Police blotter: Google searches nab wireless hacker

In this week's installment, a wireless provider's disgruntled ex-employee finds his Google searches used against him.

Declan McCullagh Former Senior Writer
"Police blotter" is a weekly News.com report on the intersection of technology and the law.

What: Wireless hacker pleads guilty when his Google searches are used as evidence against him.

When: 7th Circuit Court of Appeals rules on October 27.

Outcome: Prison sentence of 15 months upheld.

What happened, according to court documents:
Matthew Schuster began work as a computer technician for Alpha Computer Services in Wausau, Wisc., in 2000. Schuster provided technical support for a wireless Internet system called CWWIS and also was a paying subscriber to CWWIS for his home.

Schuster was fired in May 2003. His home CWWIS account was terminated and the balance of his monthly payment refunded. But he continued to use CWWIS by using "access information" belonging to Alpha customers such as the Central Wisconsin Convention and Visitors Bureau--and, according to the FBI, he intentionally disrupted CWWIS as well.

An article written by a consultant hired by the FBI gives additional details: CWWIS authenticated customers by MAC address (a unique 48-bit number), and Schuster copied other customers' MAC addresses.

Alpha claimed that Schuster's unauthorized use interfered with legitimate customers and blamed him for some denial-of-service attacks against them that summer. In October 2003, police armed with a search warrant showed up and seized his computer (PDF). Schuster was charged with a violation of 18 USC 1030, which prohibits accessing a networked computer "without authorization" and recklessly causing damage.

Schuster pleaded guilty and was sentenced to 15 months in prison, $19,060 in restitution and three years of supervised release. He appealed to the 7th Circuit on grounds that Alpha's claimed loss was overly high (which, if true, would yield a shorter prison stay). The 7th Circuit rejected his appeal.

What makes this case relevant to "Police blotter" is that Schuster's own Google searches were used against him.

Court documents say that Schuster ran a Google search over CWWIS' network using the following search terms: "how to broadcast interference over wifi 2.4 GHZ," "interference over wifi 2.4 Ghz," "wireless networks 2.4 interference," and "make device interfere wireless network."

Court documents are ambiguous and don't reveal how the FBI discovered his search terms. That could have happened in one of three ways: an analysis of his browser's history and cache; an Alpha employee monitoring the company's wireless connection; or a subpoena to Google from the police for search terms tied to his Internet address or cookie.

Google has confirmed that it can provide search terms if given an Internet address or Web cookie, but has steadfastly refused to say how often such requests arrive. (Microsoft, on the other hand, told us that it has never received such queries for MSN Search, and AOL says it could not provide the information if asked.)

This isn't the first time that Google search terms popped up in a criminal case: Last year, prosecutors in a North Carolina murder case introduced as evidence phrases culled from a seized hard drive. The defendant was found guilty in part because he searched for the words "neck," "snap," "break" and "hold" before his wife was killed.

Google's fight with the Justice Department over a subpoena highlighted how sensitive search terms can be, and AOL's disclosure in August reinforced this point. (Advice to "Police Blotter" readers: Consider configuring your browser to refuse cookies from search engines.)

Excerpts from 7th Circuit's opinion (PDF):
At the sentencing hearing, the district court heard testimony from two witnesses: Curt Brodjieski, who testified on behalf of Alpha and CWWIS, and Robert Fischer, who testified on behalf of T.D. Fischer. Both witnesses testified regarding the existence of technologically unexplainable problems with CWWIS' Internet service and T.D. Fischer Group's Internet connection. They testified that these problems were consistent with Schuster's use of T.D. Fischer's Internet access information. These problems arose before September 30, 2003, and ended once Schuster's equipment was removed from his home in connection with the search warrant. Such evidence was sufficient to raise the reasonable inference that Schuster had caused the inexplicable problems before October 1, 2003.

The inference that Schuster caused the pre-October 1, 2003, problems is supported further by the existence of "denial-of-service attacks" against CWWIS' customers throughout the summer. The PSR reported that Brodjieski had received a customer complaint on October 3, 2003, that the customer's Web site was down. Brodjieski investigated the computer that hosted that company's Web site. He discovered that the computer was under a "denial-of-service attack," which, in this instance, had occurred because the computer was overwhelmed with information or requests and could not keep up with the demand. Brodjieski had encountered similar denial-of-service attacks during the summer. Aware that Schuster was connected to CWWIS' network, Brodjieski terminated Schuster's connection and saw that the denial-of-service attack had ended.

Schuster argues, however, that the district court's finding that he was responsible for problems occurring before October 1, 2003, was contrary to the evidence. He asserts that from the day he was fired until September 30, 2003, he used CWWIS' Internet service like any other customer by using the same "MAC address" and "IP address" that CWWIS had given him as a paying customer. In support of this assertion, Schuster points to Brodjieski's testimony at the sentencing hearing that Schuster had continued to use the same MAC address that he had been assigned previously by CWWIS before CWWIS terminated his access to the service on September 30, 2003. Brodjieski's testimony, however, is not evidence that Schuster only used the MAC address that CWWIS had assigned him. Moreover, this testimony fails to substantiate Schuster's claim that he used the same IP address.