Hack the Army, Brag About it, Get Raided
SunCrushr was one of many who submitted this. A security company called ForensicTec decided to explore the U.S. government's computer systems, with particular emphasis on the Army. They talked to the press and had their fifteen minutes of fame. And surprise surprise, they immediately got raided by the FBI. What did they expect?
even when what you are doing is reasonable!
The only good weather is bad weather.
... as to how long until they show up here
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
While I think these guys should be held accountable, at the same time I wonder if the heavy hand of the law is a case of shooting the messenger? Are these people who are so willing to call in the feds equally as willing to actually fix the source of the problem, or are they hoping that by pretending there's no problem it achieves the same effect? Color me a cynic, but I suspect the latter.
Don't hack the military unless you are a hostile foreign power, and even then it's not recommended.
I have been pwned because my
Federal law enforcement authorities searched the computers of a San Diego security firm that used the Internet to access government and military computers without authorization this summer, officials said yesterday.
:)
So it looks like those ForensicTec computers aren't secure enough
If they were serious about what they were doing, they should have contacted the people who have influence over the systems they compromised. Making their findings public may achieve the same effect in the way of getting the systems fixed, but the end result is a lot of unpleasantness all around. In short, it was a wholly unprofessional way to act.
Common sense is what tells you the world is flat.
ForensicTec officials said they stumbled upon the military networks about two months ago, while checking on network security for a private-sector client.
Someone new to a Dvorak probably tried to type in "lynx http://www.google.com" but instead got "nmap -v -p 1-1024 -sS -P0 army.mil -T paranoid".
Look, it's one thing to find a vulnerability, and another thing to say "oh look, let's see how far this goes and play with it before we tell anyone."
It's like discovering that there's a loose brick in the wall between the boys' locker room and the girls' shower room at school: getting an eyeful before reporting is still wrong.
They probably got searched to see if they did the equivalent of "taking pictures."
Get off my launchpad!
Then they point out specific, make-people-lose-their-jobs flaws. The kind of thing congressmen would love to jump on in order to criticise incompetency. Do it on a widely-read medium. This pisses more people off.
Then make very clear how you did specific illegal acts, giving those you just pissed off a great and simple way to get back at you.
Why not just walk right into jail...? I mean, it's like spitting in the face of a police officer who is holding a gun, insulting them, and then making a threatening move while simultaneously pulling out a joint and smoking it. You might as well hand them the rubber hose...
Why taunt someone and then give them an excuse to hurt you? To gain acclaim? Fame? Real hackers are not out to get publicity, but rather to expose vulnerabilities and try to fix them.
What's this you say? You sympathise with the "security firm?" Well, take this quote into account: I dunno about you, but that would be my definition of script kiddie. Especially someone who then brags about it for publicity.
... Princeton?
The Mongrel Dogs Who Teach
Well they gotta make a point. If the government can monitor our phone calls, internet emails, conversations, etc. then why can't we spy on the government too? Or does the government think that it's better than us and that it's got more rights than us?
I say enough is enough and it's time for a change.
The story clearly stated that these people are newbs in the security field. Not someone I want protecting the security of computers belonging to the armed forces.
Additionally, they went about this the wrong way. The right way would have been to contact a responsible party and professionally report the issues they found, not grab a bunch of stuff and call a news team. I know that based on their actions, I wouldn't hire them.
That's just me. I choose to work with professionals.
The way they should have gone was
1: Hack whatever.army.mil
2: Post anonymously to slashdot regarding army's computer problems.
3: Request "large_num" security agreement, else will release to usenet, BugTrac, Slashdot, many newspapers, magazines....
4: Release anyways.
This story should be posted on Fark with the "Dumbass" tag.
...
One thing you DON'T do is screw around with military computer systems and then publicize it.
These guys oughta get the death penalty for criminal stupidity accompanied by a posthumous (is there any other kind?) Darwin award
utter rubbish
For those objecting to the theory of evolution in the other thread, I submit that this is exactly how the human race got smarter. Those guys are going to miss out on a lot of breeding opportunities - at least, breeding of the kind that produces babies.
Sheesh, evil *and* a jerk. -- Jade
It's true that people need to make points sometimes, but the point they seem to be making is that people who brag about hacking get busted.
Which is nothing particularly new.
Oh, and the government is better and has more rights than us. See vigilante justice. Let's say you know someone is a criminal. For example, they are pirating mp3s. You cannot do anything about it, other than maybe tell the government. The government can bust them, which almost never happens, because it's a minor thing. Record companies want to have the "same rights as the government," as you put it--they want to be able to search your computer, hack it, and basically fuck you up.
