Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hacking the Governator

Posted by ryuzaki0 on from the call-that-a-hack? dept.

mytrip writes, "The Democratic rival to California Gov. Arnold Schwarzenegger acknowledged that his aides were responsible for obtaining a controversial audio file, in which the Governator was heard disparaging members of other races, in a move that has led to allegations of Web site hacking. A source close to Angelides told CNET News.com that it was possible to 'chop' off the Web links and visit the higher-level 'http://speeches.gov.ca.gov/dir/' directory, which had the controversial audio recording publicly viewable. No password was needed, the source said." And jchernia notes, "As an aside, the California Highway Patrol is running the investigation — maybe the Internet is a truck after all."

21 of 382 comments (clear)

  1. If that's hacking by Anonymous Coward · · Score: 5, Funny

    then my grandma is a copyright violator. Oh, wait ...

  2. Wow, they must be really good... by Anonymous Coward · · Score: 5, Funny

    Chopping off URLs.... oh my, these h4x0rz are scary as shit! Hide your megabytes, kids!

  3. Deep linking, move alone by kherr · · Score: 4, Insightful

    Gee, content freely accessible via URLs on the WWW? What a novel concept.

    This is simply a matter of deep linking. Just because there's no page with a link to a URL doesn't magically make the accessible URL off-limits. Security through obscurity isn't. If the governator didn't want people to get it they shouldn't have posted it on their web site. Or at least put some form of authentication on it.

    1. Re:Deep linking, move alone by TWX · · Score: 4, Insightful

      I'd counter with the RFC for HTTP. The protocol is designed to provide content located in a designated directory structure on the file system. Anything located in that file structure that isn't specifically covered with a password is supposed to be available to any browser. And as for someone saying that it wasn't provided in an index or referrer page, I'd compare it to large college textbooks or anthologies that don't have every single entry itemized in a table of contents or index, and how published content (which I believe the Web has been acknowledged as) would compare.

      Fact of the matter is that this audio clip was put in a place that was easily found and was obviously placed there intentionally. If it wasn't there intentionally, the webmaster is responsible through negligence, not the opponent's campaign.

      Oh, there's also the little matter of it being posted on the government's web site, which is supposed to belong to every resident of California...

      --
      Do not look into laser with remaining eye.
    2. Re:Deep linking, move alone by cpuffer_hammer · · Score: 4, Insightful

      I would say that the individual sent a request for a copy of the recoding to the governors office. The office was foolish and send a copy of the speech to the requestor. Sounds to my like a staff training problem. Staff member will have to go for reeducation, and be reprogrammed.

  4. Not "Hacking" by MarkusQ · · Score: 5, Insightful

    I'm sorry, this is not "Hacking," it's the way the web works. They sent the web server a URL, requesting a document, and the web server gave it to them. They didn't do anything nefarious, underhanded, or tricky. The didn't claim to be anybody they weren't, there was no phishing or pretexting or anything like that involved.

    Imagine they had called the governor's office and said "Hi, got anything incriminating about the guv on file?" and when told "Sure, would you like a copy?" they said "Yes please!" What would people think then? It's the same darned situation here.

    --MarkusQ

    1. Re:Not "Hacking" by MarkusQ · · Score: 5, Insightful
      I'm sorry, this is not "Hacking," it's the way the web works. They sent the web server a URL, requesting a document, and the web server gave it to them. They didn't do anything nefarious, underhanded, or tricky. The didn't claim to be anybody they weren't, there was no phishing or pretexting or anything like that involved.
      I don't know how you can be so supportive of this activity as it's a dangerous and unclear line to take. Exactly what separates this from an SQL injection attack or spoofing a session ID within a URL? Afterall, you're just sending the webserver a URL/packets, how it responds is their problem, right? I don't think so. It's not like they were just choosing URLs at random. Even if the accused did the most basic form of this attack (i.e. server directory listings), they were still intentionally using URLs designed to trick the server into giving them access to material they knew they weren't authorized to access.

      The difference, as I stated, is that they were using the system the way it was designed to work. The whole reason browsers have address bars is so that you can type in URLs. The reason web servers respond with a list of the files in a directory is so that users can type in a partial URL and get a comprehensible list of alternatives to choose from.

      Spoofing, SQL injection, etc. involve using things in ways that they were never intended to be used, breaking them in order to get access to something that the system was designed to prevent access to. It is the exact opposite of what happened here.

      And as for your final point, how are they supposed to know that they aren't supposed to have access to something, when it is made available to them using the basic public interface as it was designed to be used, and none of the dozen or so ways to prevent them from gaining access were used? That seems to me to be a much more dangerous precedent, since you could retroactively criminalize almost any use of a web site by saying "Well, you should have known that you weren't supposed to look at that page!" and suddenly you've made somebody into a cyberterrorist by fiat.

