Comcast Briefly Loses Control of Its Domain Name
Fallen Andy notes that Comcast, one of the largest US ISPs, lost control of its domain name to what appeared to be juvenile social engineers of the old school — i.e. not in it for the money. The intruders got into Comcast's registrar account at Network Solutions and repointed the domain's DNS records. A blog entry at SANS points out how trivially easy this can be. Reader ElvenKnight points out an insightful interview up at Wired with the two young guys who perpetrated the hack.
How much do you bet the feds will come down hard on the kids and charge them with felony, cyber-"terrorism" or some other preposterous computer crime? I used to do harmless hacks for fun in years past, but these days it's not really wise.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Other websites that I know of have had this happen in the past, and the common trend seems to be that Network Solutions has been their domain registrar. The largest site in recent memory that this occurred to other than Comcast was SomethingAwful.
Perhaps it's a sign of a more underlying flaw in Network Solutions' security?
Wanna know why? Because they called Comcast and could get in touch with a HUMAN!
Now *THAT'S* hacking.
Imagine what would happen if one central host were to host widely used AJAX libraries to help with caching and that host got its DNS mangled.
It wasn't even that Comcast's domain expired. The pair involved in this managed to gain access to Comcast's Network Solutions control panel and had full authoritative control over the domains.
Apparently, according to the linked articles, they pulled it off twice, too. This wasn't a case of "oh sweet, that's not registered anymore, yoink", it was a case of actual wresting of control.
The question is if the weakness in security lies with Comcast (i.e. a weak password for the panel) or Network Solutions (i.e. weakness in their portal, weak transmission of passwords, etc).
It was the Slowskys.
One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
FTFA: "A brute force password attack is one possibility"
Right.... it was probably 1234 (same as most slashdotters' luggage)
Beauty is in the eye of the beerholder.
Recent memory, my eye. This same thing happened to my old zine in 1999, and the trick was already old hat back then. We even published a how-to article about it, since our specialty was old tricks everyone already thought were lame.
The best part: Network Solutions were of absolutely no help to us in getting our own domain back from the hijackers, so we ended up having to use the same trick to just steal it back again. Three times.
Slashdot Burying Stories About Slashdot Media Owned
My blog
Not commenting on the hack, but the fact that a human being actually set up a tricorder in his (or his parents') bathroom to take a picture of himself using a bong, and then posted it on myspace.....
Monstar L
They shouldn't have just broken it. I would have pointed it toward a server that disrupted 5% of connections at random, rising 1% each day. Would have been more fun to see how long it took them to notice...
-1 not first post
Comcast.net was acting weird all day yesterday. First the portal page was changed into a search-only page, which required a login to access all portal features. Then some features weren't working properly.
Need an automatic screenshot taker? Try here.
If Comcast has any sense they will try to hire the guys rather than drag them through the courts. We need people like this looking for and fixing flaws rather than exploiting them.
I read the article. I'm just pointing out a couple of the lessons for the next person who does this (or anything like this).
I don't give a shit about corporations, but I do give a shit about people getting caught up in the injustice system just because they fucked around with a corporation.
I wank in the shower.
Taking it may have been easy, but the shocker is that Network Solutions + Comcast don't have any kind of response time... 5 hours of someone else controlling a whole swath of high-traffic names sounds like a breach of contract to me. Shouldn't Network Solutions have re-aimed those back to the default values within seconds? There's nothing that they're using to keep track of huge changes like that? Weird... that's what I would do if I were running a domain registrar.
stuff |
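The change tracking the comment above asks about, as an added example that is not part of any comment in this thread: it compares an observed delegation snapshot against a stored baseline and treats a wholesale nameserver swap or a changed registrar contact as critical. The `Snapshot` fields, the `approved_change` flag and all sample names and addresses are constructed assumptions.

```python
# Added example: detect a hijack-style change in a domain's delegation.
# All names, addresses and the change-ticket flag are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Snapshot:
    nameservers: frozenset   # NS hostnames, as seen at the parent zone
    addresses: frozenset     # A records for the apex
    admin_email: str         # registrar contact on file

def normalize(names):
    """Lower-case and strip the trailing dot so equal names compare equal."""
    return frozenset(n.strip().lower().rstrip(".") for n in names)

def diff_snapshot(baseline, observed, approved_change=False):
    """Return a list of (severity, message) findings for one domain."""
    findings = []
    base_ns, obs_ns = normalize(baseline.nameservers), normalize(observed.nameservers)
    if obs_ns != base_ns:
        kept = base_ns & obs_ns
        # No overlap means the whole delegation moved at once: the pattern
        # a registrar-account takeover produces.
        sev = "critical" if not kept else "warning"
        findings.append((sev, f"NS changed: -{sorted(base_ns - obs_ns)} +{sorted(obs_ns - base_ns)}"))
    if observed.addresses != baseline.addresses:
        findings.append(("warning", f"A records changed: {sorted(observed.addresses)}"))
    if observed.admin_email.lower() != baseline.admin_email.lower():
        findings.append(("critical", f"registrar contact changed to {observed.admin_email}"))
    if approved_change:
        # A matching change ticket downgrades everything to informational.
        findings = [("info", msg) for _, msg in findings]
    return findings

def worst(findings):
    order = {"info": 0, "warning": 1, "critical": 2}
    return max((s for s, _ in findings), key=order.get, default="ok")

# Constructed sample data (RFC 2606 / RFC 5737 reserved names and addresses).
BASELINE = Snapshot(frozenset({"ns1.example.net.", "NS2.example.net"}),
                    frozenset({"192.0.2.10"}), "hostmaster@example.com")
SAME = Snapshot(frozenset({"ns1.example.net", "ns2.example.net."}),
                frozenset({"192.0.2.10"}), "Hostmaster@example.com")
REPOINTED = Snapshot(frozenset({"ns1.example.org", "ns2.example.org"}),
                     frozenset({"198.51.100.7"}), "hostmaster@example.com")

if __name__ == "__main__":
    for label, snap in (("same", SAME), ("repointed", REPOINTED)):
        print(label, worst(diff_snapshot(BASELINE, snap)))
```

The snapshots would come from whatever periodically records the parent-zone NS set and registrar contact; comparing from a vantage point outside the monitored domain keeps the check independent of the records being watched.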
If it were up to me, they'd get a few years of deferred-adjudication probation, but as a condition of probation:
1) They would spend at least 30 days in jail
2) They would have at least a year where all their network computer and phone activity other than voice would be monitored. If necessary, this would include monitoring their computer if their computer used SSL to connect to web sites, which it almost certainly would.
3) Every month for at least a year, they would have to read several white-papers on how much computer crime is costing companies and individuals, either directly or in preventative or other indirect costs, and write a summary of what they read. I'd make them write it longhand, with pen and paper. I'd grade it like an English assignment and make them correct it.
4) They would finish their high school diploma and either enroll in college, a job-training program, or something similar.
5) They would have to distance themselves from the underground/illegal-cracking community for the duration of their probation.
The deferred adjudication is so they have a chance to get a fresh start if they keep their nose clean for a few years.
By the way, if they were minors I'd give them a similar sentence only with shorter time frames.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
You have to give them some credit though. Despite the truth in what you've said, if there was indeed a social engineering aspect to this, it doesn't just take anyone to be able to pull off such a task.
I know I probably couldn't or at least wouldn't want to, simply because of my personality and hatred for talking on the phone.
From a technical perspective though, you're probably right. They're likely just script kiddies who at most can add 2 + 2 together.
Couldn't have happened to a nicer company. Fuck you Comcast for killing my TechTV. I am glad this happened, good to get some egg on their face.
Technically they didn't break into Comcast, they broke into Network Solutions. They're the weak link. I like to bash Comcast as much as the next, but it was a breakdown in security at Network Solutions that allowed them to get into Comcast's registrar and repoint their URLs.
If you've never been modded as "flamebait" or "troll," you've never tried to argue a minority viewpoint here!
There is only one option that could keep these guys from jail time. They are likely the only people who know about their so-called hack method. If they don't publish it, they can enter a plea bargain to turn over their method (likely in addition to some money) in an attempt to stay out of jail.
They're definitely going to face some kind of consequences since they didn't do a very good job of concealing their identity, which I'm surprised about considering they call themselves hackers and attempt to conceal their location.
Did you read TFA? There is no l33t speak at all. They sounded like two typical teenagers. Quit spreading lies.
I don't give a shit about corporations, but I do give a shit about people getting caught up in the injustice system just because they fucked around with a corporation.
What about all the customers who got screwed? No access to email etc, the hassle of sitting on the phone with tech support trying to figure out why nothing works. Comcast didn't lose much but a huge number of people were quite seriously inconvenienced, all for no good reason.
---- One button is the power button, the other is the Bender voice button "Bite My Shiny Metal Ass"
Actually, what you describe (violent act intending to cause intimidation) is not necessarily terrorism. It could be the legitimate use of force, the result of an armed robbery, or a simple assault.
This is why I developed:
Ubuwalker's 6 pronged guide to determining if a person or entity is a terrorist:
1) Did they intend to cause mass terror? [This is an objective test; just because something is scary, doesn't make it terrorism.]
2) Did they use violence or threat of violence? [This rules out non-violent protesters, but includes activities related to violence, like arson]
3) Did they deliberately (and routinely) target non-combatant civilians? [Actions that target military personnel aren't terrorism. An entity which is involved in isolated and infrequent acts which meet criteria 1-6 are more characteristic of war crimes, rather than terrorism, as they might be revenge attacks or guerrilla attacks of opportunity, or of splinter cells, or accidental engagements of civilian targets, or engagements of legitimate military targets where civilian combatants are killed, and thus would not be indicative of a systematic policy of engaging in terrorism]
4) Are they a non-governmental organization? [otherwise the action is a war-crime or crime against humanity or piracy or the actor is a State Sponsor of Terrorism]
5) Did they have a political goal? [This rules out ordinary criminals and vandals and street thugs and normal military action]
6) Do they disguise themselves or pretend that they are ordinary civilians? [This goes to the fundamentally unlawful nature of terrorism, by not acting under the color of the laws of war or international law, and thereby putting civilians at risk of attack or collateral damage]
If you don't meet all of these criteria, or find yourself arguing that a group doesn't meet a prong, then you might be dealing with something other than terrorism. Like Piracy (missing prong 5), ordinary military action (lacking 3 and 4 and 6), covert government operations (lacking 4), war crimes (lacking 4), paramilitary/freedom fighters/insurgents (lacking 1, 3).
A State Sponsor of Terrorism provides support to non-governmental entities engaged in terrorist activities. It is fair to say that a leader who supports terrorism is himself a terrorist, sort of like how it's fair to say an accessory to murder is a murderer. However, deliberately targeting civilians/ethnic cleansing/genocide is a war crime, and calling war criminals terrorists just confuses the issue.
Hackers and script kiddies are just ordinary criminals. If Al Qaeda launched a cyber attack to knock out a hospital's computer infrastructure, that would be terrorism.
> "Nobody was listening in on the ports to try and get usernames and password," says Defiant. "We could have, but we didn't." (On this point, Comcast and the hackers agree).
These guys are either total idiots for getting themselves in a lot of trouble with no gain for themselves or they are lying. Comcast, on the other hand, clearly has no way of knowing if customer information was compromised. They're relying on the word of two criminals who clearly don't like the company. Comcast's agreement in the statement above is irresponsible and negligent. The very least they can do is advise all customers to reset their passwords immediately. If it comes to light that personal information was stolen as a result of this attack, and Comcast customers (or others with whom Comcast customers communicate) can demonstrate financial loss*, I think Comcast should be held partially financially responsible due to their irresponsible response to this event.
* Yes, clearly that would likewise be near impossible to demonstrate, but if these guys /really/ want to screw Comcast, they should change their story later on to help victims of identity theft prove Comcast's culpability.
They can use the injustice system and sue the bastards perhaps?
Or maybe they can accept that email is not an instant communication tool, that sometimes it does take hours for an email to go around the world (if it ever gets there).
It happened in the middle of the night right? How many people were affected?
Not only that, if I have to mourn the customers every time a corporation got hurt, I wouldn't go out smashing windows, or whatever. The "what about the customers" argument is as flawed as the "what about the workers" argument that is used against people who damage property.
I wank in the shower.
Best advice? Don't use your own computer to do the hacking from.
Has the author ever heard of any of the dozen password management tools? I use Password Safe to store my passwords. This way I can log into my registrar account without actively remembering the password. If I need to see the password, though, Password Safe lets me edit the entry and see the password. Considering that Password Safe is free (as are many of the other programs), it seems to be a no brainer. If you are having that much trouble remembering your registrar password then install a password management program and save yourself the hassle of requesting the password each time you go to your registrar's website.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
This has happened before. Anyone remember the story about sex.com?
I'm not insane! My mother had me tested.
Best advice? Don't use your own computer to do the hacking from.
But they won't let me take a bong into the library.
to police my traffic!
Don't want to harbour, I'd just rather have people with the ability to do this on our side rather than hacking maliciously. I do think they should be punished, but putting them to use afterwards doesn't seem like a reward; they still have suffered in jail (or at least most likely jail).
paranoia.com
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
See here for an explanation on how it was likely done. Basically, they were using email authorization and all it takes is a bogus return address. Technically a Network Solutions issue, but Comcast does deserve some of the blame for using a weak authorization method for their domain.
Nobody expects the British Columbia Human Rights Tribunal.