Slashdot Mirror
Hack the Army, Brag About it, Get Raided
SunCrushr was one of many who submitted this. A security company called ForensicTec decided to explore the U.S. government's computer systems, with particular emphasis on the Army. They talked to the press and had their fifteen minutes of fame. And surprise surprise, they immediately got raided by the FBI. What did they expect?
even when what you are doing is reasonable!
The only good weather is bad weather.
Comment removed based on user account deletion
Look, it's one thing to find a vulnerability, and another thing to say "oh look, let's see how far this goes and play with it before we tell anyone."
It's like discovering that there's a loose brick in the wall between the boys' locker room and the girls' shower room at school: getting an eyeful before reporting is still wrong.
They probably got searched to see if they did the equivalent of "taking pictures."
Get off my launchpad!
Then they point out specific, make-people-lose-their-jobs flaws. The kind of thing congressmen would love to jump on in order to criticise incompetency. Do it on a widely-read medium. This pisses more people off.
Then make very clear how you did specific illegal acts, giving those you just pissed off a great and simple way to get back at you.
Why not just walk right into jail...? I mean, its like spitting in the face of a police officer who is holding a gun, insulting them, and then making a threatening move while simultaneously pulling out a joint and smoking it. You might as well hand them the rubber hose...
Why taunt someone and then give them an excuse to hurt you? To gain acclaim? Fame? Real hackers are not out to get publicity, but rather to expose vulnerabilities and try to fix them.
Whats this you say? You sympathise with the "security firm?" well, take this quote into account: I dunno about you, but that would be my definition of script kiddie. Especially someone who then brags about it for publicity.
For those objecting to the theory of evolution in the other thread, I submit that this is exactly how the human race got smarter. Those guys are going to miss out on a lot of breeding opportunities - at least, breeding of the kind that produces babies.
Sheesh, evil *and* a jerk. -- Jade
its true that people need to make points sometimes, but the point they seem to be making is that people who brag about hacking get busted.
Which is nothing particularly new.
Oh, and the governement is better and has more rights than us. See vigiante justice. Lets say you know someone is a criminal. for example, they are pirating mp3s. You cannot do anything about it, other than maybe tell the governement. The governement can bust them, which almost never happens, because its a minor thing. Record companies want to have the "same rights as the governement," as you put it--they want to be able to search your computer, hack it, and basically fuck you up.
There is a reason why joe billy bob next door is not allowed to do the same things the police is allowed to do. Wouldn't it suck if any old bitchy mom could pull you over for speeding and make you pay $150?
Do you really think that these rather amateur (or so it seems) security consultants were the first to find these lapses in security? I highly doubt it. Perhaps it was beneficial that they were so public about it simply because it makes it a lot harder to ignore.
And regarding the IT being busy doing other things: If they can't secure the network then they should _GET_OFF_THE_BLOODY_INTERNET_. I'm 100% serious. There are countless government computers and networks that are theoretically publicly accessible with absolutely no justifiable reason but that it was easier for the IT department.
Don't you get it? You are not separate from the government. If you would like to be, go live in a dictatorship.
"I'll have a Guinness, no wait, make that a Coors Light" -Grad student I work with, who shall remain anonymous...
So, you wouldn't mind if I did a little security research on your home while you're away at work -- or, better yet, in the middle of the night when you *are* at home?
I mean, I wouldn't actually steal anything. Just rifle the place a bit, see what you've got, that sort of thing. Then, I might call the press and see if they're interested in doing a story about the level of security at [insert your address here].
I'm sure you'd appreciate the free research, right?
Cheers
-b
If you did it in Texas, it would be OK to shoot the guy that came in.
You're right. It's not like breaking into someone's house, stealing their stuff, then telling them they need a new lock.
It *is* like breaking into someone's house, going through their papers and files, then telling the local newspaper that this particular house has a crappy lock that's easy to break into.
Can you justify that?
As for whether "every" group that hates the US has already broken into Army computers, I wouldn't speculate on that. I would say, though, that these folks sure helped anyone who hasn't done so already pick an easy target. How patriotic, eh?
