by Mike Masnick
Mon, Feb 10th 2014 3:38am
by Mike Masnick
Wed, Feb 5th 2014 12:06pm
from the doesn't-seem-right dept
Chris Weatherhead was sentenced to 18 months in prison for participating in a DDoS against Paypal, Mastercard and Visa (one of the first big Anonymous DDoS attacks, in response to those 3 companies cutting off payments to Wikileaks). Now he's pointing out that GCHQ was DDoSing his own servers, and he wonders how that's right:
My Government used a DDoS attack against servers I owned, and then convicted me of conducted DDoS attacks. Seriously what the fucking fuck?— Chris Weatherhead (@CJFWeatherhead) February 5, 2014
I plead guilty to two counts of DDoS conspiracy and to my face these GCHQ bastards were doing the exact same thing - http://t.co/Y4vo1qeN4I— Jake Davis (@DoubleJake) February 5, 2014
Why do British government spooks so brazenly attempt to inhibit the activities of acephalous online collectives and not, say, the hate-filled Westboro Baptist Church, or chat networks that encourage racism or paedophilia?Others have similarly wondered if GCHQ is going to have to face charges over this, given that these actions appear to be entirely outside of its mandate and mission, and seem more compelled by just general dislike of some kids messing around.
Or maybe the more important question: how can they even be permitted to launch these attacks at all? There's no justification for how nonchalant a democratic government can be when they breach the very computer misuse rules they strongly pushed to set in place.
When we look at what Western governments are doing - snooping on our emails, infecting our computers, intercepting our phone communications, following our avatars around in online games, backdooring our public encryption, discrediting our Internet viewing habits, encouraging illicit activity and even engaging in their own illicit activity - we have to ask ourselves: who are the real criminals here?
by Mike Masnick
Wed, Feb 5th 2014 4:03am
from the picking-the-wrong-target dept
The documents, from a PowerPoint presentation prepared for a 2012 NSA conference called SIGDEV, show that the unit known as the Joint Threat Research Intelligence Group, or JTRIG, boasted of using the DDOS attack – which it dubbed Rolling Thunder -- and other techniques to scare away 80 percent of the users of Anonymous internet chat rooms.As the report notes, this seems like incredible overkill. While it's true that Anonymous had been somewhat successful in DDoSing some websites, for the most part, those were just basic defacements. They were the equivalent of kids messing around with graffiti -- hardly the sort of thing you send in the intelligence community to disrupt. Similarly, there are some quite reasonable arguments that the kind of attacks that Anonymous was doing were the equivalent of a sit-in, making them a form of expression.
“Targeting Anonymous and hacktivists amounts to targeting citizens for expressing their political beliefs,” said Gabriella Coleman, an anthropology professor at McGill University and author of an upcoming book about Anonymous. “Some have rallied around the name to engage in digital civil disobedience, but nothing remotely resembling terrorism. The majority of those embrace the idea primarily for ordinary political expression.” Coleman estimated that the number of “Anons” engaged in illegal activity was in the dozens, out of a community of thousands.NBC News gets former White House cyber security official Jason Healey to point out how ridiculous this kind of attack is:
Jason Healey, a former top White House cyber security official under George W. Bush, called the British government’s DDOS attack on Anonymous “silly,” and said it was a tactic that should only be used against another nation-state.Further documents show that GCHQ agents more or less infiltrated Anonymous, trying to buddy up with some key members -- and the documents leaked by Snowden show that GCHQ happily explains that the "outcome" of this effort resulted in charges, arrest and conviction against Edward Pearson, who was involved with Anonymous as GZero. Of course, we thought GCHQ was supposed to be focused on non-UK persons. But Pearson is British. The report details a few other UK hackers arrested because of GCHQ spying -- including one who notes that in the documents concerning his arrest, it is never detailed how he was found.
[....] “This is a slippery slope,” said Healey. “It’s not what you should be doing. It justifies [Anonymous]. Giving them this much attention justifies them and is demeaning to our side.”