      --MarkusQ

  5. Disparaging members of other races? Hardly by dgerman · · Score: 4, Informative

    Disparaging? hardly. This is just a sensationalist way to report the news. Here is the actual comment (from the Washington Post http://www.washingtonpost.com/wp-dyn/content/artic le/2006/09/08/AR2006090800599.html):

      "I mean Cuban, Puerto Rican, they are all very hot," the governor says on the recording. "They have the, you know, part of the black blood in them and part of the Latino blood in them that together makes it."

    the article continues...

    'Garcia, who is Puerto Rican and the only Latina Republican in the assembly, appeared with Schwarzenegger yesterday and said she was not offended by the governor's comments. Garcia earlier told the Times that she refers to herself a "hot-blooded Latina."

    "I love the governor because he is a straight talker just like I am," she said.'

    1. Re:Disparaging members of other races? Hardly by groman · · Score: 4, Insightful

      Disparaging or not, and Arnold may or may not be racist, it still attributes personality traits based on racial ethnicity. That's racism by definition. It doesn't matter whether or not said traits are good or bad - its still racism.


      Umm, no it's not, at least about as much as targetting Cosmo towards women is sexism. Racism requires either preferential treatment, prejudice or implicit or explicit claim of superiority. Simply attributing a neutral personality trait to a broad ethnic or cultural group and using historical ethnic or cultural heritage as supporting evidence is NOT racist. It's a broad generalization, maybe, but it implies no claim to superiority nor attempt to disparage.

    2. Re:Disparaging members of other races? Hardly by dangitman · · Score: 4, Funny
      "They have the, you know, part of the black blood in them and part of the Latino blood in them that together makes it."

      Actually, Arnie is being racist. His comment implies that those who don't have the "black blood" and the "Latino blood" don't "make it." Whatever the hell that means.

      --
      ... and then they built the supercollider.
  6. Wasn't this a crime in the UK? by ptbarnett · · Score: 4, Interesting
    I vaguely remember someone in the UK that was convicted of the computer equivalent of trespass for doing something like this: manually removing the trailing elements in a URL.

    1. Re:Wasn't this a crime in the UK? by MichaelSmith · · Score: 4, Informative
      I vaguely remember someone in the UK that was convicted of the computer equivalent of trespass for doing something like this: manually removing the trailing elements in a URL.

      When the GST (tax) was launched here in 2000 the tax department had a web site where you could query something about your tax and the cgi script it used had an argument like ?tfn=nnnnnnn where the n's are your tax file number (9 digits).

      So this guy tried a couple of combinations, got the details of others, and took it to the tax people with advice to change their security arrangements.

      So they did, by locking him up.

      --
      http://michaelsmith.id.au
  7. CHP by matt2413 · · Score: 5, Informative

    The CHP merged with the California State Police in 1995. They are the law enforcement authority on CA state property.

    http://www.chp.ca.gov/html/history.html

    --
    Matt
  8. all caught up now by Anonymous Coward · · Score: 4, Funny

    So, someone didn't hack a web site, and someone didn't make racists comments. Right then, all caught up on the news.

  9. Re:gross generalizations by Grym · · Score: 4, Insightful

    That said, it's not a question of whether the adjectives used are 'complimentary' or not, but rather the generalization across an entire race that offends (some) people. They feel that racial generalizations (aka stereotypes) are unhelpful and inaccurate, and have a major history of abuse.

    So what? This was an off-hand remark made in private. Have we come to the point where every word one says must be parsed and examined for any trace of anything that might offend the most hypersensative among us lest he or she be branded a racist?

    -Grym

  10. Ok but pretending all races are the same is stupid by Sycraft-fu · · Score: 5, Insightful

    Seriously, if not being racist means pretending like there are no racial division, then everyone is a racist and you make the term meaningless. Clearly different races are different physically, if nothing else. That's why the whole concept exists in the first place. If we all looked the same, there'd be no concept of race like there is today.

    Well, something else we know is that humans like to use generalities. We like to generalize traits, trends, whatever. Helps us deal with understanding overall patterns in data. Thus it should be no surprise that traits get generalized to races. Happens to other things too, you can see all the traits that get generalized to geeks (like not having girlfriends) here on Slashdot.

    So if you are going to get all bent every time someone makes a race related observation, ask yourself why. Is it because you think they are a bad person, with a malfunctioning brain? Or maybe is it because you yourself find that you generalize based on things like race, but don't want to admit or verbalize it?

    Look the answer to racial division in this country isn't to hide it, to try and pretend like we are all the same and make it taboo to talk about. The answer is to talk about it, to laugh about it, and to understand and accept it. We are all different, physically, mentally, socially, etc. We need to celebrate our differences and understand that they aren't a reason to hate. Trying to hide away from them and make them taboo won't do any good.

  11. Re:gross generalizations by crashcodesdotcom · · Score: 5, Insightful

    Generalizations or stereo-types exist for a reason. If I look at an electric range and one of the burners is red, I am going to try to avoid touching it. It is possible however that the burners are simply painted or dyed red and not currently dangerous. Now when I get closer to the range and I'm able to tell no heat is being emmitted and it's not really glowing, I probably wont be as cautious. Generalizations and stereo-types are useful in filling in some gaps of unknown information until better data is availabe; but ultimately should be treated as unreliable. People shouldn't take serious action just based on a stereo-type. Forget offensive. That's just dumb.

