Slashdot Mirror
Reporters Threatened, Labeled Hackers For Finding Security Hole
colinneagle writes "Scripps News reporters discovered 170,000 records online of customers of Lifeline, a government program offering affordable phone service for low-income citizens, that contained everything needed for identity theft . Last year, the FCC 'tightened' the rules for the program by requiring Lifeline phone carriers to document applicants' eligibility, which led to collecting more sensitive information from citizens. A Scripps News investigative team claims it 'Googled' the phone companies TerraCom Inc. and YourTel America Inc. to discover all of the files. A Scripps reporter asked for an on-camera interview with the COO of TerraCom and YourTel after explaining the files were freely available online. That did not happen, but shortly thereafter the customer records disappeared from the internet. Then, the blame-the-messenger hacker accusations and mudslinging began. Although the Scripps reporters videotaped the process showing how they found the documents, attorney Jonathon Lee for both telecoms threatened the 'Scripps Hackers' with violating the Computer Fraud and Abuse Act (CFAA)."
That will teach you to use responsible disclosure.
In America, two business principles apply:
1. It is none of your business when shit hits the fan, and
2. It is never our fault.
goes unpunished.
Company Spokesman: Surely you don't think it's our fault.
Company Spokesman: Especially if it's going to cost us money.
Sheesh, evil *and* a jerk. -- Jade
Stephen Heymann and Carmen Ortiz to make sure these neferious cyber criminals get what they deserve!
I honestly can't understand the point of shooting the messenger here. Is it entirely to try to convince their customers (who are likely not very tech savvy) that they have nothing to worry about? I can understand the letter they sent out blaming the reporters for that, but to actually sue them doesn't make sense. Do they actually believe they can spin this to the FCC as the reporters going all James Bond to access files that were reasonably secured? Or is this just a lawyer who is racking up more billable hours, and his clients are too stupid to realize what a waste it is? Is this actually a roomful of executives saying "FUCK THOSE GUYS! Send the lawyers after them! That'll learn the press to google us!"
I realize these companies have made some seriously bad decisions, and dumb decisions by committee are even worse, but this makes no sense.
Lee added that the Scripps Hackers eventually used Wget to find and download "the Companies' confidential files." (Wget was the same tool used by Facebook's Mark Zuckerberg in the film The Social Network to collect student photos from various Harvard University directories.) The rest of the letter pretty much blamed the "Scripps Hackers" for the cost of breach notifications, demanded Scripps hand over all evidence as well as the identity and intentions of the hackers, before warning that Scripps will be sued.
Folks, there was a big bad security breach. Now, *adjusts his massive belt buckle* we're investigating this like we would any other serious crime. And right now we're just trying to identify weapons used in this heinous attack. Now, we've discovered that the hackers were using a very vicious mechanism in this attack. In a murder, you might find a revolver used to put two bullets into the back of a poor old defenseless lady's skull in order to get all her coupons and a couple of Indian head pennies out of her purse. Or perhaps in a pedophile case, you'll find the "secret candy" that was used to lure the children into a white panel van with painted over windows.
... let's go down to Scripps and put all this computer business behind us. Okay?
*expels a long tortured sigh*
Well, I gotta say, in my thirty years on the force, I wish we were only dealing with something like that today, honest to God Almighty I really do. Instead this artifact was discovered at the scene of the crime. Now, I'm not asking you to understand that -- hell, I'd warn you against even openin' up your browser to the devil's toolbox. But let me, a trained law enforcement professional, take the time to explain the gruesome evidence just one HTTP request away from you and your chillun'. The page is black. Black as a moonless night sky when raptors swoop from the murky inky nothing to take your kids and livestock back up with them silently. On it is a bunch of white text that makes no sense to any God fearun' man on this here Earth. That's what they call a "man page" probably because it is the ultimate culmination of man's sin and lo and behold it displays a guide to exact torture on innocent web servers across this great and holy internet.
