Hack the Army, Brag About it, Get Raided

SunCrushr was one of many who submitted this. A security company called ForensicTec decided to explore the U.S. government's computer systems, with particular emphasis on the Army. They talked to the press and had their fifteen minutes of fame. And surprise surprise, they immediately got raided by the FBI. What did they expect?

Publicly breakly the law is dumb

[mesocyclone]

even when what you are doing is reasonable!

Re:Publicly breakly the law is dumb

[Kwikymart]

"Publicly breakly the law is dumb"

It is if you think you wont be caught. There are valid reasons to break the law publicly like mounting a case against an unfair law in order to strike it down.

Re:Publicly breakly the law is dumb

[teasea]

That's right! You must be anonomously philanthropic. Spiderman is a good example. Do it. Reveal your results. Don't get caught!

Re:Publicly breakly the law is dumb

[lingqi]

so what about using MacroVision - disabling VCRs?
how about speeding on highways?

IMHO the army and the FBI is taking this *way* too seriously. I mean, fine if they were doing this for criminal intent, then alright. but proceeding with criminal prosecutions? that's 158% bullshit.

the sad fact is unless you generate some publicity, a whole lot of times shit in the govn't does not get done. (same with M$, btw). Illinois had ppl warning them for YEARS that they need to seriously wipe the old PC's hard disks they put on auctions; and what did they do? promptly ignored it until someday ABC channel 7 news (i actually don't remember the channel #, so am making this part up) found out.

i mean, fucking a, i'd appreciate some kind of apology from the army instead of this. instead of "i am tracking down the 'law breakers' and taking a firm stand on unauthorized computer access", i think The Right Thing (tm) to do is actually apologize to ME, Joe Citizen, that they fucked up and should have kept this shit more secure in the first place, and things are being done about it; and they are switching to open source and capable sys admins.

glad my tax dollars are going toward such useful endeavors.

Re:Publicly breakly the law is dumb

If you don't like paying for the prosecution of criminals, I would like you to get the hell off my continent.

Re:Publicly breakly the law is dumb

I broke into the bank cause I thought I was doing a service to my bank account and my bank members to make it more secure.

Was that reasonable ?

Cough cough.

idiots. They should ship them to afghanastan.

Re:Publicly breakly the law is dumb

[RandomCoil]

so what about using MacroVision - disabling VCRs?
how about speeding on highways?

I think the obvious difference here is that when one uses Macrovision-disabling VCRs, one doesn't usually:
a) Send the RIAA/MPAA an email letting them know
b) Tell the press what an easy time you had doing it

Likewise, when speeding on the highways, one doesn't usually give the local police a call to let them know.

Furthermore, I don't know about you, but I expect the law to enforced consistently. You certainly don't want Al Qaeda claiming that knocking down the WTC and was just some proof-of-concept work they were doing to point out inadequacies of airport security in the US.

Re:Publicly breakly the law is dumb

[Buzz_Litebeer]

So, if you leave your door open, I walk in, and don't do anything, and then later sent you a letter telling you your door was unlocked and that I walked around, and that anyone else could have walked around that you wouldn't be angry at the invasion of privacy?

Re:Publicly breakly the law is dumb

[Copperhead]

Your analogy is wrong... Try this.

You're walking down the street in front of the bank where you've got your accounts, and there is a "Closed" sign on the bank front door. You check the door, and it's unlocked, and all the lights are on. You open the door and walk in, and see that there is money laid out in piles, and the safe is open. You still don't see anyone, so you walk out the front door, and you call a press conference saying that the bank is unlocked.

That is what happened.

The silly part on their part was holding the press conference, not checking the door. In this analogy, I would have told the bank officials first. Then, I would have checked the door a few days later. If the door was still unlocked, then I would hold the press conference.

Re:Publicly breakly the law is dumb

[fferreres]

The thing is these people help secure your networks and and do not carry out any real destructive actions. After you put them in jail:

1) Less of this "benign tumors" develop (SecureTech, etc)
2) More of the "malign tumors" develop (Al Qaeda)
3) Security is improved a bit but not revisited thereafter, making the mil computer even more vulnerable.

If some guys tryed to divert a plane and flyby some densely populated scycrapers, then sept 11 would have never happened. Of course, nobody will try that because if the actually survive (ie: they dont get killed while trying) they will be killed after succeding (even though they would have preventing a tragedy).

So as nobody has an incentive to try, because the penalty is so high, nobody does try. But then a real terrorist takes advantage because they don't care about FBI raids. They get in, an gather the information or many launch an Nuke (or something nasty) and that's it.

I'd rather see these guys sentenced to work as free advisors to the mil for 10000 hours than be prosecuted. Actually, It'd be a good policy to offer rewards for hacing ANY mil computer (provided you do report inmediately and in proper way [ie: tell the mil, NOT the press]).

Re:Publicly breakly the law is dumb

[capnjack41]

Question is, did they go around looking at the files they gained access to (analogous to the 'walking around' part of this example)?

If I said to my neighbor, hey, your door's unlocked, they'd be glad I told them; unless I pointlessly walked around and looked at their pictures and put my feet up on their coffee table. If the firm really snooped for their own curiosity (or for any other selfish reason), as opposed to if they looked around to give examples of what kind of sensitive material is exposed (I see examples of radio encryption techniques and so forth), then that's a problem. Otherwise, one may argue that they were doing a "favor" (albeit perhaps illegally).

Of course one may also argue that it would be more sensible to have reported the problem to the appropriate entity, but...

Re:Publicly breakly the law is dumb

[User+956]

Likewise, when speeding on the highways, one doesn't usually give the local police a call to let them know.

Damn, then why did I even get this cell phone?

Re:Publicly breakly the law is dumb

You communist heathen!

Rewarding an intruder (cracker/"hacker") is like giving the keys to your Lexus to the robber that broke into your home.

Re:Publicly breakly the law is dumb

[reallocate]

This makes as much sense as setting fire to the local police department just to test its fire alarm.

You have only this outfit's word about what they did. Who's to know that they aren't a front for a foreign power or other group? (It does happen, you know.)

Lots of vulnerabilities exist everywhere, not just computer networks. Unsolicited and unauthorized attacks on another's property is a crime.

Re:Publicly breakly the law is dumb

How do you know they didn't break into the computers to gather intelligence? The very public admission of their break in could have been a way to cover their asses... people would assume they're grey hats, even if they're black hats!

I completely agree with the concept of having many crackers probing every nook and cranny of the net, trying to find the holes and advise machine owners of where they are. There are two enormous differnces in this case, though. First, they released the vulnerabilities of certain networks to the world without a reasonable attempt to contact those with the responsibility to secure them. Second, it was illegal in this case!

There should be a legal framework in place to probe the 'net for weaknesses and inform the weak links that they need to fix the problem. But, these guys did something quite illegal, and should be investigated and possbibly prosecuted.

Re:Publicly breakly the law is dumb

[mpe]

You're walking down the street in front of the bank where you've got your accounts, and there is a "Closed" sign on the bank front door. You check the door, and it's unlocked, and all the lights are on. You open the door and walk in, and see that there is money laid out in piles, and the safe is open. You still don't see anyone, so you walk out the front door, and you call a press conference saying that the bank is unlocked.
That is what happened.
The silly part on their part was holding the press conference, not checking the door. In this analogy, I would have told the bank officials first. Then, I would have checked the door a few days later. If the door was still unlocked, then I would hold the press conference.

Actually holding the press conference is for CYA. If you just told them they might call you a bank robber or try hard to pretend it never happened.

Re:Publicly breakly the law is dumb

Hmmm? It's utterly foolish to hoist a straw man and expect people help you flog it. Angry, foolish man.

Re:Publicly breakly the law is dumb

I'd rather see these guys sentenced to work as free advisors to the mil for 10000 hours

And I'd rather see them breaking rocks in the hot sun for 10,000 hours. Leave the security consulting to people with the formal training. Believe me, it matters. This romantic notion that 'two kids with a 300 baud modem broke in' is largely a myth.

Re:Publicly breakly the law is dumb

[El+Camino+SS]

SO theft is okay now that you know the special way that others don't to steal somehting?

Exploiting a weakness of others is considered to be "good manners" among the computer community?

Wow. That's a new precedent.

Re:Publicly breakly the law is dumb

[SlamMan]

Bah. Poor analogy. The differnce is the amount of skill and techneique required to do the tasks. Its like saying they had locks on the door, but they were easy to get past, and that you got through their laser tripwire setup by crawling on the ceiling. Do-able, but you need the tools and skill to do it.

Re:Publicly breakly the law is dumb

[Buzz_Litebeer]

You have done a favor when you tell them, hey i noticed your door was unlocked, upon casual inspection. But in the computer world there is no casual inspection. the only way they could get off saying it would be if they accidently broke into the site. the analogy of doing a favor can only be in the mind of the perpetrator because i beleive very few societies could sit down and say "yes it is ok to walk around in someones house if they leave the door open, your doing a favor for them so they know that there house can be broken into and that with casual inspection i could find their kitchen and kill the entire family with a butcher knife" the door is not quite an adaquete example, simply because you can view it being unlocked by casual inspection of walking up and down a road, or hallway. you dont casually attempt to hack into www.fbi.gov or dial up an fbi server. It simply does NOT happen. If you can honestly say you have accidently called up the wrong ISP (back when you have had a modem) and were granted access with your current user name and password then i would be completely amazed and probably call you a liar because its damn near impossible to even concieve.

Re:Publicly breakly the law is dumb

[dunkstr]

Yes... The analogy is sound. Except you might want to add "rooted through a bunch of people's account records and perused the safe-deposit boxes" while you're at it.

Either way, if they found that the door is open they did not need to walk in. They've already proven their point just finding the door. The rest is blatantly criminal.

Re:Publicly breakly the law is dumb

I did happen to scan the wrong system once, purely by accident. It was for a friend, and we had a slight misscomunication regarding his current IP. It did not get too far, mainly becuause I knew he was running at least two services on non-standard ports which I expected to see when I started the scan. This system was running one of those services on the standard port (in this case 80) so I was concerned enough to mention it to him, afterwhich we double checked the target IP and found it to be in error. No harm done I suppose, as I never attempted to gain access to the box and whoever owned it never appeared to notice. But anyway, it can happen, especially if you are slightly dyslexic ;-)

Re:Publicly breakly the law is dumb

Posting anonymously for obvious reasons...

I used to work in Information Assurance (what the Army calls security) and I can tell you that the most serious intrusions seem to be professionals funded by foreign sources. Sure, as you might expect there are countless script kiddies doing portscans all the time (BFD), but the stuff that we watched most closely were the PATTERNS we'd see in the attempts... for example, for months leading up to the exposure of the OpenSSH hole, we saw a ramp-up in port 22 probes, likewise for the MS SQL Server bugs. Often, long before a vulnerability is announced publicly in the whitehat community we'd detect people casually sniffing around ports nobody paid attention to before.

The fact is, the sorts of long term, subtle, well coordinated attacks we'd see and trace back were almost never script kiddies or even domestic blackhats. They almost always turned out to be (likely professional) operations from Eastern Europe and China.

Re:Publicly breakly the law is dumb

its ok to speed? kick ass!

Re:Publicly breakly the law is dumb

[RandomCoil]

So you could call the local police when you see *someone else* speeding, of course! :)

(Especially if their car is nicer than yours...)

Re:Publicly breakly the law is dumb

[RandomCoil]

I'd rather see these guys sentenced to work as free advisors to the mil for 10000 hours than be prosecuted. Actually, It'd be a good policy to offer rewards for hacing ANY mil computer (provided you do report inmediately and in proper way [ie: tell the mil, NOT the press]).

I wholeheartedly approve of that punishment, however I'm less enthusiastic about the general "hack us if you can" policy. I'm hoping the sysadmin(s) responsible for leaving the network open get whacked around a bit too.

Re:Publicly breakly the law is dumb

It's not yours, fucktard.

Re:Publicly breakly the law is dumb

[thecoolbean]

The article states that "Accessing a computer without permission is a violation of Federal Law". My problem with the whole thing is what implies "permission to access" in an era of millions of networked computers. When I send an E-mail and it gets forwarded from server to server am I a felon ?? When I want to access a web server do I need to obtain express written permission from the owners of the site beforehand ?? These poorly written laws that allow for BROAD prosecution of criminals AND the rest of us need to be fixed. Legally E-mail and Web access... hell even typing in the wrong IP address into your browser can be construed as "Access without Permission". At what point do system owners have to take responsibility for their systems and the services they have allowed access to over the internet ?? I think that when you connect to the net... any services you have available that are NOT password protected.. by default IMPLY granting permission for the public at large to go to town. If you don't want people crawling thru your data then secure your systems.... but this "You touched me without permission.... ASSAULT" attitude has got to go. Password crackers.... ok that crosses the line.... but accessing wide open services.... well DUH.

Re:Publicly breakly the law is dumb

Also posting anonymously for obvious reasons...

I have a cousin who is in the "informational warfare" department in China. From what I hear there are tons of these guys over there. not QUITE sure what they do, but two points:

1) my understanding is that the US does and/or fund a lot of attacks on china too (computer-wise), and
2) the "informational warfare" is taken pretty seriously by the chinese govn't. maybe more seriously than a lot of us think it is

Re:Publicly breakly the law is dumb

[aFamiliarFace]

They probably just stumbled into a honey-pot. The feds were probably watching them during the whole hack and just did the bust for form.

now taking bets....

[jeffy124]

... as to how long until they show up here

Re:now taking bets....

I'll bet that Eric Corley will make 'em a hero

and I don't mean sandwich

recompile.org

hrmm

[acehole]

perhaps a free 'Join the army' sticker and an uncle sam hat?

People

People think that hacking isn't cracking and all that BS, breaking into a system is wrong, whether or not you feel you have the write to access that information is irrelevent. You dont have the right to break into a system 'just cause' This makes the whole hacker community look bad, people should really think before they act.

Re:People

[acasto]

That philosophy would be great if all in the world was black and white. Some people tend to forget that the United States government has many many gray-area laws in which are only exploited when they want to exploit them. The government, and corporations for that matter, have done a great job of entangling their laws and moral justification.

If we look at everything as it's either right or wrong, dependant on the technicalities, then we are letting the conformation to society not only manipulate our everyday lives, but the moral justifications that guide our day-to-day actions as well.

Re:People

You might see a lot of grey with your social and moral relativistic glasses, but there ain't a whole lot of grey breaking into the Army's computer system. That is pretty black.

Re:People

[neocon]

What AC said. The idea that this is some sort of `grey area' is, to paraphrase George Orwell, so dumb only an intellectual could believe it.

Re:People

[acasto]

So you say, we will then refer to you when we need moral and social clarification.

Re:People

[acasto]

You know enough about the situation to say that anyone who has 'walked' into the army's network was in wrong? I'm sure others have done the same, yet with no media exposure. If you think you can define the governments actions in a 'black-and-white' statement, from the information contained within a press report, then you must have your eyes closed.

So perhaps the question comes down to, If you step into a government network, and you don't call CNN, but quitely report it, will you get in trouble? are your wrong?

The bottom line is nothing is black and white unless you can take all the data (past cases) and throw it in one of two piles. You don't have all the data...do you?

Re:People

[neocon]

Yes, just as I know enough about the situation to know that anyone who walked into my house is wrong.

Let's get this straight: these people broke the law, in a way which has potential ramifications for national security, they bragged about doing so, and you're surprised that they got raided?

Which part of `it's illegal to crack into other people's systems' is grey to you? Which part of `cracking the army's systems could have an effect on their ability to do their job, whether that's your intention or not' is grey to you?

Re:People

Let's get this straight: these people broke the law

Laws change all the time

in a way which has potential ramifications for national security

Your right, so all the better it can be fixed now

What you fail to grasp for some reason, is the fact that `it's illegal to crack into other people's systems' is such a broad law. Much like other laws in this country. I doubt that finding a flaw was why they were raided. What if a terrorist group tries next week, but they can't, because the holes are plugged. The fact is, if national security is so at risk, the security firm shouldn't have been able to get in the first place. If any body is guilty, it's the Army for dong a half-ass security job in the first place.

Re:People

[neocon]

As I said, your position is so incoherent that only a self-styled intellectual could cling to it. You admit that they broke the law, and knew they were doing so, but think that's okay because sometimes laws change? Really?

So if someone breaks into your house tonight, will you let them go, because, after all, `laws change all the time'? Come on...

Shooting the messenger?

[ergo98]

While I think these guys should be held accountable, at the same time I wonder in the heavy hand of the law is a case of shooting the messenger? Are these people who are so willing to call in the feds equally as willing to actually fix the source of the problem, or are they hoping that by pretending there's no problem it achieves the same effect? Color me a cynic, but I suspect the latter.

Re:Shooting the messenger?

[t0ny]

I disagree. There are proper ways of doing things, and ones that dont publicly embarass the probably very hardworking and overworked people keeping the whole US Army network working. The fact that they dont have time to become completely geeked out security freaks is because they need to do other things that little script kiddies dont have to do, like work, spend time with their families, and complete projects. If they wanted to really help the army, they could have taken their info and given it, without shameless self promotion, to their people and offered suggestions on how to tighten up the whole thing. So I say screw em. If they want their 15 minutes on the back of other people, they get what they get.

Re:Shooting the messenger?

[soulcuttr]

I think that there needs to be a distinction in the law concerning the intent of the action. In a case such as this, the intent was obviously not to steal personal information, or to do harm, but it was for publicity and also to be a wake-up call to government IT departments to start taking their security more seriously.

