Hacker Tinkering With Yahoo Stories

Lifter writes "A hacker named Adrian Lamo had access for three weeks to the web-based content control system for Yahoo!'s news section, according to a story at SecurityFocus. He tinkered with a couple of stories without anyone noticing, then edited an August Reuters story about Dmitry Sklyarov, so that it said that Dmitry's program raised "the haunting specter of inner-city minorities with unrestricted access to literature, and through literature, hope." He also added a quote by John Ashcroft,"They shall not overcome. Whoever told them that the truth shall set them free was obviously and grossly unfamiliar with federal law." Funny stuff in itself, but the SecurityFocus story explores the harm that could come from a trusted news site being easily hacked in these times."

URGENT NATIONAL SECURITY BULLETIN

10 ways to tell if you or someone you know may be a potential terrorist:

1. They are shy or antisocial;
2. They spend a large percentage of their free time on a computer;
3. They are quick to criticize the government or corporations, often complaining about their "rights online";
4. They are obsessed with privacy;
5. They have a tendency to play violent computer games;
6. They frequently illegally copy music, movies, or software;
7. They listen to aggressive, "alternative" music;
8. They have an aversion to going outside;
9. They like to reverse-engineer, or "hack", anything they can for no substantive reason;
10. They use software such as Linux, which is designed by and for hackers.

For the sake of national security, please report all potential terrorists to the NSA.

How do we know?

[ichimunki]

How do we know the Security Focus story wasn't actually the hacker-planted story, and that anything happened over at Yahoo at all?

Re:How do we know?

[fobbman]

Hell, this /. submission by CmdrTaco was suspiciously missing any added comments that are usually riddled with misspellings and cheap shots at Microsoft. Has anyone checked the back doors at Andover?

Security?

[x-empt]

The problem with security today is the lack of it. Generally security on the Internet today is the same as how secure businesses are physically. Many businesses leave filing cabinet doors unlocked, rooms open, and papers unshredded.

Now in the company where you work, how hard would it be for a person in the general public to walk-in and act like a new client or staff member and gain access to sensitive information?

The problem with computing security in general is that it is more often exploited than flaws in physical security. IT departments don't know how to read www.microsoft.com/security and RedHat's update/errata page. They find security too difficult and do not place it high on their priority lists.

- x-empt

MD5/PGP Signing could prevent this.

[Rope_a_Dope]

Is there any reason that the major news organizations don't PGP or MD5 sign their stories as posted on the web, to verify they are posted and mirrored correctly? It could easily be ascertained that the site was being changed if Yahoo News were to include a signature at the bottom to check the veracity of the article. Obviously this guy was making minor changes to the stories early on, just to see if he could get away with it. A simple spider/crawler that checks the signature could be run by Yahoo against any and all of their posted stories, and if they don't match the copy editor's , then a flag can be raised! The AP could do this as well for any stories that go across the newswire, and are posted across the Internet.

Re:Flight announcement

[alen]

Don't forget about parachutes. Once you exit the aircraft you have the rest of your life to open it.