Even if you want to use this "man page" for WGET to learn how to use Satan's server scythe, you would have to read through almost twenty pages of incomprehensible technobabble like what that kraut over in Cali -- the one who took his wife's life -- spoke. And if you want to just see an example, it's not at the top! No, why, it's all the way down at the bottom. For this one, they don't even have examples. Just enough options to kill a man. Probably gave Steve Jobs cancer, they never proved all these options in these pages didn't. Buried in the mud of a thousand evils lie more evils.
And why, oh why are we even wasting taxpayer money on these Scripps Journos? Who needs a trial when the evidence is in the tools they used? Folks, I think it's time we WGET one last thing, I'll WGET a rope and you WGET your pitchforks and torches
My work here is dung.
Call 'em hackers enough time, and people will be distracted by their alleged malice to the point where they forget or don't even believe anymore that the files were literally just out there for anyone to see. It's like leaving a $100 bill on the sidewalk and waiting to see who turns it in at the lost and found so you can call 'em a thief to distract from your own leaving it lying around.
In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
the nerve of those... terrorists?
The management of First & Only Bank would like to let everyone know that all the money has been piled on the front lawn, and also that they're very upset that it has been disappearing.
So if you are a robber, please don't the take the money. It's very rude.
The money has been placed on the front lawn to get it out of the way while the vault is being repaired.
...should be a course in Computer and Internet Obviousness (naughty words omitted to make it sound more official, fucking god dammit). And certified as passing this course should be a requirement to be a judge or lawyer in the US with a 6 month renewal term. Any lawyer not holding a certificate should be disbarred post haste and any judge should be removed from his/her seat post haste. Post haste. Haste.
You can dance if you want to.
I read this in the voice of Sheriff J.W. Pepper (see The Man with the Golden Gun and Live and Let Die)
Mon chien, il n'a pas du nez. Comment scent-il? TrÃs mauvais!
It's deflection.
If they were "hacked" then the folks who's data was leaked blame the wily hackers. If they let it stand that the data was just freely available on the web, it's a liability to the telecoms involved; i.e. "it's not our fault, it's THOSE guys."
Solving Unix problems since 1989...
Is this a screenplay? CIS:Tennessee?
Faster! Faster! Faster would be better!
And here is me, with no mod points for the day.
While the threats are over the top people need to get it right. They didn't just report a security hole, they EXPLOITED the hole after discovering it and downloaded the data, that is where they crossed the line. It is like the difference between pointing out to a bank that their bank vault was left unlocked and walking in and taking all the money and saying "look guys I can walk in and take everything because your door was open". One will get embaresment from them the other will invoke rage and you in handcuffs.
I suspect that it's a mixture of technical cluelessness and PR. The people who actually made the mistake that led to the records being exposed probably realize(now, I'm sure it was either an oversight or 'just temporary' at the time) that they fucked up; but they have little to gain by pointing that out.
People higher up the food chain probably have only the haziest distinction between 'something I didn't want happening' and 'something that you circumvented an access control to achieve' and, again, not much incentive to clarify the situation. "Getting hacked" isn't good; but it's a bad thing that just happens sometimes. "Being massively irresponsible" sounds like something that might incur liability.
Wow, I'm scared to fire up my console now. GUIs only from now on for me - I had no idea that I was invoking the devil with my black backround and myriad switches and parameters passed!
Having been a "builder" from a very young age, I can identify with being considered "heathen" for being able connect things that other people had no idea could work together (yet obviously could work together - for example I've used a decent amp and speakers with whatever source was playing since I left home, but using the AUX input with my NICAM video recorder was blasphemy to my parents - and connecting the computer (Amstrad CPC464) to the speakers must have been like summoning demons - because they put a stop to that quickly - and no, it wasn't loud either.)
This perception of me as "hacker" carried on through school and college. Despite me having more integrity than anyone else around me at the time, and an innate sense of "right" and "wrong" and natural justice, I found myself distrusted because people couldn't understand how I did the things I did with so little (and such a crap background. Computer books were NOT on any shopping lists. I had the CPC464 manual, and POKE.)
