Slashdot Mirror
White House Officials Tricked By Email Prankster (cnn.com)
Jake Tapper, reporting for CNN: A self-described "email prankster" in the UK fooled a number of White House officials into thinking he was other officials, including an episode where he convinced the White House official tasked with cyber security that he was Jared Kushner and received that official's private email address unsolicited. "Tom, we are arranging a bit of a soiree towards the end of August," the fake Jared Kushner on an Outlook account wrote to the official White House email account of Homeland Security Adviser Tom Bossert. "It would be great if you could make it, I promise food of at least comparible (sic) quality to that which we ate in Iraq. Should be a great evening." Bossert wrote back: "Thanks, Jared. With a promise like that, I can't refuse. Also, if you ever need it, my personal email is" (redacted). Bossert did not respond to CNN's request for comment; the email prankster said he was surprised Bossert responded given his expertise. The emails were shared with CNN by the email prankster. White House officials acknowledged the incidents and said they were taking the matter seriously. "We take all cyber related issues very seriously and are looking into these incidents further," White House press secretary Sarah Huckabee Sanders told CNN.
Or in jail. I would never dare to even attempt something like that. Hurting a powerful person's pride/"face" is just about the dumbest thing you can do... if you aren't also (very) powerful..
Let me get this straight. John Podesta gets fooled by a phishing attempt and suddenly the Russian government colluded with Trump to steal the election that Clinton was promised, but when someone in the Trump admin gets fooled by an email it's just a harmless prankster.
Trump has a sonâ"heâ(TM)s 10 years old. He has computers. He is so good with these computers. Itâ(TM)s unbelievable.
"I promise food of at least comparible (sic) quality to that which we ate in Iraq"
Really, who talks like that. This a is a member of the Trump White House staff.
"Good food, better food than Iraq. Food will be greatest food, simply the best, I promise." seems a little less suspect.
"Thanks, Jared. With a promise like that, I can't refuse. Also, if you ever need it, my personal email is" (redacted).
A "food" promise will work most of the time.
Now, just suppose it were something to do with [propositioning] the fairer sex! Now, that would have been a scandal big time.
My take: Those folks are lucky, for now.
A good many Republicans trashed the DNC for their "lax security". Crow soup anyone?
Table-ized A.I.
Poor kid is going to get swatted in 3... 2... 1...
One bloke in the UK = the UK did it? This place gets dumber all the time. Holy shit you live in a fucking cartoon world, dumbass.
I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
lol for your sake I really hope this is a clever troll. If so, 10/10.
I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
Has never been known for being tight-lipped.
Take that as you will. It literally works both ways. The unspoken way is likely true given her behavior.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
PGP was introduced in 1991. Now it's 2017 and we still don't know how to make sure we are talking to the person we think we are talking to. *weep*
It was tagged [Suspected Spam], how could it NOT have been a legit email?
How much stupider can these people get?
"En vogue". lol. The guy redacted the email address. What other information came out of this, apart from revealing the incompetence of a Homeland Security adviser?
I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
SMIME certificates do help. :)
Life is not for the lazy.
"A self-described "email prankster" .. wrote to the official White House email account of Homeland Security Adviser Tom Bossert .. the email prankster said he was surprised Bossert responded given his expertise"
What expertise? Have these people never heard of encryption and digital signatures, cause using standard email mean anyone can read your email or impersonate a real person. But then again these are the same people who decided to run Homeland Security on Microsoft Windows.
You elect amateur hour, you're gonna get amateur hour.
Obliteracy: Words with explosions
Hey if Whitehouse staffers are so dumb and uninformed when it comes to basic OPSEC then I think we'd better have the FBI investigate whether they're using private email for official purposes, too, just in case!
The fact that people can be fooled in this way in this particular organization. That's actually useful. The guy might be making an ass of folks, but that's harmless; people can do the same thing to cause harm. By his actions, he's made people more-vigilant; however, they need to take this information and instill permanent policies, as that vigilance is only temporary.
Support my political activism on Patreon.
camp gimo and you are not an USC so no jury!
Jared Kushner
He probably just saw light blue "Jared Kushner". This kind of information hiding crap is getting more pervasive all the time. The same goes for file extensions "FamilyPhotos.jpg.exe"
The fact that people can be fooled in this way in this particular organization. That's actually useful.
