Chris Roberts, the security researcher who tweeted from a plane about hacking a plane by using the on-board Wi-Fi, had his digital devices seized by the FBI in April. The EFF said the FBI has now returned all his devices – numerous thumb drives and hard drives, a MacBook Pro and iPad. Although April to November would be a long time to wait for your electronics to be returned, an eight-month wait is shorter than a year that security researcher and system admin Christian Haschek had to wait.
Haschek, founder of Haschek Solutions, says he is a “tech geek from Austin, Texas, living in Vienna, Austria.” He recently related a cautionary tale about the dangers of clicking on a link sent from someone you don’t know.
When LulzSec was busy hacking high-profile targets, many curious people hopped on IRC channels to find out the latest buzz. Being a security researcher, Haschek said he was interested in the topic and joined one of the official LulzSec servers. At one point, he chatted briefly with a “script kiddie.” Hours later the skiddie sent Haschek a link, via IRC private message, along with the text “lol, check this out.”
The link, according to Haschek, went to a real domain but was similar to “http://political-party-website/stuff.” Although he usually doesn’t click on links, he didn’t believe it looked “suspicious at all since it was the real domain.”
After clicking, Haschek discovered the ‘stuff’ folder “had directory listing enabled so you could see all files in that folder from your browser.” He clicked a few things before shutting down his PC for the night, but believed it was “just some directory where the admin put files up that were linked somewhere on the page.”
In the morning, the first thing he saw on the news was that the political website he had visited the night before had been hacked; “usernames, emails and hashed passwords were published on Pastebin.” He most likely had an unpleasant blast of adrenaline since he was on the site around the time it was hacked and he had used neither a VPN nor a proxy because he “only wanted to talk on IRC.”
As time passes, so would a person’s paranoia…until four months later when Haschek entered his home and was greeted by seven strangers – police, counterterrorism agents and a prosecutor. They had a search warrant and claimed to have evidence that he “hacked the website of a political party.”
They thought that I was the script kiddie and that my VPN failed for a moment and that's why they saw my public IP address.
Law enforcement asked for his password and if he had any encrypted data on his PC. Haschek explained what happened and a counterterrorism agent took his statement. He was told that the police “had no intention in jailing” him – since they had been surveilling his phone calls and movements “for weeks.” They didn’t think he was a “big fish,” but thought “they might find the real bad people through” him. He wrote, “Little did they know that I was just some dude who clicked a link he shouldn’t have clicked.”
Cops seized everything, kept all for a year
So what did law enforcement seize? “Everything” electronic, Haschek said.
They took all my computers, spare hard drives, USB drives and laptops – all my equipment. They were sighing when they saw how many computers and hard drives I owned since they said they had to look through every one of them, look at all images, skip through all videos and had to document everything.
The cops said it would take about a year before he would get his stuff back and that’s about how long it did take. After his devices were returned, Haschek found an image on one thumb drive – perhaps of the script kiddie – that the federal agency must have put there by accident.
A year and a half after I clicked the link, the case was dropped because no evidence pointed at me and what I did (clicking a link) was not illegal.
At least it’s not illegal yet, although the powers-that-be have proposed revisions of the Computer Fraud and Abuse Act (CFAA) that could make “innocent” behaviors – like sharing your Netflix password with family or clicking on a link that leads to unauthorized content – into felonies.
The moral of a Haschek’s story…“Don't click on links from random people on the Internet!” Other takeaways from his tale might include encrypt everything and use a VPN.
You can read his full accounting of “That (not so) awesome time the police raided my home.”