Since the amount of personal information that the government is capable of gathering seems to be increasing, I don't believe it's an unreasonable expectation that security be increased as well. In cases where the security is so obviously lax, I would rather somebody inform them like this (maybe under some sort of digital security good samaritan law) than to let it go unnoticed.

-Sou|cuttr

Re:Shooting the messenger?

[ergo98]

Do you really think that these rather amateur (or so it seems) security consultants were the first to find these lapses in security? I highly doubt it. Perhaps it was beneficial that they were so public about it simply because it makes it a lot harder to ignore.

And regarding the IT being busy doing other things: If they can't secure the network then they should _GET_OFF_THE_BLOODY_INTERNET_. I'm 100% serious. There are countless government computers and networks that are theoretically publicly accessible with absolutely no justifiable reason but that it was easier for the IT department.

Re:Shooting the messenger?

[brooks_talley]

So, you wouldn't mind if I did a little security research on your home while you're away at work -- or, better yet, in the middle of the night when you *are* at home?

I mean, I wouldn't actually steal anything. Just rifle the place a bit, see what you've got, that sort of thing. Then, I might call the press and see if they're interested in doing a story about the level of security at [insert your address here].

I'm sure you'd appreciate the free research, right?

Cheers
-b

Re:Shooting the messenger?

[DarkZero]

Why even use the real world analogy? How many of us wouldn't be pissed if we got an e-mail saying, "Hi, I cracked your security and got into your computer via --some exploit--. You might want to patch that. Also, some of your financial records are inaccurate, and the girl in 'sylvia_saint_fucking_and_sucking.avi' in the 'C:\Private\GodIHopeMyWifeDoesn'tSeeThis' directory isn't Sylvia Saint, but actually a lesser known porn star. Nice collection, BTW."

I'd want the guy prosecuted for breaking into my personal property and I believe that a lot of you would, too. Why do we expect a lenient, "please, invade our property some more, sir" attitude from anyone else?

Re:Shooting the messenger?

um. They broke the law...

Re:Shooting the messenger?

[paganizer]

I hacked the fuck out of the military, mainly the army, but they asked me to.
I mean....open fingers which would give you the entire list of users, with SSN, phone #'s, and home address, that sort of thing. servers without automatic lockout. that sort of thing.
Scary as hell.
They fixed the problems, almost immediately, as soon as they were pointed out; But if it hadn't been for a security type who actually was concerned that problems might exist, instead of doing his best to just do his job & look good, the problems would almost certainly still be existing.
That is kind of the problem, though; the only thing that matters in the military, really, is that your boss thinks you are doing a good job; it doesn't matter if you actually are or not.

Re:Shooting the messenger?

[AvitarX]

I people could break into systems with non criminal intent and haveshort or no sentances then they would do it. Now we have all sorts of people being good samaritans breaking into networks left and right, and not doing anything wrong.
Now I come along. I say, I want to do something wrong when I am in there, and people are generating so much intrusion noise that I can slip in and out unnoticed within the sea of attacks.

Re:Shooting the messenger?

[geekoid]

and if your locks on your house can be picked, YOU_SHOULD_GET_OFF_THE_BLOODY_STREET_.

Re:Shooting the messenger?

Here's the only poster that has a clue. Man, if you can't take a warning and demonstration of your vulnerability you need to be off the network. Give the parent post a mod up and the gummnt a mod down for being just plain stupid. And not only that, the Army got a lot more bad publicity for their poor security by siccing the FBI on some tiny but well intentioned secruity consultant startup company.

Re:Shooting the messenger?

They were not arrested for publicizing vulnerabilities. They were arrested for breaking into government computers. The fact that they publicized their actions is not part of the charge. (Sure, it's how the government learned about the breakins, but it's not what they are charged with.)

Let's take your views just one step further. Suppose we go easy on them because they wanted to be messengers about gov't weaknesses. Is this not simply rewarding people who brag about their misdeeds.

Facts:

1. They broke into government computers
2. They publicized their breakin, for commercial gain
3. They had no authorization to conduct tests of government computers.
4. They are criminals, and stupid ones at that.

Re:Shooting the messenger?

[capnjack41]

distinction in the law concerning the intent of the action

True, that would be the right way to do it, but then there's the potential for abuse; when I get caught cracking something for not-so-honorable reasons then I can claim that I was "researching" their system and actually trying to help.

Re:Shooting the messenger?

No, what they are saying is that you can't do that to a gummint web site. Do whatever you want to anybody else, in fact if you are a big Corporate conglomerate, you can DDOS them or whatever. Just don't do it to gummint computers. That's all they are saying. And they'll take you down the minute you let them know you've breached their security. Of course, you could just not tell them and try to contact their IT guys just like anybody else to let them know, but that won't fix it. We've seen over and over again that just telling them does not get them to secure it. Only publicity works. Until they get some free press, they won't fix the security holes. This is just another case of tellem and hope for the best but the best turns out to be jail time. I hope the rest of you love your country enough to not let them know of security holes. Let them find out from Al Qaida so they can use the mighty arm of US law against all threats sundry or terrorist.

Re:Shooting the messenger?

[zenyu]

How many of us wouldn't be pissed if we got an e-mail saying, "Hi, I cracked your security and got into your computer via --some exploit--

You'd rather not know?

Back when you were in college you didn't e-mail people that left themselves logged in after they left the terminal?

You never got one?

I never like having my machine cracked, but I do like the fact that it's much easier to find out these days than when my first BBS was cracked. My workplace even hires people to come in and break into as many computers as they can. I wish the military took security as seriously. We have holes we know about, but we do keep at least one machine running a password cracker and port scans at all times. I get at least two attemped breakins into my computer a week, I'm sure their machines were owned many times over. At least these people had the good morals to tell the world.

Re:Shooting the messenger?

[delong]

Back when you were in college you didn't e-mail people that left themselves logged in after they left the terminal?

Loser.

Derek

Re:Shooting the messenger?

[sallen]

Do you really think that these rather amateur (or so it seems) security consultants were the first to find these lapses in security? I highly doubt it. Perhaps it was beneficial that they were so public about it simply because it makes it a lot harder to ignore.

I'd disagree. The 'consultants' certainly did get the publicity, which it seems they wanted. (How beneficial it's going to be at this point though is probably questionable.) They didn't have to go 'public'. This was a case of someone intentionally mucking around inside their systems. I don't care if it's the military, a company, or an individual. Once the breach is made , if intentional, and they continue, it's illegal. Once can accidently end up at a site because of a screw up in routing tables, etc, and that's not intentional. In that case, if they are notified, they'll fix the problem... and I mean fast.. in the case of the military. (On that one I speak from experience.) But the bottom line... this wasn't accidental .. they had 'intent', it seems, from the beginning. I don't have a lot of sympathy from their resulting 'visit' from the FBI.

Re:Shooting the messenger?

[ObitMan]

Back when you were in college you didn't e-mail people that left themselves logged in after they left the terminal?

Hell no, I just emailed everyone I could with the users sexual and drug preferences. Just to help them out socially, really. :)

Re:Shooting the messenger?

Do you think that underpaid, overworked people have priority interest in securing some fucking network running some asshole MS product with as many holes as swiss cheese?

Re:Shooting the messenger?

Excellent! If as the IT person or personell if security isn't #1 priority- everything else waits. then the IT staff are worthless. Sorry, but protecting your equipment and ensuring it is configured properly to begin with is the number one job of IT... adding printers and installing software is number 5.

Re:Shooting the messenger?

[ergo98]

Inappropriate analogy: You can hardly compare a government site with someone's home. One is a heavily identified, highly sought after target (with potentially millions in profits to the successful intruder), and the other you at best might find out that Bob has a fetish for feet. Hardly a good comparison.

However, why not compare the government to a bank: How would you appreciate a bank that instead of a phone has written notes they send by courier, and their vault is a big sack with a money sign on it in the middle of the customer area. Would you say this is reasonable or responsible security given the context of their job?

Re:Shooting the messenger?

[t0ny]

you definitely do NOT have a clue. They didnt make a demonstation of network security; they broke in like a swat team just to show they could, then they bragged about it to everybody who would listen. If they really had noble intentions, they would have worked with the Army to tighten things up, instead of getting in and poking around. Did they get documents and sell them to a foreign power? who knows? maybe they did. That is why they are getting investigated, not just because they made the Army look bad. Dont like the laws? Either change them or move to another country. We have freedom in this country, but that doesnt mean you can violate other peoples person or property. If you want to justify the ease of an action with the right to do it, go sell drugs on the corner to school children. Hey, its easy money, right? and if they really cared they would have police officers at every street corner.

Re:Shooting the messenger?

[MastrBlastr]

Back when you were in college you didn't e-mail people that left themselves logged in...?

Back when I was in school, we didn't "log in". We walked over to the computer lab, waited for the next availably keypunch machine, and then handed a stack of punchcards to the sysop.

The only break-in I can remember involving the government was Watergate. Most of those responsible were punished by making them serve long sentences as radio talk-show hosts. The remaining culprits were forced to publish highly fictionalized accounts of events leading up to the break-in.

(Maybe that type of punishment would be appropriate in this case...)

Re:Shooting the messenger?

[yuri+benjamin]

Back when you were in college you didn't e-mail people that left themselves logged in after they left the terminal?

I work in a call centre. When people finish their shift leaving their workstation logged in, I just quietly log them out.
I hope they'd do the same for me.

Re:Shooting the messenger?

[Ironica]

Except that, theoretically, all those people would be finding the vulnerabilities and then they would be *fixed*... leaving you with a much harder job to break in.

Re:Shooting the messenger?

ROFL! I can only assume that that response is the sting of having this happen to you.

I bet you still haven't changed your ways - your desktop at work is logged in 24/7, waiting for some nere-do-well to wander by, wiggle the mouse, and start doing all kinds of mischief in your name.

A guy I know left his system logged in 24/7. After poking around firewall logs they discovered the cleaning crew was surfing for beastiality, gay porn, and not to mention minors in indecent positions.

On his system. Which contained trade-secret source code & had mission-critical apps running. They're still not sure if any of it was copied & resold to competitors.

Oh, and the company went out of business six months later, driven out by marketplace competition.

Something to think about, nimrod.

Should be rule #1

[ObviousGuy]

Don't hack the military unless you are a hostile foreign power, and even then it's not recommended.

Re:Should be rule #1

This is my rifle, this is my gun, this is my ass, and this is my thumb.

Sound off

Re:Should be rule #1

[Nogami_Saeko]

The point here is that the company made the army security specialists look like idiots to their superiors.

In all probability, they would've prefered to stay vulnerable if it meant saving face.

Typical tactic. When you expose their piss-poor security, they scramble for cover and instead of acknowledging that they don't know security from a hole in the ground, immediately accuse the people who exposed their incompetence.

Re:Should be rule #1

[mseeger]

Rule #1 is: Don't hack unless you get paid for.

Worries about which side pays you are clearly second priotity :-).

Martin

Where's ForensicTec security now?

[WildBeast]

Federal law enforcement authorities searched the computers of a San Diego security firm that used the Internet to access government and military computers without authorization this summer, officials said yesterday.

So it looks like those ForensicTec computers aren't secure enough :)

Re:Where's ForensicTec security now?

[DigitalGlass]

I'm guessing they accessed the terminals themselves. I dont know whether you were joking or not :-)

Re:Where's ForensicTec security now?

[WildBeast]

Well it's still a security problem if people or the government can just go in there and access ForensicTech computers :)

Yeah I was joking, couldn't help it.

Re:Where's ForensicTec security now?

[ninewands]

Errrmmm ... NOTHING is secure against the dreaded Search Warrant exploit.

Re:Where's ForensicTec security now?

[netringer]

Where's ForensicTec security now?

Here. Wanna hire them?

Re:Where's ForensicTec security now?

[Bios_Hakr]

A GPG-encrypted filesystem is. Set it up so that 5 different people have part of the key. If you need to get in, you need at least 3 people there. You could then claim to not remember your keycode.

A small dead-man-switch connected to a packet of gunpowder on your hard drive is even better. Pick up the box and BANG! No more data. Just make sure you have a EULA near the PC stating that moving the box will destroy the contents.

Re:Where's ForensicTec security now?

[DigitalGlass]

Thats what I was guessing, but just wanted to be sure.

Re:Where's ForensicTec security now?

[rabidcow]

No, Rubberhose is much better. They can't even prove you're hiding anything.

Re:Where's ForensicTec security now?

[Scaebor]

How about a big huge magnetic doorway a la Cryptonomicon that scrambles everything on a computer that goes through it? Now everyone should have at least one of those...

Re:Where's ForensicTec security now?

[spacefrog]

Depends how good your encryption is!

Re:Where's ForensicTec security now?

[klieber]

Might be better yet if it had been updated in the last 18 months and/or worked with 2.4 kernels...

Re:Where's ForensicTec security now?

Instead of fucking whining about it, why don't you dust off your compiler, and fucking FIX it. This is what open source is all about.

Re:Where's ForensicTec security now?

[Peridriga]

One word.... BLOWFISH...
Well that all depends on who they pissed off...
You piss off the NSA, I guess the only protection would be an EMP....

Re:Where's ForensicTec security now?

[einhverfr]

Errrmmm ... NOTHING is secure against the dreaded Search Warrant exploit.

Sure it is, if it is protected by public key encryption with passphrase protected public keys (assuming the passphrases are not subject to dictionary attacks), using open source and digitally signed encryption software (so you know there are no deliberate backdoors), etc. Better yet, encrpyt with two public keys, where the private keys have different passphrases.

Such a system would be cumbersome to use to say the least, but it would be reasonably secure from compromise even given the siezure of the computer.

Re:Where's ForensicTec security now?

[T-Ranger]

Given a choice beteween coughing up your passphrase and then going to trial or sitting in jail for contempt indefinitly I think Id rather cough up the passphrase. But thats just me.

Re:Where's ForensicTec security now?

[einhverfr]

(User #10520 Info | http://chebucto.ns.ca/~jeffw) Given a choice beteween coughing up your passphrase and then going to trial or sitting in jail for contempt indefinitly I think Id rather cough up the passphrase. But thats just me.

Depends on what I am protecting ;) If I were to be guilty of more than they could charge me with, I might conveniently forget, or keep the keys further obfuscated using a changed endian order of bytes (so they look corrupt) etc. Maybe I would encrypt the keys ;) Now there's an idea....

Re:Where's ForensicTec security now?

[SCHecklerX]

except perhaps strong encryption and authentication?

what will be just as interesting

[jeffy124]

is if their exploits still work a week from now

Let

Let me guess, they were running windoez! LOL

Re:Let

rofl!!! :) linux d00dz unite, hax0r the poonus, i love you lauren

Re:Let

heh, guess they didnt see the post about the M$ patch then huh????

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Need some advice guys! :o(

Embrace your geekness! Oh, and you could always auction yourself on e-bay! (Virgins bring a premium!!)

They handled it the wrong way

[Damion]

If they were serious about what they were doing, they should have contacted the people who have influence over the systems they compromised. Making their findings public may achieve the same effect in the way of getting the systems fixed, but the end result is a lot of unpleasantness all around. In short, it was a wholly unprofessional way to act.

Re:They handled it the wrong way

[TamMan2000]

They admitted that part of why they were doing this is for publicity for their young company...

effective, I guess, but at what cost...

Re:They handled it the wrong way

[apothoray]

The article suggests that Fort Hood was notified several weeks in advance of the public statment. They've probably got a lot of security issues to fix up, but realistically, how long are you obligated to wait for them to get their act together?

Re:They handled it the wrong way

[Roblimo]

Several years ago, while looking at the Web site for the Ft. Hood-based 312th MI bn, where I was stationed for a while, back when I was in the Army, I came across a whole bunch of wide-open (NT) servers full of confidential and/or classified information.

I didn't do anything to "crack" them; the password forms only worked with MSIE/Windows. Uisng Linux and Netscape I clicked right past the authorization forms and had complete, instant entry to all kinds of information about Ft. Hood units and the people in them, including plenty of stuff that shouldn't have been exposed to public view.

I immediately emailed the Ft.Hood public information office and explained what I had found. I got back a snotty, "We don't have time for this kind of nonsense from civilians" response.

Apparently nothing has changed on the security front at Ft. Hood -- except that now you are a criminal if you report problems.

Oh, my poor country...

- Robin

"Stumbled Upon"...heh

[$carab]

ForensicTec officials said they stumbled upon the military networks about two months ago, while checking on network security for a private-sector client.

Someone new to a Dvorak probably tried to type in "lynx http://www.google.com" but instead got "nmap -v -p 1-1024 -sS -P0 army.mil -T paranoid".

Re:"Stumbled Upon"...heh

[nzhavok]

Not to mention they would have accidently have to su to root before that... Unless they normally browse as root :-/

Re:"Stumbled Upon"...heh

[whereiswaldo]

I think they crossed the line when they :

"...identify vulnerable computers and then peruse hundreds of confidential files containing military procedures, e-mail, Social Security numbers and financial data, according to records maintained by the company."

Now, if _I_ were the one checking the military's security, I wouldn't be stupid enough to LOOK at the files I had access to. It could be top secret, etc...! That's asking for big time trouble (eg. cement shoes). They should have said "hey, we're in", disconnected and reported the problem immediately to the government first. That would have been the responsible thing to do. I think a punishment is reasonable at this point.

Re:"Stumbled Upon"...heh

[Sycraft-fu]

"It could be top secret"

Not likely. Standard military prcedure is to keep anything that is classified on a total seperate network. By that I mean seperate cabling, computers, the whole 9 yards. It is totally off any public network and access is restricted (hence the idea of classified).

