from Hacker News

City of Columbus sues expert who exposed extent of cyberattack

by hendler on 8/30/24, 2:44 PM with 132 comments

  • by sillysaurusx on 8/30/24, 5:36 PM

    Former pentester here. Though I’m largely sympathetic with Goodwolf, note that releasing actual data is almost always a bad idea. It’s why bug bounty programs have limited scope.

    The city seems upset that he shared data about ongoing investigations and undercover police reports. Depending on what exactly he shared, it’s hard to fault the city for that. It doesn’t really matter where the data currently exists; grabbing it and handing it off to others is obviously not a good idea.

    If his goal was to prove to the reporters that such data existed and was available for download, he had many options that didn’t require accessing the data: screenshot the forum posts, send links to the reporters, detail what kind of data was there without actually showing any of it, and so on.

    Now, if that’s what he did, and the city is still reacting this way, that’s obviously abuse. But it doesn’t seem unreasonable to order someone to stop disseminating data about ongoing investigations to reporters. Would you want your private cases to be more widely spread?

    I’m really sympathetic to him, because this is an easy mistake to make. Before I got into the industry, I thought that this was white hat hacking; it’s obviously good that he’s spreading awareness about the breach. But how you do it really matters.

    (Caveat: I worked in the industry for about a year in 2016, so maybe things have changed. But I’d be shocked if distributing actual data from any breach was condoned by anyone who works as a pentester, even today.)

    > the city says Goodwolf is threatening to publicly share the city's stolen data in the form of a website that he will create himself. Goodwolf previously told 10TV he does plan to set up a website, but it would only allow people to see if their name was part of the data breach.

    This isn’t the same as setting up a site to see if your password was compromised. It could let anyone type in someone’s name and see whether they’re a witness in a criminal investigation.

  • by passwordoops on 8/30/24, 5:33 PM

    ""This is not about speech. It's not. It's about the actual action of going on the keyboard, going into the dark web, gathering the information, downloading it to your computer and then disseminating it to people who are in the press or otherwise," Klein said"

    No, this is about how you lied to your public about the nature and format of the data that you failed to protect

  • by xyst on 8/30/24, 9:08 PM

    This is wild. Researchers are simply pointing out how bad the security system is for the City of Columbus, OH.

    > On Aug. 13, Mayor Andrew Ginther said the data stolen by hackers was either corrupted or encrypted, meaning it was likely useless. Hours later, Goodwolf told 10TV that wasn't true and he showed what kind of personal information he was able to access.

    lol - the entire city leadership needs to be recalled. They get caught with their pants down (no security), lie to the public (“it’s encrypted bro!1! trust me I’m a politician!!), lies get rightfully called out, and their response is to pour gas on the fire with this silly lawsuit funded by the local tax payers.

  • by xbar on 8/30/24, 6:32 PM

    Embarrassed city sues annoying jerk who told everyone how full of crap city should was.

    Suing security researchers for investigating the contents of disclosed information is ineffective at protecting anyone.

  • by edm0nd on 8/30/24, 5:25 PM

    A perfect case for the EFF or ACLU to pickup and help defend against such a silly and weaponized restraining order.

  • by foundart on 8/30/24, 9:47 PM

  • by yieldcrv on 8/30/24, 6:38 PM

    Hacking syndicate: not sued

    Public website hosting hacked records: not sued

    Lying public servant: not sued

    Joe Schmoe for pointing out all three: sued

  • by sva_ on 8/30/24, 5:34 PM

  • by noobermin on 8/31/24, 5:59 AM

    Lived in columbus for many years. This absolutely tracks. There's something about being a blue city in a red state that makes the government rather brazen in protecting themselves.

  • by coding123 on 8/30/24, 6:16 PM

    > This is not about speech. It's not. It's about the actual action of going on the keyboard, going into the dark web, gathering the information, downloading it to your computer and then disseminating it to people who are in the press or otherwise

    Lol, unless the article is reporting something off, features like Chrome or Firefox reporting one of your passwords may have been compromised would be illegal.

    The reality is that this city is wrong.

  • by mmsc on 8/30/24, 9:08 PM

  • by josefritzishere on 8/30/24, 5:20 PM

    This is a very clear case of a restraining order being used punatively. The body of first amendment case law is very clear. The city has no reasonabel expectation that they will win. Their intent is to restrain, and intimidate legitimate criticism.

  • by theginger on 8/30/24, 8:36 PM

    I get access denied to 10tv.com No idea why, do they ban UK / EU readers?

  • by nick238 on 8/30/24, 6:44 PM

    I wonder if the ideal way to expose this would have been to approach some law firm showing that you (just you) were wronged by the City, here's the data, some basic auditing showing where it was from, statements by the city, hackers, etc.

    Then just be like, yeah, there's like 3 TB of data there, maybe it's class-action worthy, hint, hint.

  • by bell-cot on 8/30/24, 3:00 PM

    Sounds like a straightforward 1st Amendment case.

    Might there be any lawyers with opinions (& disclaimers, obviously) in the house?

  • by rolph on 8/30/24, 3:18 PM

    i really wish the scarewords like darkweb would go away.

    the internet is not google, no amount of sand over the head or in the eyes will change that.

    Columbus officials chose to invalidate threat to public safety by way of misinformation, then retaliate when the threat and true situation was revealed.

    keeping people ignorant of threatscape is not good government.

    thinking the 'darkweb' is some sort of containment by obscurity, is beyond naive.

    the city of columbus is actually inhibiting a proper response and perpetuating a cavalier security stance.

    this is not going unnoticed.

    [1] [This is a bigger issue here': Columbus resident wishes the city told residents about the data breach sooner]

    https://www.10tv.com/article/news/local/columbus-woman-wishe...

    [2] Second class-action lawsuit, representing police and firefighters, filed against city after cyberattack

    https://www.10tv.com/article/news/local/second-class-action-...

    [3] Ginther confirms personal information of Columbus residents exposed in cyberattack

    https://www.10tv.com/article/news/local/ginther-press-confer...

  • by jmyeet on 8/30/24, 7:13 PM

    "Let's go burn down the observatory so this will never happen again."