back to article Fox News 'hacker' turns out to be journalist whose lawyers say was doing his job

A Florida journalist has been arrested and charged with breaking into protected computer systems in a case his lawyers say was less "hacking," more "good investigative journalism."  Tim Burke was arrested on Thursday and charged with one count of conspiracy, six counts of accessing a protected computer without authorization, …

  1. cyberdemon Silver badge
    WTF?

    and then altered recordings to mask their origin,

    Er, what?

    How can anyone claim that this is "legitimate investigative journalism"? What exactly did he change, and why?

    1. I ain't Spartacus Gold badge

      Re: and then altered recordings to mask their origin,

      What exactly did he change, and why?

      He may just have done something as simple as removed Fox's logo from the footage?

      1. cyberdemon Silver badge

        Re: and then altered recordings to mask their origin,

        Yeah, you are probably right. I had misread it as if he changed something at the remote end, but apparently all he did was download a video from a webserver. Probably all the videos on their site had a sequential ID, or something.

        Still a bit daft of him to edit them before reposting though. If he had simply posted the videos as-found from a publicly accessible URL, then he would have a good defence.

        1. This post has been deleted by its author

    2. Blazde Silver badge

      Re: and then altered recordings to mask their origin,

      It was further part of the conspiracy that, prior to distributing some of the intercepted contents, BURKE took steps to conceal that the intercepted contents had been originally retrieved from the StreamCo- Net by, among other conduct, altering the appearance and metadata of the wire, oral, and/or electronic video communications by re-recording the intercepted communications onto a secondary device and distributing said altered versions of the video communications, rather than the original intercepted contents;

      ( https://storage.courtlistener.com/recap/gov.uscourts.flmd.424438/gov.uscourts.flmd.424438.1.0_2.pdf )

      There appears to be no reference to evidence of intention here. Re-encoding could be done for many reasons.

      It may not matter too much. The indictment has twitter exchanges of them using stolen credentials to access a passworded FTP. If that sticks (his defence is that he believed the credentials were public and the owner invited others to use them) then whether the obscure URIs they got from there which linked to the video (which may or may not have been 'obfuscated with intent') constitute a separate hack is a legal curiosity and a probably quite minor sentencing issue in practice?

      As an aside, I'm always a bit alarmed the way these sort of cases stack up the counts (14 counts: conspiracy, 6 of accessing, 7 of interception). To the layman this is just 2 guys engaging in ONE casual hack. It's a bit like you rob a convenience store cash register and the Feds are like: 45 counts of aggravated theft of a dime, 24 counts of aggravated theft of a quarter, 6 counts aggravated theft of a 20 dollar note, etc..

      I guess we're just missing some smart ass pointing out these 14 counts are potentially 250 years in prison, or whatever.

      1. Ben Tasker

        Re: and then altered recordings to mask their origin,

        > As an aside, I'm always a bit alarmed the way these sort of cases stack up the counts (14 counts: conspiracy, 6 of accessing, 7 of interception).

        > ..

        > I guess we're just missing some smart ass pointing out these 14 counts are potentially 250 years in prison, or whatever.

        It's basically just intimidation isn't it?

        Found an interesting piece on it (which is why I'm actually commenting) which includes some crazy examples:

        > In the 1800s, some defendants failed to keep the town’s streets clean, so officials charged them three or four times, once for each street.

        > Although not entirely a “street” offense, a goat farmer who accidentally let his goats trespass faced 170 misdemeanors — one for each goat — and up to sixty years in prison. His case, though, hailed not from the nineteenth century, but from 2004.

        1. Blazde Silver badge

          Re: and then altered recordings to mask their origin,

          Sounds worse than I thought. My assertion that what constitutes a hack in this case might be a 'minor issue' was probably too optimistically based on UK courts where the stacking issue tends to be finessed quite well at sentencing. Good luck to Tim Burke then (also Conspirator 2 if they haven't already struck a bargain).

      2. jdiebdhidbsusbvwbsidnsoskebid Silver badge

        Re: and then altered recordings to mask their origin,

        "It's a bit like you rob a convenience store cash register and the Feds are like: 45 counts of aggravated theft of a dime, 24 counts of aggravated theft of a quarter, 6 counts aggravated theft of a 20 dollar note, etc."