It's still retarded, however. You break into someone's systems, you broke the law. You do it to the government and, well, that's beyond stupid.

Re:"Stumbled Upon"...heh

but that would either be
"ptlb jkkr"[[,,,eussupdeism" if you were typing dvorak in a qwerty mapping
or
"nfbq dyylSzz,,,virrin.vjrm" if you were typing ',.pyf in a dvorak mapping

Not so fast...

The government should give these guys back pay and a pat on the back for their work. The government is only as strong as its weakest link. In this case ForensicTec has made them a little stronger, a little more aware. If it hadn't been them it might have been a terrorist breaking into those computers at the cost of 1000s of lives. The government should hire these guys seriously.

Re:Not so fast...

[TheLinuxWarrior]

They should hire some professionals.

The story clearly stated that these people are newbs in the security field. Not someone I want protecting the security of computers belonging to the armed forces.

Additionally, they went about this the wrong way. The right way would have been to contact a responsible party and professionally report the issues they found, not grab a bunch of stuff and call a news team. I know that based on their actions, I wouldn't hire them.

That's just me. I choose to work with professionals.

Re:Not so fast...

I know that based on their actions, I wouldn't hire them.

That's just me. I choose to work with professionals.

you claim this but then you admit to the very non-professional MSCE?

That's like admitting to having herpies... Yes, it's proof that you did it, but it isnt something to be proud of.

They couldn't catch them on their own?

Does this mean that our giant "Big Brother" secret government that monitors all of our phone calls and peeps in your windows while we sleep can't catch some "hacker kid" unless they report the attack on the news?

I suddenly feel alot safer, i'm now removing my tin foil hat... :)

recompile.org

Re:They couldn't catch them on their own?

Better keep the foil hat. It's not like he hacked Major League Baseball or anything...

I think that's what happened

I think the main question is what did they find in those files they got access to? Maybe this could go as a movie where a bunch of people looking to get some cozy defense contracts hack into the army's computers, download some files and boast about it. But, then ... they just downloaded a highly guarded secret ....

Re:I think that's what happened

[drainbamage]

They down loaded the list of what really is in the chicken ala king they serve in chowhalls!

Re:I think that's what happened

[ObitMan]

Thank you of that reminder of the terrible sacrifices made by all who served their country in the armed forces.

Sage advice...

Mr Hand and AstroGlide. 'Nuff said.

interesting point gets made

[Artifex]

Look, it's one thing to find a vulnerability, and another thing to say "oh look, let's see how far this goes and play with it before we tell anyone."

It's like discovering that there's a loose brick in the wall between the boys' locker room and the girls' shower room at school: getting an eyeful before reporting is still wrong.

They probably got searched to see if they did the equivalent of "taking pictures."

Re:interesting point gets made

It's like discovering that there's a loose brick in the wall between the boys' locker room and the girls' shower room at school: getting an eyeful before reporting is still wrong.

No kidding... What kind of fucknut would report the loose brick?

Re:interesting point gets made

[ahaning]

What kind of fucknut bricklayer would make the loose brick low enough that the little boys could look through?

Re:interesting point gets made

[Soko]

*snif* [wipes tear from his eye]

OK, OK, now that I've stoppped laughing aloud to your comment and sig together, think about it.

The obvious answer is "any bricklayer that was 13 once and had a wang." Ha.

Thanks for the laughter, bud.

Soko

Re:interesting point gets made

[jcoy42]

No kidding... What kind of fucknut would report the loose brick?

The kind that went for a peek and saw the principal/janitor/priest staring back?

Re:interesting point gets made

[delong]

What kind of fucknut bricklayer would make the loose brick low enough that the little boys could look through?

Hey man. Midgets need jobs too, you know.

Derek

Re:interesting point gets made

A female one?

Re:interesting point gets made

[ahaning]

I'd like to note that the sig comes from a webpage of a doctor who does no-scalpel vasectomy. Googling for the quote should bring up a link to the page...

http://www.rvt007.com/vasectomy/faq.htm

I found it hilarous at the time so...

this is insanely stupid

[kvx]

If you allow access to data without first password protecting it, as was the case, you are asking for trouble. It's the most obvious form of security. While breaking into it was wrong, and leaking it to the press asking to get raided, whoever admins these computer systems ought to be held accountable. Instead of pissing away money taking away rights in the name of the war on terrorism and throwing around our military might, the government ought to spend the money conducting audits on our computer systems and increasing our own security.

Re:this is insanely stupid

Right, because it was a bunch of ones and zeros that slammed into the world trade center...

Granted, computer security is of great concern, but using the broad brush to paint anti-terror spending as 'pissing away money' is just asinine.

How is this even a story?

In other news, a bank was robbed and the theives were sent to prison.

Re:Need some advice guys! :o(

[crystalplague]

bahahahaha......that just made my day...so much so that I won't even post anonymously...to hell with karma

Probably confiscated every computer

Even if the charges are eventually dismissed, they've probably put their company out of business. I wonder how many computers were seized as EVIDENCE.

Those computers won't be releases until they're worth $50.

-mike

Re:Probably confiscated every computer

That's because the company DID A CRIMINAL ACT, and is BEING PUNISHED FOR THEIR CRIMINAL ACT. If they didn't want to get put out of business, they should not have committed criminal acts.

Fucking nuts, these leftists are.

Re:Probably confiscated every computer

I didn't say what they did was too bright. In fact, the people directly responsible should be punished.

But an incident like this can take down the whole company. Where is the justice in that?

-mike

Re:Probably confiscated every computer

[Clockwork+Apple]

Can you say Enron?

Re:Probably confiscated every computer

[Etcetera]

But an incident like this can take down the whole company. Where is the justice in that?

IDRTA, but I believe it was the Company that issued the press release, not invidual people who happened to work for the company. One of the downsides that comes with the privilege of incorporation is the ability to do things *as an entity*. If "the Company" does something, then it's "the Company" that will suffer for it.

Re:Probably confiscated every computer

[GutBomb]

the people that siezed thier computers are not the ones that are supposed to dole out the punishment. they simply investigate (federal beurau of investigation). The courts are the people who punish them. the permanent seisure of the computer is wrong. If the judge later says that the seizure of the computers should be part of the punishment so be it. But the fbi is not in the kind of power to dole out punishment, and if they do so, it is wrong.

Linux

You are the weakest link, goodbye.

Honestly, I'd have to say they were pretty dumb...

[Qwerpafw]

See, first they point out that the Governement has flaws. Ooooh, criticising those in power... can be risky...

Then they point out specific, make-people-lose-their-jobs flaws. The kind of thing congressmen would love to jump on in order to criticise incompetency. Do it on a widely-read medium. This pisses more people off.

Then make very clear how you did specific illegal acts, giving those you just pissed off a great and simple way to get back at you.

Why not just walk right into jail...? I mean, its like spitting in the face of a police officer who is holding a gun, insulting them, and then making a threatening move while simultaneously pulling out a joint and smoking it. You might as well hand them the rubber hose...

Why taunt someone and then give them an excuse to hurt you? To gain acclaim? Fame? Real hackers are not out to get publicity, but rather to expose vulnerabilities and try to fix them.

Whats this you say? You sympathise with the "security firm?" well, take this quote into account:

The consultants, inexperienced but armed with free, widely available software, identified unprotected PCs and then roamed at will

I dunno about you, but that would be my definition of script kiddie. Especially someone who then brags about it for publicity.

Maybe they attended....

[gilroy]

... Princeton?

Re:Maybe they attended....

more like "banning newsprint to prevent contributory ransom demands." Better analogy. Trust me.

Re:Maybe they attended....

[gilroy]

I don't like to get into arguments over .sigs, but I really have thought about this and have made a journal entry explaining my thinking.

ObShamelessPlug: my journal

Re:Need some advice guys! :o(

Heres to a good friday

Re:Honestly, I'd have to say they were pretty dumb

[WildBeast]

Well they gotta make a point. If the government can monitor our phone calls, internet emails, conversations, etc. then why can't we spy on the government to? Or does the governemnt thinks that its better than us and that it got more rights than us?

I say enough is enough and its time for a change.

What's really scary is..

The fact that the Army had to read about this in the Washington Post. I mean.. come on.. the U.S. military having to learn about hack attacks on their systems through an online newspaper..

They went about it the wrong way....

[josh+crawley]

They way they should have gone was
1: Hack whatever.army.mil
2: Post anonomously to slashdot regarding army's computer problems.
3: Request "large_num" security agreement, else will release to usenet, BugTrac, Slashdot, many newspapers, magazines....
4: Release anyways.

Re:They went about it the wrong way....

[ceejayoz]

5: ????
6: profit!

Re:They went about it the wrong way....

GO BACK TO GBS!

Re:They went about it the wrong way....

What's GBS?

I'm sorry but ...

[ninewands]

This story should be posted on Fark with the "Dumbass" tag.

One thing you DON'T do is screw around with military computer systems and then publicize it.

These guys oughta get the death penalty for criminal stupidity accompanied by a posthumous (is there any other kind?) Darwin award ...

Re:I'm sorry but ...

[Inthewire]

Well, I read the story when they first mentioned it (with a "Scary" tag) last week - of course, that was before those nice boys at the FBI came over and had their chat.

Company find vulnerability in Army network; downloads all of the General's pr0n

Re:I'm sorry but ...

[jpmorgan]

Darwin awards don't have to be awarded posthumously- the simple requirement is that you remove yourself from the gene pool. Killing yourself is one way, but anything that sterilises you is also okay.

Re:I'm sorry but ...

[mwolff]

In a Darwin Award book I got as a present you can also be awarded Honorable Mentions for those who almost die.

So the message is. . .

[tommyServ0]

So the FBI is saying it would have been better to hack the computers and keep quiet about it?

In the future, another company or individual may do the same thing, and then. . . keep their mouth shut.

I agree, just shooting their mouth to the whole country about getting into the network wasn't wise. They probably should have contacted the government secretly, but this raid may scare off any potential tipsters in the future from sharing knowledge.

Re:So the message is. . .

[t0ny]

The problem wasnt the pointing out of the vulnerabilities, its was fooling around in there and then bragging to everyone who would listen.

Re:So the message is. . .

No, the FBI is saying that is would have been better to not hack the computer at all. In the future, another company or individual may not do the same thing.

You seem to be missing the whole point, which is to not hack the system at all. Why is it that because it is a computer system that all of a sudden it is special and different from any other kind of unauthorized access or entry?

The windows joke,

Here it goes... I wonder if they were using Windows!

Re:The windows joke,

Someone beat you to it, you jackass.

mixed signals

[the+way,+what're+you]

Crack!

Don't crack!

What's a cracker to do?

Re:mixed signals

What's a cracker to do?

Sorry, but when I first read that, the first thing that popped into my head was "Wtf does race have to do with this?". I mean, the gov't will assfuck you for something like this until you are black and blue, regardless of what color you were originally.

Government Workers

Why should it surprise anyone? The Army's networks are maintained day-to-day by government workers who don't have the same background and experience as computer pros at a bank, for example. And equipment trickles down from the top, so the ones who really need it... those at the front lines... might still be running the Windows 3.1 default installation.

Rumor has it.....

[lateralus_1024]

...the latest MICRO~1 Windows Update *critical update* patches this problem. News at eleven. ..

Re:Rumor has it.....

That should be:

MICROS~1

RECOMP~1.ORG

Obligatory MasterCard joke

[kko]

-Hacking into the US Army's computers: 2 gazillion dollars
-Divulging their deeds to the press in a justifiably paranoid post 9/11 world: 30 zillion dollars
-Getting fucked in the ass by the FBI for being plain old stupid: Priceless...
For everything else, there's MasturbCard...

After reading about these guys' antics, I can only strengthen my belief that intelligence on this planet is a constant.

Think of it as evolution in action.

[Black+Parrot]

For those objecting to the theory of evolution in the other thread, I submit that this is exactly how the human race got smarter. Those guys are going to miss out on a lot of breeding opportunities - at least, breeding of the kind that produces babies.

Re:Honestly, I'd have to say they were pretty dumb

[Qwerpafw]

its true that people need to make points sometimes, but the point they seem to be making is that people who brag about hacking get busted.

Which is nothing particularly new.

Oh, and the governement is better and has more rights than us. See vigiante justice. Lets say you know someone is a criminal. for example, they are pirating mp3s. You cannot do anything about it, other than maybe tell the governement. The governement can bust them, which almost never happens, because its a minor thing. Record companies want to have the "same rights as the governement," as you put it--they want to be able to search your computer, hack it, and basically fuck you up.

There is a reason why joe billy bob next door is not allowed to do the same things the police is allowed to do. Wouldn't it suck if any old bitchy mom could pull you over for speeding and make you pay $150?

Authorization?

[renehollan]

What part of connecting the computers to the public internet and not firewalling inbound traffic was not authorization?

I don't get it.

Someone buys a house, leaves the door open, and posts a big, honking, lights flashing sign, that says "Enter".

Again, how is subsequent entry not authorized?

If you don't understand the Internet, stay the fuck away.

Re:Authorization?

[Reality+Master+101]

An unlocked door does NOT imply a "big honking sign that says 'enter'". If you walk in my house uninvited, whether I leave the door wide-ass open or not, you are still risking my blowing your head off.

Re:Authorization?

[Faeton]

If you did it in Texas, it would be OK to shoot the guy that came in.

Re:Authorization?

[Scrameustache]

you are still risking my blowing your head off.

This got rated Informative?
Yikes, we've got paranoid moderators...

Re:Authorization?

[NeMon'ess]

Nevertheless I'll reserve the right to post signs all over town in the dead of night saying your door is unlocked because you're really stupid. These folks shouldn't have made a publicity grab or they shouldn't have mucked about inside the army systems. I wish some army heads would roll over this, but they won't.

Re:Authorization?

[rehabdoll]

Ofcourse its informative. I'd like to know when im risking my life :)

Re:Authorization?

[renehollan]

An unlocked door does NOT imply a "big honking sign that says 'enter'".

Ah, but it certainly does, as far as the Internet is concerned. You are making the traditional mistake of comparing cyberspace to meatspace, where your statement would be true.

The internet may not have been intended to be designed in the spirit of an open community, but that's how it turned out: it was used as a collaborative research tool for the exchange of information. Things were made available with the implicit cultural assumption that copies were free to be taken and examined. The meatspace analogy would be a community where the norm was that people were free to wander into any house, and look around, just not damage anything. If there was a door, just jiggle the lock if it's stuck. People asking about FTP passwords weren't rebuffed, they were told about "anonymous" and were gently asked to leave their "email address at the door", as it were.

While some security was available, in terms of password-protected telnet access, the general rule was that you didn't put stuff on an internet connected computer that you'd mind becoming public.

This culture extended to the development of the WWW: it was designed as a way to facilitate the sharing of information enhanced with links to related stuff: all pages were equal. The concept of "deep-linking" didn't make sense -- it mattered more that you could get to a page of interest.

Fast forward to commercialization, constrained-navigation (so you're forced to see ads), and the desire to use the open community's communication mechanism for virtual private communication (VPN, duh, but also plain old SSL and IPSec encrypted traffic). Enhanced privacy, security, and constrained site navigation are exceptions, not the rule. There are legitimate reasons to support these, you can beef up security if you wish, but, and this is the kicker, when it comes to "old-net culture", the onus is on you to lock things down and not presume that the norm is "stay away unless invited". Rather than a community of homes, the analogy is a mall of stores, public libraries, and free art exhibits, inviting and open to all.

This is why I wrote "If you don't understand the Internet, stay the fuck away."

Here was a peaceful, cooperative community, that helped provide the means for secure communication to those that wanted it, and wound up getting culturally hijacked by people who refuse to accept that there are certain customs to follow if you really want people to not look and stay away.

We gave them an "Http-Referrer" field for <insert deity here>'s sake. How arrogant of the "thou shalt not deep link" hounds to not use it. It's like someone building a two-way road and a bunch of idiots insisting on driving on the "wrong" side because it's the "right" side where they came from. Funny, Yanks drive on the left in the U.K., Brits drive on the right in the U.S.A. Perhaps when someone whines about the curious seeing what they oughtn't in an ignorantly open site, the data should be blown to a bunch of mirror sites, like car parts thrown from an auto collision.

You know, those that designed the internet protocols should have patented them (you can patent a protocol, I think), and used the clout to take away the right to play on the net from those that refused to adapt to the lingua franca's idioms. Of course, they probably would have to assign such patents to the DoD and others, so that dream is a bit foolish, but the lesson should be learned: if you don't want others to pollute and poison what you make, you need to protect it from those that would try while making it available to all others (which is why the GPL is so brilliant a concept, though it appear we need to get some clue-clubs to help enforce it).

O.K., I'm out of breath, so this rant is over. Mod me down as you will.

Re:Authorization?

[Reality+Master+101]

Nevertheless I'll reserve the right to post signs all over town in the dead of night saying your door is unlocked because you're really stupid.

Yeah, because who the hell would want to live in society where you could leave your door unlocked? Much better to punish anyone who dares try to make such a society.

Re:Authorization?

[Reality+Master+101]

This is why I wrote "If you don't understand the Internet, stay the fuck away."

In the same vein, let me answer this with: "No, fuck YOU".

I suppose you might make the argument that the "early Internet" was this way (although you're full of crap if you think "anything you can exploit is OK"), but so what? I'm sure you can find early primitive societies where everything was shared. So what? What works for a small community doesn't necessarily work for a large community. And guess what? The Internet is a large community now. The rules have changed, and no one cares what the old rules were, because they're irrelevent.