What's not mentioned in the report is that the intelligence community has a history of totally overreacting to Anonymous. Back in 2012, we wrote about NSA boss Keith Alexander's bizarre attempt to spread FUD by claiming that Anonymous was the equivalent of a terrorist group that might shut down power grids -- a move that seems way outside of the kinds of things participants in Anonymous have any interest in. The actions they've taken, historically, have been to expose hypocrisy and wrongdoing -- not to actually put anyone's lives in danger. But it seems that kind of overreaction to Anonymous went beyond just the NSA and across the pond to GCHQ, which didn't just freak out, but actually spent taxpayer funds to launch offensive denial of service attacks on a bunch of mostly innocent teenagers.
by Mike Masnick
Fri, Oct 4th 2013 7:49am
from the questions dept
That said, there's a much bigger question here. While DDoS attacks can be a nuisance, are they really criminal? In the midst of these attacks, we questioned if they were really criminal acts or more like the equivalent of a sit-in, in which people were disrupting a business for the sake of public protest. In fact, some people arrested for DDoS attacks have been making this claim in court -- and there was even a White House petition asking it to recognize DDoSing as a valid form of protest.
Instead, as the indictment shows, the feds are hitting these thirteen individuals with CFAA violations -- the broad, troubling anti-hacking law that is regularly abused by the feds for any crime that involves a computer. In this case, the focus is on 1030(a)(5)(A) which targets people who:
... knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;But is a DDoS really "damage"? I can see how there's a reasonable argument both for and against that. But I have trouble seeing how, as the feds claim, these DDoS attacks did more than $5,000 in damage to the various sites they took down. Furthermore, you can make an argument that these weren't done "without authorization," because all a DDoS does is point a ton of traffic at a website. If that web server is open to the public, then isn't there authorization? It's just that the web server gets flooded.
Again, I'll make clear that I think DDoS attacks are dumb, counterproductive and immature. But I have trouble seeing how they're criminal acts, that could lead to five years in jail.
Also, there's some oddities, in that one of the lawyers for one of the accused folks claims that he had been working out a settlement, which has now been "scuttled" by the indictment. I imagine that most of the accused will eventually come to some sort of plea bargain deal. The DOJ stacks the deck so that you're often crazy not to plea your way out of these deals. And it's unlikely that any of the individuals will appear particularly sympathetic for their alleged actions here. But I'm still quite troubled by the idea that these actions add up to that much in damage, and a computer hacking crime deserving of significant jail time.
by Mike Masnick
Wed, Mar 27th 2013 8:02pm
from the the-hidden-war dept
We've known for a while that there are a number of people out there who really dislike Spamhaus, one of the more well known providers of a blacklist of spam IP addresses. For what it's worth, there are times when it feels like Spamhaus may go overboard in declaring an IP or range of IP addresses as spammers. And, to some extent, because of that, it seems like some who use the Spamhaus list rely on it a bit too strongly. That said, Spamhaus is doing important work in helping to stop the internet from being overrun with spam, and that's a good thing. But sometimes those who it pisses off aren't particularly nice people. Last week, Spamhaus added hosting company Cyberbunker to its spamlist. Someone didn't like that very much, and thus began a very big DDoS attack using open DNS recursors. Spamhaus went to Cloudflare, who was able to mitigate the worst of the attack.
But... that just lead to round two, in which whoever was behind the DDoS went much, much bigger attacking a bunch of the providers who provide Cloudflare with its bandwidth. Basically, it was massive firepower directed at some key points on the internet. And it was a pretty big deal. Cloudflare's blog post stays away from getting too expressive about the whole thing, but just the fact that they note the attack came close to "breaking" the internet should get you to wake up.
Tier 1 networks don't buy bandwidth from anyone, so the majority of the weight of the attack ended up being carried by them. While we don't have direct visibility into the traffic loads they saw, we have been told by one major Tier 1 provider that they saw more than 300Gbps of attack traffic related to this attack. That would make this attack one of the largest ever reported.The attackers say they're protesting Spamhaus acting as the internet's police:
The challenge with attacks at this scale is they risk overwhelming the systems that link together the Internet itself. The largest routers that you can buy have, at most, 100Gbps ports. It is possible to bond more than one of these ports together to create capacity that is greater than 100Gbps however, at some point, there are limits to how much these routers can handle. If that limit is exceeded then the network becomes congested and slows down.
Over the last few days, as these attacks have increased, we've seen congestion across several major Tier 1s, primarily in Europe where most of the attacks were concentrated, that would have affected hundreds of millions of people even as they surfed sites unrelated to Spamhaus or CloudFlare. If the Internet felt a bit more sluggish for you over the last few days in Europe, this may be part of the reason why.
