Gizmodo Went Phishing With the Trump Team -- Will They Catch a Charge? (arstechnica.com)

← Back to Stories (view on slashdot.org)

Gizmodo Went Phishing With the Trump Team -- Will They Catch a Charge? (arstechnica.com)

Posted by msmash on Monday May 15, 2017 @04:00AM from the catching-the-wrong-fish dept.

Earlier this month, technology publication Gizmodo published a report on how it "phished" members of the administration and campaign teams of President Donald Trump. The blog said it identified 15 prominent figures on Trump's team and sent e-mails to each posing as friends, family members, or associates containing a faked Google Docs link. But did the publication inadvertently break the law? ArsTechnica reports: "This was a test of how public officials in an administration whose president has been highly critical of the security failures of the DNC stand up to the sort of techniques that hackers use to penetrate networks," said John Cook, executive editor of Gizmodo's Special Projects Desk, in an e-mail conversation with Ars. Gizmodo targeted some marquee names connected to the Trump administration, including Newt Gingrich, Peter Thiel, (now-ex) FBI director James Comey, FCC chairman Ajit Pai, White House press secretary Sean Spicer, presidential advisor Sebastian Gorka, and the administration's chief policymakers for cybersecurity. The test didn't appear to prove much. Gingrich and Comey responded to the e-mail questioning its provenance. And while about half of the targeted officials may have clicked the link -- eight devices' IP addresses were recorded accessing the linked test page -- none entered their login credentials. The test could not determine whose devices clicked on the link. What the test did manage to do is raise the eyebrows of security experts and some legal experts. That's because despite their efforts to make it "reasonably" apparent that this was a test, Gizmodo's phishing campaign may have violated several laws, ignoring many of the restrictions usually placed on similar tests by penetration-testing and security firms. At a minimum, Gizmodo danced along the edges of the Computer Fraud and Abuse Act (CFAA).

43 of 122 comments (clear)

Min score:

Reason:

Sort:

This is the EXACT same thing that "hacked" Podesta by SensitiveMale · 2017-05-15 04:05 · Score: 3, Funny

So I'm guessing that Gizmodo is now Russian.
Expect a devastating tweet by Track07 · 2017-05-15 04:05 · Score: 1

But yes, these guys went too far.
1. Re:Expect a devastating tweet by Shatrat · 2017-05-15 05:37 · Score: 3, Interesting
  
  It was also pretty juvenile and myopic if they think that Comey and Gingrich are part of 'Trump's team'. Comey was investigating his Russian ties and Gingrich is calling for Comey to testify publicly about his firing. I think this is another example of people conflating everyone they don't like as being somehow magically the same person.
  
  --
  09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
2. Re:Expect a devastating tweet by whoever57 · 2017-05-15 07:58 · Score: 1
  
  Comey was investigating his Russian ties and Gingrich is calling for Comey to testify publicly about his firing.
  I think that you will find that is fake news.
  According to this article, Comey has declined to testify in private, but has indicated his willingness to testify in public. It's not clear if he has been officially invited to do so.
  
  --
  The real "Libtards" are the Libertarians!
3. Re:Expect a devastating tweet by Enigma2175 · 2017-05-15 09:17 · Score: 1
  
  I'll give you Comey, but Gingrich is certainly part of "Trump's team". He worked as a consultant for Trump's campaign, was considered as a VP candidate for Trump and just had his (3rd) wife appointed to an ambassadorship by Trump. Since she has no diplomatic experience, one would assume it is political compensation to Newt. If that's not on Trump's team I don't know what is.
  It makes a lot of sense for them to align, after all they both created a Contract with America (Newt's) (Donald's) on which they both failed to deliver.
  
  --
  Enigma
Re:This is the EXACT same thing that "hacked" Pode by sycodon · 2017-05-15 04:18 · Score: 3, Insightful

I hope the Secret Service finds some law with which to hang these fuckers.
How is this not different than putting a fake gun in your carry on to "test" security?