This tagline was transcoded to result in at least one smirk. If you experience failure to smirk, please consult your Gen
First they came for Weev. ...
Then they came for the reporters.
When information is power, privacy is freedom.
Usually reporters tell stories of "hackers" finding such things and we wonder weather the reporters understand how "non-hacking" the activity really was. Well in this case it's abundantly clear to them since it was they who discovered the data in plain sight. No question the reporters see the absurdity of the "hacker" label in this case.
First of all, both these comapnies web sites are identical. Second of all, they look like some 14 year old put them together.
Look, this is just some sweatshop lawyer who wrote q $200 threatening letter. The threat has no value, and should be ignored.
If you want news from today, you have to come back tomorrow.
1. wget is just a means to automate. Would you type all the URLs manually?
2, 3, 4. As insecure as anybody else downloading it. They have no duty of care that publicly available data that shouldn't be publicly available is not publicly available.
5. A blurred screenshot allows plausible deniability. After all, the blurred bits could be anything. It could even be a completely different page blurred in Photoshop to smear the good name of these dickheads^W fine upstanding members of the community.
If they have a complete data dump, it is most likely someone else does as well. Someone who is more interested in profiting from shoddy practices.
"Wait. Something's happening. It's opening up! My God, it's full of apricots!"
In my opinion, attorney Jonathon Lee is a fucking asshole.
No good deed goes unpunished
For me, I heard Buford T. Justice's voice...
Why is it that most of the people that I encounter seem to have been shat from the Sphincter of Mediocrity?
Reminds me of: http://www.despair.com/meetings.html
"...attorney Jonathon Lee for both telecoms threatened the 'Scripps Hackers' with violating the Computer Fraud and Abuse Act (CFAA)." Good fucking luck with the subterfuge assholes. You shit the bed and now you are trying to say it was the guy from the next town over. So typical of companies now days. I agree that the more anonymous you can stay the better. We seldom if ever give our info to anyone unless it can't be helped. Most of the time it can be and so we don't. I worry more about these shit bag companies having my info more than I do nefarious characters now days.
I read this in the voice of Sheriff J.W. Pepper (see The Man with the Golden Gun and Live and Let Die)
Buford T. Justice is also acceptable.
Jesus was all right but his disciples were thick and ordinary. -John Lennon
PEEK and POKE are on the short list of Bill Gates' truly original contributions. Clearly tools of the Devil.
Use google to find information, use that information to exploit certain weaknesses in a system. Isn't that exactly what hackers do? How are they not hackers? Because they also wear the hat of news reporters? Maybe that's what current hackers have been doing wrong. They need to get jobs as reporters.
The Streisand Effect will be in place here. Cue Anonymous hacking these companies upside down in 3...2...1......
I was promised a flying car. Where is my flying car?
I feel with the people in the affected areas and wish the religious intolerant (or is it intolerable?) would no longer be allowed to use others' misery for their own sick agenda.
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
How many anonymous 'hackers' are decent folks just pointing out glaring flaws while wisely protecting themselves from idiot lawers and lawmen?
I worked for an outsourcing IT company, and one of the guys I work with filed invoices for the customer. The application he was using (SAP if I recall), also was used by payroll. At some point he got access to view quite a few peoples payroll records. He called the customers SAP support and they denied that he could possibly have access to those records. So he told them, well, why don't we ask some of the people in this list if this is what they make and see if it is accurate. They declined, and the records disappears shortly after. When he called them back about it, they were like we didn't do anything, you must have been mistaken about having access
Are you sure about the genesis of PEEK/POKE? I was using them in Integer BASIC, before MS came out with Applesoft.
Locomotive Software called. They want their code back...
This tagline was transcoded to result in at least one smirk. If you experience failure to smirk, please consult your Gen