Slashdot Mirror
Hack the Army, Brag About it, Get Raided
SunCrushr was one of many who submitted this. A security company called ForensicTec decided to explore the U.S. government's computer systems, with particular emphasis on the Army. They talked to the press and had their fifteen minutes of fame. And surprise surprise, they immediately got raided by the FBI. What did they expect?
even when what you are doing is reasonable!
The only good weather is bad weather.
... as to how long until they show up here
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
Federal law enforcement authorities searched the computers of a San Diego security firm that used the Internet to access government and military computers without authorization this summer, officials said yesterday.
:)
So it looks like those ForensicTec computers aren't secure enough
Comment removed based on user account deletion
ForensicTec officials said they stumbled upon the military networks about two months ago, while checking on network security for a private-sector client.
Someone new to a Dvorak probably tried to type in "lynx http://www.google.com" but instead got "nmap -v -p 1-1024 -sS -P0 army.mil -T paranoid".
Then they point out specific, make-people-lose-their-jobs flaws. The kind of thing congressmen would love to jump on in order to criticise incompetency. Do it on a widely-read medium. This pisses more people off.
Then make very clear how you did specific illegal acts, giving those you just pissed off a great and simple way to get back at you.
Why not just walk right into jail...? I mean, its like spitting in the face of a police officer who is holding a gun, insulting them, and then making a threatening move while simultaneously pulling out a joint and smoking it. You might as well hand them the rubber hose...
Why taunt someone and then give them an excuse to hurt you? To gain acclaim? Fame? Real hackers are not out to get publicity, but rather to expose vulnerabilities and try to fix them.
Whats this you say? You sympathise with the "security firm?" well, take this quote into account: I dunno about you, but that would be my definition of script kiddie. Especially someone who then brags about it for publicity.
Well they gotta make a point. If the government can monitor our phone calls, internet emails, conversations, etc. then why can't we spy on the government to? Or does the governemnt thinks that its better than us and that it got more rights than us?
I say enough is enough and its time for a change.
The story clearly stated that these people are newbs in the security field. Not someone I want protecting the security of computers belonging to the armed forces.
Additionally, they went about this the wrong way. The right way would have been to contact a responsible party and professionally report the issues they found, not grab a bunch of stuff and call a news team. I know that based on their actions, I wouldn't hire them.
That's just me. I choose to work with professionals.
It's like discovering that there's a loose brick in the wall between the boys' locker room and the girls' shower room at school: getting an eyeful before reporting is still wrong.
No kidding... What kind of fucknut would report the loose brick?
5: ????
6: profit!
I placed an unpatched Windows machine on the internet with no firewall protection whatsoever and shared the Inetpub directory. I wanted to know, how long it'll take before someone decides to crack into my machine. Sure enough, it took only two days.
This test really made me realise that there are plenty of crackers and criminals out there that are waiting for a chance to get into your PC.
The point I want to make is that, I'm sure those army computers have been accessed by crackers plenty of times before.
Do you really think that these rather amateur (or so it seems) security consultants were the first to find these lapses in security? I highly doubt it. Perhaps it was beneficial that they were so public about it simply because it makes it a lot harder to ignore.
And regarding the IT being busy doing other things: If they can't secure the network then they should _GET_OFF_THE_BLOODY_INTERNET_. I'm 100% serious. There are countless government computers and networks that are theoretically publicly accessible with absolutely no justifiable reason but that it was easier for the IT department.
Rent-a-cop company raided after beating up govenment officials
San Diego, CA
Officials at SecureTech expressed surprise over an early morning FBI raid. For the past few months, SecureTech had been waylaying public officials and beating them to a pulp. The raid came just hours after a Washington Post article mentioning the beatings.
Brent Clueless, SecureTech spokesperson, decried the search. "A few months ago, while installing video cameras in a local mini-mall, we realized that some government officials had woefully inadequate security. Some of them drove the same route home every day, and a few of them even left their front doors unlocked at night. By sneaking in and severely beating in their own houses, we hoped to draw attention to this problem and maybe gain some positive publicity for our security firm."
