This story seems straightforward. A city is the victim of a ransomware attack. They repeatedly lie to the media about the severity of the breach. A security researcher repeatedly proves their statements to be lies. The city gets mad and sues the researcher.
Let’s hope the judge throws the case out, but—still—it will serve as a warning to others.
mark • September 4, 2024 10:36 AM
Interesting, and a city government CYA. I will note, however, the story has a major boo-boo: Columbus does not have a million more people than, say, Philadelphia. A 30 sec google says its population is just over 900k.
Clive Robinson • September 4, 2024 10:38 AM
I thought we had got beyond this misuse of the legal system back last century. But it appears to have resurfaced with politicians / legislators (Texas being just one case in point that has been covered before).
I guess as there will always be “idiots that are litigious”, especially when others are paying, the only way to stop them bringing frivolous cases, is to start striking lawyers off and even jailing them. As well as “Malfeasance in Public Office” for the idiots (misfeasance is the non criminal equivalent where you can get damages and hopefully bankrupt the idiot).
I’m not sure on the status of Anti-SLAPP in the US, but it’s something that needs to be made very strong legislation throughout… But as it’s legislators seeking to do this idiocy and they make the law…
As I’ve mentioned before the UK Government under “Mad Maggie” Thatcher tried to do it to me, and it was only due to deep suspicion and bl@@dy mindedness by me, and good advice by others, that it did not happen. Robert Schifreen and Steve Gold despite being warned by me and others, tried to be helpful and thus paid the price for others political machinations.
This misuse of the law for ICTsec related stuff appears to never stop just roll in and out like the waves and tide on a beach.
On a side note under UK law you are generally not allowed under “contempt of court” rules to talk about cases before they have reached a conclusion (sometimes not even then).
Which is why this other case,
https://www.bleepingcomputer.com/news/legal/admins-of-mfa-bypass-service-plead-guilty-to-fraud/
Has just hit the ICTsec news.
The lesson for everyone to take away from it is Telegram is not a “secure messaging app” and mostly does not do E2EE and very definitely not for more than a “two party communication” like a chat (the same is true for nearly all “Secure Messaging” especially those that “conference”).
Jordan Brown • September 4, 2024 11:37 AM
“Only individuals willing to navigate and interact with the criminal element on the
dark web, who also have the computer expertise and tools necessary to download data
from the dark web, would be able to do so.”
It’s OK. Only bad people would be willing to access the data.
scot • September 4, 2024 11:41 AM
E pur si muove.
Matt • September 4, 2024 2:58 PM
A little googling about the “security researcher” led to the fact that he has a pretty sketchy history (such as an alleged arrest for carrying a gun into an airport), and potentially grooming a teen for a “relationship…” I think despite the seemingly harsh nature of the Ohio suit, if the “researcher’s” personal life gets mentioned in the court the case may stand, because of his alleged past criminal history…
Sources:
[1] https://en.wikifur.com/wiki/Connor_Goodwolf
[2] https://kiwifarms.st/threads/connor-goodwolf-david-leroy-ross-jr-insane-kangaroo-cgoodwolf.35981/
Sean • September 4, 2024 3:04 PM
So what this Mayor is saying is that only criminals can use this information, and that all the information is out there, in the hands of criminals, and the townspeople can do nothing about it at all, because the city will sue them for being told that the information is out there, and also that the city will not compensate them for this either.
Wonder just how many criminals are out there at the moment taking this information, which surely includes all the details of all the city council, and is busy making false bank accounts in their name, and also buying property while claiming to be the city, and buying online with the city cards and accounts as well.
Roc • September 4, 2024 6:47 PM
Don’t see what legal grounds the city has to sue the researcher, his ego and abrasive personality aside.
rontea • September 5, 2024 11:24 AM
Definitely a case of silencing the researcher. Goodwolf should be celebrated as a whistleblower instead. I think it would look better for the city.
ResearcherZero • September 6, 2024 3:18 AM
The researcher used “special tools”. A web browser and eyeballs. Deployed vision.
C U Anon • September 6, 2024 9:05 PM
As someone has linked to Kiwifarms above others might not realise it for what it is.
The penultimate post Prof Ross Anderson of both Cambridge and Edinburgh Universities made to the lightbluetouchpaper.org blog was about the hate site Kiwifarms,
https://www.lightbluetouchpaper.org/2023/11/09/how-hate-sites-evade-the-censor/
JTC • September 15, 2024 6:05 PM
The problem with this kind of lawsuit is the City of Columbus has a lot more essentially free legal power and the security guy has very little. Once upon a time, governments actually served the people. Now they are the power and if they lie, they do not like being called out on it. Of course, the solution is to tell the citizens the truth. Why is this so hard?
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
John Faber • September 4, 2024 9:08 AM
It’s my opinion that both parties – the city of Columbus and Goodwolf – erred here. False statements about the data and its impact were made by the city of Columbus, and Goodwolf disseminated that data on a more publicly trafficked network.