Slashdot Mirror
Trump's Cyber Security Advisor Rudy Giuliani Runs Ancient, Utterly Hackable Website (theregister.co.uk)
mask.of.sanity writes from a report via The Register: U.S. president-elect Donald Trump's freshly minted cyber tsar Rudy Giuliani runs a website so insecure that its content management system is five years out of date, unpatched and is utterly hackable. Giulianisecurity.com, the website for Giuliani's eponymous infosec consultancy firm, runs Joomla! version 3.0, released in 2012, and since found to carry 15 separate vulnerabilities. More bugs and poor secure controls abound. The Register report adds: "Some of those bugs can be potentially exploited by miscreants using basic SQL injection techniques to compromise the server. This seemingly insecure system also has a surprising number of network ports open -- from MySQL and anonymous LDAP to a very out-of-date OpenSSH 4.7 that was released in 2007. It also runs a rather old version of FreeBSD. 'You can probably break into Giuliani's server,' said Robert Graham of Errata Security. 'I know this because other FreeBSD servers in the same data center have already been broken into, tagged by hackers, or are now serving viruses. 'But that doesn't matter. There's nothing on Giuliani's server worth hacking.'"
The Russians are only interested in hacking Democrats servers.
He's not storing mountains of classified emails on his server.
lol, this owns
I never new the man was so talented! How many other ex-politicians have the skillz to be a web admin, even if he's apparently not quite up to speed on website security?
Robert Graham explained it succinctly: http://blog.erratasec.com/2017... .
The real story here is that Giuliani is now a goddamn cybersecurity advisor, not that this personal site is crap. The guy was hired not because of competence but because he spent the entire campaign kissing Trump's ass.
Can anyone think of anything more appropriate?
there's nothing else to talk about. /THREAD
Does his server contain highly classified e-mail messages too?
Actually the website is apparently ran by a company called datarocket, which has an amazing website designed from the early 90s. (https://whois.icann.org/en/lookup?name=giulianisecurity.com & datarocket.com). I doubt Rudy even know what a webserver really is, let alone how to configure it.
/s
So he will be a great fit as a Cyber Security Advisor.
"So we had to get very, very tough on cyber and cyber warfare. It is a huge problem. I have a son—he’s 10 years old. He has computers. He is so good with these computers. It’s unbelievable. The security aspect of cyber is very, very tough. And maybe, it's hardly doable. But I will say, we are not doing the job we should be doing. But that’s true throughout our whole governmental society. We have so many things that we have to do better, Lester. And certainly cyber is one of them."
I don't respond to AC's.
9-11, never forget
other than his professional reputation.
"giulianisecurity.com’s DNS address could not be found."
Rick B.
[P]If someone wants to prove a point they can hack it. Someone will have an egg on their face, another will look bad, maybe someone will get fired, and some meetings will be scheduled to fix it. [/p]
[P] Call me if he starts trying to run an email server to pass classified infomartion to skirt federal record keeping rules on that same box, THEN you might have a story. [/p]
lets all have a good laff at this dude using vbb tags on the ole slashdot
Giuliani has been hired to endorse and push laws that further Trump's administration's ability to invade the privacy of those they dislike, and to prosecute those who dare to use technology or the internet to speak out against them.
Require Muslim citizens to register their devices before being allowed to sign up for broadband? Sounds like cybersecurity to me! Emailing someone an article disparaging Trump? Sounds like CYBERTERRORISM right Rudy?
Working for InfoSec firm here. Up until very recently we were in the same boat, and not because we didn't understand the situation. This is because our web services were outsourced to a third-party on a long contract and they refused to do anything about security unless it was visibly broken. We actually had to hire a third-party to provide us report stating the obvious, despite being able to get to web server's root ourselves in under 5 minutes.
looks like he pulled DNS, but the site is still reachable by ip...
The DNS entry has been removed, but the server continues to run:
http://209.238.99.227/index.ph...
beware!
4wdloop
Is that guy something; or is that guy something? I mean, you gotta give this crew credit. They are so fucking good... Know what he's looking at?
Us. The L.A.P.D. The Police Department. We just got made...
