Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Reporters Threatened, Labeled Hackers For Finding Security Hole

samzenpus posted about a year and a half ago | from the keep-your-mouth-shut dept.

Security 120

colinneagle writes "Scripps News reporters discovered 170,000 records online of customers of Lifeline, a government program offering affordable phone service for low-income citizens, that contained everything needed for identity theft . Last year, the FCC 'tightened' the rules for the program by requiring Lifeline phone carriers to document applicants' eligibility, which led to collecting more sensitive information from citizens. A Scripps News investigative team claims it 'Googled' the phone companies TerraCom Inc. and YourTel America Inc. to discover all of the files. A Scripps reporter asked for an on-camera interview with the COO of TerraCom and YourTel after explaining the files were freely available online. That did not happen, but shortly thereafter the customer records disappeared from the internet. Then, the blame-the-messenger hacker accusations and mudslinging began. Although the Scripps reporters videotaped the process showing how they found the documents, attorney Jonathon Lee for both telecoms threatened the 'Scripps Hackers' with violating the Computer Fraud and Abuse Act (CFAA)."

Sorry! There are no comments related to the filter you selected.

Try to do something right (5, Insightful)

Anonymous Coward | about a year and a half ago | (#43776767)

That will teach you to use responsible disclosure.

Re:Try to do something right (2, Insightful)

Anonymous Coward | about a year and a half ago | (#43776811)

I'll beat the others to this.

This is one of the reasons for why being anonymous is important. This lawsuit is stupid, and since they have a video showing the method, it should be easy to throw out the charge.

Could the reporter have a rebuttal about them taking down the evidence, saying they destroyed evidence pending the lawsuit?

Re:Try to do something right (5, Insightful)

Anonymous Coward | about a year and a half ago | (#43776879)

But the reporter can't be anonymous and trustworthy. The press are as full of shit as every other profession, so a reporter needs to put her/his name to it or it's worth as much as an empty cup of coffee. By attaching their reputation (good or bad) to a story they can defend (rightly or wrongly) what the've published.

Re:Try to do something right (5, Insightful)

kasperd (592156) | about a year and a half ago | (#43777101)

But the reporter can't be anonymous and trustworthy.

Sometimes the evidence itself is more important than the source. In the particular case, it sounds like the evidence was strong enough that it wouldn't matter which source it came from.

But the trend with threats and lawsuits against those, who discover security holes, must stop. That trend is a major threat against data security across the entire IT industry.

People will keep finding security holes. Sometimes you just stumple upon them, without even looking. What are you going to do, once you have found a security hole? Report it and try to get it fixed? Ignore it? Abuse it? If those who do the right thing are going to be the target of threats and lawsuits, that certainly removes incentive to do the right thing. So fewer people will report security holes. And some of those who would have reported it, might instead decide to abuse it.

If we ever get to the point where doing the right thing is more likely to get you into a lawsuit than abusing the security hole for personal gain is, then the industry is in big trouble.

Luckily a few companies are taking steps in the opposite direction and are offering cash rewards to those who find security holes. At some point users will have to start taking that into account when deciding what software to trust. But it is a very real problem, when the systems you don't trust are those used by any branch of government. You can't just go somewhere else. And the lack of competition has lead to situations where security concerns are just ignored.

Re:Try to do something right (2)

Synerg1y (2169962) | about a year and a half ago | (#43777165)

Or you know... people could start writing decent secure code to begin with... :)

I mean SQL Injection attacks, and buffer overflows aren't exactly zero days at this point.

Re:Try to do something right (4, Insightful)

Ungrounded Lightning (62228) | about a year and a half ago | (#43777257)

Or you know... people could start writing decent secure code to begin with... :)

Did you ever write a program? Did it work the first time, doing exactly what it was supposed/specified to do?

Took a lot of debugging and error correction, didn't it? Even if you are a programming expert.

