Reporters Threatened, Labeled Hackers For Finding Security Hole
colinneagle writes "Scripps News reporters discovered 170,000 records online of customers of Lifeline, a government program offering affordable phone service for low-income citizens, that contained everything needed for identity theft. Last year, the FCC 'tightened' the rules for the program by requiring Lifeline phone carriers to document applicants' eligibility, which led to collecting more sensitive information from citizens. A Scripps News investigative team claims it 'Googled' the phone companies TerraCom Inc. and YourTel America Inc. to discover all of the files. A Scripps reporter asked for an on-camera interview with the COO of TerraCom and YourTel after explaining the files were freely available online. That did not happen, but shortly thereafter the customer records disappeared from the internet. Then, the blame-the-messenger hacker accusations and mudslinging began. Although the Scripps reporters videotaped the process showing how they found the documents, attorney Jonathon Lee for both telecoms threatened the 'Scripps Hackers' with violating the Computer Fraud and Abuse Act (CFAA)."
Try to do something right (Score:5, Insightful)
Re: (Score:2, Insightful)
I'll beat the others to this.
This is one of the reasons why being anonymous is important. This lawsuit is stupid, and since they have a video showing the method, it should be easy to throw out the charge.
Could the reporter have a rebuttal about them taking down the evidence, saying they destroyed evidence pending the lawsuit?
Re:Try to do something right (Score:5, Insightful)
But the reporter can't be anonymous and trustworthy. The press are as full of shit as every other profession, so a reporter needs to put her/his name to it or it's worth as much as an empty cup of coffee. By attaching their reputation (good or bad) to a story they can defend (rightly or wrongly) what they've published.
Re:Try to do something right (Score:5, Insightful)
Sometimes the evidence itself is more important than the source. In the particular case, it sounds like the evidence was strong enough that it wouldn't matter which source it came from.
But the trend with threats and lawsuits against those who discover security holes must stop. That trend is a major threat against data security across the entire IT industry.
People will keep finding security holes. Sometimes you just stumble upon them, without even looking. What are you going to do, once you have found a security hole? Report it and try to get it fixed? Ignore it? Abuse it? If those who do the right thing are going to be the target of threats and lawsuits, that certainly removes incentive to do the right thing. So fewer people will report security holes. And some of those who would have reported it might instead decide to abuse it.
If we ever get to the point where doing the right thing is more likely to get you into a lawsuit than abusing the security hole for personal gain is, then the industry is in big trouble.
Luckily a few companies are taking steps in the opposite direction and are offering cash rewards to those who find security holes. At some point users will have to start taking that into account when deciding what software to trust. But it is a very real problem when the systems you don't trust are those used by any branch of government. You can't just go somewhere else. And the lack of competition has led to situations where security concerns are just ignored.
Re: (Score:3)
Or you know... people could start writing decent secure code to begin with... :)
I mean SQL Injection attacks, and buffer overflows aren't exactly zero days at this point.
Re:Try to do something right (Score:5, Insightful)
Or you know... people could start writing decent secure code to begin with... :)
Did you ever write a program? Did it work the first time, doing exactly what it was supposed/specified to do?
Took a lot of debugging and error correction, didn't it? Even if you are a programming expert.
Now write a program where "what it's supposed to do" includes "not get cracked and used by any malware, known or unknown, past or future".
Think you'll get THAT right the first time? Even if you are a security expert?
Re: (Score:2, Insightful)
if by "not get cracked and used by any malware, known or unknown, past or future" you mean
"not list people's SSN addresses and financial data in a google search result"
then yes i think i can get that right on the first try.
Re: (Score:2)
"not list people's SSN addresses and financial data in a google search result" then yes i think i can get that right on the first try.
And will that stop some fucktard fax monkey from uploading a spreadsheet full of this info to your DMZ where google & everyone else can read it? We don't even know if this was a software fault.
Re: (Score:2)
This is why a good QA team is always worth having. Sure it won't isolate you from every issue, but it should protect you from some of the obvious stuff.
Sometimes the problem isn't even to do with software, but with information policy and what can be placed on a server that is on the outside of a firewall.
Re: (Score:2)
Think you'll get THAT right the first time? Even if you are a security expert?
Well, yes, that's what makes me an expert. However, TFA is about a company putting all of its customer records online, unencrypted and searchable through a simple Google query. There is no excuse for that level of malfeasance.
Re: (Score:2)
Did you ever write a program? Did it work the first time, doing exactly what it was supposed/specified to do?
