return to table of content

City of Columbus sues expert who exposed extent of cyberattack

sillysaurusx
73 replies
1d

Former pentester here. Though I’m largely sympathetic with Goodwolf, note that releasing actual data is almost always a bad idea. It’s why bug bounty programs have limited scope.

The city seems upset that he shared data about ongoing investigations and undercover police reports. Depending on what exactly he shared, it’s hard to fault the city for that. It doesn’t really matter where the data currently exists; grabbing it and handing it off to others is obviously not a good idea.

If his goal was to prove to the reporters that such data existed and was available for download, he had many options that didn’t require accessing the data: screenshot the forum posts, send links to the reporters, detail what kind of data was there without actually showing any of it, and so on.

Now, if that’s what he did, and the city is still reacting this way, that’s obviously abuse. But it doesn’t seem unreasonable to order someone to stop disseminating data about ongoing investigations to reporters. Would you want your private cases to be more widely spread?

I’m really sympathetic to him, because this is an easy mistake to make. Before I got into the industry, I thought that this was white hat hacking; it’s obviously good that he’s spreading awareness about the breach. But how you do it really matters.

(Caveat: I worked in the industry for about a year in 2016, so maybe things have changed. But I’d be shocked if distributing actual data from any breach was condoned by anyone who works as a pentester, even today.)

the city says Goodwolf is threatening to publicly share the city's stolen data in the form of a website that he will create himself. Goodwolf previously told 10TV he does plan to set up a website, but it would only allow people to see if their name was part of the data breach.

This isn’t the same as setting up a site to see if your password was compromised. It could let anyone type in someone’s name and see whether they’re a witness in a criminal investigation.

AmericanChopper
25 replies
1d

According to what I read in that article, Goodwolf didn’t release the data. The hackers released the data, the city lied about it, Goodwolf went and retrieved the publicly accessible data and gave it to journalists to prove the city’s lie.

Unless that article is seriously mischaracterising what happened, I can’t see how this is anything other than a massive civil liberties infringement by the city, who are just trying to scapegoat this Goodwolf person. All of the damages they are describing were caused by their own negligence.

sillysaurusx
24 replies
1d

Retrieving publicly accessible data and then giving it to anyone else is the problem when the data contains the identities of witnesses for ongoing criminal investigations.

I’m really far on the side of hackers here, but I’m having trouble justifying sending any data whatsoever to journalists related to criminal investigations. Even one witness’s name, sent merely to prove that the breach happened, could be enough to cause direct harm to that case if the reporter decided to reveal it. You don’t need to do that to show a reporter that the breach happened. And it’s up to the reporter themselves to prove the breach is real.

dccoolgai
14 replies
1d

But that "harm" was caused by the City failing to secure the data - not this one person who said "the city failed to secure the data - anyone can get it".

sillysaurusx
12 replies
23h49m

Intent matters. The city was incompetent, but distributing data about active criminal investigations is malicious, or at least dangerous. And unlike Snowden, he wasn’t trying to expose abuses by sending the documents to reporters.

Here’s an example from my own life: I created books3, an AI training dataset of almost 200k books. This was thanks to The Eye, who hosted a copy of Bibliotik, a popular shadow library. But everyone is suing the AI companies themselves for using the training data, even though the original harm was caused by The Eye and Bibliotik.

not this one person who said "the city failed to secure the data - anyone can get it".

If he simply said that, there wouldn’t have been a problem. He sent actual data related to ongoing criminal investigations, and was on the record saying he might set up a website to more widely disseminate information about that data — which could include names of witnesses in those investigations.

throw10920
9 replies
16h14m

And unlike Snowden, he wasn’t trying to expose abuses by sending the documents to reporters.

Snowden was, according to all available evidence, not trying to expose abuses. He was trying to commit espionage against the US, and it's extremely clear to anyone who has passing experience with the leaks and a shred of intellectual honesty, because the vast majority of the files were completely unrelated to domestic surveillance programs, and instead concerned foreign surveillance programs.

Stop bringing up Snowden; all of the evidence indicates that he was lying about his motive.

aguaviva
4 replies
14h12m

He was trying to commit espionage against the US, and it's extremely clear to anyone who has passing experience with the leaks and a shred of intellectual honesty,

Just the pugnacious way you choose to phrase this ("It's sooo obvious, and if you don't simply full-on agree you must be clueless and/or a lying scumbag yourself") makes me doubt this version of events. That, plus the fact that (even after all this time) no one has come forward with any actual dispositive evidence for such a narrative.

It's all just speculation.

throw10920
3 replies
14h8m

There's the intellectual dishonesty - I literally described the evidence in the exact same sentence, that you cut off in your citation because it was inconvenient for you:

because the vast majority of the files were completely unrelated to domestic surveillance programs, and instead concerned foreign surveillance programs.

