Reservoir Hackers

The US District Court for the State of Idaho ruled that an ICS product developer’s computer could be seized without him being notified or even heard from in court primarily because he states on his web site “we like hacking things and don’t want to stop”.


Battelle Energy Alliance is the management and operating contractor for Idaho National Laboratory (INL), and they have brought suit against ex-INL employee Corey Thuen and his company Southfork Security.

It began with the US Department of Energy funding an effort for INL to develop “a computer program aimed at protecting the United States’ critical energy infrastructure (oil, gas, chemical and electrical companies) from cyber attacks.” Corey Thuen was one of the developers of this software program that was later called Sophia.

Sophia identifies new communication patterns on ICS networks. As noted in our 5 Oct 2012 post, this is not novel as Tenable’s Passive Vulnerability Scanner and other products have done this for years. Sophia may have added some intelligence for ICS protocols (I haven’t tested it), and the user interface for a product like this is often the key factor.

Battelle wants to license this technology, NexDefense was selected to negotiate for a license, and the suit states that Corey was pushing for it to be open source. Eventually Corey left INL, created Southfork Security, and wrote a similar “situational awareness” program called Visdom.

In simple terms, the suit alleges that Corey stole the code and violated agreements with INL. I have no idea if he stole the code or what he signed while at INL. He probably had the code, but again the idea is hardly novel. He could have started over with a next generation product on his own. A look at the code would provide the answer, and the answer may be somewhere in the middle as it so often is.


The disturbing part of the ruling is that Battelle asked for and got a restraining order without first notifying Corey/Southfork Security primarily because the Southfork web site said “We like hacking things and we don’t want to stop”. They requested and got an order to knock on his door and seize his computer because he claims to like hacking things on the Southfork web site. From the court decision:

The Court finds it significant that defendants are self-described hackers, who say, “We like hacking things and we don’t want to stop.” …

The Court has struggled over the issue of allowing the copying of the hard drive. This is a serious invasion of privacy and is certainly not a standard remedy, as the discussion of the case law above demonstrates. The tipping point for the Court comes from evidence that the defendants – in their own words – are hackers. By labeling themselves this way, they have essentially announced that they have the necessary computer skills and intent to simultaneously release the code publicly and conceal their role in that act. (underline added) And concealment likely involves the destruction of evidence on the hard drive of Thuen’s computer. For these reasons, the Court finds this is one of the very rare cases that justifies seizure and copying of the hard drive.

Another factor in issuing the restraining order without notice was:

Battelle must show that the defendants have “a history of disposing of evidence or violating court orders or that persons similar to the adverse party have such a history.” Id. (citing In the Matter of Vuitton et Fils S.A., 606 F.2d 1, 5 (2d Cir. 1979)).

Battelle asserts generally that defendants who have the technical ability to wipe out a hard drive will do precisely that when faced with allegations of wrongdoing.

It is hard to believe the court bought that as proving Corey/Southfork had “a history of disposing of evidence or violating court orders”. Again, Corey may have had Sophia on his computer and done everything wrong, but the evidence the court used to decide to take away some of Corey’s fourth amendment rights was flimsy. Basically he said he liked hacking things and had the skills to wipe a computer.

There was no evidence in the court order that he had ever done this before or had an intention to do this.

Battelle’s lawyers also played the national security card:

Most broadly, releasing Sophia open-source has national security implications. As Battelle puts it, “Defendants plan to give away the keys to Sophia . . . to the very attackers Sophia is meant to thwart.”

This is laughable, but if you are a lawyer your job is to advocate. The problem is Corey/Southfork and their lawyers were not given an opportunity to shoot this down, and the court mentioned “national security concerns” as part of the rationale for their decision.

Battelle / INL may be convinced that Corey is using the Sophia code, breaking agreements and doing other illegal things that affect their money making opportunities. While I don’t agree with many of their points in the case, the real fault lies with the court buying and making the HACKER argument the determining factor.

In the end, a review of the Visdom code would and will indicate whether it is Sophia or not.

@SCADAhacker it’s time to change your website and twitter handle.

Image by lostevil