The US Department of Justice says a grand jury has indicted Swiss security provocateur Tillie Kottmann over multiple exploits and attempts at fraud, and authorities have quickly moved to rule out free speech as a defence.
Readers may remember Kottman pointed out holes in a security skills assessment website run by Deloitte, dropped 20GB of Intel secrets onto the web and shamed the security of DevOps tool SonarQube by releasing third-party code created with the project. Kottman’s name was also linked to the mass p0wnage of video camera outfit Verkada.
The DoJ now alleges Kottman did all that and more, including:
- Illegally accessing computers belonging to a security device manufacturer located in the Western District of Washington and stealing proprietary data
- Improperly used the credentials of an employee of a “manufacturer of tactical equipment” and accessed the manufacturer’s source code databases
- Hacked a Washington state agency and a U.S. government contractor and stole source code related to various web applications
- Attacked an automobile manufacturer and a financial investment company.
Kottman justified cracking systems and leaking info as whistleblowing rather than a criminal activity.
In 2020 Kottman explained that thinking to The Register as follows:
I do a lot of leaks and releases. My overall motivation is to free information, and I am just very curious. I also love exposing and looking at the (often horrible) things you can find in proprietary code.
The DoJ’s announcement features a canned quote from Acting U.S. Attorney Tessa M. Gorman, to the effect that: “Stealing credentials and data, and publishing source code and proprietary and sensitive information on the web is not protected speech–it is theft and fraud”.
The indictment [PDF] alleges Kottman’s activities went beyond merry pranking and moved into attempts to defraud victims for personal gain.
The USA has an extradition treaty with Switzerland, which rather increases the chances that Kottman will soon see the inside of a US courtroom. ®