It is exactly because the common response to the evidence is this kind of deceptiveness that I have to point it out.

aguaviva
2 replies
13h45m

Bollocks -- the context is right there for anyone to scroll up and see, so there's nothing deceptive about the segment I chose to highlight. And that's all it was -- highlighting, not deceptive quoting.

throw10920
1 replies
13h30m

That part of my comment that you left out directly disproves what you wrote after:

That, plus the fact that (even after all this time) no one has come forward with any actual dispositive evidence for such a narrative.

It's all just speculation.

I described the evidence, provided by Snowden himself and publicly available for anyone to check, which directly disproves your claim that "it's all just speculative". The actual evidence significantly favors the theory that it was espionage over the theory that it was whistleblowing.

aguaviva
0 replies
13h3m

I described the evidence, provided by Snowden himself and publicly available for anyone to check,

Before I offer anything else -- you are welcome to provide quotes and sources for the respective items of evidence described above.

ToValueFunfetti
3 replies
14h38m

It's a bit surprising that he would choose to disseminate his espionage via uncovering mass secret state surveillence and sending documents to a third party so they could publish them. I am not in espionage, but I expect there are considerably easier and more reliable ways to exfiltrate data. I don't think it is as surprising that he took more files than he should have.

throw10920
2 replies
14h32m

He has also shown narcissistic tendencies, which is consistent with the US government's statements that he did this for publicity and personal recognition/profit. Sorry, when I say "espionage", I mean in the more general sense of dealing damage to the government, not specifically sending the documents to Russia or whatever. There's not a lot of evidence for him being a Russian spy.

I don't think it is as surprising that he took more files than he should have.

It's extremely surprising if he claims to have been acting in the public's interest by uncovering domestic spying programs and then over 90 percent of the files he took were completely unrelated to that stated goal. That's a very strong indicator of dishonesty.

aguaviva
0 replies
14h0m

He has also shown narcissistic tendencies, which is consistent with the US government's statements that he did this for publicity and personal recognition/profit.

"Narcisstic tendencies" is a very common smear / throwaway labelling we hear a lot -- about bosses, exes, manipulative relatives and what not. In some cases it's valid, but in most it's simply not. Unless you can point to specifics, we'll have to include this labelling of Snowden in that category as well.

But even if it did apply -- it would also be perfectly consistent with the possibly that he simply considers himself a fearless do-gooder. I don't rule out your alternatives, but Occam's Razor (combined with the fact that there's no visible evidence of him having profited in any way; and his general bearing and demeanor do not correspond to those of the publicity whore type) does favor the former.

(Not to say that he is or is not a fearless do-gooder; just that it's not at all unlikely that that's what he considers himself to be).

NavinF
0 replies
14h12m

Does anyone else use the word "espionage" like that or is it just you?

mlyle
0 replies
14h41m

but distributing data about active criminal investigations is malicious, or at least dangerous.

Is showing some reporters some sample data to show that the data exists malicious? Because I believe that's all he's been accused of doing.

was on the record saying he might set up a website to more widely disseminate information about that data

As to whether the website he would make one day would contain the information on investigations: this is disputed. To me, it seems the city misconstrues his quotes about letting people determine if names were contained in the entire dataset.

ToValueFunfetti
0 replies
14h49m

If it is okay for him to tell reporters that the data is publically accessible, knowing that they would verify that by downloading it, how is it dangerous or malicious for him to send examples to them directly? The outcomes are the same at worst and at best the reporters have considerably less of the data. There's a legal distinction there, not a moral one.

sigseg1v
0 replies
4h22m

Try telling the police that it's ok that you distributed drugs because it's actually them that failed to secure them against criminals and let me know how that goes.

rockskon
2 replies
23h6m

Unless I'm mistaken, the city lied about the data existing in a form unusable to the hackers. That lie is, itself, giving a false sense of security to witnesses for ongoing criminal investigations. Witnesses whose data is data is accessible on a website primarily (though not exclusively) accessed by criminals.

As is described in the article, this is one of the best cases of responsible disclosure I can think of in recent memory - refuting a government lie that put at-risk people's lives in danger.

t_sawyer
0 replies
32m

You are correct. The Mayor of the city said the data stolen was either encrypted or corrupted and unusable. The mayor also refused to confirm something had taken place for weeks.

I’ve been following this since early August because I grew up in Columbus and still have family there.

Ginther is a terrible mayor and has handled this mess about as poorly as you can. The researcher they’re trying to quiet exposed that Ginther was lying about the data being unusable.

kabdib
0 replies
22h16m

It looks fractally terrible, but:

"This is not about speech. It's not. It's about the actual action of > going on the keyboard, going into the dark web, gathering the information, > downloading it to your computer and then disseminating it to people > who are in the press or otherwise," Klein said.