There is a reason why joe billy bob next door is not allowed to do the same things the police are allowed to do. Wouldn't it suck if any old bitchy mom could pull you over for speeding and make you pay $150?
I placed an unpatched Windows machine on the internet with no firewall protection whatsoever and shared the Inetpub directory. I wanted to know, how long it'll take before someone decides to crack into my machine. Sure enough, it took only two days.
This test really made me realise that there are plenty of crackers and criminals out there that are waiting for a chance to get into your PC.
The point I want to make is that, I'm sure those army computers have been accessed by crackers plenty of times before.
Depends if you really think your life sucks because of your own evaluation of it, or whether you think that because of what society has led you to believe based on what "everybody says".
If you think it's sad that it's Friday night and you're on /. then it's simple- go out and be where people are.
I personally couldn't give a shit. I spend all weekends in browsing the internet, watching anime, masturbating excessively and playing computer games. Now society will tell me that I don't have a life- but I say that society is a bunch of dumb-fucks and I know what I enjoy.
graspee
disarmingly honest since 1862
So in short, I am required to Open Source my life but the government on the other hand will not open its. Doesn't sound fair to me. Looks more like a friendly dictatorship.
Don't you get it? You are not separate from the government. If you would like to be, go live in a dictatorship.
"I'll have a Guinness, no wait, make that a Coors Light" -Grad student I work with, who shall remain anonymous...
Rent-a-cop company raided after beating up government officials
San Diego, CA
Officials at SecureTech expressed surprise over an early morning FBI raid. For the past few months, SecureTech had been waylaying public officials and beating them to a pulp. The raid came just hours after a Washington Post article mentioning the beatings.
Brent Clueless, SecureTech spokesperson, decried the search. "A few months ago, while installing video cameras in a local mini-mall, we realized that some government officials had woefully inadequate security. Some of them drove the same route home every day, and a few of them even left their front doors unlocked at night. By sneaking in and severely beating them in their own houses, we hoped to draw attention to this problem and maybe gain some positive publicity for our security firm."
"We only continued the break-ins and beatings because we were surprised that it was so easy, and we were curious about just how much truly malicious people would be able to get away with," Clueless continued.
Cheers
-b
An unlocked door does NOT imply a "big honking sign that says 'enter'". If you walk in my house uninvited, whether I leave the door wide-ass open or not, you are still risking my blowing your head off.
Sometimes it's best to just let stupid people be stupid.
If you did it in Texas, it would be OK to shoot the guy that came in.
If they broke into the base, photocopied some records, and bragged about it no one would have even thought twice about their arrest. But now that it is electronic it is of some sort of interest to Slashdot? Very sad.
Look if you want the virtual world to be treated like the real world (privacy, source code = speech, etc) then you have to accept it works both ways. Breaking in electronically is the same as physically. It doesn't matter how "weak" the security is. Just because I can throw a brick through a window and rob a store, doesn't mean it is somehow the store's fault for having windows.
And sure I am concerned about military security. And it is disturbing someone could hack into it. But that doesn't give ForensicTec the right to go hacking it. I'm worried about airline security but I can't take it upon myself to see if I can get a gun through security.
Brian Ellenberger
If the government can monitor our phone calls, internet emails, conversations, etc. then why can't we spy on the government too?
Because there are things that the general public should not know. An obvious example would be the list of people in the witness relocation program. Obviously there is a lot of military information that is not in our best interest for our enemies to know as well.
Sometimes it's best to just let stupid people be stupid.
So I'm part of the government yet I can't know everything about it?
You're right. It's not like breaking into someone's house, stealing their stuff, then telling them they need a new lock.
It *is* like breaking into someone's house, going through their papers and files, then telling the local newspaper that this particular house has a crappy lock that's easy to break into.
Can you justify that?
As for whether "every" group that hates the US has already broken into Army computers, I wouldn't speculate on that. I would say, though, that these folks sure helped anyone who hasn't done so already pick an easy target. How patriotic, eh?
Yes, it could have been worse. However, what they did was 1) illegal (isn't everything these days?), 2) stupid, and 3) amateur. You can almost always get away with one out of those three. Often with two out of the three. Go for three out of three, though, and you're going to see some trouble.
-b
Good enough. Then they should understand that there are things that the government should not know and stop spying on us.
Well they gotta make a point. If the government can monitor our phone calls, internet emails, conversations, etc. then why can't we spy on the government too? Or does the government think that it's better than us and that it's got more rights than us?
The government is us. When you or I deal with the will of the people, we are not forced to do so by the whim of the crowd, but by the powers elected and appointed to speak for and act in the interests of the people.
The government, as a nebulous nonpersonal entity, is a slave to every one of its citizens, and exists for no other purpose than for the well being of those it serves.
