Former pentester here. Though I’m largely sympathetic with Goodwolf, note that releasing actual data is almost always a bad idea. It’s why bug bounty programs have limited scope.
The city seems upset that he shared data about ongoing investigations and undercover police reports. Depending on what exactly he shared, it’s hard to fault the city for that. It doesn’t really matter where the data currently exists; grabbing it and handing it off to others is obviously not a good idea.
If his goal was to prove to the reporters that such data existed and was available for download, he had many options that didn’t require accessing the data: screenshot the forum posts, send links to the reporters, detail what kind of data was there without actually showing any of it, and so on.
Now, if that’s what he did, and the city is still reacting this way, that’s obviously abuse. But it doesn’t seem unreasonable to order someone to stop disseminating data about ongoing investigations to reporters. Would you want your private cases to be more widely spread?
I’m really sympathetic to him, because this is an easy mistake to make. Before I got into the industry, I thought that this was white hat hacking; it’s obviously good that he’s spreading awareness about the breach. But how you do it really matters.
(Caveat: I worked in the industry for about a year in 2016, so maybe things have changed. But I’d be shocked if distributing actual data from any breach was condoned by anyone who works as a pentester, even today.)
the city says Goodwolf is threatening to publicly share the city's stolen data in the form of a website that he will create himself. Goodwolf previously told 10TV he does plan to set up a website, but it would only allow people to see if their name was part of the data breach.
This isn’t the same as setting up a site to see if your password was compromised. It could let anyone type in someone’s name and see whether they’re a witness in a criminal investigation.
According to what I read in that article, Goodwolf didn’t release the data. The hackers released the data, the city lied about it, Goodwolf went and retrieved the publicly accessible data and gave it to journalists to prove the city’s lie.
Unless that article is seriously mischaracterising what happened, I can’t see how this is anything other than a massive civil liberties infringement by the city, who are just trying to scapegoat this Goodwolf person. All of the damages they are describing were caused by their own negligence.
Retrieving publicly accessible data and then giving it to anyone else is the problem when the data contains the identities of witnesses for ongoing criminal investigations.
I’m really far on the side of hackers here, but I’m having trouble justifying sending any data whatsoever to journalists related to criminal investigations. Even one witness’s name, sent merely to prove that the breach happened, could be enough to cause direct harm to that case if the reporter decided to reveal it. You don’t need to do that to show a reporter that the breach happened. And it’s up to the reporter themselves to prove the breach is real.
But that "harm" was caused by the City failing to secure the data - not this one person who said "the city failed to secure the data - anyone can get it".
Intent matters. The city was incompetent, but distributing data about active criminal investigations is malicious, or at least dangerous. And unlike Snowden, he wasn’t trying to expose abuses by sending the documents to reporters.
Here’s an example from my own life: I created books3, an AI training dataset of almost 200k books. This was thanks to The Eye, who hosted a copy of Bibliotik, a popular shadow library. But everyone is suing the AI companies themselves for using the training data, even though the original harm was caused by The Eye and Bibliotik.
If he simply said that, there wouldn’t have been a problem. He sent actual data related to ongoing criminal investigations, and was on the record saying he might set up a website to more widely disseminate information about that data — which could include names of witnesses in those investigations.
Snowden was, according to all available evidence, not trying to expose abuses. He was trying to commit espionage against the US, and it's extremely clear to anyone who has passing experience with the leaks and a shred of intellectual honesty, because the vast majority of the files were completely unrelated to domestic surveillance programs, and instead concerned foreign surveillance programs.
Stop bringing up Snowden; all of the evidence indicates that he was lying about his motive.
He was trying to commit espionage against the US, and it's extremely clear to anyone who has passing experience with the leaks and a shred of intellectual honesty,
Just the pugnacious way you choose to phrase this ("It's sooo obvious, and if you don't simply full-on agree you must be clueless and/or a lying scumbag yourself") makes me doubt this version of events. That, plus the fact that (even after all this time) no one has come forward with any actual dispositive evidence for such a narrative.
It's all just speculation.
There's the intellectual dishonesty - I literally described the evidence in the exact same sentence, that you cut off in your citation because it was inconvenient for you:
It is exactly because the common response to the evidence is this kind of deceptiveness that I have to point it out.
Bollocks -- the context is right there for anyone to scroll up and see, so there's nothing deceptive about the segment I chose to highlight. And that's all it was -- highlighting, not deceptive quoting.
That part of my comment that you left out directly disproves what you wrote after:
I described the evidence, provided by Snowden himself and publicly available for anyone to check, which directly disproves your claim that "it's all just speculative". The actual evidence significantly favors the theory that it was espionage over the theory that it was whistleblowing.
I described the evidence, provided by Snowden himself and publicly available for anyone to check,
Before I offer anything else -- you are welcome to provide quotes and sources for the respective items of evidence described above.
It's a bit surprising that he would choose to disseminate his espionage via uncovering mass secret state surveillance and sending documents to a third party so they could publish them. I am not in espionage, but I expect there are considerably easier and more reliable ways to exfiltrate data. I don't think it is as surprising that he took more files than he should have.
He has also shown narcissistic tendencies, which is consistent with the US government's statements that he did this for publicity and personal recognition/profit. Sorry, when I say "espionage", I mean in the more general sense of dealing damage to the government, not specifically sending the documents to Russia or whatever. There's not a lot of evidence for him being a Russian spy.
It's extremely surprising if he claims to have been acting in the public's interest by uncovering domestic spying programs and then over 90 percent of the files he took were completely unrelated to that stated goal. That's a very strong indicator of dishonesty.
He has also shown narcissistic tendencies, which is consistent with the US government's statements that he did this for publicity and personal recognition/profit.
"Narcissistic tendencies" is a very common smear / throwaway labelling we hear a lot -- about bosses, exes, manipulative relatives and what not. In some cases it's valid, but in most it's simply not. Unless you can point to specifics, we'll have to include this labelling of Snowden in that category as well.
But even if it did apply -- it would also be perfectly consistent with the possibility that he simply considers himself a fearless do-gooder. I don't rule out your alternatives, but Occam's Razor (combined with the fact that there's no visible evidence of him having profited in any way; and his general bearing and demeanor do not correspond to those of the publicity whore type) does favor the former.
(Not to say that he is or is not a fearless do-gooder; just that it's not at all unlikely that that's what he considers himself to be).
Does anyone else use the word "espionage" like that or is it just you?
Is showing some reporters some sample data to show that the data exists malicious? Because I believe that's all he's been accused of doing.
As to whether the website he would make one day would contain the information on investigations: this is disputed. To me, it seems the city misconstrues his quotes about letting people determine if names were contained in the entire dataset.
If it is okay for him to tell reporters that the data is publicly accessible, knowing that they would verify that by downloading it, how is it dangerous or malicious for him to send examples to them directly? The outcomes are the same at worst and at best the reporters have considerably less of the data. There's a legal distinction there, not a moral one.
Try telling the police that it's ok that you distributed drugs because it's actually them that failed to secure them against criminals and let me know how that goes.
Unless I'm mistaken, the city lied about the data existing in a form unusable to the hackers. That lie is, itself, giving a false sense of security to witnesses for ongoing criminal investigations. Witnesses whose data is accessible on a website primarily (though not exclusively) accessed by criminals.
As is described in the article, this is one of the best cases of responsible disclosure I can think of in recent memory - refuting a government lie that put at-risk people's lives in danger.
You are correct. The Mayor of the city said the data stolen was either encrypted or corrupted and unusable. The mayor also refused to confirm something had taken place for weeks.
I’ve been following this since early August because I grew up in Columbus and still have family there.
Ginther is a terrible mayor and has handled this mess about as poorly as you can. The researcher they’re trying to quiet exposed that Ginther was lying about the data being unusable.
It looks fractally terrible, but:
... sounds a lot like free expression (especially when the city is lying)
I mean, if the city keeps saying, "no, there wasn't any data released", then maybe backs up and says "there wasn't any sensitive data released", and keeps backing up, at some point you need to cut to the chase and be like, "OK, here's the most salacious shit possible. Explain that."
I don't know how to do that responsibly (just share it with a reputable reporter?), but I definitely get the feeling if you're constantly subjected to bad faith.
Oh, I agree. But let the reporters do that. It’s their job. Just point them towards the data and they’ll do the rest.
If someone’s butt is going to be on the line, it should be a corporation’s (the news agency), or perhaps an individual investigative journalist. Not you. Not for something like this, anyway. If it was just social security numbers I might agree with you, but police databases are obviously dangerous to disseminate, even if it’s just to prove they exist. He could’ve sent redacted screenshots.
Point being, we don’t know what he sent, but sending anything at all from a police database is a bad idea. No lawyer would ever say that that’s legal, let alone ethical.
I think I get it.
You are in danger but you don't need to know that, it's not your job to protect yourself, that's our job.
Reputable news organisations are only reputable because of the effort made to verify all the claims before publishing. They would need to see examples of the range of types of documents claimed to be in there.
And that's why you send the data to reporters. Literally the people whose job it is to handle this correctly. They are the next stop when the city doesn't give you the time of day. He didn't send it to some disreputable news podcaster, they're the primary newspaper for the city.
The people who compromised and published the data (and the people who allowed them to do that) are responsible for 100% of the harm caused here. Once the data has been published, the harm is already done, and from a legal perspective any questions about accessing it and further communicating it are protected by 1A.
By the time Goodwolf got to the data, it had already been compromised and published. The only way he could have possibly contributed to the harm was by drawing attention to it. If you take that perspective, then the city has further contributed to that harm themselves by taking legal action against Goodwolf. Furthermore, you could also conclude from this argument that the city had some moral responsibility to lie to the public about the nature of the breach, and that all those who knew the truth would also have the moral responsibility to protect that lie.
I would say this is an incredibly perverse position to take. All of the data compromised in this breach was already published, and in the hands of criminals. For anybody whose data was included in this breach, the city lying about it was just putting them in further jeopardy. Now they will at least have the opportunity to learn about the breach. The journalists are hardly likely to abuse it. The only legitimate harm caused by Goodwolf was to harm the integrity of the lying city officials. They deserve that harm, and the other side of that coin is that the public benefits when corruption is exposed.
I happen to know this guy. He has an extremely bad reputation in the furry community for doxing people and bringing up old criminal records to publicly shame and cancel people. He actively tries to hurt people.
He’s about as far from an ethical hacker as you can be. He’s on a crusade.
Now that doesn’t mean this should be illegal but I’m not on his side.
This is a bit "what were you doing at the devil's sacrament" but I digress; it's not that important.
You should be able to be the worst person in the world and not be hung for it. There's no reason to not be on his side; it doesn't mean you endorse him. The other side is an embarrassed government throwing their weight around to hang him for what isn't and shouldn't be a crime.
Do you just believe that someone should be allowed to do anything they want and not face repercussions?
No, I'm saying your rights aren't conditional on whether or not you're an asshole.
They are, though, considering how poorly we treat non-violent felons. That’s beside the point though, because his legal rights are not being infringed. Being sued and being charged are completely different. One is civil, the other is criminal.
Civil asset forfeiture is not criminal, but civil, and the legal matter is against the property, not the property owner. Still, I would argue that the property owner's rights are often violated in such actions.
"against the property"
You probably think identity theft is a customer's problem, not the bank too.
Just because the narrative calls it something, doesn't make it right.
It's silly for a nation-state to sue cash, it should never have been considered reasonable.
Huh? I'm relaying what the law considers civil asset forfeiture to be. It's not my opinion and it is not a "narrative". In fact, here's some commentary addressing the issue I raised.
"Technically, civil asset forfeiture involves a government lawsuit against the personal property itself or, in legal terms, `in rem`. As strange as it may seem, the inanimate property, whether a yacht or a bag of cash, is the defendant in such a proceeding." --- (https://www.findlaw.com/criminal/criminal-rights/what-is-civ...)
If you don't believe that, maybe you'd believe the Justice Department on the issue:
"Civil Judicial Forfeiture: In rem (against the property) court proceeding brought against property that was derived from or used to commit an offense, rather than against a person who committed an offense." --- (https://www.justice.gov/afp/types-federal-forfeiture)
What you ignored is the only opinion I expressed and the context of that expression: "Still, I would argue that the property owner's rights are often violated in such actions." How does this square with anything about identity theft responsibility?
Actually, the historical origin of civil asset forfeiture has some rational basis, though, as with most sensible legal moves, gets corrupted by those willing to exploit the letter of the law in spite of its spirit.
Nonetheless, unless there's something I'm missing I don't find your retort particularly coherent. I urge you to reread the original comment to which I replied and my reply and try again.
Well, they should be able to do anything they want that's legal without facing legal repercussions.
He’s facing civil repercussions. He, as a worker of the city, disseminated information to the press that reveals undercover police reports, witness names and testimonies, and various other sensitive information. That may not be illegal, but if he broke a contract or other agreement then it’s expected that he faces repercussions.
The city may be in the wrong for downplaying the severity, but he’s in the wrong for directly handing over the hacked information he has to journalists.
Did the journalists publish or share the details that could harm witnesses or investigations? Our default assumption is that journalists keep these kinds of details confidential and secure from spreading... more than the city did.
I think the city would need to actually believe witnesses or investigations were actually harmed, and I don't mean picking whatever belief is most convenient for them. Maybe they do believe it. If they can prove it, they should win their suit.
Only if that person is me
It's easy to downvote and move on, but I don’t think that does justice to the valid underlying concerns this parent comment raises. I don’t agree with the idea that there’s “no reason” to question the guy’s actions - because his methods do raise serious ethical and safety concerns - but I think it’s right to caution against kneejerk reactions that might lead to government overreach. We should be wary of how power can be used to silence people, even if those people did shitty things in the past or are controversial figures.
Ignoring the underlying point being made won't make it go away, and won’t help educate any of our peers who might take some of this stuff at face value.
My recommended remedy is to write your own sibling comment that makes the same point in a less downvotable way. Most of us are against government overreach, but we're against logical overreach too, and the GP comment did a lot of that. Just not very well argued on a very sensitive topic.
Law isn't black and white. Motives do matter in the US legal system.
For an extreme example, murder requires intent. Most computer crimes also fall into this.
In this case he crossed the line a professional security researcher would not have by showing the data to a third party.
Do you though? I could say the same about kayodelcaon, but it'd be against HN rules just like your unsupported character attack that addresses none of the legal claims against him is.
The facts of it are that he did not do the hacking and did not put the information online. He's just mirroring the easily available information because the city was lying about it. That's journalism. If the city wants to sue someone they should look internally and at the initial hackers/posters of the information in public.
Take a look yourself at what others have said. Go to en.wikifur.com and look at the Connor_Goodwolf page. That doesn't even begin to scratch the surface. Even if you think some of his causes are good, he does not do his due diligence and does not care if he's wrong.
My personal experience is from my own conversations with him and conversations with people in Cincinnati, Dayton, and Columbus.
It could be that there are assholes on four sides here (blackhat guys, city, whitehat guy, journalists)
It is often the case, yes... Which is why picking sides without being involved is often a mistake.
I read this and immediately suspected that he is a furry
This was not "releasing" information, though, it was already public. The "dark web" isn't someplace you require some special invite-only connection to, it's just regular websites (even if they use Tor) that anyone can access if they know where to look.
It is naive to suggest that it is equally easy for the general public to search the dark web for an illicit data breach vs. go to a publicized website.
Hell, I am in infosec and it would probably take me a few hours or more to find raw data. A grandma can click a website on CBS and type a name.
I upvoted your stance, but at this point in technology, it's fairly easy to find articles on how to get on Tor and use a search engine that indexes Onion content. The two are not equivalent, but is it possible that you worry about visiting the dark web, versus the actual difficulty to do so? You are in infosec, so you are probably very conscious of what you can and can't do and track easily. The dark web is more difficult to track, but is it that much more difficult to access if you don't care about general privacy concerns? There are so many "easy" methods online to get you on the dark web, and most don't care too much about privacy like you or I care about. Just food for thought, I don't go searching the dark web, to keep my security to a level I can understand, and I don't think there's anything wrong with that.
You’re wrong.
I’m in infosec as well.
Kids (12+) know how to use Tor because we’ve made the “dark web” a cool place at this point.
And the Rhysida ransomware onion can be found with a simple Google search. The knowledge that it was Rhysida is public information.
STEPS TO REPRODUCE:
1. Download and install Tor
2. Search for Rhysida on Google
3. City of Columbus data is on the front page
Your argument essentially sets up certain websites as being "more public" than others as a legal test for liability, in a way I can only assume would be based on Google index and search results (how Grandma finds it), which is wild to suggest.
How would that even work? You linked to something that Google didn't index, so you're liable for spreading private info, but another person who posted the same data, but whose reference site was indexed by Google, isn't liable?
Except there is a reasonable chance that he distributed illegally obtained uncensored data to people outside of the investigation, while being part of the investigative team. That’s not something you do, even if it’s not illegal.
The article doesn’t mention this…
I think you have either found additional context not shown here, or created it erroneously. This person was not part of an investigative team.
For what it's worth, he didn't generate this data from an attack; he's just downloading it from Tor BBSs. The term "cybersecurity expert" contains multitudes.
Downloading it wasn’t really the problem, though. I agree that pentesters should be able to.
But redistributing a police database (even just to reporters) is obviously going to cause the city to file a restraining order to stop further distribution. Especially when he said he plans to make a site that would share details related to that database.
If nothing else, it was probably a bad idea to do what he did. I was only trying to caution overeager outsiders against doing similar things.
What do you make of all this? The lawsuit itself seems dubious, even if the restraining order made sense.
My understanding is that there generally isn't a legal prohibition on disseminating data you obtained legally even if the person who initially acquired it did so illegally.
I think it wouldn't be a crime, but you could still be sued to get you to stop distributing it.
Sued under what grounds? "Cause we don't want you to" isn't valid legal grounds.
Agreed.
I think something people are getting hung up on here is that just because something is technically public, doesn't mean you can assist in distributing it.
Example: Controlled drugs are public in that you can easily go to a certain area in downtown and obtain them. However, if you do so, and then you start distributing it yourself, you will be charged with a crime. Nobody has issues understanding this but they seem to have issues understanding when it's data instead of physical goods for some reason.
The city says it doesn't distribute illegal drugs. He knows they're lying. He goes to a dealer and gets the drugs that are in official city packaging and gives it to reporters.
It's somewhat unclear exactly what was shared and how. The article and the linked article about the data breach itself suggested that Goodwolf downloaded the data to verify its contents and then showed the data to a reporter, but he didn't actually release any data, nor distribute it into the permanent possession of the reporter. This is akin to Boeing saying "We had no knowledge of the 737 MAX's problems", and then an employee showing screenshots of confidential memos to the media saying "Yes you did, here is the truth."
I agree that creating a website where you can look up a name and see if they've been part of a police investigation is a bad idea, but he didn't actually do that, he only had plans to.
Sure, but the fact that it’s unclear is exactly what the city is reacting to. The point of the restraining order is that they have a reasonable belief that he might have distributed it to reporters, and he’s on the record saying he might create a website where anyone can see information related to ongoing criminal investigations or witness identities.
Note that showing the data to the reporter counts as distribution. He didn’t need to do that to prove to the reporter that the data was out there. Even sending screenshots of the data would’ve been ok if he’d redacted anything remotely confidential (it would be obvious from context that the document is probably legit, and the reporter would dig in further).
If he didn’t send any sensitive data to anyone, then I completely agree with you. But pentesters generally don’t send actual data to prove a breach exists to anyone but the target of the breach. Publicizing the breach itself is fine, but the article is pretty clear that’s not why they’re going after him.
Showing it to a reporter with a reputable news agency shouldn't count as distribution.
Reporters and their editors are meant to be the experts on the ethics and legalities of what should be redacted and what level of detail is in the public interest to report.
You should be able to fork over everything to a reporter securely and let them defer to their ethics, consult with their lawyers, liaise with law enforcement, etc. to determine what level of disclosure is appropriate.
He still should. The Dispatch article has more information: this was data that has already been leaked, there is no means of protecting it anymore. The only thing to do is release it so people know if they've been exposed.
https://www.dispatch.com/story/opinion/columns/2024/08/30/co...
Like it sucks that this is the best option but you can't make it go away, the data is free.
Are we talking about a Troy Hunt-style (haveibeenpwned) website? If so, I don't consider a giant hashset-of-hashes a "release" because if that data (haveibeenpwned's database) gets leaked it's of zero use to anyone because it doesn't contain any original data anymore.
But if you mean Wikileaks-style: put it all in a .rar file and publicise it, maintaining that the-ends-justify-the-means approach despite all the irresponsible-journalism, then absolutely no. Yikes. No.
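The Troy Hunt-style "hashset-of-hashes" lookup discussed above, as an added example that is not from this thread, from haveibeenpwned, or from any site Goodwolf planned; it assumes SHA-256 over normalized names and a constructed, made-up list of names and candidates. It shows the k-anonymity range query (client hashes locally and sends only a short prefix) and also the caveat that for low-entropy identifiers like names, a leaked hash set is recoverable by dictionary matching, so "zero use to anyone" holds for strong passwords but not for names.

```python
import hashlib

# Constructed sample "breach" records for the demo: made-up names,
# not data from any real leak.
BREACH_NAMES = ["Alice Smith", "Bob Jones", "Carol White"]

# Constructed candidate list someone might already hold (e.g. a public
# directory). Names come from a small space, so such lists are easy to build.
CANDIDATE_NAMES = ["Alice Smith", "Dave Brown", "Bob Jones", "Erin Black"]


def normalize(name: str) -> str:
    """Canonical form so 'alice  SMITH' and 'Alice Smith' hash the same."""
    return " ".join(name.lower().split())


def name_hash(name: str) -> str:
    """Unsalted SHA-256 of the normalized name, as a hex digest."""
    return hashlib.sha256(normalize(name).encode("utf-8")).hexdigest()


def build_hashset(names) -> set:
    """What the lookup site would store: hashes only, no original records."""
    return {name_hash(n) for n in names}


def range_query(hashset: set, prefix: str) -> list:
    """Server side of a HIBP-style k-anonymity query: given a short hash
    prefix, return every stored suffix sharing it. The server never sees
    the full hash, so it does not learn exactly which name was checked."""
    return sorted(h[len(prefix):] for h in hashset if h.startswith(prefix))


def client_check(hashset: set, name: str, prefix_len: int = 5) -> bool:
    """Client side: hash locally, send only the prefix, match the suffix."""
    h = name_hash(name)
    suffixes = range_query(hashset, h[:prefix_len])
    return h[prefix_len:] in suffixes


def dictionary_recover(hashset: set, candidates) -> list:
    """The caveat: a leaked hash set of *names* is not 'zero use'. Unlike
    strong passwords, names are guessable, so anyone holding a candidate
    list recovers the originals by hashing each one and matching."""
    return sorted(normalize(c) for c in candidates if name_hash(c) in hashset)


if __name__ == "__main__":
    hs = build_hashset(BREACH_NAMES)
    print(client_check(hs, "alice  smith"))      # True
    print(client_check(hs, "Dave Brown"))        # False
    print(dictionary_recover(hs, CANDIDATE_NAMES))  # ['alice smith', 'bob jones']
```

A server-side keyed hash (HMAC with a secret the server never publishes) would resist this offline recovery, at the cost that the client can no longer hash locally for the prefix query and must send the name itself.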
This is an important distinction that the city fails to articulate.
The city lied about the breach, so getting a restraining order immediately looks petty and abusive.
But you make a good point that such a website would not actually be useful. Anyone who is in those documents knows it, and allowing the public web the ability to look people up by name is dangerous.
The "hacker" is correct to speak loudly about the lies the city told. He would be incorrect to create a lookup.
Not if the lookup simply acknowledged whether a name exists in the records, without giving other context (e.g. property tax, DMV, criminal investigation, etc.).
If the context is a 50% chance "witness in a criminal case" then the implied context is pretty strong.
I'm more concerned with "Making it so people can only look themselves up".
Like how was he planning to enforce that? Trust and honesty?
Or maybe you upload your ID to him first?
I think that he's playing all weaselly now that there's some pressure.
This is data that criminals already publicly released.
If criminals already sell drugs publicly, and you go obtain those drugs and give them away to other members of the public, you will be in trouble. I don't think this is too difficult of a concept to grasp.
????
I'm not quite certain what law he's accused of violating. He didn't download the info from the gov website so there couldn't be allegations of unauthorized access. He didn't hack the website either.
What gives?