... sounds a lot like free expression (especially when the city is lying)

nick238
2 replies
23h55m

I mean, if the city keeps saying, "no, there wasn't any data released", then maybe backs up and says "there wasn't any sensitive data released", and keeps backing up, at some point you need to cut to the chase and be like, "OK, here's the most salacious shit possible. Explain that."

I don't know how to do that responsibly (just share it with a reputable reporter?), but I definitely get the feeling if you're constantly subjected to bad faith.

sillysaurusx
1 replies
23h44m

Oh, I agree. But let the reporters do that. It’s their job. Just point them towards the data and they’ll do the rest.

If someone’s butt is going to be on the line, it should be a corporation’s (the news agency), or perhaps an individual investigative journalist. Not you. Not for something like this, anyway. If it was just social security numbers I might agree with you, but police databases are obviously dangerous to disseminate, even if it’s just to prove they exist. He could’ve sent redacted screenshots.

Point being, we don’t know what he sent, but sending anything at all from a police database is a bad idea. No lawyer would ever say that that’s legal, let alone ethical.

rolph
0 replies
23h38m

i think i get it.

you are in danger but you dont need to know that, its not your job to protect yourself, thats our job.

zadokshi
0 replies
19h7m

Reputable news organisations are only reputable because of the effort made to verify all the claims before publishing. They would need to see examples of the range of types of documents claimed to be in there.

Spivak
0 replies
1d

And that's why you send the data to reporters. Literally the people whose job it is to handle this correctly. They are the next stop when the city doesn't give you the time of day. He didn't send it to some disreputable news podcaster, they're the primary newspaper for the city.

AmericanChopper
0 replies
23h17m

The people who compromised and published the data (and the people who allowed them to do that) are responsible for 100% of the harm caused here. Once the data has been published, the harm is already done, and from a legal perspective any questions about accessing it and further communicating it are protected by 1A.

By the time Goodwolf got to the data, it had already been compromised and published. The only way he could have possibly contributed to the harm was by drawing attention to it. If you take that perspective, then the city has further contributed to that harm themselves by taking legal action against Goodwolf. Furthermore, you could also conclude from this argument that the city had some moral responsibility to lie to the public about the nature of the breach, and that all those who knew the truth would also have the moral responsibility to protect that lie.

I would say this is an incredibly perverse position to take. All of the data compromised in this breach was already published, and in the hands of criminals. For anybody whose data was included in this breach, the city lying about it was just putting them in further jeopardy. Now they will at least have the opportunity to learn about the breach. The journalists are hardly likely to abuse it. The only legitimate harm caused by Goodwolf was to harm the integrity of the lying city officials. They deserve that harm, and the other side of that coin is that the public benefits when corruption is exposed.

kayodelycaon
19 replies
1d

I happen to know this guy. He has an extremely bad reputation in the furry community for doxing people and bringing up old criminal records to publicly shame and cancel people. He actively tries to hurt people.

He’s about as far from an ethical hacker as you can be. He’s on a crusade.

Now that doesn’t mean this should be illegal but I’m not on his side.

Spivak
13 replies
1d

This is a bit "what were you doing at the devil's sacrament" but I digress it's not that important.

You should be able to be the worst person in the world and not hung for it. There's no reason to not be on his side, it doesn't mean you endorse him. The other side is an embarrassed government throwing their weight around to hang him for what isn't and shouldn't be a crime.

tourmalinetaco
9 replies
23h37m

You should be able to be the worst person in the world and not hung for it.

Do you just believe that someone should be allowed to do anything they want and not face repercussions?

Spivak
4 replies
23h28m

No, I'm saying your rights aren't conditional on whether or not you're an asshole.

tourmalinetaco
3 replies
22h14m

They are, though, considering how poorly we treat non-violent felons. That’s beside the point though, because his legal rights are not being infringed. Being sued and being charged are completely different. One is civil, the other is criminal.

sbuttgereit
2 replies
22h3m

Civil asset forfeiture is not criminal, but civil, and the legal matter is against the property, not the property owner. Still, I would argue that the property owner's rights are often violated is such actions.

late2part
1 replies
21h34m

"against the property"

You probably think identity theft is a customer's problem, not the bank too.

Just because the narrative calls it something, doesn't make it right.

It's silly for a nation-state to sue cash, it should never have been considered reasonable.

sbuttgereit
0 replies
18h55m

You probably think identity theft is a customer's problem, not the bank too.

Huh? I'm relaying what the law considers civil asset forfeiture to be. It's not my opinion and it is not a "narrative". In fact, here's some commentary addressing the issue I raised.

"Technically, civil asset forfeiture involves a government lawsuit against the personal property itself or, in legal terms, `in rem`. As strange as it may seem, the inanimate property, whether a yacht or a bag of cash, is the defendant in such a proceeding." --- (https://www.findlaw.com/criminal/criminal-rights/what-is-civ...)