Questioned about the attacks, Sven Olaf Kamphuis, an Internet activist who said he was a spokesman for the attackers, said in an online message that, "We are aware that this is one of the largest DDoS attacks the world had publicly seen." Mr. Kamphuis said Cyberbunker was retaliating against Spamhaus for "abusing their influence."Of course, all of this has exposed clearly a big vulnerability in the setup of the internet, and suggest that slowing down the internet on a large scale is entirely possible. But it's also made security folks that much more aware of how urgent it is to fix the a key vulnerability that made this possible: the fact that there are so many open DNS resolvers out there, that can be used to launch massive DDoS attacks. Because of that, security folks are rushing around to see if they can convince people to close as many of the approximately 21.7 million open resolvers out there:
"Nobody ever deputized Spamhaus to determine what goes and does not go on the Internet," Mr. Kamphuis said. "They worked themselves into that position by pretending to fight spam."
While lists of open recursors have been passed around on network security lists for the last few years, on Monday the full extent of the problem was, for the first time, made public. The Open Resolver Project made available the full list of the 21.7 million open resolvers online in an effort to shut them down.Basically, over the last week or so, there's been a war going on, concerning parts of the core of the internet, and while it might not have impacted you yet (or, maybe it did), it's likely that the next round will be even bigger. In the meantime, the race is on to shut down open resolvers to try to keep the internet working, and hopefully to cut down on the power of such attacks.
We'd debated doing the same thing ourselves for some time but worried about the collateral damage of what would happen if such a list fell into the hands of the bad guys. The last five days have made clear that the bad guys have the list of open resolvers and they are getting increasingly brazen in the attacks they are willing to launch. We are in full support of the Open Resolver Project and believe it is incumbent on all network providers to work with their customers to close any open resolvers running on their networks.
by Mike Masnick
Fri, Mar 15th 2013 12:01pm
from the hazards-of-the-job dept
"As soon as I open the front door, I hear this guy yelling at me, behind a squad car, pointing a pistol at me saying: 'Don't move. Put your hands up,'" Krebs, who is a long-time friend and colleague, told me. "The first thing I said was: 'You've got to be kidding me.'"Someone had made a call to the police, pretending to be Krebs, and claiming that "he was hiding in a closet after Russian thieves had broken into his home and shot his wife." And the police sent the SWAT team.
In all, there were at least a dozen officers with pistols, shotguns, and assault rifles pointed at him. They had police dogs circling his house and cruisers had sealed off a nearby street. Krebs, who was dressed in just gym shorts and a T-shirt, complied. Wisely.
"Two different guys were barking orders at me," he continued. "I finally said: 'Which way should I go?'" One officer told Krebs to lie on the ground, but before he could comply the other cop ordered Krebs to walk backwards. Eventually, "they put the cuffs on me and took me up the street. I was freezing the whole time."
Why? Krebs suspects it was a response to a an article he had just posted, which highlighted a Russian website that was used to get easy and cheap access to credit reports (one interesting tidbit, is that he suggests that people are abusing the federally mandated free AnnualCreditReport.com site, which was supposed to reduce identify fraud, but may actually be enabling much more of it). Krebs figures that the people behind that site weren't too happy about the exposure, and tried to send him a message.
Of course, if law enforcement officials weren't so eager to rush in with a SWAT team, such issues might have been avoided as well. In fact, Krebs notes that he warned his local police agency of the possibility of such a thing happening about six months ago, but apparently no one bothered to check on that bit of info until later.
After about five minutes in custody, Krebs explained that he was the victim of a monstrous crime known as swatting. One of the officers asked if Krebs was the person who had filed a report a few months earlier. When Krebs replied yes, the officers did a quick search of his home. With preparations for a dinner party clearly on display, it quickly became apparent that Krebs' home was not a crime scene and that the call was part of a fiendish plot. An officer told him later that they had tried calling him before he opened his front door but no one had answered the phone.As Krebs notes, these are situations where it makes little sense for local law enforcement to rush into these things where they may not understand what's going on.
