Gizmodo Went Phishing With the Trump Team -- Will They Catch a Charge? (arstechnica.com)
Earlier this month, technology publication Gizmodo published a report on how it "phished" members of the administration and campaign teams of President Donald Trump. The blog said it identified 15 prominent figures on Trump's team and sent e-mails to each posing as friends, family members, or associates containing a faked Google Docs link. But did the publication inadvertently break the law? ArsTechnica reports: "This was a test of how public officials in an administration whose president has been highly critical of the security failures of the DNC stand up to the sort of techniques that hackers use to penetrate networks," said John Cook, executive editor of Gizmodo's Special Projects Desk, in an e-mail conversation with Ars. Gizmodo targeted some marquee names connected to the Trump administration, including Newt Gingrich, Peter Thiel, (now-ex) FBI director James Comey, FCC chairman Ajit Pai, White House press secretary Sean Spicer, presidential advisor Sebastian Gorka, and the administration's chief policymakers for cybersecurity. The test didn't appear to prove much. Gingrich and Comey responded to the e-mail questioning its provenance. And while about half of the targeted officials may have clicked the link -- eight devices' IP addresses were recorded accessing the linked test page -- none entered their login credentials. The test could not determine whose devices clicked on the link. What the test did manage to do is raise the eyebrows of security experts and some legal experts. That's because despite their efforts to make it "reasonably" apparent that this was a test, Gizmodo's phishing campaign may have violated several laws, ignoring many of the restrictions usually placed on similar tests by penetration-testing and security firms. At a minimum, Gizmodo danced along the edges of the Computer Fraud and Abuse Act (CFAA).
So I'm guessing that Gizmodo is now Russian.
I hope the Secret Service finds some law with which to hang these fuckers.
How is this not different than putting a fake gun in your carry on to "test" security?
When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
But did the publication inadvertently break the law?
Maybe they didn't think the consequences through, but I find it hard to believe that nobody involved realized that this sort of thing is illegal.
How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
A story on how Gizmodo failed to phish the current administration with legally questionable methods == anti-Trump post???
If anything, this story highlighted the fact that nobody in the Trump administration fully fell for the phishing and that they really may have learned from the failures of the Clinton campaign debacle. Methinks the bias may be yours...
As opposed to the candidate whose official site allowed people to phish their friends?
http://cybertical.com/clinton-phishing.html
First they go after Hulk Hogan's genitals, now they're phishing Trump? Do they realize how stupid and illegal that is? The entire Gizmag/Gizmodo/Jezebel syndicate is a load of politically sponsored crap.
They didn't dance along the edge of legality. They danced over and never looked back. Legitimate pen test services are painfully aware of this and have the paperwork to prove it.
Ars should have enough sense to check things out for the sake of their own credibility. If Ars Technica bothered to ask anybody who's ever worked in the security industry they would have quickly learned the indemnification is taken very seriously.
http://www.isaca.org/chapters3...
https://pen-testing.sans.org/b...
Hell, even Metasploit has been talking about this for years!
https://dev.metasploit.com/pip...
The only people fooled by Gizmodo's phishing logic were the editors who signed off on this to begin with. Next time ask a pro before you publish, it will help you avoid looking the fool.
Makes it sound "inconclusive"--that's not a great way of putting it. The test was a success from the perspective of the administration and a failure on the part of Gizmodo. Gizmodo surely wanted to prove that Trump's administration is as inept as the DNC, and it's clear that nobody fell for it.
I don't really care that Gizmodo did the test, though it seems like they were pretty dumb to go for it without checking on the legality first, but they should be punished in the court of public opinion for failing at a blatantly partisan attack.
Sure... call them names... pretend you are smarter than your opponents...
Strong argument.
5 out of 6 people enjoy Russian Roulette & 6 out of 7 Dwarfs are not Happy
What's mildly surprising is that after everyone knew the DNC was hacked and that it was by way of phishing, a lot of these key players still clicked on the links. Some of the potential targets have not only partisan information but probably have access to national security information. If they don't, then by compromising them it would be possible to further spread malware to those who do.
Gizmodo may have run afoul of a law designed to prevent thieves from knowing just how vulnerable some targets actually are. But it's also true that, along with thieves learning, the general public should learn to be more wary of clicking on links.
First of all, post with your real name to undo the downmod you've just done to my post. You can either participate in a discussion or moderate it — doing both is dishonest.
Following the same logic, NSA should be left alone until much larger offenders — like city and state governments — are prosecuted for violating the Second Amendment and the damage done by the violations is undone. Forget "assault rifles" — one can't carry a freaking knife or a slingshot in some locales.
Also, NSA has not obviously violated the Constitution — only someone's understanding of it. For example, there is a seriously put forth line of reasoning, that the above-mentioned Second Amendment only covers arms contemporary to its approval: muskets, single-shot pistols, swords (never mind that many places ban even those). Under that logic, electronic communications are not protected by the Fourth Amendment at all. Perhaps even more importantly, even if we stipulate NSA is breaking it, the Constitution prescribes no punishment for violations. There is no law, under which a "reasonable prosecutor" (wink-wink) can prosecute them.
For all intents and purposes, NSA are allowed to do, what they are doing. It may have been Reagan's executive order, that started it, but neither Carter nor Obama (much less Clinton) has repealed it since.
USMC and other military branches are similarly allowed to kill people — no judge, no jury. Hence my analogy...
In Soviet Washington the swamp drains you.
It was also pretty juvenile and myopic if they think that Comey and Gingrich are part of 'Trump's team'. Comey was investigating his Russian ties and Gingrich is calling for Comey to testify publicly about his firing. I think this is another example of people conflating everyone they don't like as being somehow magically the same person.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Just because the email was opened, doesn't mean it was done intentionally by an actual human being.
It can be difficult to distinguish between a human being opening an email and a malware scanning engine opening an email. Modern systems will actually follow links and run executables in sandboxes before releasing the actual email to the end user. What looks like someone opening the email, usually a callback via a pixel image or JS include, doesn't involve a human actually opening the email. In fact, just using a preview pane can make it seem like the email has been opened.
Sorry to be a killjoy, but this phishing test proved absolutely nothing.
Average Intelligence is a Scary Thing
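An added example, not part of the comment above or of any tool named on this page: one way to triage the hits an authorized phishing test records, so that gateway scans and image loads are not counted as human clicks. The 60-second window, the shared-source rule, the labels and all sample data are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed threshold: a request this soon after delivery is more likely a
# mail-gateway scanner than a person reading the message.
SCAN_WINDOW = timedelta(seconds=60)

def classify_hits(deliveries, hits):
    """Label each recorded hit from an authorized phishing test.

    deliveries: {recipient_token: datetime the message was accepted}
    hits: list of (recipient_token, datetime, source_ip, kind), where
          kind is "pixel" (tracking image) or "link" (landing page).
    Returns one label per hit, in input order.
    """
    # A source IP that requests resources for several recipients is shared
    # infrastructure (gateway, image proxy), not one person's device.
    tokens_per_ip = defaultdict(set)
    for token, _, ip, _ in hits:
        tokens_per_ip[ip].add(token)

    labels = []
    for token, when, ip, kind in hits:
        if len(tokens_per_ip[ip]) > 1:
            labels.append("automated: shared source")
        elif when - deliveries[token] <= SCAN_WINDOW:
            labels.append("automated: pre-delivery scan timing")
        elif kind == "pixel":
            labels.append("ambiguous: image load only")
        else:
            labels.append("possible human click")
    return labels

def sample_run():
    # Constructed sample data; addresses are from documentation ranges.
    t0 = datetime(2017, 5, 1, 9, 0, 0)
    deliveries = {"a": t0, "b": t0, "c": t0}
    hits = [
        ("a", t0 + timedelta(seconds=4), "192.0.2.10", "link"),
        ("b", t0 + timedelta(seconds=5), "192.0.2.10", "link"),
        ("c", t0 + timedelta(seconds=20), "198.51.100.7", "link"),
        ("c", t0 + timedelta(minutes=42), "203.0.113.5", "pixel"),
        ("a", t0 + timedelta(hours=3), "203.0.113.9", "link"),
    ]
    return classify_hits(deliveries, hits)

if __name__ == "__main__":
    for label in sample_run():
        print(label)
```

Even the last label only says the request fits a human pattern; as the story notes, an IP address alone cannot say whose device made it.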
Gizmag is a respectable tech blog, it wasn't owned by Gawker.