Reporters Threatened, Labeled Hackers For Finding Security Hole
colinneagle writes "Scripps News reporters discovered 170,000 records online of customers of Lifeline, a government program offering affordable phone service for low-income citizens, that contained everything needed for identity theft. Last year, the FCC 'tightened' the rules for the program by requiring Lifeline phone carriers to document applicants' eligibility, which led to collecting more sensitive information from citizens. A Scripps News investigative team claims it 'Googled' the phone companies TerraCom Inc. and YourTel America Inc. to discover all of the files. A Scripps reporter asked for an on-camera interview with the COO of TerraCom and YourTel after explaining the files were freely available online. That did not happen, but shortly thereafter the customer records disappeared from the internet. Then, the blame-the-messenger hacker accusations and mudslinging began. Although the Scripps reporters videotaped the process showing how they found the documents, attorney Jonathon Lee for both telecoms threatened the 'Scripps Hackers' with violating the Computer Fraud and Abuse Act (CFAA)."
That will teach you to use responsible disclosure.
In America, two business principles apply:
1. It is none of your business when shit hits the fan, and
2. It is never our fault.
goes unpunished.
Company Spokesman: Surely you don't think it's our fault.
Company Spokesman: Especially if it's going to cost us money.
Sheesh, evil *and* a jerk. -- Jade
Stephen Heymann and Carmen Ortiz to make sure these nefarious cyber criminals get what they deserve!
I honestly can't understand the point of shooting the messenger here. Is it entirely to try to convince their customers (who are likely not very tech savvy) that they have nothing to worry about? I can understand the letter they sent out blaming the reporters for that, but to actually sue them doesn't make sense. Do they actually believe they can spin this to the FCC as the reporters going all James Bond to access files that were reasonably secured? Or is this just a lawyer who is racking up more billable hours, and his clients are too stupid to realize what a waste it is? Is this actually a roomful of executives saying "FUCK THOSE GUYS! Send the lawyers after them! That'll learn the press to google us!"
I realize these companies have made some seriously bad decisions, and dumb decisions by committee are even worse, but this makes no sense.
Lee added that the Scripps Hackers eventually used Wget to find and download "the Companies' confidential files." (Wget was the same tool used by Facebook's Mark Zuckerberg in the film The Social Network to collect student photos from various Harvard University directories.) The rest of the letter pretty much blamed the "Scripps Hackers" for the cost of breach notifications, demanded Scripps hand over all evidence as well as the identity and intentions of the hackers, before warning that Scripps will be sued.
Folks, there was a big bad security breach. Now, *adjusts his massive belt buckle* we're investigating this like we would any other serious crime. And right now we're just trying to identify weapons used in this heinous attack. Now, we've discovered that the hackers were using a very vicious mechanism in this attack. In a murder, you might find a revolver used to put two bullets into the back of a poor old defenseless lady's skull in order to get all her coupons and a couple of Indian head pennies out of her purse. Or perhaps in a pedophile case, you'll find the "secret candy" that was used to lure the children into a white panel van with painted over windows.
... let's go down to Scripps and put all this computer business behind us. Okay?
*expels a long tortured sigh*
Well, I gotta say, in my thirty years on the force, I wish we were only dealing with something like that today, honest to God Almighty I really do. Instead this artifact was discovered at the scene of the crime. Now, I'm not asking you to understand that -- hell, I'd warn you against even openin' up your browser to the devil's toolbox. But let me, a trained law enforcement professional, take the time to explain the gruesome evidence just one HTTP request away from you and your chillun'. The page is black. Black as a moonless night sky when raptors swoop from the murky inky nothing to take your kids and livestock back up with them silently. On it is a bunch of white text that makes no sense to any God fearun' man on this here Earth. That's what they call a "man page" probably because it is the ultimate culmination of man's sin and lo and behold it displays a guide to exact torture on innocent web servers across this great and holy internet.
Even if you want to use this "man page" for WGET to learn how to use Satan's server scythe, you would have to read through almost twenty pages of incomprehensible technobabble like what that kraut over in Cali -- the one who took his wife's life -- spoke. And if you want to just see an example, it's not at the top! No, why, it's all the way down at the bottom. For this one, they don't even have examples. Just enough options to kill a man. Probably gave Steve Jobs cancer, they never proved all these options in these pages didn't. Buried in the mud of a thousand evils lie more evils.