"We only continued the break-ins and beatings because we were surprised that it was so easy, and we were curious about just how much truly malicious people would be able to get away with, " Clueless continued.
Cheers
-b
So, you wouldn't mind if I did a little security research on your home while you're away at work -- or, better yet, in the middle of the night when you *are* at home?
I mean, I wouldn't actually steal anything. Just rifle the place a bit, see what you've got, that sort of thing. Then, I might call the press and see if they're interested in doing a story about the level of security at [insert your address here].
I'm sure you'd appreciate the free research, right?
Cheers
-b
An unlocked door does NOT imply a "big honking sign that says 'enter'". If you walk in my house uninvited, whether I leave the door wide-ass open or not, you are still risking my blowing your head off.
Sometimes it's best to just let stupid people be stupid.
If they broke into the base, photocopied some records, and bragged about it noone would have even thought twice about their arrest. But now that it is electronic it is of some sort of interest to Slashdot? Very sad.
Look if you want the virtual world to be treated like the real world (privacy, source code = speech, etc) then you have to accept it works both ways. Breaking in electronically is the same as physically. It doesn't matter how "weak" the security is. Just because I can throw a brick through a window and rob a store, doesn't mean it is somehow the store's fault for having windows.
And sure I am concerned about military security. And it is disturbing someone could hack into it. But that doesn't give ForensicTec the right to go hacking it. I'm worried about airline security but I can't take it upon myself to see if I can get a gun through security.
Brian Ellenberger
You're right. It's not like breaking into someone's house, stealing their stuff, then telling them they need a new lock.
It *is* like breaking into someone's house, going through their papers and files, then telling the local newspaper that this particular house has a crappy lock that's easy to break into.
Can you justify that?
As for whether "every" group that hates the US has already broken into Army computers, I wouldn't speculate on that. I would say, though, that these folks sure helped anyone who hasn't done so already pick an easy target. How patriotic, eh?
Yes, it could have been worse. However, what they did was 1) illegal (isn't everything these days?), 2) stupid, and 3) amateur. You can almost always get away with one out of those three. Often with two out of the three. Go for three out of three, though, and you're going to see some trouble.
-b
Why even use the real world analogy? How many of us wouldn't be pissed if we got an e-mail saying, "Hi, I cracked your security and got into your computer via --some exploit--. You might want to patch that. Also, some of your financial records are inaccurate, and the girl in 'sylvia_saint_fucking_and_sucking.avi' in the 'C:\Private\GodIHopeMyWifeDoesn'tSeeThis' directory isn't Sylvia Saint, but actually a lesser known porn star. Nice collection, BTW."
I'd want the guy prosecuted for breaking into my personal property and I believe that a lot of you would, too. Why do we expect a lenient, "please, invade our property some more, sir" attitude from anyone else?
Well they gotta make a point. If the government can monitor our phone calls, internet emails, conversations, etc. then why can't we spy on the government to? Or does the governemnt thinks that its better than us and that it got more rights than us?
The government is us. When you or I deal with the will of the people, we are not forced to do so by the whim of the crowd, but by the powers elected and appointed to speak for and act in the interests of the people.
The government, as a nebulous nonpersonal entity, is a slave to every one of its citizens, and exists for no other purpose than for the well being of those it serves.
The problem, of course, arises in that "the government" may be an inpersonal slave, but the people who run the government are very personal, flawed, human beings. It is these people who are put in power that are watched--and they're watched by other people in power who got put there different ways and across different levels, until we get back to the elected representatives and the voters en masse.
If you take away the government's unique right to spy & investigate with legal warrant, documentation, and accountability, (see: the FBI getting smacked for lying to judges), then you're left with either an illicit society of secrets ("If no one can see me do it, then I can get away with it") or a distopian society of eternal spying.
