December 20, 2006 4:00 AM PST
Police blotter: Google searches nab wireless hacker
What: Wireless hacker pleads guilty when his Google searches are used as evidence against him.
When: 7th Circuit Court of Appeals rules on October 27.
Outcome: Prison sentence of 15 months upheld.
What happened, according to court documents:
Matthew Schuster began work as a computer technician for Alpha Computer Services in Wausau, Wisc., in 2000. Schuster provided technical support for a wireless Internet system called CWWIS and also was a paying subscriber to CWWIS for his home.
Schuster was fired in May 2003. His home CWWIS account was terminated and the balance of his monthly payment refunded. But he continued to use CWWIS by using "access information" belonging to Alpha customers such as the Central Wisconsin Convention and Visitors Bureau--and, according to the FBI, he intentionally disrupted CWWIS as well.
Alpha claimed that Schuster's unauthorized use interfered with legitimate customers and blamed him for some denial-of-service attacks against them that summer. In October 2003, police armed with a search warrant showed up and seized his computer (PDF). Schuster was charged with a violation of 18 USC 1030, which prohibits accessing a networked computer "without authorization" and recklessly causing damage.
Schuster pleaded guilty and was sentenced to 15 months in prison, $19,060 in restitution and three years of supervised release. He appealed to the 7th Circuit on grounds that Alpha's claimed loss was overly high (which, if true, would yield a shorter prison stay). The 7th Circuit rejected his appeal.
What makes this case relevant to "Police blotter" is that Schuster's own Google searches were used against him.
Court documents say that Schuster ran a Google search over CWWIS' network using the following search terms: "how to broadcast interference over wifi 2.4 GHZ," "interference over wifi 2.4 Ghz," "wireless networks 2.4 interference," and "make device interfere wireless network."
Court documents are ambiguous and don't reveal how the FBI discovered his search terms. That could have happened in one of three ways: an analysis of his browser's history and cache; an Alpha employee monitoring the company's wireless connection; or a subpoena to Google from the police for search terms tied to his Internet address or cookie.
Google has confirmed that it can provide search terms if given an Internet address or Web cookie, but has steadfastly refused to say how often such requests arrive. (Microsoft, on the other hand, told us that it has never received such queries for MSN Search, and AOL says it could not provide the information if asked.)
This isn't the first time that Google search terms popped up in a criminal case: Last year, prosecutors in a North Carolina murder case introduced as evidence phrases culled from a seized hard drive. The defendant was found guilty in part because he searched for the words "neck," "snap," "break" and "hold" before his wife was killed.
Excerpts from the 7th Circuit's opinion (PDF):
At the sentencing hearing, the district court heard testimony from two witnesses: Curt Brodjieski, who testified on behalf of Alpha and CWWIS, and Robert Fischer, who testified on behalf of T.D. Fischer. Both witnesses testified regarding the existence of technologically unexplainable problems with CWWIS' Internet service and T.D. Fischer Group's Internet connection. They testified that these problems were consistent with Schuster's use of T.D. Fischer's Internet access information. These problems arose before September 30, 2003, and ended once Schuster's equipment was removed from his home in connection with the search warrant. Such evidence was sufficient to raise the reasonable inference that Schuster had caused the inexplicable problems before October 1, 2003.
The inference that Schuster caused the pre-October 1, 2003, problems is supported further by the existence of "denial-of-service attacks" against CWWIS' customers throughout the summer. The PSR reported that Brodjieski had received a customer complaint on October 3, 2003, that the customer's Web site was down. Brodjieski investigated the computer that hosted that company's Web site. He discovered that the computer was under a "denial-of-service attack," which, in this instance, had occurred because the computer was overwhelmed with information or requests and could not keep up with the demand. Brodjieski had encountered similar denial-of-service attacks during the summer. Aware that Schuster was connected to CWWIS' network, Brodjieski terminated Schuster's connection and saw that the denial-of-service attack had ended.
Schuster argues, however, that the district court's finding that he was responsible for problems occurring before October 1, 2003, was contrary to the evidence. He asserts that from the day he was fired until September 30, 2003, he used CWWIS' Internet service like any other customer by using the same "MAC address" and "IP address" that CWWIS had given him as a paying customer. In support of this assertion, Schuster points to Brodjieski's testimony at the sentencing hearing that Schuster had continued to use the same MAC address that he had been assigned previously by CWWIS before CWWIS terminated his access to the service on September 30, 2003. Brodjieski's testimony, however, is not evidence that Schuster only used the MAC address that CWWIS had assigned him. Moreover, this testimony fails to substantiate Schuster's claim that he used the same IP address.