That would depend on how the facts get presented and what opinions and position accompany the facts.
The guy might be making an ass of folks, but that's harmless; people can do the same thing to cause harm.
Absolutely, this guy could have done this for personal gain and causing harm to others. Oh wait, isn't that exactly what happened?
By his actions, he's made people more-vigilant; however, they need to take this information and instill permanent policies, as that vigilance is only temporary.
Right on, CNN is now out educating people about the dangers of fishing and teaching everyone how to read mail headers and verify! Oh wait, that is not what they are doing. They are using it to bash an administration that they dislike and have bashed since election day.
I'll close similar to how I opened. The fact that this worked is not a surprise really, because we see successful fishing attempts all the time. How the information of a successful attack is used differs. The Media could have done this differently, but I expect nothing but repeated bashing from not just CNN but all US media without any public service (education).
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
Meanwhile a Fox reporter is suing Hannity and Fox 'News' for making up the Seth Rich story.
Apparently it was cooked up to kill the Russia inquiry and he didn't like them faking quotes from him to give it credence.
If Seth leaked the emails to Wikileaks, then the Russians are innocent, which was the aim of Hannity, clear the Russians of involvement in the hack by pinning it on Seth:
"Congress, investigate Seth Rich Murder! @JulianAssange made comments u need to listen to! If Seth was wiki source, no Trump/Russia collusion https://t.co/QPHZwypU34
— Sean Hannity (@seanhannity) May 22, 2017"
Which is why it is such a big deal that Hannity, Mooch, Trump and a former Fox executive were having a dinner. It explains why Mooch flew off the handle over what should have been an innocent meal.
Sigh. It's always the same, there are always people who will side with Putin if he offers them money or power, even if they are undermining their own country. Hannity should be ashamed, but he is ashamed all the way to the bank.
s/fishing/phishing/ good grief, sometimes multitasking is really bad.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
Front-facing vs. "private" emails... and expecting that to prevent this sort of thing is security through obscurity. Even the private addresses would probably follow a pattern or be discoverable by some relatively benign process. As to any objection like "these people don't have time for all this email": I would guess a lot of these people have all too much downtime available for checking emails when they are flying around the world, waiting for meetings to start, etc, especially since the devices necessary to do this stuff now fit in your pocket and can connect to the network from almost everywhere. And since they are often extreme narcissists and the like, of course they are going to want to connect with their fellow power hungry weirdos.
I do not have a signature
What's with US politicians and email?
Don't they know it's like postcards that can be written by any idiot?
I guess not.
One bloke in the UK = the UK did it?
But we know the UK did it; the attack came from a UK IP, and we have many reasons to believe the UK could benefit from it. They probably have lots of evidence, we're just not allowed to see it because we're just common citizens.
Of course, I wouldn't trust a paid UK astroturfer to see reason.
SMIME certificates do help. :)
Could help, but they don't.
My company uses them and requires us to use them, except when they don't. The problem, IMO, is that the email clients don't alert when there is no signature. They add a tiny icon if a signature is present and valid. They add a warning if the signature is present but invalid.
What is needed is something akin to HTTP's Strict-Transport-Security header. IE. once your email client receives a valid signed email from a particular user, it will then require all email from that user to be signed, or it will put up a giant error/warning. Otherwise, a forged email will come through and look perfectly fine, just no sig, which the user never really cares about anyway.
After that is put in place, then have an option to warn on the lack of a sig from all emails, and maybe a way to whitelist some (ex. for automated emails from amazon).
Pretty sure that spear phishing is a crime [...]
It probably comes under the generic catch-all, "Fraud." I'm not sure there's anything specific about spear-phishing...
"So we had to get very, very tough on cyber and cyber warfare. It is a huge problem. I have a son—he’s 10 years old. He has computers. He is so good with these computers. It’s unbelievable. The security aspect of cyber is very, very tough. And maybe, it's hardly doable. But I will say, we are not doing the job we should be doing. But that’s true throughout our whole governmental society. We have so many things that we have to do better, Lester. And certainly cyber is one of them."
My beliefs do not require that you agree with them.
he went to CNN with the intention of damaging the organization that he attacked
Exposing stupid actions is not "damaging".