Did you ever figure that was an adequate excuse?
Not that what you say isn't the truth, because any software that hasn't been shaken down is usually pretty bad, but using the "first time" as an actual reason for insecure software? Completely unacceptable. If you worked for me with that attitude, you might end up in the mail department where you could have an easier job.
Re: (Score:2)
Did you ever write a program? Did it work the first time, doing exactly what it was supposed/specified to do?
Did you ever figure that was an adequate excuse?
Of course not.
Not that what you say isn't the truth, because any software that hasn't been shaken down is usually pretty bad, but using the "first time" as an actual reason for insecure software? Completely unacceptable. If you worked for me with that attitude, you might end up in the mail department where you could have an easier job.
You obviously both
Re:Try to do something right (Score:4, Insightful)
It might take a security expert to write code that works as specified the first time, but it takes a fantastic idiot to put any kind of code in production before it's been debugged and error-corrected.
Re: (Score:2)
"Sometimes the evidence itself is more important than the source. In the particular case, it sounds like the evidence was strong enough that it wouldn't matter which source it came from."
Fortunately there have been a few judges lately who have an actual head on their shoulders, and who have ruled that simply telling somebody their fly is open is not the same as rape.
But these B.S. laws, like CFAA and DMCA, need to disappear. They were ill-conceived and we KNOW that they cause problems. Not little problems, big ones.
I would keep the safe-harbor provisions of DMCA, and scrap all the rest of it. Same with CFAA.
Re: (Score:2)
The law should be modified to ensure the following three properties:
Re: (Score:2)
I have never implied the press should receive special treatment. Anybody who finds a security problem should be free to publish it as they see fit (unless they have entered an agreement about confidentiality, before they found the problem). Of course the right thing to do is to tell the responsible people about it in private, such that they have a chance of fixing
Re: (Score:1)
But the reporter can't be anonymous and trustworthy.
But how can we trust that this is true since you posted as AC?
Re: (Score:2)
and yet people keep falling for the same traps...
Re:Try to do something right (Score:4, Informative)
I want to agree with you here, but what the story simply calls "mudslinging" does give me room for pause. According to their legal representation, this access has happened over the period of several weeks, and they systematically downloaded all the records they could in this period of time while attempting to get into even more nooks and crannies of the servers.
Why would they be sitting on this, continuously prodding the site for over a month while downloading all the records if they were simply practicing responsible disclosure with nothing more than journalistic intent?
You would think accessing even one or a couple of these sensitive files would have been enough to judge that this content is facing the public and should be reported, rather than downloading all they could over the span of a month (and maybe even longer since these access records seemed to be pruned after 30 days).
Re: (Score:2)
The only responsible disclosure is full public disclosure.
Makes you wonder (Score:2)
Never expose any security holes (Score:5, Insightful)
In America, two business principles apply:
1. It is none of your business when shit hits the fan, and
2. It is never our fault.
Re:Never expose any security holes (Score:4, Funny)
...and when those fail:
3. I need to spend more time with my family.
No good deed... (Score:3, Insightful)
goes unpunished.
But of course. (Score:3)
Company Spokesman: Surely you don't think it's our fault.
Company Spokesman: Especially if it's going to cost us money.
Re: (Score:2)
Company Spokesman: Especially if it's going to cost us money, and don't call me Shirley.
Been to the web site? (Score:5, Insightful)
First of all, both these companies' web sites are identical. Second of all, they look like some 14 year old put them together.
Look, this is just some sweatshop lawyer who wrote a $200 threatening letter. The threat has no value, and should be ignored.
Re: (Score:1)
The threat has no value, and should be ignored.
No, it should be forwarded to the relevant authorities (and bar association), the lawyer disbarred, whoever ordered it sent to jail (even only a week actually locked up will do, as long as it also brings a lifetime criminal record) and the company fined an RIAA style figure (e.g. millions) for the threat. Then the company should be prosecuted for disclosing the information in the first place with another RIAA type figure ($10k/person's data leaked should do it).
Re: (Score:2)
No, it should be forwarded to the relevant authorities (and bar association), the lawyer disbarred, whoever ordered it sent to jail (even only a week actually locked up will do...
It's nice to be "outraged", but connection to reality generally drives the actions that people who have something to spend and something to lose do.
A lawyer sending an uppity letter alleging this and that is not illegal. Everyone is entitled to an opinion.
But by all means, become "outraged", it's what the Internet is about these days, not rational clear thinking, apparently.