Hanna
Heat (1995)
So I am sure all of these anti Trump/Giuliani posts are perfectly content with the job the Obama administration has done, what with the millions of accounts hacked at OPM and hundreds, if not thousands of cyber foreign cyber attacks on US companies and contractors???
Anyone who thinks that Giuliani, a very active public figure, is going to update the Giuliani web site himself is an idiot. He paid someone to put that site together, and if it gets hacked, so what, i'ts not like he is storing classified government documents on it like someone else we know did... Part of any good security is knowing what is worth protecting and what can be isolated and wiped and restored more economically than putting a lot of effort into protection.
This is the way it works in business and how it is supposed to work in government. Trump thinks hacking of US companies/government/contractors is way out of hand. Finds a smart guy (Giuliani) who understands geopolitics and security in general, as well as how to lead a team and get shit done. Hires Giuliani. Giuliani puts together a team of experts to work on guidelines for better protecting the US from hacking and what our response should be for foreign and domestic hacks, how to minimize damage, steps to take to block foreign access to sensitive data and prevent phishing etc. etc. Giuliani has to know very little about the actual implementation of any specific instance of cyber security, his job is by an large as a facilitator to bring the right people together and help cover the bases as the team works together.
If you disagree, please post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like
HONEYPOT!!!
I figured it would have to be Joomla. I'm doing maintenance programming on a Joomla site right now, and it's just a complete mess. There is nothing good about any part of the framework and no one should use it for anything. There is no "right way" to do things, and the documentation is beyond awful: obsolete, incomplete, badly written. Beyond the official documentation, most books on Joomla either don't cover the latest major version, or mention it but focus on the legacy interfaces. One is forced to look at the code itself for examples of what to do, and apparently that means make it up as you go along, There is no consistency even in the unit tests, hell, even in which testing framework they're using. And (at least IMO) there is no consistent vision because the fundamental design is crap.
Use of Joomla for any purpose should be a firing offense.
Those who advocate genocide deserve every protection afforded by law, and none afforded by common human decency.
Wow . . . so this is just like that time Obama hired a tax cheat to be his first US Secretary of the Treasury!
Rudy Giuliani has no idea what FreeBSD even is. He probably thinks it's someone that wants what he calls a handout. On the part of FreeBSD being insecure, the article is just wrong. It has far fewer holes than Linux
It seems most of Trump's appointments have been for people who are the opposite of the best choice for the job.
Hey BeauHD, Hillary lost, get over it. The way she stumbles around these days she must be drinking a lot. I suggest you try it as well - it might dull the deep throbbing butthurt that compels you to post the Trump team hit pieces so often. Go do something productive, like getting cancer.
Robert Graham explained it succinctly: http://blog.erratasec.com/2017... .
The real story here is that Giuliani is now a goddamn cybersecurity advisor, not that this personal site is crap. The guy was hired not because of competence but because he spent the entire campaign kissing Trump's ass.
"Thus historian Vincent J. Cannato concluded in September 2006, "With time, Giuliani's legacy will be based on more than just 9/11. He left a city immeasurably better off — safer, more prosperous, more confident — than the one he had inherited eight years earlier, even with the smoldering ruins of the World Trade Center at its heart. Debates about his accomplishments will continue, but the significance of his mayoralty is hard to deny."
You might be correct, in that Giuliani was not hired because of competence, but you are completely incorrect implying that Giuliani is wholly without competance.
And once again, I have to ask: is [what you said] this important? Is *why* someone is hired more important than their competence?
And once again again, I have to ask: compared to what? Is hiring Giuliani any worse than the practices of the previous administration or the runner-up candidate?
For contrast, note that Bush appointed a crony as head of FEMA who completely fell on his face during Katrina, and Obama appointed Caroline Kennedy as ambassador to Japan, who was completely outmastered in our recent Japanese treaty negotiations(*).
Is it useful *at all* to just throw throws random aspersions around?
(*) Resulting in a treaty which is beneficial to Japan, but a very bad deal for America. I have no opinion about Ms. Kennedy, good or bad, only note that she was unqualified for the position, was apparently appointed because of her ties to a famous family dynasty, and America was worse off because of it.
Slashdot has jumped on the fake news bandwagon.
Aaaaaand it's gone.