Absolutely, this guy could have done this for personal gain and causing harm to others. Oh wait, isn't that exactly what happened?
Even criminal hacking is delineated by financial damage and, usually, criminal intent (mens rea). If you can't show more than $5,000 of damage, the FBI generally doesn't care.
Calling you a giant douchebag causes harm to others: you get your feelings hurt and feel bad for a little while. Psychological pain tends to cause maturation--even traumatized soldiers develop more mature defense mechanisms (they grow up and become actual adults) compared to people in the service with less or less-traumatic combat experience--but that's not generally a good excuse for tormenting people. Typically, we scale the torment: are you an asshole, or a malicious actor inflicting extreme psychiatric harm?
This guy's "personal gain" was some Internet fame. That's distinct from the usual meter of personal gain as a transfer from others: criminal "personal gain" implies you took something from someone else, so their loss is your gain. That's how scams work: you invest a bunch of money and I run away with it without delivering to you the benefit of which I've convinced you you'll receive.
So there isn't a viable harm or personal gain argument here; there's only a possible procedural complaint.
Right on, CNN is now out educating people about the dangers of fishing and teaching everyone how to read mail headers and verify! Oh wait, that is not what they are doing. They are using it to bash an administration that they dislike and have bashed since election day.
CNN is attempting to draw attention for personal gain, and laying out a narrative to influence thought. The Internet vigilante in this story was being a huge dork to amuse himself. The question was what information came out of this, not what service he offered; he didn't release private information (which shows an intent to not cause harm), and didn't provide a service. What's left? Only what we can derive from the experience--and it is an observable fact that the people and the staff around those people who got caught up in this are now asking questions beyond "how do we hang this guy for embarrassing us?", so they have themselves derived specific information. The fact that they need to continue this process to make use of said information is also important.
Support my political activism on Patreon.
This guy's "personal gain" was some Internet fame.
Not quite. You do realize that TV shows quite often _pay_ for people to appear. There is of course what you mention with internet fame, but I'll add that the person also gained "media" fame for paid appearance even if he didn't get paid this time. Book deals, interviews, etc... That he didn't get information to hack into a bank account or commit direct blackmail does not mean he doesn't gain financially by releasing the information to a media outlet.
If the motivation was truly altruistic as you are attempting to imply, he could have released the information anonymously.
CNN is attempting to draw attention for personal gain, and laying out a narrative to influence thought
On this we agree.
I think we disagree on principle, where I don't subscribe to moral relativism. You may not see this issue as moral relativism if you assume the person released the information because of altruism. I gave the reason why I don't believe it was altruistic.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
True. But the entire point is to validate an incoming e-mail isn't a phishing message with forged headers. An SMIME cert will help shed light on that. So yes, it does require a level of situational awareness by the end-user of the e-mail client including knowledge that x-employee is configured for using SMIME as well. In a small office, it's a non-issue. In a fortune 500, yeah, major PITA I would imagine.
FYI, if your e-mail is hosted in Office 365, you an minimize phishing attempts via the following Exchange settings.
Exchange admin center --> protection --> spam filter --> (edit default policy) --> advanced option -->
SPF record: hard fail: On
Conditional Sender ID filtering: hard fail: On
NDR backscatter: On
Life is not for the lazy.
You're going out to ridiculous lengths. It's like when ProPublica claimed Red Cross's "real overhead" is 40%, not the 9% they publish, because "they hire contractors, who have overhead." Well shit, son, the people doing the work get paid; that's overhead, and they should work for free!
I think we disagree on principle, where I don't subscribe to moral relativism.
Moral relativism is a matter of whether the same exact action is moral or amoral based on the society's culture and, essentially, how common it is, and if the society at large accepts it. The large problem with moral relativism is you can oppress a subculture (e.g. all women, blacks, Jews) and have your society at large accept things like rape and murder, while as an explicit part of the social structure a definable group of people are not afforded the security society is supposed to offer.
Moral relativism doesn't have anything to do with scale or intent, which is what's described here. You claim that, somewhere down the line, this guy profited. Well, you profit from having a job, and there are limited jobs available due to demand economics, and more people than jobs. People are suffering and dying because they don't have jobs; by your extreme reasoning, you are a murderer for taking a job which would have otherwise supported another person who now struggles to find food, or who is now dead.
