The city seems upset that he shared data about ongoing investigations and undercover police reports. Depending on what exactly he shared, it’s hard to fault the city for that. It doesn’t really matter where the data currently exists; grabbing it and handing it off to others is obviously not a good idea.
If his goal was to prove to the reporters that such data existed and was available for download, he had many options that didn’t require accessing the data: screenshot the forum posts, send links to the reporters, detail what kind of data was there without actually showing any of it, and so on.
Now, if that’s what he did, and the city is still reacting this way, that’s obviously abuse. But it doesn’t seem unreasonable to order someone to stop disseminating data about ongoing investigations to reporters. Would you want your private cases to be more widely spread?
I’m really sympathetic to him, because this is an easy mistake to make. Before I got into the industry, I thought that this was white hat hacking; it’s obviously good that he’s spreading awareness about the breach. But how you do it really matters.
(Caveat: I worked in the industry for about a year in 2016, so maybe things have changed. But I’d be shocked if distributing actual data from any breach was condoned by anyone who works as a pentester, even today.)
> the city says Goodwolf is threatening to publicly share the city's stolen data in the form of a website that he will create himself. Goodwolf previously told 10TV he does plan to set up a website, but it would only allow people to see if their name was part of the data breach.
This isn’t the same as setting up a site to see if your password was compromised. It could let anyone type in someone’s name and see whether they’re a witness in a criminal investigation.
I agree that creating a website where you can look up a name and see if they've been part of a police investigation is a bad idea, but he didn't actually do that, he only had plans to.
Note that showing the data to the reporter counts as distribution. He didn’t need to do that to prove to the reporter that the data was out there. Even sending screenshots of the data would’ve been ok if he’d redacted anything remotely confidential (it would be obvious from context that the document is probably legit, and the reporter would dig in further).
If he didn’t send any sensitive data to anyone, then I completely agree with you. But pentesters generally don’t send actual data to prove a breach exists to anyone but the target of the breach. Publicizing the breach itself is fine, but the article is pretty clear that’s not why they’re going after him.
He still should. The Dispatch article has more information: this was data that had already been leaked; there is no means of protecting it anymore. The only thing to do is release it so people know if they've been exposed.
https://www.dispatch.com/story/opinion/columns/2024/08/30/co...
Like, it sucks that this is the best option, but you can't make it go away; the data is free.
You can sue for prior restraint if someone is threatening you.
Unless that article is seriously mischaracterising what happened, I can’t see how this is anything other than a massive civil liberties infringement by the city, who are just trying to scapegoat this Goodwolf person. All of the damages they are describing were caused by their own negligence.
I’m really far on the side of hackers here, but I’m having trouble justifying sending any data whatsoever to journalists related to criminal investigations. Even one witness’s name, sent merely to prove that the breach happened, could be enough to cause direct harm to that case if the reporter decided to reveal it. You don’t need to do that to show a reporter that the breach happened. And it’s up to the reporter themselves to prove the breach is real.
Hell, I am in infosec and it would probably take me a few hours or more to find raw data. A grandma can click a website on CBS and type a name.
It's not hard at all. The people like the decisionmakers here inflict violence upon people's willingness to help them with very bad cybersecurity issues. Which are everywhere. If we lived in a healthy society, whoever decided to prosecute this would be sacrificed to a volcano (metaphorically).
But redistributing a police database (even just to reporters) is obviously going to cause the city to file a restraining order to stop further distribution. Especially when he said he plans to make a site that would share details related to that database.
If nothing else, it was probably a bad idea to do what he did. I was only trying to caution overeager outsiders against doing similar things.
What do you make of all this? The lawsuit itself seems dubious, even if the restraining order made sense.
I'm not quite certain what law he's accused of violating. He didn't download the info from the gov website so there couldn't be allegations of unauthorized access. He didn't hack the website either.
What gives?
The city lied about the breach, so getting a restraining order immediately looks petty and abusive.
But you make a good point that such a website would not actually be useful. Anyone who is in those documents knows it, and allowing the public web the ability to look people up by name is dangerous.
The "hacker" is correct to speak loudly about the lies the city told. He would be incorrect to create a lookup.
Not if the lookup simply acknowledged whether a name exists in the records, without giving other context (e.g. property tax, DMV, criminal investigation, etc.).
He’s about as far from an ethical hacker as you can be. He’s on a crusade.
Now that doesn’t mean this should be illegal but I’m not on his side.
I read this and immediately suspected that he is a furry
You should be able to be the worst person in the world and not be hanged for it. There's no reason not to be on his side; it doesn't mean you endorse him. The other side is an embarrassed government throwing its weight around to hang him for what isn't and shouldn't be a crime.
The facts of it are that he did not do the hacking and did not make the information available online. He's just mirroring the easily available information because the city was lying about it. That's journalism. If the city wants to sue someone, they should look internally and at the initial hackers/posters of the information in public.
No, this is about how you lied to your public about the nature and format of the data that you failed to protect.
There is always going to be some kind of crusade in the name of something that tugs at everyone's heartstrings, but it's only to chip away at the freedoms of those that don't partake in the terrible acts (there's no doubt terrible acts do occur, but not enough to have us all give up our freedom to make it easier to stop). I hope it's clear that I agree with you, and it is scary how easily swayed the public is (and that's coming from a father that definitely wants protections for our children, but also understands that a lot of that needs to start at home with communication more than with limiting technology).
> On Aug. 13, Mayor Andrew Ginther said the data stolen by hackers was either corrupted or encrypted, meaning it was likely useless. Hours later, Goodwolf told 10TV that wasn't true and he showed what kind of personal information he was able to access.
lol - the entire city leadership needs to be recalled. They get caught with their pants down (no security), lie to the public (“it’s encrypted bro!1! trust me I’m a politician!!”), the lies get rightfully called out, and their response is to pour gas on the fire with this silly lawsuit funded by the local taxpayers.
Suing security researchers for investigating the contents of disclosed information is ineffective at protecting anyone.
However, some other asshole shows up on the scene claiming jurisdiction (county sheriff?), raises hell, makes a random call (county officials?), then arrests the pen testers on the spot for B&E.
The state leaves them out to dry in some county jail cell. I think the state ultimately ended up getting embarrassed and tried to sue the company and pen testers for some civil damages and pursue criminal charges.
In the end, the charges end up getting dropped and the reputation of the pen testers was ruined for a period of time.
https://arstechnica.com/information-technology/2019/11/how-a...
Follow up a few months later:
https://arstechnica.com/information-technology/2020/01/crimi...
https://arstechnica.com/security/2024/08/city-of-columbus-su...
Public website hosting hacked records: not sued
Lying public servant: not sued
Joe Schmoe for pointing out all three: sued
(blocked in EU)
Lol, unless the article is reporting something off, features like Chrome or Firefox reporting one of your passwords may have been compromised would be illegal.
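The browser password check the comment above refers to does not work by handing out the breached list; it uses a range query (k-anonymity) lookup, the design Have I Been Pwned's Pwned Passwords API uses. The client hashes the password locally, sends only the first five hex characters of the SHA-1 digest, gets back every suffix in that bucket, and does the match at home, so the server never learns which password (or which full hash) was being checked. The following is an added example written for this page, not code from the thread or from any browser vendor; which exact scheme Chrome or Firefox implements is not claimed here. `RangeServer`, `client_check` and the password list are all constructed for the example.

```python
import hashlib
from collections import Counter
from typing import Dict, List

# Length of the hash prefix the client reveals to the server (5 hex chars,
# as in the Pwned Passwords range API). Each prefix bucket covers many
# unrelated hashes, so the server cannot tell which one the client wanted.
PREFIX_LEN = 5

# Constructed sample of "breached" passwords, with duplicates to give counts.
# Made-up data for this example, not taken from any real breach.
SAMPLE_BREACHED: List[str] = [
    "password123", "password123", "letmein", "hunter2",
    "correcthorsebatterystaple", "qwerty", "qwerty", "qwerty",
]


def sha1_hex(text: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 text (the digest the range API uses)."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


class RangeServer:
    """Holds only hash suffixes plus counts, bucketed by prefix. It stores no
    plaintext and never receives a full hash from a client."""

    def __init__(self, breached: List[str]) -> None:
        self.buckets: Dict[str, Dict[str, int]] = {}
        for digest, count in Counter(sha1_hex(p) for p in breached).items():
            prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
            self.buckets.setdefault(prefix, {})[suffix] = count
        # Audit log of exactly what the server learns from each query.
        self.queries_seen: List[str] = []

    def range(self, prefix: str) -> List[str]:
        """Return every 'SUFFIX:COUNT' line in the requested prefix bucket."""
        prefix = prefix.upper()
        if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("prefix must be exactly %d hex characters" % PREFIX_LEN)
        self.queries_seen.append(prefix)
        return ["%s:%d" % (s, c) for s, c in sorted(self.buckets.get(prefix, {}).items())]


def client_check(server: RangeServer, password: str) -> int:
    """Client side: hash locally, send only the prefix, match the suffix at home.
    Returns how many times the password appeared in the corpus (0 = not found)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for line in server.range(prefix):
        got_suffix, count = line.split(":")
        if got_suffix == suffix:
            return int(count)
    return 0


def demo() -> Dict[str, int]:
    """Run a few lookups and confirm the server only ever saw 5-char prefixes."""
    server = RangeServer(SAMPLE_BREACHED)
    probes = ("password123", "qwerty", "not-in-the-set-9f3a")
    results = {pw: client_check(server, pw) for pw in probes}
    assert all(len(q) == PREFIX_LEN for q in server.queries_seen)
    return results


if __name__ == "__main__":
    print(demo())
```

The point for the thread's argument: a site built this way tells you whether your own secret is in the corpus without ever serving the corpus, and the server cannot enumerate who asked about what. A name lookup is a different animal, because names are not secrets; anyone can query any name, which is exactly the objection raised further up.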
The reality is that this city is wrong.
It’s beyond stupid and lazy
Then just be like, yeah, there's like 3 TB of data there, maybe it's class-action worthy, hint, hint.
Might there be any lawyers with opinions (& disclaimers, obviously) in the house?
should people be informed, thus enabled to respond, or should people be etiolated, and kept ignorant of even requiring a response.
etiolated: Def 2. literary. weakened; no longer at full strength. "Her voice was thinner than I recalled..."
the internet is not google, no amount of sand over the head or in the eyes will change that.
Columbus officials chose to invalidate a threat to public safety by way of misinformation, then retaliate when the threat and the true situation were revealed.
keeping people ignorant of threatscape is not good government.
thinking the 'darkweb' is some sort of containment by obscurity, is beyond naive.
the city of columbus is actually inhibiting a proper response and perpetuating a cavalier security stance.
this is not going unnoticed.
[1] ['This is a bigger issue here': Columbus resident wishes the city told residents about the data breach sooner]
https://www.10tv.com/article/news/local/columbus-woman-wishe...
[2] Second class-action lawsuit, representing police and firefighters, filed against city after cyberattack
https://www.10tv.com/article/news/local/second-class-action-...
[3] Ginther confirms personal information of Columbus residents exposed in cyberattack
https://www.10tv.com/article/news/local/ginther-press-confer...
"this is not going unnoticed." Oh thank god!
"the city of Columbus is actually inhibiting a proper response and perpetuating a cavalier security stance."
"On Aug. 13, Mayor Andrew Ginther said the data stolen by hackers was either corrupted or encrypted, meaning it was likely useless. Hours later, Goodwolf told 10TV that wasn't true and he showed what kind of personal information he was able to access"
"City officials announced they are providing free credit monitoring to Columbus and Franklin County Municipal Court Clerk employees and judges and have asked city employees to use different passwords for their accounts."
Elvis and common sense have left the building.
https://schneiderdowns.com/our-thoughts-on/city-of-columbus-...
I'm not sure how much data was exposed, but I've recently gotten a warning from Ticketmaster that my SSN (US social security number) was exposed. I absolutely did not provide that information, so it's either an outright lie, or there's a lot more sharing going on behind the scenes than the standard public is to believe.
I saw an article recently claiming that something like 80% of people under 30 access the dark web at least once a week. 80% of under-30s use Tor? Seems highly unlikely.