Yes, it could have been worse. However, what they did was 1) illegal (isn't everything these days?), 2) stupid, and 3) amateur. You can almost always get away with one out of those three. Often with two out of the three. Go for three out of three, though, and you're going to see some trouble.
-b
Why even use the real world analogy? How many of us wouldn't be pissed if we got an e-mail saying, "Hi, I cracked your security and got into your computer via --some exploit--. You might want to patch that. Also, some of your financial records are inaccurate, and the girl in 'sylvia_saint_fucking_and_sucking.avi' in the 'C:\Private\GodIHopeMyWifeDoesn'tSeeThis' directory isn't Sylvia Saint, but actually a lesser known porn star. Nice collection, BTW."
I'd want the guy prosecuted for breaking into my personal property and I believe that a lot of you would, too. Why do we expect a lenient, "please, invade our property some more, sir" attitude from anyone else?
Well they gotta make a point. If the government can monitor our phone calls, internet emails, conversations, etc. then why can't we spy on the government to? Or does the governemnt thinks that its better than us and that it got more rights than us?
The government is us. When you or I deal with the will of the people, we are not forced to do so by the whim of the crowd, but by the powers elected and appointed to speak for and act in the interests of the people.
The government, as a nebulous nonpersonal entity, is a slave to every one of its citizens, and exists for no other purpose than for the well being of those it serves.
The problem, of course, arises in that "the government" may be an inpersonal slave, but the people who run the government are very personal, flawed, human beings. It is these people who are put in power that are watched--and they're watched by other people in power who got put there different ways and across different levels, until we get back to the elected representatives and the voters en masse.
If you take away the government's unique right to spy & investigate with legal warrant, documentation, and accountability, (see: the FBI getting smacked for lying to judges), then you're left with either an illicit society of secrets ("If no one can see me do it, then I can get away with it") or a distopian society of eternal spying.
I would rather have some suit who's salary is paid for by my taxes spying on me than some random looney off the street.
Oh--and you (assuming that you're an American citizen) CAN spy on the government. You just need to do it with a time delay. Ever hear of FOIL? The fourth branch of government? The @#$ing drudge report? (slashdot?)
The last thing military needs is bunch of Steve Gibson wannabees portscanning the military servers.
No, the last thing they need is Al Queda sympathizers accessing their systems. If the portscanners point out that their systems are susceptible, they should *fix* them.
Ooh, a sarcasm detector. Oh, that's a real useful invention.
I people could break into systems with non criminal intent and haveshort or no sentances then they would do it. Now we have all sorts of people being good samaritans breaking into networks left and right, and not doing anything wrong.
Now I come along. I say, I want to do something wrong when I am in there, and people are generating so much intrusion noise that I can slip in and out unnoticed within the sea of attacks.
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
It is not right that government/military computers were audited for security without express permission from the government.
ForensicTec was able to and *did* read sensitive information which they had no business in doing -- indeed they were not contracted by, and had no agreements with the government to do such a thing.
And it was an "audit" instead of an "attack" because obviously the company had no ill intent; otherwise they would not have gone public.
I speculate that the government probably already knew that such security problems could exist -- most organizations do. ForensicTec acted like a loose canon and did not help matters, but instead simply pointed out the obvious.
Immediately upon stumbling across the government computer network two months ago, ForensicTec should have obtained permission before attempting to "help".
Providing proof afterwards does not justify the means.
Let's hypothesize that ForensicTec did ask to perform a security audit in the first place, and the request was declined by the government. Well, in the words of president O'Keeffe, "We could have easily walked away from it,".
It was a self-serving stunt by ForensicTec for publicity purposes, and they dug themselves in too deep while hoping for the publicity (well, they got publicitly even though it's probably not the exact type they were looking for). The articles quotes: "get some positive exposure for themselves,".
I don't believe any penalty will be too harsh, and it will hopefully set a precedent for other companiess to take a more discerning approach to such a sensitive matter in the future.
I'm not saying that security holes shouldn't be researched when there looks to be a problem. But come on ... it can be done in a much better way than ForensicTec handled it. The government can't be blamed for taking exception to the method.