In other words, let me put it succinctly: STAY THE FUCK OUT OF MY COMPUTER UNLESS I WANT YOU THERE. If some l33t teenager was caught breaking into my computer, I would have absolutely no hesitation in prosecuting him to the fullest extent of the law. We need to make some examples out of these idiots.

Re:Authorization?

[renehollan]

In other words, let me put it succinctly: STAY THE FUCK OUT OF MY COMPUTER UNLESS I WANT YOU THERE

And, my response is, "If you leave a port open, particularly port 80 and other well-known ones, you are saying, 'Welcome! Look, but don't touch, and please don't repeatedly enter and exit the revolving door -- it gets in the way of others'".

There are ways for you to say the equivalent of "keep out". Learn how to use them! The Internet only functions as an effective information exchange medium when the presumption is that one can actively seek things out -- the whole notion of search engines would not exist if this were not possible (and even here, you have the option of controlling spiders with robots.txt).

On a more practical note, I can't keep my traffic out of your computer as I have no control how my packets get routed -- only you can chose to not be a router in the public net.

If you wish to push the idea that access to information available by the Internet should be "by invitation only", then I think a lot of those who believe the opposite would want you to live by your words and stay away from our sites (particularly mine - you are not invited and I'll be watching my access logs). How can you tell where you can and can't surf? You can't. So, just unplug your net connection and go home to your pre-networked life. We don't want your kind here. While I wish you no physical harm, it nevertheless gives me a warm fuzzy feeling to think that there are those who believe that preserving the open nature of the net trumps the right to life of those who would forcefully deny this to us by ultimately threatening our freedom to communicate as we chose.

Re:Authorization?

[NeMon'ess]

Its a very noble idea, but just leaving your door unlocked is the wrong way to go about it. Start by reading my second journal entry and responding. People will commit crimes when they don't know who is the victim and have been victimized themselves, including by society. Offer assistiance to help make sure everyone has the opportunity to succeed, then think about leaving your door unlocked. Unfortunately some humans won't help themselves even when others offer their hands to lift them up. It is these humans who still might steal your stereo when everyone else lives in a near-utopia.

You'd think that...

[SporkKnight]

They would at least let the Army know what they did before publicly telling people how to break into government property.

Re:You'd think that...

they didn't publicly say _how_, you fat idiot

bloody laws

[superpeach]

Under U.S. law, it is a felony to access a computer without permission
Does anyone know what the laws are on this kind of thing in the UK? or where to look them up. Basically, how illegal is it for me to go and delete files from spammers machines who cleverly allow write access to all on their windows boxes.

Re:bloody laws

[beebware]

Check out the Computer Misuse Act - basically, you'll first be breaking into their system (breach of part 2), then you'll be making unauthorised modification of their files (breach of part 3). You'll be looking around 5 years imprisionment and possible a fine.

Re:bloody laws

> Basically, how illegal is it for me to go and
> delete files from spammers machines who cleverly allow write access to
> all on their windows boxes.
Basically my advice as your lawyer would be that you don't want to know and don't need to know if you don't tell me or anybody else about it.

I did a security test this week

[WildBeast]

I placed an unpatched Windows machine on the internet with no firewall protection whatsoever and shared the Inetpub directory. I wanted to know, how long it'll take before someone decides to crack into my machine. Sure enough, it took only two days.

This test really made me realise that there are plenty of crackers and criminals out there that are waiting for a chance to get into your PC.

The point I want to make is that, I'm sure those army computers have been accessed by crackers plenty of times before.

Re:I did a security test this week

[casings]

this is called a honeypot, a system purposely left open for varying reasons.

congratulations on a successful honeypot. Did u log the ips?

Re:I did a security test this week

[kris_lang]

My firewall regularly notes random attempts onto port 80 on an average of 10 times a day, onto port 21 twice a day, 23 twice a day, and of course the standard Microsoft SQL worms on 1433 once to twice a day. My standard nslookup and dig -x _ _ soa note that I get these incursions from around the world.

Back when I was connecting with a Mac Powerbook G3 and using telnet (I know, I know, the sysadmin did not have ssh installed on my uni account back then) I'd always have my ftp log window open. I'd regularly see attempts to connect into the telnet programs FTP port once to twice a day, and that was with me being logged on about one hour per day. And that was with a system that dynamically assigned IP numbers. So there are many many random script kiddies out there attempting to probe whatever IP address they randomly choose.

Re:I did a security test this week

[catfood]

I'm a bit surprised it took two whole days. I would expect more like two hours. The script kiddies are everywhere.

Re:I did a security test this week

[psych031337]

I placed an unpatched Windows machine on the internet with no firewall protection whatsoever and shared the Inetpub directory. I wanted to know, how long it'll take before someone decides to crack into my machine. Sure enough, it took only two days.

Can you elaborate some more? What OS version, what services enabled, what do you mean by "inetpub" dir? My Documents? Sharing by SAMBA?

The point I want to make is that, I'm sure those army computers have been accessed by crackers plenty of times before.

In case you haven't done it already, go get a copy of Clifford Stoll's "Cuckoos Egg". It is a quite easy read for a book concentrating on a hack, but then again it is not quite dense on details. Then you will realize that there were times, when people could actually take CONTROL of army machines from ABROAD and no one even wanted to investigate. FBI quote: "We can't investigate without a loss/damage of more than $1m. How much is that you lost? 75cents in billed cpu time?" Other agencies were not quite as verbose but just as uninterested...

Re:I did a security test this week

Well these things have in fact been measured

• Between April and December 2000, seven default installations of Red Hat 6.2 servers were attacked within three days of connecting to the Internet. Based on this, we estimate the life expectancy of a default installation of Red Hat 6.2 server to be less then 72 hours. The last time we attempted to confirm this, the system was compromised in less than eight hours.
• The fastest time ever for a system to be compromised was 15 minutes. This means the system was scanned, probed, and exploited within 15 minutes of connecting to the Internet. Coincidentally, this was the first honeypot we ever setup, in March of 1999.
• A default Windows98 desktop was installed on October 31, 2000, with sharing enabled, the same configuration found in many homes and organizations. The honeypot was compromised in less than twenty four hours. In the following three days it was successfully compromised another four times. This makes a total of five successful attacks in less than four days.
• In May 2000, the first full month we archived Snort Intrusion Detection alerts, the Honeynet recorded Snort 157 alerts. In February 2001, the Honeynet recorded 1,398 Snort alerts, representing an increase of over 890%. This increase may be affected by modifications to the Snort IDS configuration file. However, we also see an increase of activity in the Firewall logs. In May 2000, the first full month we archived firewall alerts, the Honeynet firewall logged 103 unique scans (not counting NetBios). In February 2001, the Honeynet logged 206 unique scans (not counting NetBios). This represents an increase of 100%. These numbers indicate blackhat activity has continued to grow, most likely the result of more aggressive, automated scanning tools and their growing availability.
• In a thirty day period (20 Sep - 20 Oct, 2000), the Honeynet received 524 UNIQUE NetBios scans, averaging 17 unique NetBios scans every day.
• In the month of February, 2001, a total of 27 X86 exploits were launched against the Honeynet. X86 means these attacks were designed for systems using the Intel based architecture. Of these, 8 were launched against a Solaris Sparc system. These exploit attacks cannot work against the Sparc system, as the system architecture is not compatible. This indicates that some blackhats are not bothering to confirm what operating system nor what version of the service you are running. Some blackhats have streamlined their scanning process to merely look for a specific service. If they find the service, they launch the exploit without even first determining if the system is vulnerable, or even the correct system. This active approach allows blackhats to scan and exploit more systems in less time.
• From April 2000 through present, the most popular reconnaissance methods, besides general scanning, was DNS version query, followed by queries to RPC services.
• The most popular attack method was an overflow associated with rpc.statd for Intel based systems.
• The most popular scanning method detected was the SYN-FIN scan to search the entire IP range for specific ports (often in sequential order). This reflects the tactic of focusing on a single vulnerability, and scanning as many systems as possible for the vulnerability. Many blackhats only use a single tool or exploit that they know how to use, or is the most effective.

Data from the honeynet project, emphasis mine, I am a bit sorry for this excessive quoting, reading this paper back gets me as even more scared then the first time, now I know that the US army did not include this in the mandatory reading for admins. btw having a nc -L -p 80 listen around tells you know when its someone in person looking for you or "just" nimda, I would imagene you would see even more of the former in the .mil domain :-(

America America

[catwh0re]

America, America, land of the free...

Re:America America

You sir, are a fucking retard. These people did a criminal act, then told the news about it. Only someone as retarded as you would not expect to be caught.

Re:Honestly, I'd have to say they were pretty dumb

[WildBeast]

This looks like hierarchy to me.

Anyway, I say live and let live. There's just no reason for the government to put his nose in other peoples business.

government

[TamMan2000]

Supposedly, in the USA:

The government of the people, by the people, and for the people. The people who are allowed to spy are of the government, spying for the government. So your own representatives are spying on you... not you spying on someone else, after all the government represents several others as well, not just you personally, spying on the goverment is like spying on them.

So this is the like the difference between holding your camera out at arms lenght to take a photo of yourself and your neighbor taking a photo of you through your window, without your knowledge and posting it on the net...

Re:government

[WildBeast]

So in short, I am required to Open Source my life but the government on the other hand will not open his. Doesn't sound fair to me. Looks more like a friendly dicatorship.

Re:government

[TamMan2000]

Don't you get it? You are not separate from the government. If you would like to be, go live in a dictatorship.

Re:government

[WildBeast]

So I'm part of the government yet I can't know everything about it?

Re:government

[gilroy]

Blockquoth the poster:

So I'm part of the government yet I can't know everything about it?

Well, duh. Do you really think you have a right to know, say, the operational plans of the 101st Airborne division? I'm all for transparency in government but you have to be reasonable. Does that mean in this case there's a reason for opaqueness? I surely do not know. But in some cases, there certainly is.

Just because it's "your" government doesn't mean you own the thing, for Pete's sake.

Re:government

[Etcetera]

Nope. Because a majority of the People have decided to allow the people they place in charge discretion in a few specific areas.

A majority of people feel that it's important to keep the identities of people in witness relocation programs secret.

You don't like it, grab a bullhorn and convince the Rest of Us why we should change.

Re:government

[WildBeast]

Well does the government have the right to know that I'm cheating on my wife? I don't think so.

Re:government

No, you cannot know everything about it. You can find out an awful lot with the Freedom of Information Act, but the government has the right and duty to keep things secret. In your utopian world there might not be other countries outside of your United Federation of Planets, but for the rest of us we like to keep information from the bad guys. To keep things from the bad guys also sometimes means keeping it from morons like you who clearly feel justified in releasing any and all information to the press (you see, our enemies are known to read the paper from time to time).

Re:government

Zoooooom!

That went right over my head. What the hell are you talking about and what does that have to do with this thread?

In any event, lets pretend you are entrusted with sensitive information or access to sensitive areas (and apparently we will have to suppose that once entrusted with this that you wouldn't go running to the highest mountain to shout out what this information is), then the government does have the right to know if you are cheating on your wife because that exposes you as a potential blackmail target.

Re:Need some advice guys! :o(

[Graspee_Leemoor]

Depends if you really think your life sucks because of your own evaluation of it, or whether you think that because of what society has lead you to believe based on what "everybody says".

If you think it's sad that it's Friday night and you're on /. then it's simple- go out and be where people are.

I personally couldn't give a shit. I spend all weekends in browsing the internet, watching anime, masturbating excessively and playing computer games. Now society will tell me that I don't have a life- but I say that society is a bunch of dumb-fucks and I know what I enjoy.

graspee

disarmingly honest since 1862

Definition

[xintegerx]

What?

The government set up honeypots to observe and catch hackers fishing for benign data? Yes. And FTec found one? POSSIBLY. The FBI would have raided the company regardless in due time, because the company might have likely been in a MONITORED government honeypot.

Yes, even real users have easy to guess passwords. But if it was too easy, like the FTEC company states, it could have definitely been a honey pot they accessed.

Definition
honeypot n. 1. An Internet-attached server that acts as a decoy, luring in potential hackers in order to study their activities and monitor how they are able to break into a system. Honeypots are designed to mimic systems that an intruder would like to break into but limit the intruder from having access to an entire network. If a honeypot is successful, the intruder will have no idea that s/he is being tricked and monitored. Most honeypots are installed inside firewalls so that they can better be controlled, though it is possible to install them outside of firewalls. A firewall in a honeypot works in the opposite way that a normal firewall works: instead of restricting what comes into a system from the Internet, the honeypot firewall allows all traffic to come in from the Internet and restricts what the system sends back out.

By luring a hacker into a system, a honeypot serves several purposes: The administrator can watch the hacker exploit the vulnerabilities of the system, thereby learning where the system has weaknesses that need to be redesigned. The hacker can be caught and stopped while trying to obtain root access to the system. By studying the activities of hackers, designers can better create more secure systems that are potentially invulnerable to future hackers.)
http://www.webopedia.com/TERM/H/honeypot.html

Simple theory + a suggestion

[cioxx]

FBI (gov't) had to make a move on the company (ForensiTec) to send a message to other would be security people not to test the waters just to get recognition.

They know the network security is lagging behind times in some cases, there are holes. The last thing military needs is bunch of Steve Gibson wannabees portscanning the military servers.

In all, FBI made the right choice by raiding those clowns.

Here's a better suggestion

ForensicTec should get hooked up with omegakidd, and they should conquer new territory and lead us all to the promised land of security where system intrusion no longer illegal.

It's funny how these folks get a tax id, set up a site and adopt the word 'security' thinking it's a license to hack servers, then go public after prolonged periods of time for personal gain.

Re:Simple theory + a suggestion

ForensicTec should get hooked up with omegakidd, and they should conquer new territory and lead us all to the promised land of security where system intrusion no longer illegal

Good connection. The Honeypot Whitepaper is so similar to this story.

It was one of the best threads I've read on /. in a long time. Highly recommended reading.

Re:Simple theory + a suggestion

[Eccles]

The last thing military needs is bunch of Steve Gibson wannabees portscanning the military servers.

No, the last thing they need is Al Queda sympathizers accessing their systems. If the portscanners point out that their systems are susceptible, they should *fix* them.

Re:Simple theory + a suggestion

What really annoys me is the s/Communists/Al Qaeda/g done by the political spin.

Re:2nd

no shit

hmm

[Graspee_Leemoor]

I think the army/fbi/government should welcome people trying to crack their computers. They should give out prizees for people who find holes ala Knuth and errors.

Which would you rather have- "evil" albeit boastful white-hat crackers "on the loose" or gov/mil computers that are insanely easy for terrorists to get into ?

So- to everyone whining about "ohohohoh they did something illegal- they should pay...." SHUT THE FUCK UP YOU ARE WRONG!

heheheh Had to get it out of my system.

graspee

Re:hmm

[gilroy]

Blockquoth the poster:

So- to everyone whining about "ohohohoh they did something illegal- they should pay...." SHUT THE FUCK UP YOU ARE WRONG!

Um, if they were so altruistic -- patriotic, evem -- then why didn't they tell the Army, rather than blabbing it on a public forum? I mean, yay for accountability and the holding of incompetent feet to the fire. But now you gotta pay the cost of your civic virtue...

Re:hmm

[kwishot]

Right now any attempted hack on Government systems would be considered illegal and bad.
As soon as you open the floodgates for "white hat" hackers to help you, a) it becomes much more difficult to discern between "good" and "bad" traffic (meaning some people would be out to help you, some would be out to hurt you) and b) it would bring much more attention to hacking your network in general. I don't know about you, but I'd rather have 100(arbitrary) people trying to hack our government than 1 million people trying to hack our government -- the chance for success is much greater (yes, those numbers are made up and exaggerated).
The only time I can see something like this being effective is when the system being attacked is either a honeypot (see above) or ..... ? You're forgetting that telling people to hack the government isn't just telling someone to hack any old computer -- success is potential disaster.

-kwishot

Re:hmm

What a fscking lame moron you are! Go back to elementary school, learn some basic algebra and first grade logic before coming back on the internet again, you zitface retard!

I don't see what the problem is...

[brooks_talley]

Rent-a-cop company raided after beating up govenment officials
San Diego, CA

Officials at SecureTech expressed surprise over an early morning FBI raid. For the past few months, SecureTech had been waylaying public officials and beating them to a pulp. The raid came just hours after a Washington Post article mentioning the beatings.

Brent Clueless, SecureTech spokesperson, decried the search. "A few months ago, while installing video cameras in a local mini-mall, we realized that some government officials had woefully inadequate security. Some of them drove the same route home every day, and a few of them even left their front doors unlocked at night. By sneaking in and severely beating in their own houses, we hoped to draw attention to this problem and maybe gain some positive publicity for our security firm."

"We only continued the break-ins and beatings because we were surprised that it was so easy, and we were curious about just how much truly malicious people would be able to get away with, " Clueless continued.

Cheers
-b

Re:I don't see what the problem is...

Funny, but the analogy isn't quite accurate. "severely beating in their own houses" would be akin to actually doing damage. This was more like walking in to their houses in the middle of the night and scaring the shit out of them. "severely beating in their own houses" would have been equal to actually doing damage or stealing materials.

Re:I don't see what the problem is...

Yeah, like stealing files full of social security numbers (among other things) ... which the article said they did.

Got raided by the FBI

FBI: "All your stuff are belong to us."