If you don't believe that, maybe you'd believe the Justice Department on issue:

"Civil Judicial Forfeiture: In rem (against the property) court proceeding brought against property that was derived from or used to commit an offense, rather than against a person who committed an offense." --- (https://www.justice.gov/afp/types-federal-forfeiture)

What you ignored is the only opinion I expressed and the context of that expression: "Still, I would argue that the property owner's rights are often violated is such actions." How does this square with anything about identify theft responsibility?

It's silly for a nation-state to sue cash, it should never have been considered reasonable.

Actually, the historical origin of civil asset forfeiture has some rational basis, though, as with most sensible legal moves, gets corrupted by those willing to exploit the letter of the law in spite of its spirit.

Nonetheless, unless there's something I'm missing I don't find your retort particularly coherent. I urge you to reread the original comment to which I replied and my reply and try again.

kbelder
2 replies
23h28m

Well, they should be able to do anything they want that's legal without facing legal repercussions.

tourmalinetaco
1 replies
22h17m

He’s facing civil repercussions. He, as a worker of the city, disseminated information to the press that reveals undercover police reports, witness names and testimonies, and various other sensitive information. That may not be illegal, but if he broke a contract or other agreement then it’s expected that he faces repercussions.

The city may be in the wrong for downplaying the severity, but he’s in the wrong for directly handing over the hacked information he has to journalists.

axus
0 replies
14h53m

Did the journalists publish or share the details that could harm witnesses or investigations? Our default assumption is that journalists keep these kind of details confidential and secure from spreading... more than the city did.

I think they city would need to actually believe witnesses or investigations were actually harmed, and I don't mean picking whatever belief is most convenient for them. Maybe they do believe it. If they can prove it, they should win their suit.

yimmothathird
0 replies
23h6m

Only if that person is me

foundry27
1 replies
23h30m

It's easy to downvote and move on, but I don’t think that does justice to the valid underlying concerns this parent comment raises. I don’t agree with the idea that there’s “no reason” to question the guy’s actions - because his methods do raise serious ethical and safety concerns - but I think it’s right to caution against kneejerk reactions that might lead to government overreach. We should be wary of how power can be used to silence people, even if those people did shitty things in the past or are controversial figures.

Ignoring the underlying point being made won't make it go away, and won’t help educate any of our peers who might take some of this stuff at face value.

andrewflnr
0 replies
22h3m

My recommended remedy is to write your own sibling comment that makes the same point in a less downvotable way. Most of us are against government overreach, but we're against logical overreach too, and the GP comment did a lot of that. Just not very well argued on a very sensitive topic.

kayodelycaon
0 replies
23h16m

Law isn't black and white. Motives do matter in the US legal system.

For an extreme example, murder requires intent. Most computer crimes also fall into this.

In this case he crossed the line a professional security researcher would not have by showing the data to a third party.

superkuh
1 replies
22h55m

Do you though? I could say the same about kayodelcaon, but it'd be against HN rules just like your unsupported character attack that addresses none of the legal claims against him is.

The facts of it are that he did not do the hacking and did not make the information information online. He's just mirroring the easily available information because the city was lying about it. That's journalism. If the city wants to sue someone they should look internally and at the initial hackers/posters of the information in public.

kayodelycaon
0 replies
22h36m

Take a look yourself at what others have said. Go to en.wikifur.com and look at the Connor_Goodwolf page. That doesn't even begin to scratch the surface. Even if you think some of his causes are good, he does not do his due diligence and does not care if he's wrong.

My personal experience is from my own conversations with him and conversations with people in Cincinnati, Dayton, and Columbus.

someguydave
1 replies
1d

It could be that there are assholes on four sides here (blackhat guys, city, whitehat guy, journalists)

ta988
0 replies
17h42m

It is often the case yes... Which is why picking sides without beeing involved is often a mistake.

summermusic
0 replies
23h45m

Goodwolf is the name he uses for interviews and is not his legal name.

I read this and immediately suspected that he is a furry

ang_cire
7 replies
23h28m

This was not "releasing" information, though, it was already public. The "dark web" isn't someplace you require some special invite-only connection to, it's just regular websites (even if they use TOR) that anyone can access if they know where to look.

unethical_ban
3 replies
22h34m

It is naive to suggest that it is equally easy for the general public to search the dark web for an illicit data breach vs. go to a a publicized website.