Support my political activism on Patreon.
Wait, you accuse me of going to ridiculous lengths talking about the same guy and his actions while you have to jump to a NGO which didn't do anything at all similar to this person? Who is going to ridiculous lengths to justify their opinion exactly? What we have here is called a case of projection.
I don't believe you fully understand moral relativism. Moral relativism is changing the rules when you believe it suits your position or beliefs instead of from a position of pure good/evil, true/false, justice/injustice. Scale can be a factor used in moral relativism, but certainly not the only way people manipulate morality to fit their particular belief.
I gave the example of the person who gave the information to CNN being altruistic. Doing so anonymously. I further gave how media could have used the information in a positive way. Not altruistic by any stretch of the imagination, but more beneficial to society. You have not countered my example of those two entities (the only two in the story). You use gross generalizations which include the famous appeal to emotion "people are suffering and dying because they don't have jobs" and an NGO. WTF?
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
You use gross generalizations which include the famous appeal to emotion "people are suffering and dying because they don't have jobs" and an NGO. WTF?
No, I'm comparing the non-government organization (ProPublica)'s arguments to yours, and carrying them to completion, as a way to demonstrate your argument in a more-relatable context.
You claim that this person's actions can provide him a potential monetary benefit somewhere down the line, thus he has taken action for personal gain, regardless of all other factors or circumstance. I pointed out a similar claim made by someone else about cost overhead, and carried it out to its conclusion (that people's wages are also "overhead" and they should just work for free), and then carried that conclusion even farther into the absurd to demonstrate that your personal actions are the cause of somebody's suffering and, likely, somebody's death, all for your own personal financial gain by securing employment.
Your argument was that ridiculous. I made a square comparison to it.
I don't believe you fully understand moral relativism. Moral relativism is changing the rules when you believe it suits your position or beliefs
Actually,
Moral relativism may be any of several philosophical positions concerned with the differences in moral judgments across different people and cultures.
Moral relativism requires that exactly the same situation placed into the context of two different cultural groups be viewed as differently-moral. If you're trying to re-define air as "the liquid form of dihydrogen monoxide, generally occurring at standard atmospheric pressure between 0C and 100C", nobody's buying it.
Support my political activism on Patreon.
No, I'm comparing the non-government organization (ProPublica)'s arguments to yours, and carrying them to completion, as a way to demonstrate your argument in a more-relatable context.
Okay, I'll play along for now.
You claim that this person's actions can provide him a potential monetary benefit somewhere down the line, thus he has taken action for personal gain, regardless of all other factors or circumstance.
What other factors or circumstances? The person did, or did not take action for personal gain. As stated twice previously, if the action was not for personal gain they would have reported in a different fashion, and probably to a different location.
Your "other factors or circumstances" is exactly what I referred to as moral relativism.
Example: If you see a 100 dollar bill on the ground and pick it up and keep it, you either did or did not commit the act. Whether the 100 dollar bill came out of a millionaires pocket, or is the life savings of a homeless addict on the street makes no difference.
I pointed out a similar claim made by someone else about cost overhead, and carried it out to its conclusion (that people's wages are also "overhead" and they should just work for free), and then carried that conclusion even farther into the absurd to demonstrate that your personal actions are the cause of somebody's suffering and, likely, somebody's death, all for your own personal financial gain by securing employment.
What is absurd is trying to establish this persons actions as a moral equivalence to an NGO's overhead.
Simple questions we can arrive at using the Socratic method. I didn't elaborate this at the start, but assume most people can get to them on their own. No moral equivalences or relativity, simple yes or no.
1. Did the person release this information for personal gain?
2. Did the media use the information as a public good to teach people the dangers of phishing and how to avoid being a victim, or or to put out a negative message about the information source?
I have yet to see you actually defend the person who gave the data to CNN or defend the Media for their altruistic use of the data.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
the entire point is to validate an incoming e-mail isn't a phishing message with forged headers. An SMIME cert will help shed light on that.
Close, but wrong.
The S/MIME signature applies to the message body. That does NOT include any of the headers (and note, "Subject" is a header, not part of the message body).
