatening to expose what he claimed were weaknesses in the retailer's computer system unless he was paid $2.5 million.' What's really interesting to me, though, is this paragraph further on in the article: 'The federal search warrant was obtained the morning of Oct. 24 and allowed the FBI, with Best Buy's cooperation, to use an Internet device known as an Internet Protocol Address Verifier. It contained a program that automatically sent back a response to Best Buy after the company sent a message to the e-mail address. The response allowed investigators to identify Ray as the sender of the e-mail threats, according to the government.' Internet Protocol Address Verifier? Is this Carnivore in action?"
Hmmmm... (Score:4, Insightful)
Re:is carnivore bad? (Score:3, Insightful)
Re:I think... (Score:5, Insightful)
But if you receive an HTML message that includes an IMG link to the sender's site, when Outlook displays the image (even if it's an invisible 1 pixel one) they have your IP. There are ways to block this, but it's on by default. Spammers use this to verify your address.
Re:I think... (Score:3, Insightful)
Where is the line to be drawn? (Score:5, Insightful)
Had he just disclosed the flaw, would he be more or less a criminal, ethically and legally speaking? It seems that worse would have come if he had simply published the flaw right away.
Was he justified in asking for compensation for his findings? If not, this seems to obligate us to "work for free" when discovering such a security problem.
What do others here think?
suit talk (Score:5, Insightful)
"Internet Protocol Address Verifier" sounds like something you'd find in a Movie OS. Of course, like all other buzz words, the name is not related to the alleged function.
They either used a webbug, or checked the IP in the header of the mail he sent with his claim.
Re:Internet Protocol Address Verifier? Pfft... (Score:5, Insightful)
Carnivore? More like overreaction (Score:5, Insightful)
I doubt they have anything as fancy as a IPAV (Score:4, Insightful)
If he wasn't clueless he would have used a dummy email account and checked it via rental computer or at the very least a dial-up account using *69 (which can still leave your number) and a prepaid credit card / gift card.
This guy reminds me of the old IRC script kiddies who would do things from their house and wonder how they were tracked down. While anonymizers are available it makes me wonder if he,
a. used one
b. had used a computer before
As to the FBI IP verifier, I find it hard to believe they have anything more advanced than the current jscript / asp / log parsers to pull IP information.
AFAIK the absolute most an email address can yield is the IP of the server. However, with the email headers I'm sure you can get an IP without too much trouble with a warrant.
Web bug (Handy for job application e-mails) (Score:5, Insightful)
Internet Protocol Address Verifier? Is this Carnivore in action?"
That'll be a tiny 1x1 pixel gif embedded in an HTML e-mail called from the feds' server. (AKA web bug... You can't turn off HTML in M$ LookOut and this dude doesn't sound very clued up)
Presto, the feds know who opened the mail, how long they looked at it, etc etc etc.
A top tip (tm) is to embed a web bug in a job application e-mail. It's interesting to watch your application being pushed around various departments and see who actually reads it.
Webmail (Score:1, Insightful)
Re:Well, ironic isn't it? (Score:5, Insightful)
Although the article is not very detailed in this aspect, his actions do not speak of someone trying to help BestBuy. Some of the info is not released due to security concerns and pending litigation but this seems more like a black mail scheme more than anything else. If he was serious about helping BestBuy, asking for money ($2.5 million) sent the wrong message because the mafia also used terms like "business relationship" and "offer they can't refuse" when shaking down people as well. Until we know more, all we know is that he said enough in his emails that BestBuy and government thought he was threatening.
Re:Well, ironic isn't it? (Score:1, Insightful)
Hint: Extortion/blackmail is criminal activity which should be and is punishable under the law.
Re:Well, ironic isn't it? (Score:5, Insightful)
Do nothing and MYOB. If companies lose substantial amounts of money because of lax security, then they will do one of two things:
If, as it turns out, that external security consultants are the way to go, then such companies will engage in a business relationship with one of dozens if not hundreds of world class security firms.
What we don't need is whiny "independent security researchers" doing what amounts to unprofessional blackmail attempts ("let's establish a 'business relationship' or I spill the beans.") Computer trespass is computer trespass. We don't need to revise trespass laws to improve security - we need companies to go to legitimate security firms and use their tiger team services and so on.
Re:U.S. government surveillance (Score:5, Insightful)
Huh. It reminded me of Stalin and Beria and the NKVD, but you're right, better we should take our lessons from space opera than from history.
George Lucas's fertile imagination is so much more convincing than those ponderous, dusty history books. And you can't eat popcorn and jujubes while reading books, it gets the pages too sticky.
Re:IP Address Verifier == web bug (Score:5, Insightful)
clever criminals don't get caught so you don't hear about them
FBI Files and COPS tend not to show you cases where the perpetrator outwitted the victims *and* the police *and* the FBI.
Re:Carnivore? More like overreaction (Score:4, Insightful)
Re:is carnivore bad? (Score:3, Insightful)
So who would you rather have spying on you? The FBI, who has to deal with tons of paperwork to even start spying on you and then needs to make a strong case that you are a criminal, worthy of prosecution? Or some random Hacker/Cracker guy who just randomly found your IP address and spies on you, then is willing to blackmail you over whatever morally questionable thing you do on the internet (say your job is a minister and you have been viewing adult porn sites, which is legal but you don't want it to be public)?
I'd much rather have the FBI spying on me and then realizing, well, he is not doing anything illegal, compared to a random hacker going, "Ohh, I bet he doesn't want people to know that he does that."
This doesn't make sense (Score:5, Insightful)
You have to realize that we are getting our information about this incident from a NEWSPAPER, which is the very least reliable source for technical topics. Remember this [slashdot.org] clueless newspaper article?
I'd say we know little about what actually happened here.
His Email Address (Score:2, Insightful)
Re:Webmail (Score:5, Insightful)
Please Think Before Exposing Paranoia (Score:5, Insightful)
It's also rather similar to your local mail carrier knowing where you live. Is that surveillance, too, or are you simply paranoid?
If Best Buy had received the same threat via snail mail, and the FBI looked at the return address on the envelope, would you be screaming about surveillance?
The Internet is not some mystical land that exists apart from reality and the law, contrary to the constant stream of silly
Next time, please think before exposing yourself as a paranoid loon, OK?
If you break in to someone's system (Score:5, Insightful)
This seems perfectly reasonable and there is plenty of precedent in the physical world:
My house has many known security flaws. The largest would be the windows. They are easily broken with just a rock, allowing access. My door would also be a flaw, it's solid, but nothing a battering ram in experienced hands couldn't break down in a few minutes. My lock is also a flaw. It's better than most, a high security lock that is much harder to pick than normal, but it still is pickable.
So, if someone breaks into my house and demands money to fix it, should I honour that? No, I'd be perfectly justified in holding them at gun point and calling the police to have them punished. Regardless of their intent, it's MY house and you'd better not enter it without my permission.
It is similar for computer systems. If I pay you to hack my stuff and report on it, great. You are providing a valuable service and I thank you. If you break into my stuff without my permission, you are a criminal pure and simple.
Also, demanding money ex post facto is something else we have a law against, it's called blackmail and is illegal.
Look, if you want to find flaws in stuff, do it legally. Contact the owner and ask if you may hack them. If they say no, move on. It is not your duty or right to mess with their stuff without permission.
What he did is still illegal (Score:5, Insightful)
People who illegally break into systems deserve no more respect or consideration than people who illegally break into houses. You have no right at all to enter or use other people's property without their permission. Don't pretend like because it is a computer system that makes it any better.
It's like lock picking. If you want to learn to pick a lock and find out its vulnerabilities, go right ahead. But do it on a lock you own. Buy the lock in question and play with it. To go to someone else's house and try on their lock without permission is illegal and immoral. You've no right to mess with their property.
So if you get asked/hired to test someone's security (physical or virtual), great. Do what you can and give them a report. If you have something you own (physical or virtual) and you discover a security flaw, great, make it known so a fix can be developed. But do NOT presume you have the right to invade the property of others. It doesn't matter if it is vulnerable or not, it's not yours so you keep out.
won't last long (Score:4, Insightful)
"Where the heck are my images? Please make it act like the old Outlook."
It's good MS is doing this by default, but most users couldn't care less about security/privacy especially when it interferes with "purty pictures."
Re:Please Think Before Exposing Paranoia (Score:2, Insightful)
--But since it's Best Buy (big corporation) the Issue gets Handled.
--Respond, don't mod pls.
Re: Hmmmm... (Score:5, Insightful)
I presume that your friend is referring to the typical criminal who is regularly apprehended? Unless he's actively involved with successful criminals, how would he know how stupid or otherwise they actually are?
This is one of the things that makes me laugh about law enforcement. When you hear them being interviewed on Cops or some such rubbish, they're always going on about how dumb these losers are -- not realizing that it's only that group who are dumber than they are able to catch. Epidemiologists refer to it as the clinician's bias. Because doctors only see sick people, they assume everyone is sick.
When they want more resources or additional powers though, they go on at great length about how cunning and sophisticated modern criminal organizations are, and how these new measures are essential to capture them and make the world safe for mom and apple pie.
The truth is that criminals are just like the regular population. Some are smart, some are dumb and some are just average.
Re:If he had used spammer techniques.. (Score:2, Insightful)
German law used to require actually catching the perpetrator in the act (see Cliff Stoll's "The Cuckoo's Egg"). When I see cases like this, I start to understand that reasoning more. Not that I condone breaking down doors, or that it is even necessary, in order to catch black hats!
I'm sure there's more than meets the eye to what we're hearing here in the masses (and hopefully more than just a GIF bug!). Hopefully more will become public knowledge.
Re:is carnivore bad? (Score:5, Insightful)
So to answer your question, I would rather have some guy off the street spying on me than the government ANY DAY OF THE WEEK! There is something that you don't understand about the government--any government. Governments are far more powerful than 1000 people put together! They have immense power. The illusion of a legal system--which IS an illusion--does not change any of this. One just needs to look through the history of the government that you live under to see what I mean (I picked USA but you can pick any govt).
Sivaram Velauthapillai
Re:Google appears to be stumped too (Score:2, Insightful)
Dumb journalist converting IP to Internet Protocol to make it look like he's technosavvy
Re:Please Think Before Exposing Paranoia (Score:3, Insightful)
Double Standard (Score:5, Insightful)
Here is a nice hack done for a good reason by the same law enforcement that is supposed to investigate and stop such crimes as extortion. And how do we react? Government spying! Conspiracy!
Really. That's just not very reasonable on our part.
Re:What are you supposed to do? - options (Score:5, Insightful)
My rule of thumb is that if a piece of information can be obtained and tracked to a specific individual, it's dangerous. That's the rule I use in my work as well.
When I decide the situation warrants it, I send a professional, formal email to the company ( also the web admin if there is one ), stating what I found, screenshots and leave it at that. Sometimes I will point out that I intended to place an order, but halted when I saw the issue. I also let the company know they may contact me if more information is needed.
This is what has happened in the past following these emails:
1. Almost all companies send me an email thanking me and letting me know the problem has been corrected, and it has been. Case closed.
2. I get a nasty email from the company ( usually this is with SMALL operations) telling me to take my business elsewhere. At first I would attempt to politely explain the risk, but soon realized that some sites have no intention of listening to me, and gave up. In that case, I may notify the BBB or other organization just to get someone else on their tail. I don't have time to chase down other people's security holes, so the best I can hope for is to let others know.
In any case, I always use the Enron rule: What if I later had to explain my actions to a grand jury?
Re:However, a bug says: "you're being bugged" (Score:5, Insightful)
Only when you're doing mass mailings. If it's targeted, it is indistinguishable from a standard image... e.g.
http://corporate.bestbuy.com/images/corporatelo
could be a web bug if you only send that URL to one person. The reason it's more obvious in mass mailings is because they require a unique identifier to have something to map back to the email address such that they can verify the address as live.
Re:Please Think Before Exposing Paranoia (Score:4, Insightful)
Re:IP Address Verifier == web bug (Score:2, Insightful)
Jeremy
Re:Web bug (Handy for job application e-mails) (Score:2, Insightful)
Obviously I just defended MS against outdated and uninformed
I think you'll find this was carnivore's "chain of evidence" feature in operation, and guessing at how they verified the recipient IP won't do you much good. Remember that NSA still measure computing power in acres.
Re:Internet Protocol Address Verifier? Pfft... (Score:5, Insightful)
Re:Well, ironic isn't it? (Score:2, Insightful)
OK so right off the bat we're not talking about a security hole in Best Buy's systems; rather, someone's threatening to hijack their DNS registration.
Yah, contacting a company and requesting 2.5 mil in exchange for fixing a nonexistent security hole while claiming to be affiliated with a nonexistent company is always sound business.
And now the story changes. This isn't a whitehat trying to get compensated for their assistance. This is extortion and dishonesty at its finest, and this tool is such a disgrace he makes script kiddies look good. Shame on any of us who feel sympathy for this guy.
Re:I think... (Score:4, Insightful)
Why not?
They'd get just as much information from the IP address of his ISP's web server as they would from his actual IP address. (Hint: Your IP address does _not_ typically broadcast who you are, it announces who your ISP is.)
Even with the IP address of the user, they'd still have to subpoena the ISP to get the user account information - which the ISP would have to look up in their logs. If they got the IP address of the ISP's proxy, the ISP would simply look in the proxy logs first.
Now, if the user was using an off-shore open proxy (say in Asia somewhere) then they might have a problem.
all new versions of outlook (including XP SP2d versions) will not serve up remote assets in HTML emails unless specifically instructed to do so.
Well I guess that he wasn't using a new version of Outlook then.
Re:Well, ironic isn't it? (Score:5, Insightful)
Computer trespass is computer trespass.
I'm so sick of this crap, I don't even know where to begin.
Best Buy is NOT the entire Internet. Best Buy's security problems could potentially be used to inconvenience or incapacitate innocent sites nearby or, even, innocent sites with no connection to Best Buy whatsoever. Best Buy has a responsibility to fix their security problems when they're made known. If Best Buy's lumbering managerial morons see fit to ignore contacts and help offers, there is nothing wrong with exposing Best Buy's problems to force their hand (blackmailing them is a totally different story).
This ridiculous attitude with these clueless businesses is tantamount to politely telling someone their fly is unzipped and getting your nose punched in gratitude (as the person continues to wander around with the fly unzipped, punching people who are trying to help them). If you find a security problem, you let them know about it. If they ignore you, you let everyone else know about it to force their hand. It's not like if someone who's looking to cause trouble right off the bat is going to give a warning shot over the bow and let them prepare. Hmmm... say I'm poking around a form on a popular retailer's website and accidentally type in a "funny character" and submit it. What's this? SQL error? Oh? I guess I should just keep my mouth shut, right? I shouldn't bother to try and report this glaring vulnerability? After all, I have no obligation to their customers, and, since I have no moral compass at all, I shouldn't even think of those poor, trusting fools, right? Give me a break...
You're a real riot. Are you on one of these "tiger teams", perchance? Mad because all your training doesn't amount to a hill of beans more than someone with a lot of book reading and practice and they're stealing your business by giving out free advice? Or do you just not know what you're talking about? I assume that you believe these "tiger teams" are infallible and could never make a mistake? I guess that once someone goes to a security firm, there's no possible way someone could miss something or something could change after the audit and review? I guess the "tiger team" couldn't possibly have someone on it that has, for some reason, not been acutely focused on the task at hand due to illness, fatigue, personal issues, etc.? I guess this "tiger team" has experienced every possible security problem there will ever be and has taken steps to eliminate all of them forever and there's no possible way a hole will ever be found that they didn't already psychically perceive and patch?
in either case, the consumer wins
I guess the consumer wins when their credit card number, name, and address get stolen too, right? I know that last time MY credit card number got stolen thanks to an utterly stupid retailer, I was REAL pleased about it. In fact, give me your address, I'll mail you all my credit cards and photo id because it's so great when people get them that shouldn't have them.
Here's your passport, sir. Welcome to the real world. Please do try to fit in in some capacity. A good step would be to stop suggesting that knocking the lock off someone's door and walking into an unprotected computer system are the same thing. People who actively break secured systems without invitation are one thing, people reporting obvious flaws or a total lack of security in general are another. Stop lumping them all together as "computer trespass".
Re:Double Standard (Score:2, Insightful)
Learn somethin' new each day... (Score:4, Insightful)
I read this and was foolishly thinking (probably like many do) that "oh, if I don't download an attachment and execute it there really is no danger. I mean really, if I don't "run" anything, how would anyone know?"
Silly wabbit is right. It's another case myself of not being able to see the forest for the trees.
I guess ANY HTML email can be malicious in a sense that it can snarf info if it actually interprets and points you to ANY website when you read it in its rendered state.
Talk about eye opening. I'll bet 90% of the general public don't actually realize this can easily be done for targeting purposes. With this in mind it's probably not hard (and don't flame me for not knowing this guys) but targeted spam in order to verify addresses could point to "specially coded"
"The aspects of things that are most important to us are hidden because of their simplicity and familiarity" - Ludwig Wittgenstein
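The web bug mechanism discussed in the comments above, seen from the recipient's side, as an added example that is not part of any comment in the thread: a Python script that lists every URL an HTML e-mail would fetch the moment it is rendered. The sample message, its hostnames and the two flag heuristics are constructed for illustration.

```python
"""List every remote fetch an HTML e-mail would trigger when it is rendered."""
import re
from dataclasses import dataclass, field
from email import message_from_bytes, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that make a rendering client fetch a URL without a click.
AUTO_FETCH = {
    ("img", "src"), ("input", "src"), ("iframe", "src"), ("frame", "src"),
    ("script", "src"), ("embed", "src"), ("bgsound", "src"), ("link", "href"),
    ("body", "background"), ("table", "background"), ("td", "background"),
}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)
TOKEN = re.compile(r"[A-Za-z0-9_-]{16,}")  # long opaque run in the path (heuristic)


@dataclass
class Finding:
    tag: str
    url: str
    reasons: list = field(default_factory=list)


def _is_remote(url):
    """True for http(s) and protocol-relative URLs; cid:/data: stay local."""
    try:
        return urlsplit(url).scheme in ("http", "https") or url.startswith("//")
    except ValueError:  # malformed URL, nothing a client could fetch
        return False


def _tiny(attrs):
    """True for 0/1-pixel width or height, or an inline style that hides the tag."""
    for key in ("width", "height"):
        val = (attrs.get(key) or "").strip().rstrip("px")
        if val.isdigit() and int(val) <= 1:
            return True
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        urls = [v for k, v in attrs.items() if (tag, k) in AUTO_FETCH and v]
        urls += CSS_URL.findall(attrs.get("style") or "")
        for url in filter(_is_remote, urls):
            parts = urlsplit(url)
            reasons = []
            if tag == "img" and _tiny(attrs):
                reasons.append("invisible-image")
            if parts.query or TOKEN.search(parts.path):
                reasons.append("possible-identifier")
            self.findings.append(Finding(tag, url, reasons))


def remote_fetches(raw: bytes):
    """Return one Finding per URL the message's HTML parts fetch on display."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = _Collector()
            collector.feed(part.get_content())
            found.extend(collector.findings)
    return found


# Constructed sample message; every address and hostname is a placeholder.
SAMPLE = b"""\
From: sender@example.com
To: recipient@example.net
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Plain-text alternative: displaying this part contacts no server.
--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hello, <a href="http://example.com/page">click here</a></p>
<img src="http://tracker.example/o.gif?u=7f3a9c" width="1" height="1">
<img src="http://www.example.com/images/logo.gif" width="120" height="40">
<img src="cid:inline-logo">
<div style="background:url('https://tracker.example/bg/9f8e7d6c5b4a39281706aabb.png')"></div>
</body></html>
--b1--
"""

if __name__ == "__main__":
    for f in remote_fetches(SAMPLE):
        print(f"{f.tag:4} {f.url}  {', '.join(f.reasons) or 'no flags'}")
```

The ordinary logo image is reported with no flags, which matches the point made about targeted mail: a URL sent to a single recipient identifies the reader without carrying any identifier, so the reliable control is to block all remote content or read the plain-text part.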
Why is that more concerning? + is it fixed? (Score:3, Insightful)
Interestingly, the article does not mention if there was an actual security flaw or if they fixed it. I would guess that in the process of arresting this idiot they confiscated his computer and can see what tools he was using. If he was very "professional" about his demands he might have had the document describing the exploit all ready to go, so he could send it to them as soon as the $2.5 million showed up in his bank account.
So was there an exploit? This is some pretty shoddy reporting if they are going to simply trumpet what the FBI did without investigating whether this guy posed a serious threat or not.
Re:is carnivore bad? (Score:3, Insightful)
Re:Just a little "bug" in the mail, silly wabbit (Score:5, Insightful)
The guy was smart enough to try to break the site, and he couldn't figure how to get/send email without being traced??? And why would he use anything but plain text email either? And probably using Outlook? He was asking for it...
Re:I think... (Score:3, Insightful)
Re:What he did is still illegal (Score:4, Insightful)
-- You need to think about what "property" is --
*You* put resources on the Internet. Obviously, for *some* reason.
Normally, the reason you would do that is to provide some service to users. Usually anonymous, given that this is the Internet, and not your private Intranet. If you want it private, don't put it on the Internet.
And, in putting it on the Internet, the resource is available for use.
What you *haven't* done is contracted with *me* as to how to use the service or resource.
Let's put this in simpler terms -- if you have a 20 dollar bill in your pocket, it's yours. If someone takes it that's probably theft.
If you put the same bill out in a public place (say, on a public sidewalk) and then go away, and someone takes it, it's probably NOT theft.
When does a resource stop being the "property" of someone? The simplest answer is when they have no control on that resource. Another
Currently, legislation is trying to make a distinction between "authorized" and "unauthorized" use of such a service or resource. "unauthorized" if the provider of the resource doesn't like the way it's used. [Of course, that's a very slippery slope.]
Ratboy.
Re:Just a little "bug" in the mail, silly wabbit (Score:2, Insightful)
Do a Google on Jamie Weathersby and you find he was also involved in some rather nasty cybersquatting attempts.
Dumb, Dumb and Really Dumb
Re:If you break in to someone's system (Score:2, Insightful)
A business website isn't like a personal residence. It's a store. Let's think of it like one.
Imagine a brick-and-mortar store that you frequent, say, Best Buy down the road. And let's say that one day, after spending some hard-earned cash at Best Buy you decide to drive around the back of the store as a shortcut out of the parking lot.
On your way out, you see a filing cabinet sitting outside the Back door of Best Buy. The top drawer is pulled out and there are papers spilling out.
Now, you're not a nosy person. And under normal circumstances, an open filing cabinet would not be an invitation for you to start rifling through things that aren't yours. But this time it's different. It's sitting out in the open, for anyone (that happens to drive around back) to see and/or steal.
Maybe the papers are trash, but maybe not. Maybe they're HR papers. Maybe they're customer records. Who knows? What do you do?
This contrived case is pretty black and white, but it proves the point that businesses are different than personal residences and should be held to a different standard.
I'm not saying that this Ray guy isn't a blackmailing idiot; I'm saying that if I went to BestBuy.com and typed "select * from cc_info" in a comment box and got back 10,000 rows of credit card info I'd be morally obligated to tell them about it. You can Costanza my actions all day long ("Was that wrong? Should I have not done that?"), but the truth of the matter is that something that should be secure ISN'T and it needs to be fixed.
--
Mando
Re:Just a little "bug" in the mail, silly wabbit (Score:4, Insightful)
Uh, yeah... The ones who do pay off blackmailers (and it does happen) don't generally advertise it. When a corporation is successfully extorted, it tends to stop there, unless the bastards ask for a second ransom.
Re:Thank you George W Bush. (Score:2, Insightful)
Do you have any idea how much power has been taken away from the Judiciary in the past three years, and been given to the Executive branch?
Have you not noticed the new redistricting, combining Dem districts, and splitting Repub districts? Greatly reducing Dem numbers in Congress? The normal 10-year (agreed) redistricting was re-redistricted after elections that gave Repubs control -- it's a Tom DeLay program. One redistricted precinct in PA was actually shaped like a finger pointing at the home of a Dem congressman. Regardless of your views, do you think a monopoly is the best system? Depending on one source for your food/car/job/news/govt/etc? Because that's where we're going now at breakneck speed, Bucko.
Are you not aware that Gen. Tommy Franks recently said that in the case of another major attack, the Constitution may have to be suspended [workingforchange.com]. So who decides? Hasn't America been through some pretty tough times without suspending the Constitution? Do you have any idea what all of this really means?! Surely you haven't actually thought this through.
There has recently been historic undermining of the US Constitution, intentionally promulgated by the ruling Party, which is bringing us to dictatorship.
You can't cover this up with charges of "paranoia".
Me Too. (Score:3, Insightful)
I am well on my way to making the couple million I would have stolen (spending along the way, so I will miss the one time big pile 'o money) with a comfortable, respectable life style not on the run from authorities.
I see in the paper guys going to jail for robbing a video store. Is jail worth a couple hundred bucks?! The risk/reward is lousy for theft. I don't understand what they are thinking.
Joe
Re: Hmmmm... (Score:3, Insightful)
Many of the smart ones who still prefer criminal means may indeed be smart, but after a while they get lazy, sloppy, greedy or overconfident and then they risk getting caught. After all, planning the perfect crime can often be quite hard work.
Re:is carnivore bad? (Score:3, Insightful)
This is not necessarily true. If the FBI wants, they can use the Patriot Act (where applicable, which is almost everywhere), to spy on you without obtaining a warrant.
Now the FBI neither has the Manpower or the money to monitor everyone on earth or even the USA or Even New York.
This is of course why the Patriot Act gives the Feds their new powers. Of course the counter to that argument, is...
Now the FBI neither has the Manpower or the money to monitor everyone on earth or even the USA or Even New York.
Oh well, at least that caught a scum bag
Re:is carnivore bad? (Score:2, Insightful)
Yet another geek who thought History class wasn't worth his time...
Do yourself a favor. Google "J. Edgar Hoover" and then "Nixon." Read about it for awhile. If you still think the FBI is staffed entirely by Mulder, Scully and Starling, Google, oh pulling one notorious name out of the air, "Pinkerton," and pay close attention to how they often co-opted law enforcement.
The Short Version: The Founding Fathers gave law enforcement very limited powers for extremely good reason.
Re:per-process firewall (Score:3, Insightful)
But I suppose the combination of real OS and per-app firewalls could make sense...
You mean like credit agencies (Score:3, Insightful)
Re:What are you supposed to do? - options (Score:3, Insightful)
The reason I have no fear is documentation. I have full records of everything I've done and did not do. I have every email I've sent. Other organizations also have records. I've told them ( the company) how to contact me if needed. What kind of 'cracker' prosecution is going to hold up against that? I've worked in corporate management before, and documentation is the most difficult thing to combat. Look at the case with SCO. If SCO can't produce evidence against IBM, their case is done. Period. That's documentation in action ( or lack of it in action, more than likely. )
Don't give me a bunch of case histories about companies crushing the individual. It happens, but I'm pretty confident that those individuals were fighting the company in some form. I'm not, and as I said, I turn the information over to other organizations ( FBI, SBI, whatever. ). You can toss out paranoid ideas all you want. I'm speaking from experience. I've done this at least a dozen times.
Most companies are aware there are "white hats" as well as "black hats", because most companies have tech people on their own staffs. What terrifies big companies is NOT that someone is going to blackmail them. Anyone who tries that WILL GET CAUGHT. What actually scares the heck out of big companies is that someone will start stealing identities and credit card numbers from their warehouse AND IT WILL MAKE THE NEWS. That's their motivation, not crushing me for complaining. When you return something to Best Buy, is it their policy to hit you with a baseball bat and yell at you with a megaphone until you leave?
Yes, what he did is still illegal. (Score:3, Insightful)
Technically, it's either larceny or embezzlement. The money is not yours. If you pick it up intending to keep it for yourself, it's theft. If you pick it up intending to follow the law and report the missing property to the police, you have acquired possession lawfully. If you change your mind once the money is in your pocket, it's not larceny, but it is embezzlement.
Of course, that's under old common law. These days, it's simply theft. The law requires that lost or abandoned property be delivered to the authorities. If it's not claimed by its rightful owners, then you'll get the property back from the cops.
Realistically, however, no one is going to report a $20 bill to the cops, and no one is going to care. But a sack of money? Keep it and you're committing a felony.
When does a resource stop being the "property" of someone? The simplest answer is when they have no control on that resource. Another
"Finders Keepers" is not the law. Also, the law related to the fourth amendment protections against unreasonable searches and seizures (the root of the requirement to obtain search warrants in some cases) has absolutely nothing to do with the definition of property rights, and when those rights end.
Going back to the Internet and theft: Theft usually requires the taking and carrying away of the tangible personal property of another - so you can't really "steal" a web page. But you do need to drop the illusion that it's OK to play around with other people's stuff (homes, web pages, etc.) just because their security can be easily circumvented. I could break into most homes simply by throwing a brick through the window. This "exploit" doesn't give me the right to root around in my neighbor's homes, just because they're too stupid to have their vulnerable windows bricked over. I can photocopy a book I borrow from the library. The fact that the publisher failed to provide adequate security by printing books that can be photocopied does not make my actions legal.
Re:alone? (Score:2, Insightful)
If they're going to do surveillance at all, yes they do. Go back to a basic statistics book and read about false negatives and false positives, and what happens in cases where the event you're trying to detect is unlikely compared to the false-positive rate of your test. For a test sensitive enough to find a handful of terrorists in a large population, the false-positive rate WILL be high. This implies that, not only will they inevitably spy on innocent people, but will falsely accuse a number of them. If their criteria for determining if you're a terrorist give lots of false positives, tens or hundreds of innocents will fall into the net along with each terrorist. This is also why trials on secret evidence are such a great injustice: there are scenarios in which the government could be acting in good faith, using statistically valid techniques, and still lock up far more innocents than bad guys. An independent body needs to review that evidence, since there's no incentive for the government to admit that (say) 95% of the people they accuse are innocent. And based on what I've seen so far, I have little confidence in the good faith of this government-- that only makes the situation even worse.
It's naive to assume that any simple rule (say, spy only on Arab men aged 20-35) is going to significantly improve your rate of success. Too easy to anticipate and circumvent. It's about as misguided as putting massive resources into preventing another 9/11 attack. Successful terrorists are always changing their tactics. Whatever the next one is, you can be assured that it will be different than the last one. They can only succeed by hitting us where we're NOT looking, and by forcing us to expend our resources looking for them where they're not.
Note further that the high false positive rate, and the government's refusal to be accountable for it, will lead to a situation where innocent citizens rightly mistrust the government. This will compromise their ability to gather worthwhile information, and will make us all less secure.
These observations do not assume malign intent on the part of the government. Merely the everyday venality of politicians. I, for one, mistrust the Bush administration's motives as well as their methodology. None of this would encourage a rational, well-meaning person to risk their own personal freedom to provide the government with information of unknown quality that might thwart an attack. Odds are it's irrelevant, and even stronger odds say that you'd be putting yourself at risk of continuing harassment and possibly indefinite incarceration by contacting them. Conclusion: police-state tactics can never improve security. They just make life more threatening for innocent people.
We won't get anywhere until we realize that the tradeoff is not freedom versus security, it's justice versus security. And that tradeoff only applies if the government is behaving honestly. Otherwise, both justice and security are lost.