Irony

[echophase]

From their website: "ForensicTec Solutions, in partnership with MicroSkills, proudly announces the development of the ForensicTec Security Certification Program. This certification is one of the first of its kind to be offered at a computer learning facility. The program will teach current and future IT personnel how to implement and maintain secure computer networks. We are excited about the opportunity to develop this certification course because we believe that many IT directors and staff members in the private sector have not received the proper training to adequately protect their respective company's network systems. In a state of heightened alert concerning unauthorized breaches, cyberterrorism, and network vulnerabilities, having a trained security expert on staff will help companies understand the need for greater security measures as well as provide an extra layer of protection for their network systems. For more information about the ForensicTec Security Certification Program, please contact ForensicTec Solutions at (877) 863-3332 or MicroSkills at (858) 348-8001."

What is wrong with you all?

[Henry+V+.009]

My God, what is up with slashdotters? There are a million people posting along the lines of: if I break into someone's house and steal their stuff, then tell them that they need a new lock, it would be just like what these guys did.

Dumbasses.

It wouldn't.

If these people had actually sold the social security numbers they had gained, or sold the secrets to the Russians, that would be one thing. Instead, they simply got on the network to see how far the vulnerabilities went. Anybody see the difference? Any Americans out there think that every foreign country or group out there that happens to hate us hasn't already done this to our Army's computers?

Goddamn, but these people see more like patriots than criminals. I'd feel a lot safer if the FBI raided the houses of the system admins who set up the unsafe networks instead of these people.

Re:What is wrong with you all?

[brooks_talley]

You're right. It's not like breaking into someone's house, stealing their stuff, then telling them they need a new lock.

It *is* like breaking into someone's house, going through their papers and files, then telling the local newspaper that this particular house has a crappy lock that's easy to break into.

Can you justify that?

As for whether "every" group that hates the US has already broken into Army computers, I wouldn't speculate on that. I would say, though, that these folks sure helped anyone who hasn't done so already pick an easy target. How patriotic, eh?

Yes, it could have been worse. However, what they did was 1) illegal (isn't everything these days?), 2) stupid, and 3) amateur. You can almost always get away with one out of those three. Often with two out of the three. Go for three out of three, though, and you're going to see some trouble.

-b

Re:What is wrong with you all?

[Henry+V+.009]

It *is* like breaking into someone's house, going through their papers and files, then telling the local newspaper that this particular house has a crappy lock that's easy to break into.

My God! You don't see any difference between computers connected to a public network and papers locked behind people's closed doors?

But even if I were to allow your point, that would be a privacy violation. The issue here isn't a privacy violation. The issue is illegal hacking. We are being very stupid, not them, if we want these kinds of actions classified as illegal hacking.

As for this company being stupid--I see them as whistleblowers, not stupid. It's dangerous to be a whistleblower, but it is damn moral.

Re:What is wrong with you all?

Bzzt. Wrong, dumbass.

Re:What is wrong with you all?

I don't know about the other guy, but I sure don't see the difference between computers connected to a public network and papers locked behind a closed door. And I hope that the law doesn't see the difference either. I suppose you don't have a problem with the pickpocket who is taking wallets from a public forum and the wallets aren't even secured with a lock! Surely he is doing his victims a service by letting them know how insecure the button on their pants pocket is. If the idea that property is taken, well then I'm sure you then wouldn't have a problem if "Fingers" just rifled through the wallet before giving it back.

I most certainly see these actions as illegal hacking, and the company is not only stupid, but are felons that should be punished accordingly. If they want secure the computer systems and even make a buck at it, they should sign on as security auditors with the Army. Then they could test the system security with the blessing of the Army. If they don't have the blessing, they get busted. And what is a privacy violation? Your view seems to think that if someone breaks into my house or a store and doesn't do anything then it is a privacy violation. Well the law would call it breaking and entering, whether it is my house, a store, or a computer system.

The line a lot of people seem to take is that these actions should be based on intent. Well how the hell do you tell that? Just take their word that they didn't copy any information or take some other undetected action?

Re:What is wrong with you all?

[haystor]

The passwords protecting computers on the public network are much more complex than the locks on most peoples front doors (connect to public streets). That doesn't mean that the next locksmith has every right to wander through your house and leave a note telling you that you need to upgrade to a moat, guard dogs and a laser turret.

A locksmith can get into virtually anyone's house. What happens when they are caught doing it univited? They are arrested.

Even if all these people had to do was guess some passwords, they knew they were guessing passwords that were meant to keep something away from them. That means they knew they were taking something that wasn't theirs.

Re:What is wrong with you all?

[geekoid]

so its like, someone found out a vulnerability to your home alarm, exploited it and just looked through your stuff.
actually its a little different, because they sat at a computer terminal far away, they didn't get shot.

You can bet your butt there will be a calling out onto the carpet for those system admins.

Re:What is wrong with you all?

[AceCaseOR]

Well, not to pick nits, but technically, that's not whistleblowing.

It'd be whistleblowing if the network administrator at the base had told higher ups in the federal government about it, and possibly gotten fired.

It's not whistleblowing if an outside, non-governmental agency, hacks the system and sees how far they can go, goes and tells the press that they've done it and what they were able to find, and then gets the book thrown at them by the government.

They could have handled this a lot better. They should have offered their services as an independant contracter to the federal government, and, *if* they were hired, done the hack. However, they would have been *paid* to do the hack, and given permission to do the hack. That way they would not be stepping on anyone's toes.

Re:What is wrong with you all?

[fermion]

It *is* like breaking into someone's house, going through their papers and files, then telling the local newspaper that this particular house has a crappy lock that's easy to break into.
No, they were not breaking into someone's house. They were walking into an open unguarded government office, and picking up some confidential documents lying on the desk. I believe that confidential documents are traditionally behind locked doors and guards to keep such a thing from happening.

Can you justify that?.
How can you argue that it is acceptable to leave confidential document in an unlocked, unguarded office for anyone to take. Do you live in the real world where confidential documents are securely stored, or in la la land where everyone is trusted to follow the rules?

In this case, the government has not fulfilled their mandate to guard the security of the U.S. and it's citizens. A Citizen of the U.S. discovered this, and went to the press. Citizens of the U.S. have that right.

The Government also has the right to find some way to punishing these citizens for exposing Government incompetence. A cynic would say that was to expected. A more rational person would hope his or her government would spend some time trying to solve the problem instead of engaging in a cover-up. This is especially true as we are suppose to protect whistle blowers to ferret out corruption, although I realize the Bush administration is intent on hiding behind homeland security.

I certainly am not saying that what these people did was strictly legal, but I would hope the U.S. government would take security a bit more seriously. I understand it is a learning curve.

Re:What is wrong with you all?

[fferreres]

As for whether "every" group that hates the US has already broken into Army computers, I wouldn't speculate on that. I would say, though, that these folks sure helped anyone who hasn't done so already pick an easy target. How patriotic, eh?


Exactly how? Are they sending Al Qaeda (generic term for terrorism these days) information on how to get in, are they sending them some information they gathered?

I can only see these break-in that go into the newspapers as way to make sure the right people know they ARE vulnerable, and that you don't need much resources or reserach (no nukes, just an internet link) to do it.

It's a BIG WARN letter. You may not like it, but it's a gift from god these breaking come from these nerds and not from actual terrorists. You will disagree for sure, i just want to express that I do not understand your point of view.

Re:What is wrong with you all?

[viperblades]

did you read the article??? stupid idiots........ "Army investigators had been made aware of the intrusions at Fort Hood weeks earlier and had been looking into the situation when ForensicTec made public what it found, one government official said."

Re:What is wrong with you all?

[O0o0Oblubb!O0o0O]

how naive can people be, to think that just by stating that they had good intentions, the government is freed from their duty to protect its information. it is in the public interest to check whether there has been a leak.

last not least, breaking into someone's house is a crime, and the consent needed for it not to be, cannot be substituted by good intentions.

Re:What is wrong with you all?

[stienman]

No, they were not breaking into someone's house. They were walking into an open unguarded government office, and picking up some confidential documents lying on the desk. I believe that confidential documents are traditionally behind locked doors and guards to keep such a thing from happening.

Which is still tresspassing and is still illegal. Just because the fence isnt very high, and the doors are unlocked doesn't mean you are allowed to enter and shuffle through their stuff.

There are alltogether too many people claiming that the 'online world' is different than the physical world, and should have different rules, laws and regulations. I believe this to be a bunch of bull. While there are a few paradigm changes the basics of freedom, privacy, and reasonable security still apply. The laws that exist currently should be smartly applied to online cases and only when they are found to be severely lacking should we consider new/different rules.

In most cases this is not needed. Trespassing laws (using their equipment w/o their permission for one) should neatly tie this case up.

Even if you did leave your front door open others are still liable for charges if they choose to enter your property without your permission.

-Adam

Re:What is wrong with you all?

[Scratch-O-Matic]

My God! You don't see any difference between computers connected to a public network and papers locked behind people's closed doors?

Yes, there is a difference, but I think all the analogies relating to house-breaking are legitimate.

You seem to be implying that being connected to the public network means that you have less right to privacy and security. But the connection to the public network is for the owner's own use, or the use of others on the terms of the owners. The public connection is analogous to the sidewalk and driveway in front of your house..the fact that those paths exist doesn't give anyone the right to walk up them and through your (inadequately) locked front door.

Re:What is wrong with you all?

[reallocate]

Breaking into government property is against the law. Doesn't make any difference if someone is stupidly exposing shares in the open. Just like it doesn't make any difference if you walk in to someone's office and walk out with the contents of their unlocked filing cabinets.

You can't defend it by claiming some higher moral right. Doesn't make any differencee if the data is in a filing cabinet or on a server. You can't justify breaking and entering or illegal hacking just by claiming to be "testing" security.

You don't want it to be illegal? Ok, suppose you're in charge of your company's network security. I successfully break in and steal data. Tell me how you're going to finese that by pointing to the morality of the thieves.

Re:What is wrong with you all?

[dachshund]

The end result of what these people did is an almost guaranteed improvement in Army security. And that's really the bottom line.

We create laws like trespassing (and its online equivalent) for various reasons; in the case of the military it's to keep sensitive information secure. When those laws are working against their stated purpose, we need to be flexible enough so that we don't wind up cutting off our nose to spite our face.

I might feel differently if this was a private citizen being hacked. A private citizen might have any number of complex reasons for not wanting their stuff examined, and it's not up to a court or public body to judge them and determine whether the benefits outweigh the harm. The military should have only one reason: security. And if the final result is not a loss of security, but hopefully an improvement... then it's illogical to nail people to the wall just because the book says you can.

Re:What is wrong with you all?

I work in FedGov IT. We're not all morons. In fact considering the massive networks we have to ride herd on and the lowball budgets and government-wage salaries we have to pay talent, we do pretty well. But the iron law is clear: the bigger and more complex your systems get, the easier they are to own. I work with/for/around a group of 200+ scientists - I still have to use little words to explain why we enforce password rules. I can't imagine trying to get that idea across to a jarhead! (Attention Marines: Joke! Kidding! Bad stereotype! Semper Fi!)

But in the post-9/11 world, we do have an advantage noted above - the dreaded Search Warrant Exploit. I know the difference between some script kiddie bouncing off my outer firewall and somebody with a clue, and if you come after me with your best shot I'm going to come right back at you with mine. And my best shot is a call to my local FBI field office. And you'd be amazed how agile, responsive and resourseful your local Fed can be when he sees a threat to a .gov or .mil network.

Bottom line: Do not do stupid, illegal things to people who can get you arrested with good cause.

Re:Honestly, I'd have to say they were pretty dumb

[leviramsey]

Lets say you know someone is a criminal. for example, they are pirating mp3s. You cannot do anything about it, other than maybe tell the governement.

You could also make a citizen's arrest.

Dumb, Dumb, Dumb...

[diwolf]

I honestly can't believe that these people thought they could hack in and then brag about their accomplishments and have no recouse?? What did they expect, a congressional medal of honor? I can see it now:

President: Thank God you boys broke into our computer systems and showed us how easily Osama Bin Laden could have done the same thing...

Hacker: No problemo Mr. Prez...

President: I'd like to give you guys EACH a congressional medal of honor--after all, the government just adores people who point out to the world how completely stupid we are!

Hacker: Gee, Thanks! And to think.. This was all because we bragged to the Media of our accomplishments!

uhm, yeah....

Why is this even news?

[Brian_Ellenberger]

If they broke into the base, photocopied some records, and bragged about it noone would have even thought twice about their arrest. But now that it is electronic it is of some sort of interest to Slashdot? Very sad.

Look if you want the virtual world to be treated like the real world (privacy, source code = speech, etc) then you have to accept it works both ways. Breaking in electronically is the same as physically. It doesn't matter how "weak" the security is. Just because I can throw a brick through a window and rob a store, doesn't mean it is somehow the store's fault for having windows.

And sure I am concerned about military security. And it is disturbing someone could hack into it. But that doesn't give ForensicTec the right to go hacking it. I'm worried about airline security but I can't take it upon myself to see if I can get a gun through security.

Brian Ellenberger

Re:Why is this even news?

[Milalwi]

If they broke into the base, photocopied some records, and bragged about it noone would have even thought twice about their arrest. But now that it is electronic it is of some sort of interest to Slashdot? Very sad.

I think this is news because of ForensicTec's attitude. As the poster said: "What did they expect?" The problem is that there are quite of few people out there that see this activity as somehow different than breaking into the base and photocopying records, even though it's not.

And sure I am concerned about military security. And it is disturbing someone could hack into it.

Yes. However, not to lessen the severity of the issue, but I think you would find that the stuff that really needs to be protected, is really protected. From my reading of the article, they mostly got personnel records.

Security is a process, and it looks like the Army has quite a bit of "processing" to do.

Milalwi

Re:Why is this even news?

[nathanh]

Look if you want the virtual world to be treated like the real world (privacy, source code = speech, etc) then you have to accept it works both ways.

And you worked this out all by yourself?

Wow, you must be some kind of visionary.

Re:Why is this even news?

[noamt]

Just because I can throw a brick through a window and rob a store, doesn't mean it is somehow the store's fault for having windows.

But what if they have (MS-) Windows ? Isn't that their fault?

Noam.

Re:Why is this even news?

[reallocate]

Yes, very sad. Judging from reaction to this and similar stories, a great many Slashdot readers believe that the law should treat them differently and that they aren't responsible for their actions.
Probably attributable to Slashdot demographics, but the attitude risks provoking a lot of restrictive legislation.

Re:Why is this even news?

What is very sad is that you are claiming that exploiting 'holes' in Army's computer's security is analogous to a "break into a base" generic case, and hoping that the added impact of the generic case carries your argument beyond the more common "break into a house" case. Unfortunately for you, not only is your analogy as fundamentally flawed as the others', but the extra drama of raiding a secure installation (vs. somebody's house) only serves to highlight the difference between the two generic acts of accessing a networked computer and trespassing.

Re:Need some advice guys! :o(

I have enough trouble with my karma in the real world... so I'm always careful to both post, and shout at people in an anonymous fashion...

recompile.org

Re:Honestly, I'd have to say they were pretty dumb

[Reality+Master+101]

If the government can monitor our phone calls, internet emails, conversations, etc. then why can't we spy on the government to?

Because there are things that the general public should not know. An obvious example would be the list of people in witness relocation program. Obviously there are a lot of military information that is not in our best interest for our enemies to know as well.

Re:Honestly, I'd have to say they were pretty dumb

[WildBeast]

Good enough. Then they should understand that there are things that the government should not know and stop spying on us.

Re:Honestly, I'd have to say they were pretty dumb

[Planesdragon]

Well they gotta make a point. If the government can monitor our phone calls, internet emails, conversations, etc. then why can't we spy on the government to? Or does the governemnt thinks that its better than us and that it got more rights than us?

The government is us. When you or I deal with the will of the people, we are not forced to do so by the whim of the crowd, but by the powers elected and appointed to speak for and act in the interests of the people.

The government, as a nebulous nonpersonal entity, is a slave to every one of its citizens, and exists for no other purpose than for the well being of those it serves.

The problem, of course, arises in that "the government" may be an inpersonal slave, but the people who run the government are very personal, flawed, human beings. It is these people who are put in power that are watched--and they're watched by other people in power who got put there different ways and across different levels, until we get back to the elected representatives and the voters en masse.

If you take away the government's unique right to spy & investigate with legal warrant, documentation, and accountability, (see: the FBI getting smacked for lying to judges), then you're left with either an illicit society of secrets ("If no one can see me do it, then I can get away with it") or a distopian society of eternal spying.

I would rather have some suit who's salary is paid for by my taxes spying on me than some random looney off the street.

Oh--and you (assuming that you're an American citizen) CAN spy on the government. You just need to do it with a time delay. Ever hear of FOIL? The fourth branch of government? The @#$ing drudge report? (slashdot?)

Ethical Hacking

[diwolf]

I've done ethical hacking contracts for large colleges and universities before and know from experience that most of the time the easiest way to hack into a network is from social engineering. Send a message to a list of employees that you stole via. SMB from a hotmail account asking for the passwords to "Help make the network more secure" (ironic, no?) and the flood of passwords you get will keep you busy for days.

Until they make the USERS smarter, network admins face an uphill battle.

Visit: http://www.sisterstreet.com - Bulletin Boards & Community for Women

Re:Honestly, I'd have to say they were pretty dumb

[Reality+Master+101]

Then they should understand that there are things that the government should not know and stop spying on us.

Well, then you'll be happy to know that they aren't spying on "us". They spy on suspected criminals with permission from the judiciary.

Military bureaucracy

[duras]

Army investigators had been made aware of the intrusions at Fort Hood weeks earlier and had been looking into the situation when ForensicTec made public what it found, one government official said.