        Years ago, there was a case in the UK of a driver getting caught speeding on a motorway by multiple cameras, and received multiple fines. In court his defence was that he didn't drop below the speed limit between the cameras so therefore only one offence was committed. It worked.

  2. Ben Tasker

    Temporary Waiver

    > Wallbox was granted a temporary waiver to continue selling the products until June, at which time the devices will be taken off the market because Wallbox "cannot implement the Cybersecurity requirements in full on this product because of a hardware and operating system limitation," the company told [PDF] the OPSS

    This makes no sense... they seem to be saying that it's not possible to update the product to comply with requirements - and yet they'll be allowed to continue selling them for a few more months?

    Surely that means that some poor sod is going to get sold a charger that's got known, unfixable security issues (and then be told, shortly after, that it's EOL and won't be fixed). Unless there's something that's not beenn mentioned, granting a waiver seems like a terrible idea in this case

    1. Evil Scot Bronze badge

      Re: Temporary Waiver

      Since there is an App to track charging there is a Cloud to control it and each box is uniquely identifiable to the loud services. How can you turn ALL on at once?

      1. Doctor Syntax Silver badge

        Re: Temporary Waiver

        "How can you turn ALL on at once?"

        From the server.

        1. cyberdemon Silver badge
          Devil

          Re: Temporary Waiver

          If it was -just- the server, then this could be fixed, by fixing the server.

          But if it's a lack of security in the protocol, then one could simply hijack a DNS record and point all the wallboxes to a new server, which says IF gridfrequency < 50 then ON, else OFF

          1. Ben Tasker

            Re: Temporary Waiver

            That would be my guess too: I've seen IoT stuff in the past where the hardware simply doesn't have the oomph to do TLS.

      2. Pete Sdev Bronze badge

        Re: Temporary Waiver

        Depends on how naive it's been implemented.

        If, for example, it's listening for a UDP packet containing the text TURN ON without any authorisation checking, you could send such a packet to every IP assigned to the UK in a couple of minutes.

        If controlled by a simple Web API, similarly so.

        If its polling the server for a command everycouple of minutes, DNS poisoning or take over to point to your server that always answers "Turn On" regardless who's asking.

    2. Lurko

      Re: Temporary Waiver

      Surely that means that some poor sod is going to get sold a charger that's got known, unfixable security issues (and then be told, shortly after, that it's EOL and won't be fixed). Unless there's something that's not beenn mentioned, granting a waiver seems like a terrible idea in this case

      No - your concerns would be valid if what the article says was all of the context, but there's a bit more here. The non-compliant Wallbox Plus charger hasn't been sold new since 30 December 2022 when the security requirement of the UK's 2021 EV Charging Regulations came into force. This undertaking (which I think dates back to July 2023 anyway) allows Wallbox to replace with new any failed Wallbox Plus chargers under warranty up until the end of June of this year. In terms of the risks of that approach, the non-compliant chargers are already out there because their design pre-dates the UK charging point regulations. If there's warranty claims or repairs after June of this year, then Wallbox either need to try and agree another enforcement undertaking with OPSS, replace the faulty charger with a compliant product (eg their own Wallbox Max which I believe is compliant), or repair it without replacement. Either way the risk to owners, users or the grid is negligible because the numbers will be so small, and I'd guess the chances of a manufacturer wanting to do outright replacement with new on products over 18 months old is negligible anyway.

      https://assets.publishing.service.gov.uk/media/64b69f2071749c000d89edc9/evscp-undertaking-wallbox-03.pdf

      A correct headline would be "Manufacturer complies fully with UK changes in law; Regulator agrees pragmatism for warranty on older products".

      Or maybe "In the year before last's news, EV chargers pulled from UK shelves end 2022 for not meeting new cybersecurity requirements" But those wouldn't get you clicking on the article and commenting here.

      1. Ben Tasker

        Re: Temporary Waiver

        > The non-compliant Wallbox Plus charger hasn't been sold new since 30 December 2022 .... This undertaking allows Wallbox to replace with new any failed Wallbox Plus chargers under warranty up until the end of June of this year

        Ahh, that makes *much* more sense, thanks!

  3. Evil Scot Bronze badge
    Facepalm

    How can firmware enable all units to start together?

    Surely that is a cloud service.