Hell, I am in infosec and it would probably take me a few hours or more to find raw data. A grandma can click a website on CBS and type a name.

progmetaldev
0 replies
14h54m

I upvoted you stance, but at this point in technology, it's fairly easy to find articles on how to get on Tor and use a search engine that indexes Onion content. The two are not equivalent, but is it possible that you worry about visiting the dark web, versus the actual difficulty to do so? You are in infosec, so you are probably very conscious of what you can and can't do and track easily. The dark web is more difficult to track, but is it that much more difficult to access if you don't care about general privacy concerns? There are so many "easy" methods online to get you on the dark web, and most don't care too much about privacy like you or I care about. Just food for thought, I don't go searching the dark web, to keep my security to a level I can understand, and I don't think there's anything wrong with that.

jollofricepeas
0 replies
6h34m

You’re wrong.

I’m in infosec as well.

Kids (12+) know how to use Tor because we’ve made the “dark web” a cool place at this point.

And the Rhysida ransomware onion can be found with a simple Google search. The knowledge that’s it was Rhysida is public information .

STEPS TO REPRODUCE:

1. Download and install Tor

2. Search for Rhysida on Google

3. City of Columbus data is on the front page

ang_cire
0 replies
18h24m

Your argument essentially sets up certain websites as being "more public" than others as a legal test for liability, in a way I can only assume would be based on Google index and search results (how Grandma finds it), which is wild to suggest.

How would that even work? You linked to something that Google didn't index, so you're liable for spreading private info, but another person who posted the same data, but whose reference site was indexed by Google, isn't liable?

tourmalinetaco
2 replies
22h8m

Except there is a reasonable chance that he distributed illegally obtained uncensored data to people outside of the investigation, while being part of the investigative team. That’s not something you do, even if it’s not illegal.

bitnasty
0 replies
21h37m

part of the investigative team

The article doesn’t mention this…

ang_cire
0 replies
18h22m

I think you have either found additional context not shown here, or created it erroneously. This person was not part of an investigative team.

tptacek
6 replies
22h13m

For what it's worth, he didn't generate this data from an attack; he's just downloading it from Tor BBSs. The term "cybersecurity expert" contains multitudes.

sillysaurusx
5 replies
14h49m

Downloading it wasn’t really the problem, though. I agree that pentesters should be able to.

But redistributing a police database (even just to reporters) is obviously going to cause the city to file a restraining order to stop further distribution. Especially when he said he plans to make a site that would share details related to that database.

If nothing else, it was probably a bad idea to do what he did. I was only trying to caution overeager outsiders against doing similar things.

What do you make of all this? The lawsuit itself seems dubious, even if the restraining order made sense.

rockskon
2 replies
14h12m

My understanding is that there generally isn't a legal prohibiton on disseminating data you obtained legally even if the person who initially acquired it did so illegally.

cortesoft
1 replies
14h6m

I think it wouldn't be a crime, but you could still be sued to get you to stop distributing it.

rockskon
0 replies
13h19m

Sued under what grounds? "Cause we don't want you to" isn't valid legal grounds.

sigseg1v
1 replies
4h46m

Agreed.

I think something people are getting hung up on here is that just because something is technically public, doesn't mean you can assist in distributing it.

Example: Controlled drugs are public in that you can easily go to a certain area in downtown and obtain them. However, if you do so, and then you start distributing it yourself, you will be charged with a crime. Nobody has issues understanding this but they seem to have issues understanding when it's data instead of physical goods for some reason.

whycome
0 replies
2h50m

The city says it doesn't distribute illegal drugs. He knows they're lying. He goes to a dealer and gets the drugs that are in official city packaging and gives it to reporters.

nostrademons
4 replies
1d

It's somewhat unclear exactly what was shared and how. The article and the linked article about the data breach itself suggested that Goodwolf downloaded the data to verify its contents and then showed the data to a reporter, but he didn't actually release any data, nor distribute it into the permanent possession of the reporter. This is akin to Boeing saying "We had no knowledge of the 737 MAX's problems", and then an employee showing screenshots of confidential memos to the media saying "Yes you did, here is the truth."

I agree that creating a website where you can look up a name and see if they've been part of a police investigation is a bad idea, but he didn't actually do that, he only had plans to.

sillysaurusx
1 replies
1d

Sure, but the fact that it’s unclear is exactly what the city is reacting to. The point of the restraining order is that they have a reasonable belief that he might have distributed it to reporters, and he’s on the record saying he might create a website where anyone can see information related to ongoing criminal investigations or witness identities.

Note that showing the data to the reporter counts as distribution. He didn’t need to do that to prove to the reporter that the data was out there. Even sending screenshots of the data would’ve been ok if he’d redacted anything remotely confidential (it would be obvious from context that the document is probably legit, and the reporter would dig in further).

If he didn’t send any sensitive data to anyone, then I completely agree with you. But pentesters generally don’t send actual data to prove a breach exists to anyone but the target of the breach. Publicizing the breach itself is fine, but the article is pretty clear that’s not why they’re going after him.

oxygen_crisis
0 replies
18h46m

Showing it to a reporter with a reputable news agency shouldn't count as distribution.