I would rather have some suit who's salary is paid for by my taxes spying on me than some random looney off the street.
Oh--and you (assuming that you're an American citizen) CAN spy on the government. You just need to do it with a time delay. Ever hear of FOIL? The fourth branch of government? The @#$ing drudge report? (slashdot?)
Somebody at Fort Hood and elsewhere should be cooling their heels in a stockade.
Classified documents are NOT supposed to be on machines exposed to the Internet- PERIOD. Machines of that nature are not considered to be at a trust level sufficient for those sorts of things. Forget the security of the machines; the security of classified documents is supposed to be much higher than this appears to have been handled.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
If they had reported this to the army it would have never been made public, and they might have been arrested anyway. The only thing I think they should have done differently is get a Senator involved before going to the media, it would have given them some cover. Seriously though they should be given a congressional metal of honor for bravery for informing us of the lax security.
I used to live near a couple military bases so I know it's not exactly geniouses running the place. But they are a very organized bunch and I would have expected a policy on passwords, and that in that culture it should be easy to enforce. Password crackers shouldn't work on the military. Someone who leaves a password of "password" or "administrator" on a computer should be dishonorably discharged at the very least. If any of those machines exposed sensitive data they should get at least a few years on a slab of concrete in Cuba.
The dirty little secret of the military is that sensitive information is a lot more important than classified stuff. Engineering data that was classified in 1950, that made it into every textbook by 1960, is still locked in a safe at night because it's too much work to declassify anything. The day to day functioning of the military tells any enemy everything they might care about and that never gets classified.
Hey even the top secret nuclear stuff doesn' really matter since the information to build a nuke was long ago published, and the high tech stuff the US and Russia have isn't of interest to anyone. It's already expensive to build a nuke that takes out Manhattan, building one that takes out the Jersey City in the same hit is just a waste of money. But what kind of gas masks are being packed for the attack on Iraq, well that could be useful.
Loser.
Derek
The bitch to bureaucracies and incompetence is that that a successful bureaucrat covers it up. And often anybody who would make the appropriate whistle-blower is ass-deep in alligators already with all the other crap that's on their plate because their IT budget can't handle proper staffing.
So... sure. Maybe someone does need to make something happen. They need to point a finger. They need to embarrass the bureaucrats in to fixing what is broke. Maybe this kind of act is the Right Thing.
So how does one pull this off? Make the run, collect evidence, find a reputable journalist (No... really) you can trust, and then anonymously dump the evidence in to their laps. Maybe drop it in to a couple journalists' laps just to make sure the story doesn't turtle at that point. When the story hits the papers, nod quietly at your civic duty done and hope that nobody can ever trace it back to you.
You do NOT use this as a vehicle for self-promotion.
The point here is that the company made the army security specialists look like idiots to their superiors.
In all probability, they would've prefered to stay vulnerable if it meant saving face.
Typical tactic. When you expose their piss-poor security, they scramble for cover and instead of acknowledging that they don't know security from a hole in the ground, immediately accuse the people who exposed their incompetence.
"Nothing strengthens authority so much as silence." - Charles de Gaulle
"If they broke into the base, photocopied some records, and bragged about it noone would have even thought twice about their arrest."
Putting a file on a computer directly on the Internet is a far cry from putting a file in a locked file cabinet in a locked office in a secured building on a military base whose gates are protected by armed military personnel.
It much more like putting a file in a locked file cabinet in a public park.
-- Terry
Although I suspect that we are on opposite sides of this issue, I do think that your analogy is mostly correct. But you need to add the fact that you sat down at several of the desks, opened the files, and read them for a few hours. Loan agreements, account records, etc.
Prosecution is completely appropriate. Let's not forget that the "seriousness" of the actual offense should be reflected in the sentence, eg. a fine and a few weeks in jail rather than years in the slammer.
Evil is the money of root.