The problem, of course, arises in that "the government" may be an impersonal slave, but the people who run the government are very personal, flawed, human beings. It is these people who are put in power that are watched--and they're watched by other people in power who got put there different ways and across different levels, until we get back to the elected representatives and the voters en masse.
If you take away the government's unique right to spy & investigate with legal warrant, documentation, and accountability (see: the FBI getting smacked for lying to judges), then you're left with either an illicit society of secrets ("If no one can see me do it, then I can get away with it") or a dystopian society of eternal spying.
I would rather have some suit whose salary is paid for by my taxes spying on me than some random looney off the street.
Oh--and you (assuming that you're an American citizen) CAN spy on the government. You just need to do it with a time delay. Ever hear of FOIL? The fourth branch of government? The @#$ing drudge report? (slashdot?)
Um, if they were so altruistic -- patriotic, even -- then why didn't they tell the Army, rather than blabbing it on a public forum? I mean, yay for accountability and the holding of incompetent feet to the fire. But now you gotta pay the cost of your civic virtue...
The Mongrel Dogs Who Teach
Well, duh. Do you really think you have a right to know, say, the operational plans of the 101st Airborne division? I'm all for transparency in government but you have to be reasonable. Does that mean in this case there's a reason for opaqueness? I surely do not know. But in some cases, there certainly is.
Just because it's "your" government doesn't mean you own the thing, for Pete's sake.
The Mongrel Dogs Who Teach
Then they should understand that there are things that the government should not know and stop spying on us.
Well, then you'll be happy to know that they aren't spying on "us". They spy on suspected criminals with permission from the judiciary.
Sometimes it's best to just let stupid people be stupid.
It *is* like breaking into someone's house, going through their papers and files, then telling the local newspaper that this particular house has a crappy lock that's easy to break into.
My God! You don't see any difference between computers connected to a public network and papers locked behind people's closed doors?
But even if I were to allow your point, that would be a privacy violation. The issue here isn't a privacy violation. The issue is illegal hacking. We are being very stupid, not them, if we want these kinds of actions classified as illegal hacking.
As for this company being stupid--I see them as whistleblowers, not stupid. It's dangerous to be a whistleblower, but it is damn moral.
I don't care about the people, I care about myself and my friends and parents.
Except that the person spying on you may also be working for a criminal organisation. It happened several times here in Canada and I'm sure it's still happening.
Nope. Because a majority of the People have decided to allow the people they place in charge discretion in a few specific areas.
A majority of people feel that it's important to keep the identities of people in witness relocation programs secret.
You don't like it, grab a bullhorn and convince the Rest of Us why we should change.
Hire a Linux system administrator, systems engineer,
hmmm, from what I understood, since sept. 11, they don't need no permission anymore.
I kind of feel sorry for ForensicTec. True, they did technically break the law, but I don't believe they had any criminal intent, otherwise I doubt they would have gone public about it.
On the other hand, if the Army didn't go after them, then that would send the wrong message to the public too.
ForensicTec made it painfully clear that our government should get off their asses and really implement stronger security on their systems.
I mean damn, anyone with free software tools and a basic understanding of how to hack could have done this. The Army and other affected government facilities should be so lucky that ForensicTec was just curious; if it were another country doing this for profiling/spying/mounting an attack/sabotage, they'd be up shit creek without a paddle.
It's proof enough for me that the U.S. is more at risk than I previously thought. The amount of taxes taken each year from every citizen is a lot; the least they could do is take the time to make sure their password isn't...um.."password" among other things.
I love my country, but it's embarrassing to watch it do some of the things it does.
A Penny for my thoughts? Here's my two cents. I got ripped off!
Thus spake the article: They made their findings public, said ForensicTec President Brett O'Keeffe, because they hoped to help the government identify the problem -- and to "get some positive exposure" for their company.
Well they gots lots of exposure, not too sure about the positive part.
And from the mission statement on their website:
"ForensicTec Solutions, Inc. intends to be the first name in computer forensics and network security." I think perhaps they left out "listed as the defendant in a case brought by NASA and various military branches" at the end of their mission statement?
I Am My Own Worst Enemy
Somebody at Fort Hood and elsewhere should be cooling their heels in a stockade.
Classified documents are NOT supposed to be on machines exposed to the Internet- PERIOD. Machines of that nature are not considered to be at a trust level sufficient for those sorts of things. Forget the security of the machines; the security of classified documents is supposed to be much higher than this appears to have been handled.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
But an incident like this can take down the whole company. Where is the justice in that?
IDRTA, but I believe it was the Company that issued the press release, not individual people who happened to work for the company. One of the downsides that comes with the privilege of incorporation is the ability to do things *as an entity*. If "the Company" does something, then it's "the Company" that will suffer for it.