Re: (Score:2)
There's no threat in there. There's nothing in there actionable for any reason. Even "I find your comments to be so obscene as to be illegal" wouldn't be actionable. Now I'm curious enough, I may have to read the letter in this case. I've seen hundreds, and they are all similarly vague and w
Re: (Score:2)
Actually, if a lawyer letter is incorrect on its face or with a cursory look at the evidence, it should be grounds for sanctioning. They are supposed to keep crap like that out of the court system. And if they argue they never actually intended to take it to court, they admit to serious ethics violations. Lawyers also aren't supposed to use intimidation to win when they know they couldn't win in court.
Quick! Someone Call... (Score:1)
Stephen Heymann and Carmen Ortiz to make sure these nefarious cyber criminals get what they deserve!
PR, lawyer greed, revenge, or abject incompetence (Score:5, Insightful)
I realize these companies have made some seriously bad decisions, and dumb decisions by committee are even worse, but this makes no sense.
Re:PR, lawyer greed, revenge, or abject incompeten (Score:5, Insightful)
If they were "hacked" then the folks whose data was leaked blame the wily hackers. If they let it stand that the data was just freely available on the web, it's a liability to the telecoms involved; i.e. "it's not our fault, it's THOSE guys."
Re: (Score:3)
I suspect that it's a mixture of technical cluelessness and PR. The people who actually made the mistake that led to the records being exposed probably realize (now; I'm sure it was either an oversight or 'just temporary' at the time) that they fucked up; but they have little to gain by pointing that out.
People higher up the food chain probably have only the haziest distinction between 'something I didn't want happening' and 'something that you circumvented an access control to achieve' and, again, not much
Re: (Score:1)
Reminds me of: http://www.despair.com/meetings.html
WGET? The Devil's Tool! (Score:5, Funny)
Lee added that the Scripps Hackers eventually used Wget to find and download "the Companies' confidential files." (Wget was the same tool used by Facebook's Mark Zuckerberg in the film The Social Network to collect student photos from various Harvard University directories.) The rest of the letter pretty much blamed the "Scripps Hackers" for the cost of breach notifications, demanded Scripps hand over all evidence as well as the identity and intentions of the hackers, before warning that Scripps will be sued.
Folks, there was a big bad security breach [yourtelamerica.com]. Now, *adjusts his massive belt buckle* we're investigating this like we would any other serious crime. And right now we're just trying to identify weapons used in this heinous attack. Now, we've discovered that the hackers were using [documentcloud.org] a very vicious mechanism in this attack. In a murder, you might find a revolver used to put two bullets into the back of a poor old defenseless lady's skull in order to get all her coupons and a couple of Indian head pennies out of her purse. Or perhaps in a pedophile case, you'll find the "secret candy" that was used to lure the children into a white panel van with painted over windows.
... let's go down to Scripps and put all this computer business behind us. Okay?
*expels a long tortured sigh*
Well, I gotta say, in my thirty years on the force, I wish we were only dealing with something like that today, honest to God Almighty I really do. Instead this artifact was discovered at the scene of the crime [huji.ac.il]. Now, I'm not asking you to understand that -- hell, I'd warn you against even openin' up your browser to the devil's toolbox. But let me, a trained law enforcement professional, take the time to explain the gruesome evidence just one HTTP request away from you and your chillun'. The page is black. Black as a moonless night sky when raptors swoop from the murky inky nothing to take your kids and livestock back up with them silently. On it is a bunch of white text that makes no sense to any God fearun' man on this here Earth. That's what they call a "man page" probably because it is the ultimate culmination of man's sin and lo and behold it displays a guide to exact torture on innocent web servers across this great and holy internet.
Even if you want to use this "man page" for WGET to learn how to use Satan's server scythe, you would have to read through almost twenty pages of incomprehensible technobabble like what that kraut over in Cali -- the one who took his wife's life -- spoke. And if you want to just see an example, it's not at the top! No, why, it's all the way down at the bottom. For this one, they don't even have examples. Just enough options to kill a man. Probably gave Steve Jobs cancer, they never proved all these options in these pages didn't. Buried in the mud of a thousand evils lie more evils.
And why, oh why are we even wasting taxpayer money on these Scripps Journos? Who needs a trial when the evidence is in the tools they used? Folks, I think it's time we WGET one last thing, I'll WGET a rope and you WGET your pitchforks and torches
Re: (Score:3)
the nerve of those... terrorists?
