Wednesday, February 28, 2007

The Problem With Planting Spyware

(Updated 3/2/07)

The potentially troubling legal issues facing Overstock.com and Judd Bagley, its director of social media, are illustrated by a case that received some attention today involving MySpace.

According to a Newsday article on the subject,
Shaun Harrison, 19, of Ronkonkoma, and Saverio Mondelli, 20, of Oakdale, were given three years' probation for illegal computer access. Each had faced up to nearly 4 years in prison.

Harrison and Mondelli . . were offering a means to acquire e-mail addresses and Internet protocol addresses of users, prosecution said.
Another article adds further detail:

The popular MySpace social-networking site — where people create elaborate profiles and personalize them with photos, music and video — is supposed to offer anonymity to visitors who browse the pages.

But Harrison and Mondelli's program collected e-mail addresses and Internet Protocol addresses, prosecutors said. Such information could have been used by stalkers trying to locate MySpace users, said Deputy District Attorney Jeffrey A. McGrath.

Hmmm... does this sound familiar? As in, for instance, all the instances of spyware-planting uncovered by Internet sleuth "ScipioAfricanus" (see his blog here and items in my blog tagged "spyware").

And then we have this boast by Bagley on the Investor Village message board:

"The cool thing I figured out was using ActiveMeter on remote sites. Maybe its been done before (In fact, I'm sure it must have) but this iteration was developed independently by me and you have no idea the insights it has yielded."
Guess it was done before.

As recently as five days ago, Bagley pointed the finger at himself yet again, bragging about "IV traffic data gathered by those who did the gathering" -- an obvious reference to purloining IP addresses from people reading posts on InvestorVillage. That kind of data is legitimately gathered by people running websites, whether it be IV or MySpace, but not by third parties like Bagley or those two MySpace users. (IV, typically, did nothing in response to this latest outrage.)

Sure, slipping codes into message board posts to gather data on puters comes in handy when you're running a smear campaign -- you use 'em to spin fairy tales, as Bagley did for Overstock.com's antisocialmedia.net corporate smear site. But there's a wee problem -- it's called the "penal code," at least in California.

Here's the press release that was issued when the two MySpace guys were arrested last year. Note in particular the reference to Sections 502(c) (1) and 502(c) (2) of the California Penal Code.

Section 502 (c) (2) says it's a crime when someone:

Knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network.
Prosecutors in Los Angeles applied that statute to a couple of guys harvesting IPs and email addresses from MySpace users. Most states have similar laws. The New York anti-hacker law is here -- note the "computer trespass" section.

Will regulators and law enforcement apply the anti-hacking statutes against Bagley? Beats me. I wonder if it beats Bagley too. I'll bet that this issue has the potential to beat him, and his employer, pretty badly.

* * *

UPDATE: Bagley reacted to the above post and others in O-Smear in typical "strategic messaging" fashion, posting a crude frameup attempt on Overstock's antisocialmedia.net corporate smear site.

Bagley or a confederate created spyware and inserted it in a post in the Investor Village Apple message board, and then Bagley claimed on antisocialmedia.net that it was from me. The O-Smear blog has a good analysis of this latest Overstock fabrication, suitably titled "O-Frame O-Lame."

The smear, which was posted at http://antisocialmedia.net/?p=74, was so far-fetched that even the tinfoil hat crowd found it hard to swallow, and it was taken down after a few hours. But I preserved it for posterity, needless to say.

This latest idiocy demonstrates the extent to which Bagley, Patrick Byrne, and their accomplices in the cyberstalking endeavor are in very deep trouble. Since Byrne usually trots out crackpot diversions before announcing bad news, to maintain unity among his "followers," it makes me wonder: could the 10-K possibly be that bad?

© 2007 Gary Weiss. All rights reserved.

Digg this!


-----------

Wall Street Versus America was published by Penguin USA on April 6.
Click here for its Amazon.com listing and here for more information on the book, from my web site.

Labels: , , , , , ,