
Hacker Group Demands "Idiot Tax" From Payday Lender

snydeq writes "Hacker group Rex Mundi has made good on its promise to publish thousands of loan-applicant records it swiped from AmeriCash Advance after the payday lender refused to fork over between $15,000 and $20,000 as an extortion fee — or, in Rex Mundi's terms, an 'idiot tax.' The group announced on June 15 that it was able to steal AmeriCash's customer data because the company had left a confidential page unsecured on one of its servers. 'This page allows its affiliates to see how many loan applicants they recruited and how much money they made,' according to the group's post on dpaste.com. 'Not only was this page unsecured, it was actually referenced in their robots.txt file.'"
  • by mwvdlee ( 775178 ) on Thursday June 21, 2012 @03:06AM (#40395235) Homepage

    Just because I left my door open, doesn't mean it's okay to steal.

  • by mirix ( 1649853 ) on Thursday June 21, 2012 @03:08AM (#40395257)

    'Not only was this page unsecured, it was actually referenced in their robots.txt file.'

    Sounds more like they took the door off the hinges, and put up a big sign saying "NO DOOR! COME ON IN!".

  • Customers? (Score:5, Insightful)

    by Vintermann ( 400722 ) on Thursday June 21, 2012 @03:10AM (#40395267) Homepage

    [We] are cooperating fully with the authorities to protect our customers and bring these criminals to justice.

    First time protecting their customers was part of these people's business model.

  • by Bert64 ( 520050 ) <bert AT slashdot DOT firenzee DOT com> on Thursday June 21, 2012 @03:14AM (#40395299) Homepage

    It's not stealing, since they didn't delete the original file...

    By putting a file on a public webserver, they were PUBLISHING that data. Whether they did so intentionally or not is irrelevant, they did publish it.

    Anyone who accessed it did nothing wrong, they were simply using the website for the function it was intended, to access data made available to the public on it. They did not have to exploit any vulnerable services, nor did they bypass any form of access control.

    The fault lies purely with the company for publishing such information.

    The only thing the "hacking" group have done wrong is the attempted blackmail, they got the actual information fair and square.

  • Re:No laws broken? (Score:4, Insightful)

    by Anonymous Coward on Thursday June 21, 2012 @03:17AM (#40395315)

    Even if the publishing of the data itself has no legal implications, I suspect the extortion would be enough to get these guys into a sh*tload of trouble.

  • by Anonymous Coward on Thursday June 21, 2012 @03:27AM (#40395375)

    Not stealing, no. Extortion, blackmail, whatever you want to call it, yes, and still very illegal and rightfully so.

  • Re:No laws broken? (Score:5, Insightful)

    by goodmanj ( 234846 ) on Thursday June 21, 2012 @03:29AM (#40395387)

    You're kidding, right? This is clear-cut extortion. You don't have to threaten to commit a criminal act to be guilty of extortion: all you need to do is threaten to do something unpleasant and demand something in exchange for not doing it. "Give me $5 or I'll punch you" is extortion, but so is "Give me $5 or I'll tell everyone you have a crush on Suzie", even though saying so is not a crime, and even though Suzie may already know.

    http://en.wikipedia.org/wiki/Extortion [wikipedia.org]

  • My heroes! (Score:5, Insightful)

    by goodmanj ( 234846 ) on Thursday June 21, 2012 @03:41AM (#40395453)

    So basically, they're coming to the defense of customers being ripped off by this lender, and they're going to show 'em who's boss by widening the customers' exposure to identity theft? Wow, there's some moral high ground there. The customers must be so grateful.

    "Howdy neighbor. I happened to hear you beating your wife last night. You can give me $1000 and I'll go away quietly. Otherwise, I'll give her another beating myself."

  • by EdIII ( 1114411 ) on Thursday June 21, 2012 @03:45AM (#40395485)

    Even if they did delete the original file it would not be stealing, but destruction of property.

    Thank you for pointing out the flaw in the open door analogy that always gets trotted out. Although intent does play a factor, the important word in the law is "unauthorized" or whether or not actions "exceeded authorization".

    Web servers are not open doors, and they are not like TRON.

    They simply serve documents. Sometimes they will ask for security credentials before serving the document, or check internal policies (htaccess/session based authorization and ACL), but always end up serving a document even if it is a simple response in a header like a 404.

    The only thing these hackers did was ask for a file (robots.txt) and notice that it mentioned another file and then asked for it directly.

    "Exceeded authorization" would be an interesting argument because computers always do what you tell them to do, not what you meant for them to do. So while this company may not have intended to give authorization, they did in fact, give authorization to download the file. At the very least, they did not deny the hackers the ability to download the file, and were at no time confused about the identity of the hackers (representing public users).

    If there is any appropriate analogy here it is that the company had a moron executive walking around with a briefcase full of business data, some random person asked if it was the business data and if they could have it, and the moron executive said why not, here it is. After the fact, random person contacts company, informs them of said stupidity, and attempts to assess "idiot tax".

    Idiot tax is highly appropriate here.

    I would not prosecute these so-called hackers for computer crimes, but simple extortion.
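A defender's self-audit of the robots.txt point made above (that a Disallow entry advertises a path rather than protecting it). This is an added example, not code from the thread or from any party in the story: it parses the Disallow lines of a constructed robots.txt and, through an injected fetch function (a stub here; the hostname example.invalid and the affiliate report path are hypothetical), reports which listed paths an unauthenticated request can still retrieve.

```python
from typing import Callable, Dict, List
from urllib.parse import urljoin

# Constructed robots.txt modelled on the pattern in the thread: a report page
# that is "hidden" only by being listed in a Disallow rule (path hypothetical).
SAMPLE_ROBOTS_TXT = """\
User-agent: *
Disallow: /cgi-bin/
Disallow: /affiliates/report.php
Disallow: /admin/
Allow: /public/
"""

def parse_disallowed_paths(robots_txt: str) -> List[str]:
    """Return every path named by a Disallow line; comments and blanks skipped."""
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()  # robots.txt allows '#' comments
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        if field.lower() == "disallow" and value:
            paths.append(value)
    return paths

def audit_robots_exposure(base_url: str, robots_txt: str,
                          fetch: Callable[[str], int]) -> Dict[str, List[str]]:
    """Classify each Disallowed path by the HTTP status an anonymous GET gets.
    fetch(url) -> status code; injected so the audit runs offline against the
    stub below and, in practice, against a client sending no credentials."""
    report: Dict[str, List[str]] = {"exposed": [], "protected": [], "absent": []}
    for path in parse_disallowed_paths(robots_txt):
        status = fetch(urljoin(base_url, path))
        if status == 200:
            report["exposed"].append(path)    # served to anyone: effectively published
        elif status in (401, 403):
            report["protected"].append(path)  # the server, not robots.txt, denies it
        else:
            report["absent"].append(path)     # 404 etc.: nothing there to leak
    return report

# Constructed stub standing in for the server's answers to anonymous requests.
STUB_RESPONSES = {
    "https://example.invalid/cgi-bin/": 403,
    "https://example.invalid/affiliates/report.php": 200,
    "https://example.invalid/admin/": 401,
}

def stub_fetch(url: str) -> int:
    return STUB_RESPONSES.get(url, 404)

if __name__ == "__main__":
    result = audit_robots_exposure("https://example.invalid/", SAMPLE_ROBOTS_TXT, stub_fetch)
    for path in result["exposed"]:
        print(f"EXPOSED: {path} is listed in robots.txt but served without auth")
```

Anything in the "exposed" list needs server-side access control (authentication, or a deny rule in the web server configuration); removing it from robots.txt alone changes nothing about who can fetch it.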

  • Re:Customers? (Score:5, Insightful)

    by NoobixCube ( 1133473 ) on Thursday June 21, 2012 @04:01AM (#40395553) Journal

    A farmer might protect his cattle herd, doesn't mean he isn't going to eat them.

  • by Nyder ( 754090 ) on Thursday June 21, 2012 @04:13AM (#40395607) Journal

    Not stealing, no. Extortion, blackmail, whatever you want to call it, yes, and still very illegal and rightfully so.

    Sort of like the current pay up or I take you to court that is all the rage these days?

  • by tehcyder ( 746570 ) on Thursday June 21, 2012 @04:19AM (#40395637) Journal

    If those hackers get caught and fined

    These geniuses will get more than a fucking fine if they're caught. Blackmail and extortion are serious criminal offences, so they'll be spending some quality time in prison.

  • by tehcyder ( 746570 ) on Thursday June 21, 2012 @04:25AM (#40395673) Journal

    That is like saying that if I drop my credit card in the street I have "published" its details for everyone to see due to my own carelessness.

    I really hope people like you get their bank accounts cleared out by criminal twats like these idiots, then you'll see whether "just copying" information is so fucking harmless. Want to share your bank login and password information with me?

  • Re:robots.txt (Score:5, Insightful)

    by psiclops ( 1011105 ) on Thursday June 21, 2012 @04:48AM (#40395771)

    and then someone came and looked under the shelf anyway, found embarrassing photos that would be incredibly embarrassing to you and thousands of your friends. made copies of the photos and tried to illegally extort money from you.

  • Re:No laws broken? (Score:4, Insightful)

    by tehcyder ( 746570 ) on Thursday June 21, 2012 @05:22AM (#40395905) Journal

    Among other elements, extortion requires a threat to the person or property of the victim, or someone associated with the victim. There is none here.

    Bullshit, if I say "pay me $20,000 or I'll do X" that is extortion (demanding money with menaces in the UK i.e. what gangsters do).

  • by 10101001 ( 732688 ) on Thursday June 21, 2012 @05:44AM (#40395989) Journal

    That is like saying that if I drop my credit card in the street I have "published" its details for everyone to see due to my own carelessness.

    More accurately, it's like accidentally posting a photocopy of your credit card on a bulletin board, presumably with a variety of other documents.

    I really hope people like you get their bank accounts cleared out by criminal twats like these idiots, then you'll see whether "just copying" information is so fucking harmless.

    Interestingly enough, if you were to do the above and be so careless, I'm not entirely sure if the bank would be obligated to refund your money. Certainly, most banks/credit card companies have policies that speak about only 24 hours to report "stolen" credit card information to maintain minimal liability on the card holder's part. Having said that, the criminal is still, well, criminal.

    Want to share your bank login and password information with me?

    Considering the GP didn't speak about "just copying" information being harmless, I'd gather the answer is no. After all, the point isn't that blackmail or clearing out someone else's bank account isn't illegal and unethical/immoral. It's that one can't charge the person with "hacking" just because you're careless anymore than you could charge people with theft because they took a photo of your photocopied credit card. I mean, a lot of people may have accessed the information and done little or nothing with it; but certainly, there's a lot of legal things you could do, like mock the person who was so careless with their personal/company details.

  • by Ginger Unicorn ( 952287 ) on Thursday June 21, 2012 @06:12AM (#40396109)

    That is like saying that if I drop my credit card in the street I have "published" its details for everyone to see due to my own carelessness.

    Yes, that's precisely what you've done.

    "just copying" information is so fucking harmless

    Correct. It's what's done with the information afterwards that inflicts the harm.

  • by gl4ss ( 559668 ) on Thursday June 21, 2012 @07:07AM (#40396317) Homepage Journal

    no, the reason to hate them is that they're giving loans to people who shouldn't be given loans in the first place. otherwise they could be getting it from the bank for 15% apr.

    usually it's just plain old usury.

    (I guess in the USA you can bankrupt yourself and really walk away from the loan though? or is it like Europe where you pretty much can't walk away from it short of stopping to pay taxes and having legal income totally).

  • by argStyopa ( 232550 ) on Thursday June 21, 2012 @07:46AM (#40396487) Journal

    OK, pedantry +1.

    I know people on slashdot LOVE to 'game' legalities in this sort of situation (let's do one about copying music without paying for it next!), but to suggest that people who accessed it did 'nothing wrong' you have a pretty fucked-up moral code.

    I'll absolutely agree that the company putting it up unsecured was at fault for doing something staggeringly dumb.

    But having to 'exploit' something, or 'bypass' things isn't the line by which I measure whether something is 'wrong' or not. Ethically, perhaps, but certainly not morally. Sometimes, things simply ARE wrong, and no amount of sophomoric hair-splitting really changes that.

    It's unfortunate that today's society seems more concerned with what they can 'get away with' or how closely they can skate to the rules, than simply recognizing the difference between right and wrong.

  • by Mordermi ( 2432580 ) on Thursday June 21, 2012 @08:20AM (#40396651)

    Really? If someone illegally obtains information, they should be allowed to ask for money to keep quiet?

  • by Sarten-X ( 1102295 ) on Thursday June 21, 2012 @09:09AM (#40397113) Homepage

    "Exceeded authorization" would be an interesting argument because computers always do what you tell them to do, not what you meant for them to do. So while this company may not have intended to give authorization, they did in fact, give authorization to download the file.

    One of the core principles of American law is that the intent matters. You can kill someone in a horrifically gruesome manner, but if it was purely accidental, you'll get a much smaller punishment, if any. Here, if the system administrators made any effort to restrict access to the data (such as explicitly blocking it from search engines, for example) they can make the case that it was their intent to keep the information hidden, so any attempt to access it is unauthorized.

    Authorization does not stem from what you can do, but what you have been explicitly given the authority to do. Putting a thin veneer of technology over "might makes right" doesn't change the underlying principle.

    Here's another appropriate analogy. A moron executive is walking around with a briefcase full of business data, and some random person comes up, grabs the briefcase, and runs off. The thief wasn't given permission to take it, so it's theft, regardless of the executive's inability to stop it, and regardless of the fact that the briefcase was visible to the world.

  • by Anonymous Coward on Thursday June 21, 2012 @10:11AM (#40397781)

    The web server authorised you to have access to it. Period.

  • by EdIII ( 1114411 ) on Thursday June 21, 2012 @11:56AM (#40399097)

    Intent is rather difficult here.

    You got the briefcase analogy wrong. You're forgetting that the executive was asked what the briefcase contained and handed it over without duress. There was no theft, and at all times, all actions were authorized by the executive.

    The webserver can only do what a company representative told it to do. So the intended level of authorizations needs to match the programmed level of authorizations. The responsibility for that lies entirely with the company.

    Pedantic? Not hardly.

    Consider this analogy:

    You have a food cart. It is staffed by an incompetent employee. Customer walks up and asks if there are hamburgers available. Employee responds yes. Customer asks if just anyone can have it (more accurately the employee never asks who the customer is). Employee responds that it is for everyone. Customer asks for 10 hamburgers. Employee hands over 10 hamburgers.

    Now 4 hours later when the police arrive at the customer's home and charge him with theft, is it correct?

    I would argue that it is not. The owners of the food cart may not have intended for the hamburgers to be free, or even advertised as available yet, but that is not what their employee said is it? It could even be highly unusual that hamburgers are free, and that a normal person would find it unusual, but once again, the employee handed them over.

    It's an important distinction for me because I don't like legislating the protection of the stupid, and don't want corporations to get off lightly. It's a really bad precedent in which logic and reason get thrown out the window to protect the rich and powerful. Standards need to be maintained.

    Put the hackers in jail for extortion and fine the crap out of the company for not properly configuring their webserver.

  • Authorized (Score:4, Insightful)

    by Sloppy ( 14984 ) on Thursday June 21, 2012 @12:08PM (#40399277) Homepage Journal

    Federal Law says that if you access their servers and you were not authorized to do so, then you have committed a computer crime, no matter what analogy you come up with.

    Right, but I think the point is that it's a stupid law. (And therefore nobody respects it or obeys it, and therefore nobody expects anyone else to obey it, and therefore that law is useless to (and probably even contrary to) the cause of justice.) In a thread titled "strange sense of morals" that's not irrelevant.

    Are you authorized to read the data at http://amazon.com/ [amazon.com]? How do you know? Who authorized you? When? What evidence do you have that you were authorized to request that page? What evidence do you have that you were authorized to receive the reply after you request that page?

    I know those are all stupid questions, but only because you have not been authorized to read Amazon's page, or if you have, it was done secretly inside Amazon and was never communicated to you. That is why it is a stupid law.

    It reminds me of how nobody has ever actually been prosecuted for playing a CSS-protected DVD on a DVDCCA-approved DVD player. Every time you descramble the CSS on a DVD, that's "circumvention" and illegal per DMCA, unless you have authorization by the movie's copyright holder, to do that. But of course, nobody has ever gotten authorization to do that. (Disagree? Prove it, or at least show some modest indirect evidence. This is harder than you think. Hint: purchasing the DVD does not imply permission to descramble the CSS, or else 2600 would have won their DeCSS case.) Every time anyone played a commercial DVD or BluRay, they were breaking the law, and the player manufacturer and the retail store who sold the player, broke the law too. That is, unless there's some sort of secret and uncommunicated authorization.

    So how do you know if you're authorized? You don't. You never know, until the moment you die without ever having been called to court.

    Same for public web servers. Everyone just assumes that information left in public, and without any notices it shouldn't be accessed, nor with any even half-hearted ineffective attempts to limit access, is .. well .. publicly accessible. But then fuckwits come along with a law saying you need authorization -- something that no one ever has, or at least can never show or demonstrate they have. The only authorization is hidden within the mind of whoever owns the server. It is never revealed, and its lack is also never revealed, until the moment you get a letter from a lawyer or are confronted by a cop.

    They can retroactively say you didn't have authorization, and there's nothing anyone can do about it. Any arguments they make which happen to get applied to clearly valuable or sensitive information (situations where common sense tells you the owner wouldn't want the information to be public -- situations the law was ostensibly intended to cover) apply just as logically to Amazon's home page. It's just that if Amazon prosecuted you for shopping at their store, the judge would laugh them out of court despite the technical wording of the law, simply because it's so absurd. Common sense would prevail if Amazon sued you for being a customer -- in defiance of what Congress wrote.

    But in between these two extreme examples, is a shitload of gray area. (Nearly everything you did on the web today was technically illegal.) The written law doesn't distinguish between any two points along this spectrum, just as DMCA doesn't distinguish between pirates and people merely playing their DRMed movies on Sony players. It must necessarily come down to a judge needing to pull an arbitrary decision out of their ass, every single time.

    Not that I have any sympathy for the bad guys in this case. The extortion is illegal in itself, and shows some clearly malicious intent. If
