The founder of a computer-security Web site who published details of recent hacker penetrations into government systems has been warned by a Defense Department contractor that he may be considered an accessory to the crimes.
John Vranesevich, founder of full-disclosure computer security Web site AntiOnline, posted two emails that he and other AntiOnline members received last week from a contractor with the Defense Information Systems Agency (DISA). The emails, sent by a system administrator at the Denver Defense Megacenter -- a financial administration center run by DISA -- suggested that Vranesevich "had knowledge of a crime and may be culpable."
[Full disclosure? Hardly. The page is nothing more than a half-assed collection of articles on a handful of hacker groups. Many of JP's original articles do not disclose full details of events.]
In recent weeks, AntiOnline has reported several penetrations of DISA systems by crackers, and included screen shots of government programs and sign-on screens as proof of the intrusions.
[Proof of the anonymous public FTP transfer isn't proof of anything.]
Vranesevich received the first DISA email on 28 April. The note, signed by Peter Farrell, alleged that Vranesevich might "be liable for encouraging further criminal activities against US Defense Department systems."
[It is my understanding that unless AntiOnline is considered legitimate media, then having direct knowledge of their events and withholding that information is obstruction of justice. Else, anyone can throw together a web site and claim to be media to avoid that.]
However, Farrell stopped short of threatening specific legal action against Vranesevich.
"We are not here to threaten you but to request your assistance in our investigation of two attacks on one of our machines and to provide, if requested, information on other attacks, successful or otherwise," wrote Farrell.
"Your page also displays a copy of a government log-on screen and you provide an interview with the supposed perpetrators. Their actions have led us to shut at least one server down temporarily as one attacker in particular attempted to spoof mail from the White House," Farrell continued.
Vranesevich said the latter comment exposed the weakness of DISA's case.
"It's very simple to send mail to someone making them think it is from the White House," said Vranesevich, who added that the letters were "ridiculous." To prove the point, Vranesevich sent Wired News an email from "email@example.com."
[Using utils like 'rlytest', you can adequately test a mailer's relay ability without forging mail like this. Any 'security expert' should know this.]
"He [Farrell] wanted me to tell him of every crime against US computers I've ever heard of happening, every attempt I've ever heard someone make -- whether or not it was carried out -- what methods I thought they used, how often I thought people did it," said Vranesevich.
"They want me to become the one-man, Janet Reno-$64-million-computer-crimes task force, is what it sounded like," he said.
In February, Attorney General Janet Reno said that she would be seeking US$64 million to build a National Infrastructure Protection Center, which would fight cybercrime and other threats to the US national infrastructure.
Vranesevich said that he did not have any classified information, and that he only publishes non-classified information about intrusions supplied to him by hackers and crackers.
[Yet he had a copy of the software, and thought it so secretive, he ran it after he disconnected from the Internet (reference _Have Crackers Found Military's Achilles Heel?_ by James Glave). That seems to contradict his claims of thinking it not classified.]
Jennifer Granick, a San Francisco criminal defense lawyer who has defended hackers, said Vranesevich was probably on safe legal ground.
"You are not obligated to report crimes that you know about -- that is not illegal," said Granick. "The mere publication of information that may assist someone in breaking the law is not itself illegal," she added.
"[Vranesevich] is hoping that by providing this information it will help security operators to improve their security," said Granick. "He has a First Amendment issue there; he doesn't have any interest in promoting criminal activity.
[What is he providing that will help? He is not telling anyone which servers are vulnerable, how they were broken into, or how to fix the problem.]
"[These letters] show one of the problems in the way that government has dealt with computer security," she said. "They are hoping to protect themselves by keeping the knowledge secret instead of improving their systems by taking advantage of all the knowledge out there.
"It's like trying not to let the slaves read: If no one has any information you can keep them down," she said.
Vranesevich said that the emails demonstrate "how hard a time the government really has with the security of their systems, and tracking people down after they've been breached."
The author of the emails, Peter Farrell, declined to elaborate. "The matter has been escalated within DISA to a level above me, and I am not authorized to comment," he said.
Meanwhile, officials at DISA headquarters said in a statement that Farrell was not speaking on behalf of the agency. ,/p>
"The Defense Information Systems Agency is aware of the two letters sent by Mr. Peter Farrell, a defense contractor employed at Defense Megacenter-Denver," the statement said.
Farrell's opinions are his own, the statement concluded.