Hire a Linux system administrator, systems engineer,
The last thing the military needs is a bunch of Steve Gibson wannabes portscanning the military servers.
No, the last thing they need is Al Qaeda sympathizers accessing their systems. If the portscanners point out that their systems are susceptible, they should *fix* them.
Ooh, a sarcasm detector. Oh, that's a real useful invention.
"I say enough is enough and its time for a change."
Then stop saying it, and do something. Sheesh.
The Kruger Dunning explains most post on
So it's like someone found out a vulnerability in your home alarm, exploited it and just looked through your stuff.
Actually it's a little different, because they sat at a computer terminal far away, so they didn't get shot.
You can bet your butt there will be a calling out onto the carpet for those system admins.
The Kruger Dunning explains most post on
Any chance?
Well, Army will not answer, of course ;)
Hacking the government's computers is stupid.
Hacking the government's computers during time of war is monumentally stupid.
It's conceivable that because we are in a state of War, it might even be considered a treasonous (sp?) act.
It's pretty funny tho, the article quotes the gov't as saying if someone finds a vulnerability, they should report it.
Isn't that exactly what happened?
-- You are in a maze of little, twisty passages, all different... --
Goddamn, but these people seem more like patriots than criminals.
I'm sorry, but since when are the two mutually exclusive?
Ever heard of Congress? Certain highest-ranking members of the Executive branch? =)
Get off my launchpad!
Right now any attempted hack on Government systems would be considered illegal and bad. ..... ? You're forgetting that telling people to hack the government isn't just telling someone to hack any old computer -- success is potential disaster.
As soon as you open the floodgates for "white hat" hackers to help you, a) it becomes much more difficult to discern between "good" and "bad" traffic (meaning some people would be out to help you, some would be out to hurt you) and b) it would bring much more attention to hacking your network in general. I don't know about you, but I'd rather have 100(arbitrary) people trying to hack our government than 1 million people trying to hack our government -- the chance for success is much greater (yes, those numbers are made up and exaggerated).
The only time I can see something like this being effective is when the system being attacked is either a honeypot (see above) or
-kwishot
You're right. They do need permission.
you are still risking my blowing your head off.
This got rated Informative?
Yikes, we've got paranoid moderators...
You can't take the sky from me...
It is not right that government/military computers were audited for security without express permission from the government.
ForensicTec was able to and *did* read sensitive information which they had no business in doing -- indeed they were not contracted by, and had no agreements with the government to do such a thing.
And it was an "audit" instead of an "attack" because obviously the company had no ill intent; otherwise they would not have gone public.
I speculate that the government probably already knew that such security problems could exist -- most organizations do. ForensicTec acted like a loose cannon and did not help matters, but instead simply pointed out the obvious.
Immediately upon stumbling across the government computer network two months ago, ForensicTec should have obtained permission before attempting to "help".
Providing proof afterwards does not justify the means.
Let's hypothesize that ForensicTec did ask to perform a security audit in the first place, and the request was declined by the government. Well, in the words of president O'Keeffe, "We could have easily walked away from it."
It was a self-serving stunt by ForensicTec for publicity purposes, and they dug themselves in too deep while hoping for the publicity (well, they got publicity even though it's probably not the exact type they were looking for). The article quotes: "get some positive exposure for themselves."
I don't believe any penalty will be too harsh, and it will hopefully set a precedent for other companies to take a more discerning approach to such a sensitive matter in the future.
I'm not saying that security holes shouldn't be researched when there looks to be a problem. But come on ... it can be done in a much better way than ForensicTec handled it. The government can't be blamed for taking exception to the method.
The Army suddenly realizes that the string of text "b3 411 7h47 U c4n b3" on its recruitment site was not, in fact, an error message.
Ergonomica Auctorita Illico!
No, they were not breaking into someone's house. They were walking into an open unguarded government office, and picking up some confidential documents lying on the desk. I believe that confidential documents are traditionally behind locked doors and guards to keep such a thing from happening.
Can you justify that?
How can you argue that it is acceptable to leave confidential documents in an unlocked, unguarded office for anyone to take? Do you live in the real world where confidential documents are securely stored, or in la la land where everyone is trusted to follow the rules?
In this case, the government has not fulfilled their mandate to guard the security of the U.S. and its citizens. A Citizen of the U.S. discovered this, and went to the press. Citizens of the U.S. have that right.
The Government also has the right to find some way of punishing these citizens for exposing Government incompetence. A cynic would say that was to be expected. A more rational person would hope his or her government would spend some time trying to solve the problem instead of engaging in a cover-up. This is especially true as we are supposed to protect whistle blowers to ferret out corruption, although I realize the Bush administration is intent on hiding behind homeland security.