Reporters and their editors are meant to be the experts on the ethics and legalities of what should be redacted and what level of detail is in the public interest to report.

You should be able to fork over everything to a reporter securely and let them defer to their ethics, consult with their lawyers, liaise with law enforcement, etc. to determine what level of disclosure is appropriate.

Spivak
1 replies
1d

I agree that creating a website where you can look up a name and see if they've been part of a police investigation is a bad idea, but he didn't actually do that, he only had plans to.

He still should. The dispatch article has more information, this was data that has already been leaked, there is no means of protecting it anymore. The only thing to do is release it so people know if they've been exposed.

https://www.dispatch.com/story/opinion/columns/2024/08/30/co...

Like it sucks that this is the best option but you can't make it go away, the data is free.

DaiPlusPlus
0 replies
22h4m

The only thing to do is release it so people know if they've been exposed.

Are we talking about a Troy Hunt-style (haveibeenpwned) website? If so, I don't consider a giant hashset-of-hashes a "release" because if that data (haveibeenpwnd's database) gets leaked it's of zero use to anyone because it doesn't contain any original data anymore.

But if you mean Wikileaks-style: put it all in a .rar file and publicise it, maintaining that the-ends-justify-the-means approach despite all the irresponsible-journalism, then absolutely no. Yikes. No.

unethical_ban
3 replies
22h38m

This is an important distinction that the city fails to articulate.

The city lied about the breach, so getting a restraining order immediately looks petty and abusive.

But you make a good point that such a website would not actually be useful. Anyone who is in those documents knows it, and allowing the public web the ability to look people up by name is dangerous.

The "hacker" is correct to speak loudly about the lies the city told. He would be incorrect to create a lookup.

kmoser
2 replies
21h43m

He would be incorrect to create a lookup.

Not if the lookup simply acknowledged whether a name exists in the records, without giving other context (e.g. property tax, DMV, criminal investigation, etc.).

unethical_ban
0 replies
12h48m

If the context is a 50% chance "witness in a criminal case" then the implied context is pretty strong.

FireBeyond
0 replies
18h34m

I'm more concerned with "Making it so people can only look themselves up".

Like how was he planning to enforce that? Trust and honesty?

Or maybe you upload your ID to him first?

I think that he's playing all weaselly now that there's some pressure.

lima
1 replies
1d

This is data that criminals already publicly released.

sigseg1v
0 replies
4h43m

If criminals already sell drugs publicly, and you go obtain those drugs and give them away to other members of the public, you will be in trouble. I don't think this is too difficult of a concept to grasp.

rockskon
0 replies
23h11m

????

I'm not quite certain what law he's accused of violating. He didn't download the info from the gov website so there couldn't be allegations of unauthorized access. He didn't hack the website either.

What gives?

rolph
9 replies
1d3h

i really wish the scarewords like darkweb would go away.

the internet is not google, no amount of sand over the head or in the eyes will change that.

Columbus officials chose to invalidate threat to public safety by way of misinformation, then retaliate when the threat and true situation was revealed.

keeping people ignorant of threatscape is not good government.

thinking the 'darkweb' is some sort of containment by obscurity, is beyond naive.

the city of columbus is actually inhibiting a proper response and perpetuating a cavalier security stance.

this is not going unnoticed.

[1] [This is a bigger issue here': Columbus resident wishes the city told residents about the data breach sooner]

https://www.10tv.com/article/news/local/columbus-woman-wishe...

[2] Second class-action lawsuit, representing police and firefighters, filed against city after cyberattack

https://www.10tv.com/article/news/local/second-class-action-...

[3] Ginther confirms personal information of Columbus residents exposed in cyberattack

https://www.10tv.com/article/news/local/ginther-press-confer...

gsk22
6 replies
1d1h

As far as I can tell, darkweb has no actual meaning anymore anyway.

I saw an article recently claiming that something like 80% of people under 30 access the dark web at least once a week. 80% of under-30s use Tor? Seems highly unlikely.

kjkjadksj
5 replies
1d

My understanding is it merely meant sites not indexed by search engines. Your employers internal websites or the sites for your college coursework would count.

Izkata
3 replies
23h58m

"Not indexed" is the deep web. The dark web is ones that use alternate protocols on top of the web so they can't be indexed by web search engines (includes things like Tor and Discord).

I suppose ones that require authentication (like internal employer sites) could also be dark web.

gsk22
2 replies
23h14m

Surely Discord can't be counted as dark web? It's not web at all.

wizzwizz4
0 replies
23h1m

Sure it is. I open my web browser, and Discord is in it.

progmetaldev
0 replies
15h58m

It's definitely hidden behind a login, and is often the source of many controversies including underage users, where it's easier for predators to groom and prey upon these kids. Trying to figure out a label such as "dark web" is less about the actual definition, and more about the intention behind the technology (IMO, of course).

sidewndr46
0 replies
1d

Don't forget bit torrent. There are teenagers out there committing several world GDP worth of piracy on the daily if you believe the entertainment industry

ForOldHack
1 replies
1d1h

Point, point, point, point, point, Game, set, Match.