The point here is that the company made the army security specialists look like idiots to their superiors.
In all probability, they would've prefered to stay vulnerable if it meant saving face.
Typical tactic. When you expose their piss-poor security, they scramble for cover and instead of acknowledging that they don't know security from a hole in the ground, immediately accuse the people who exposed their incompetence.
"Nothing strengthens authority so much as silence." - Charles de Gaulle
"If they broke into the base, photocopied some records, and bragged about it noone would have even thought twice about their arrest."
Putting a file on a computer directly on the Internet is a far cry from putting a file in a locked file cabinet in a locked office in a secured building on a military base whose gates are protected by armed military personnel.
It much more like putting a file in a locked file cabinet in a public park.
-- Terry
Although I suspect that we are on opposite sides of this issue, I do think that your analogy is mostly correct. But you need to add the fact that you sat down at several of the desks, opened the files, and read them for a few hours. Loan agreements, account records, etc.
Prosecution is completely appropriate. Let's not forget that the "seriousness" of the actual offense should be reflected in the sentence, eg. a fine and a few weeks in jail rather than years in the slammer.
Evil is the money of root.
Ah, but it certainly does, as far as the Internet is concerned. You are making the traditional mistake of comparing cyberspace to meatspace, where your statement would be true.
The internet may not have been intended to be designed in the spirit of an open community, but that's how it turned out: it was used as a collaborative research tool for the exchange of information. Things were made available with the implicit cultural assumption that copies were free to be taken and examined. The meatspace analogy would be a community where the norm was that people were free to wander into any house, and look around, just not damage anything. If there was a door, just jiggle the lock if it's stuck. People asking about FTP passwords weren't rebuffed, they were told about "anonymous" and were gently asked to leave their "email address at the door", as it were.
While some security was available, in terms of password-protected telnet access, the general rule was that you didn't put stuff on an internet connected computer that you'd mind becoming public.
This culture extended to the development of the WWW: it was designed as a way to facilitate the sharing of information enhanced with links to related stuff: all pages were equal. The concept of "deep-linking" didn't make sense -- it mattered more that you could get to a page of interest.
Fast forward to commercialization, constrained-navigation (so you're forced to see ads), and the desire to use the open community's communication mechanism for virtual private communication (VPN, duh, but also plain old SSL and IPSec encrypted traffic). Enhanced privacy, security, and constrained site navigation are exceptions, not the rule. There are legitimate reasons to support these, you can beef up security if you wish, but, and this is the kicker, when it comes to "old-net culture", the onus is on you to lock things down and not presume that the norm is "stay away unless invited". Rather than a community of homes, the analogy is a mall of stores, public libraries, and free art exhibits, inviting and open to all.
This is why I wrote "If you don't understand the Internet, stay the fuck away."
Here was a peaceful, cooperative community, that helped provide the means for secure communication to those that wanted it, and wound up getting culturally hijacked by people who refuse to accept that there are certain customs to follow if you really want people to not look and stay away.
We gave them an "Http-Referrer" field for <insert deity here>'s sake. How arrogant of the "thou shalt not deep link" hounds to not use it. It's like someone building a two-way road and a bunch of idiots insisting on driving on the "wrong" side because it's the "right" side where they came from. Funny, Yanks drive on the left in the U.K., Brits drive on the right in the U.S.A. Perhaps when someone whines about the curious seeing what they oughtn't in an ignorantly open site, the data should be blown to a bunch of mirror sites, like car parts thrown from an auto collision.
You know, those that designed the internet protocols should have patented them (you can patent a protocol, I think), and used the clout to take away the right to play on the net from those that refused to adapt to the lingua franca's idioms. Of course, they probably would have to assign such patents to the DoD and others, so that dream is a bit foolish, but the lesson should be learned: if you don't want others to pollute and poison what you make, you need to protect it from those that would try while making it available to all others (which is why the GPL is so brilliant a concept, though it appear we need to get some clue-clubs to help enforce it).
O.K., I'm out of breath, so this rant is over. Mod me down as you will.
You could've hired me.