--
When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
Inadvertently? by aardvarkjoe · 2017-05-15 04:26 · Score: 4, Insightful

But did the publication inadvertently break the law?
Maybe they didn't think the consequences through, but I find it hard to believe that nobody involved realized that this sort of thing is illegal.

--

How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
1. Re:Inadvertently? by michaelepley · 2017-05-15 04:41 · Score: 1
  
  The claim this is illegal is too conclusory at this point. I am sure a lot of lawyers were consulted, and I'm sure we'll hear from more in the future. However, even TFA points out the relative illegality is debatable based on a lot of different factors. And the article also points out the government is likely disinclined to pursue a media outlet, and for good reason: as this activity was for the purposes of investigative journalism the 1st Amendment (which supersedes the CFAA) may provide additional protection to the press that other actors may not benefit from.
2. Re:Inadvertently? by argStyopa · 2017-05-15 06:04 · Score: 1
  
  It's something to do with hurting Trump.
  EVERYTHING is justifiable in a tight-enough echo chamber.
  
  --
  -Styopa
3. Re:Inadvertently? by Ichijo · 2017-05-15 08:21 · Score: 1
  
  I find it hard to believe that nobody involved realized that this sort of thing is illegal.
  
  If mimicking the look and feel of an authentic Google sign-in page is a copyright violation, then Google will come after them.
  Or was some other illegal act committed?
  
  --
  Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.
4. Re:Inadvertently? by chihowa · 2017-05-15 08:59 · Score: 1
  
  Are you claiming that phishing isn't illegal?
  On a federal level it seems to be prosecuted mostly under wire fraud and identity theft laws, but there are other laws that also apply. There are also various state laws that deal with it. Here is a little information on the state laws that apply. Here is a Justice Dept discussion of federal computer crimes that mentions phishing.
  The law mostly used to prosecute phishing seems to be 18 U.S.C. 1029(e)(1). "Penalties for violations of section 1029 range from a maximum of 10 or 15 years of imprisonment depending on the subsection violated."
  Phishing is not legal and it was not a great idea to publicly confess to attempting a phishing campaign against the US government.
  
  --
  If you want a vision of the future, imagine a youtube comments section scrolling - forever.
5. Re:Inadvertently? by Ichijo · 2017-05-15 09:11 · Score: 1
  
  The page was not set up to actually record or retain the text of their passwords, just to register who had attempted to submit login information.
  
  If the page was incapable of storing passwords, was it phishing?
  
  --
  Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.
6. Re:Inadvertently? by chihowa · 2017-05-15 10:14 · Score: 1
  
  Beats me; I'm not a lawyer. That distinction sounds like a matter for the courts, as well as the matter of proving that the page was incapable of storing passwords. If you look at some of those laws I linked to, even attempts at solicitation of credentials are listed as offenses, so your competence at carrying out the crime might not be all that important.
  
  --
  If you want a vision of the future, imagine a youtube comments section scrolling - forever.
7. Re:Inadvertently? by plague911 · 2017-05-15 10:41 · Score: 1
  
  "'They are free to write articles but freedom of the press doesn't suddenly obliviate their illegalities"
  Long story short. In some cases. It looks like neither you nor I are qualified to comment on the nuance.
Re:HERE COMES MSMASH by Anonymous Coward · 2017-05-15 04:27 · Score: 4, Insightful

A story on how Gizmodo failed to phish the current administration with legally questionable methods == anti-Trump post???
If anything, this story highlighted the fact that nobody in the Trump administration fully fell for the phishing and that they really may have learned from the failures of the Clinton campaign debacle. Methinks the bias may be yours...
While Clinton's site encouraged phishing... by xxxJonBoyxxx · 2017-05-15 04:27 · Score: 3, Interesting

As opposed to the candidate whose official site allowed people to phish their friends?
http://cybertical.com/clinton-phishing.html
Re:This is the EXACT same thing that "hacked" Pode by Glock9mm · 2017-05-15 04:36 · Score: 1, Offtopic