"this is not going unnoticed." Oh thank god!

"the city of Columbus is actually inhibiting a proper response and perpetuating a cavalier security stance."

"On Aug. 13, Mayor Andrew Ginther said the data stolen by hackers was either corrupted or encrypted, meaning it was likely useless. Hours later, Goodwolf told 10TV that wasn't true and he showed what kind of personal information he was able to access"

"City officials announced they are providing free credit monitoring to Columbus and Franklin County Municipal Court Clerk employees and judges and have asked city employees to use different passwords for their accounts."

Elvis and common sense has left the building.

https://schneiderdowns.com/our-thoughts-on/city-of-columbus-...

progmetaldev
0 replies
15h4m

Appreciate the breakdown! Sounds like the typical cover-up, where it's honest disclosure (in appearance), until it slowly works its way out that it was far more severe than reported, and suddenly we're offering free credit monitoring.

I'm not sure how much data was exposed, but I've recently gotten a warning from Ticketmaster that my SSN (US social security number) was exposed. I absolutely did not provide that information, so it's either an outright lie, or there's a lot more sharing going on behind the scenes than the standard public is to believe.

theginger
5 replies
21h53m

I get access denied to 10tv.com No idea why, do they ban UK / EU readers?

lobsterthief
2 replies
21h42m

A lot of local news publishers in the US do that to save money and not have to deal with compliance in other countries.

It’s beyond stupid and lazy

SpicyLemonZest
0 replies
1h50m

How is it stupid or lazy? I wouldn't expect any random organization in Ohio to invest in European regulatory compliance. It's not like local news is a cash cow, there's gotta be better uses for any marginal dollars they end up with.

BeFlatXIII
0 replies
10m

Why would they care about compliance in other nations? If they don't have assets in the foreign countries, tell them to pound sand when they attempt to collect fines. Unless, of course, Congress stabbed the American public in the back by agreeing to enforce such fines in a trade agreement.

progmetaldev
0 replies
16h23m

I'm not defending the action, but some companies/government officials want to spend very little on their hosting. Often a Cloudflare account is put in front of the website, and all but US, or even local accounts are blocked. I have been forced to do it with clients that are not willing to spend more money on hosting, and they have a site that has regular updates where I can't cache everything, or the cache is commonly "cleared" for making changes to global elements. I have done a lot of work to "section out" parts of a website that update often, and replaced those areas with dynamic JavaScript to bypass page caching. Even then, it's a tough subject because clients often get confused when the content they updated doesn't show up, even with a custom CMS with a page level cache-clearing mechanism (using Umbraco, which has allowed me to start with zero layout, and create anything the designers and clients come up with). I've had to build all the cache breaking mechanisms by hand, using the Cloudflare API.

passwordoops
4 replies
1d

""This is not about speech. It's not. It's about the actual action of going on the keyboard, going into the dark web, gathering the information, downloading it to your computer and then disseminating it to people who are in the press or otherwise," Klein said"

No, this is about how you lied to your public about the nature and format of the data that you failed to protect

sidewndr46
3 replies
1d

I love how politicians invoke "the dark web" like its some bogeyman that hides in the night and preys upon young children. It's literally a bunch of websites. That's it.

superkuh
1 replies
22h57m

Everything not on Facebook/Google/Twitter is the dark web.

kabdib
0 replies
22h16m

Especially sketchy places like Hacker News. Just look at the name!

progmetaldev
0 replies
16h48m

Unfortunately it's how those with less technological knowledge help the government to place restrictions on freedom, because there is a disconnect with reporting accurate news and making a name for yourself. Walled gardens are easier to police (although often allowing more sinister things through than standard websites), and the public is becoming more and more aligned with social media being "the internet" similar to how AOL was setup in the 90's. Those of us that were around in that time period saw how much more was possible outside of these walled gardens, and I believe even those that weren't around in those days that have any tech-literacy are able to see the benefit to being able to exist outside of social media.

There is always going to be some kind of crusade in the name of something that tugs at everyone's heartstrings, but it's only to chip away at the freedoms of those that don't partake in the terrible acts (which there's no doubt terrible acts do occur, but not enough to have us all give up our freedom to make it easier to stop). I hope it's clear that I agree with you, and it is scary how easily swayed the public is (and that's coming from a father that definitely wants protections for our children, but also understand that a lot of that needs to start at home with communication more than limiting technology).

xbar
3 replies
23h58m

Embarrassed city sues annoying jerk who told everyone how full of crap city should was.