I find it extremely hard to believe the Army's claim. When possibly sensitive military documents are known to pass into the hands of anyone unauthorized, surely the FBI conducts a raid to find out what's leaked. But to do it in direct response to a public statement, the FBI is only doing it for public relations damage control.

The alternative is even worse... The army was aware of the intrusions a few weeks ago, and has been dicking around for weeks with no progress. Although computers left open like this aren't going to have the most competent admins.

Re:Honestly, I'd have to say they were pretty dumb

[WildBeast]

I don't care about the people, I care about myself and my friends and parents.

Except that the person spying on you may also be working for a criminal organisation. It happened several times here in Canada and I'm sure it's still happening.

Re:Honestly, I'd have to say they were pretty dumb

[WildBeast]

hmmm, from what I understood, since sept. 11, they don't need no permission anymore.

*shrugs*

[NetGyver]

I kind of feel sorry for ForensicTec. True, they did technically break the law, but I don't believe they had any crinimal intent, otherwise I doubt they would have went public about it.

On the other hand, if the Army didn't go after them, then that would send the wrong message to the public too.

ForensicTec made it painfully clear that our government should get off their asses and really impliment stronger security on their systems.

I mean damn, anyone with free software tools and a basic understanding of how to hack could have done this. The Army and other affected government facilities should be so lucky that ForensicTec was just curious, if it were another country doing this for profiling/spying/mounting an attack/sabotage, they'd be up shit creek without a paddle.

It's proof enough for me that the U.S. is more at risk then I previously thought. The amount of taxes taken each year from every citizen is alot, at least they could do is take the time to make sure their password isnt...um.."password" among other things.

I love my country, but it's embarassing to watch it do some of the things it does.

Re:*shrugs*

We outside your country also find it embarassing to watch it do what it does.

It should be a countr with *DUMBASS* next to its name.

Well they (sort of) got what they wanted....

[nizo]

Thus spake the article: They made their findings public, said ForensicTec President Brett O'Keeffe, because they hoped to help the government identify the problem -- and to "get some positive exposure" for their company.
Well they gots lots of exposure, not too sure about the positive part.
And from the mission statement on their website:
ForensicTec Solutions, Inc. intends to be the first name in computer forensics and network security. I think perhaps they left out listed as the defendant in a case brought by NASA and various military branches at the end of their mission statement?

Yes, it is....

[Svartalf]

Somebody at Fort Hood and elsewhere should be cooling their heels in a stockade.

Classified documents are NOT supposed to be on machines exposed to the Internet- PERIOD. Machines of that nature are not considered to be at a trust level sufficient for those sorts of things. Forget the security of the machines; the security of classified documents is supposed to be much higher than this appears to have been handled.

Re:Yes, it is....

there's some pretty boring, uneventful classified information. Sometimes I think they mark stuff classified just to make themselves feel more important.

Not a tipster

[Servo]

I'm sorry, but these guys were not acting as tipsters.

They went in prodding with the intent to see how far they could get. It makes no difference how well or how bad they secured the site, its not only illegal to do what they did, but also very STUPID.

If they had noticed a potential problem, they should have escalated it immediately, not probed further. That would go for any target, not just a Government one.

Why army systems on the internet?

[baywulf]

I've always heard that the military has their own secure network. Why would the Army put any critical systems on the net given that they have their own network?

Re:Honestly, I'd have to say they were pretty dumb

[geekoid]

"I say enough is enough and its time for a change."
then stop saying it, and do something.sheesh.

why persecute our own

[tempny]

The government goes after our own folks making essentially a helpful effort, but what about small undisclosed countries probing government computers in the same way, where's the stink about that one? Perhaps said unidentified little countries happen to possess oil.

Ok, I _HAVE_ to say this.

For some reason this has degenerated into a 'the goverment is BAD' posting. As some people have pointed out the US Goverment is elected by _YOU_ if you dont like it vote for someone else, better yet run for office! change the system from the inside. quit bitching about your loss of rights and how evil the DMCA is and how the black fucking helicopters are going to come and take your paranoid ass away. lets look at these 'ForensicTec' fools for a moment HELLO! they broke into a computer. they got arrested for it. Even if the security on the boxes sucked, it is still deamed illegal by the parties that US Citizens put into power, right or wrong. Saying that the Army 'deserved it because they did a shit security job.' is kinda like me say you DESERVED to have your house broken into you wife/mother/sister/brother/father/whatever raped and all of your stuff stolen because you only used a WOOD door and not a fucking bank vault. I for one am tired of all the bitching about how bad the goverment is. IF YOU DONT LIKE IT RUN FOR OFFICE! GET ELECTED PRESIDENT! veto the DMCA. Make public spying legal. do what ever the fuck you want. We live in a socity that affords us the right to do what ever we want because we are free we _CAN_ change laws and we _CAN_ change the course of history for our nation. We do not live in China, Iraq, Iran, Libia, The Old USSR, or Nazi Germany. We live in the united states and the common person HAS a voice. USE IT do something productive with it. _DO_ _NOT_ waist it bad mouthing the best thing in your life. End Rant. -50 Troll

Re:Ok, I _HAVE_ to say this.

You go ahead and do that. I will laugh at you when you get shot down like the little piece of shit you are.

Honeypots?

[tigga]

I wonder if any of military boxes was honeypots with fake passwords , IDs etc.

Any chance?

Well, Army will not answer, of course ;)

I learned long ago...

[nn43]

to reduce any and all interaction with the government to be:

1) paying taxes
2) buying car licensing

Give the King his tribute and stay away. Citizens need not apply.

This could amount to treason...

[Mister+Transistor]

Hacking the government's computers is stupid.

Hacking the govermnent's computers during time of war is monumentally stupid.

It's conceivable that because we are in a state of War, it might even be considered a treasonous (sp?) act.

It's pretty funny tho, the article quotes the gov't as saying if someone finds a vulnerability, they should report it.

Isn't that exactly what happened?

Re:This could amount to treason...

[RedBear]

It's conceivable that because we are in a state of War, it might even be considered a treasonous (sp?) act.

Maybe that would apply if we were in a state of war, but we aren't, at least not until an act of congress says we are. Just because some dupe spouts the phrase "War on Terrorism" on TV 30 times a day doesn't mean a state of war exists with anyone. Besides which, who would we declare war on, Terrorland?

Just so this isn't offtopic: I haven't seen anyone actually asking or stating what exactly these people did to during their scanning of these networks. If all they did was use passive scanning techniques to look for holes, I would be scared at that kind of reaction to it. You should all be. (What if you accidently passively scan the wrong netblock during your next security audit?) On the other hand, if they were actively using known exploits to find vulnerabilities, then they definitely deserve to get a smack upside the brain-pan for being ess tee double-O process ID.

Re:This could amount to treason...

[sigsegv_11]

It's pretty funny tho, the article quotes the gov't as saying if someone finds a vulnerability, they should report it. Isn't that exactly what happened?

No. ForensicTec found the vulnerabilities, then decided to poke around and see what they could find that would get the Army's attention. What they should have done was called up Fort Hood IMMEDIATELY after noticing what they had stumbled onto. They should have apologized for even touching the boxes, and then offered their services.

On a side note, I'm appalled at the article's misuse of terms related to classified information. "Confidential" information *IS* classified. Sensitive material is NOT classified. So, when I read the following:

Sensitive information includes such items as Social Security numbers, confidential plans and so on, officials said.

..I got a little confused. There are three levels of classification: Confidential, Secret, and Top Secret. Sensitive data (also known as SBU, or Sensitive but Unclassified) is non-classified data that should be protected from unauthorized access. The article says that "confidential disciplinary letters" were found, but it also says that no classified data was found on the computers.. *shrug*

Anyhow, enough of my rant.

Dave

Re:This could amount to treason...

[wannabe]

Ok, regardless of what anyone in Washington decides they want to define it as, the Constitution only specifically defines one criminal act, which is treason. And I quote:

Article III section 3: Treason against the United States, shall consist only in levying War against them, or in adhering to thier Enemies, giving them Aid and Comfort. No Person shall be convicted of Treason unless on the Testimony of two Witnesses to the same overt Act, or on Confession in open Court.

That means that the security company must have provided material aid and comfort to our Enemies, which from a strictly legal standpoint may be difficult without a declared War. And there must be two witnesses that will testify to seeing the actual act or they must confess in open court that they committed Treason.

So lets recap. Just as the saying goes, no body, no crime; no declaration of war, no state of war. Hacking government computers is stupid although don't decieve yourself, it happens every day. Should this company have pursued the course of action it did? No. Should this company be bitchslapped for stupidity...absolutely.

Patriotism, the last refuge of scoundrels

[Artifex]

Goddamn, but these people see more like patriots than criminals.

I'm sorry, but since when are the two mutually exclusive?
Ever heard of Congress? Certain highest-ranking members of the Executive branch? =)

i'm disgusted with the current state of IT

[huinya]

I always had this naive belief that the government wouldn't be dumb enough to have Windows installed on a single machine. I thought it was Solaris and AIX all the way (both passed B-1 level security certifications i think?) I guess Microsoft lobbying is unavoidable even at the top level. The article never explicitly says that the machines that were compromised were running Windows, but judging by these facts:

• "shared files" with no password
  
• easily crackable passwords like "administrator" (default NT root username)
  
• administrators often don't apply any "patches"

you can't do anything but roll your eyes. How about that, not only does the US Government employ WinLAN administrators, but they're particularly aweful ones too. I'm switching careers as fast as I chose Computer Science as my major in College, I've had it. I'll come back when Linux has finally taken over.
--

K.

Re:i'm disgusted with the current state of IT

[mbstone]

Some of the biggest and best-known government agencies, the same ones that make headlines and get called before Congress for their shoddy security practices, are still offering senior IT and INFOSEC people $30-35/hr. And even for those sysadmins that would work for $55K W-2 there are other factors that weigh in, such as the unbelievable hassle, weirdness and subjectivity of the hiring process. This in a Federal Government which is going to lose 40% of its employees to retirement in five years.

Re:i'm disgusted with the current state of IT

[reallocate]

Windows sits on desktops across the government for the same reasons it sits on desktops everywhere. There's no excuse for sloppy security, but the feds cannot offer competitive compensation for IT workers (as well as a lot of other technical occupations). Federal agencies cannot unilaterally decide to fix the problem by increasing compenstation to match the private sector; they're legally bound by gov't-wide guidelines. And, these days, a political effort to raise the pay grade of IT workers across the board will run into the usual firestorm of opposition from the usual suspects.

Re:Honestly, I'd have to say they were pretty dumb

I would say it really depends on the exploits. The fact that the computers are on the publically accessible internet as opposed to the seperate military chunk means that it can't be all that terribly important. Second, they should be using secure systems that can't be so easily penetrated. Third, there's a difference between "exploiting" and "exploring".

However, I'm not sure how you can be a "security firm/consultant" if you're "inexperienced". I also don't see what is illegal about accessing "unprotected PCs". That's like putting a bunch of files in your htdocs directory without password protecting them and then suing me for breaking and entering when I read them over http.

Re:Honestly, I'd have to say they were pretty dumb

[Elbereth]

You're right. They do need permission.

Re:Honestly, I'd have to say they were pretty dumb

[Planesdragon]

I don't care about the people, I care about myself and my friends and parents.

So do I. And I realize that the best way to keep YOUR friends and parents from clashing with MY friends and parents is to have a stable nation with a government strong enough to eliminate the need for "village justice."

Except that the person spying on you may also be working for a criminal organisation. It happened several times here in Canada and I'm sure it's still happening.

Of course it does. That's why there are checks on the system.

I want to limit people spying on me to people that I have a reasonable assumption will leave a paper trail about their spying that someone trusted by the community (that'd be "enough people's friends and families" for you) will be able to tell if they're corrupt or clean.

What I don't want is for every private citizen to be able to randomly spy on me. I want it to be a crime, so I know that if I'm being spied upon, either someone can be put to jail for it, or some judge / general somewhere thinks that I'm someone worth looking into.

Oh, and as a group, I trust both judges and generals. The pay's such in both professions that there are bound to be more fanatics than bad apples.

should have been more discerning

[jdkane]

It is not right that government/military computers were audited for security without express permission from the government.
ForensicTec was able to and *did* read sensitive information which they had no business in doing -- indeed they were not contracted by, and had no agreements with the government to do such a thing.

And it was an "audit" instead of an "attack" because obviously the company had no ill intent; otherwise they would not have gone public.

I speculate that the government probably already knew that such security problems could exist -- most organizations do. ForensicTec acted like a loose canon and did not help matters, but instead simply pointed out the obvious.

Immediately upon stumbling across the government computer network two months ago, ForensicTec should have obtained permission before attempting to "help".
Providing proof afterwards does not justify the means.

Let's hypothesize that ForensicTec did ask to perform a security audit in the first place, and the request was declined by the government. Well, in the words of president O'Keeffe, "We could have easily walked away from it,".

It was a self-serving stunt by ForensicTec for publicity purposes, and they dug themselves in too deep while hoping for the publicity (well, they got publicitly even though it's probably not the exact type they were looking for). The articles quotes: "get some positive exposure for themselves,".
I don't believe any penalty will be too harsh, and it will hopefully set a precedent for other companiess to take a more discerning approach to such a sensitive matter in the future.

I'm not saying that security holes shouldn't be researched when there looks to be a problem. But come on ... it can be done in a much better way than ForensicTec handled it. The government can't be blamed for taking exception to the method.

In the aftermath of ForensicTec

[Ilan+Volow]

The Army suddenly realizes that the string of text "b3 411 7h47 U c4n b3" on its recruitment site was not, in fact, an error message.

No, sorry the analogy is wrong

The us government is not a private citizen. The us government collects and uses information on all of its citizens (supposedly *only* to serve its people). And it is in everyone's interest that 13 year olds who may barely speak english don't have easy access to classified government material (OK, not sure how much I am exagerating here, but I don't think much). This sort of disregard for *really* important details (or just incompetence?) is not just embarrasing (they'll get over it anyways) but shouldn't be tolerated.

So, the moment I start collecting your personal information on my private computer is they day you should demand to know how well I'm protecting that data.

The government as a whole doesn't get the same protections that individuals do (not, supposedly, this governement anyways), nor should it.

I have no business knowing how you balance you checkbook, but the budget, hell yeah we want to know.

Having said all that, though, the only left for me to work out is whether or not the gov. would have acted if it wasn't done publicly (maybe I'm not being fair about this?)

Hmmm ... does this then really just boil down to security-by-obscurity vs. not?

They did the right thing

[zenyu]

If they had reported this to the army it would have never been made public, and they might have been arrested anyway. The only thing I think they should have done differently is get a Senator involved before going to the media, it would have given them some cover. Seriously though they should be given a congressional metal of honor for bravery for informing us of the lax security.

I used to live near a couple military bases so I know it's not exactly geniouses running the place. But they are a very organized bunch and I would have expected a policy on passwords, and that in that culture it should be easy to enforce. Password crackers shouldn't work on the military. Someone who leaves a password of "password" or "administrator" on a computer should be dishonorably discharged at the very least. If any of those machines exposed sensitive data they should get at least a few years on a slab of concrete in Cuba.

The dirty little secret of the military is that sensitive information is a lot more important than classified stuff. Engineering data that was classified in 1950, that made it into every textbook by 1960, is still locked in a safe at night because it's too much work to declassify anything. The day to day functioning of the military tells any enemy everything they might care about and that never gets classified.

Hey even the top secret nuclear stuff doesn' really matter since the information to build a nuke was long ago published, and the high tech stuff the US and Russia have isn't of interest to anyone. It's already expensive to build a nuke that takes out Manhattan, building one that takes out the Jersey City in the same hit is just a waste of money. But what kind of gas masks are being packed for the attack on Iraq, well that could be useful.

Re:They did the right thing

[mpe]

The dirty little secret of the military is that sensitive information is a lot more important than classified stuff. Engineering data that was classified in 1950, that made it into every textbook by 1960, is still locked in a safe at night because it's too much work to declassify anything. The day to day functioning of the military tells any enemy everything they might care about and that never gets classified.

The basic problem is that effective security is hard, it can be easier to give the illusion of security. Hence ending up with locking technical data which is in the public domain up in a safe. Sometimes serious things get overlooked, e.g. the Japanese gathering data on where ships were at Pearl Harbour.

Hey even the top secret nuclear stuff doesn' really matter since the information to build a nuke was long ago published, and the high tech stuff the US and Russia have isn't of interest to anyone. It's already expensive to build a nuke that takes out Manhattan, building one that takes out the Jersey City in the same hit is just a waste of money.

I recall it being said that in the 70's there were something like a million people who knew or could work out the triggering details of a hydrogen bomb. Information which was at that time, and may still be, classified.

But what kind of gas masks are being packed for the attack on Iraq, well that could be useful.

As could the amounts of any type of supply to a war zone. How many gas masks gives an indication of how many soldiers might be involved.

Re:They did the right thing

Someone who leaves a password of "password" or "administrator" on a computer should be dishonorably discharged at the very least.

Well, that depends on what race he is. If it is a white, he will be fired, if it is a nonwhite, he will be promoted. Gotta love those affirmative action quotas!

Re:They did the right thing

[einhverfr]

As could the amounts of any type of supply to a war zone. How many gas masks gives an indication of how many soldiers might be involved.

You can take this too far though. The Army for a while had classified the peanut butter provisionings because they figured that the Soviets could determine how large our army was (Not, I might add, where they were). Of course, the number of People in the army was public knowledge...

Silly People...

[jag164]

Don't they know about the military's "Don't ask, don't tell" policy?