The site is off the air, whether taken down by hackers or by the numbnuts that run the site remains to be seen.
Just cruising through this digital world at 33 1/3 rpm...
Better a proven executive who knows he needs to consult experts than a 'guru boss' who doesn't need no stink'n experts.
So Trump spouted off over and over that he would surround himself with the best people for the job. So far I've seen the absolute opposite. Not one single person Trump has put into position is even remotely qualified for that position.
Why is some old dumb fucker with no technical background or skills running a "security" company to begin with?
Why is some uneducated trained monkey butcher, er I mean neurosurgeon, going to be the head of HUD?
Considering how many Trump cabinet appointees are openly opposed to the missions - or even existence - of the departments he is aiming to appoint them to head, why would it be a surprise that a "cyber security advisor" is running an atrociously insecure site?
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
[i]I know rite?[/i]
would just be wrong. I cannot recommend to anyone that they hack Giuliani's website to expose how little he knows or cares about computer security, since he's now Trump's cyber czar ...
"Easily hacked and nothing on it". Have to be pretty stupid to not see it as bait for wannabe hackers. Hook, line, and sinker. Here's your sign.
His company ONLY offers LEGAL advice.
Giuliani probably thinks the big 'E' on his desktop is THE internet.
So what are you waiting for?
Apparently he can't even do that.
Why would anyone engrave "Elbereth"?
He's storing them on the Kremlin's server?
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
How else can you expect to push tougher cybersecurity laws if you can't get compromised at the highest levels?
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
It's almost like Trump wants the dumbest and most awful people he can find to run the country. It falls apart and we are all stuck yelling "Wolverines!"
but we're not talking about Obama, we're talking about Giuliani and Trump. You know, the shmucks your kind just elected.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Of your points, this is one that I wanted to address because this sort of protectionism is something which really resonates with people who don't think too hard about it. It seems so simple: "Protect American jobs! The only cost is screwing some foreigners! Why haven't we been doing this all along? Our government must be corrupt or stupid or something." It's a topic which demagogues can latch onto, but the only people who protectionism really benefits are the people in control of the industry in question. Even to the peons in that industry the benefit from protectionism is questionable.
Finally, a cogent argument and the start of a discussion.
You say that protectionism seems good on the surface, but ultimately hurts the country.
Firstly, I think you're drawing a black-white distinction between protectionism and globalism, as if there are no middle ground positions or other policies. We could easily be protectionist in one industry and globalist in another, or "slightly" protectionist (through tariffs, for instance), or isolationist (like North Korea) in some circumstances(*).
Secondly, you're repeating an economist meme without citing references or analysis or even rationale, and making your point by making an emotional appeal.
I claim that the economist meme "globalism is better for a country" is false, in the mathematical sense.
I'm familiar with the globalism rationale as set forth by economists, and I agree that the mathematics show that globalism is better, but the analysis is based on a model that makes many assumptions. Even though the mathematics pans out, when the assumptions don't match the model you can't rely on the conclusions.
It's like Nate Silver predicting Hillary would win the election. It was based on sound statistical models with no calculation errors, but the assumptions were faulty.
In the specific case of globalism, the model assumes an economic and citizen equality between the two nations. Specifically, if both nations allow citizens to acquire and keep wealth, the model works as planned. When this is not true, all the wealth flows out of the wealth-building nation and into the poor nation, where it is squandered and lost.
To be even more specific, someone from Poland or Greece could emigrate to the UK and take a high-paying job (lab tech, dentist, programmer, or similar), but a Brit cannot expect to emigrate to Poland or Greece and do the same. Poland and Greece are rife with corruption, which makes it almost impossible to build wealth. For contrast, a Brit and a Norwegian could realistically swap places, in the economic sense.
Someone in China could do the same manufacturing jobs as Americans, but after a lifetime of work would have almost nothing to show: No paid-off house, or car, or retirement funds. Most of the wealth in China goes to the government, which spends it on infrastructure, much of which is unwisely spent.
Furthermore, a Chinese can emigrate to the US and take a job or start a company, but it's impossible for an American to go to China to do this, even if you live there and are married to a local. The difference in model completely reverses the effects of globalism on the US: It puts the US is in decline, while China experiences impressive growth.