Actually, the record shows that Trump won and America has been starting to win for the first time in 8 years.
First Hulk Hogan's genitals, now Phishing Trump? by Glock9mm · 2017-05-15 04:38 · Score: 4, Insightful

First they go after Hulk Hogan's genitals, now they're phishing Trump? Do they realize how stupid and illegal that is? The entire Gizmag/Gizmodo/Jezebel syndicate is a load of politically sponsored crap.
Quit fooling yourself by onyxruby · 2017-05-15 04:39 · Score: 4, Insightful

They didn't dance along the edge of legality. They danced over and never looked back. Legitimate pen test services are painfully aware of this and have the paperwork to prove it.
Ars should have enough sense to check things out for the sake of their own credibility. If Ars Technica bothered to ask anybody who's ever worked in the security industry they would have quickly learned the indemnification is taken very seriously.
http://www.isaca.org/chapters3...
https://pen-testing.sans.org/b...
Hell, even metasploit has been talked about this for years!
https://dev.metasploit.com/pip...
The only people fooled by Gizmodo's phishing logic were the editors who signed off on this to begin with. Next time ask a pro before you publish, it will help you avoid looking the fool.
Re:What We Believe by Anonymous Coward · 2017-05-15 04:40 · Score: 1, Insightful

Trolls like you are so obvious you do not deserve to be heard out.
Trolls are quickly modded down, so most people will only see the troll's post because YOU RESPONDED TO IT.
Do not feed the trolls. If you do, you are part of the problem.
Didn't Prove Much? by 31415926535897 · 2017-05-15 04:45 · Score: 3, Insightful

Makes it sound "inconclusive"--that's not a great way of putting it. The test was a success from the perspective of the administration and a failure on the part of Gizmodo. Gizmodo surely wanted to prove that Trump's administration is as inept as the DNC, and it's clear that nobody fell for it.
I don't really care that Gizmodo did the test, though it seems like they were pretty dumb to go for it without checking on the legality first, but they should be punished in the court of public opinion for failing at a blatantly partisan attack.
1. Re:Didn't Prove Much? by Anonymous Coward · 2017-05-15 05:01 · Score: 1
  
  Yeah, this just seems ridiculous. Even if they want to claim clicking the link is bad, they can't even prove it was the recipient that clicked the link. Some of them may have forwarded the email to one of their IT staff who opened the link in a sandbox.
  If no one entered their login details then no one got phished.
2. Re:Didn't Prove Much? by 31415926535897 · 2017-05-15 06:56 · Score: 2
  
  Sure, you jump to dumb conclusions and I'm the problem.
  I literally said that I didn't care that they did the test, but that's the first thing you attack in response. It's partisan because if Hillary had won, Gizmodo would not have conducted this "test".
  When I smell partisan BS, I'm going to call it out. Reds and Blues being at each other's throats is not going to solve anything in this country.
  PS You're pretty naive if you don't see the bias and partisanship in this and most of the world. I wouldn't go so far as to say that everything is partisan, but it's pretty darn close, unfortunately, and sticking your head in the sand about that doesn't help anything.
Re:This is the EXACT same thing that "hacked" Pode by Tulsa_Time · 2017-05-15 04:58 · Score: 4, Insightful

Sure... call them names... pretend you are smarter than your opponents...
Strong argument.

--
5 out of 6 people enjoy Russian Roulette & 6 out of 7 Dwarfs are not Happy
Re:It was wrong for Trump to pay the Russians... by ganjadude · 2017-05-15 05:00 · Score: 1

i never thought id say this brian, but you smoke entirely too much reefer

--
have you seen my sig? there are many others like it but none that are the same
Had this been Russian hackers by MarkWegman · 2017-05-15 05:06 · Score: 2

instead of Gizmodo clicking on a link would likely have compromised the target's machine. There's been indication that Russia compromised the RNC in the same way it got into the DNC, they just didn't publish the results because they wanted to asymmetrically influence the election. This just re-enforces that had the Russians wanted to they could have gotten through.
What's mildly surprising is that after everyone knew the DNC was hacked and that it was by way of phishing still a lot of these key players still clicked on the links. Some of the potential targets have not only partisan information but probably have access to national security information. If they don't then by compromising them, it would be possible to further spread malware to those who do.
Gizmodo may have run afoul of a law designed to prevent thieves from knowing just how vulnerable some targets actually are. But it's also true that along with thieves learning the general public should learn to be more wary of clicking on links.
Re:This is the EXACT same thing that "hacked" Pode by syn3rg · 2017-05-15 05:24 · Score: 1

I have mod points, but can't find the "Irony" tag...