A few words of wisdom for you Henry

Break and Enter
- Break (the passwords meant to keep you out of their computer)
- Enter the premises (in this case, the computers) and wander around to see how far you can get.

Sure, you have not stolen anything, yet it is still illegal (plain and simple)

Just because I have a computer connected to a public network (such as the internet) it does not mean you or anybody has the right to access it and go through my stuff. Same thing as a house with the door open.

What you are saying is that if I leave my door open (since I live on a public street) anybody can come into my house at will and look around...?

You oughtta be kidding me!

Then again, it is ME who doesn't get it...
jeez

Just imagine --

[Jace+of+Fuse!]

Army investigators had been made aware of the intrusions at Fort Hood weeks earlier and had been looking into the situation when ForensicTec made public what it found, one government official said.

I bet the military admins didn't have a clue anything was going on. I've met MANY Army IT workers and most of them are your average old PC user that knows a little about Windows (sometimes). And while not EVERYONE in the Army is incompetant, I think it's safe to assume that even if the intrusions HAD been detected, those involved in the "Investigation" would have just written it off as a "system anomaly" and nothing would have ever come with it.

If they hadn't boasted about what they had done, they wouldn't have been busted, I'm quite sure.

Boasting = Busted. Simple case and matter.

So what we've all learned from this, is that next time you have some fun with those easily rooted Government Boxen, just keep it to yourself afterwards. You can bet this happens all the time, you just don't hear about it because those involved don't talk about it. And they don't get caught (normally.)

Re:Need some advice guys! :o(

Well, that totally sucks. Since the bubble burst, IT types aren't making much money, so you probably don't have enough to go to Amsterdam and get yourself a quality prostitute. Your best bet, then, is probably Tijuana. For about $20US you can get yourself a chubby 40yo Mexican woman, plus enough tequila afterwards to forget the entire experience.

HTH.

The government is run by ostriches!

[Newer+Guy]

See no evil, hear no evil... Therefore, there must BE no evil! Get it?

condensed version

1: Extort the government
2: ???
3: Profit!

They broke rule number two

[Alsee]

Rule number one of hacking dot-MIL:
You do not talk about hacking dot-MIL

Rule number two of hacking .MIL:
YOU DO NOT TALK ABOUT HACKING DOT-MIL!

But then, they also broke rule number zero:
Anyone with half-a-brain stays the FSCK away from dot-MIL.

Funny thing though, I once did an ordinary google search that returned a page that I think was supposed to be internal use only, if not actually classified. It listed the current location of a warship. Hmm, I can't recall if it was when we first sent ships over by Afghanistan, or back during Desertstorm.

-

Re:They broke rule number two

Funny thing though, I once did an ordinary google search that returned a page that I think was supposed to be internal use only, if not actually classified. It listed the current location of a warship. Hmm, I can't recall if it was when we first sent ships over by Afghanistan, or back during Desertstorm.

I'll guess Afghanistan. If you were googling during desert storm, you beat the founders of google by several years. :-)

Re:They broke rule number two

[Alsee]

If you were googling during desert storm, you beat the founders of google by several years. :-)

Shhhh! Don't tell anyone, but my ping times are negative.

-

where its all going?

[zoftie]

NSA starts to develop SE Linux. They get hell for it.
Military staff plops down computers on the
internet, puts confidential files on them, and
then hires a brickhead from barracks to manage
them.

Someone points out they are fucking idiots. What happens?
They get angry. Now their jobs are @stake(pun intended),
they say that they had classified
information on that network, they get immediate
and full cooperation of FBI. Fact is army
can shoot anyone for accessing systems that carry
classified data. And no, they just can cite
terrorism, forge evidence, and viola you got
scentenced for life, with no right for anything.
Screw geneva convention, screw the constitution.
These guys either are really really stupid, or
ballsy. Anyway +5 karma for them doing that.

It seems that miliary is running its offices
looser then any given computer corporation.

Where are the old days when army ran unix
mainframes and fully qualified sysadmins where
manning the networks? Its not that hard to lock
down the network and keep a watchful eye on it.
Whats certain, is that there is definete advantage
to working in corporation, as compared
to government. And so the many minds make a choice.
Perhaps there is a place for reform, we the people, the taxpayers, who pay for their asses to
sit in the offices, would expect them to run pretty smooth operation. Not this hippie shit.

Re:where its all going?

Where are the old days when army ran unix
mainframes and fully qualified sysadmins where
manning the networks? Its not that hard to lock
down the network and keep a watchful eye on it.
Whats certain, is that there is definete advantage
to working in corporation, as compared
to government. And so the many minds make a choice.
Perhaps there is a place for reform, we the people, the taxpayers, who pay for their asses to
sit in the offices, would expect them to run pretty smooth operation. Not this hippie shit.


How funny the phrasing of this. "hippie shit" is too much. The bulk of Unix was developed by hippies. Todays republicans accept kickbacks from MS and then drop all court cases, or perhaps run multi-national corporations while stealing billions from it (Enron, Qwest, Global Crossing come to mind). Hippies are instead doing ethical businesses(I am glossing over the hippie who farms pot for a living - they will do it organically). admittal many of these are small to medium size, but then again the bulk of business is SMB.

Not what happened

The military servers were targeted for hacking. This isn't just a case of a program randomly scanning ports, it was a deliberate attempt to probe a military server.

hmmm...

[i_have_no_name]

image is everthing. if the fbi didnt 'crack' down on these 'hackers' then the army would seem to be weak in some respect and it cant look weak can it? what would russia think? :) instead of raiding and probably taking legal action they should have cash prizes for who finds security flaws and reports them to the army and if person doesnt and using flaw for evil means then you can take legal action.

Making a Point vs a Splash

[_Sprocket_]

Well they gotta make a point.

The bitch to bureaucracies and incompetence is that that a successful bureaucrat covers it up. And often anybody who would make the appropriate whistle-blower is ass-deep in alligators already with all the other crap that's on their plate because their IT budget can't handle proper staffing.

So... sure. Maybe someone does need to make something happen. They need to point a finger. They need to embarrass the bureaucrats in to fixing what is broke. Maybe this kind of act is the Right Thing.

So how does one pull this off? Make the run, collect evidence, find a reputable journalist (No... really) you can trust, and then anonymously dump the evidence in to their laps. Maybe drop it in to a couple journalists' laps just to make sure the story doesn't turtle at that point. When the story hits the papers, nod quietly at your civic duty done and hope that nobody can ever trace it back to you.

You do NOT use this as a vehicle for self-promotion.

Darwin award?

[mseeger]

And surprise surprise, they immediately got raided by the FBI.

Sounds like darwins principles at work.

Is there something like the darwin award for companies? In that case, making an unauthorized security scan of army computers and bragging in the press about it, clearly qualifies for it (like climbing into a tigers cage to pet them does for humans).

Back to serious: If you're in the security business, only talk to the press when your customer wants it and pays for it.

Yours, Martin

Yale-Princeton revisited

These folks remind me of the Princeton admissions officers in the hacking/cracking/unauthorized access debacle in July. Sure, someone might have "just been checking security," but that still doesn't make it legal. We have stupid people here and stupid people at Princeton.

he told them about it......

[viperblades]

the bad thing is they gave the army 1 week if they're still vulnerable for another week they should be hanged. "Army investigators had been made aware of the intrusions at Fort Hood weeks earlier and had been looking into the situation when ForensicTec made public what it found, one government official said."

Baron Von Munchausen... how delightful!

[The+Tyro]

Great quote... most people have never heard of him.

Re:Baron Von Munchausen... how delightful!

[NumbThumb]

So the baron of lies is not known in the US? The guy that rode a cannonball? How sad... But that can be helped..

By the way: the complete name is Karl Friedrich Hieronymus, Freiherr Baron von Münchhausen (1720-1797). That's Münchhausen, with an umlaut and two 'h'... oh, well, never mind... who cares about spelling anyway;) But if you want to google this, it meight help...

Off Topic, i know... to hell with carma...

Re:Baron Von Munchausen... how delightful!

[Gooba42]

I can't see why it would be unknown, our press is all over "Munchhausen's by Proxy" (don't have an umlaut on my keyboard). Better yet we had a movie released about the guy in the 80's.

Re:Baron Von Munchausen... how delightful!

[Rotten168]

My friend went to high school with John Mayer.

better idea

[The+Tyro]

Actually, a crucible of thermite above your hard drive (with something to catch it... can't have that stuff burning through the foundation of your house) would work wonders...

$.02

GODDAMMIT!

[Dthoma]

Those bastards stole my idea! *I* wanted to hack the military and boast to all my 1337 friends about it! Now I'll look like an unoriginal script kiddie if I try it!

Damn.

"If they broke into the base..."

[tlambert]

"If they broke into the base, photocopied some records, and bragged about it noone would have even thought twice about their arrest."

Putting a file on a computer directly on the Internet is a far cry from putting a file in a locked file cabinet in a locked office in a secured building on a military base whose gates are protected by armed military personnel.

It much more like putting a file in a locked file cabinet in a public park.

-- Terry

Re:"If they broke into the base..."

[usr122122121]

It much more like putting a file in a locked file cabinet in a public park.

The article made it seem like the computers themselves were set up with file sharing turned on, many without passwords at all.

This is more analogous to writing all the information in a big black marker on a white board in a locked room that has windows :-)

My 2 cents.

Re:"If they broke into the base..."

Putting a file on a computer directly on the Internet is a far cry from putting a file in a locked file cabinet in a locked office in a secured building on a military base whose gates are protected by armed military personnel.
It much more like putting a file in a locked file cabinet in a public park.

With "US Army" stenciled on the side and a not very good lock.

FYI, Confidential != Classified

[Shalome]

Classified documents are NOT kept on machines that are internet-accessible. Any time a classified document accidently "spills" onto an unclass network, there is a major and immediate clean-up effort. Confidential documents (such as personnel rosters) can be kept on unclassified networks, as can unclassified-but-sensitive (like network maps). Big difference between that and classified documents.

Re:FYI, Confidential != Classified

[FeriteCore]

The legaly defined national security classifications described in executive order 12958 are:

UNCLASSIFIED
CONFIDENTIAL
SECRET
TOP SECRET

The situation gets more complicated with codeword protected documents.

CONFIDENTIAL is classified. I could get fired for a compromise of CONFIDENTIAL information.

Most agencies have information categories that require protection but are not technicaly classified. These get various names depending on the agencies, LIMITED OFFICIAL USE, EFTO (encrypted for transmission only), LAW ENFORCEMENT SENSITIVE etc. It is possible, perhaps probable, that a journalist would use the word confidential to describe information of this sort.

Re:FYI, Confidential != Classified

[reallocate]

Confidential is a classificiation. If you work someplace where people think it isn't, fix it quick.

Re:FYI, Confidential != Classified

[Scratch-O-Matic]

I suspect that this term was misused by the media. Documents in the civilian world are frequently referred to as "confidential," but in the military this is an actual level of classification. If the documents were truly confidential, then someone does need to go to the brig. But I doubt that they were.

Re:Honestly, I'd have to say they were pretty dumb

[Dexx]

Permission? What's that?

These are not bad guys

[m_evanchik]

If I recall, the head of Bush's computer security team said not too long ago that he believed government should take a less belligerent tone with white-hat hackers who crack systems without malice.

While maybe these guys should have approached this exploit differently, the fact is that they meant no harm in their actions and in fact have probably done us all a service by exposing, without exploiting (except perhaps for some cheap publicity), somebody else's fuckup in the US ARMY.

Does anyone really believe that any greater good is served by pursuing criminal sanctions against these guys?

It just seems...

[swaic]

That the army/government is just really embarrassed and somebody will have to pay. If these guys had not gone public, and army determined that no real damage was done, I'm sure they would have gotten away will their balls intact. Now, that's a different story.

They're lucky....

[hubbabubba]

... it was just the FBI breaking down their door instead of an F-16 swooping down and turning their facility into a parking lot.

simple

[thePredator]

isnt this simple, if you find a security hole, tell the admins of the place with the flaw. if they dont reply or do anything about it, tell other security groups.. then maybe go public, but i doubt anyone would support an American publishing how to go through security holes in the US infrustructure. correct?

Re:simple

[Oswald]

Yes, it's exactly as simple as you describe--if your goal is to help some[clueless]body with their security problems. If, on the other hand, your object is to advance your own career, you call the press. They are getting the hassles they deserve.

I like this

[tomstdenis]

"They should contact the government or company that is responsible for that vulnerability and report it."

Specially with that other case that occured in the court house right? Yeah thats because telling someone there doors are wide open makes them want to talk to you.

Tom

My Question

[usr122122121]

Now, if this "company" hadn't bragged about their "accomplishments," do you think the Army would have noticed that their computers had been infiltrated?

I bet they wear tattoos and drink Surge

Sounds like some stupid gen-Xers to me. No respect for other peoples' money.

Too greedy?

[Quixote]

I think the mistake these chaps made was to go public, without giving the DoD folks time to rectify the problem. If they had talked to DoD in secret, and helped them identify the weaknesses and secure their networks, they would have gotten something out of the whole thing. Going public with it was like throwing a stone at a large hornets' nest while standing 6 ft away. Of course the hornets will come after you!

I think these guys got too greedy. They went public in the hopes that they'll get noticed and jump straight to "Step 3. Profit!!".

I hope they learn their lessons.

Re:Too greedy?

[GigsVT]

The sad thing is that being arrested for this might be the best thing to happen to their "career" as "security consultants". Look at how many of the former script kiddies with little real skills get high paying jobs after being arrested.

I won't name any names, but this kind of thing seems to be very common, in fact, this seem to be the way into the "security industry". It's cheezy, but kiddies always seem to end up with high ranking positions this way.

Re:Too greedy?

[bogidu]

Actually, going public was probably the only thing that kept them from just disappearing.

I Am Betting....

[__aadhrk6380]

That they found the vulnerabilities, hacked the boxes for proof, took all the data to the folks involved, and said "Hire us to fix it".

Would you hire somebody that hacked your home pc and left a note that said "I found it, I exploited it, now pay me to fix it"?

My guess is that when no juicy little contract was awarded, they went to plan B, which was the press.

A NEW Ben Folds song...

[i_want_you_to_throw_]

Well I went and hacked the Army.. Dad said son you're fucking high.....

New American Mantra (TM)

...I think these guys should be held accountable...

Thanks for unwittingly bringing up the Root Cause. Between "I think these guys should be held accountable" and "Won't someone please think of the Children!", America will become the worst fascist state in the history of homo sapiens. Seriously folks, not every action falls neatly into the "good" or "bad" category. There has been a lot of discussion today about entanglement of Legal and Moral, and you summed up the cause.

Congratulations my friend, but don't be proud.

Re: Breaking the law in private is dumb

[reallocate]

Violating the law in private is pretty stupid, too. And if you feel inclined to engage in a little civil disobedience because you're "mounting a case against an unfair law", put a good defense attorney on retainer and be prepared for jail time. Laws aren't struck down as unconstitutional all that often. Be prepared to wait out the appeals process.

Just telling the court that you don't "believe" in the law will only produce passing annoyance. Citzenship incurs a legal obligation to obey the laws, or pay the price.

think about it man

If they weren't malicious, why KEEP looking for so long and at so many different docs? They found quite a few things, trivial and notsotrivial, yet they KEPT ON LOOKING. I believe that they were sure someone would catch on to their trail soon after (they are amateurs), and fear led them to seek the shelter of the media under a very suspect story.

Besides, if the govt DOES NOT prosecute, what does that say? "go ahead and crack us, feel free to even leisurely snoop around, as long as you let us know later how you got in. Oh, and TIA for all the help..."

really.....

There is a huge difference.

If you walk in the bank and do something "bad," there's a way to tell. (The bank has less money, and you have more. :)

When a computer is cracked, though, data may be copied without removing it.

So, how do you know these guys didn't break into the computers for "bad" reasons? Publicly announcing a break in sounds like a good way to convince people that you didn't do anything naughty during the break in.

(Not that they necessarily did, but it would be really dumb to assume they are good guys even though they very publicly admitted to breaking the law.)

Re:There is a huge difference.

If you walk in the bank and do something "bad," there's a way to tell. (The bank has less money, and you have more. :)

Oh, all those evil people at ATM should be arrested! I keep seeing them walking away with cash.

Re:There is a huge difference.

[einhverfr]

So, how do you know these guys didn't break into the computers for "bad" reasons? Publicly announcing a break in sounds like a good way to convince people that you didn't do anything naughty during the break in.

Good point, but how do YOU know that there were not other compromises on the same vulnerability? At this point, one would have to assume that the data was compromised whether or not it was compromised by the "security consultants." At the point where you have *any confirmed break-in,* you have to assume that the system has been compromised irreparably.

The gov message is clear ...

discover the errors and don't tell anyone...
Let's apply this to the space shuttle fuel line cracks and wait until one explode to try to find the cause...
Is that the correct behavior?

interesting point

[rehabdoll]

Would the US gun-laws allow you to blow someones head off if they broke in to your computer?

Ofcourse there are som physical issues here, such as not being able to place a bullet in someones head on the other side of the earth. But what if someone just outside r00ted your box with his laptop. Would it allow you to shoot him through the window?

Re:interesting point

Would the US gun-laws allow you to blow someones head off if they broke in to your computer?

Why do you assume it's a gun law? (Do you think there's a law that says, "You can tote a gun and put a bullet is someone if you want?" :)

Where it is legal to shoot an intruder in your house, it is usually actually because of an exception to the murder statues.

Basically, it's sometimes not considered murder to use lethel force against someone who has broken into your house.

It is quite independent of the gun laws. In those states, if you ran a sword through the criminal, you still wouldn't get locked up. :)

Only..