As an example, I have actually done the following and can assure you this is not only possible, but trivially easy:
* have someone send you an S/MIME signed email
* send that back out, forge the FROM address to that users address rather than your own, and modify the Subject to something obscene, and set the TO address to anywhere you like
* that email will send just fine, it will go to an unintended recipient, and the subject will be altered, but the message signature will say it's valid.
That scared the crap out of some of the IT folks I know, who assumed that the to/from/subject were also protected by the signature. It's scary because the recipient will very likely assume that the original author wrote that subject line and sent it to them, because the little lock icon says so. Fixing this should only require education so people know that's the case, but we (as tech folks) should be doing a better job in that area.
What is absurd is trying to establish this persons actions as a moral equivalence to an NGO's overhead.
You're dodging that I've used your own reasoning to equate your continued existence as murder.
What other factors or circumstances? The person did, or did not take action for personal gain.
A person may, knowingly and willingly, hack into a bank, steal credit card numbers, and make purchases. This will deprive a retailer of money (the person whose card they use will be compensated; the merchant takes the burden). That, in turn, reduces revenue streams. In aggregate, this acts as a form of risk, increasing costs, thus increasing prices of goods. That lowers the number of goods people can afford. In the case of critical basic-needs goods like food, it pushes adequate means of survival out of the reach of some people. In any case, this lowering of affordability of goods reduces the number of jobs supportable, thus causing unemployment, poverty, suffering, and death.
This person has, knowingly and willingly, inflicted harm on others: he has transferred the property and the means of survival away from another person to himself through his intentional actions.
In this case, a person, knowingly and willingly, framed himself as someone else to amuse himself and embarrass another person. His actions were constructed to not deprive the other person of any material good or draw additional harm to them (such as release of e-mail addresses et al, which would lead to the destruction of a personal account which has now become general public knowledge--kind of like if I posted your phone number all over Reddit so you get shitloads of text messages). Thus he has not taken action to forcibly transfer an asset from one person to himself, or to cause injury to a person or institution and draw a profit to himself through said infliction.
There are also equivalents, such as political satirists who draw cartoons which criticize a party or policy. As with this guy, they cause public thought and dialogue for which the administration must answer.
There's a difference between all three of these, really. The latter two are fairly-similar, and each carry enormous distinctions from credit card fraud.
No moral equivalences or relativity, simple yes or no.
I can do that too.
1. Do you consume the resources of survival (employment, monetary compensation, food, shelter) which are available in limited quantity and of which another person is deprived?
2. Are other people suffering and dying due to not having access to the limited resource which you consume?
If yes, you are a murderer. As such, our social justice system should tie you to a large rock and throw you into a river. By using the Socratic method as you've portrayed it, I have proven you deserve to die.
You cannot defend yourself against this conclusion without sacrificing your position.
Support my political activism on Patreon.
Was the email provided the one used for official communication or just the personal one on the work server?
I have email for biz and email for other stuff. I have no compunctions about sharing my "other stuff" email address even if that means I need a third party spam manager on that address. (gad, the GP email gets a couple of hundred posts a day of which about 20 are of interest - including the daily cartoons I like. The work email; about six posts and those are very pertinent to projects.)
Someone contacts you. Claims to have worked with you on Project ABC. Sharing an email for further contact and vetting seems reasonable to me. It is not like having an email address gives access to a network. I think the telling thing is the fellow was fooled into sharing his "PRIVATE" email address. Who cares if a person's private email gets put on the megaspam list?
NRRPT/RCT
You're dodging that I've used your own reasoning to equate your continued existence as murder.
Perhaps in your own mind, but no you have not. Your assertion that this person doing something and giving that data away for personal gain is the equivalent to a person who works for an NGO and counts as overhead is simply ludicrous. The reductio ad absurdem to claim I am a murderer is based on your former fallacious logic. Fallacy of a Fallacy != logical, it makes you more irrational..
I have repeatedly provided the way to reference my point in debate, and given you two questions to answer. Lets see if you did, or if you are just running in circles as to avoid a basic moral question.
And reading further, you simply ignored the basic questions about TFA and continue on your ludicrousness. If your position was close to rational I'd say "good troll", but as is I can't tell if you are trolling or mentally deranged.
Good luck to you, and I hope you find medication.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.