Hacker Tinkering With Yahoo Stories
Lifter writes "A hacker named Adrian Lamo had access for three weeks to the web-based content control system for Yahoo!'s news section, according to a story at SecurityFocus. He tinkered with a couple of stories without anyone noticing, then edited an August Reuters story about Dmitry Sklyarov, so that it said that Dmitry's program raised "the haunting specter of inner-city minorities with unrestricted access to literature, and through literature, hope." He also added a quote by John Ashcroft, "They shall not overcome. Whoever told them that the truth shall set them free was obviously and grossly unfamiliar with federal law." Funny stuff in itself, but the SecurityFocus story explores the harm that could come from a trusted news site being easily hacked in these times."
I'm honestly not too concerned about this kind of hacking. I tend to take _anything_ I hear about any major incident like the Sept. 11 attacks with a grain of salt for a day or two. And I would hope to God that the people making important, irrevocable decisions -- e.g. the U.S. government -- aren't relying on Yahoo! News for information.
...
Consider it freedom of speech, and of the press, and of petition for redress of grievances, updated for the modern age
The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
The problem with security today is the lack of it. Generally security on the Internet today is the same as how secure businesses are physically. Many businesses leave filing cabinet doors unlocked, rooms open, and papers unshredded.
Now in the company where you work, how hard would it be for a person in the general public to walk in and act like a new client or staff member and gain access to sensitive information?
The problem with computing security in general is that it is more often exploited than flaws in physical security. IT departments don't know how to read www.microsoft.com/security and RedHat's update/errata page. They find security too difficult and do not place it high on their priority lists.
- x-empt
Ever need an online dictionary?
Is there any reason that the major news organizations don't PGP or MD5 sign their stories as posted on the web, to verify they are posted and mirrored correctly? It could easily be ascertained that the site was being changed if Yahoo News were to include a signature at the bottom to check the veracity of the article. Obviously this guy was making minor changes to the stories early on, just to see if he could get away with it. A simple spider/crawler that checks the signature could be run by Yahoo against any and all of their posted stories, and if they don't match the copy editor's, then a flag can be raised! The AP could do this as well for any stories that go across the newswire, and are posted across the Internet.
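The signature-checking crawler proposed in the comment above, as an added example that is not part of the original thread: it compares a plain MD5 footer with a keyed tag for a story edited by someone who has write access to the content system. HMAC-SHA256 stands in here for a detached PGP signature, and the key, record layout and function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed signing key; assumed to be held by the copy desk, outside the CMS.
EDITOR_KEY = b"constructed-demo-key-not-a-real-secret"

def md5_footer(body: str) -> str:
    """Unkeyed digest: anyone who can edit the story can recompute it."""
    return hashlib.md5(body.encode("utf-8")).hexdigest()

def sign(body: str, key: bytes = EDITOR_KEY) -> str:
    """Keyed tag standing in for a detached PGP signature."""
    return hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()

def publish(story_id: str, body: str) -> dict:
    """Record as the copy desk would publish it (hypothetical layout)."""
    return {"id": story_id, "body": body,
            "md5": md5_footer(body), "sig": sign(body)}

def crawl(stories, key: bytes = EDITOR_KEY):
    """Return (md5_flagged, sig_flagged) story ids for published records."""
    md5_flagged, sig_flagged = [], []
    for s in stories:
        if md5_footer(s["body"]) != s["md5"]:
            md5_flagged.append(s["id"])
        # Constant-time comparison of the recomputed tag with the stored one.
        if not hmac.compare_digest(sign(s["body"], key), s["sig"]):
            sig_flagged.append(s["id"])
    return md5_flagged, sig_flagged

def demo():
    # Constructed sample stories.
    stories = [publish("a1", "Markets closed higher on Tuesday."),
               publish("a2", "The court hearing is set for August.")]
    # Someone with CMS write access edits a2 and refreshes the footer digest,
    # but cannot produce a valid tag without the key.
    stories[1]["body"] = "The court hearing is set for never."
    stories[1]["md5"] = md5_footer(stories[1]["body"])
    return crawl(stories)

if __name__ == "__main__":
    print(demo())
```

The unkeyed MD5 footer raises no flag because it was recomputed along with the edit; only the check that depends on a key stored away from the publishing system catches the change.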
Seriously, though, disinformation and "information terrorism" may not be as lethal as 110 floors of concrete dropping on you, but for precisely that reason, it's much more insidious, with an impact that no amount of bulldozing can ever clear away.
It's also much more common. AFAIK, only two buildings of that size have ever been felled through malice. On the other hand, virtually every political and commercial organization has at least one "spin-doctor" - the popular name for info-terrorists.
If the US is serious about its war on terrorism, it should first prove itself, by eliminating all spin-doctors from the Government, and demanding rigorous honesty and accountability within all sectors not directly tied to national security.
Yes, NS has to be an exception. Otherwise you get into some, ummm, interesting situations:
Passport Control Officer: Are you a foreign spy?
Foreign Spy: Yes. I'm here to learn all your secrets.
Passport Control Officer (into microphone): Psychiatric Unit to Gate 4, please.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
He tinkered with a couple of stories without anyone noticing, then edited an August Reuters story about Dmitry Sklyarov, so that it said that Dmitry's program raised "the haunting specter of inner-city minorities with unrestricted access to literature, and through literature, hope."
;-)
My jaw is left gaping.... Oh, I wish all crackers were this smart! Thank you for restoring my faith in human sarcasm
Some call it "editing."
It would be a good idea that all news carry this disclaimer: "For your own protection, please do not depend on a single source for news."
I survived the Dick Cheney Presidency 7 to 9 AM 7-21-07
Heh, the only thing unusual about this story is that a *hacker* changed the meaning of a story to suit an agenda. It's not as if the news wasn't biased already!
One of the things that worries me greatly when I am brave enough to think about it at length, is how fantastically biased and non-independent our (USA) official news sources are. Almost every traditional media segment (TV, newspapers, radio) is, as we speak, undergoing a tremendous reorganization, where the vast majority of the markets are controlled by a few private companies whose major line of business isn't journalism.
For a shock for those who haven't done it already, find an international issue and compare how it is covered in the US with how it is covered by far-foreign or minority news sources. You may find the experience similar to discovering Slashdot and Kuro5hin after years of Ziff Davis, especially if you read coverage that goes on for a few pages instead of paragraphs. You might not discover the truth but you'll have much better questions.
The bias is subtle to detect without a comparison, because the bias is often in what is *not* reported, or arguments that are *not* published. If you don't mind being stoned by a flag-waving mob you can even try this experiment with last week's horrible tragedy.
So, as much as I support punishing this hacker for his illegal actions, a part of me also commends him for increasing the average distrust of mainstream news.
Because we tend to adjust for this based on previous experiences, personal bias, etc., and unexpected content from some interloper can exploit reader expectations. Everyone trusts somebody to tell us the "truth", and will be unlikely to question that entity even when fed disinformation. Imagine how Yahoo's readership could have been confounded by a fake story on the morning of September 11 about any of the following topics:
- Threats of a new airborne attack in another city, or of lots of unaccounted-for planes in the air
- Release of biological agents in the water supply
- False reports of the demise of public figures
- Widespread shortages of food, water, etc.
Would the bulk of Yahoo's readers question these statements? Would those who did be questioned themselves? Remember, terrorists want to sow FUD. This sort of hole provides an ideal opportunity to do so; planting a critical fake fact in a widely read story won't necessarily create a lasting big lie, but it will create a certain amount of confusion and doubt. (Bear in mind that this effect is exacerbated by the tendency of news giants to report each other's stories, sometimes without checking every fact first...)
Using my (pre-yahoo buyout) account at Geocities, I accidentally got root level access to one of their servers this past May (via ftpfs in MC, zipslack 3.9). Took them two weeks to figure out the security hole, while they watched me hit their ftp server @ ft6.geo.yahoo.com! They thanked me, but never sent the goodies my way. (ask jkb about that)
For future use, send all Yahoo server e-mail to:
security-core@yahoo-inc..com
5'16" is easy math, so why do so many miss it?
Ditch the semi-autos and give the passengers revolvers. Revolvers are simpler to operate, so the safety brief could be much shorter. They are mechanically simpler, so less preventive maintenance would have to be done on them (i.e. cheaper for the airlines = lower ticket prices). The immediate action drills for revolvers are much simpler as well. The passengers wouldn't have to worry about failure to feed (a problem not uncommon with inexperienced shooters who might "limp wrist" the gun) or failure to extract. Failures to fire are corrected simply by pulling the trigger again, which is probably going to be the passenger's natural response. Semi-Autos are sexy and great for serious shooters, but for inexperienced shooters (or anyone who doesn't like to do preventive maintenance) revolvers are a better choice for self-defense.
I also think the safety briefing should include a warning to only use the airline-approved frangible ammunition for the guns; otherwise some idiot with a few FMJ rounds in his pocket is likely to stick them in the gun and decompress the plane during the firefight. Other than that, I think that is a good briefing.
This is hilarious!
The whole problem is that people DO in fact trust the web as a source of accurate news. Dumb. The web is by its very nature unreliable. Period. Anybody who gets upset about a little news hacking is a whiner.
It is YOUR RESPONSIBILITY to double, triple and quadruple check and cross reference any information you find on-line. That's the power of the web; for the first time in history, it is actually possible to get something approaching the whole story. But you can't be lazy. I think hackers who send chills of 'insecure feelings' down the spines of the Norms in Suburbia are doing humanity a service by repeatedly demonstrating just how unreliable the web is. By showing that you CANNOT rely on single sources of information. Such repeated hacks might even raise the awareness of people to the point where they take some personal responsibility for the information which they allow into their heads.
But what is the response? (What will be the response?)
An almost unified cry of "Kill the Hackers".
Last week, 95% of the people on this very site were pissed off when Mafia Boy, (a junior high school kid. i.e., a CHILD!), got a wrist slap rather than capital punishment.
Shocking! -Especially since most Slashdotters fit the hacker profile to a 'T'. It is utterly dumbfounding that people were so embittered towards a 15 year old who didn't do anything more than perpetrate but a little DOD attack and make life interesting for a bunch of tech support monkeys who get paid hourly anyway.
I was even modded down for the mere suggestion that a crime which doesn't hurt anybody, hasn't damaged or removed any property, and hasn't infringed on anybody's civil rights, should rightly be considered a misdemeanor on the same level as graffiti or vandalism. But people want blood these days.
All I have to say is, "Be careful what you wish for."
-Fantastic Lad