And why, oh why are we even wasting taxpayer money on these Scripps Journos? Who needs a trial when the evidence is in the tools they used? Folks, I think it's time we WGET one last thing, I'll WGET a rope and you WGET your pitchforks and torches
My work here is dung.
Call 'em hackers enough time, and people will be distracted by their alleged malice to the point where they forget or don't even believe anymore that the files were literally just out there for anyone to see. It's like leaving a $100 bill on the sidewalk and waiting to see who turns it in at the lost and found so you can call 'em a thief to distract from your own leaving it lying around.
In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
the nerve of those... terrorists?
The management of First & Only Bank would like to let everyone know that all the money has been piled on the front lawn, and also that they're very upset that it has been disappearing.
So if you are a robber, please don't take the money. It's very rude.
The money has been placed on the front lawn to get it out of the way while the vault is being repaired.
...should be a course in Computer and Internet Obviousness (naughty words omitted to make it sound more official, fucking god dammit). And certified as passing this course should be a requirement to be a judge or lawyer in the US with a 6 month renewal term. Any lawyer not holding a certificate should be disbarred post haste and any judge should be removed from his/her seat post haste. Post haste. Haste.
You can dance if you want to.
You know, I think the cell phone company is being over the top and idiotic, however why did Scripps use wget to download all of that data? At some point you have to realize that showing someone that they left the filing cabinet open is a lot different than photocopying every freaking document in there and making off with it. Knowingly taking possession of that data means that they have to take care not to let it get out to other sources. How secure was that download? Where were the files stored? Who had access to those files? What was the journalistic purpose in pulling all of those files? Why not just take some screen shots, blur the important bits, and run the story that way? A complete data dump of the exposed information really seems like a bit much just to prove that there's a problem...
Or post a sign in the Boston office: "Fresh Meat."
I read this in the voice of Sheriff J.W. Pepper (see The Man with the Golden Gun and Live and Let Die)
My dog, he has no nose. How does he smell? Very bad!
It's deflection.
If they were "hacked" then the folks whose data was leaked blame the wily hackers. If they let it stand that the data was just freely available on the web, it's a liability to the telecoms involved; i.e. "it's not our fault, it's THOSE guys."
Solving Unix problems since 1989...
Is this a screenplay? CIS:Tennessee?
Faster! Faster! Faster would be better!
And here is me, with no mod points for the day.
threaten the attorney for the phone companies by telling them that a class action suit is on the way for having compromised such sensitive information
While the threats are over the top people need to get it right. They didn't just report a security hole, they EXPLOITED the hole after discovering it and downloaded the data, that is where they crossed the line. It is like the difference between pointing out to a bank that their bank vault was left unlocked and walking in and taking all the money and saying "look guys I can walk in and take everything because your door was open". One will get embarrassment from them, the other will invoke rage and you in handcuffs.
I suspect that it's a mixture of technical cluelessness and PR. The people who actually made the mistake that led to the records being exposed probably realize (now, I'm sure it was either an oversight or 'just temporary' at the time) that they fucked up; but they have little to gain by pointing that out.
People higher up the food chain probably have only the haziest distinction between 'something I didn't want happening' and 'something that you circumvented an access control to achieve' and, again, not much incentive to clarify the situation. "Getting hacked" isn't good; but it's a bad thing that just happens sometimes. "Being massively irresponsible" sounds like something that might incur liability.
Wow, I'm scared to fire up my console now. GUIs only from now on for me - I had no idea that I was invoking the devil with my black background and myriad switches and parameters passed!
Having been a "builder" from a very young age, I can identify with being considered "heathen" for being able to connect things that other people had no idea could work together (yet obviously could work together - for example I've used a decent amp and speakers with whatever source was playing since I left home, but using the AUX input with my NICAM video recorder was blasphemy to my parents - and connecting the computer (Amstrad CPC464) to the speakers must have been like summoning demons - because they put a stop to that quickly - and no, it wasn't loud either.)
This perception of me as "hacker" carried on through school and college. Despite me having more integrity than anyone else around me at the time, and an innate sense of "right" and "wrong" and natural justice, I found myself distrusted because people couldn't understand how I did the things I did with so little (and such a crap background. Computer books were NOT on any shopping lists. I had the CPC464 manual, and POKE.)
This tagline was transcoded to result in at least one smirk. If you experience failure to smirk, please consult your Gen
First they came for Weev. ...
Then they came for the reporters.