Often local police are left to investigate, even when the perpetrators may be half a world away. He wants that to change. "Your local police department, the ones that are responding to these distress calls, they don't have the bandwidth," he said. "This is an area where federal law enforcement needs to be coordinating investigations. I'd like to see some sort of recognition or statement from federal law enforcement that this is something they're actively investigating."Of course, I'm not sure how well that would have worked in this case, since the caller suggested it was a local crime issue. Still, hopefully Krebs' situation raises some questions about the eagerness to send in the SWAT team, though given just how common bogus SWAT team raids have become, it seems doubtful that yet another example of a bogus raid will lead to any real change.
by Tim Cushing
Tue, Jan 29th 2013 4:03pm
from the also-does-stuff-with-Asteroids-and-the-Konami-code-because-it-can dept
The action began Friday night when Anonymous took down the U.S. Sentencing Commission website, demanding reform of the justice system and threatening to expose a large number of files "secured" from the website. A very long statement of purpose accompanied this hack, beginning with these paragraphs.
Citizens of the world,Anonymous calls this takedown a "symbolic gesture," aimed at the home of federal sentencing guidelines, which it calls out for advancing "cruel and unusual" punishment, a clear violation of the 8th amendment. The collective also claims it has compromised several other government sites and obtained sensitive files, which it will start releasing to the press in "heavily redacted" form, unless its demands are met.
Anonymous has observed for some time now the trajectory of justice in the United States with growing concern. We have marked the departure of this system from the noble ideals in which it was born and enshrined. We have seen the erosion of due process, the dilution of constitutional rights, the usurpation of the rightful authority of courts by the "discretion" of prosecutors. We have seen how the law is wielded less and less to uphold justice, and more and more to exercise control, authority and power in the interests of oppression or personal gain.
We have been watching, and waiting.
Two weeks ago today, a line was crossed. Two weeks ago today, Aaron Swartz was killed. Killed because he faced an impossible choice. Killed because he was forced into playing a game he could not win -- a twisted and distorted perversion of justice -- a game where the only winning move was not to play.
However, in order for there to be a peaceful resolution to this crisis, certain things need to happen. There must be reform of outdated and poorly-envisioned legislation, written to be so broadly applied as to make a felony crime out of violation of terms of service, creating in effect vast swathes of crimes, and allowing for selective punishment. There must be reform of mandatory minimum sentencing. There must be a return to proportionality of punishment with respect to actual harm caused, and consideration of motive and mens rea. The inalienable right to a presumption of innocence and the recourse to trial and possibility of exoneration must be returned to its sacred status, and not gambled away by pre-trial bargaining in the face of overwhelming sentences, unaffordable justice and disfavourable odds. Laws must be upheld unselectively, and not used as a weapon of government to make examples of those it deems threatening to its power.Threats or no threats, the government took the USSC site offline and restored it to working order by Saturday... at which point it was hacked a second time by Anonymous. This time the hackers weren't screwing around. Instead of a simple vandalization, the entire site was turned into an interactive game of Asteroids.
The U.S. Sentencing Commission website has been hacked again and a code distributed by Anonymous "Operation Last Resort" turns ussc.gov into a playable video game.
Visitors enter the code, and then the website that sets guidelines for sentencing in United States Federal courts becomes "Asteroids."
Shooting away at the ussc.gov webpage reveals an image of Anonymous. The trademark Anonymous "Guy Fawkes" face is comprised of white text saying, "We do not forgive. We do not forget."
The code that turned the site "interactive" is very familiar to gamers.
Will these takedowns have any noticeable effect on those Anonymous is trying to reach? Most likely, no. Hacking a government website just makes it easier for those prosecuting hackers to make their case. Stewart Baker at The Volokh Conspiracy suggests that these actions do more harm than good to the collective's stated aim.
The exploit is probably counterproductive too. Apart from turning those who want reform of computer crime law into the allies of lawbreakers, Anonymous has substantively hurt the case for amending the CFAA. Heavy criminal penalties are entirely appropriate for people who hack a Supreme Court Justice’s account and disclose personal secrets. But it’s not easy to redraft the CFAA so it reflects the difference between Swartz and the Anonymous hackers, at least not without relying on precisely the prosecutorial discretion that the Swartz prosecutors misused.In his take, Scott Greenfield at Simple Justice takes issue with Baker's statement regarding the enthusiasm level of the courts.