Now write a program where "what it's supposed to do" includes "not get cracked and used by any malware, known or unknown, past or future".

Think you'll get THAT right the first time? Even if you are a security expert?

Re:Try to do something right (2)

kiwisteve (1463755) | about a year and a half ago | (#43777383)

Things are rarely "right" the first time. That's why we test stuff before putting it live. Sounds like there wasn't much testing done if it was that easy and obvious to hack.

Re:Try to do something right (2, Insightful)

Anonymous Coward | about a year and a half ago | (#43777607)

if by "not get cracked and used by any malware, known or unknown, past or future" you mean
"not list people's SSN addresses and financial data in a google search result"

then yes i think i can get that right on the first try.

Re:Try to do something right (1)

Big Hairy Ian (1155547) | about a year and a half ago | (#43779517)

"not list people's SSN addresses and financial data in a google search result" then yes i think i can get that right on the first try.

And will that stop some fucktard fax monkey from uploading a spreadsheet full of this info to your DMZ where google & everyone else can read it? We don't even know if this was a software fault.

Re:Try to do something right (1)

Midnight Thunder (17205) | about a year and a half ago | (#43777749)

This is why a good QA team is always worth having. Sure it won't isolate you from every issue, but it should protect you from some of the obvious stuff.

Sometimes the problem isn't even to do with software, but with information policy and what can be placed on a server that is on the outside of a firewall.

Re:Try to do something right (1)

dcollins117 (1267462) | about a year and a half ago | (#43777879)

Think you'll get THAT right the first time? Even if you are a security expert?

Well, yes, that's what makes me an expert. However, TFA is abiout a company putting all of its customer records online, unencrypted and searchable through a simple Google query. There is no excuse for that level of malfeasance.

Re:Try to do something right (1)

Ol Olsoc (1175323) | about a year and a half ago | (#43778433)

Did you ever write a program? Did it work the first time, doing exactly what it was supposed/specified to do?

Did you ever figure that was an adequate excuse?

Not in what you say isn't the truth, because any software that hasn't been shaken down is usually pretty bad, but using the "first time" as an actual reason for insecure software? Completely unacceptable. If you worked for me with that attitude, you might end up in the mail department where you could have an easier job.

Re:Try to do something right (1)

Ungrounded Lightning (62228) | about a year and a half ago | (#43779155)

Did you ever write a program? Did it work the first time, doing exactly what it was supposed/specified to do?

Did you ever figure that was an adequate excuse?

Of course not.

Not in what you say isn't the truth, because any software that hasn't been shaken down is usually pretty bad, but using the "first time" as an actual reason for insecure software? Completely unacceptable. If you worked for me with that attitude, you might end up in the mail department where you could have an easier job.

You obviously both misparsed my statement and aren't aware
of how *I* do software development.
It includes beating the HELL out of any piece of software before
releasing it (with a full coverage test suite built into the make
mechanism in a way that causes the build to fail if a unit test
fails.)

I've developed a methodology that lets me deliver such a fully
debugged software components, with test suite blazingly fast,
as well. It takes me about three times as long as it takes a
more typical programmers to get a new component of similar
size and complexity to successfully compile and link (but not
run correctly) after a moderate feature change.

And I'm thus familiar with some of the pathologies of
people who administer programmers with insufficient
insight into what they're doing and their modes of talking
about it. Because I'm so fast I don't generally report
progress until a component is DONE. Result: Some
administrators have compared my delivery of a complete,
polished, from-scratch, component to one debug iteration
of other team members. This lead to actual publication of
a statement to this effect: "[Ungrounded Lightning Rod]
takes three times as long as anyone else, but his stuff
usually works the first time."

I've been referred to as "a god" in hushed tones (over a
nearly non-existent bug rate in a ten thousand line application),
and had a colleague comment that I was the only person he'd
rust to program an artificial heart for him.

So I'm quite aware of how to make software solid.