When information is power, privacy is freedom.
Usually reporters tell stories of "hackers" finding such things and we wonder whether the reporters understand how "non-hacking" the activity really was. Well in this case it's abundantly clear to them since it was they who discovered the data in plain sight. No question the reporters see the absurdity of the "hacker" label in this case.
First of all, both these companies' web sites are identical. Second of all, they look like some 14 year old put them together.
Look, this is just some sweatshop lawyer who wrote a $200 threatening letter. The threat has no value, and should be ignored.
If you want news from today, you have to come back tomorrow.
In my opinion, attorney Jonathon Lee is a fucking asshole.
What an asshole.
Funny how being a progressive somehow seems to translate into laughing at the suffering and misery of hundreds of thousands of people who don't think exactly the same as you. It's almost like you're worse than the people you're snickering about.
Oh, just pastebin it anonymously over some open WiFi and submit to a few news sites. That works way better than what you did.
No good deed goes unpunished
For me, I heard Buford T. Justice's voice...
Why is it that most of the people that I encounter seem to have been shat from the Sphincter of Mediocrity?
Ah yes. We should always assume the voice and cadence of a Foghorn Leghorn-sounding southern character when somebody makes a dumb comment. Because no literate, educated northern lawyer would ever be so ignorant. amirite?
Lawks a mercy, mammy, you think eldavohjohn might could lapse into a negro patois next, wit' a bit a' blackface? I sho' do like that, it's POWERFUL good, lawd! POWERFUL good! Amen and HALL-AY-LOO-YA!
(Hey guys, let's be enlightened progressives! That means we can bash anybody who comes from an area of the country that doesn't always vote the way we'd like, right!?)
He's parodying certain religious leaders who say this exact same shit about Florida, California, New York, or the US in general.
Go look up Poe's Law.
And those certain religious leaders are assholes, too. Fuck you, apologist.
Reminds me of: http://www.despair.com/meetings.html
also WGET is the new WMD
"...attorney Jonathon Lee for both telecoms threatened the 'Scripps Hackers' with violating the Computer Fraud and Abuse Act (CFAA)." Good fucking luck with the subterfuge assholes. You shit the bed and now you are trying to say it was the guy from the next town over. So typical of companies nowadays. I agree that the more anonymous you can stay the better. We seldom if ever give our info to anyone unless it can't be helped. Most of the time it can be and so we don't. I worry more about these shit bag companies having my info more than I do nefarious characters nowadays.
This has been another episode of Projection Theater, performed by Anonymous Coward. Thank you for your support.
"affordable phone service for low-income citizens"
LOL - meaning "for third world invaders".
So, making a parody of people puts you on the same level or worse than the people that you're parodying?
I'm never going to the world that exists in your head. Fuck that place.
Prove it. If you think you have evidence that they broke the law, then bring the law into it and prove your case. If you can't, then shut the hell up. We all have better things to do than listen to your saber-rattling.
I read this in the voice of Sheriff J.W. Pepper (see The Man with the Golden Gun and Live and Let Die)
Buford T. Justice is also acceptable.
Jesus was all right but his disciples were thick and ordinary. -John Lennon
PEEK and POKE are on the short list of Bill Gates' truly original contributions. Clearly tools of the Devil.
Use google to find information, use that information to exploit certain weaknesses in a system. Isn't that exactly what hackers do? How are they not hackers? Because they also wear the hat of news reporters? Maybe that's what current hackers have been doing wrong. They need to get jobs as reporters.
No, making a parody of people that makes light of the suffering of real, innocent people makes you an asshole.
In other words, the asshole preachers and the assholes parodying the preachers on the backs of real peoples' real suffering are both assholes, and deserve to catch ass cancer & die.
Fuck you.
Read what he wrote.
"massive belt buckle"
"chilluns"
"god fearun' man on this here earth"
repeated invocations of fire & brimstone-style religious imagery
It's very clear what he meant to evoke: "small minded, ignorant religious southern rube who just don' understand nothin' about no technical stuff, because book learnin' is for dem faggots and heathens, unless you're talkin' about dat GOOD BOOK! YEEHAW!"
In reality, the lawyer writing the letter on behalf of the companies who leaked the data is from Washington DC. The journalists work for an organization headquartered in Cincinnati.
Where, exactly, does "small town southern hick sheriff" come into this? Right. It doesn't.
