
Hackers (Or Pen-Testers) Hit Credit Unions With Malware On CD

timothy posted about 5 years ago | from the please-avoid-mine dept.

Security 205

redsoxh8r writes "Online criminals have taken to a decidedly low-tech method for distributing the latest batch of targeted malware: mailing infected CDs to credit unions. The discs have been showing up at credit unions around the country recently, a throwback to the days when viruses and Trojans were distributed via floppy disk. The scam is elegant in its simplicity. The potential thieves are mailing letters that purport to come from the National Credit Union Administration, the federal agency that charters and insures credit unions, and including two CDs in the package. The letter is a fake fraud alert from the NCUA, instructing recipients to review the training materials contained on the discs. However, the CDs are loaded with malware rather than training programs." According to the linked article, the infected CDs were (or at least may have been) part of a penetration test, rather than an actual attack.


205 comments


I actually saw one of these.... (5, Informative)

Shakrai (717556) | about 5 years ago | (#29225059)

One of my consulting clients is a small (<$10,000,000 in assets) credit union. The disk was mailed directly to the CEO. According to him the letter contained therein actually resembled the form and structure of NCUA correspondence but had grammatical errors. I find it amusing that someone would go to such lengths to forge US Government correspondence but not bother to run spell check and/or proof read the letter.

Thankfully he knew better than to load random CDs received in the mail and gave me a call. The Secret Service actually came down and collected both the letter and the CD. They are taking this seriously. I hope they catch the bastards. Mail fraud, financial fraud, computer fraud and forgery. What have I missed?

Re:I actually saw one of these.... (5, Funny)

CannonballHead (842625) | about 5 years ago | (#29225075)

Mail fraud, financial fraud, computer fraud and forgery. What have I missed?

We're on Slashdot. At least insult them properly: they probably use Windows.

Re:I actually saw one of these.... (5, Interesting)

Shakrai (717556) | about 5 years ago | (#29225337)

The backend software package used by this particular credit union actually runs on Linux and Oracle. All but one of the workstations run Linux too. The holdout is a Windows 2000 machine that they keep around for some legacy software that they haven't been able to replace. The tellers don't even realize it's Linux because they are locked into the interface for the management system and can't navigate out of it. The loan officers can navigate out of it but the only other applications they have access to are Open Office and a handful of white-listed websites (webmail, credit scoring and a few compliance sites).

That's actually how I got the gig -- I was the only local person who responded to the CEO's bid who had a meaningful amount of Linux experience. He inherited the platform from his predecessor and wasn't inclined to spend the money to migrate to something else. AFAIK the vendor for his software doesn't even offer a Windows server option, although they do have a Windows option for the clients. They had previously used this option until I showed them how much they were spending on software licenses.

I wish I had been able to copy the CD and play around with the trojans in a sandbox but we were instructed not to touch it after we called the proper authorities. It would have been interesting to see what they were all about and where they are phoning home.

Re:I actually saw one of these.... (2, Insightful)

dltaylor (7510) | about 5 years ago | (#29225489)

home-brew apps or off-the-shelf package?

if OTS, whose is it?

Re:I actually saw one of these.... (5, Funny)

shentino (1139071) | about 5 years ago | (#29225179)

Actually, mimicking government incompetence is a necessary step to enhancing its value as a forgery.

Re:I actually saw one of these.... (0, Flamebait)

Jurily (900488) | about 5 years ago | (#29225225)

The Secret Service actually came down and collected both the letter and the CD. They are taking this seriously.

Proving once again that debt institutions have a priority over everything else. Except maybe oil companies.

Re:I actually saw one of these.... (5, Informative)

Shakrai (717556) | about 5 years ago | (#29225383)

Umm, do you know what the definition of a credit union is? It's a member-owned cooperative financial institution. It's not a "debt institution". They loan money at extremely competitive rates and have no direct profit incentive other than the goal of paying a competitive dividend (interest) on their members' deposits.

Go find one in your local area. Most of them are much more pleasurable to do business with than any bank. Community banks occasionally match them for customer service but no national bank ever will. I've yet to have one of my calls to my credit union answered in India or to have the interest rate on my credit card jacked up just because they can.

Re:I actually saw one of these.... (1)

maxume (22995) | about 5 years ago | (#29225449)

They generally pay pretty meager interest on deposits though (My primary financial institution is a credit union, I'm just sayin').

Re:I actually saw one of these.... (5, Interesting)

Shakrai (717556) | about 5 years ago | (#29225553)

That really depends on the credit union and how they conduct their business. I just bought a bunch of 10 month CDs from my credit union at 2.75%. They run a promotion every year offering a "special" CD rate and it's always been extremely competitive. I couldn't even match this particular offer at the online only banks like ING Direct.

Their standard rates are competitive with the other local brick and mortar institutions. They might get beaten by a few of the big boys and the online-only institutions but the flip side to that is that none of those institutions can even come close to the loan rates offered by my credit union.

Re:I actually saw one of these.... (1)

maxume (22995) | about 5 years ago | (#29225655)

My CU is currently paying 1.9% on a 1 year CD, and 0.25% on a savings account. The former GMAC does pretty good against that (though they offer very few services with an account):

http://www.ally.com/index.html [ally.com]

I have to admit, I haven't shopped it around much (I don't have enough money for 1% to matter a great deal, and my money is earned and spent a great deal faster than it is compounded), but I don't really think I missed the mark.

Re:I actually saw one of these.... (5, Funny)

Mozk (844858) | about 5 years ago | (#29225759)

I just bought a bunch of 10 month CDs from my credit union

Doesn't AOL give out 10-month CDs for free?

Re:I actually saw one of these.... (0, Offtopic)

Hurricane78 (562437) | about 5 years ago | (#29226675)

Problem is: It's still a loan. With a rate. It's still ethically unacceptable, because there is always at least one of those who get one, who will not be able to pay it back. (Where would those extra percents of money come from, when all money is just passed on, and never created?)

I stopped using banks as much as I can. Which means that I immediately withdraw everything that's landing on my one bank account, and only sign a contract for such an account, if they guarantee to me in writing, that they will never ever give me a credit, loan, or any money I don't own. (Which is easy, if you know what kills their trust to lend you money. ^^)

I invest only in real physical things that raise in value. Gold was an excellent thing to invest in, in the last years. Because as in every "recession", it's only a recession, if you are in their game, playing it, and things like gold and silver rise like crazy, giving you huge (relative) profits, if you're not.

Re:I actually saw one of these.... (2, Informative)

lysergic.acid (845423) | about 5 years ago | (#29225831)

Yea, I think more people would bank at credit unions if they knew about them. I'd never heard of a credit union myself until I went to college (in Urbana-Champaign, IL of all places). Actually, I thought that "credit union" was just the name of a popular banking chain in the Midwest, like Wells Fargo or Bank of America or something. It wasn't until my roommate explained to me what a credit union was that I actually learned what they were.

Frankly, I'm kinda surprised that the Midwest has so many power co-ops and credit unions while the part of Southern California I live in has neither. Maybe the poorer communities here have never heard of them or don't have the resources to set them up, while the rich communities just don't care for that sort of cooperative community organization (I suppose stocks, private equities, and off-shore bank accounts pay better).

Next we just need to extend the idea of credit unions & power co-ops to telecommunications, so we'll finally have decent broadband and mobile phone service that doesn't screw over consumers.

Re:I actually saw one of these.... (1)

Ron Bennett (14590) | about 5 years ago | (#29225895)

What you describe is what credit unions are supposed to be. The reality for many of them is very different.

Many credit unions spend a bundle on advertising, including in public schools, and charge numerous fees much like for-profit banks do.

A prime example is Discovery Federal Credit Union in Berks County Pennsylvania - they aggressively advertise, charge lots of fees ( https://www.discoveryfcu.org/disclosure-main.html [discoveryfcu.org] ), and even bought naming rights to the Wilson *public high school* gymnasium.

In regards to the malware CDs, they are in a sense, though not intended as that by the thieves, a great training tool on computer security; test of how well their computer policy is followed, including by high-level management, who often feel none of the policies apply to them; very costly mistake in the computer realm.

Ron

Re:I actually saw one of these.... (1)

Shakrai (717556) | about 5 years ago | (#29226537)

Many credit unions spend a bundle on advertising, including in public schools, and charge numerous fees much like for-profit banks do.

I wouldn't say "many" but there are a few that behave in this manner. Our local large credit union [visionsfcu.org] behaves like this. They charge you a fee each time you swipe your debit card and use the pin instead of signing for it. They charge a fee for their billpayer service. They charge you a fee for exceeding a certain number of teller transactions per month. They have a huge advertising budget. TV Commercials, billboards, promotions with local businesses, etc, etc.

By contrast, the credit union from the small town in which I grew up does none of this. Every single service they offer is fee-free. Free billpayer, free debit card regardless of how you use it, free ATM usage, etc, etc. They advertise a little bit but mostly in the small town fashion, i.e: on placemats/coffee mugs at local restaurants, in the town newspaper, at the little league field, etc. They are still my primary financial institution in spite of the fact that I have long since moved out of that town and have to conduct the bulk of my business by mail. I keep a savings account at a local bank so I can cash checks but other than that everything goes through my credit union.

I think like any institution a credit union is more prone to losing sight of its original mission as it grows. Eventually it becomes more about protecting the institution than it does fulfilling the original mandate. It doesn't happen all the time but the behavior that you describe seems to be more common among the larger credit unions than the smaller ones, at least in my experience. The nice thing with credit unions is that you can still find ones that are committed to serving their members and which haven't lost sight of the reason why they exist.

Re:I actually saw one of these.... (1, Offtopic)

rtechie (244489) | about 5 years ago | (#29225947)

It's not a "debt institution". They loan money at extremely competitive rates and have no direct profit incentive...

They are a "debt institution" because they loan money at interest (usury). Their non-profit status is not relevant.

To argue that they have "no profit incentive" is highly misleading. Like most nonprofits and charities most credit unions have EXTREMELY well-compensated executives whose compensation is based on how much money the credit union makes. So the employees (not the members per se) have a profit incentive. I'd also point out that in most nonprofits executive nepotism is rampant (it's not uncommon for ALL of a nonprofit's executives to be related somehow).

Re:I actually saw one of these.... (1, Interesting)

SixGunMojo (177687) | about 5 years ago | (#29226717)

A few caveats on this post
1. I belong to a credit union
2. I do not believe in name calling in posts
3. I am about to violate caveat #2 like a bitch

YOU STUPID IGNORANT LUDDITE MOTHERFUCKER
Your whole premise is wrong, credit unions are not non-profits they are not-for-profits. Non-profits don't operate for money, not-for-profits operate to make enough money to pay for their services and distribute that money among its (as far as credit unions are concerned) members and employees. This is how that pretty teller gets paid and why the interest on my loans is higher than the interest I earn on my savings account. As far as your claim of executive compensation, show us some facts. If the guy running my credit union is well compensated I have no problem with that. I am pretty sure he is not making millions and getting share options as I read the newspaper down here and they have an annual richest business ranking and I'm pretty sure he's never been on it. As far as your claims about nepotism in non-profits, once again show me the facts, but if I am forming one, it's going to probably start out small and the people I'm going to be looking to are family and friends.

Re:I actually saw one of these.... (5, Informative)

fuzzyfuzzyfungus (1223518) | about 5 years ago | (#29225407)

I agree with the general sentiment; but I think the story a few days back about the FBI picking up that quant accused of stealing code (or heck, our exciting bailouts and pretty much anything the federal reserve does) was a better example.

From the Secret Service website [secretservice.gov] :

"1984 Congress enacted legislation making the fraudulent use of credit and debit cards a federal violation. The law also authorized the Secret Service to investigate violations relating to credit and debit card fraud, federal-interest computer fraud, and fraudulent identification documents."

"2001 The Patriot Act (Public Law 107-56) increased the Secret Service's role in investigating fraud and related activity in connections with computers. In addition it authorized the Director of the Secret Service to establish nationwide electronic crimes taskforces to assist the law enforcement, private sector and academia in detecting and suppressing computer-based crime; increased the statutory penalties for the manufacturing, possession, dealing and passing of counterfeit U.S. or foreign obligations; and allowed enforcement action to be taken to protect our financial payment systems while combating transnational financial crimes directed by terrorists or other criminals. "

Having the secret service investigate a cracking attempt at a bank is about as natural as having the local cops investigate a burglary. These guys are, in essence, the counterfeit currency and bank haxx0ring police, the protecting the president gig is just a flashy sideline. The fact that we have a dedicated counterfeit currency and bank haxx0ring police force does indeed say something about our priorities; but the fact that a police force does exactly what it was set up to do isn't much of a demonstration in itself.

Re:I actually saw one of these.... (1)

Ohrion (814105) | about 5 years ago | (#29225257)

Interesting, sounds like the "penetration testers" are trying a snail mail version of whaling. Make sure your customers know not to plug in miscellaneous USB sticks they find laying around the parking lot. It's just another way for "pen testers" to bypass your security.

Pen testers (2, Funny)

Anonymous Coward | about 5 years ago | (#29226189)

I'm in favor of it; I think that banks really need pen testers.

Their pens usually are broken off of those little chain things, and when you do find one that's still attached, it doesn't write.

Re:I actually saw one of these.... (1)

Hurricane78 (562437) | about 5 years ago | (#29226581)

What? A story with a CEO turning out not to do the dumbest thing in history?? Unpossible!

Are they by any chance... hiring?

.
.

If I were the attacker, I'd do it again. This time properly with no errors at all. And with a special warning included, that fake mailings are in circulation, and with a big official seal of trustworthiness, etc. Something that C?Os love. The whole package of "*drool* want". With no fingerprints, genetic material, etc, but real pressed CDs, with professional labels. I'd let the real NCUA send me some presentational CDs as templates. (Of course to a fake place with no traces on the mailbox.) Oh and the trojan... oh the trojan... I wouldn't even start attacking their network! I would straight out start with making the banks attacking each other for alleged fraud, industrial espionage, etc. It would be a wonderful mess with everybody accusing everybody. A psychological fight club finale.
But I guess criminals and ideas like mine, are usually mutually exclusive. ;)

Training (4, Funny)

sexconker (1179573) | about 5 years ago | (#29225065)

Did the penetration testing "training" CDs at least provide a helpful "Lesson Number 1: Never do what you just did." video?

Mailing is to customers (-1, Troll)

Rainbird98 (186939) | about 5 years ago | (#29225097)

I don't think they are mailing them to the Credit Unions. Instead, maybe to the Credit Union customers?

Re:Mailing is to customers (1, Informative)

Anonymous Coward | about 5 years ago | (#29225137)

You're wrong. That is all.

Re:Mailing is to customers (2, Informative)

Orion Blastar (457579) | about 5 years ago | (#29225239)

Actually Credit Union customers get "Phishing" emails that pretend to be from the Credit Union and go to a fake web site that looks like the Credit Union but steals their password, user ID, account number, etc.

This happened to a friend of mine, and he phoned it in and the Credit Union asked him to come into their nearest branch and present ID and get his account changed to verify who he is, only the Credit Union near him closed down and he didn't know it and the next one was 100 miles away. He had to drive that far to resolve the problem and eventually switched to a different Credit Union. It seems Credit Unions are facing hard times and shutting down branches, being that they are too small to be bailed out.

Re:Mailing is to customers (3, Informative)

Shakrai (717556) | about 5 years ago | (#29225485)

It seems Credit Unions are facing hard times and shutting down branches, being that they are too small to be bailed out.

Where are you getting your information from? There's been a handful of credit unions that have failed but taken as a whole they've failed at a significantly lower rate than the banks. This is actually a boom time for credit unions and local community banks because the big boys are cutting back and people are looking for an alternative. The big players are closing accounts, jacking up interest rates and imposing all sorts of new fees. The credit unions are humming along with the same business model they've had for the last few decades: Slow sustained growth backed by proper lending standards and an emphasis on member service.

Go through the NCUA/FDIC data some time and compare the percentage of "well capitalized" credit unions to the percentage of similarly capitalized banks. I think you'll find that credit unions are doing just fine.

Re:Mailing is to customers (-1, Flamebait)

Anonymous Coward | about 5 years ago | (#29226247)

You're just sucking the cocks of credit unions all OVER this thread! Hilarious. You, morgan_greywolf, and mcgrew are probably all masturbating into the upturned, wide-open, awaiting mouths of prostitutes.

I mean, I know that you feel that you owe it to this "small credit union", which bailed out your shitty "consultancy" business by giving you a pathetic contract, to defend them, but come on. Syyyyyycophannnnnnnt!

Re:Mailing is to customers (1, Flamebait)

Shakrai (717556) | about 5 years ago | (#29226577)

Go fuck yourself

Re:Mailing is to customers (1)

toejam13 (958243) | about 5 years ago | (#29225649)

If the credit union was a member of the CUService co-op, your friend should have been able to go to a closer branch. For the most part, any member credit union is practically as good as his own.

Re:Mailing is to customers (1)

Runaway1956 (1322357) | about 5 years ago | (#29225419)

whoosh

No capitals, no exclamation mark, just a quiet little whoosh. Just about the volume of a tired gnat flying past a dog's ass. Had you bothered to read ANYTHING before you commented, then you might warrant a real whoosh.

Windows Autorun (3, Insightful)

Anonymous Coward | about 5 years ago | (#29225185)

The problem here is Windows Autorun. As soon as you insert a CD, Windows checks for the presence of an "autorun.inf" file, and if it exists, it can specify a binary program on the disc to execute immediately, as whatever user is currently logged in. Thus, killing your security immediately.
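As an added illustration (not part of the comment above and not code from the linked article): a small Python triage script that reads an `autorun.inf` taken from untrusted media and lists what its `[autorun]` section would ask Windows to launch, so the disc can be assessed on an analysis machine without inserting it into a Windows workstation. The sample file contents and all function names are constructed for this example; `open`, `shellexecute` and `shell\<verb>\command` are the standard autorun.inf keys.

```python
"""Triage an autorun.inf from untrusted media (added example)."""
import ntpath

# Keys in the [autorun] section that name something to be launched.
EXEC_KEYS = {"open", "shellexecute"}

# Extensions that execute code directly when launched on Windows.
RISKY_EXT = {".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".vbs", ".js", ".lnk"}

# Constructed sample input; not taken from the CDs discussed in this thread.
SAMPLE = (
    "; training disc\r\n"
    "[AutoRun]\r\n"
    "label=Fraud Alert Training\r\n"
    "\x00\x01\x02 padding bytes with no assignment\r\n"
    "icon=setup.ico\r\n"
    "OPEN = Training.exe /quiet\r\n"
    "shell\\explore\\command=docs\\viewer.exe\r\n"
    "shell=explore\r\n"
    "[notes]\r\n"
    "open=ignored.exe\r\n"
)


def parse_autorun(text):
    """Return (key, value) pairs from the [autorun] section, keys lower-cased.

    Assumption: be as lenient as an INI-style reader. Lines that are not
    key=value are skipped instead of raising, and duplicate keys are all
    kept, so junk padding cannot hide an entry from the report.
    """
    entries = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip().strip("\x00")
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries.append((key.strip().lower(), value.strip()))
    return entries


def executable_entries(entries):
    """Keep only the entries that name a command or file to launch."""
    found = []
    for key, value in entries:
        is_verb_command = key.startswith("shell\\") and key.endswith("\\command")
        if key in EXEC_KEYS or is_verb_command:
            found.append((key, value))
    return found


def command_target(command):
    """Extract the program or document path from a command line.

    Handles a quoted path; an unquoted path is cut at the first space.
    """
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(None, 1)[0] if command else ""


def triage(text):
    """Return one report dict per launchable entry in the file."""
    report = []
    for key, value in executable_entries(parse_autorun(text)):
        target = command_target(value)
        ext = ntpath.splitext(target)[1].lower()
        report.append({
            "key": key,
            "command": value,
            "target": target,
            "risky_extension": ext in RISKY_EXT,
        })
    return report


def triage_file(path):
    """Read a file as raw bytes; latin-1 decoding never fails on junk."""
    with open(path, "rb") as handle:
        return triage(handle.read().decode("latin-1"))


if __name__ == "__main__":
    for item in triage(SAMPLE):
        flag = "EXECUTABLE" if item["risky_extension"] else "review"
        print(f"{flag:10} {item['key']} -> {item['command']}")
```
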

Re:Windows Autorun (1, Informative)

CannonballHead (842625) | about 5 years ago | (#29225193)

Recent versions of Windows prompt and ask if you want to run it.

Re:Windows Autorun (4, Informative)

sexconker (1179573) | about 5 years ago | (#29225217)

Easily disabled or dismissed.

The real issue here is that without autorun, idiots would open My Computer, open up D:\, and double-click "Training.exe".

Re:Windows Autorun (4, Insightful)

0123456 (636235) | about 5 years ago | (#29225577)

Easily disabled or dismissed.

Uh, no; there are so many different places where autorun is configured in Windows that the average clueless user has no hope of managing to completely disable it. The whole thing is a disaster.

Re:Windows Autorun (5, Informative)

Vancorps (746090) | about 5 years ago | (#29225685)

ummm... there is one place to disable autorun on removable media although there are multiple methods available for accomplishing this task. Are you referring to auto-execution of other vectors? Like emails? Here's a reference [microsoft.com] for you to help you out. Windows XP or above you just modify it in the local security policy and you're done. Of course with Vista and Win7 they ask you if you want to run autorun so you don't really have to do anything.

Re:Windows Autorun (0)

wgoodman (1109297) | about 5 years ago | (#29226327)

uhm.. hold down shift while you stick the cd in.. it's not that complicated. yes, that doesn't disable it for more than that one insertion, but you get used to just hitting shift when you end up bouncing around to several computers a day.

Re:Windows Autorun (3, Informative)

iYk6 (1425255) | about 5 years ago | (#29225661)

Easily disabled

Easy for an experienced computer user, yes. We can just look up on the internet which registry key needs to be changed, and to what, and then we do it. For most users this is too much, and the registry is pretty scary to them.

or dismissed.

For some versions of Windows, yes. For the most popular version in credit unions (based on my limited anecdotal experience) "dismissing" is not an option. Windows 2K just runs whatever the CD tells it to.

The real issue here is that without autorun, idiots would open My Computer, open up D:\, and double-click "Training.exe".

Users will do silly things, but that is no reason to just give up on security and make an OS insecure by default.

Re:Windows Autorun (1)

CSMatt (1175471) | about 5 years ago | (#29226159)

Easy for an experienced computer user, yes. We can just look up on the internet which registry key needs to be changed, and to what, and then we do it. For most users this is too much, and the registry is pretty scary to them.

Of course, you could also just hold down the shift key.

Another scam (3, Insightful)

Orion Blastar (457579) | about 5 years ago | (#29225205)

like those Emails from Microsoft with attachments that say they are operating system patches you must install to prevent a virus.

Instead of being from @microsoft.com they are from @hotmail.com or @yahoo.com using a free throwaway webmail address.

The attached files usually have malware in them.

Microsoft does updates via Windows Update or Microsoft Update or via their web site in downloading patches, they never attach the patches to email.

I also get mail saying I won the UK Microsoft lottery and other BS as well. I am keeping a "Scams" folder for that sort of stuff.

I'd expect Credit Unions to have better sense than to run random CDs on their systems without verifying that the NCUA sent them. "What? We didn't send them to you."

Re:Another scam (1)

Pentium100 (1240090) | about 5 years ago | (#29225621)

Instead of being from @microsoft.com they are from @hotmail.com or @yahoo.com using a free throwaway webmail address.

Can't you spoof an email address if you do not need to receive a reply? I remember doing this a few years ago. Maybe they patched it now, with the spam filters and such...

Re:Another scam (5, Funny)

Kozz (7764) | about 5 years ago | (#29225931)

Yep, trivial.

Years back (about 1995 or so) I configured my MTA to provide "president@whitehouse.gov" as the "From" address when I sent an obvious prank to a co-worker. He replied (!) cussing me out and joking, "I'm going to kill you". You can imagine he quickly realized what he'd done and sent another email explaining himself. Who knows if he managed to get himself on an FBI watchlist or not. ;)

Re:Another scam (2, Funny)

nihongomanabu (1123631) | about 5 years ago | (#29226199)

A friend of mine in university got in a bit of trouble when he spoofed the reply address in a joke email. The IT dept wasn't happy they had to explain to a student that they didn't really get an email from god@heaven.com.

Re:Another scam (-1, Troll)

Anonymous Coward | about 5 years ago | (#29226273)

Okay, this is interesting. Because I know a GIRL, who went to PITT, and her friend did exactly this to her. And she responded in exactly the same way, with the "I'm gonna kill you" thing. And the Secret Service did, indeed, come talk to her.

So my question is... DO YOU KNOW CARA?!

Re:Another scam (1)

Vancorps (746090) | about 5 years ago | (#29225709)

Microsoft will send you direct links to download hotfixes when you request them from their website. Not quite the same as an attachment and you have to request it first but it would be the same result if you got such an email while you were expecting a reply from Microsoft which can sometimes take a few days.

I created a spam account on our domain where users can forward their spam if they are getting it on a regular basis. That way I can extend my filters and content blockers. Keeps the spam pretty low for everyone except the one old lady in the office that actually responds to spam. She then proceeds to come to my office to complain about all the spam she is getting. Gotta love it!

Re:Another scam (1)

Hurricane78 (562437) | about 5 years ago | (#29226691)

Hey! Shhh... I'm twying to hunt wetawds hewe...

*sends out more very obvious scams targeted at IQs below 80*

You know... fow natuwaw sewection and such...

Expect this more in the future (2, Insightful)

improfane (855034) | about 5 years ago | (#29225233)

Expect malware to appear or be in the wild already on/in:

  • pirated DVDs, the ones with dual film and PC content, like the Pokemon DVDs
  • more flash drives
  • mp3 players, iPods (using hard drive mode)
  • Music CDs, the ones with dual PC and audio player content
  • Facebook applications
  • second hand routers (Linux routers)
  • second hand laptops and computers
  • more flash drives
  • Windows install CDs
  • FireFox plugins
  • web development templates
  • Packages (deb, rpm whatever), makefiles etc
  • PDF files

The more I use my laptop, the more I wish to install a hypervisor on the BIOS (preferably based on Linux CoreBOOT or something) and use it to track my laptop and profit from it if it gets stolen.

Hey if someone steals my laptop, sit and cry?

Re:Expect this more in the future (1)

fuzzyfuzzyfungus (1223518) | about 5 years ago | (#29225433)

Don't bother. At the rate malware is proliferating, somebody will install a hypervisor on your BIOS for you. Think of it as a "citizen's automatic update".

Re:Expect this more in the future (2, Insightful)

rtb61 (674572) | about 5 years ago | (#29226135)

At the current price why would anyone bother with second hand routers, switches etc. They would do it with new gear, redo the factory default in a chip programmer and, then offer them at a discount, in the thousands. Especially with countries deeming it appropriate to become involved in large scale computer hacking as intelligence operations and, for the inevitable rogue agents and contractors, a future 'route' to profits.

Hackers can be pen testers (0, Flamebait)

Zero__Kelvin (151819) | about 5 years ago | (#29225281)

The set of hackers and Pen Testers is not disjoint. The summary writer is thinking of crackers. And yes, I know 1200 morons will pipe up to say that Hacker is in common usage, to which I say millions of teenagers say "minute" when they mean a long time, but a minute is still 60 seconds. The world can be divided many ways. One way is those who know what Hacker means, and those who mistakenly think it is a synonym for cracker. I don't care what percentage of society is clueless in this regard even if it is 99+%. I am just proud to not be one of them. A large percentage of the populace thinks they run the best, most secure OS in the world; indeed the only one. Did they become right by way of their mass delusion?

On a side note, I happened to see an old Sopranos where Silvio is asking "what are they called, crackers?", and Tony replies "Hackers". I almost laughed my Ass off. Silvio gets it right, and the boss "corrects" him ... ROTFLMAO

Re:Hackers can be pen testers (1, Insightful)

Anonymous Coward | about 5 years ago | (#29225331)

how 'bout you get that stick out yo ass?

Re:Hackers can be pen testers (0)

Anonymous Coward | about 5 years ago | (#29225365)

0 K must be the temperature in your bed

Re:Hackers can be pen testers (5, Insightful)

rafemonkey (152890) | about 5 years ago | (#29225381)

Man I hear ya... It's just like all those fools calling that box on the desk a computer, when we all know a computer is actually a person who performs computations. Anyway, I gotta jump into the old horseless carriage for a spot of motoring. ;)

Re:Hackers can be pen testers (0, Flamebait)

Zero__Kelvin (151819) | about 5 years ago | (#29225469)

That would be a brilliant retort if it were not for the fact that I live on the bleeding edge. I spend a lot more time there than you, and I get cut much less often than you do (I guarantee it.)

Re:Hackers can be pen testers (0)

Anonymous Coward | about 5 years ago | (#29226313)

Did you honestly just write that? THE BLEEDING EDGE? The whole post was epic. You are either parodying, or you are COMPLETELY detached from reality, and humanity (I guarantee it.)

Re:Hackers can be pen testers (1, Informative)

Anonymous Coward | about 5 years ago | (#29225983)

lol. I bet he tells people that he is gay when he is happy too.

Re:Hackers can be pen testers (4, Insightful)

Faylone (880739) | about 5 years ago | (#29225471)

I don't care what percentage of society is clueless in this regard even if it is 99+%. I am just proud to not be one of them. A large percentage of the populace thinks they run the best, most secure OS in the world; indeed the only one. Did they become right by way of their mass delusion?

Considering that language is just a bunch of grunts(spoken) or squiggles(written) with agreed upon meanings...yes. As long as the meaning the speaker intended is imparted to the listener, they served their purpose.

Re:Hackers can be pen testers (-1, Troll)

Zero__Kelvin (151819) | about 5 years ago | (#29225495)

"Considering that language is just a bunch of grunts(spoken) or squiggles(written) with agreed upon meanings..."

Since your premise is false, your conclusion is fault ridden. Maybe you missed the part about the 1200 morons? Did you really feel so left out of the conversation that you just had to pipe up?

Re:Hackers can be pen testers (1)

Faylone (880739) | about 5 years ago | (#29225623)

Just because "minute" means 60 seconds, it is not prohibited from gaining other valid meanings.

Re:Hackers can be pen testers (1)

Zero__Kelvin (151819) | about 5 years ago | (#29225647)

True, but Gang Bangers are prohibited from doing the defining ;-) Also, clueless reporters are similarly excluded [slashdot.org].

Re:Hackers can be pen testers (0, Troll)

Faylone (880739) | about 5 years ago | (#29225723)

Why are they prohibited from doing so? Many languages may have official language regulators, but English does not. What makes you more authoritative than them?

Re:Hackers can be pen testers (-1, Flamebait)

Zero__Kelvin (151819) | about 5 years ago | (#29225787)

The difference is that I actually know what I am talking about [slashdot.org].

Re:Hackers can be pen testers (0)

Anonymous Coward | about 5 years ago | (#29226193)

Note to self - linking to your own idiotic post four or five times in one thread doesn't make it any less idiotic.

Re:Hackers can be pen testers (0)

Anonymous Coward | about 5 years ago | (#29226331)

Just because "minute" means 60 seconds, it is not prohibited from gaining other valid meanings.

I thought minute meant small?

Re:Hackers can be pen testers (1)

Mozk (844858) | about 5 years ago | (#29225807)

As long as the meaning the speaker intended is imparted to the listener, they served their purpose.

That's the problem. When a word (like "hacker") has different usages and definitions to different people and can be interpreted in various ways, the meaning is not conveyed properly.

Re:Hackers can be pen testers (1)

Hurricane78 (562437) | about 5 years ago | (#29226715)

Interesting... I just noticed, that when you would exchange the quote and the answer of your comment, GP would still be right. I've never seen that before, but it's certainly cool. I'm going to try to reproduce that... ^^

Re:Hackers can be pen testers (0, Troll)

Runaway1956 (1322357) | about 5 years ago | (#29225481)

Mod parent up. Everyone who reads slashdot WANTS to think that they are technically inclined. Those who are unable or unwilling to distinguish between pentesters, hackers, crackers, script kiddies, and the myriad other classes of people out there are only deluding themselves about their technical abilities.

Oh - wait. Maybe I'm deluding myself. Slashdot. I actually read arguments here that Windows is better than Linux for no better reason than an author is afraid of the CLI. Let me shut up and slink out of here - I've done nothing but embarrass myself by talking to the wrong audience.

Re:Hackers can be pen testers (1)

Zero__Kelvin (151819) | about 5 years ago | (#29225539)

"Oh - wait. Maybe I'm deluding myself. Slashdot. I actually read arguments here that Windows is better than Linux for no better reason than an author is afraid of the CLI. Let me shut up and slink out of here - I've done nothing but embarrass myself by talking to the wrong audience."

Maybe you also missed the part of my post about the 1200 morons? It should have conveyed to you I was well aware that there is a faction of the audience that is as ignorant as you describe. There are, however, quite a few people with a clue as well or I wouldn't bother with the site. Presumably you feel the same way, or you wouldn't be posting here either, right?

(Faction is NOT a typo)

Re:Hackers can be pen testers (0)

Anonymous Coward | about 5 years ago | (#29225595)

(Faction is NOT a typo)

+1 Dick

Re:Hackers can be pen testers (1)

maxume (22995) | about 5 years ago | (#29225731)

We all know AC loves dick, but it is a little unusual for one to come right out and say it.

Re:Hackers can be pen testers (1)

spiffmastercow (1001386) | about 5 years ago | (#29225521)

The set of hackers and Pen Testers is not disjoint. The summary writer is thinking of crackers. And yes, I know 1200 morons will pipe up to say that Hacker is in common usage, to which I say millions of teenagers say "minute" when they mean a long time, but a minute is still 60 seconds. The world can be divided many ways. One way is those who know what Hacker means, and those who mistakenly think it is a synonym for cracker. I don't care what percentage of society is clueless in this regard even if it is 99+%. I am just proud to not be one of them. A large percentage of the populace thinks they run the best, most secure OS in the world; indeed the only one. Did they become right by way of their mass delusion?

You know there's a whole school of philosophy dedicated to the common usage vs. defined meaning problem. As for which one is right.. Inconclusive.

Re:Hackers can be pen testers (0, Flamebait)

Zero__Kelvin (151819) | about 5 years ago | (#29225569)

... and you needed to quote my whole post to state that? Actually, you again have those with a clue against those without a clue who refuse to admit it. If it is common usage, but not part of defined meaning, we have an actual defined meaning for that! It's called slang.

Re:Hackers can be pen testers (2, Informative)

maxume (22995) | about 5 years ago | (#29225681)

No, the descriptivists are right. Probably even in France.

If nearly every language had not changed drastically over time, there might at least be an interesting conversation there, but alas.

Re:Hackers can be pen testers (0, Troll)

DerekLyons (302214) | about 5 years ago | (#29225573)

One way is those who know what Hacker means, and those who mistakenly think it is a synonym for cracker. I don't care what percentage of society is clueless in this regard even if it is 99+%.

Get the fuck over yourself. 'Hacker' is a synonym for 'cracker' and has been for nearly thirty years. Language, slang, and jargon - they all mutate and change over time. Grow up and get with the times.

Re:Hackers can be pen testers (-1)

Zero__Kelvin (151819) | about 5 years ago | (#29225613)

"Get the fuck over yourself. 'Hacker' is a synonym for 'cracker' and has been for nearly thirty years. "

What you mean is that almost 30 years ago Steven Levy mistakenly described a cracker as a hacker because he didn't know enough about what he was reporting. Someone said "RTM? He's one of those hackers", and Levy mistakenly reported that hackers are people who break into computers. It is as though he was trying to find out about "Jack the Ripper" and someone said "Oh, he's one of those doctors", so he writes that "Doctors" are people that hack people to bits. Everyone then reads it and the error propagates. No matter how popular the misinformation, it is still misinformation. Now get to bed. You've got to be up for school in the morning.

Re:Hackers can be pen testers (1)

DerekLyons (302214) | about 5 years ago | (#29226653)

As I said to the OP, the meanings of words change regardless of the source of that change. Get the fuck over yourself.

Re:Hackers can be pen testers (1)

That's Unpossible! (722232) | about 5 years ago | (#29225637)

Right, right. It's like when my wife goes, "Why do you bother reading what a bunch of frigtards think on some lame site for dorks?"

And I correct her, "Honey, they're FREETARDS, not frigtards. And the site is for nerds, not dorks!"

Then she blows me!

Re:Hackers can be pen testers (0, Troll)

Zero__Kelvin (151819) | about 5 years ago | (#29225897)

"Then she blows me!"

Which begs the questions: "In what country can you marry your dog and what brand of peanut butter does he prefer?" (No hiding behind feminine pronouns for you sweetheart)

Re:Hackers can be pen testers (1)

e9th (652576) | about 5 years ago | (#29226035)

You're really hung up on language issues. So why do you say "Which begs the questions..." when you mean "Which raises [asks] the questions..."? To beg the question is to commit the fallacy of petitio principii.

Re:Hackers can be pen testers (-1, Troll)

Zero__Kelvin (151819) | about 5 years ago | (#29226085)

"You're really hung up on language issues."

This isn't even remotely a language issue. It is a matter of fact [slashdot.org]. I know many people would rather be wrong and popular than right and unpopular. If you fit into that category, go for it. I am under no delusion that millions of people will suddenly get a clue just because they are presented with the facts.

Re:Hackers can be pen testers (0)

Anonymous Coward | about 5 years ago | (#29226161)

If only one could find a way to post a facepalm image... never before have I seen a slashdot post that deserved it so much.

Fucking moron.

Re:Hackers can be pen testers (1)

chis101 (754167) | about 5 years ago | (#29226235)

Language can and does evolve over time. Look up Hacker in the dictionary.

http://www.merriam-webster.com/dictionary/hacker [merriam-webster.com]

4 : a person who illegally gains access to and sometimes tampers with information in a computer system

Just because something started out as a mistake, doesn't make it incorrect now. Try taking a look at the dictionary definition of "nauseous," as I would guess you would be one of those people who say that "I feel nauseous" is incorrect, while "I feel nauseated" is the only correct way to convey the feeling. http://www.merriam-webster.com/dictionary/nauseous [merriam-webster.com]

Those who insist that nauseous can properly be used only in sense 1 and that in sense 2 it is an error for nauseated are mistaken. Current evidence shows these facts: nauseous is most frequently used to mean physically affected with nausea, usually after a linking verb such as feel or become; figurative use is quite a bit less frequent. Use of nauseous in sense 1 is much more often figurative than literal, and this use appears to be losing ground to nauseating. Nauseated is used more widely than nauseous in sense 2.

Note how 'the most frequently used' definition becomes the correct one? Language changes, and sometimes people just make honest word/grammar mistakes. Get used to it.

Re:Hackers can be pen testers (1)

e9th (652576) | about 5 years ago | (#29226239)

You're annoyed because some people confuse hackers with crackers. I'm annoyed because some people confuse begging the question with asking the question. Let's both just let it go, we've lost.

Re:Hackers can be pen testers (1, Insightful)

Anonymous Coward | about 5 years ago | (#29226375)

Your nice little rant there sidestepped the FACT that you INCORRECTLY used the term "begs the question". You used it in a way that DIFFERS from the TRUE DEFINITION, yet has become ACCEPTED into COMMON SPEECH. The irony here is so unbelievable that I must conclude that your whole attitude on this topic is an epic troll, and you don't believe any of the stupid shit you are rabidly babbling about.

Re:Hackers can be pen testers (1)

Mr. Vage (1084371) | about 5 years ago | (#29226143)

For someone who is fighting so strongly that hacker =/= cracker and that language shouldn't change like that, you've horribly misused "begs the question". Begging the question [wikipedia.org] refers not to a statement causing a question to arise, but instead to a circular argument.

Re:Hackers can be pen testers (0)

Anonymous Coward | about 5 years ago | (#29226479)

Wait... we're getting a lecture on language usage from someone who doesn't know what begging the question [wikipedia.org] is?

Oh, the irony.

Give up, while you're not too far behind.

Re:Hackers can be pen testers (1)

maxume (22995) | about 5 years ago | (#29225703)

I'm not sure a large percentage of the populace even has a clear idea what an OS is.

Re:Hackers can be pen testers (0)

Anonymous Coward | about 5 years ago | (#29225747)

You're proud to know the "proper" meaning of hacker? That's trivia at best, akin to knowing all the state capitals, or knowing just how filthy "A Midsummer Night's Dream" can be (lots of double entendres there). You've niche knowledge... congrats we all do. Try to take pride in something a bit more unique.

Re:Hackers can be pen testers (1)

Spy der Mann (805235) | about 5 years ago | (#29225889)

A large percentage of the populace thinks they run the best, most secure OS in the world

Most people think they're running Linux? Oh, wait...

Racism! (1)

dangitman (862676) | about 5 years ago | (#29226175)

Why are you so down on white people? You could at least call them "honkeys" as it has a more lyrical sound.

Re:Hackers can be pen testers (1)

Jah-Wren Ryel (80510) | about 5 years ago | (#29226451)

I say millions of teenagers say "minute" when they mean a long time, but a minute is still 60 seconds.

Yeah, I don't think so. Your definition of "a long time" is something that YOU have pretty much made up on the spot and in the process ruined any claim to being an authority on English word definitions. Very few teenagers, or anyone else, mean "a long time" when they say "minute" - it's pretty rare for anyone to mean anything even approaching an hour when they say "minute." And unless you are a fruit-fly or suffer from ADD, an hour hardly ever qualifies as "a long time."

But, since a "short space of time" is a merriam-webster endorsed standard meaning of the word "minute," you kinda had to make up some BS in order to support your rather unsupportable point. It's ironic that you misused the key word in your own rant on people misusing words. I think it's the best case of grammar-nazi karma I've seen to date.

Re:Hackers can be pen testers (-1, Flamebait)

Zero__Kelvin (151819) | about 5 years ago | (#29226651)

"Yeah, I don't think so. Your definition of "a long time" is something that YOU have pretty much made up on the spot and in the process ruined any claim to being an authority on English word definitions. Very few teenagers, or anyone else, mean "a long time" when they say "minute" - it's pretty rare for anyone to mean anything even approaching an hour when they say "minute.""

You know about all of the teenagers on the planet??? Who would have thought that Santa Claus posts on Slashdot under the SlashID Jah-Wren Ryel!!!

Re:Hackers can be pen testers (1)

Jah-Wren Ryel (80510) | about 5 years ago | (#29226683)

You know about all of the teenagers on the planet??? Who would have thought that Santa Claus posts on Slashdot under the SlashID Jah-Wren Ryel!!!

You know about all of the teenagers on the planet??? Who would have thought that Santa Claus posts on Slashdot under the SlashID Zero_Kelvin!!!

Re:Hackers can be pen testers (0)

Anonymous Coward | about 5 years ago | (#29226733)

Dude, you're a moron. You are the one claiming you know all of the teenagers on the planet. ZK is saying some of the teenagers (many?) say this. You are claiming that NONE of them do. Only one of you is claiming to know all of the teenagers on the planet.

Where are the jokes? (0)

Anonymous Coward | about 5 years ago | (#29225477)

More than twenty comments and still no penetration joke?

Re:Where are the jokes? (0)

Anonymous Coward | about 5 years ago | (#29225921)

the penetration joke is in your pants.

at least that's what your girlfriend told me.

Bad name for pen-testing (4, Informative)

twistah (194990) | about 5 years ago | (#29225581)

Aside from the usual gripes about the efficacy of pen-testing, this gives pen-testing a bad name. The firm I work for does this exact same ploy, and so do teams from the Big 4 and various security firms, but they are always planned ahead of time. You have to do this sort of thing in a controlled manner (or as controlled as possible.) Usually, these things are dropped in a parking lot, the payload is innocuous, because a customer (or member in the case of a CU) can pick it up. These guys exposed themselves to a lot of liability and can screw it up for honest hardworking sellout hackers such as myself and others.

Wait, I've heard this one before. (5, Interesting)

rayd75 (258138) | about 5 years ago | (#29225761)

In fact, I've used it. Until last year I worked for a credit union and frequently described a scenario almost exactly like this to justify things like a least-privilege security model for end users. It's scary to consider what an attacker might be able to accomplish with a scheme like this. The article only touches the surface in pointing out that credit unions are typically smaller than banks and lack security resources. Mine was one of the largest and probably the most technologically progressive credit union in my state but I had a lot of interaction with smaller credit unions due to their cooperative, less competitive nature. (less competitive with each other, that is.) My experience is that most credit unions have IT departments that can be counted on one hand, and no security-oriented individuals on staff at all. (IT or otherwise) In fact, there are many credit unions whose ENTIRE staff can be counted on one hand. Not long before I left, we absorbed a failed credit union's assets and member base at the NCUA's request. This particular example's infrastructure consisted of three desktop computers and an Access database. Credit unions make great financial sense but only the largest ones have the kind of IT and security resources most of us associate with a bank.

Re:Wait, I've heard this one before. (3, Funny)

John Hasler (414242) | about 5 years ago | (#29226033)

> Credit unions make great financial sense but only the largest ones have the
> kind of IT and security resources most of us associate with a bank.

Considering what the banks accomplish with those resources, I'll take the credit unions.

CDs? (1)

Culture20 (968837) | about 5 years ago | (#29225935)

Hostile takeover by Sony?

CUs don't always have security in mind (1)

rivetgeek (977479) | about 5 years ago | (#29226095)

I've tried repeatedly to warn my own credit union of a security breach in their "self-help" terminal. It's running Windows and a modified version of IE (no close out x). The problem is that the "View cookies" menu item opens an explorer window in focus and the whole directory can then be traversed and written to. It's also internet friendly and not firewalled for third party sites. Sounds like a perfect recipe for a keylogger to me.