Suing security researchers for investigating the contents of disclosed information is ineffective at protecting anyone.

xyst
2 replies
21h15m

Reminds me of a story on Dark Net Diaries. Researchers are hired by state to do physical penetration testing at some court house in the middle of nowhere. Pentesters get caught. Pentesters comply with security and local PD and explain situation.

However some other asshole shows up to the scene claiming jurisdiction (county sheriff?), raises hell, makes a random call (county officials?), then arrest the pen testers on the spot for B&E.

State leave them out to dry in some county jail cell. I think the state ultimately ended up getting embarrassed and tried to sue the company and pen testers for some civil damages and pursue criminal charges.

In the end, they end up getting dropped and reputation of pen testers were ruined for a period of time.

progmetaldev
0 replies
16h33m

This is definitely the current state of security within government. I can't say it's anything new, it's just that the technology changed. Now it's about officials protecting themselves from being scrutinized by throwing around the law to aid in silencing those that find issues with technology. In the past it was exactly the same, except it was about officials protecting themselves from being scrutinized by throwing around the law to aid in silencing those that find issues in government policy, or government officials that skirted the law in the name of protection of the US people, etc. I think it's easier to go after people under technology laws than it was over finding information through informants and full whistleblowers. More scenarios to find information come about, and more draconian laws follow.

bell-cot
3 replies
1d3h

Sounds like a straightforward 1st Amendment case.

Might there be any lawyers with opinions (& disclaimers, obviously) in the house?

rolph
2 replies
1d2h

i think it hinges on what is a threat vs what is mitigation.

should people be informed, thus enabled to respond, or should people be etoliated, and kept ignorant of even requiring a response.

ForOldHack
1 replies
23h31m

My compliments on your vocabulary:

etoliated: Def 2. literary. weakened; no longer at full strength. "Her voice was thinner than I recalled..."

courseofaction
0 replies
22h40m

Especially by a lack of sunlight. Fitting.

xyst
1 replies
21h21m

This is wild. Researchers are simply pointing out how bad the security system is for the City of Columbus, OH.

On Aug. 13, Mayor Andrew Ginther said the data stolen by hackers was either corrupted or encrypted, meaning it was likely useless. Hours later, Goodwolf told 10TV that wasn't true and he showed what kind of personal information he was able to access.

lol - the entire city leadership needs to be recalled. They get caught with their pants down (no security), lie to the public (“it’s encrypted bro!1! trust me I’m a politician!!), lies get rightfully called out, and their response is to pour gas on the fire with this silly lawsuit funded by the local tax payers.

progmetaldev
0 replies
16h43m

I agree, and unless someone in a very large city can tell me otherwise, this seems to be how local government works. Everyone is living off the basis that they "did they best they knew how", and that seems to remove them from liability. I have seen lots of crazy things over the years, and I believe that erasing any kind of liability based on someone's account of how security works is at best willful ignorance. If we want local government to hold personal data, then we need local government to be responsible with that data. Saying, "I didn't know any better," is not acceptable in 2024 (and really hasn't been for at least a decade or more).

josefritzishere
1 replies
1d1h

This is a very clear case of a restraining order being used punatively. The body of first amendment case law is very clear. The city has no reasonabel expectation that they will win. Their intent is to restrain, and intimidate legitimate criticism.

zadokshi
0 replies
16h35m

Well they do win by intimidating people who want to whistleblow.

jmyeet
1 replies
23h16m

"Let's go burn down the observatory so this will never happen again."

kabdib
0 replies
22h14m

Our property values were great until they installed the seismographs.

yieldcrv
0 replies
23h52m

Hacking syndicate: not sued

Public website hosting hacked records: not sued

Lying public servant: not sued

Joe Schmoe for pointing out all three: sued

noobermin
0 replies
12h31m

Lived in columbus for many years. This absolutely tracks. There's something about being a blue city in a red state that makes the government rather brazen in protecting themselves.

nick238
0 replies
23h45m

I wonder if the ideal way to expose this would have been to approach some law firm showing that you (just you) were wronged by the City, here's the data, some basic auditing showing where it was from, statements by the city, hackers, etc.

Then just be like, yeah, there's like 3 TB of data there, maybe it's class-action worthy, hint, hint.

edm0nd
0 replies
1d1h

A perfect case for the EFF or ACLU to pickup and help defend against such a silly and weaponized restraining order.

coding123
0 replies
1d

This is not about speech. It's not. It's about the actual action of going on the keyboard, going into the dark web, gathering the information, downloading it to your computer and then disseminating it to people who are in the press or otherwise

Lol, unless the article is reporting something off, features like Chrome or Firefox reporting one of your passwords may have been compromised would be illegal.

The reality is that this city is wrong.