Finally, I wonder if this incident won’t affect the Supreme Court’s approach to cybercrime issues. As Frank Rizzo once said, a conservative is a liberal who’s been mugged. If that’s true, every time Anonymous mugs one of the Justices in cyberspace, it could be making the Court just a little less enthusiastic about limiting the tools the government uses to deter computer crime
Not that any of the justices have shown much enthusiasm up to now, but the alternative to bad isn't necessarily good. Things can always get worse.While Baker argues that Anonymous makes things that much tougher for justice reform, Greenfield argues that hacking the USSC is especially pointless, considering how irrelevant the Sentencing Commission is at this point in time.
The first indication that Anonymous made a left turn when it should have made a right was when it picked the United States Sentencing Commission website to show its might. Nobody noticed, because, well, nobody cares about the USSC anymore.Yes, Anonymous is correct in its observation that the so-called "justice system" in the US is a corrupt and bloated entity, prone to abusing its power and control. But the USSC isn't the problem, not because it's the "good guys," but because the damage it can do is easily outweighed by the public's keen interest in sabotaging its own freedoms.
Had this happened a generation ago, it might have meant something. Yesterday, it likely evoked a chuckle and a face palm. Post Booker and some actual crack reforms, it was a big nothing.
So you guys can hack an outlier agency that has drifted into relative irrelevance. Got it. Have a nice day. The USSC is symbolic of nothing other than government bloat. The guidelines don't enable prosecutors to cheat citizens of their constitutionally guaranteed rights. Citizens do that to each other. We do it each time we elect a legislator who calls for tougher laws. We do it each time we demand the creation of a new crime because of the tragic death of a child. We do it whenever we elevate safety over freedom. And that's what Americans do...As much as we sometimes want an entity like Anonymous to strike back at wrongdoers, the likelihood of this action (especially this one) resulting in any positive change remains near zero. Doubly frustrating is the fact that going through the "proper channels" to effect change has the same low odds. The hope here is that this action keeps the focus on the questionable methods and bad laws that resulted in the prosecution Aaron Swartz's and many others.
By taking out the USSC website, you disturbed nothing while annoying the government. When the head of the FBI cybersecurity squad gets done laughing, he's going to find someone else to prosecute. It may not be one of you, but it will be someone, or more likely, a whole gang of people with computers. And they have guns. Pissing them off over nothing isn't effective. It's just begging for retaliation, and the government has no sense of humor (or irony).
Considering there are many politicians (and many private contractors) that badly want their worst cyberwar fears to be true, this recent bout of hacktivism may give them all the ammo they want to push damaging legislation through while placing a badly needed CFAA update on the back burner.
by Mike Masnick
Mon, Jan 14th 2013 4:20am
from the it's-what-he-would-have-wanted dept
The family had said:
“Aaron’s death is not simply a personal tragedy. It is the product of a criminal justice system rife with intimidation and prosecutorial overreach. Decisions made by officials in the Massachusetts U.S. Attorney’s office and at MIT contributed to his death.”In response, MIT's statement, by president L. Rafael Reif, was actually somewhat self-reflective, admitting that the university needed to look closely at its own role in the situation, and appointing professor Hal Abelson -- someone quite knowledgeable and active in many of the same causes as Aaron -- to lead the investigation.
To the members of the MIT community:I am sure that many will continue to criticize MIT for its actions in this mess -- and some criticism may be well deserved. That said, MIT's response here is a step forward -- and hopefully it creates real change in how MIT handles such things in the future. I think that there are many, many, many reasons to be furious about the Justice Department's actions in the Swartz case (and I felt that long before Swartz's death). However, a DDoS attack on MIT or the DOJ or anyone else is exactly the wrong message to send concerning Aaron. Yes, I was just defending the use of DDoS as a form of expression and protest, but this is not the kind of protest that serves Aaron's memory well.
Yesterday we received the shocking and terrible news that on Friday in New York, Aaron Swartz, a gifted young man well known and admired by many in the MIT community, took his own life. With this tragedy, his family and his friends suffered an inexpressible loss, and we offer our most profound condolences. Even for those of us who did not know Aaron, the trail of his brief life shines with his brilliant creativity and idealism.
Although Aaron had no formal affiliation with MIT, I am writing to you now because he was beloved by many members of our community and because MIT played a role in the legal struggles that began for him in 2011.
I want to express very clearly that I and all of us at MIT are extremely saddened by the death of this promising young man who touched the lives of so many. It pains me to think that MIT played any role in a series of events that have ended in tragedy.
