Slashdot Mirror
Any Half-Decent Hacker Could Break Into Mar-a-Lago (alternet.org)
MrCreosote writes: Properties owned and run by the Trump Organization, including places where Trump spends much of his time and has hosted foreign leaders, are a network security nightmare. From a report via ProPublica (co-published with Gizmodo): "We parked a 17-foot motor boat in a lagoon about 800 feet from the back lawn of The Mar-a-Lago Club in Palm Beach and pointed a 2-foot wireless antenna that resembled a potato gun toward the club. Within a minute, we spotted three weakly encrypted Wi-Fi networks. We could have hacked them in less than five minutes, but we refrained. A few days later, we drove through the grounds of the Trump National Golf Club in Bedminster, New Jersey, with the same antenna and aimed it at the clubhouse. We identified two open Wi-Fi networks that anyone could join without a password. We resisted the temptation. We have also visited two of President Donald Trump's other family-run retreats, the Trump International Hotel in Washington, D.C., and a golf club in Sterling, Virginia. Our inspections found weak and open Wi-Fi networks, wireless printers without passwords, servers with outdated and vulnerable software, and unencrypted login pages to back-end databases containing sensitive information. The risks posed by the lax security, experts say, go well beyond simple digital snooping. Sophisticated attackers could take advantage of vulnerabilities in the Wi-Fi networks to take over devices like computers or smart phones and use them to record conversations involving anyone on the premises."
But heaven forbid, should he be mislead into using a personal email server no one tells him isn't locked down properly.
Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
Now. Show me that you were able to do more than break into the equivalent of Starbucks public network.
If you're scared of your govt then you need to further restrict its powers
Vote 3rd Party in 2016 and beyond
In other words, you know that violating the CFAA has draconian penalties and you want some stupid script kiddie to take the risk for you....
Dumb news organization admits it broke the law!
Did they? I don't know the specifics of the law in regards to WiFi, but this seems(according to the first half of TFS) no different than someone turning on their laptop in the parking lot of a hotel and noticing that the hotel is one network that they could potentially log onto w/o encryption.
That being said, if that's all they did, then it also doesn't prove one way or the other how secure it is. Most resorts and such have public WiFi. Many don't require any log on at all. As long as all they can do is access the internet and no internal systems, it's working as intended. I've stayed in places that also have unsecured printers outside of the regular network for guests to use.
Our inspections found weak and open Wi-Fi networks, wireless printers without passwords, servers with outdated and vulnerable software, and unencrypted login pages to back-end databases containing sensitive information.
Open WiFi and printers are to be expected for guests to use, as long as they are on a separate network from anything that's not intended to be public. The rest of this statement contradicts the previous statement of:
We resisted the temptation.
Either they did log onto the network and were doing some snooping (in which case they may have broken the law), or they didn't and made this up.
Yes it is "just a country club". The real question you should be asking is should such a place be used for business that needs to remain secret? No governmental official should be conducting sensitive business in their home office or anywhere else.
We resisted the temptation.
Either they did log onto the network and were doing some snooping (in which case they may have broken the law), or they didn't and made this up.
Or, another thing they could have done, is idly listen to the network, and notice that there was printer communication on the network.
Some people encrypt by using rot-13 twice. I prefer the more secure method of using rot-1 a total of twenty six times.
They went all James Bond on folks and pointed their " hacker-antenna " at the building and found weak or unprotected access points.
And ?
Guest access is typically open access which would explain the latter pretty quickly.
Weak access could be any number of networks, but not necessarily one that would be useful to anyone.
I swear, the media is going full Autistic when it comes to trying to destroy EVERYTHING that is Donald Trump. If the information is negative, or can be spun into a negative light, they are making sure the entire world hears about it. 24/7 Regardless if there is any truth to it or not.
Lots and lots of rumors, " secret sources ", and whatnot, but not a shred of concrete evidence.
WTF has happened to journalistic integrity ?
I hope nobody here thinks that this is a Trump-exclusive. He's in really good company, the more exclusive and elitist a club or establishment, the more likely their non-physical security sucks big time. Why? Same reason as everywhere, nobody who could sensibly demand it knows jack shit about it, so why bother throwing money at it? Worse, securing something invariably cuts into its usability. I'm actually surprised those access points had any kind of security. None of the oh-so-important people complained yet that they're too stupid to configure their toy to connect? Oh, sorry, let me rephrase it: None of them complained yet that you idiots cannot configure your computer thingie right so their expensive and highly intelligent device can connect to it? Because MY thing was expensive and it's very high tech, so if it doesn't work, it OBVIOUSLY has to be that you're too stupid to configure YOUR end!
This is basically why security sucks in such places. Not the physical, mind you. But IT security usually is a mess. And as long as there are computer illiterates who dictate what has to be and what must not be, this also will not change.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Most resorts and such have public WiFi.
Most resorts are not used by the President of the United States to conduct his business.
For the same reason he has international meetings and talks about air strikes in between the main course and dessert in the completely open and unvetted surroundings of the maralago public dining room.
Because he's a venal moron who wants government money to come directly to him.
You make a pretty significant assumption that he uses the same network thats configured for use by any schmoe that is at the resort. You also assume that the whole network is not layered and secured appropriately for the level of business being conducted.
This article is itself a rather glaring misdirection, giving limited information in the context of it being all inclusive of the resort's security posture. It's like saying that because every reputable hotel in the world has freely accessible wifi that all hotel chains are easily hackable to their core. This is a hack job of a "report" done with blatantly biased slant and omission of detail.
This is the equivalent of saying that because there are 1000's of US Government websites that face the public domain on port 80 that the federal government as a whole is ripe for intrusion.
"But we have to pass the bill so that you can find out what is in it,..." - Nancy Pelosi
This whole story screams spin to me, by simple omission of critical details and wording. Humans tend to fill in the blanks with their imaginations. Note that the article states only that they "found 3 weakly encrypted WLANs". Not a word on what other WLANs they may have found (or maybe couldn't detect). So why assume the 3 that they mentioned that they found are the **only** 3 WLANs that they actually found? This article is likely a half-truth, made to create a particular impression. "Hey, we detected 5 WLANs at Mar-a-lago, but look, 3 of them are a security joke! Let's harp on that. " People are going way out of their way to bash Trump with glee, so this seems not at all improbable.
They don't say anything like, "all of the WLANs we found were insecure", or even, "all three WLANS we could detect were insecure", nor do they say, "3 out of the 4 WLANS we found were weakly encrypted" either. This is vague-speak.
Obviously, there are going to be a few normal consumer grade WLANs there, it's a freaking public resort, first and foremost. It's also possible that Trump doesn't use the wireless at all if he's conducting business there, it seems likely his WH security people would recommend using cabled LAN only. He may not be that tech saavy, but the staff should be.
Look back up at my post, now look back down, you're on the Internet. Now look back up. I'm a signature.
Why would a hacker need to break in though? All you need to do is just talk with Trump to get classified info.
You're considering the wrong issue. It's not about what visitors might transmit over those networks (which don't appear to be for visitor use in the first place), but the records stored within. There is literally no way a VPN is relevant here.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
Because information that would not be sensitive if it relates to an average person or business is sensitive when it relates to the office of the President of the United States.
Things like location and movements of regular people are merely a privacy concern, not a security concern, but movements of people who work for or are meeting with the President of the United States are important secrets. Whatever backend services are connected to the hotspots, they contain sensitive information relating to national security! That's true even if it is just for off-hours internet access. Just having people connected in some way to the office of the President walking in range of a hotspot with electronics in their pocket could be a risk, even if they aren't "connecting" intentionally to any network.