I certainly am not saying that what these people did was strictly legal, but I would hope the U.S. government would take security a bit more seriously. I understand it is a learning curve.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
Nevertheless I'll reserve the right to post signs all over town in the dead of night saying your door is unlocked because you're really stupid. These folks shouldn't have made a publicity grab or they shouldn't have mucked about inside the army systems. I wish some army heads would roll over this, but they won't.
If they had reported this to the army it would have never been made public, and they might have been arrested anyway. The only thing I think they should have done differently is get a Senator involved before going to the media; it would have given them some cover. Seriously though, they should be given a congressional medal of honor for bravery for informing us of the lax security.
I used to live near a couple military bases so I know it's not exactly geniuses running the place. But they are a very organized bunch and I would have expected a policy on passwords, and that in that culture it should be easy to enforce. Password crackers shouldn't work on the military. Someone who leaves a password of "password" or "administrator" on a computer should be dishonorably discharged at the very least. If any of those machines exposed sensitive data they should get at least a few years on a slab of concrete in Cuba.
The dirty little secret of the military is that sensitive information is a lot more important than classified stuff. Engineering data that was classified in 1950, that made it into every textbook by 1960, is still locked in a safe at night because it's too much work to declassify anything. The day to day functioning of the military tells any enemy everything they might care about and that never gets classified.
Hey even the top secret nuclear stuff doesn't really matter since the information to build a nuke was long ago published, and the high tech stuff the US and Russia have isn't of interest to anyone. It's already expensive to build a nuke that takes out Manhattan; building one that takes out Jersey City in the same hit is just a waste of money. But what kind of gas masks are being packed for the attack on Iraq, well that could be useful.
Don't they know about the military's "Don't ask, don't tell" policy?
See no evil, hear no evil... Therefore, there must BE no evil! Get it?
Rule number one of hacking dot-MIL:
You do not talk about hacking dot-MIL
Rule number two of hacking dot-MIL:
YOU DO NOT TALK ABOUT HACKING DOT-MIL!
But then, they also broke rule number zero:
Anyone with half-a-brain stays the FSCK away from dot-MIL.
Funny thing though, I once did an ordinary google search that returned a page that I think was supposed to be internal use only, if not actually classified. It listed the current location of a warship. Hmm, I can't recall if it was when we first sent ships over by Afghanistan, or back during Desert Storm.
-- You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
As for whether "every" group that hates the US has already broken into Army computers, I wouldn't speculate on that. I would say, though, that these folks sure helped anyone who hasn't done so already pick an easy target. How patriotic, eh?
Exactly how? Are they sending Al Qaeda (generic term for terrorism these days) information on how to get in, are they sending them some information they gathered?
I can only see these break-ins that go into the newspapers as a way to make sure the right people know they ARE vulnerable, and that you don't need much resources or research (no nukes, just an internet link) to do it.
It's a BIG WARNING letter. You may not like it, but it's a gift from god that these break-ins come from these nerds and not from actual terrorists. You will disagree for sure; I just want to express that I do not understand your point of view.
unfinished: (adj.)
The bitch to bureaucracies and incompetence is that a successful bureaucrat covers it up. And often anybody who would make the appropriate whistle-blower is ass-deep in alligators already with all the other crap that's on their plate because their IT budget can't handle proper staffing.
So... sure. Maybe someone does need to make something happen. They need to point a finger. They need to embarrass the bureaucrats into fixing what is broke. Maybe this kind of act is the Right Thing.
So how does one pull this off? Make the run, collect evidence, find a reputable journalist (No... really) you can trust, and then anonymously dump the evidence into their laps. Maybe drop it into a couple journalists' laps just to make sure the story doesn't turtle at that point. When the story hits the papers, nod quietly at your civic duty done and hope that nobody can ever trace it back to you.
You do NOT use this as a vehicle for self-promotion.
"If they broke into the base, photocopied some records, and bragged about it noone would have even thought twice about their arrest."
Putting a file on a computer directly on the Internet is a far cry from putting a file in a locked file cabinet in a locked office in a secured building on a military base whose gates are protected by armed military personnel.
It's much more like putting a file in a locked file cabinet in a public park.
-- Terry
If I recall, the head of Bush's computer security team said not too long ago that he believed government should take a less belligerent tone with white-hat hackers who crack systems without malice.
While maybe these guys should have approached this exploit differently, the fact is that they meant no harm in their actions and in fact have probably done us all a service by exposing, without exploiting (except perhaps for some cheap publicity), somebody else's fuckup in the US ARMY.