    Taking offense at someone voicing or defining their own stereo-type. Bah! Sounds kinda silly to me. How bout I get really pissed the next time someone offers me sunblock? "OMG, they assume because I have white skin that I'm prone to sunburns! How dare them!" Hehe, yeah that would be pretty silly.

    So, I think I get what your saying about history of abuse and all; but it's the abusers that should be punished not the concept of stereo-types.

    My two cents.

  12. Try the real version by Quiet_Desperation · · Score: 4, Insightful

    1. Republican (barely) makes SLIGHTLY off color remark that bothers no one, especially the woman the remark was about, who thought it was funny.

    2. L. A. Times prints the story from an "anonymous" source without bothering to do any verification.

    3. Despite no one with a functioning brain thinking the comment was anything to even care about, extensive media coverage is given to the blubbering hand wringing and panty soiling histrionics of various key Democrats, including Arnold's opponent, who act as if he was caught eating babies on video.

    4. It is revealed that the file was taken from a computer by members of the Phil Angelides staff, possibly illegally, and that the L. A. Times probably knew more about the source than they originally let on, suggesting political dirty tricks collusion.

    5. Not one mainstream reporter asks the Phil Angelides campaign what happpened to their pledge of "sticking to the issues".

    The leftists on Slashdot and elsewhere torture logic to the point that the UN considers issuing a stern finger wagging.

  13. The Governor's sharing audio files? by Panaqqa · · Score: 5, Funny

    Shouldn't the RIAA be suing over this?

  14. Re:gross generalizations by Sylver+Dragon · · Score: 4, Informative

    You do realize that he is up for re-election in November, and that his major opponent is none other than the person who passed the information on to the LA Times? And that the LA Times went on to quote Phil Angeledies as being very outraged, in the same article that they broke the story. Those of us in California, with more than half a brain (which does eliminate a large portion of the state's population), realized it for what it was: election year mud-slinging. The LA Times is generally expected to be a left slanted newspaper, and they do what they can to attack Schwarzenegger at any possible time. So, running a story, on the front page, about an off-color comment, made in a closed door meeting, (which didn't even offend the person who was being talked about. She actually took it as a point of pride, being called "hot blooded.") is absolutly no suprise.

    --
    Necessity is the mother of invention.
    Laziness is the father.
  15. You'd be surprised by Moraelin · · Score: 4, Interesting

    I've seen big corporation programming consultants for which changing a URL was an unheard of concept, so I'm less surprised that a layperson considers it elite hacking.

    Seriously. Being as generic as I can for NDA reasons, let's just say that the corporation I work for paid good bucks to a BIG corporation's consultants to write a web application for them. Well, not even the whole app, but think more or less just the part where you register and set your data and preferences, with a bit of a hierarchy thrown in. (Some users could be, basically, managing others and giving or revoking rights to them.)

    The thing ended up years overdue, and needing a whole server farm just to support a modest number of users. (The joys of clueless Buzzword Driven Architecture at its finest, really.) They had to be started and shutdown in a given sequence too, as the modules on one machine depended on those on a second, which depended on those on a third, and so on. As a result, shutting down and restarting the whole system (e.g., for maintenance) took almost a whole day. But that's not the important part. The important part were the endless security issues, such as:

    1. yes, failure to account for URL editing. Rights were checked when generating the URLs on a page (e.g., which products, messages, whatever, you can click on), but not when actually accessing the linked page. So you could literally access any data in the database by just typing in its ID in one of those URLs.

    2. rights escalation. Did I mention editing URLs? The same went for the "change your password" page. You could just type in another user's id, change their password, and log in as that user. The "super-user" had id 0. 'Nuff said.

    3. wide open to cross-site scripting exploits. They hadn't figured out how to quote strings when displaying them on a web page. (Then when they "fixed" that, it encoded them twice and displayed them broken. So they disabled the fix again and tried to downplay the risks of anyone injecting JavaScript.)

    4. had obviously never heard of non-repudiation. (Security isn't just about who you let in, but also making reasonably sure who signed that contract or generally did what.) While in the old system a deleted user was just, basically, flagged as disabled, their clever system just deleted the user and his data. And because of foreign key constraints, it cascaded through the tables and erased any data connected to that user. Messages they posted or sent, contracts they signed, everything. Users could delete themselves too. (If anyone has trouble understanding why this is dangerous, think what you could do if your bank had something like that. Take a big loan, move the money somewhere else, delete your user.)

    And so on, and so forth.

    So, well, if "experts" hadn't heard of such elementary stuff, I can't be that surprised that the governor or a couple of journalists consider them advanced hacking.

    --
    A polar bear is a cartesian bear after a coordinate transform.