My point was not making excuses for poor programmers.

My point was that commercial software operations usually
have management pathologies that lead to measuring
function and not measuring (or rewarding) security.
There's a lot of WORK involved in making software secure
and doing it is usually penalized rather than rewarded. So you
have to expect commercial software to USUALLY be riddled
with security bugs.

(Which is why I migrated to hardware design about 15 years ago.
The non-recurring costs of a bug-fix respin as SO high that
administrators often appreciate and reward solid design and
execution.)

Re:Try to do something right (3, Insightful)

Sam H (3979) | about a year and a half ago | (#43779225)

It might take a security expert to write code that works as specified the first time, but it takes a fantastic idiot to put any kind of code in production before it's been debugged and error-corrected.

Re: Try to do something right (0)

Anonymous Coward | about a year and a half ago | (#43779897)

The second time I made a website I got the permissions right the first time

Re:Try to do something right (0)

Anonymous Coward | about a year and a half ago | (#43779375)

Great idea, bro! If you find that mythical person (I doubt there's more that one - actually, I know there isn't even one) please post below. I've got a London based finance role paying £200,000 + health, etc waiting for him/her.

Re:Try to do something right (1)

Jane Q. Public (1010737) | about a year and a half ago | (#43777227)

"Sometimes the evidence itself is more important than the source. In the particular case, it sounds like the evidence was strong enough that it wouldn't matter which source it came from."

Fortunately there have been a few judges lately who have an actual head on their shoulders, and who have ruled that simply telling somebody their fly is open is not the same as rape.

But these B.S. laws, like CFAA and DMCA, need to disappear. They were ill-conceived and we KNOW that they cause problems. Not little problems, big ones.

I would keep the safe-harbor provisions of DMCA, and scrap all the rest of it. Same with CFAA.

Re:Try to do something right (0)

Anonymous Coward | about a year and a half ago | (#43777305)

telling somebody their fly is open is not the same as rape.

Nice analogy.

Re:Try to do something right (0)

Anonymous Coward | about a year and a half ago | (#43777531)

there needs to be an outside agency or association which rewards those who expose these security holes and maybe even funds the court case against those targeting the messenger. This way, it will not be up to corporations to do the right thing because they will do what is right for those failing and cover their behinds. They think it's in the best interest of their business, investors, and customers to hide their failures. Therefore, an outside org needs to back protecting those who find the security holes and possibly even make public those trying to hide the failures.

Re:Try to do something right (1)

kasperd (592156) | about a year and a half ago | (#43777687)

there needs to be an outside agency or association which rewards those who expose these security holes and maybe even funds the court case against those targeting the messenger.

The law should be modified to ensure the following three properties:

  • It should be illegal to deploy a system, which stores personal data in an insecure way. But as long as security holes are only left open accidentally, and are patched when pointed out, violations should only be punishable by fine.
  • It should be legal for an outsider to take the necessary steps in order to verify the existence of a security problem in the system, as long as such action cannot be expected to damage data in the system.
  • Any attempt by the owner of the system to persuade the finder of a security problem to keep it secret should be illegal. Such action should be punishable, plus the finder should receive compencation.

All of this is only applicable when the security problem is found by an outsider. It is reasonable to apply different rules when the security hole is found by an insider. If the security problem is found by an insider, it is acceptable if the company try to keep the problem secret indefinitely. But it is still not acceptable to leave the vulnerability unpatched.

Re: Try to do something right (0)

Anonymous Coward | about a year and a half ago | (#43777973)

I would say, with regards to the specific content, the source is completely irrelevant.

I take everything I hear or read with a massive grain of salt. And no, I'm really not that cynical.

Example would be a mainstream media headline being absolutely wrong. Why? Cause I witnessed what they reported and they were dead wrong. Does it matter? As far as me trusting them as future soure, yes. When I know it's happened several times, it's time to write them off as a legitimate source.