Re: (Score:1)
For me, I heard Buford T. Justice's voice...
Re: (Score:2)
I read this in the voice of Sheriff J.W. Pepper (see The Man with the Golden Gun and Live and Let Die)
Buford T. Justice is also acceptable.
Re: (Score:2)
Is this a screenplay? CIS:Tennessee?
Re:WGET? The Devil's Tool! (Score:5, Interesting)
Wow, I'm scared to fire up my console now. GUIs only from now on for me - I had no idea that I was invoking the devil with my black background and myriad switches and parameters passed!
Having been a "builder" from a very young age, I can identify with being considered "heathen" for being able to connect things that other people had no idea could work together (yet obviously could work together - for example I've used a decent amp and speakers with whatever source was playing since I left home, but using the AUX input with my NICAM video recorder was blasphemy to my parents - and connecting the computer (Amstrad CPC464) to the speakers must have been like summoning demons - because they put a stop to that quickly - and no, it wasn't loud either.)
This perception of me as "hacker" carried on through school and college. Despite me having more integrity than anyone else around me at the time, and an innate sense of "right" and "wrong" and natural justice, I found myself distrusted because people couldn't understand how I did the things I did with so little (and such a crap background. Computer books were NOT on any shopping lists. I had the CPC464 manual, and POKE.)
Re: (Score:2)
Are you sure about the genesis of PEEK/POKE? I was using them in Integer BASIC, before MS came out with Applesoft.
Re: (Score:2)
Locomotive Software called. They want their code back...
Typical distraction (Score:5, Insightful)
Call 'em hackers enough time, and people will be distracted by their alleged malice to the point where they forget or don't even believe anymore that the files were literally just out there for anyone to see. It's like leaving a $100 bill on the sidewalk and waiting to see who turns it in at the lost and found so you can call 'em a thief to distract from your own leaving it lying around.
Re: (Score:2)
Click this link from your seats... ...
That's right!
You get to be a Hacker,
And You get to be a Hacker,
And You get to be a Hacker
Re: (Score:2)
What the fuck. Entrapment of the worst kind. I guess they're following the FBI's game, catching made up criminals is far easier than actually catching criminals.
Left the goods out for anyone to see (Score:1)
The management of First & Only Bank would like to let everyone know that all the money has been piled on the front lawn, and also that they're very upset that it has been disappearing.
So if you are a robber, please don't take the money. It's very rude.
The money has been placed on the front lawn to get it out of the way while the vault is being repaired.
Mandatory study for Lawyers and Judges... (Score:5, Insightful)
Re:Why use wget? (Score:5, Insightful)
1. wget is just a means to automate. Would you type all the URLs manually?
2, 3, 4. As insecure as anybody else downloading it. They have no duty of care that publicly available data that shouldn't be publicly available is not publicly available.
5. A blurred screenshot allows plausible deniability. After all, the blurred bits could be anything. It could even be a completely different page blurred in Photoshop to smear the good name of these dickheads^W fine upstanding members of the community.
If they have a complete data dump, it is most likely someone else does as well. Someone who is more interested in profiting from shoddy practices.
over the top but! (Score:1)
Re: (Score:2)
And the other side of that coin is finding it and reporting it. Then checking back x time later, where they did nothing and then say, "why were you looking again?"
How about:
1) To find out if the data was pulled down yet.
2) To be even nicer guys by waiting until the data WAS pulled down to run the story that would give tens of thousands of identity thieves a valuable present.
Re: (Score:2)
So you would prefer they'd taken all the data and kept quiet about it?
No. Full disclosure is warranted because full access was granted. It's not like just a few details were available. Fuck them for allowing this to happen. Fuck them serially and severally.
First they came... (Score:4)
First they came for Weev. ...
Then they came for the reporters.
Re: (Score:3)
Then they came for the reporters.
This is good news (Score:5, Interesting)
FA (Score:1)
Good Deeds (Score:2)
No good deed goes unpunished
Good luck with that... (Score:1)
Using google (Score:1)
Use google to find information, use that information to exploit certain weaknesses in a system. Isn't that exactly what hackers do? How are they not hackers? Because they also wear the hat of news reporters? Maybe that's what current hackers have been doing wrong. They need to get jobs as reporters.
Streisand calls in Anonymous? (Score:2)
The records were never there (Score:1)
Re: (Score:2)
I feel with the people in the affected areas and wish the religious intolerant (or is it intolerable?) would no longer be allowed to use others' misery for their own sick agenda.