Slashdot Mirror


White House Officials Tricked By Email Prankster (cnn.com)

Jake Tapper, reporting for CNN: A self-described "email prankster" in the UK fooled a number of White House officials into thinking he was other officials, including an episode where he convinced the White House official tasked with cyber security that he was Jared Kushner and received that official's private email address unsolicited. "Tom, we are arranging a bit of a soiree towards the end of August," the fake Jared Kushner on an Outlook account wrote to the official White House email account of Homeland Security Adviser Tom Bossert. "It would be great if you could make it, I promise food of at least comparible (sic) quality to that which we ate in Iraq. Should be a great evening." Bossert wrote back: "Thanks, Jared. With a promise like that, I can't refuse. Also, if you ever need it, my personal email is" (redacted). Bossert did not respond to CNN's request for comment; the email prankster said he was surprised Bossert responded given his expertise. The emails were shared with CNN by the email prankster. White House officials acknowledged the incidents and said they were taking the matter seriously. "We take all cyber related issues very seriously and are looking into these incidents further," White House press secretary Sarah Huckabee Sanders told CNN.

131 comments

  1. He's gonna end up in some camp. by Anonymous Coward · · Score: 1

    Or in jail. I would never dare to even attempt something like that. Hurting a powerful person's pride/"face" is just about the dumbest thing you can do... if you aren't also (very) powerful.

    1. Re: He's gonna end up in some camp. by Anonymous Coward · · Score: 0

      If he lived in America, he'd do time. Since he lives in the U.K., nothing will happen.

    2. Re:He's gonna end up in some camp. by Anonymous Coward · · Score: 3, Insightful

      I like rules of thumb. You just touched on one of my favorites:

      "Never challenge a small-minded man in a position of power."

    3. Re: He's gonna end up in some camp. by Maritz · · Score: 3, Informative

      Lauri Love might care to differ. The UK hands people over to the US regularly, and ignores humanitarian concerns when doing so. There was another guy a few years before that, think his condition was more severe than this one.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    4. Re:He's gonna end up in some camp. by Maritz · · Score: 3, Funny

      That would be the vast majority of men in positions of power.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    5. Re: He's gonna end up in some camp. by Anonymous Coward · · Score: 0

      Never put a small-minded man in a position of power.

    6. Re: He's gonna end up in some camp. by RobotRunAmok · · Score: 1

      >>Never put a small-minded man in a position of power.

      ...except they are the only ones who ever seek it...

    7. Re: He's gonna end up in some camp. by Anonymous Coward · · Score: 1

      He turns them into anonymous cowards on /.

    8. Re: He's gonna end up in some camp. by Baton+Rogue · · Score: 1

      > Never put a small-minded man in a position of power.

      Then there would never be any men in a position of power.

    9. Re: He's gonna end up in some camp. by Anonymous Coward · · Score: 0

      You're thinking of Gary McKinnon

    10. Re: He's gonna end up in some camp. by Aighearach · · Score: 1

      The standard for refusing a properly submitted extradition request is somewhat more specific than vague "humanitarian concerns." And hilariously, that link doesn't even cite any humanitarian concerns; or any claims of innocence. All it actually contains is some whining about American prison sentences being longer than British ones, and typical media misrepresentation about the maximum sentence possible under actual American sentencing guidelines.

  2. So what? by Train0987 · · Score: 3, Insightful

    Let me get this straight. John Podesta gets fooled by a phishing attempt and suddenly the Russian government colluded with Trump to steal the election that Clinton was promised, but when someone in the Trump admin gets fooled by an email it's just a harmless prankster.

    1. Re:So what? by Anonymous Coward · · Score: 4, Insightful

      I'm not sure what your point is. I'd say that, yes, a foreign power breaking into a campaign's email files is something that is and should be illegal.

      This should be illegal, too, but, I agree with the story, it does seem more like a prank, and not a foreign power attempting to change U.S. election results. There is a difference.

    2. Re:So what? by Anonymous Coward · · Score: 1

      Well, the Russian hackers used the info gained from the phishing to steal files which were then publicly released with the intent to harm Clinton's campaign.

      This guy got an email back with the guy's real email address. He didn't steal any files. He didn't release any damaging info. He didn't even request the guy's email address.

      One is a phishing attempt for a malicious purpose. From Wikipedia: "Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication."

      The other was an attempt to prank a guy to get a response, but there doesn't appear to have been any phishing or malicious intent.

      I do find it interesting, however, that the Trump administration and its supporters find this to be a class 1 Felony attempt which requires the person to be crushed while the actual phishing of Podesta was something that Trump encouraged. Apparently, they only find cyber issues against them to be serious since the Russian meddling in our election (I'm not privy to investigation results so I can't comment on collusion) appears A-OK.

    3. Re:So what? by WhiplashII · · Score: 0

      So you don't think that releasing all this to CNN was political in nature? You honestly don't think this was an attempt to embarrass the Trump administration? Isn't the UK a foreign power?

      I think we should just ignore all of this nonsense. It is illegal, sure. So is most spam.

      --
      while (sig==sig) sig=!sig;
    4. Re:So what? by Maritz · · Score: 2, Insightful

      The reason you can't see the difference is either (a) you're extremely biased or (b) you're a bit slow. Both is perfectly possible also (likely, in fact).

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    5. Re:So what? by Maritz · · Score: 2, Funny

      > Apparently, they only find cyber issues against them to be serious since the Russian meddling in our election (I'm not privy to investigation results so I can't comment on collusion) appears A-OK.

      He's a wannabee tyrant, without the competence to become one. It must be frustrating for him.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    6. Re:So what? by Anonymous Coward · · Score: 5, Insightful

      I'm impressed. It is very rare for such a short post to contain so many failures in basic reasoning:

      1. This was some idiot prankster, not the UK government. Thus, not a foreign power.

      2. Publicizing achievements is not inherently political. Some people just really attention. Most people, in fact.

      3. Who cares if the administration is embarrassed?

      4. Phishing is not illegal under federal law, which is applicable to DC.

      5. Ignoring a cyber security breach by a high-ranking member of DHS is stupid. It is his job to do better -- literally.

    7. Re:So what? by Tablizer · · Score: 1

      The Russians made many attempts in many systems using many methods. The "Podesta" incident just happens to be one made public and high profile and is NOT the entirety of the Russia "problem", as you seem to imply. The server logs on many election-related systems have been found full of attempts.

      I imagine most attempts made by Russia failed, but if you try enough things on enough servers and enough people, eventually you will find holes. Hacking favors the patient and persistent.

      I've fallen for a trick myself, I must admit. I typed in the URL as given (didn't click it, though) rather than go to the main site and regular menus of the intended vendor. After I was bamboozled, I realized I skipped a "safety step", slapped my forehead, and vowed to be more careful next time. (It was a small amount, which is probably why I was less careful than I should have been.)

      I've caught tricks before using the regular "safety checklist", but humans are humans and somethings skip steps out of forgetfulness, laziness, distractions, fumble fingers, Mondays, etc.

    8. Re:So what? by Tablizer · · Score: 2

      > humans are humans and somethings skip steps

      Oh the irony burns. Correction: ...sometimes skip steps...

    9. Re:So what? by Plus1Entropy · · Score: 1

      So what?! Podesta was not and is not the Homeland Security Advisor to the President, that's what!

      --
      Only crack the nuts that crack. You don't put the ones that don't crack in the sack.
    10. Re:So what? by Anonymous Coward · · Score: 0

      Yes, hacking into and stealing droves of emails from a server is equivalent to spoofing an email address, sending out a lunch request and seeing what happens and then turning around and telling the press exactly what you did. That's a little like comparing a jewel thief's substitution of a knock off with a $10,000 ring with a person who simulates the theft of an expensive photo frame by taping two of them together and going through checkout then immediately heading to the customer service desk and pointing out how easy it was before returning the extra frame and walking out the door.

    11. Re:So what? by Anonymous Coward · · Score: 0

      Apparently, the UK prankster did not solicit something like a credit card number or password. He neither requested the information be submitted by email nor via a phishing web site.

      IANAL, but it looks like he didn't really commit a crime other than make a high government potentate (or two) look bad.
      But the armed drones are on their way to his house though...

    12. Re:So what? by Anonymous Coward · · Score: 0

      Everybody can distinguish between the two cases, this guy was obviously a harmless prankster whereas the Clinton emails weren't stolen and leaked for the LULZ. It doesn't take much of a brain to recognize the difference. You're just another dishonest bigot.

    13. Re:So what? by Anonymous Coward · · Score: 0

      It probably was some CNN employee in an attempt to discredit the Trump administration. They wouldn't want to paint him too badly in case he gets found out. "It's just a prank bro!"

    14. Re:So what? by Anonymous Coward · · Score: 0

      His point is to malign Trump.

    15. Re:So what? by PopeRatzo · · Score: 2

      > You honestly don't think this was an attempt to embarrass the Trump administration?

      It's funny that you think the Trump administration is capable of embarrassment. After all, embarrassment requires a certain level of self-awareness, and there has been zero of that on evidence.

      --
      You are welcome on my lawn.
  3. Trump was right about one thing... by Anonymous Coward · · Score: 0

    ...I am tired of "winning".

  4. It will happen in any administration by Anonymous Coward · · Score: 0, Informative

    Social engineering is easy and to be honest the "prankster" should be a bit more discreet in sharing the information.

    But it is very en vogue to be anti-trump so I guess putting this up on CNN and acting like this is the first administration that fell for this sort of scheme is the right thing to do. /S

    1. Re:It will happen in any administration by Maritz · · Score: 4, Informative

      "En vogue". lol. The guy redacted the email address. What other information came out of this, apart from revealing the incompetence of a Homeland Security adviser?

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    2. Re:It will happen in any administration by bluefoxlucid · · Score: 1

      The fact that people can be fooled in this way in this particular organization. That's actually useful. The guy might be making an ass of folks, but that's harmless; people can do the same thing to cause harm. By his actions, he's made people more-vigilant; however, they need to take this information and instill permanent policies, as that vigilance is only temporary.

    3. Re:It will happen in any administration by s.petry · · Score: 1, Flamebait

      > The fact that people can be fooled in this way in this particular organization. That's actually useful.

      That would depend on how the facts get presented and what opinions and position accompany the facts.

      > The guy might be making an ass of folks, but that's harmless; people can do the same thing to cause harm.

      Absolutely, this guy could have done this for personal gain and causing harm to others. Oh wait, isn't that exactly what happened?

      > By his actions, he's made people more-vigilant; however, they need to take this information and instill permanent policies, as that vigilance is only temporary.

      Right on, CNN is now out educating people about the dangers of fishing and teaching everyone how to read mail headers and verify! Oh wait, that is not what they are doing. They are using it to bash an administration that they dislike and have bashed since election day.

      I'll close similar to how I opened. The fact that this worked is not a surprise really, because we see successful fishing attempts all the time. How the information of a successful attack is used differs. The Media could have done this differently, but I expect nothing but repeated bashing from not just CNN but all US media without any public service (education).

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    4. Re:It will happen in any administration by s.petry · · Score: 1

      s/fishing/phishing/ good grief, sometimes multitasking is really bad.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    5. Re:It will happen in any administration by Anonymous Coward · · Score: 0

      orange skin
        orange skin orange skin
          its orange orange skin orange
            stop orange skin orange help orange orange

    6. Re:It will happen in any administration by Anonymous Coward · · Score: 0

      > Right on, CNN is now out educating people about the dangers of fishing and teaching everyone how to read mail headers and verify! Oh wait, that is not what they are doing. They are using it to bash an administration that they dislike and have bashed since election day.

      > I'll close similar to how I opened. The fact that this worked is not a surprise really, because we see successful fishing attempts all the time. How the information of a successful attack is used differs. The Media could have done this differently, but I expect nothing but repeated bashing from not just CNN but all US media without any public service (education).

      Until the person who did the mistake (leak the info to prankster) shows that the person sincerely admits the fault and has learned from it, I could care less if any media or whoever wants to keep bashing this mistake. Silence is not a proper form of the right action but rather shows entitlement and pushes the blame on others (e.g. prankster).

    7. Re:It will happen in any administration by bluefoxlucid · · Score: 1

      > Absolutely, this guy could have done this for personal gain and causing harm to others. Oh wait, isn't that exactly what happened?

      Even criminal hacking is delineated by financial damage and, usually, criminal intent (mens rea). If you can't show more than $5,000 of damage, the FBI generally doesn't care.

      Calling you a giant douchebag causes harm to others: you get your feelings hurt and feel bad for a little while. Psychological pain tends to cause maturation--even traumatized soldiers develop more mature defense mechanisms (they grow up and become actual adults) compared to people in the service with less or less-traumatic combat experience--but that's not generally a good excuse for tormenting people. Typically, we scale the torment: are you an asshole, or a malicious actor inflicting extreme psychiatric harm?

      This guy's "personal gain" was some Internet fame. That's distinct from the usual meter of personal gain as a transfer from others: criminal "personal gain" implies you took something from someone else, so their loss is your gain. That's how scams work: you invest a bunch of money and I run away with it without delivering to you the benefit of which I've convinced you you'll receive.

      So there isn't a viable harm or personal gain argument here; there's only a possible procedural complaint.

      > Right on, CNN is now out educating people about the dangers of fishing and teaching everyone how to read mail headers and verify! Oh wait, that is not what they are doing. They are using it to bash an administration that they dislike and have bashed since election day.

      CNN is attempting to draw attention for personal gain, and laying out a narrative to influence thought. The Internet vigilante in this story was being a huge dork to amuse himself. The question was what information came out of this, not what service he offered; he didn't release private information (which shows an intent to not cause harm), and didn't provide a service. What's left? Only what we can derive from the experience--and it is an observable fact that the people and the staff around those people who got caught up in this are now asking questions beyond "how do we hang this guy for embarrassing us?", so they have themselves derived specific information. The fact that they need to continue this process to make use of said information is also important.

    8. Re:It will happen in any administration by s.petry · · Score: 1

      > This guy's "personal gain" was some Internet fame.

      Not quite. You do realize that TV shows quite often _pay_ for people to appear. There is of course what you mention with internet fame, but I'll add that the person also gained "media" fame for paid appearance even if he didn't get paid this time. Book deals, interviews, etc... That he didn't get information to hack into a bank account or commit direct blackmail does not mean he doesn't gain financially by releasing the information to a media outlet.

      If the motivation was truly altruistic as you are attempting to imply, he could have released the information anonymously.

      > CNN is attempting to draw attention for personal gain, and laying out a narrative to influence thought

      On this we agree.

      I think we disagree on principle, where I don't subscribe to moral relativism. You may not see this issue as moral relativism if you assume the person released the information because of altruism. I gave the reason why I don't believe it was altruistic.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    9. Re:It will happen in any administration by Anonymous Coward · · Score: 0

      Indeed, you are a moral absolutist, and your position is simple: Anything that supports your agenda is good and proper anything that challenges or questions your agenda is double-plus-badwrong.

      Your partisan bias is quite evident.

    10. Re:It will happen in any administration by bluefoxlucid · · Score: 1

      You're going out to ridiculous lengths. It's like when ProPublica claimed Red Cross's "real overhead" is 40%, not the 9% they publish, because "they hire contractors, who have overhead." Well shit, son, the people doing the work get paid; that's overhead, and they should work for free!

      > I think we disagree on principle, where I don't subscribe to moral relativism.

      Moral relativism is a matter of whether the same exact action is moral or amoral based on the society's culture and, essentially, how common it is, and if the society at large accepts it. The large problem with moral relativism is you can oppress a subculture (e.g. all women, blacks, Jews) and have your society at large accept things like rape and murder, while as an explicit part of the social structure a definable group of people are not afforded the security society is supposed to offer.

      Moral relativism doesn't have anything to do with scale or intent, which is what's described here. You claim that, somewhere down the line, this guy profited. Well, you profit from having a job, and there are limited jobs available due to demand economics, and more people than jobs. People are suffering and dying because they don't have jobs; by your extreme reasoning, you are a murderer for taking a job which would have otherwise supported another person who now struggles to find food, or who is now dead.

    11. Re:It will happen in any administration by s.petry · · Score: 1

      Wait, you accuse me of going to ridiculous lengths talking about the same guy and his actions while you have to jump to a NGO which didn't do anything at all similar to this person? Who is going to ridiculous lengths to justify their opinion exactly? What we have here is called a case of projection.

      I don't believe you fully understand moral relativism. Moral relativism is changing the rules when you believe it suits your position or beliefs instead of from a position of pure good/evil, true/false, justice/injustice. Scale can be a factor used in moral relativism, but certainly not the only way people manipulate morality to fit their particular belief.

      I gave the example of the person who gave the information to CNN being altruistic. Doing so anonymously. I further gave how media could have used the information in a positive way. Not altruistic by any stretch of the imagination, but more beneficial to society. You have not countered my example of those two entities (the only two in the story). You use gross generalizations which include the famous appeal to emotion "people are suffering and dying because they don't have jobs" and an NGO. WTF?

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    12. Re:It will happen in any administration by bluefoxlucid · · Score: 1

      > You use gross generalizations which include the famous appeal to emotion "people are suffering and dying because they don't have jobs" and an NGO. WTF?

      No, I'm comparing the non-government organization (ProPublica)'s arguments to yours, and carrying them to completion, as a way to demonstrate your argument in a more-relatable context.

      You claim that this person's actions can provide him a potential monetary benefit somewhere down the line, thus he has taken action for personal gain, regardless of all other factors or circumstance. I pointed out a similar claim made by someone else about cost overhead, and carried it out to its conclusion (that people's wages are also "overhead" and they should just work for free), and then carried that conclusion even farther into the absurd to demonstrate that your personal actions are the cause of somebody's suffering and, likely, somebody's death, all for your own personal financial gain by securing employment.

      Your argument was that ridiculous. I made a square comparison to it.

      > I don't believe you fully understand moral relativism. Moral relativism is changing the rules when you believe it suits your position or beliefs

      Actually,

      > Moral relativism may be any of several philosophical positions concerned with the differences in moral judgments across different people and cultures.

      Moral relativism requires that exactly the same situation placed into the context of two different cultural groups be viewed as differently-moral. If you're trying to re-define air as "the liquid form of dihydrogen monoxide, generally occurring at standard atmospheric pressure between 0C and 100C", nobody's buying it.

    13. Re:It will happen in any administration by s.petry · · Score: 1

      > No, I'm comparing the non-government organization (ProPublica)'s arguments to yours, and carrying them to completion, as a way to demonstrate your argument in a more-relatable context.

      Okay, I'll play along for now.

      > You claim that this person's actions can provide him a potential monetary benefit somewhere down the line, thus he has taken action for personal gain, regardless of all other factors or circumstance.

      What other factors or circumstances? The person did, or did not take action for personal gain. As stated twice previously, if the action was not for personal gain they would have reported in a different fashion, and probably to a different location.

      Your "other factors or circumstances" is exactly what I referred to as moral relativism.

      Example: If you see a 100 dollar bill on the ground and pick it up and keep it, you either did or did not commit the act. Whether the 100 dollar bill came out of a millionaire's pocket, or is the life savings of a homeless addict on the street makes no difference.

      > I pointed out a similar claim made by someone else about cost overhead, and carried it out to its conclusion (that people's wages are also "overhead" and they should just work for free), and then carried that conclusion even farther into the absurd to demonstrate that your personal actions are the cause of somebody's suffering and, likely, somebody's death, all for your own personal financial gain by securing employment.

      What is absurd is trying to establish this person's actions as a moral equivalence to an NGO's overhead.

      Simple questions we can arrive at using the Socratic method. I didn't elaborate this at the start, but assume most people can get to them on their own. No moral equivalences or relativity, simple yes or no.

      1. Did the person release this information for personal gain?

      2. Did the media use the information as a public good to teach people the dangers of phishing and how to avoid being a victim, or to put out a negative message about the information source?

      I have yet to see you actually defend the person who gave the data to CNN or defend the Media for their altruistic use of the data.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    14. Re:It will happen in any administration by bluefoxlucid · · Score: 1

      > What is absurd is trying to establish this person's actions as a moral equivalence to an NGO's overhead.

      You're dodging that I've used your own reasoning to equate your continued existence as murder.

      > What other factors or circumstances? The person did, or did not take action for personal gain.

      A person may, knowingly and willingly, hack into a bank, steal credit card numbers, and make purchases. This will deprive a retailer of money (the person whose card they use will be compensated; the merchant takes the burden). That, in turn, reduces revenue streams. In aggregate, this acts as a form of risk, increasing costs, thus increasing prices of goods. That lowers the number of goods people can afford. In the case of critical basic-needs goods like food, it pushes adequate means of survival out of the reach of some people. In any case, this lowering of affordability of goods reduces the number of jobs supportable, thus causing unemployment, poverty, suffering, and death.

      This person has, knowingly and willingly, inflicted harm on others: he has transferred the property and the means of survival away from another person to himself through his intentional actions.

      In this case, a person, knowingly and willingly, framed himself as someone else to amuse himself and embarrass another person. His actions were constructed to not deprive the other person of any material good or draw additional harm to them (such as release of e-mail addresses et al, which would lead to the destruction of a personal account which has now become general public knowledge--kind of like if I posted your phone number all over Reddit so you get shitloads of text messages). Thus he has not taken action to forcibly transfer an asset from one person to himself, or to cause injury to a person or institution and draw a profit to himself through said infliction.

      There are also equivalents, such as political satirists who draw cartoons which criticize a party or policy. As with this guy, they cause public thought and dialogue for which the administration must answer.

      There's a difference between all three of these, really. The latter two are fairly-similar, and each carry enormous distinctions from credit card fraud.

      > No moral equivalences or relativity, simple yes or no.

      I can do that too.

      1. Do you consume the resources of survival (employment, monetary compensation, food, shelter) which are available in limited quantity and of which another person is deprived?

      2. Are other people suffering and dying due to not having access to the limited resource which you consume?

      If yes, you are a murderer. As such, our social justice system should tie you to a large rock and throw you into a river. By using the Socratic method as you've portrayed it, I have proven you deserve to die.

      You cannot defend yourself against this conclusion without sacrificing your position.

    15. Re:It will happen in any administration by MercTech · · Score: 1

      Was the email provided the one used for official communication or just the personal one on the work server?
      I have email for biz and email for other stuff. I have no compunctions about sharing my "other stuff" email address even if that means I need a third party spam manager on that address. (gad, the GP email gets a couple of hundred posts a day of which about 20 are of interest - including the daily cartoons I like. The work email; about six posts and those are very pertinent to projects.)

      Someone contacts you. Claims to have worked with you on Project ABC. Sharing an email for further contact and vetting seems reasonable to me. It is not like having an email address gives access to a network. I think the telling thing is the fellow was fooled into sharing his "PRIVATE" email address. Who cares if a person's private email gets put on the megaspam list?

      --
      NRRPT/RCT
    16. Re:It will happen in any administration by s.petry · · Score: 1

      > You're dodging that I've used your own reasoning to equate your continued existence as murder.

      Perhaps in your own mind, but no you have not. Your assertion that this person doing something and giving that data away for personal gain is the equivalent to a person who works for an NGO and counts as overhead is simply ludicrous. The reductio ad absurdum to claim I am a murderer is based on your former fallacious logic. Fallacy of a Fallacy != logical, it makes you more irrational.

      I have repeatedly provided the way to reference my point in debate, and given you two questions to answer. Let's see if you did, or if you are just running in circles as to avoid a basic moral question.

      And reading further, you simply ignored the basic questions about TFA and continue on your ludicrousness. If your position was close to rational I'd say "good troll", but as is I can't tell if you are trolling or mentally deranged.

      Good luck to you, and I hope you find medication.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  5. Don't worry by Anonymous Coward · · Score: 1

    Trump has a son—he's 10 years old. He has computers. He is so good with these computers. It's unbelievable.

  6. Re: Liberal treason by Anonymous Coward · · Score: 0

    You are a nutjob

  7. Seems like the wording is dead give away. by Anonymous Coward · · Score: 1

    "I promise food of at least comparible (sic) quality to that which we ate in Iraq"
    Really, who talks like that. This is a member of the Trump White House staff.

    "Good food, better food than Iraq. Food will be greatest food, simply the best, I promise." seems a little less suspect.

  8. Not surprised thought it could have been worse... by bogaboga · · Score: 4, Interesting

    "Thanks, Jared. With a promise like that, I can't refuse. Also, if you ever need it, my personal email is" (redacted).

    A "food" promise will work most of the time.

    Now, just suppose it were something to do with [propositioning] the fairer sex! Now, that would have been a scandal big time.

    My take: Those folks are lucky, for now.

  9. Sensitivity training... by __aaclcg7560 · · Score: 0

    Looks like some people need training on how to spot phishing email attempts.

    1. Re:Sensitivity training... by Anonymous Coward · · Score: 0

      your a doosh

    2. Re:Sensitivity training... by Anonymous Coward · · Score: 0

      You're a douche.

    3. Re:Sensitivity training... by DigiShaman · · Score: 1

      SMIME certificates do help. :)

      --
      Life is not for the lazy.
    4. Re:Sensitivity training... by Anonymous Coward · · Score: 0

      Yore a gouache

    5. Re: Sensitivity training... by Anonymous Coward · · Score: 0

      Mmm. A message that's complete goulash.

    6. Re:Sensitivity training... by unrtst · · Score: 1

      SMIME certificates do help. :)

      Could help, but they don't.
      My company uses them and requires us to use them, except when they don't. The problem, IMO, is that the email clients don't alert when there is no signature. They add a tiny icon if a signature is present and valid. They add a warning if the signature is present but invalid.

      What is needed is something akin to HTTP's Strict-Transport-Security header. IE. once your email client receives a valid signed email from a particular user, it will then require all email from that user to be signed, or it will put up a giant error/warning. Otherwise, a forged email will come through and look perfectly fine, just no sig, which the user never really cares about anyway.

      After that is put in place, then have an option to warn on the lack of a sig from all emails, and maybe a way to whitelist some (ex. for automated emails from amazon).
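A sketch of the policy proposed in the comment above, added here as an example; it is not code from the commenter or from any mail client. The class name, the status strings and the `sig_status` / `signer` inputs (assumed to come from the client's own S/MIME verifier) are hypothetical, and the display-name check goes one step beyond the proposal.

```python
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import parseaddr


@dataclass
class SignaturePins:
    """Per-sender "must be signed" memory for a mail client (hypothetical class)."""
    pins: dict = field(default_factory=dict)    # address -> display name seen with a valid signature
    exempt: set = field(default_factory=set)    # whitelisted senders allowed to stay unsigned
    warn_all_unsigned: bool = False             # second stage: warn on any unsigned mail

    def check(self, raw: str, sig_status: str, signer: str = "") -> str:
        """Classify one message.

        sig_status ('valid', 'invalid' or 'none') and signer (the address in the
        signing certificate) are assumed to come from the client's S/MIME verifier.
        """
        name, addr = parseaddr(message_from_string(raw).get("From", ""))
        name, addr = name.strip().lower(), addr.lower()
        if sig_status == "invalid":
            return "WARN_BAD_SIGNATURE"
        if sig_status == "valid":
            if signer.lower() != addr:
                # A valid signature by someone else says nothing about this From line.
                return "WARN_SIGNER_MISMATCH"
            self.pins[addr] = name
            return "OK_SIGNED"
        # From here on the message carries no signature at all.
        if addr in self.pins:
            return "ALERT_SIGNATURE_MISSING"
        if name and name in self.pins.values():
            # Same display name as a pinned sender, but from an address never seen signed.
            return "ALERT_PINNED_NAME_NEW_ADDRESS"
        if addr in self.exempt or not self.warn_all_unsigned:
            return "OK_UNSIGNED"
        return "WARN_UNSIGNED"


def mail(sender: str) -> str:
    """Constructed sample message; only the From header matters here."""
    return f"From: {sender}\nSubject: soiree\n\nSee you there.\n"


if __name__ == "__main__":
    client = SignaturePins()
    pat = mail('"Pat Example" <pat@agency.example>')
    print(client.check(pat, "valid", "pat@agency.example"))
    print(client.check(pat, "none"))
    print(client.check(mail('"Pat Example" <pat.example@webmail.example>'), "none"))
```

Pins are keyed on the address in the From header, so a pin is only recorded when the verified signer address matches that header.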

    7. Re:Sensitivity training... by Anonymous Coward · · Score: 0

      Year o' mousse

    8. Re: Sensitivity training... by Anonymous Coward · · Score: 0

      How gauche

    9. Re:Sensitivity training... by DigiShaman · · Score: 1

      True. But the entire point is to validate an incoming e-mail isn't a phishing message with forged headers. An SMIME cert will help shed light on that. So yes, it does require a level of situational awareness by the end-user of the e-mail client including knowledge that x-employee is configured for using SMIME as well. In a small office, it's a non-issue. In a fortune 500, yeah, major PITA I would imagine.

      FYI, if your e-mail is hosted in Office 365, you can minimize phishing attempts via the following Exchange settings.

      Exchange admin center --> protection --> spam filter --> (edit default policy) --> advanced option -->
      SPF record: hard fail: On
      Conditional Sender ID filtering: hard fail: On
      NDR backscatter: On

      --
      Life is not for the lazy.
    10. Re:Sensitivity training... by unrtst · · Score: 1

      the entire point is to validate an incoming e-mail isn't a phishing message with forged headers. An SMIME cert will help shed light on that.

      Close, but wrong.
      The S/MIME signature applies to the message body. That does NOT include any of the headers (and note, "Subject" is a header, not part of the message body).
      As an example, I have actually done the following and can assure you this is not only possible, but trivially easy:
      * have someone send you an S/MIME signed email
      * send that back out, forge the FROM address to that user's address rather than your own, and modify the Subject to something obscene, and set the TO address to anywhere you like
      * that email will send just fine, it will go to an unintended recipient, and the subject will be altered, but the message signature will say it's valid.

      That scared the crap out of some of the IT folks I know, who assumed that the to/from/subject were also protected by the signature. It's scary because the recipient will very likely assume that the original author wrote that subject line and sent it to them, because the little lock icon says so. Fixing this should only require education so people know that's the case, but we (as tech folks) should be doing a better job in that area.
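A receiving-side audit of the point made in the comment above, added here as an example and not part of the original post: it extracts the bytes a `multipart/signed` signature is computed over and reports which displayed headers fall outside them. The function names and sample messages are constructed, signature verification itself is left to the mail client, and the `message/rfc822` wrapping case (the S/MIME option for signing headers) goes beyond what the comment describes.

```python
import hashlib
from email import message_from_bytes, policy

DISPLAYED = ("From", "To", "Cc", "Subject", "Date")  # headers a mail client shows the reader


def signed_entity(raw: bytes) -> bytes:
    """Exact bytes of the first part of a multipart/signed message: the only
    input to the signature (assumes CRLF line endings, as on the wire)."""
    msg = message_from_bytes(raw, policy=policy.default)
    boundary = msg.get_boundary()
    if msg.get_content_type() != "multipart/signed" or not boundary:
        raise ValueError("not a multipart/signed message")
    parts = raw.split(b"\r\n--" + boundary.encode("ascii"))
    if len(parts) < 4:
        raise ValueError("expected content part, signature part and close delimiter")
    # parts[1] is "<end of boundary line>\r\n<signed entity>"
    return parts[1].split(b"\r\n", 1)[1]


def header_coverage(raw: bytes) -> dict:
    """Report which displayed headers the signature does and does not cover."""
    outer = message_from_bytes(raw, policy=policy.default)
    entity = signed_entity(raw)
    inner = message_from_bytes(entity, policy=policy.default)
    # Headers are signed only if the sender wrapped the whole message as
    # message/rfc822 inside the signed part; otherwise they sit outside it.
    wrapped = inner.get_payload(0) if inner.get_content_type() == "message/rfc822" else None
    report = {"sha256": hashlib.sha256(entity).hexdigest(),
              "covered": [], "uncovered": [], "mismatched": []}
    for name in DISPLAYED:
        shown = outer[name]
        if shown is None:
            continue
        signed = wrapped[name] if wrapped is not None else None
        if signed is None:
            report["uncovered"].append(name)
        elif str(signed).strip() == str(shown).strip():
            report["covered"].append(name)
        else:
            report["mismatched"].append(name)  # displayed value differs from the signed one
    return report


def sample(subject: str, to: str, wrap: bool) -> bytes:
    """Constructed message; the signature part is a placeholder, not a real signature."""
    body = ["Content-Type: text/plain; charset=us-ascii", "", "See you at eight."]
    if wrap:
        body = ["Content-Type: message/rfc822", "", "From: alice@example.org",
                "To: bob@example.org", "Subject: Dinner on Friday"] + body
    lines = ["From: alice@example.org", f"To: {to}", f"Subject: {subject}",
             "MIME-Version: 1.0",
             'Content-Type: multipart/signed; protocol="application/pkcs7-signature";'
             ' micalg=sha-256; boundary="sig-b1"',
             "", "--sig-b1", *body, "--sig-b1",
             'Content-Type: application/pkcs7-signature; name="smime.p7s"', "",
             "(constructed placeholder)", "--sig-b1--", ""]
    return "\r\n".join(lines).encode("ascii")


if __name__ == "__main__":
    print(header_coverage(sample("Changed subject", "carol@example.net", wrap=False)))
    print(header_coverage(sample("Changed subject", "carol@example.net", wrap=True)))
```

Two messages with the same signed part produce the same digest whatever their outer headers say, which is why a client that shows only "signature valid" tells the reader nothing about the Subject or To line.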

  10. If you live in glass houses... by Tablizer · · Score: 2

    A good many Republicans trashed the DNC for their "lax security". Crow soup anyone?

    1. Re:If you live in glass houses... by Anonymous Coward · · Score: 0

      Exactly.

      As a disinterest observer who lives in another country, the fact that Republican White House officials are being hacked via email is the second funniness thing about this whole affair.

      The funniest is the clown you guys elected.

      Oh wait, the second funniest is the Russian meeting thing. The third funniest is the Sarracuzzi what's-his-name guy. The fourth funniest was pussygate. The fifth funniest was....

      Anyway I lose track.

      But this email hack is easily in the top ten funny things that have happened in US politics this week, if not in the last fortnight.

      So funny.

    2. Re:If you live in glass houses... by Anonymous Coward · · Score: 0

      I meant "disinterested".

    3. Re:If you live in glass houses... by Anonymous Coward · · Score: 0

      They weren't hacked. They responded innocuously to innocuous emails that they mistook as coming from someone other than the prankster.

  11. "cyber related issues" by Kergan · · Score: 1

    Poor kid is going to get swatted in 3... 2... 1...

    1. Re:"cyber related issues" by neo-mkrey · · Score: 1

      He's going to pound-you-in-the-ass prison.

    2. Re: "cyber related issues" by KGIII · · Score: 1

      Black-bagged and dumped out the back of a C-130, somewhere over the mid-Atlantic. That's my guess.

      Well, no... He will probably just get a stern talking to.

      --
      "So long and thanks for all the fish."
    3. Re: "cyber related issues" by Anonymous Coward · · Score: 0

      Well, no... He will probably just get a stern talking to.

      This is the Age of Trump, it'll be six tweets and five new hashtags.

  12. One question by Anonymous Coward · · Score: 0

    How did he get their email addresses in the first place? Are they publicly available?

    I'd hope that they have separate "front facing" email addresses which are monitored by their flunkies, and private ones for official communications. If not then this will probably happen again (if it hasn't already) only it won't be a "prankster" next time.

    1. Re: One question by Anonymous Coward · · Score: 0

      Front side email, monitored by flunkies, isn't that how the DNC got hacked?

    2. Re:One question by ichimunki · · Score: 1

      Front-facing vs. "private" emails... and expecting that to prevent this sort of thing is security through obscurity. Even the private addresses would probably follow a pattern or be discoverable by some relatively benign process. As to any objection like "these people don't have time for all this email": I would guess a lot of these people have all too much downtime available for checking emails when they are flying around the world, waiting for meetings to start, etc, especially since the devices necessary to do this stuff now fit in your pocket and can connect to the network from almost everywhere. And since they are often extreme narcissists and the like, of course they are going to want to connect with their fellow power hungry weirdos.

      --
      I do not have a signature
  13. I see a trend here by Anonymous Coward · · Score: 0

    Any time a corporation or government screws up and gets hacked, they say "We take security very seriously". Any time a corporation is caught hoovering up customer data, they say "We take the privacy of our customers very seriously". Any time a country says "We want peace and safety for all people", you can be sure they just unloaded a pile of bombs somewhere and killed many people.

  14. Is the prankster named Trump? by Anonymous Coward · · Score: 0

    ...cuz that's who they got tricked by first...

  15. Re:Prank vs. Cyberattack by Maritz · · Score: 2, Informative

    One bloke in the UK = the UK did it? This place gets dumber all the time. Holy shit you live in a fucking cartoon world, dumbass.

    --
    I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
  16. Re:Liberal treason by Maritz · · Score: 1

    lol for your sake I really hope this is a clever troll. If so, 10/10.

    --
    I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
  17. Sarah Sanders by Khyber · · Score: 1

    Has never been known for being tight-lipped.

    Take that as you will. It literally works both ways. The unspoken way is likely true given her behavior.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    1. Re:Sarah Sanders by 93+Escort+Wagon · · Score: 1

      Are you saying that friends of the prankster should check up on him every so often to make sure he's still breathing?

      --
      #DeleteChrome
    2. Re:Sarah Sanders by ayesnymous · · Score: 1
      > Has never been known for being tight-lipped. It literally works both ways.

      So she has a big mouth too?

  18. Use PGP/GPG by mars-nl · · Score: 1

    PGP was introduced in 1991. Now it's 2017 and we still don't know how to make sure we are talking to the person we think we are talking to. *weep*

    1. Re:Use PGP/GPG by Anonymous Coward · · Score: 0

      Probably because the usability of PGP really hasn't been improved since...well, 1991. When software is hard to use, people don't use it, who would have thought!

    2. Re:Use PGP/GPG by Anonymous Coward · · Score: 0

      Hard to set up, not hard to use.

      But people in sensitive and important positions should probably learn how to use it. It's worth the time it takes to learn to guard against something like this.

    3. Re:Use PGP/GPG by Zontar_Thing_From_Ve · · Score: 1

      PGP was introduced in 1991. Now it's 2017 and we still don't know how to make sure we are talking to the person we think we are talking to. *weep*

      I work in what might best be described as an internal IT support job for a US based Fortune 500 company. Every now and then the particular product I support has a customer with a problem and I have to jump in and try to help. We only sell this product in North America and the vast majority of that within the USA. I say that because when there are problems I have to talk to IT staff who work for our customers and I want it understood that I'm not talking about dealing with companies in undeveloped countries here. You would not believe how many companies out there can't get PGP working, which we do support in our product. Many times we've had to change over to another file transfer method that uses encrypted channels for communication because the customer can't decrypt anything we send them that was PGP encrypted. We've had a few customers who actually built a server on their site from scratch so we could drop files off to it and avoid using PGP because they decided that they'd rather do that than learn how to use PGP/GPG. So yes, I totally get how PGP was introduced in 1991 and some people still don't know how to use it.

    4. Re:Use PGP/GPG by Shakrai · · Score: 1

      PGP was introduced in 1991. Now it's 2017 and we still don't know how to make sure we are talking to the person we think we are talking to. *weep*

      And you still wouldn't, even if PGP was in widespread use, because there's no easy way to verify that the public key you've been issued actually belongs to the person you're communicating with. This is the same pitfall that all public key cryptography faces. It only works with https because we trust the root certificate authorities.

      Cryptography is useless if you don't have a secure channel to exchange keys before the communication that you wish to secure/authenticate.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    5. Re:Use PGP/GPG by Anonymous Coward · · Score: 0

      So use S/MIME instead? Pretty much the same thing, but supported in all good email clients.

    6. Re:Use PGP/GPG by Anonymous Coward · · Score: 0

      It is not difficult to use, it's just that the standards of computer literacy have fallen so low that most people are unable to do anything with a computer if not given a single icon to push with their thumb.

    7. Re:Use PGP/GPG by ichimunki · · Score: 2

      That's what private key servers are for, and nothing is stopping the feds from setting one up for their own people to use.

      --
      I do not have a signature
    8. Re:Use PGP/GPG by Anonymous Coward · · Score: 0
  19. [Suspected Spam] by Anonymous Coward · · Score: 3, Informative

    It was tagged [Suspected Spam], how could it NOT have been a legit email?

    How much stupider can these people get?

    1. Re:[Suspected Spam] by neo-mkrey · · Score: 1

      I'm sure they're just getting started with the idiocracy...

    2. Re:[Suspected Spam] by ItsJustAPseudonym · · Score: 1

      Tom, we are arranging a bit of a soiree towards the end of August.

      Tom assumed they would be serving Spam.

    3. Re:[Suspected Spam] by antdude · · Score: 1

      I have seen legit e-mails that were marked spams. :(

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  20. The expertise of Tom Bossert .. by najajomo · · Score: 1

    "A self-described "email prankster" .. wrote to the official White House email account of Homeland Security Adviser Tom Bossert .. the email prankster said he was surprised Bossert responded given his expertise"

    What expertise? Have these people never heard of encryption and digital signatures, 'cause using standard email means anyone can read your email or impersonate a real person. But then again these are the same people who decided to run Homeland Security on Microsoft Windows.

  21. Shock by American+AC+in+Paris · · Score: 4, Insightful

    You elect amateur hour, you're gonna get amateur hour.

    --

    Obliteracy: Words with explosions

    1. Re:Shock by hey! · · Score: 3, Interesting

      Yes, I was surprised that the prankster thought Bossert had "expertise". He's a lawyer.

      Now a lot of lawyers are very smart, and the best are information sponges who do manage to acquire impressive depth of knowledge in fields outside the law. But Bossert's only security experience was working as Deputy Homeland Security Advisor under Bush, a position he was utterly unqualified for; as for experience he picked up in that position, this was a period when the department was new and notorious for security theater and expensive boondoggles. Oh, yes he did serve as Director of Infrastructure Protection under Bush as well, during a period where nothing significant was accomplished.

      I wouldn't be the least surprised if he got suckered by a phishing campaign.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  22. Re:Prank vs. Cyberattack by Anonymous Coward · · Score: 0

    Trumpsters live in a different world from reality.

    Anything done to embarrass the fuhrer is worthy of death, anything done to embarrass his enemies should warrant the medal of honor, even if it includes committing treason like the fuhrer himself did

  23. Better investigate their use of email! by Anonymous Coward · · Score: 1

    Hey if Whitehouse staffers are so dumb and uninformed when it comes to basic OPSEC then I think we'd better have the FBI investigate whether they're using private email for official purposes, too, just in case!

  24. Re: Happy Tuesday from The Golden Girls! by Anonymous Coward · · Score: 0

    You're welcome.

  25. camp gimo and you are not an USC so no jury! by Joe_Dragon · · Score: 1

    camp gimo and you are not an USC so no jury!

    1. Re: camp gimo and you are not an USC so no jury! by Anonymous Coward · · Score: 0

      So ingrischen finally what excuse me barroom!

  26. ROF by Anonymous Coward · · Score: 0

    Our new government is fucking retarded as they come.

  27. Information hiding by Script+Cat · · Score: 1

    Jared Kushner

    He probably just saw light blue "Jared Kushner". This kind of information hiding crap is getting more pervasive all the time. The same goes for file extensions "FamilyPhotos.jpg.exe"

    1. Re:Information hiding by Anonymous Coward · · Score: 0

      Problem is, the email was tagged as [Suspected Spam], at that point the reader should have been suspicious. I've worked for several not very big companies that appear to have better email security in place than the freaking White House, how the hell does that happen???

    2. Re:Information hiding by orgelspieler · · Score: 1

      If the server settings are shitty, almost all outside emails get tagged as suspect. When servers cry wolf, that's a problem. Windows is bad about this, too. If I'm trying to move a file from a shared drive on a company-owned server, the Windows "This file could harm your computer." warning pops up. How is that useful?

  28. "Looking into these incidents" by Anonymous Coward · · Score: 0

    "We take all cyber related issues very seriously and are looking into these incidents further,"

    Given this administration's ranting about "leakers" & "treason" I would bet that is code for "we plan to harass/prosecute these people for pointing out our ineptitude".

  29. Seth Rich by Anonymous Coward · · Score: 1

    Meanwhile a Fox reporter is suing Hannity and Fox 'News' for making up the Seth Rich story.

    Apparently it was cooked up to kill the Russia inquiry and he didn't like them faking quotes from him to give it credence.

    If Seth leaked the emails to Wikileaks, then the Russians are innocent, which was the aim of Hannity, clear the Russians of involvement in the hack by pinning it on Seth:

    "Congress, investigate Seth Rich Murder! @JulianAssange made comments u need to listen to! If Seth was wiki source, no Trump/Russia collusion https://t.co/QPHZwypU34
            — Sean Hannity (@seanhannity) May 22, 2017"

    Which is why it is such a big deal that Hannity, Mooch, Trump and a former Fox executive were having a dinner. It explains why Mooch flew off the handle over what should have been an innocent meal.

    Sigh. It's always the same, there are always people who will side with Putin if he offers them money or power, even if they are undermining their own country. Hannity should be ashamed, but he is ashamed all the way to the bank.

    1. Re:Seth Rich by Anonymous Coward · · Score: 0

      Seymour Hersh discussing the DNC leaks and Seth Rich
      https://www.youtube.com/watch?v=yFQVuGx9lRM

  30. Re: Liberal treason by Anonymous Coward · · Score: 0

    And you are smug liberal who always uses the generalizations and insults instead of argument. Exactly what us 100% American Trump voters have come to expect and why he will always have 100% of support.

  31. Drone Inbound by Anonymous Coward · · Score: 0

    And by "taking it seriously" we mean we have launched a drone strike targeting certain individuals and their grandmothers.

    1. Re: Drone Inbound by Anonymous Coward · · Score: 0

      That's one way to brexit haha

  32. Re: Liberal treason by Anonymous Coward · · Score: 0

    Where's the strong american authority you allege? House of cards....

  33. Re: Liberal treason by Anonymous Coward · · Score: 0

    He has a good reason to be smug when the nazi nutjobs such as yourself and the OP are so incredibly dumb.

  34. Re: Liberal treason by Anonymous Coward · · Score: 0

    I'm sorry. I got lost in your generalization of hundred percent tribal oorah.

  35. The stupidity is mind-baffling by nospam007 · · Score: 2

    What's with US politicians and email?
    Don't they know it's like postcards that can be written by any idiot?
    I guess not.

    1. Re:The stupidity is mind-baffling by Anonymous Coward · · Score: 0

      Given the number of people who think Spicier is Spicer, we have the elected officials we deserve when it comes to technology and the Internet.

  36. Waiting for this "prankster" to get arrested by LeftCoastThinker · · Score: 0

    Pretty sure that spear phishing is a crime, regardless of your success level or whether you self style yourself as a prankster or not. The only way to legally do what was done is to immediately reply back to the targeted official/business/government agency and inform them that you were not who you said you were and that they need to improve their IT security training/systems. This guy may very well wind up extradited and charged with a crime since he went to CNN with the intention of damaging the organization that he attacked which by definition makes his spear phishing a crime.

    --
    If you disagree, please post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like
    1. Re:Waiting for this "prankster" to get arrested by R3d+M3rcury · · Score: 2

      Pretty sure that spear phishing is a crime [...]

      It probably comes under the generic catch-all, "Fraud." I'm not sure there's anything specific about spear-phishing...

    2. Re:Waiting for this "prankster" to get arrested by Anonymous Coward · · Score: 1

      he went to CNN with the intention of damaging the organization that he attacked

      Exposing stupid actions is not "damaging".

  37. Re:Prank vs. Cyberattack by Anonymous Coward · · Score: 1

    One bloke in the UK = the UK did it?

    But we know the UK did it; the attack came from a UK IP, and we have many reasons to believe the UK could benefit from it. They probably have lots of evidence, we're just not allowed to see it because we're just common citizens.

    Of course, I wouldn't trust a paid UK astroturfer to see reason.

  38. And that's the damn point. by Anonymous Coward · · Score: 0

    It HAS to be hard to verify that the key you were issued belongs to the person you're communicating with. Guess what? You verify that once, however hard and rigorous, and you never have to worry about anything other than the key being changed without your notice.

    If it were EASY to verify, then it is also easy to fake a verification.

    But guess what? They all meet in the White House and can personally verify the keys. Better yet, the White House security can create keys for all the personnel in the whitehouse and distribute the public ones in a single read only medium. In actual fact, it would have to be "point a gun at someone as you tell them to follow the list of instructions that create their key, secure it with a passphrase and copy the public key to the medium provided for collecting the people's keys."

    And even better, roles rather than people can be given set fixed private keys that "belong" to a position so that multiple people can "speak" as the representative. So they can all sign it as "White House Staff", the head of Homeland security and every secretary and aide of his can sign as "Homeland Security" and therefore add another identification to the list that ensures the source is appropriately and correctly identified.

  39. Spelling mistakes were correct, however. by Anonymous Coward · · Score: 0

    And that may have been enough. Jared's not quite as stupid as Orangina and may know more words, even if he can't speak them in public.

  40. Let's be perfectly clear - it's a huge problem. by gosand · · Score: 3, Interesting

    "So we had to get very, very tough on cyber and cyber warfare. It is a huge problem. I have a son—he’s 10 years old. He has computers. He is so good with these computers. It’s unbelievable. The security aspect of cyber is very, very tough. And maybe, it's hardly doable. But I will say, we are not doing the job we should be doing. But that’s true throughout our whole governmental society. We have so many things that we have to do better, Lester. And certainly cyber is one of them."

    --

    My beliefs do not require that you agree with them.

    1. Re:Let's be perfectly clear - it's a huge problem. by Anonymous Coward · · Score: 0

      You know we have jumped the shark when it is literally impossible to tell if this statement is from the president or Colbert's writers.

  41. Re:Happy Tuesday from The Golden Girls! by Anonymous Coward · · Score: 0

    Confidant. Not cosmonaut. Seriously, I've been seeing this same error in this copypasta for close to 20 years now. Fucks sake.

  42. Re: Happy Tuesday from The Golden Girls! by Anonymous Coward · · Score: 0

    And every time, someone corrects it.

  43. Re:Liberal treason by Anonymous Coward · · Score: 0

    "Re:Liberal treason (Score:2)

    lol for your sake I really hope this is a clever troll. If so, 10/10."

    That's Trump's response to a debate question during the nationally televised presidential debate with Hillary Clinton, live tv broadcast on multiple channels, late September 2016, think the first one of the three.

    It's not liberal treason, it's from candidate Trump, now POTUS, and I'm not sure why you seem to be threatening someone re "for your sake" about it.