I will not attempt to summarize here the complex events of the past two years. Now is a time for everyone involved to reflect on their actions, and that includes all of us at MIT. I have asked Professor Hal Abelson to lead a thorough analysis of MIT's involvement from the time that we first perceived unusual activity on our network in fall 2010 up to the present. I have asked that this analysis describe the options MIT had and the decisions MIT made, in order to understand and to learn from the actions MIT took. I will share the report with the MIT community when I receive it.
I hope we will all reach out to those members of our community we know who may have been affected by Aaron's death. As always, MIT Medical is available to provide expert counseling, but there is no substitute for personal understanding and support. With sorrow and deep sympathy,
L. Rafael Reif
Aaron -- more than almost anyone else -- did stuff. He built stuff and he created change. Not by taking things down, but by building them up. Not by attacking, but by sharing and informing and educating.
Aaron's memory needs to be preserved, and his death will hopefully be a catalyst for many changes -- to the way the government prosecutes people, to the way computer hacking laws are used today, to the way copyright laws are used and much, much more. But the way to do that is to do something proactive and positive. The organization Aaron founded is called Demand Progress, and that's what we should be doing now.
We should be looking for ways to continue Aaron's work, to build, to share, to create and to create change through sheer will of knowing what's right.
So, don't participate in attacks or takedowns. Look for ways to build something up. Create efforts to change problematic laws like the CFAA or copyright law. Look for ways to share knowledge and expand our ability to learn and to educate each other. Create ways for people to speak out and to enable everyone to do more.
That is the legacy that I believe Aaron would have wanted. It will always be impossible to fill the void that Aaron's death has left in its wake -- but if it inspires each of us to do a little more, to create some positive change, to truly demand progress in the face of ridiculous odds, then that will be the testament to all that Aaron did for the world.
by Mike Masnick
Fri, Jan 11th 2013 7:39pm
from the if-you-have-to-ask-what-a-valid-form-of-protest-is... dept
Slashdot points out that some members of Anonymous have set up a We the People petition on the White House's website, asking the government to recognize DDoS as a valid form of protest.
With the advance in internet techonology, comes new grounds for protesting. Distributed denial-of-service (DDoS), is not any form of hacking in any way. It is the equivalent of repeatedly hitting the refresh button on a webpage. It is, in that way, no different than any "occupy" protest. Instead of a group of people standing outside a building to occupy the area, they are having their computer occupy a website to slow (or deny) service of that particular website for a short time.(Random aside before I get into the larger discussion: you would think that people posting a petition to the White House would spend at least a little more time proofreading what they write, or getting more input before posting it. While the intent is clear, the typos and grammatical structure of the petition is atrocious.)
It seems unlikely that this petition will get the necessary 25,000 votes. Or that the White House will even care if it does. The problem, as always, is that much of this depends on where you sit as well as your knowledge of technology. You can make a reasonable argument for why a DDoS is just the modern equivalent of a sit-in. But you can also make a reasonable argument for why a DDoS is like hacking a site.
But here's the larger point: When you have to petition the government to get them to tell you what form of protest is "okay," you've probably already lost the battle. And that's part of the larger problem here. It seems clear to me that many of the DDoS attacks done by Anonymous are, quite clearly, done for the purpose of expression. They are trying to make a statement, and it sometimes works (though, it frequently backfires). I'm sympathetic to the claim that it's the modern equivalent of a sit-in, and find it troubling that the government is arguing it's something much, much worse. At the same time, I often think Anonymous' rush to DDoS undermines its larger efforts at times, and simply reinforces in the minds of some that Anonymous is made up of bratty, destructive kids. But, having to ask the government to say your form of expression is legitimate expression suggests that the government has already won.
by Mike Masnick
Tue, Nov 6th 2012 3:51pm
from the massive-fail dept
The security firm, iSIGHT, was hired by PayPal to investigate the attacks, and an employee of the company reached out to Skype seeking information about one user who he thought might be involved. And Skype coughed up the info -- including username, real name, email address and home address -- no questions asked. As the article notes, there was no court order or anything like that. Just a guy from a private company asking and Skype said, "sure, here's all the info."
There are questions about whether this move violated some European privacy directives. At the very least it seems clear that it violated Skype's own policies, which include not providing customer data unless required by law, or if official law enforcement is involved. In this case, neither thing is true. One hopes that this is just a one-off mistake by Skype, but it's worrying nonetheless.