And finally, the idea of "good for the country" in the minds of economists is based on the wealth of the corporations. The welfare of the citizenry is an afterthought in these models, as unemployment rate, and that only because of its effect on the corporations.
For these reasons, globalism is a terrible idea even though it's repeated by economists a lot, and even though their mathematics and analysis is correct.
That is my rationale, and the logical underpinnings of why that economic meme is wrong.
If you have a counter argument, I'd like to hear it... but just restating your position or saying "most economists agree" isn't a proper argument, and making an emotional appeal (which you've already done) i
Call me if he starts trying to run an email server to pass classified infomartion to skirt federal record keeping rules on that same box, THEN you might have a story.
You mean if he inappropriately revealed classified information, like worthless piece of shit Trump's national security advisor Michael Flynn?
So, Bush and Obama were both shitty Presidents. I think that has been firmly established. Should we just give worthless piece of shit Trump a pass since the other Presidents were shitty, too?
Hillary put one of her big donors on a government intelligence advisory board, even though he had no relevant experience.
Yes, we can give Trump a pass on appointing Giuliani.
And also, why are you insulting our president?
Hillary lost.
Get over it.
I cant seem to visit the site. Either its been hacked or overloaded?
Does someone who heads a cyber-security company have to actually be an admin w/ a good cyber-security certification? That's like demanding that Gates be a whiz at C++ programming and win APIs, or that Jobs should have been a whiz at Objective-C or AppBuilder. Rudy has a security company of his own, and he's recently added cyber-security as an area of focus in their mission. Question is - how much has he outsourced to the company hosting his site vs having his in-house admins managing it?
The server is FreeBSD based, which is not a bad choice. Question is - how essential is it that the FreeBSD version be made current? And how easy is it if they are running FreeBSD - the CLI version, as opposed to PC-BSD? Would it had been better had they based it on OpenBSD? From the summary above, it looks like the organization has let the data center manage that configuration, but if they took that expertise in-house, to what extent could they get rid of the holes in question?
I wouldn't touch that server you know it's protected by the Russian Mob. They are friends via Trump.
"Make America Great Again!" Hackers need love too! As much as oil execs, business execs, people that abuse the environment, anyone that holds loans to Trumps' companies that he will NEVER talk about to his kids while in office *sic* believe him! BELIIIIIIIIIEVE HIM!
Indeed, an LDAP directory answers there, but it has little to say:
$ ldapsearch -xLLLh 209.238.99.227 -s base -b '' +
(nothing!)
You would think that the first thing you would do after accepting the job as cyber security poster child would be to run out and make sure your shit was secure. Being a political appointee I would not expect Rudy J to do it himself, but at least hire someone competent to do a review for you.
errr....umm...*whooosh* *whoosh* Is this thing on ?
I would put a nice honeypot out as a front end and wait to see what beasts came to visit. Even better I might then 'leak' to the media how vulnerable it was just to make sure. Then again they could just be fucking idiots.
Well, but you can't blame him. He's surrounded by well-educated people who think with nuance and consideration.
It's perfectly natural that he didn't account for the fact that there were all these toxic, stupid voters out there.
So give Silver a break.
Rudy needs a long list of people to pick up in the sweep. Even better if you are an illegal. Use the standard trick to appear you are coming from Russia. No way that actually rats you out...
It's a honey trap. Just TRY and hack it!
Did you mean 'disclosure'? I don't see anything disclaimed here.
Obviously he knows how to put up dandboxxed decoy exploitable non-resources. Why not?
Trump: What's the difference between a chickpea and a garbanzo bean?
Me: IDK, what's the difference between a chickpea and a garbanzo bean?
Trump: I never paid money to have a garbanzo bean on my face.
https://www.youtube.com/watch?... 9/11 Suspects: Rudy Giuliani [corbettreport]
Giuliani is the obvious choice for cybersecurity - we all know that fundamentally, computers operate on a series of 9s and 11s.
Perfectly Normal Industries
Anyone who gets hacked deserves it. Hackers get a free pass. Soft on crime.
But only if it benefits you or harms an adversary. And hackers are not the adversary, oh no! And one can never say anything factual about the hackers, because you know, The Internets and suchlike. It's just not, like, possible, man!
LOL