--
The contents of this message have been doubly encrypted by ROT13
Re:Government has a license... by mi · 2017-05-15 05:26 · Score: 2

First of all, post with your real name to undo the downmod you've just done to my post. You can either participate in a discussion or moderate it — doing both is dishonest.

The NSA has violated the Constitution.
Following the same logic, NSA should be left alone until much larger offenders — like city and state governments — are prosecuted for violating the Second Amendment and the damage done by the violations is undone. Forget "assault rifles" — one can't carry a freaking knife or a slingshot in some locales.
Also, NSA has not obviously violated the Constitution — only someone's understanding of it. For example, there is a seriously put forth line of reasoning, that the above-mentioned Second Amendment only covers arms contemporary to its approval: muskets, single-shot pistols, swords (never mind that many places ban even those). Under that logic, electronic communications are not protected by the Fourth Amendment at all. Perhaps even more importantly, even if we stipulate NSA is breaking it, the Constitution prescribes no punishment for violations. There is no law, under which a "reasonable prosecutor" (wink-wink) can prosecute them.
For all intents and purposes, NSA are allowed to do, what they are doing. It may have been Reagan's executive order, that started it, but neither Carter nor Obama (much less Clinton) has repealed it since.
USMC and other military branches are similarly allowed to kill people — no judge, no jury. Hence my analogy...

--
In Soviet Washington the swamp drains you.
All they have to do... by prisoner-of-enigma · 2017-05-15 05:47 · Score: 1

Why doesn't he just set up his own independent email server that's totally against departmental rules and traffic classified information through it? Then the media would excuse anything he ever did and the FBI would leave him alone completely!

--
In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
False Positives?? by xanthos · 2017-05-15 05:51 · Score: 4, Informative

Just because the email was opened, doesn't mean it was done intentionally by an actual human being.

It can be difficult to distinguish between a human being opening an email and a malware scanning engine opening a email. Modern systems will actually follow links and run executables in sandboxes before releasing the actual email to the end user. What looks like someone opening the email, usually a callback via a pixel image or js include, doesn't involve a human actually opening the email. In fact, just using a preview pane can make it seem like the email has been opened.

Sorry to be a kill joy, but this phishing test proved absolutely nothing.

--
Average Intelligence is a Scary Thing
1. Re:False Positives?? by prisoner-of-enigma · 2017-05-15 06:27 · Score: 3, Insightful
  
  Sorry to be a kill joy, but this phishing test proved absolutely nothing.
  
  Now now...don't be cruel to the children. They wanted to have their little tantrum/party and if you tell them it was a complete failure they'll just cry, scream, call you racist/sexist/homophobic/xenophobic, demand a safe space, and petition to have you fired so they can prove they're more tolerant than you.
  
  --
  In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
2. Re:False Positives?? by Lost+Race · 2017-05-15 16:56 · Score: 1
  
  It can be difficult to distinguish between a human being opening an email and a malware scanning engine opening a email. Modern systems will actually follow links and run executables in sandboxes before releasing the actual email to the end user. What looks like someone opening the email, usually a callback via a pixel image or js include, doesn't involve a human actually opening the email. In fact, just using a preview pane can make it seem like the email has been opened.
  [citation needed]
3. Re:False Positives?? by Anonymous Coward · 2017-05-15 18:32 · Score: 1
  
  Why do you think he wants to kill them?
  Is it because you assume he is "racist/sexist/homophobic/xenophobic?"
  Quick better demand a safe space lest someone disagrees with you on the internet!
Re:First Hulk Hogan's genitals, now Phishing Trump by Hentes · 2017-05-15 06:20 · Score: 4, Informative

