Slashdot Mirror


Contractors Lose Jobs After Hacking CIA's In-House Vending Machines (techrepublic.com)

An anonymous reader quotes a report from TechRepublic: Today's vending machines are likely to be bolted to the floor or each other and are much more sophisticated -- possibly containing machine intelligence, and belonging to the Internet of Things (IoT). Hacking this kind of vending machine obviously requires a more refined approach. The type security professionals working for the U.S. Central Intelligence Agency (CIA) might conjure up, according to journalists Jason Leopold and David Mack, who first broke the story A Bunch Of CIA Contractors Got Fired For Stealing Snacks From Vending Machines. In their BuzzFeed post, the two writers state, "Several CIA contractors were kicked out of the Agency for stealing more than $3,000 in snacks from vending machines according to official documents... ." This October 2013 declassified Office of Inspector General (OIG) report is one of the documents referred to by Leopold and Mack. The reporters write that getting the records required initiating a Freedom Of Information Act lawsuit two years ago, adding that the redacted files were only recently released. The OIG report states Agency employees use an electronic payment system, developed by FreedomPay, to purchase food, beverages, and goods from the vending machines. The payment system relies on the Agency Internet Network to communicate between vending machines and the FreedomPay controlling server. The OIG report adds the party hacking the electronic payment system discovered that severing communications to the FreedomPay server by disconnecting the vending machine's network cable allows purchases to be made using unfunded FreedomPay cards.
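The behaviour the report describes, a purchase being approved when the controlling server cannot be reached, is a fail-open authorization decision. The following is an added example, not code from the OIG report, TechRepublic or FreedomPay: the `PaymentServer` and `VendingMachine` classes, card names and balances are hypothetical and constructed, and the code contrasts the fail-open terminal with one that declines while offline and records the attempt for review.

```python
from dataclasses import dataclass, field

class ServerUnreachable(Exception):
    """Raised when the controlling server cannot be contacted."""

@dataclass
class PaymentServer:
    balances: dict          # constructed sample data: card id -> cents
    link_up: bool = True    # False models the unplugged network cable

    def debit(self, card_id, cents):
        if not self.link_up:
            raise ServerUnreachable(card_id)
        if self.balances.get(card_id, 0) < cents:
            return False
        self.balances[card_id] -= cents
        return True

@dataclass
class VendingMachine:
    server: PaymentServer
    fail_open: bool         # True reproduces the flaw; False is the hardened mode
    audit_log: list = field(default_factory=list)

    def purchase(self, card_id, cents):
        try:
            approved, reason = self.server.debit(card_id, cents), "server"
        except ServerUnreachable:
            # The security decision: what happens when nobody can check funds.
            approved = self.fail_open
            reason = "offline-approve" if approved else "offline-decline"
        # Log every decision locally so link-down activity is visible later.
        self.audit_log.append((card_id, cents, approved, reason))
        return approved

def offline_attempts(machine):
    """Card ids that attempted a purchase while the link was down."""
    return sorted({c for c, _, _, r in machine.audit_log if r.startswith("offline")})

def demo():
    results = {}
    for fail_open in (True, False):
        server = PaymentServer({"funded": 500, "unfunded": 0})
        vm = VendingMachine(server, fail_open=fail_open)
        online = vm.purchase("unfunded", 100)    # server reachable: declined
        server.link_up = False                   # communications severed
        offline = vm.purchase("unfunded", 100)   # outcome depends on the mode
        key = "fail_open" if fail_open else "fail_closed"
        results[key] = (online, offline, offline_attempts(vm))
    return results

if __name__ == "__main__":
    print(demo())
```

In both modes the local audit log still names the card used while the link was down, which is the record a reviewer would correlate with network-outage events.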


  1. Who wrote this? by redback · · Score: 5, Informative

    1. They weren't fired for hacking, they were fired for STEALING.

    2. Unplugging the network cable doesn't count as hacking.

    1. Re:Who wrote this? by oobayly · · Score: 4, Informative

      2. Unplugging the network cable doesn't count as hacking.

      It would in the UK. A man was prosecuted here for adding a couple of "../" to a URI, which then provided him access to the root file system. I'm trying to find a reference to it.

    2. Re:Who wrote this? by DontBeAMoran · · Score: 4, Funny

      2. Unplugging the network cable doesn't count as hacking.

      Sure it does! Look, I'm going to hack my computer right n{#`%${%&`+'${`%&NO CARRIER

      --
      #DeleteFacebook
    3. Re: Who wrote this? by Entrope · · Score: 4, Insightful

      If somebody is willing to steal a $1 candy bar, do you really want to trust them with information if unauthorized disclosure of that information can cause exceptionally grave damage to the nation's security?

    4. Re:Who wrote this? by pahles · · Score: 2

      It would in the UK. A man was prosecuted here for adding a couple of "../" to a URI, which then provided him access to the root file system. I'm trying to find a reference to it.

      What does that have to do with unplugging a cable?

      --
      Sig?
    5. Re: Who wrote this? by LordWabbit2 · · Score: 2

      You hacker you!

      --
      There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
    6. Re:Who wrote this? by swb · · Score: 5, Insightful

      The CIA or any organization like it wants unicorns. They want the tiny subset of the Venn diagram where people are bold thinkers AND organizationally compliant rule followers.

      Like high-end spec-ops, not only do they want really tough super-athletes, they want high intelligence, independent thinkers AND chain of command rule followers.

      It's a small subset of people that match all those qualities.

    7. Re: Who wrote this? by c · · Score: 4, Interesting

      If somebody is willing to steal a $1 candy bar, do you really want to trust them with information...

      Yeah. My immediate thought is that it might even be intentional; having a known and easy-to-exploit vulnerability in a non-essential system would be a really great way to weed out these kinds of idiots. I don't think it's unreasonable for intelligence agencies to test their employees in one form or another.

      --
      Log in or piss off.
    8. Re:Who wrote this? by dreamchaser · · Score: 2

      Are you really that dense or are you trolling? They were stealing. That shows a lack of character. I'd fire them as well, even if I were running a startup.

    9. Re: Who wrote this? by ScentCone · · Score: 2

      If the CIA can't discourage petty theft ...

      They DID act to discourage that petty theft. By firing the people who did it. You know, making them lose their jobs and of course as a result their security clearances. Not that you think that has any impact because you have no idea how the actual world works.

      We shouldn't have secrets that dangerous.

      Like I said, you have no idea how the actual world works. There are, for example, entire groups of people - organized at various scales from families up through governments that own nukes - that want you to be dead. You, personally, dead. It's helpful to try to find out how those groups think, what they are capable of, when and how they will conduct certain actions. How we figure those things out can involve a certain amount of secrecy. I know, you'd like the person living in or near those groups to have to have their identity out in the open even as they provide the rest of the world information about how their boss uses poison gas to attack villages. You consider transparency so important that you think that person should die as a result of providing that helpful information. Because you're a sociopathic virtue-signalling troll.

      --
      Don't disappoint your bird dog. Go to the range.
    10. Re: Who wrote this? by ScentCone · · Score: 4, Insightful

      It's not about the candy bar. It's about how the willingness to steal something that cheap tells you what you need to know about the value system and ethics of the person who does it. How is this not clear to you?

      --
      Don't disappoint your bird dog. Go to the range.
    11. Re:Who wrote this? by WhiplashII · · Score: 2

      Nope, it's even worse:

      They also want to pay below market rates.

      --
      while (sig==sig) sig=!sig;
    12. Re: Who wrote this? by infolation · · Score: 2

      They're bolted to the floor BECAUSE they have machine intelligence.

      Imagine the havoc a sentient CIA snax machine could cause!!!

    13. Re: Who wrote this? by msauve · · Score: 3, Insightful

      "If somebody is willing to steal a $1 candy bar, do you really want to trust them with information if unauthorized disclosure of that information can cause exceptionally grave damage to the nation's security?"

      Depends. If it were limited to "let's try this," and they got a $1 candy bar and it ended there, so what? At that point they should point it out to the vending company. And I wouldn't have any problem with them "stealing" that $1 candy bar.

      But it didn't end there. Not only didn't they report the vulnerability, they continued to abuse it to the tune of $3000. Them, I wouldn't trust.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    14. Re: Who wrote this? by davester666 · · Score: 3, Funny

      Yeah, it sneaks up on you and goes "Here, have a Snickers bar." Pretty soon, everyone is too fat to move.

      --
      Sleep your way to a whiter smile...date a dentist!
  2. ...Or a hacksaw [Re:Who wrote this?] by XXongo · · Score: 5, Funny

    2. Unplugging the network cable doesn't count as hacking.

    Possibly they disconnected it with a hatchet, making it literally hacking.

  3. Liars, Cheats and Criminals at the CIA? by bill_mcgonigle · · Score: 4, Funny

    How did they not get a promotion?

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    1. Re:Liars, Cheats and Criminals at the CIA? by __aaclcg7560 · · Score: 2

      They were supposed to hack the vending machines inside the Russian embassy.

  4. Re:Boston subway by rickb928 · · Score: 2

    And, you know from previous reports, that the real reason gag orders and such are necessary is because the hacked (MTA in this case) are UNABLE to fix the problem in a timely manner.

    Sad, but too many organizations employ technology solutions they are unable to maintain.

    --
    deleting the extra space after periods so i can stay relevant, yeah.
  5. Fed Contractors vs Fed Employees by acoustix · · Score: 4, Interesting

    If these were federal employees they wouldn't have been fired. They would have been reassigned. Or asked to take early retirement. Of course this would have happened after being suspended with pay.

    --
    "A plan fiendishly clever in its intricacies"- Homer Simpson
  6. FreedomPay by tangent3 · · Score: 3, Insightful

    Contractors did not realize the "free" in FreedomPay means free speech not free beer.

  7. Risking your job for fifty cents by biggaijin · · Score: 2

    Throughout my working life I have been amazed that people with good jobs would be willing to jeopardize them for nickels and dimes -- stealing stationery, fudging expense vouchers, and now, apparently, cheating a company vending machine. Don't these people realize that they are putting their livelihoods at risk by stealing from their employer?

  8. Re:should be thanked not sacked by Pascoea · · Score: 5, Insightful

    A supermarket left open but unstaffed all day with no security would suffer amazing amounts of loss. But whose fault would this be?

    [emphasis mine]

    The people who stole the stuff. It's ALWAYS the fault of the person who stole the stuff. 100% of the time. If I don't lock my door and people clean out my house that makes me an idiot, but the person that cleaned it out is still the guilty party. (The insurance company may exercise their "idiot clause" and not reimburse me for my stuff because of my negligence. But that's not relevant to the conversation, the thief is still a thief, and should get the appropriate punishment if caught.)

    So why reward the incompetent by expecting an unrequired level of honesty from users?

    I agree, this is terrible programming. There are definitely ways around spotty connectivity, and FreedomPay has most definitely let their customer down by not adequately protecting their interest. I'm sure you wouldn't have to hunt around too long for a civil lawyer that would be willing to sue FreedomPay for their negligence, but that doesn't excuse the workers who exploited that negligence.

  9. Re:should be thanked not sacked by geekmux · · Score: 2

    It is inexcusable not to have the card broadcast its current credit to a disconnected machine. What possible circumstances would excuse this? And even if you have cards that can start a credit account, the machine would remember the card's number and transaction so the data could be updated when the machine was reconnected.

    Regardless of how bad the system was designed, the truly inexcusable activity here was not reporting it.

    The end result was abusing the shit out of the vulnerability to the tune of $3000+ worth of stolen goods.

    The line between a consultant and a criminal is often defined by ethics.

  10. Re: should be thanked not sacked by comrade1 · · Score: 2

    A supermarket left open but unstaffed all day with no security would suffer amazing amounts of loss.

    Sure, if you live in a shitty country. Here in Switzerland there are vegetable stands on the roadside by farms where you take your groceries and drop your money into a box, often just a wooden box.

  11. Re:should be thanked not sacked by steveha · · Score: 2

    It's ALWAYS the fault of the person who stole the stuff. 100% of the time.

    But maybe not 100% of the fault. More than one person can be at fault.

    In college I took an accounting class, and the teacher's favorite subject was "Internal Controls", systems and rules set up to make sure that people can't just steal money. He gave an example:

    Suppose a small company has an accounting department with poor internal controls, and the head accountant knows that if he/she just edited one spreadsheet, he could steal a whole bunch of money and the company wouldn't realize. This person shows up for work every day for 20 years and never steals anything, and then one day suddenly snaps and steals the money. Who's to blame?

    Clearly the person who stole the money is to blame for stealing the money, but my accounting teacher maintained that the company is also partially to blame for putting him in that position. It's a kind of stress, to have to resist temptation all the time, and it's unfair to put people in the position of resisting it.

    Similarly, I put the blame in this case on the guys who stole the vending machine food, but the vending machine should not have been so easy to cheat.

    P.S. Presumably they were paid well enough that they could afford to pay for vending machine food, so I'm not very sympathetic. And people who could entrap themselves by serially stealing petty things from a vending machine would seem to be high risks for being suborned by outside parties, so it's probably for the best if they aren't working in the CIA anymore.

    --
    lf(1): it's like ls(1) but sorts filenames by extension, tersely