If eldavojohn's joke above had been done in his best pickaninny impression while he rubbed some shoe polish on his face, Slashdot would be aghast at his disgusting, casual racism. But I guess it's okay to be a stereotyping douchebag as long as you avoid stereotyping people who think like you, eh?
Thanks for playing, chief. Go fuck yourself.
They are just Oklahomans, what's the problem.
This is why you should just sell the information on the black market. The financial and legal incentives are such.
The Streisand Effect will be in place here. Cue Anonymous hacking these companies upside down in 3...2...1......
I was promised a flying car. Where is my flying car?
Pick some tools to mask your wlan-card's MAC-address, randomize your address, go wardriving to find an open wlan. There, create a bogus blog or website, upload results there. As a bonus, create a bogus email account and email a "tip off" to your colleague and yourself, or something. Turn off computer, go home. "Find" your new website and be one of the first ones to report it. Or if you want it to be fixed more than just to write a story about it, email just some high profile journalists.
I feel with the people in the affected areas and wish the religious intolerant (or is it intolerable?) would no longer be allowed to use others' misery for their own sick agenda.
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
Use of 'Googledorks' to gain access to (intended-to-be) 'private' information, is, however trivial, a form of hacking (i.e. cracking).
Essentially, this is equivalent to running a port scan on the server (legal) and then connecting, seeing there is no authentication (and relatively signs that this is not intended to be public), pokes around for a while, eventually disclosing this weakness (very much not legal).
It becomes illegal somewhere around the moment the 'intruder' no longer can be reasonably said to have a good faith belief that they are accessing information that they are intended to have access to, and then continues to do so.
How many anonymous 'hackers' are decent folks just pointing out glaring flaws while wisely protecting themselves from idiot lawyers and lawmen?
"but the sweatshop lawyers writing them generally have a better grasp of legal than some Internet A/C."
Not only look at the Prenda stuff, showing that even if the lawyers DO know the law better than any AC, they don't actually have to obey it, do they (similarly with the police). But also in personal experience. I was in a contract dispute with a plumber and talking about it to a friend of mine who is a fully paid-up lawyer after I'd researched the laws of the case, and he said "You know a lot more about this than I do" after I cleared up a few incorrect assumptions he'd made about the rights and obligations of trade.
This is why they have paralegals.
The lawyer is mostly a legal secretary who will know how to present the case (not the law) and will fill in the forms and present them correctly (not the law) but when it comes to the law, not even lawyers know it, and they use paralegals and a huge library of case law and statute instead of memorisation.
What would you expect them to do?
Satan's server scythe
OK, I need to borrow this.
So, Obama and his goons recently went after a few reporters at AP, and now we see more government officials going after some more reporters.
Time for some more exposure, not less. After all, if the goons are not doing anything wrong, they should have nothing to hide, isn't that the phrase they like to use on the rest of us?
"If you embarrass or make extra work for someone with power, then the powerful person will use his resources to hurt you"
Once you realize that "civilization" is just a cover for sociopaths to exercise power over others without consequences while simultaneously maximizing their personal comfort and safety then everything suddenly makes sense.
Don't think for a minute any of our "leaders" wouldn't behave exactly like those in North Korea if they thought they could get away with it.
Anonymity is the only defense the weak have against the powerful, which is why the powerful work so hard to suppress it.
ha!
Yeah, that'll work.
I worked for an outsourcing IT company, and one of the guys I work with filed invoices for the customer. The application he was using (SAP if I recall), also was used by payroll. At some point he got access to view quite a few people's payroll records. He called the customer's SAP support and they denied that he could possibly have access to those records. So he told them, well, why don't we ask some of the people in this list if this is what they make and see if it is accurate. They declined, and the records disappeared shortly after. When he called them back about it, they were like we didn't do anything, you must have been mistaken about having access.
Are you sure about the genesis of PEEK/POKE? I was using them in Integer BASIC, before MS came out with Applesoft.
And they won't tell if or when they want you to - you have to be able to figure it out/read their mind/some other ridiculous bullshit
Locomotive Software called. They want their code back...
This tagline was transcoded to result in at least one smirk. If you experience failure to smirk, please consult your Gen
I think all whose information was freely available online have cause for a damages claim against the telecoms. I think the more they threaten, the more a counter threat should be provided noting that if they persist in their bullshit claims (in an attempt to try and cover up their faults), they could end up losing A LOT .. LOT LOT LOT of money when they are forced to pay damages to over 100K users!