Sophos News

Doh! Government inadvertently reveals hacker’s private info

When you’re prosecuting a hacker for exposing private information to the world, you really shouldn’t do the same thing yourself. In the never-ending case of United States v. Deric Lostutter, US attorneys utterly failed to meet that simple standard.

If Lostutter’s name vaguely rings a bell, you may be remembering the notorious Steubenville, Ohio rape case we covered three years ago.

Quick backstory: Lostutter, then affiliated in some way with the Anonymous hacking group, is charged with illegally helping to expose the behavior of two members of the Steubenville High football team who’ve since been convicted of raping a 16-year-old girl.

At the time, the rapists were being protected and defended by the small-town team’s passionate supporters.

As Mother Jones reported in 2013, in connection with an interview with Lostutter:

…he obtained and published tweets and Instagram photos in which other team members had joked about the incident and belittled the victim. He now admits to being the man behind the mask in a video posted by another hacker on the team’s fan page, RollRedRoll.com, where he threatened action against the players unless they apologized to the girl.

In April 2013, an FBI SWAT team raided Lostutter’s home and took his computers pursuant to a warrant. That July, the government charged him with “intentionally and without authorization accessing… and thereby obtaining information from a protected computer, in furtherance of a criminal and tortious act in violation of the laws of the states of Ohio and Kentucky, specifically invasion of privacy, libel…” in violation of the federal Computer Fraud and Abuse Act.

(The CFAA has been deeply controversial for years, but that’s another story.)

Three years later, Lostutter’s case is finally moving towards trial. In the meantime, Tech.Mic reports that someone:

…inadvertently published a trove of Lostutter’s personal information – including his and his wife’s Social Security numbers, his phone number, the login and passwords for his private email and chat accounts and his laptop and PC passwords – on PACER, a publicly accessible database of federal court documents.

Tech.Mic reports that Lostutter’s lawyers discovered the disaster when some of his personal enemies spread the info on social media, where he’s been harassed by folks who don’t think he deserves all the credit he’s been given for revealing what happened in Steubenville.

The exposure evidently arose from the government’s simple misunderstanding of how PDFs work – so there’s a lesson for anyone who ever has to redact one.

Prosecutors simply copied black boxes on top of the text they were trying to hide, not knowing that these could be removed in a basic PDF reader, or that the hidden text could be copied into the clipboard and read in any word processor.
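
A pre-publication check for this failure mode, as an added example that is not part of the original article: it looks for text-drawing operators that are still present underneath a filled rectangle in a page content stream. It assumes a simplified, uncompressed stream with absolute `Td` positions; the sample streams, the placeholder SSN and the function name `text_under_boxes` are constructed for illustration.

```python
import re

# Constructed sample: the text is drawn first, then a black box is filled
# on top of the second line. The text operator is still in the stream.
OVERLAID_STREAM = b"""
BT /F1 12 Tf 72 700 Td (Case file: public summary) Tj ET
BT /F1 12 Tf 72 680 Td (SSN: 000-00-0000) Tj ET
0 0 0 rg
70 676 200 16 re f
"""

# Constructed sample: a real redaction deletes the text operator itself,
# leaving only the box as a visual marker.
REDACTED_STREAM = b"""
BT /F1 12 Tf 72 700 Td (Case file: public summary) Tj ET
0 0 0 rg
70 676 200 16 re f
"""

NUM = rb"(-?[\d.]+)"
TEXT_RE = re.compile(rb"BT\b(.*?)\bET", re.S)            # one text object
TD_RE = re.compile(NUM + rb"\s+" + NUM + rb"\s+Td")      # text origin x y
TJ_RE = re.compile(rb"\((.*?)\)\s*Tj", re.S)             # literal string shown
RECT_RE = re.compile(rb"\s+".join([NUM] * 4) + rb"\s+re\s+f\b")  # filled rect


def text_under_boxes(stream: bytes) -> list:
    """Return strings whose text origin lies inside a filled rectangle."""
    boxes = [tuple(float(v) for v in m.groups())
             for m in RECT_RE.finditer(stream)]
    hits = []
    for block in TEXT_RE.finditer(stream):
        pos = TD_RE.search(block.group(1))
        txt = TJ_RE.search(block.group(1))
        if not (pos and txt):
            continue
        x, y = float(pos.group(1)), float(pos.group(2))
        if any(bx <= x <= bx + w and by <= y <= by + h
               for bx, by, w, h in boxes):
            hits.append(txt.group(1).decode("latin-1"))
    return hits


if __name__ == "__main__":
    print("overlay only:", text_under_boxes(OVERLAID_STREAM))
    print("text removed:", text_under_boxes(REDACTED_STREAM))
```

Real documents usually compress their streams and may carry the boxes as annotations rather than page content, so a production check should run a full PDF text extractor over the final file and confirm that no sensitive string appears in its output.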

The government admits its mistake and says it’s trying to seal the document. But the barn door’s open and the horses are long gone.

This isn’t the first time anyone’s fouled this up. According to The Balance, the Transportation Safety Administration recently made the same mistake, inadvertently posting secret information about its airport screening processes.

(There’s a right way to redact PDFs: here’s how to do it in Acrobat DC, and here’s how to do it in other versions.)

Tech.Mic can’t say for sure who made the mistake. However:

…the user who created the redactions in the object metadata is ‘NGupta,’ indicating that whoever redacted the document was using software registered to Assistant US Attorney Neeraj Gupta, the leading prosecutor.

Tech.Mic dryly observes that this “development… calls into question prosecutors’ technical savvy.” We dryly tend to agree.