Gizmag is a respectable tech blog, it wasn't owned by Gawker.
This is what happens... by prisoner-of-enigma · 2017-05-15 06:25 · Score: 1, Insightful

This is what happens when you let your SJW predilections override and interfere with doing journalism. The frothing desire to embarrass members of Trump's administration completely bypassed the normal "is this a good idea?" discussion that should have stopped this ill-conceived venture before it ever started. But it's also totally unsurprising. Gizmodo's not-very-slow descent into left-wing rant rag began a while back. It's clear they have no interest in attempting even the pretense of objectivity anymore. They should just name themselves "Salon" or "HuffPo" so those who like that kind of stuff instead of tech news can feel right at home.

--
In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
Re:This is the EXACT same thing that "hacked" Pode by Nidi62 · 2017-05-15 06:33 · Score: 1

How is this not different than putting a fake gun in your carry on to "test" security?
Gizmodo actually got caught?

--
The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
If the posting is a "what if" question... by davecb · 2017-05-15 06:42 · Score: 1

... the answer is "no"

--
davecb@spamcop.net
Creeping Death by s.petry · 2017-05-15 07:58 · Score: 1

Not just a great Metallica tune, but explains a bunch of what's been going on in the US.
The Progressive/Leftists have been working long and hard at the change, but they played their hand too early and now it's pretty easy to see whats been happening.
Progressives from the 1800s-1940s or so were also known as communists. The term progressive went into hiding for decades, but relatively recently resurfaces. While the term still lacks the negative connotation it had earlier, it is once again becoming a bad word. Same type of person, same ideology, same ideas of a grand Utopia as long as they can rule the world, but more history to argue against them as well.
Hell, in California communists are now welcome.

--
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
Re:This is the EXACT same thing that "hacked" Pode by chihowa · 2017-05-15 09:16 · Score: 1

It looks like the laws used to prosecute phishing at the federal level are:
18 U.S.C. 1029 (access device fraud)
18 U.S.C. 1028 (fraud in connection with identification documents and authentication features)
18 U.S.C. 1028A (aggravated identity theft)
18 U.S.C. 1343 (wire fraud)
18 U.S.C. 1030(a)(4) (accessing a computer to defraud and obtain something of value)
18 U.S.C. 1001 (making false statements in any matter within the jurisdiction of the government)
There are a number of state laws that handle it, too.
Not a wise move on their part.

--
If you want a vision of the future, imagine a youtube comments section scrolling - forever.
Re:What We Believe by ohnocitizen · 2017-05-15 14:01 · Score: 1

The inane responses to this, and the downmodding of MY comment, only serve to show how far Slashdot has fallen.
Re: This is the EXACT same thing that "hacked" Pod by phayes · 2017-05-15 21:22 · Score: 1

Trump can only do so because he won the election. I voted Clinton (warts and all) but like many I liked neither candidate. Trump was elected because the high percentage of voters last year who liked neither candidate voted in their majority for Trump. They did so in part because enough people were tired enough of being put down by supercilious snots like the one I replied to that it got them over their distaste for trump.
Your partisan hate backfired and will continue to help trump oh but it's never you the problem, it's always them.

--
Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
Re: This is the EXACT same thing that "hacked" Pod by phayes · 2017-05-15 21:27 · Score: 1

So you want to override her personal choice?!? Roe/Wade is about allowing women to choose for themselves, not forcing either choice upon them!

--
Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
Re:This is the EXACT same thing that "hacked" Pode by Cederic · 2017-05-16 04:41 · Score: 1

Yeah, you're right. A fake gun is a lump of metal and mostly harmless.
A phishing attempt is an explicit attempt to access secure credentials and could potentially have succeeded.
Cynically I have to ask whether Gizmodo would have used the credentials had they succeeded, and so whether this was even a fake attack at all.
It's much more akin to telling security that you were testing them with the very real and fully loaded gun that they found.