Contractors Lose Jobs After Hacking CIA's In-House Vending Machines (techrepublic.com)
An anonymous reader quotes a report from TechRepublic: Today's vending machines are likely to be bolted to the floor or each other and are much more sophisticated -- possibly containing machine intelligence, and belonging to the Internet of Things (IoT). Hacking this kind of vending machine obviously requires a more refined approach. The type that security professionals working for the U.S. Central Intelligence Agency (CIA) might conjure up, according to journalists Jason Leopold and David Mack, who first broke the story A Bunch Of CIA Contractors Got Fired For Stealing Snacks From Vending Machines. In their BuzzFeed post, the two writers state, "Several CIA contractors were kicked out of the Agency for stealing more than $3,000 in snacks from vending machines according to official documents... ." This October 2013 declassified Office of Inspector General (OIG) report is one of the documents referred to by Leopold and Mack. The reporters write that getting the records required initiating a Freedom Of Information Act lawsuit two years ago, adding that the redacted files were only recently released. The OIG report states Agency employees use an electronic payment system, developed by FreedomPay, to purchase food, beverages, and goods from the vending machines. The payment system relies on the Agency Internet Network to communicate between vending machines and the FreedomPay controlling server. The OIG report adds that the party hacking the electronic payment system discovered that severing communications to the FreedomPay server by disconnecting the vending machine's network cable allows purchases to be made using unfunded FreedomPay cards.
If somebody is willing to steal a $1 candy bar, do you really want to trust them with information if unauthorized disclosure of that information can cause exceptionally grave damage to the nation's security?
The CIA or any organization like it wants unicorns. They want the tiny subset of the Venn diagram where people are bold thinkers AND organizationally compliant rule followers.
Like high-end spec-ops, not only do they want really tough super-athletes, they want high intelligence, independent thinkers AND chain of command rule followers.
It's a small subset of people that match all those qualities.
Contractors did not realize the "free" in FreedomPay means free speech, not free beer.
A supermarket left open but unstaffed all day with no security would suffer amazing amounts of loss. But whose fault would this be?
[emphasis mine]
The people who stole the stuff. It's ALWAYS the fault of the person who stole the stuff. 100% of the time. If I don't lock my door and people clean out my house that makes me an idiot, but the person that cleaned it out is still the guilty party. (The insurance company may exercise their "idiot clause" and not reimburse me for my stuff because of my negligence. But that's not relevant to the conversation, the thief is still a thief, and should get the appropriate punishment if caught.)
So why reward the incompetent by expecting an unrequired level of honesty from users?
I agree, this is terrible programming. There are definitely ways around spotty connectivity, and FreedomPay has most definitely let their customer down by not adequately protecting their interest. I'm sure you wouldn't have to hunt around too long for a civil lawyer that would be willing to sue FreedomPay for their negligence, but that doesn't excuse the workers who exploited that negligence.
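The defect the OIG report describes (a terminal that vends to an unfunded card as soon as its link to the server is cut) and the point above that spotty connectivity can be handled without that exposure, as an added Python sketch; this is not FreedomPay's code or anything from the story, and PaymentServer, the card balances and the 500-cent offline cap are constructed stand-ins. Beyond the plain fail-closed fix it also shows a bounded offline mode that keeps a ledger for reconciliation, which is where a detection team would look after an outage.

```python
from dataclasses import dataclass, field
class ServerUnreachable(Exception):
    """Raised when the terminal cannot reach the payment server (e.g. its network cable was pulled)."""
@dataclass
class PaymentServer:
    """Stand-in back end; balances are constructed sample data (card id -> cents)."""
    balances: dict
    online: bool = True
    def authorize(self, card: str, amount: int) -> bool:
        if not self.online:
            raise ServerUnreachable()
        ok = self.balances.get(card, 0) >= amount
        if ok:
            self.balances[card] -= amount
        return ok

def vend_fail_open(server: PaymentServer, card: str, amount: int) -> bool:
    """Flawed pattern: a connectivity error is treated as approval, so an unfunded card vends once the server is unreachable."""
    try:
        return server.authorize(card, amount)
    except ServerUnreachable:
        return True  # the defect: fail-open

def vend_fail_closed(server: PaymentServer, card: str, amount: int) -> bool:
    """Hardened pattern: no reachable server, no sale."""
    try:
        return server.authorize(card, amount)
    except ServerUnreachable:
        return False

@dataclass
class OfflineTerminal:
    """Bounded offline mode: tolerates outages but caps unsettled sales and keeps a ledger for later reconciliation."""
    server: PaymentServer
    offline_cap: int = 500                      # cents of unsettled offline sales allowed per terminal (assumed value)
    pending: list = field(default_factory=list)
    def vend(self, card: str, amount: int) -> bool:
        try:
            return self.server.authorize(card, amount)
        except ServerUnreachable:
            if sum(a for _, a in self.pending) + amount > self.offline_cap:
                return False                    # cap reached: fail closed until the server is back
            self.pending.append((card, amount)) # ledger entry: which card bought what while offline
            return True
    def reconcile(self) -> list:
        """Settle the ledger once the server is back; returns sales no card could fund (the audit list)."""
        unpaid = [(c, a) for c, a in self.pending if not self.server.authorize(c, a)]
        self.pending.clear()
        return unpaid
```

With the server unreachable, `vend_fail_open` approves an unfunded card while `vend_fail_closed` refuses it; `OfflineTerminal` bounds the worst-case loss per outage and `reconcile()` names the cards that could not pay afterwards.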
It's not about the candy bar. It's about how the willingness to steal something that cheap tells you what you need to know about the value system and ethics of the person who does it. How is this not clear to you?
Don't disappoint your bird dog. Go to the range.
"If somebody is willing to steal a $1 candy bar, do you really want to trust them with information if unauthorized disclosure of that information can cause exceptionally grave damage to the nation's security?"
Depends. If it were limited to "let's try this," and they got a $1 candy bar and it ended there, so what? At that point they should point it out to the vending company. And I wouldn't have any problem with them "stealing" that $1 candy bar.
But it didn't end there. Not only didn't they report the vulnerability, they continued to abuse it to the tune of $3000. Them, I wouldn't trust.
"National Security is the chief cause of national insecurity." - Celine's First Law