Free Republic

Man indicted in alleged hacking of county's system
Houston Chronicle ^ | ROSANNA RUIZ

Posted on 07/30/2002 6:18:24 PM PDT by DMDTX

By ROSANNA RUIZ

Copyright 2002 Houston Chronicle

A Houston man who once showed a Harris County official how easy it was for an outsider to access a county computer system was accused by a federal grand jury Wednesday of doing just that.

Stefan Puffer, 33, was indicted on two counts of fraud for allegedly hacking into the county district clerk's wireless computer system that has been taken out of operation because of its vulnerability.

Puffer is accused of accessing the system March 8, costing the county $5,000 to clean up after the alleged breach.

Puffer, a computer security analyst who worked briefly for the county's technology department in 1999, could get five years in prison and a $250,000 fine on each count if he's convicted. Puffer declined to comment Wednesday and referred questions to his attorney, who was not available.

District Clerk Charles Bacarisse said no files were compromised, but the county had to shut down the wireless system about a month after it was set up.

The county, he said, had intended to use the wireless service to connect personal computers used by court clerks at the Civil Courts Building, 301 Fannin, to their network. The old courthouse can no longer sustain more computer lines, he said.

"I'm hopeful we can determine an appropriate way to secure that system well enough to use wireless service," Bacarisse said.

On March 18, Puffer showed a county official and a Chronicle reporter how he was able to use his laptop computer and a $60 to $75 wireless card to tap into the clerk's system.

In a Chronicle article about the demonstration, Puffer said he noticed he could access the county network in early March, when he scanned for weaknesses throughout Houston.

He said he could also access numerous home, government, university and business computer systems.

The article quoted Bacarisse as saying his staff was alerted when someone tried to access the system March 8. He also characterized Puffer's demonstration as a "low-level intrusion" that did no permanent damage.

As for Puffer's March 18 demonstration, Bacarisse said Wednesday, "Normally you secure a contract with an entity before you hack into a system, if that's what you're saying your expertise is."

County Attorney Mike Stafford said he will resume his investigation into whether the security breach was corrected as promptly as county officials learned of it and the origin of a pornographic picture found on the clerk's office server in March.


TOPICS: Government; Miscellaneous; News/Current Events; US: Texas
KEYWORDS: hacking; harris; houston; network; security; wireless

The man is being indicted for showing the county that their system was unsecured and could be hacked easily.

He is being charged because it is costing the county $5,000 to "clean up" the system so that it isn't vulnerable to this.

Would the county have preferred that he didn't tell anybody and let someone drive up with their laptop and wireless card, do damage, and drive off?

1 posted on 07/30/2002 6:18:25 PM PDT by DMDTX

To: DMDTX
The man is being indicted for showing the county that their system was unsecured and could be hacked easily.

Well, essentially, I guess. He is probably being prosecuted for unauthorized access. That is something he should be aware of. It’s sort of like breaking into your neighbor’s home and claiming that you were demonstrating his lack of security for failing to keep you out. At 33, this does not look good on a resume.

He is being charged because it is costing the county $5,000 to "clean up" the system so that it isn't vulnerable to this.

And that is another problem. If you do something illegal (like this) and then try to “encourage” them not to charge you or you will make that information public, you look like you are extorting something. You may be, you may not be, but it looks bad. And “they” can tie you in knots for doing so.

Would the county have preferred that he didn't tell anybody and let someone drive up with their laptop and wireless card, do damage, and drive off?

They would have preferred that he not commit an illegal act. We can all do that. If we all do, the county will be broke in about a week. The county does not make a cent from what I’ve seen. They tax their revenue away from me (mostly). I’d prefer that he approach them with a proposal in hand to secure whatever system they have. I think he went about it in the wrong manner.

I’d bet that the people involved knew of the potential shortcomings of their system. He broke the law (as I understand it) in accessing it. Pretty cut-and-dried. Again, this does not look good on a resume. I would not suggest it…

2 posted on 07/30/2002 6:42:24 PM PDT by thatsnotnice

To: DMDTX
The county, he said, had intended to use the wireless service to connect personal computers used by court clerks at the Civil Courts Building, 301 Fannin, to their network. The old courthouse can no longer sustain more computer lines, he said.

Whoever put up an insecure wireless network on a network of that importance should be guilty of criminal negligence. All in all, this guy did a service to the taxpayers by eventually getting it shut down.

3 posted on 07/30/2002 7:02:13 PM PDT by sigSEGV

To: thatsnotnice
Yeah it's the same old crap. The emperor has no clothes.

A couple years ago, a local guy dared to criticize the state's voter registration system - said it was vulnerable to fraud, but our local elections chief publicly pooh-poohed the guy - essentially said that he was all wet.

Subsequently, he marched his two pet dogs to the county courthouse, along with their voter registration cards. He is now a convicted felon (and get this - barred forever from speaking ill of the state), and nothing in our voter registration system has changed.

This is the same sort of thing. I think if a person can document that there's been a legitimate attempt to petition for redress of grievance, as is our right, and an actual injured party can not be named, it ought to be an affirmative defense.

The statists here may disagree, but those guys are not crooks in my book.

Dave in Eugene
4 posted on 07/30/2002 7:23:58 PM PDT by Clinging Bitterly

To: thatsnotnice
They would have preferred that he not commit an illegal act. We can all do that. If we all do, the county will be broke in about a week. The county does not make a cent from what I’ve seen. They tax their revenue away from me (mostly). I’d prefer that he approach them with a proposal in hand to secure whatever system they have. I think he went about it in the wrong manner.

So, the right thing would have been for the county to operate a very insecure wireless network, allowing anyone with a wireless card to get access to their network, and perhaps costing many thousands, or more, in damage? Also, the last time I checked, the 802.11b band is allowed to be accessed by anyone (i.e. it is not reserved for anyone in particular). The county does not have exclusive license for these frequencies.
5 posted on 07/30/2002 7:33:10 PM PDT by DMDTX
