Contractors Lose Jobs After Hacking CIA's In-House Vending Machines (techrepublic.com)
An anonymous reader quotes a report from TechRepublic: Today's vending machines are likely to be bolted to the floor or to each other and are much more sophisticated -- possibly containing machine intelligence, and belonging to the Internet of Things (IoT). Hacking this kind of vending machine obviously requires a more refined approach. The type that security professionals working for the U.S. Central Intelligence Agency (CIA) might conjure up, according to journalists Jason Leopold and David Mack, who first broke the story A Bunch Of CIA Contractors Got Fired For Stealing Snacks From Vending Machines. In their BuzzFeed post, the two writers state, "Several CIA contractors were kicked out of the Agency for stealing more than $3,000 in snacks from vending machines according to official documents ...". This October 2013 declassified Office of Inspector General (OIG) report is one of the documents referred to by Leopold and Mack. The reporters write that getting the records required initiating a Freedom of Information Act lawsuit two years ago, adding that the redacted files were only recently released. The OIG report states Agency employees use an electronic payment system, developed by FreedomPay, to purchase food, beverages, and goods from the vending machines. The payment system relies on the Agency Internet Network to communicate between vending machines and the FreedomPay controlling server. The OIG report adds that the party hacking the electronic payment system discovered that severing communications to the FreedomPay server by disconnecting the vending machine's network cable allows purchases to be made using unfunded FreedomPay cards.
1. They weren't fired for hacking, they were fired for STEALING.
2. Unplugging the network cable doesn't count as hacking.
Russians hire US contractors to figure out how to hack CIA via their candy machines.
CIA: "We are keeping a close watch on our PayDay bars, Cheetos and Doritos. The President has informed the Russians that if they touch our Doritos, there will be retaliation."
Hacking = disconnecting the vending machine's network cable
2. Unplugging the network cable doesn't count as hacking.
Possibly they disconnected it with a hatchet, making it literally hacking.
How did they not get a promotion?
My God, it's Full of Source!
A few years ago a Defcon presentation was "canceled" because some guys figured out how to get unlimited rides on the Boston subway by buying 2 tickets and using the 2 in an odd way. A judge put a do-not-talk-about-it order on them; it was such a big "hack", literally buying 2 tickets at different stops is all it was.
Big hacking controversy. We got to hear how it works because their lawyer understood the hack and wasn't under the judge's silence order.
For more fun, look up the hacker Captain Crunch and let us know if using a toy whistle in a cereal box counts as hacking. I think unplugging a network cable and using an unfunded card is more technical hacking than some of the more notorious ones I've read about.
It's even more fun because of how simple it is.
It is inexcusable not to have the card broadcast its current credit to a disconnected machine. What possible circumstances would excuse this? And even if you have cards that can start a credit account, the machine would remember the card's number and transaction so the data could be updated when the machine was reconnected.
But let's say a 'new' card is used to start an account, but can obtain snacks from a disconnected machine in the first place. So the first transaction is unpaid and 'anonymous'. Well, when the machine is reconnected the card number can be 'blacklisted' by the network of machines until the account details are finalised in future. And if the vendor allows too many new cards to be used once on disconnected machines, well, that's an issue with the vendor system that needs to be fixed, and represents early warning of malfeasance anyway.
The point is the vendor has a duty to do their job correctly. A supermarket left open but unstaffed all day with no security would suffer amazing amounts of loss. But whose fault would this be?
A modern vending machine can contain vast amounts of computer power and data storage at minimum cost these days. This ain't the 20th century. This means that even when the network is down, the vending machine can make excellent choices to prevent simple-minded fraud. So why reward the incompetent by expecting an unrequired level of honesty from users? We should want positive pressure on computer systems to make them more robust.
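The fail-open behaviour the summary describes, next to a fail-closed controller with the kind of offline limits and reconnect-time blacklisting the comments above argue for, as an added Python example. This is not FreedomPay's code, not anything from the OIG report, and not the commenters' own; the card ids, prices, balances and limits are constructed, and `Backend` is a stand-in for the payment server.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Sale:
    card_id: str
    amount_cents: int
    offline: bool  # approved without hearing from the server


class Backend:
    """Stand-in for the FreedomPay-style server (constructed); reachable=False
    models the machine's network cable being pulled."""

    def __init__(self, balances: Dict[str, int]):
        self.balances = dict(balances)
        self.reachable = True

    def authorize(self, card_id: str, amount: int) -> Optional[bool]:
        if not self.reachable:
            return None  # no answer at all
        if self.balances.get(card_id, 0) >= amount:
            self.balances[card_id] -= amount
            return True
        return False


class FailOpenMachine:
    """The behaviour in the summary: no answer from the server is treated as approval."""

    def __init__(self, backend: Backend):
        self.backend = backend

    def vend(self, card_id: str, amount: int) -> bool:
        return self.backend.authorize(card_id, amount) is not False


class FailClosedMachine:
    """Hardened controller: offline sales are capped per card and per machine,
    queued for reconciliation, and cards that cannot cover them are refused
    once the link is back."""

    def __init__(self, backend: Backend, offline_card_limit: int = 300,
                 offline_machine_limit: int = 2000):
        self.backend = backend
        self.offline_card_limit = offline_card_limit
        self.offline_machine_limit = offline_machine_limit
        self.offline_spent: Dict[str, int] = {}
        self.offline_total = 0
        self.pending: List[Sale] = []
        self.blacklist: set = set()

    def vend(self, card_id: str, amount: int) -> bool:
        if card_id in self.blacklist:
            return False
        result = self.backend.authorize(card_id, amount)
        if result is not None:
            return result  # online: the server's answer is final
        # Offline: stay within the floor limits and record the sale for later posting.
        spent = self.offline_spent.get(card_id, 0)
        if spent + amount > self.offline_card_limit:
            return False
        if self.offline_total + amount > self.offline_machine_limit:
            return False
        self.offline_spent[card_id] = spent + amount
        self.offline_total += amount
        self.pending.append(Sale(card_id, amount, True))
        return True

    def reconcile(self) -> List[str]:
        """Post queued offline sales once the server answers again; return the
        ids of cards that could not cover theirs (now blacklisted)."""
        if not self.backend.reachable:
            return []
        rejected: List[str] = []
        for sale in self.pending:
            if self.backend.authorize(sale.card_id, sale.amount_cents) is not True:
                if sale.card_id not in self.blacklist:
                    rejected.append(sale.card_id)
                self.blacklist.add(sale.card_id)
        self.pending.clear()
        self.offline_spent.clear()
        self.offline_total = 0
        return rejected


def demo() -> dict:
    """Constructed scenario: an unfunded card, the cable pulled, ten 150-cent snacks."""
    open_backend = Backend({"funded": 1000, "unfunded": 0})
    closed_backend = Backend({"funded": 1000, "unfunded": 0})
    fail_open = FailOpenMachine(open_backend)
    fail_closed = FailClosedMachine(closed_backend, offline_card_limit=300)
    open_backend.reachable = closed_backend.reachable = False
    open_vends = sum(fail_open.vend("unfunded", 150) for _ in range(10))
    closed_vends = sum(fail_closed.vend("unfunded", 150) for _ in range(10))
    open_backend.reachable = closed_backend.reachable = True
    blacklisted = fail_closed.reconcile()
    return {"fail_open_vends": open_vends, "fail_closed_vends": closed_vends,
            "blacklisted": blacklisted,
            "vends_after_reconcile": fail_closed.vend("unfunded", 150)}


if __name__ == "__main__":
    print(demo())
```

The fail-open machine sells all ten snacks to an empty card; the fail-closed one sells two (the 300-cent per-card floor limit), posts them when the link returns, and refuses the card from then on. The per-machine cap bounds what one unplugged machine can lose in total, which is the "early warning" signal the comment above describes: a reconciliation run that rejects many cards at once is itself the alarm.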
I am against Sharia law in general, however in this case, I think a hand removal would be appropriate. It would also discourage recidivism. Look into these a-holes for connection to the Wanna-Cry leaks as well.
Disconnecting the network cable. Really?
Should have seen this coming
In the early 2000s, some cable TV providers offered pay-per-view that you could order through your cable box. In order to process the order, the cable box had to be hooked up to a phone (land line) via a phone cable (these were the days before Wi-Fi was common). If you simply disconnected the phone cable, the cable box had no way to tell the cable company that you ordered pay-per-view. So you could order movies to your heart's content... for free.
Apparently the CIA is not as good at gathering intelligence as they claim to be...
If these were federal employees they wouldn't have been fired. They would have been reassigned. Or asked to take early retirement. Of course this would have happened after being suspended with pay.
"A plan fiendishly clever in its intricacies"- Homer Simpson
...it's easier to eat the evidence?
Against stupidity the gods themselves struggle in vain.
Your tax dollars, hardly at work.
Cuz the people gotta know, information like this has to be free!
A hacker, on the other hand, uses skill and knowledge, usually in creative and unusual ways, to achieve his goal.
Contractors did not realize the "free" in FreedomPay means free speech not free beer.
Throughout my working life I have been amazed that people with good jobs would be willing to jeopardize them for nickels and dimes -- stealing stationery, fudging expense vouchers, and now, apparently, cheating a company vending machine. Don't these people realize that they are putting their livelihoods at risk by stealing from their employer?
Not trying to take any blame away from those that abused it, but the fact that these machines allowed for purchases without checking funds first is pretty dumb on the part of the manufacturer. When the network is down you should not allow any purchases other than cash. Are they really surprised that people would abuse this?
Of course, "hacking" doesn't mean anything any longer so anything at all will count as "hacking". Including pulling a network plug. YOU'RE A HACKER NOW, BABY! Welp, better go report to jail. You've just branded yourself a criminal forevermore.
And I'd read about this days ago, without the "hacking" bullshit. Slashdot is losing its touch.
I've got to say this: Leave him alone idiot - what's your problem? He got the better of you & you can't handle it?? You fools do it to me too, so I am sure I am speaking for both of us - FUCK OFF & grow up!
* I SEE YOU DO THIS TO HIM ALL THE TIME LATELY via UNIDENTIFIABLE weasel troll posts & I AM SURE I AM NOT ALONE IN SEEING IT (& I'd bet I am correct on WHY you do above... get over it, butthurt weasel!).
APK
P.S.=> See, I've even "had it out" w/ him but he (afaik under his registered lusername @ least) doesn't constantly do it (though creimer says he likes trolling + does me - which I have bookmarked as a record, showing I don't start the crap, I just end it on valid technical grounds & facts - I do this w/ ALL of "your kind" (unidentifiable lowest of the low ac trolls & yes, registered "lusers" too)) - grow up, get over yourself & your DEFLATED EGO (which I have no doubt he's burnt you before & why you do it), ok?? apk
Dr. Strangelove is supposed to be satire not reality
Submitter managed to get the words "Hacking" and "CIA" in the title, while what really happened has very little to do with hacking or even the CIA.
CIA hires break laws, then the CIA covers it up.
Think about it. Intelligence agencies routinely do things which violate norms of civilized behavior. Suborning treason (in other countries' nationals) and invading privacy are standard operating procedure. Yet you depend on your employees to scrupulously follow the rules and norms when it comes to your own agency.
So you give people symbols, rituals and training which ground them in the traditions and identity of your service. I expect this works pretty well, because pride and belonging are powerful motivators. You can count on people to obey the meta-rules; like fouling in basketball. It's technically against the rules, but it's also part of the game, something you do to advance the interests of your team. Nobody intentionally fouls their own team.
Except contractors aren't really part of the team, are they? The agency is just a cash cow for them. This leaves the agency vulnerable to honorable people who feel a higher loyalty that lies elsewhere, like Snowden, as well as borderline anti-social people whose not-quite-sociopathic tendencies fly under the radar because they're mainly directed at outsiders.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
They were just "borrowing" from the rich so that they could feed the poor.
CIA contractors get paid on average $14k a year, and it is CRIMINAL.
If you oppose wealth redistribution, you probably voted for Trump, and you might be a capitalist. I hope an antifa protester breaks into your house, rapes your children, burns all of your books, and then kills you while being forced to look into the crying eyes of your kids.
It was Hillary's turn!!!
We found that just kicking our machines in the right place worked perfectly well; the service door would fly open and you just helped yourself.
I even got ordered by the boss to go do it because the fool who was meant to be in charge of restocking etc. the machines was on holiday, with the keys in their pocket!!
When other directors found that out, we had to learn how to first pick the cheap padlocks they had fitted, then kick 'em!!
Why in the HELL are there IoT vending machines in the CIA? Even I know IoT devices are not secure especially if they are coming from a vendor. If anything, the vending machine company should be held responsible for not providing enough security on their device that could have allowed rogue elements to access it and use it for breaking into internal network resources based on it being on-site. WTF!?
Sure they were fired for hacking/stealing.
That's the CIA's story and they're sticking with it. And the fired contractors are going to go along with it because they don't want to get busted for a kiddie p0rn ring instead.
Here I expected the story to detail how they analyzed the network traffic and devised a MitM attack to trick the machine into thinking it was getting paid, or discovering an administrative backdoor they managed to crack the root password for, or 3:00am hacking into the firmware through a JTAG connection, decompilation of the firmware, then substituting doctored firmware to enable a secret button-press sequence to enable all selections to be $0.00.. but no! They disconnected a network cable! BORING! I don't think they got fired for stealing from vending machines. I think they got fired for lack of creativity!
They were fired for Theft. Stealing is such a low level sleazy crime
they need to go work in a fast food joint to work off the debt!
"Hacking" is HARDLY what they did - it's just theft
I know folks in the defense industry who constantly complain about talent, go on and on about their $100k salaries and ignore Wall Street's paying 3-5 times that for these same guys to make high-frequency trading work.
Most Vending machine companies are owned by big corps now.
A supermarket left open but unstaffed all day with no security would suffer amazing amounts of loss. But whose fault would this be?
[emphasis mine]
The people who stole the stuff. It's ALWAYS the fault of the person who stole the stuff. 100% of the time. If I don't lock my door and people clean out my house that makes me an idiot, but the person that cleaned it out is still the guilty party. (The insurance company may exercise their "idiot clause" and not reimburse me for my stuff because of my negligence. But that's not relevant to the conversation, the thief is still a thief, and should get the appropriate punishment if caught.)
It's very common for more than one person to be at fault in a situation. The person who stole the stuff is criminally liable, but the person who left the door unlocked is still negligent. Both are at fault.
Satellite systems let you buy a bit of PPV before shutting it down if it could not make a call, maybe at most $10-$20.
If someone is willing to download content without payment, "do you really want to trust them with information if unauthorized disclosure of that information can cause exceptionally grave damage to the nation's security?" ;-)
None of the systems that I have worked with. They all allow for zero purchases without authentication.
The CIA should be providing these snacks and beverages for free; no wonder they have talent leaks. Every company I've worked for since 2011 has provided free drinks, snacks and catered meals. Before anybody asks, I'm not working in the valley or anywhere near it.
In the past, after at least making a few calls, you could unhook the phone line / pick up the phone and order some PPV, and it would not dial out or say you need a phone to buy this PPV movie. Now a $29.99-or-more event may need to call in right away. Also, back then they had the hacked cards.
> Severing communications to the FreedomPay server by disconnecting the vending machine's network cable allows purchases to be made using unfunded FreedomPay cards.
Is this really what passes for "hacking" these days?
I'm assuming they were hired specifically for this sort of out-of-the-box workaround. You cannot turn someone into something they are not, and telling them to be anything other than what they are impedes them from performing at their best when you need them to. If I was the supervisor that had been made aware of this, I would have found a way to expense payments to the vendor without letting the employees know. 1) it keeps skills from workers you may need solidly in the 'asset' category, 2) it keeps their focus broader than the specifics of day-to-day work, allowing for versatility when the time comes, and 3) this information could even be used later as leverage and blackmail... this IS the CIA, people.... lying, stealing, cheating, backstabbing is par for the course.
Wait. The CIA still uses network cables??
Back in the '80s or so I tried to pay for a car repair with a perfectly valid credit card and had it declined. A call to the credit card company disclosed the reason:
When the database was offline the authorization servers would approve charges up to $300 (1980ish dollars) and refuse those above that. This kept them from making all their cards stop working, on one hand, limited the losses to savvy crooks, and only inconvenienced those making the relatively rare high-sticker purchases. (Like me, trying to get my car back from the mechanic. He was willing to accept $300 on the card and other payment for the balance, so it worked out.)
Similarly, the bank machines trusted balance on the mag-stripe card if the server was offline. In the Detroit area this was for a couple of shifts over the weekend. This meant that if you re-wrote the card you could pull out more money, or money from a closed account. I heard that when losses were around $10,000 per weekend they just absorbed it as a cost of business. But when the crooks got organized and losses climbed to $100,000 per weekend they added a shift and kept the servers up 24/7.
Nowadays the cards have a secure chip with rewritable memory, so it's possible for the programmers of the machines to put some trust in the card. But it looks like FreedomPay's system was using the older approach - in an environment where its vulnerability was an issue.
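The distinction the comment above draws between a rewritable balance the offline machine simply trusts and a card record the machine can verify for itself, as an added Python example. It is not FreedomPay's scheme, not any bank's, and not the commenter's own; the shared issuer key, the record layout (id, balance, monotonic counter, truncated HMAC) and the card ids are assumptions made for illustration. Real chip cards keep the key on the card and authenticate with a challenge/response rather than handing the machine a shared secret.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple

# Constructed demo key shared by the issuer and the machines; in a real
# deployment it would live in a secure element, not in a Python constant.
ISSUER_KEY = b"constructed-demo-key-not-a-real-secret"
RECORD_FMT = ">16sIQ"  # card id (16 bytes), balance in cents, monotonic counter
BODY_LEN = struct.calcsize(RECORD_FMT)  # 28 bytes
TAG_LEN = 16


def encode_record(card_id: str, balance_cents: int, counter: int) -> bytes:
    """Issuer/machine side: write balance + counter and MAC them with the key."""
    body = struct.pack(RECORD_FMT, card_id.encode().ljust(16, b"\0"),
                       balance_cents, counter)
    tag = hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def decode_record(blob: bytes) -> Optional[Tuple[str, int, int]]:
    """Return (card_id, balance, counter) only if the MAC verifies."""
    if len(blob) != BODY_LEN + TAG_LEN:
        return None
    body, tag = blob[:BODY_LEN], blob[BODY_LEN:]
    expected = hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    cid, balance, counter = struct.unpack(RECORD_FMT, body)
    return cid.rstrip(b"\0").decode(), balance, counter


class MagStripeMachine:
    """The older approach from the comment: the stripe says 'id|balance' and
    the offline machine believes it."""

    def vend(self, stripe: bytes, price_cents: int) -> bool:
        _, _, balance = stripe.partition(b"|")
        return int(balance) >= price_cents


class OfflineChipMachine:
    """Offline machine that only honours an authenticated record and rejects
    a record whose counter is lower than the last one seen for that card."""

    def __init__(self) -> None:
        # Highest counter seen per card. A fleet has to sync this when online,
        # otherwise the same stale record can be replayed at a different machine.
        self.last_counter: Dict[str, int] = {}

    def vend(self, blob: bytes, price_cents: int) -> Tuple[bool, bytes]:
        rec = decode_record(blob)
        if rec is None:
            return False, blob  # forged or corrupted record
        cid, balance, counter = rec
        if counter < self.last_counter.get(cid, 0):
            return False, blob  # rolled back to an older, richer record
        if balance < price_cents:
            return False, blob
        new_blob = encode_record(cid, balance - price_cents, counter + 1)
        self.last_counter[cid] = counter + 1
        return True, new_blob


def demo() -> Tuple[bool, bool, bool, bool, bool]:
    """Constructed scenario: a 200-cent card, 150-cent snacks, three attacks."""
    price = 150
    chip = OfflineChipMachine()
    card = encode_record("card-0001", 200, 0)
    ok_first, card = chip.vend(card, price)   # genuine purchase, 50 cents left
    ok_second, _ = chip.vend(card, price)     # insufficient balance
    # Attack 1: overwrite the balance field with 100000 cents without the key.
    forged = card[:16] + struct.pack(">I", 100000) + card[20:]
    ok_forged, _ = chip.vend(forged, price)
    # Attack 2: replay the record as it was before the first purchase.
    stale = encode_record("card-0001", 200, 0)
    ok_stale, _ = chip.vend(stale, price)
    # The mag-stripe machine, by contrast, takes a rewritten balance at face value.
    ok_stripe = MagStripeMachine().vend(b"card-0001|100000", price)
    return ok_first, ok_second, ok_forged, ok_stale, ok_stripe


if __name__ == "__main__":
    print(demo())
```

The forged record fails the MAC check and the replayed one fails the counter check, while the stripe machine happily sells against a balance the cardholder typed in. The counter is what makes the per-machine memory matter: without fleet-wide synchronisation of `last_counter`, rollback is only detected at the machine that saw the later record, which is exactly the weekend-offline window the comment describes.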
Hacked cards definitely did exist.
But the ability to purchase ANYTHING without connecting to the phone network most certainly did not.
Sure you can unhook the phone cord, and watch normal television, but the only way you'd watch PPV is either with the hacked card, or by calling in and having them set it up remotely.
Is this article suggesting the US has any kind of advanced vending machine? Because we're 30 years behind Japan in that regard.
Don't forget MITMing the cards with old PCs, 'dead' cards, unloopers, soldering serial cables to the receiver's card connectors etc. Good times.
The CIA probably asked for the option that these vending machines still work if there are network outages, on the basis that its employees and contractors should be trusted enough not to steal shit and they're the only ones with physical access to the machines.
The other options are: No network, no food. Pay with cash.
The last thing you want is a hungry IT department trying to fix your broken network.
I just read this entire article and nobody is curious as to how... er, why they stole $3k in snacks?!?! That is enough snacks to last me like 10 years at work...
This story ran weeks ago and was already on /. once before. STALE!