Does anyone really believe that any greater good is served by pursuing criminal sanctions against these guys?
evanchik.net
No, they were not breaking into someone's house. They were walking into an open unguarded government office, and picking up some confidential documents lying on the desk. I believe that confidential documents are traditionally behind locked doors and guards to keep such a thing from happening.
Which is still trespassing and is still illegal. Just because the fence isn't very high, and the doors are unlocked, doesn't mean you are allowed to enter and shuffle through their stuff.
There are altogether too many people claiming that the 'online world' is different than the physical world, and should have different rules, laws and regulations. I believe this to be a bunch of bull. While there are a few paradigm changes, the basics of freedom, privacy, and reasonable security still apply. The laws that exist currently should be smartly applied to online cases and only when they are found to be severely lacking should we consider new/different rules.
In most cases this is not needed. Trespassing laws (using their equipment w/o their permission for one) should neatly tie this case up.
Even if you did leave your front door open others are still liable for charges if they choose to enter your property without your permission.
-Adam
Now, if this "company" hadn't bragged about their "accomplishments," do you think the Army would have noticed that their computers had been infiltrated?
-braxton
I think these guys got too greedy. They went public in the hopes that they'll get noticed and jump straight to "Step 3. Profit!!".
I hope they learn their lessons.
Well I went and hacked the Army.. Dad said son you're fucking high.....
The people that seized their computers are not the ones that are supposed to dole out the punishment. They simply investigate (Federal Bureau of Investigation). The courts are the people who punish them. The permanent seizure of the computers is wrong. If the judge later says that the seizure of the computers should be part of the punishment, so be it. But the FBI is not in the kind of power to dole out punishment, and if they do so, it is wrong.
Violating the law in private is pretty stupid, too. And if you feel inclined to engage in a little civil disobedience because you're "mounting a case against an unfair law", put a good defense attorney on retainer and be prepared for jail time. Laws aren't struck down as unconstitutional all that often. Be prepared to wait out the appeals process.
Just telling the court that you don't "believe" in the law will only produce passing annoyance. Citizenship incurs a legal obligation to obey the laws, or pay the price.
-- Slashdot: When Public Access TV Says "No"
Confidential is a classification. If you work someplace where people think it isn't, fix it quick.
-- Slashdot: When Public Access TV Says "No"
Although I suspect that we are on opposite sides of this issue, I do think that your analogy is mostly correct. But you need to add the fact that you sat down at several of the desks, opened the files, and read them for a few hours. Loan agreements, account records, etc.
Prosecution is completely appropriate. Let's not forget that the "seriousness" of the actual offense should be reflected in the sentence, eg. a fine and a few weeks in jail rather than years in the slammer.
Evil is the money of root.
You could also make a citizen's arrest
Wonder how effective one would be were the criminal a law enforcement officer.
Windows sits on desktops across the government for the same reasons it sits on desktops everywhere. There's no excuse for sloppy security, but the feds cannot offer competitive compensation for IT workers (as well as a lot of other technical occupations). Federal agencies cannot unilaterally decide to fix the problem by increasing compensation to match the private sector; they're legally bound by gov't-wide guidelines. And, these days, a political effort to raise the pay grade of IT workers across the board will run into the usual firestorm of opposition from the usual suspects.
-- Slashdot: When Public Access TV Says "No"
I suspect that this term was misused by the media. Documents in the civilian world are frequently referred to as "confidential," but in the military this is an actual level of classification. If the documents were truly confidential, then someone does need to go to the brig. But I doubt that they were.
Evil is the money of root.
My God! You don't see any difference between computers connected to a public network and papers locked behind people's closed doors?
Yes, there is a difference, but I think all the analogies relating to house-breaking are legitimate.
You seem to be implying that being connected to the public network means that you have less right to privacy and security. But the connection to the public network is for the owner's own use, or the use of others on the terms of the owners. The public connection is analogous to the sidewalk and driveway in front of your house... the fact that those paths exist doesn't give anyone the right to walk up them and through your (inadequately) locked front door.
Evil is the money of root.
Yeah, go on. Explore my house without my permission. You're going to get shot, Mr "Curiosity is my only crime". Oh, that's right... Hackers that do that shit are somehow morally exempt from the laws that govern everybody else. Pardon me for the lack of sympathy.
Flamebait? Troll? What good is Karma if you don't use it?
You need a FREE iPod Nano
Breaking into government property is against the law. Doesn't make any difference if someone is stupidly exposing shares in the open. Just like it doesn't make any difference if you walk in to someone's office and walk out with the contents of their unlocked filing cabinets.
You can't defend it by claiming some higher moral right. Doesn't make any difference if the data is in a filing cabinet or on a server. You can't justify breaking and entering or illegal hacking just by claiming to be "testing" security.