    The Scot in my handle means I would wait 12 hours for charging to start for1/4 cost of other times.

    1. Anonymous Coward
      Anonymous Coward

      Re: How can firmware enable all units to start together?

      I doubt that the problem is the control system and the grid - a far more likely failing is regulations 2 or 3 of Schedule 1 of the regs (link below), and I'm guessing it is something like a default password or secure updating. Think about all the Internet of Tat stuff that comes with passwords like Admin, or password. And if that's baked into the firmware of each unit, then it's problematic and expensive to change, with the result the makers won't do it.

      https://www.legislation.gov.uk/uksi/2021/1467/schedule/1/made

      I could of course ask the people in the office exactly what the issue was, but no, I'm not doing that.

  4. cyberdemon Silver badge
    Devil

    Wallbox

    https://wallbox.com/en_uk/wallbox-copper

    Looks pretty new for an "end-of-life" 22kW charger ...

    Makes me wonder what the "cybersecurity requirements" that they are unable to meet are.. Unsecured bootloader allowing unsigned firmware updates, perhaps? Or no support for encryption in the underlying protocol for their "remote operation"?

    Also, I find it quite amusing that listed under "discontinued products", is "Ethics Channel"

    https://support.wallbox.com/en/ethics-channel/

    1. Doctor Syntax Silver badge

      Re: Wallbox

      Seeing that it's "controlled" with a smart phone it probably means it's actually controlled with a server which isn't secured.

      1. cyberdemon Silver badge
        Devil

        Re: Wallbox

        If that is so, does it mean that customers' existing units will stop working soon?

        "Alexa, open my wallbox" ... "Sorry Dave, but this service has been discontinued. You can purchase a new cloud-device from Amazon! Would you like me to add it to your basket?"

        Popcorn icon needed.

        1. Anonymous Coward
          Anonymous Coward

          Re: Wallbox

          "If that is so, does it mean that customers' existing units will stop working soon?"

          Shouldn't stop charging, all that's been stopped is the new sale of non-compliant products. It's like the vast majority of changes to mandatory standards - they don't have to be applied to existing setups unless you renew the system. Same is true for building and electrical regs.

    2. Andy The Hat Silver badge

      Re: Wallbox

      "could potentially be exploited to turn them all on at the same time, causing a sudden drain on the power grid."

      This would only be an issue if vehicles were plugged in and actually required charging (otherwise there would be no load). Heaven forbid that owners would actually need to go to work in the morning ...

      To be honest, if the grid is that susceptible to load variation I'd not be looking at the chargers but the National Grid resilience plans.

      1. cyberdemon Silver badge
        Facepalm

        Re: Wallbox

        > I'd not be looking at the chargers but the National Grid resilience plans.

        NG resilience plans: Rely on demand-side response i.e. smart chargers and smart meters, to turn off or on loads when needed. Power stations? Nah, we'll keep closing them

      2. katrinab Silver badge
        Meh

        Re: Wallbox

        As I understand it, you plug in your car as soon as you get home, but it doesn't necessarily start charging straight away,

        But you can press a button to tell it you really need your car recharged as soon as possible, and then it will start charging straight away; but you will probably pay a higher per kWh price for the electricity if you do that.

  5. Doctor Syntax Silver badge

    I suppose the test for hacking Fox has to be would they have done it to someone else and called it journalism?

    1. jake Silver badge

      "I suppose the test for hacking Fox has to be how many times have they have done it to someone else and called it journalism?"

      FTFY

  6. Jedit Silver badge
    Devil

    "Rabby, a cryptocurency wallet..."

    "... that's still undergoing App Store approval, had an impersonator make it into the App Store, with subsequent reports by a number of people who reported having their accounts emptied after installing the fake app."

    A spokesman for Rabby added "Have these people no shame? Scamming people is our job!"

  7. Blackjack Silver badge

    Ehem:

    https://web3isgoinggreat.com/

    Seems digital tulips are idiot magnets.

    1. Michael Wojcik Silver badge

      I check every morning to see what Molly has posted. It's one of the highlights of my morning routine.

    2. ecofeco Silver badge
      Pint

      How have I missed this?

      Thanks Interent stranger!

  8. Jules R

    Wall box

    Interesting that the US is so far behind in cyber security laws.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like