Contractors Lose Jobs After Hacking CIA's In-House Vending Machines (techrepublic.com)
An anonymous reader quotes a report from TechRepublic: Today's vending machines are likely to be bolted to the floor or each other and are much more sophisticated -- possibly containing machine intelligence, and belonging to the Internet of Things (IoT). Hacking this kind of vending machine obviously requires a more refined approach. The type security professionals working for the U.S. Central Intelligence Agency (CIA) might conjure up, according to journalists Jason Leopold and David Mack, who first broke the story A Bunch Of CIA Contractors Got Fired For Stealing Snacks From Vending Machines. In their BuzzFeed post, the two writers state, "Several CIA contractors were kicked out of the Agency for stealing more than $3,000 in snacks from vending machines according to official documents... ." This October 2013 declassified Office of Inspector General (OIG) report is one of the documents referred to by Leopold and Mack. The reporters write that getting the records required initiating a Freedom Of Information Act lawsuit two years ago, adding that the redacted files were only recently released. The OIG report states Agency employees use an electronic payment system, developed by FreedomPay, to purchase food, beverages, and goods from the vending machines. The payment system relies on the Agency Internet Network to communicate between vending machines and the FreedomPay controlling server. The OIG report adds the party hacking the electronic payment system discovered that severing communications to the FreedomPay server by disconnecting the vending machine's network cable allows purchases to be made using unfunded FreedomPay cards.
1. They weren't fired for hacking, they were fired for STEALING.
2. Unplugging the network cable doesn't count as hacking.
Possibly they disconnected it with a hatchet, making it literally hacking.
How did they not get a promotion?
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Disconnecting the network cable. Really?
And, you know from previous reports, that the real reason gag orders and such are necessary is because the hacked (MTA in this case) are UNABLE to fix the problem in a timely manner.
Sad, but too many organizations employ technology solutions they are unable to maintain.
deleting the extra space after periods so i can stay relevant, yeah.
Amputation for stealing food.
That's moral. Compassionate. A measured response.
If these were federal employees they wouldn't have been fired. They would have been reassigned. Or asked to take early retirement. Of course this would have happened after being suspended with pay.
"A plan fiendishly clever in its intricacies"- Homer Simpson
...it's easier to eat the evidence?
Against stupidity the gods themselves contend in vain
A hacker, on the other hand, uses skill and knowledge, usually in creative and unusual ways, to achieve his goal.
Contractors did not realize the "free" in FreedomPay means free speech not free beer.
Throughout my working life I have been amazed that people with good jobs would be willing to jeopardize them for nickels and dimes -- stealing stationery, fudging expense vouchers, and now, apparently, cheating a company vending machine. Don't these people realize that they are putting their livelihoods at risk by stealing from their employer?
> A supermarket left open but unstaffed all day with no security would suffer amazing amounts of loss. But whose fault would this be?
[emphasis mine]
The people who stole the stuff. It's ALWAYS the fault of the person who stole the stuff. 100% of the time. If I don't lock my door and people clean out my house that makes me an idiot, but the person that cleaned it out is still the guilty party. (The insurance company may exercise their "idiot clause" and not reimburse me for my stuff because of my negligence. But that's not relevant to the conversation, the thief is still a thief, and should get the appropriate punishment if caught.)
So why reward the incompetent by expecting an unrequired level of honesty from users?
I agree, this is terrible programming. There are definitely ways around spotty connectivity, and FreedomPay has most definitely let their customer down by not adequately protecting their interest. I'm sure you wouldn't have to hunt around too long for a civil lawyer that would be willing to sue FreedomPay for their negligence, but that doesn't excuse the workers who exploited that negligence.
Agreed. Eye for an Eye may be appropriate in some cases, but this certainly isn't it. I think losing a cushy Government job, with a "got caught stealing" on their permanent record is probably punishment enough. With theft on their record they likely couldn't get a cashier job at WalMart, much less any high security job, for a long time.
It is inexcusable not to have the card broadcast its current credit to a disconnected machine. What possible circumstances would excuse this? And even if you have cards that can start a credit account, the machine would remember the card's number and transaction so the data could be updated when the machine was reconnected.
Regardless of how bad the system was designed, the truly inexcusable activity here was not reporting it.
The end result was abusing the shit out of the vulnerability to the tune of $3000+ worth of stolen goods.
The line between a consultant and a criminal is often defined by ethics.
CIA hires break laws then the CIA covers it up.
Really? Except for stealing and getting caught, this activity actually was quite clever, even if it was a crime.
I think I'd be smiling at their cleverness while I was yanking their clearances, badges and escorting them out of the building....
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Think about it. Intelligence agencies routinely do things which violate norms of civilized behavior. Suborning treason (in other countries' nationals) and invading privacy are standard operating procedure. Yet you depend on your employees to scrupulously follow the rules and norms when it comes to your own agency.
So you give people symbols, rituals and training which ground them in the traditions and identity of your service. I expect this works pretty well, because pride and belonging are powerful motivators. You can count on people to obey the meta-rules; like fouling in basketball. It's technically against the rules, but it's also part of the game, something you do to advance the interests of your team. Nobody intentionally fouls their own team.
Except contractors aren't really part of the team, are they? The agency is just a cash cow for them. This leaves the agency vulnerable to honorable people who feel a higher loyalty that lies elsewhere, like Snowden, as well as borderline anti-social people whose not-quite-sociopathic tendencies fly under the radar because they're mainly directed at outsiders.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
That's not how most of them worked. Maybe you found a particularly poorly designed one, but the vast majority wouldn't allow you to watch PPV at all if it couldn't make the phone call to confirm.
The only way to watch PPV without the phone line connected to the box was to phone in to the customer service people and get a code and punch it in on the remote.
Of course the fact that Hollywood's garbage is locked down harder than other items is no surprise.
Why in the HELL are there IoT vending machines in the CIA? Even I know IoT devices are not secure especially if they are coming from a vendor. If anything, the vending machine company should be held responsible for not providing enough security on their device that could have allowed rogue elements to access it and use it for breaking into internal network resources based on it being on-site. WTF!?
> A supermarket left open but unstaffed all day with no security would suffer amazing amounts of loss.
Sure, if you live in a shitty country. Here in Switzerland there are vegetable stands on the roadside by farms where you take your groceries and drop your money into a box, often just a wooden box.
Have gnu, will travel.
Here I expected the story to detail how they analyzed the network traffic and devised a MitM attack to trick the machine into thinking it was getting paid, or discovering an administrative backdoor they managed to crack the root password for, or 3:00am hacking into the firmware through a JTAG connection, decompilation of the firmware, then substituting doctored firmware to enable a secret button-press sequence to enable all selections to be $0.00.. but no! They disconnected a network cable! BORING! I don't think they got fired for stealing from vending machines. I think they got fired for lack of creativity!
They were fired for theft. Stealing is such a low-level, sleazy crime.
they need to go work in a fast food joint to work off the debt!
"Hacking" is HARDLY what they did - it's just theft.
I know folks in the defense industry who constantly complain about talent, go on and on about their $100k salaries and ignore Wall Street's paying 3-5 times that for these same guys to make High Freq Trading work.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Most Vending machine companies are owned by big corps now.
It's very common for more than one person to be at fault in a situation. The person who stole the stuff is criminally liable, but the person who left the door unlocked is still negligent. Both are at fault.
Real lawyers write in C++
That's true in many parts of the USA too - just not the eastern and western coasts.
Satellite systems let you buy a bit before shutting down PPV if it could not make a call, maybe at most $10-$20.
None of the systems that I have worked with. They all allow for zero purchases without authentication.
The CIA should be providing these snacks and beverages for free, no wonder they have talent leaks. Every company I've worked for since 2011 has provided free drinks, snacks and catered meals. Before anybody asks, I'm not working in the valley or anywhere near it.
In the past, after at least making a few calls, you could unhook the phone line / pick up the phone and order some PPV and it would not dial out or say you need a phone to buy this PPV movie. Now a $29.99 or more event may need to call in right away. Also back then they had the hacked cards.
> Severing communications to the FreedomPay server by disconnecting the vending machine's network cable allows purchases to be made using unfunded FreedomPay cards.
Is this really what passes for "hacking" these days?
I'm assuming they were hired specifically for this sort of out-of-the-box workarounds. You cannot turn someone into something they are not, and telling them to be anything other than what they are impedes them from performing at their best when you need them to. If I was the supervisor that had been made aware of this, I would have found a way to expense payments to the vendor without letting the employees know. 1) it keeps skills from workers you may need solidly in the 'asset' category, 2) it keeps their focus broader than the specifics of day-to-day work, allowing for versatility when the time comes, and 3) this information could even be used later as leverage and blackmail.. this IS the CIA people.... lying, stealing, cheating, backstabbing is par for the course.
Back in the '80s or so I tried to pay for a car repair with a perfectly valid credit card and had it declined. A call to the credit card company disclosed the reason:
When the database was offline the authorization servers would approve charges up to $300 (1980ish dollars) and refuse those above that. This kept them from making all their cards stop working, on one hand, limited the losses to savvy crooks, and only inconvenienced those making the relatively rare high-sticker purchases. (Like me, trying to get my car back from the mechanic. He was willing to accept $300 on the card and other payment for the balance, so it worked out.)
Similarly, the bank machines trusted balance on the mag-stripe card if the server was offline. In the Detroit area this was for a couple of shifts over the weekend. This meant that if you re-wrote the card you could pull out more money, or money from a closed account. I heard that when losses were around $10,000 per weekend they just absorbed it as a cost of business. But when the crooks got organized and losses climbed to $100,000 per weekend they added a shift and kept the servers up 24/7.
Nowadays the cards have a secure chip with rewritable memory, so it's possible for the programmers of the machines to put some trust in the card. But it looks like FreedomPay's system was using the older approach - in an environment where its vulnerability was an issue.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
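The three offline-authorization policies this post contrasts (approve everything, approve nothing, or approve up to a bounded floor limit and settle later), as an added simulation that is not part of the original thread and is not FreedomPay's code; the `PaymentServer`, the card balances and the purchase sequence are constructed for illustration.

```python
from collections import defaultdict

class PaymentServer:
    """Stand-in for the back-end that holds card balances in cents (constructed)."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def debit(self, card_id, cents):
        if self.balances.get(card_id, 0) >= cents:
            self.balances[card_id] -= cents
            return True
        return False

class Terminal:
    """mode: 'fail_open' approves anything while offline (the behaviour the OIG report
    describes), 'fail_closed' approves nothing, 'floor_limit' approves up to a per-card
    cap per outage and queues the purchases for settlement on reconnect."""
    def __init__(self, server, mode, floor_cents=0):
        self.server, self.mode, self.floor_cents = server, mode, floor_cents
        self.online = True
        self.queue = []                      # (card_id, cents) awaiting settlement
        self.offline_spent = defaultdict(int)

    def purchase(self, card_id, cents):
        if self.online:
            return self.server.debit(card_id, cents)
        if self.mode == "fail_open":
            return True                      # nothing is recorded, so the loss is invisible
        if self.mode == "fail_closed":
            return False
        if self.offline_spent[card_id] + cents > self.floor_cents:
            return False                     # exposure per card is bounded
        self.offline_spent[card_id] += cents
        self.queue.append((card_id, cents))
        return True

    def reconnect(self):
        """Settle queued purchases; return the card ids that could not cover them,
        which is the signal an operator would alert on."""
        self.online = True
        shortfalls = [c for c, cents in self.queue if not self.server.debit(c, cents)]
        self.queue.clear()
        self.offline_spent.clear()
        return shortfalls

def simulate(mode, floor_cents=300):
    """Run one offline shopping sequence under a policy and return
    (number of approved purchases, unfunded cards flagged at settlement)."""
    t = Terminal(PaymentServer({"funded": 500, "unfunded": 0}), mode, floor_cents)
    t.online = False                         # network cable pulled
    approved = sum(t.purchase(c, 150) for c in ["funded", "funded", "funded", "unfunded"])
    return approved, t.reconnect()
```

Under `fail_open` every purchase goes through and nothing is left to reconcile, whereas `floor_limit` caps what any one card can take during an outage and surfaces the unfunded card when the machine comes back online.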
Hacked cards definitely did exist.
But the ability to purchase ANYTHING without connecting to the phone network most certainly did not.
Sure you can unhook the phone cord, and watch normal television, but the only way you'd watch PPV is either with the hacked card, or by calling in and having them set it up remotely.
> It's ALWAYS the fault of the person who stole the stuff. 100% of the time.
But maybe not 100% of the fault. More than one person can be at fault.
In college I took an accounting class, and the teacher's favorite subject was "Internal Controls", systems and rules set up to make sure that people can't just steal money. He gave an example:
Suppose a small company has an accounting department with poor internal controls, and the head accountant knows that if he/she just edited one spreadsheet, he could steal a whole bunch of money and the company wouldn't realize. This person shows up for work every day for 20 years and never steals anything, and then one day suddenly snaps and steals the money. Who's to blame?
Clearly the person who stole the money is to blame for stealing the money, but my accounting teacher maintained that the company is also partially to blame for putting him in that position. It's a kind of stress, to have to resist temptation all the time, and it's unfair to put people in the position of resisting it.
Similarly, I put the blame in this case on the guys who stole the vending machine food, but the vending machine should not have been so easy to cheat.
P.S. Presumably they were paid well enough that they could afford to pay for vending machine food, so I'm not very sympathetic. And people who could entrap themselves by serially stealing petty things from a vending machine would seem to be high risks for being suborned by outside parties, so it's probably for the best if they aren't working in the CIA anymore.
lf(1): it's like ls(1) but sorts filenames by extension, tersely
Don't forget MITMing the cards with old PCs, 'dead' cards, unloopers, soldering serial cables to the receiver's card connectors etc. Good times.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
The CIA probably asked for the option that these vending machines still work if there are network outages, on the basis that its employees and contractors should be trusted enough not to steal shit and they're the only ones with physical access to the machines.
The other options are: No network, no food. Pay with cash.
The last thing you want is a hungry IT department trying to fix your broken network.
When I was about 10, my dad caught me emptying two rows of candy out of vending machines; my arm was just skinny enough and long enough. I was up in that candy hole like a vet fertilizing a prize heifer.
He hung around till I got the last of it, then we ran for it.
I haven't seen that model machine in a while, still look for it, though my arm has been too big for decades. I had little brothers though; we got about six years of free gum and lifesavers all told, there were years with three of us expropriating.
This story ran weeks ago and was already on /. once before. STALE!