You don't want it to be illegal? Ok, suppose you're in charge of your company's network security. I successfully break in and steal data. Tell me how you're going to finesse that by pointing to the morality of the thieves.
-- Slashdot: When Public Access TV Says "No"
Ah, but it certainly does, as far as the Internet is concerned. You are making the traditional mistake of comparing cyberspace to meatspace, where your statement would be true.
The internet may not have been intended to be designed in the spirit of an open community, but that's how it turned out: it was used as a collaborative research tool for the exchange of information. Things were made available with the implicit cultural assumption that copies were free to be taken and examined. The meatspace analogy would be a community where the norm was that people were free to wander into any house, and look around, just not damage anything. If there was a door, just jiggle the lock if it's stuck. People asking about FTP passwords weren't rebuffed, they were told about "anonymous" and were gently asked to leave their "email address at the door", as it were.
While some security was available, in terms of password-protected telnet access, the general rule was that you didn't put stuff on an internet connected computer that you'd mind becoming public.
This culture extended to the development of the WWW: it was designed as a way to facilitate the sharing of information enhanced with links to related stuff: all pages were equal. The concept of "deep-linking" didn't make sense -- it mattered more that you could get to a page of interest.
Fast forward to commercialization, constrained-navigation (so you're forced to see ads), and the desire to use the open community's communication mechanism for virtual private communication (VPN, duh, but also plain old SSL and IPSec encrypted traffic). Enhanced privacy, security, and constrained site navigation are exceptions, not the rule. There are legitimate reasons to support these, you can beef up security if you wish, but, and this is the kicker, when it comes to "old-net culture", the onus is on you to lock things down and not presume that the norm is "stay away unless invited". Rather than a community of homes, the analogy is a mall of stores, public libraries, and free art exhibits, inviting and open to all.
This is why I wrote "If you don't understand the Internet, stay the fuck away."
Here was a peaceful, cooperative community, that helped provide the means for secure communication to those that wanted it, and wound up getting culturally hijacked by people who refuse to accept that there are certain customs to follow if you really want people to not look and stay away.
We gave them an "Http-Referrer" field for <insert deity here>'s sake. How arrogant of the "thou shalt not deep link" hounds to not use it. It's like someone building a two-way road and a bunch of idiots insisting on driving on the "wrong" side because it's the "right" side where they came from. Funny, Yanks drive on the left in the U.K., Brits drive on the right in the U.S.A. Perhaps when someone whines about the curious seeing what they oughtn't in an ignorantly open site, the data should be blown to a bunch of mirror sites, like car parts thrown from an auto collision.
You know, those that designed the internet protocols should have patented them (you can patent a protocol, I think), and used the clout to take away the right to play on the net from those that refused to adapt to the lingua franca's idioms. Of course, they probably would have to assign such patents to the DoD and others, so that dream is a bit foolish, but the lesson should be learned: if you don't want others to pollute and poison what you make, you need to protect it from those that would try while making it available to all others (which is why the GPL is so brilliant a concept, though it appears we need to get some clue-clubs to help enforce it).
O.K., I'm out of breath, so this rant is over. Mod me down as you will.
You could've hired me.
Good or neutral intent aside, the quickest way for the government to see what was compromised, and to make a full assessment is to obtain the systems involved, and to interrogate the individuals involved. Seems like this should be common sense.
Get a free ipod.
Nevertheless I'll reserve the right to post signs all over town in the dead of night saying your door is unlocked because you're really stupid.
Yeah, because who the hell would want to live in society where you could leave your door unlocked? Much better to punish anyone who dares try to make such a society.
Sometimes it's best to just let stupid people be stupid.
And, my response is, "If you leave a port open, particularly port 80 and other well-known ones, you are saying, 'Welcome! Look, but don't touch, and please don't repeatedly enter and exit the revolving door -- it gets in the way of others'".
There are ways for you to say the equivalent of "keep out". Learn how to use them! The Internet only functions as an effective information exchange medium when the presumption is that one can actively seek things out -- the whole notion of search engines would not exist if this were not possible (and even here, you have the option of controlling spiders with robots.txt).
On a more practical note, I can't keep my traffic out of your computer as I have no control how my packets get routed -- only you can choose to not be a router in the public net.
If you wish to push the idea that access to information available by the Internet should be "by invitation only", then I think a lot of those who believe the opposite would want you to live by your words and stay away from our sites (particularly mine - you are not invited and I'll be watching my access logs). How can you tell where you can and can't surf? You can't. So, just unplug your net connection and go home to your pre-networked life. We don't want your kind here. While I wish you no physical harm, it nevertheless gives me a warm fuzzy feeling to think that there are those who believe that preserving the open nature of the net trumps the right to life of those who would forcefully deny this to us by ultimately threatening our freedom to communicate as we choose.