If your life was threatened and the use of deadly force was the only way to defend yourself adequately then you can blow his head off. But I suspect you wouldn't be particularly worried about someone hax0ring j00r mainfr4m3 if your life was in danger.

Close but not quite...

[Scratch-O-Matic]

Although I suspect that we are on opposite sides of this issue, I do think that your analogy is mostly correct. But you need to add the fact that you sat down at several of the desks, opened the files, and read them for a few hours. Loan agreements, account records, etc.

Prosecution is completely appropriate. Let's not forget that the "seriousness" of the actual offense should be reflected in the sentence, eg. a fine and a few weeks in jail rather than years in the slammer.

Re:Honestly, I'd have to say they were pretty dumb

[mpe]

You could also make a citizen's arrest

Wonder how effective one would be were the criminal a law enforcement officer.

Explore MY ASS.

[Mulletproof]

Yeah, Go on. Explore my house without my permission. You're going to get shot, Mr "Curiousity is my only crime". Oh, that's right... Hackers that do that shit are somehow morally exempt from the laws that govern everbody eles. Pardon me for the lack of sympathy.

Flamebait? Troll? What good is Karma if you don't use it?

Re:Honestly, I'd have to say they were pretty dumb

Why is everyone a on slashdot a bunch of paranoid, grade-a nimrod, losers that think the goverment cares about THEIR life?

Duh

[Zapdos]

Good or neutral intent aside, the quickest way for the government to see what was compromised, and to make a full assessment is to obtain the systems involved, and to interrogate the individuals involved. Seems like this should be common sense.

Re:Duh

[gerardrj]

And it seems the fastest way to get ALL the information in a reliable and accurate way is to set up a meeting and ASK those involved to disclose what went on and to turn over any material.

This is the United States, not the Soviet Union. Bashing in doors should be the last resort.

"I am the great wizard, do not look behind the curtain! There is nothing behind the curtain, keep watching what I show you!"

Re:Duh

[Zapdos]

What you are saying is to trust those who broke the law! That is simply unacceptable!

Re:Duh

[Sedennial]

Technically, George Washington was a traitor and broke many, many laws. Yet we hail him as a hero and a founding father of our nation here in the US.

Gahndi also broke many laws using civil disobedience tactics. yet wouldn't you trust Gahndi over former Presidents Clinton who apparently didn't break any laws?

Re:Duh

[gerardrj]

Our government breaks laws every day. YOU (whoever is reading this) broke dozens of laws today. Yet we (the collective population) trust the government, and I'm sure many people trust you, despite your tendency to violate laws.

Law abiding and trustworthy are not a cause/effect or any other sort of mutual relationship. It would be very convienient to label them as such, but it just isn't the case.

Hell yes!

[Not+One+Of+Us]

Ah sweet! I've got to try thi-

Oh, THAT kind of "raided."

Damn, I thought the Army was going to Raid my computer for me. :(

No Harm, No Foul

Whatever happened to "No Harm, No foul"?

Accessing computers/data shouldn't be illegal. CHANGING data should be. Destroying data even more so.

Being able to guess a password certainly sounds like authorization to use a computer -- I know that I don't have a little piece of paper "authorizing" me to use machines; I know a password, which is sufficient to show that I am authorized to use that machine.

Re:No Harm, No Foul

[reallocate]

Here are some pointers:

1. "No harm, no foul" is not enshrined as a legal precept.

2. There's plenty of data inside and outside the government, on paper or on computers, that it is illegal for you to look at If you get caught looking at it, that's often called espionage. If someone screwed up and made it easy for you to spy, they'll face charges, too.

3. Changing or destroying someone else's data, i.e., property, will set you up for anything from vandalism to sabotage.

4. Guessing a password isn't authorization, any more than guessing a safe combination is. How about calling it attempted breaking and entering?

*smacks self in forehead* That's what I meant!

[Shalome]

Agreed. You exactly what I meant better than what I could come up with as early as it was when I replied.

Re:mounting a case against an unfair law

[reezle]

I think I see your point.

MAKE SURE that the Army web site had copyrighted information somewhere, anywhere in their network. Then your bases are covered. Either you go to jail, and there is a precedent against the new RIAA Bill, or you get out scott-free under the same bill.

You can't make US laws that cover just one company, last I checked...

It's win-win. (Except that you'll be in jail.)

Fix where I work?

[Shalome]

Oh, believe me, I'm trying to fix where I work. If you know anyone whose hiring a geek with military systems experience and a TS clearance, let me know!

Schmidt

Wasn't he in charge of Microsoft security when they were compromised and had their source code stolen?

Now he's "Vice Chairman of the White House Critical Infrastructure Protection Board", and nothing's being changed.

I think Bush has done a pretty decent job since 9/11, but he really needs people in charge who understand security, not politically-minded talking heads who's only claim to fame is giving talks at ISSA seminars.

pointing out holes is good right?

lessay some neive person puts controls of a nuclear sub/plant online and its flawed security wise... then lets say securit3k hacks it and tells the world...

wouldnt it be good to show the flaws? before some nafarious person hacked in and did something bad?

shoot first, ask questions later is my motto. what ever happened to innocent until PROVEN guilty? its just raid and conquer. sounds like PILLAGING to me!@ i cant spell, deal with it.

WHO RUNS THE GOVERNMENT

ONE WORD: AIPAC

This can't be good for free software

[gillbates]

Perhaps this is OT, but I couldn't help but notice this: (emphasis mine)

The searches began hours after The Washington Post reported that ForensicTec consultants used free software to identify vulnerable computers and then peruse hundreds of confidential files containing military procedures, e-mail, Social Security numbers and financial data, according to records maintained by the company.

This can't be good for Linux, and other free software projects. Granted, we could rant about how "free software" isn't necessarily the same free software that these folks used, but I think that we would do better to distance ourselves from the term "free software" - which conjures up images of pirated, illicit, or otherwise illegal software in the minds of the average user.

Given that the FBI now considers guilt-by-association probably cause, we should make the effort to use the term "open source" rather than "free software". I know there are ideological differences, but if we want to be accepted by the computing community at large, we need to appeal to them with terms that are unambiguous and easily understood.

Re: Breaking the law in private is dumb

[einhverfr]

Violating the law in private is pretty stupid, too. And if you feel inclined to engage in a little civil disobedience because you're "mounting a case against an unfair law", put a good defense attorney on retainer and be prepared for jail time. Laws aren't struck down as unconstitutional all that often. Be prepared to wait out the appeals process.

Civil disobedience only makes sence when one is comfortable with the idea that if they are sentenced harshly, that too is a political statement of conviction and a path toward victory. I was raised a Quaker so I knew a lot of people that were willing to go to jail as political statement. No, it is not dumb unless you are not willing to accept the jail time for your actions. What makes civil disobedience work is that you ARE willing to go to jail for your beliefs. Stoicism is the key.

That analogy is also bad...

[samsara]

Instead, try this:

You're walking down the back alley at a bank and notice that there is a rear entrance. The is a lock on the door, but you have a set of general lockpicks available so you say, "why not?"

After fooling with the lock you open the door. You're amazed that there are no cameras watching this hallway. There a few bags laying on the floor, you wonder what's in them. You open a bag to find stacks of 20's. You count the money to note over 2 grand.

Leaving the same way you came in, you immediately place a huge poster on the back of the building letting anyone passing by know that you could get 2 grand easily if you bring your own lockpick.

Re:That analogy is also bad...

[lingenfr]

Close, but try this:

You are sitting at home spanking the monkey or whatever these gloryhounds do, when you decide what a neat idea it would be to go check the security at your bank.... ....and while you are their, you make copies of the photos on all of the desks and post them to the Internet when you are through.

For those open-minded individuals who will start down the 'they were performing a public service' path, I hope that you check the box to donate an extra $100 on your next tax return to help pay the bill for this stupidity.

If these knuckleheads had went straight to the Army or the DoD, I would have no problem. They would still have been taking a risk. I want our networks to be secure, but I don't buy this as a method to get there. Flame on Toro!

Doesn't suprise me.

My brother in law is in the Army. He is very knowledgeable about computers and networking, however he's an optician in the Army. When he was stationed in Korea, he befriended the network techs. They would often come to him for help on solving their basic problems with the network. The computer division in the Army is sorely lacking in ability.

Welcome to the Real World

[Osty]

Yes, very sad. Judging from reaction to this and similar stories, a great many Slashdot readers believe that the law should treat them differently and that they aren't responsible for their actions.

Probably attributable to Slashdot demographics, but the attitude risks provoking a lot of restrictive legislation.

This just proves that /.'ers aren't as different from others (non-geeks, non-techies, non-however-you-happen-to-identify-yourself) as they like to think they are. In the "Real World" (ie, that thing outside of your bedroom, not on the internet or tied to some computer somewhere), people routinely feel that the law should apply to others and not themselves, and rarely (if ever!) take responsibility for their actions. Ever heard a bleeding-heart liberal cry, "There should be a law!"? Or a soccer mom complaining because the schools don't do a good enough job of babysitting her kids? That is (American) society, and it sucks. Many /.'ers complain about it, yet as we see with this article, they fall into the exact same traps. It may be different circumstances, but the ideas and actions are the same -- "I'm above the law" "The law only applies to criminals, and I'm not a criminal" "It's their fault for not locking their door/car/computer, not mine for breaking into it."

Obligatory Conspiracy Theory...

[mcflaherty]

I don't suppose there is any hope that this was just a honeypot left open as bait for non-friendly crackers? I mean the company was pretty much using script kiddie tech to get in there. With homeland security as it is now, there just might be bait and observe units out there...

say it now: A-N-A-L-O-G-Y

Some people really do not get the point of an anology. ANY analogy will fall apart under close scurtuny and camparison with what it represents. Why? Becuase it is an ANOLOGY. It is NOT the same. It is not suposed to be. It is supposed to simply clarify one possible view, crystalize it.

Slightly OT - Medal of Honor

[Isaac-Lew]

I always thought that the proper name of the medal was simply Medal of Honor (like the video game), not "Congressional" Medal of Honor (who else issues a Medal of Honor besides Congress?). However, I can't google a site to confirm this. Anyone know for sure either way?

Re:Slightly OT - Medal of Honor

[Em+Emalb]

Full name:

Congressional Medal of Honor
common name: Medal of Honor

AKA Get out of my way bitch! ;)

STOP MAKING /. LOOK BAD

[xintegerx]

I was the first to introduce the possibility of the hacked computers being honeypots... So it's modded down because it's a different view point. Some moderators gotta stop making /. look bad.

You get screwed either way...

There just HAS to be a clear concensus on an established procedure for reporting security flaws. The laws are just not clear on that.

Obviously, in the interest of securing a network, scans are necessary and for the most part not illegal, especially if the network you scan is your own. But doing IP scans, are most certainly going to uncover other machines NOT in your control.

Some say you are breaking the law, others aren't sure... But these scans DO pick up on security problems... and that leaves one in a delemma. If you make an attempt to contact the owner of the network, how is the best way to approach them without getting locked in the slammer.

These actions are doing nothing to help the IT Security community, instead, it is just discouraging people from bringing it to their attention.

Is it illegal to walk up to a door in someone's house and try to open the door? Would that be considered "breaking and entering", just to test if the door is locked?

What ARE the laws on scanning for active IP's or ports? I don't believe I've ever gotten a clear answer on that.

Is running a Nessus scan on a network not owned by you, a violation of the law?

Any LEGAL buffs out there in ./land want to comment on this?

Deja Vu

On Dec. 5, 2001, the U.S. Department of Interior was disconnected from the Internet by court order.

The Court appointed special master was able to view and change information stored on DOI computers.

That should have been a wake up call for the U.S. government, but I guess they slept through it.

This doesn't surprise me. It won't surprise next year when another Departments computers gets hacked. I won't be suprised the year after that, when it happens again.

Government IT managers are incompetent. Go figure.

Bad analogy

[Mateorabi]

But public institutions are held to a higher level of scrutiny and accountability than privately owned property.

The public has a vested intrest in the security of what are esentialy it's agencies. I am personaly more vulearble when my country has a weaker army. I am not made more vulnerable by my neighbor forgetting to lock his door.

How would you feel?

[autopr0n]

If someone found a weakness in your system, and then spent hours looking through your old emails, Instant message chats, documents, financial spreadsheets, etc.

And then had a press conference saying how much of a dumbass you are. Would you consider it "free research"?

Stupidity vs. Ballsy

[pondermon]

Some inexperienced consultants totally got high from this hack. Right now, sitting in prison, they don't realize it. They don't care...

"Dude, I totally hacked the Army, man. Oh yeah." And then she high-fives her buddy.

There's only one acceptable reason to do what they did the way they did: pure adulterated fun.

After all, we all know that as soon as the Army plugs those leaks all their buddies will follow suit, thus putting an end to hacking and spying around the world. Finally we'll have national security.

BOTTOM LINE: A tighter, more secure system requires only a more imaginative hacker.

But dang! Wasn't it a great read?!

My Vote: Ballsy hacking, stupid advertising. Enjoy the high well it lasts.

I'M SORRY YOUR POST IS INCORRECT

and irrelevant to slashdot. Females? What on earth do they have to do with anything?

I can't believe peoples comments.

[rasputan]

These guys did the military a favour by going public. If they didn't go public this problem wouldn't have been fixed. Like this the problem is being fixed. You can't fix a problem until you know its there. These guys made sure that the people in charge know the problem was there. I think the people who should be arrested are the ones who allowed such security holes in the first place.

You must be joking...

[Mulletproof]

So if I pick the lock on the front of your house and start rifling through your belongs without my permission, it's "ok" as long as there was no harm done in the process? Let's go one step further. Let's say my house is unlocked. Or that you "found" a key to my house. What F%^$@# right do you have to enter my house without my consent? YOU DON'T. You are going to get the police called on you and arrested. That's if your lucky enough not to be shot by me in the process. "Curiosity is my only crime!" No, breaking an entering or unauthorized entry or trespassing is your crime. Oh, and that of being a dumbass.

You would have told the bank officials first.

"Army investigators had been made aware of the intrusions at Fort Hood weeks earlier and had been looking into the situation when ForensicTec made public what it found, one government official said."

Re:Public[k]ing breaking the law is dumb

Mesocyclone really must have gone temporarily blind (mentally?) to post such a silly spelling...

Re:Honestly, I'd have to say they were pretty dumb

[Ironica]

So, security through honesty? We just *shouldn't* spy on the government, so it doesn't matter whether they have protections against spying?

It is an interesting question, and does go well with the discussion a few days ago about governments requiring themselves to use open source software. The government has a responsibility (several, in fact) to us... shouldn't we be able to find out if they're keeping it? Or is it just going to be "Oooo, mustn't touch!" for us (while random-joe-terrorist is finding out the secret identities of the CIA guys monitoring their terrorist cell)?

Not that I think these guys did the "right thing," but I do think that maybe the government should be under public scrutiny.

china cyber warfare

--from what I understand, just recently (last year maybe?) china created an entire new branch of the military, devoted exclusively to cyber warfare, ie, army, navy, airforce, cyber. Our (US) efforts are individual within each branch, with weird paramilitary divisions like NSA etc.

With that said, I fully expect china to attack sometime between the years 2010 and 2015. All the signs point to it, population pressures and demographics, oilfields peaking, their rate of military expansion well beyond "defensive", manufacturing expansion, rate of decline of western nation's manufacturing and lowering of the numbers of "still working" young people in the western nations, fresh water needs of china, projected critical industry mineral needs,etc, etc. I expect a full out total first strike effort, to include trojan horse style attacks from smuggled in devices and commandos, not only in the US but across europe as well, ICBM and cruise missile attacks, cyber attacks, etc. I am also thinking that russia, iran, north korea and perhaps a few more will participate at the same time. I do NOT think that any amount of "free trade" will result in the chinese leadership abandoning totalitarian rule, it will simply make them stronger in their efforts at controlling their populations and becoming the worlds premier super power. Their tech advances-with the full cooperation of naieve profits at any cost western businessmen and governments are immediately put into place in command and control efforts, and they show no desire to not do that. china would not be as successful in the "great firewall of china" project without the connivance of western geek companies, for a glaring example.

I give them better than even odds of pulling this attack off successfully, too, for that matter, at this time anyway.

-zogmeister

Privacy Act of 1974

[MyNameIsMok]

hi,
Doesn't the Privacy Act of 1974 (and its ammendments) require the government agency which holds the sensitive information (SSN, Credit Info, and all other personally identifying information) to protect the information from unautorized release? Couldn't the US Army (and any other Federal Agency) be liable under this Act for unautorized release of this information?
sTc

Honeypot

[kenp2002]

Who want's to bet the high and mighty security flaws are part of a new data security program that the federal government implemented. The brilliant minds have always suggested the honeypot system. Perhaps that would explain the 1000+ consultants hired nation wide by the gov't since 9-11 that have been setting up honeypots and audit DMZ as of late in federal networks. Not every hack is a successful breach of security. In fact 50% of them are breaching honeypots and audit DMZ. How would I know? I just installed 3 (2 audit DMZs and a honeypot) The local feds gave me a 300 page guideline that I had to follow for my client and McDAMN they have there act together on the guideline. I'd bet dimes to donuts that those dorks did nothing but hit an Audit DMZ. The military has always had an "Open Air" policy on all critical data systems. It is impossible to hack those machines (it is open-air after all) The worse case scenario that could happen hitting military machines would be purchase orders and troop emails. Big deal, CNN is doing a great job of leaking the same shit as it is.... :)

-- I am proud to be a savage in a Brave New World --