You could've hired me.
It's a very noble idea, but just leaving your door unlocked is the wrong way to go about it. Start by reading my second journal entry and responding. People will commit crimes when they don't know who is the victim and have been victimized themselves, including by society. Offer assistance to help make sure everyone has the opportunity to succeed, then think about leaving your door unlocked. Unfortunately some humans won't help themselves even when others offer their hands to lift them up. It is these humans who still might steal your stereo when everyone else lives in a near-utopia.
Here are some pointers:
1. "No harm, no foul" is not enshrined as a legal precept.
2. There's plenty of data inside and outside the government, on paper or on computers, that it is illegal for you to look at. If you get caught looking at it, that's often called espionage. If someone screwed up and made it easy for you to spy, they'll face charges, too.
3. Changing or destroying someone else's data, i.e., property, will set you up for anything from vandalism to sabotage.
4. Guessing a password isn't authorization, any more than guessing a safe combination is. How about calling it attempted breaking and entering?
-- Slashdot: When Public Access TV Says "No"
Perhaps this is OT, but I couldn't help but notice this: (emphasis mine)
The searches began hours after The Washington Post reported that ForensicTec consultants used free software to identify vulnerable computers and then peruse hundreds of confidential files containing military procedures, e-mail, Social Security numbers and financial data, according to records maintained by the company.
This can't be good for Linux, and other free software projects. Granted, we could rant about how "free software" isn't necessarily the same free software that these folks used, but I think that we would do better to distance ourselves from the term "free software" - which conjures up images of pirated, illicit, or otherwise illegal software in the minds of the average user.
Given that the FBI now considers guilt-by-association probable cause, we should make the effort to use the term "open source" rather than "free software". I know there are ideological differences, but if we want to be accepted by the computing community at large, we need to appeal to them with terms that are unambiguous and easily understood.
The society for a thought-free internet welcomes you.
Violating the law in private is pretty stupid, too. And if you feel inclined to engage in a little civil disobedience because you're "mounting a case against an unfair law", put a good defense attorney on retainer and be prepared for jail time. Laws aren't struck down as unconstitutional all that often. Be prepared to wait out the appeals process.
Civil disobedience only makes sense when one is comfortable with the idea that if they are sentenced harshly, that too is a political statement of conviction and a path toward victory. I was raised a Quaker so I knew a lot of people that were willing to go to jail as political statement. No, it is not dumb unless you are not willing to accept the jail time for your actions. What makes civil disobedience work is that you ARE willing to go to jail for your beliefs. Stoicism is the key.
LedgerSMB: Open source Accounting/ERP
So, how do you know these guys didn't break into the computers for "bad" reasons? Publicly announcing a break in sounds like a good way to convince people that you didn't do anything naughty during the break in.
Good point, but how do YOU know that there were not other compromises on the same vulnerability? At this point, one would have to assume that the data was compromised whether or not it was compromised by the "security consultants." At the point where you have *any confirmed break-in,* you have to assume that the system has been compromised irreparably.
LedgerSMB: Open source Accounting/ERP
I always thought that the proper name of the medal was simply Medal of Honor (like the video game), not "Congressional" Medal of Honor (who else issues a Medal of Honor besides Congress?). However, I can't google a site to confirm this. Anyone know for sure either way?
If someone found a weakness in your system, and then spent hours looking through your old emails, Instant message chats, documents, financial spreadsheets, etc.
And then had a press conference saying how much of a dumbass you are. Would you consider it "free research"?
autopr0n is like, down and stuff.
So if I pick the lock on the front of your house and start rifling through your belongings without your permission, it's "ok" as long as there was no harm done in the process? Let's go one step further. Let's say my house is unlocked. Or that you "found" a key to my house. What F%^$@# right do you have to enter my house without my consent? YOU DON'T. You are going to get the police called on you and arrested. That's if you're lucky enough not to be shot by me in the process. "Curiosity is my only crime!" No, breaking and entering or unauthorized entry or trespassing is your crime. Oh, and that of being a dumbass.
You need a FREE iPod Nano
So, security through honesty? We just *shouldn't* spy on the government, so it doesn't matter whether they have protections against spying?
It is an interesting question, and does go well with the discussion a few days ago about governments requiring themselves to use open source software. The government has a responsibility (several, in fact) to us... shouldn't we be able to find out if they're keeping it? Or is it just going to be "Oooo, mustn't touch!" for us (while random-joe-terrorist is finding out the secret identities of the CIA guys monitoring their terrorist cell)?
Not that I think these guys did the "right thing," but I do think that maybe the government should be under public scrutiny.
Don't you wish your girlfriend was a geek like me?