Remember I'm not talking about individuals here but the major source. Individual reporters are mostly irrelevant because they aren't on the scene, and are just parroting what they've been handed.

True news and information is irrelevant of who reports it. It's better to measure the number of source exchanges than who is doing the reporting.

Re:Try to do something right (0)

Anonymous Coward | about a year and a half ago | (#43778915)

People will keep finding security holes. Sometimes you just stumple upon them, without even looking. What are you going to do, once you have found a security hole? Report it and try to get it fixed? Ignore it? Abuse it? If those who do the right thing are going to be the target of threats and lawsuits, that certainly removes incentive to do the right thing. So fewer people will report security holes. And some of those who would have reported it, might instead decide to abuse it.

If we ever get to the point where doing the right thing is more likely to get you into a lawsuit than abusing the security hole for personal gain is, then the industry is in big trouble.
 

We already are at that point. The best thing is to sell the hole anonymously ( use lots of bitcoing accounts for example, think of is as selling a weapon ). That way the hole _will be_ used, and hopefully discovered, and you'll get a compensation for finding it ( as you should ). Nobody will get sued ( well the person who used it might, but who cares, what he does is wrong, he should report the hole and wait for compensation :D )

Re:Try to do something right (1)

Synerg1y (2169962) | about a year and a half ago | (#43776815)

and yet people keep falling for the same traps...

Re:Try to do something right (3, Informative)

flimflammer (956759) | about a year and a half ago | (#43777355)

I want to agree with you here, but what the story simply calls "mudslinging" does give me room for pause. According to their legal representation, this access has happened over the period of several weeks, and they systematically downloaded all the records it could in this period of time while attempting to get into even more nooks and crannies of the servers.

Why would they be sitting on this, continuously prodding the site for over a month while downloading all the records if they were simply practicing responsible disclosure with nothing more than journalistic intent?

You would think accessing even one or a couple of these sensitive files would have been enough to judge that this content is facing the public and should be reported, rather than downloading all they could over the span of a month (and maybe even longer since these access records seemed to be pruned after 30 days).

Re:Try to do something right (0)

Anonymous Coward | about a year and a half ago | (#43778599)

No it will teach you to do it covert, sell the records to criminals and let the shit hit the fan big time. Then watch how the companies are destroyed.

Re:Try to do something right (1)

Bloem (528155) | about a year and a half ago | (#43778883)

A defense is easy: Does the so-called hacker have a handle? If not, it is not a hacker! Seriously most reporters spend more time recovering handles or other goes-by-the-name-of-references than describing the issue at hand.

Re:Try to do something right (1)

oreaq (817314) | about a year and a half ago | (#43779605)

The only responsible disclosure is full public disclosure.

Makes you wonder (1)

ThatsNotPudding (1045640) | about a year and a half ago | (#43780071)

How many anonymous 'hackers' are decent folks just pointing out glaring flaws while wisely protecting themselves from idiot lawers and lawmen?

Never expose any security holes (5, Insightful)

Anonymous Coward | about a year and a half ago | (#43776773)

In America, two business principles apply:
1. It is none of your business when shit hits the fan, and
2. It is never our fault.

Re:Never expose any security holes (3, Funny)

game kid (805301) | about a year and a half ago | (#43776903)

...and when those fail:
3. I need to spend more time with my family.

No good deed... (3, Insightful)

Anonymous Coward | about a year and a half ago | (#43776779)

goes unpunished.

But of course. (2)

Black Parrot (19622) | about a year and a half ago | (#43776787)

Company Spokesman: Surely you don't think it's our fault.

Company Spokesman: Especially if it's going to cost us money.

Re:But of course. (1)

t0qer (230538) | about a year and a half ago | (#43776999)

Company Spokesman: Especially if it's going to cost us money, and don't call me Shirley.

Been to the web site? (4, Insightful)

Frosty Piss (770223) | about a year and a half ago | (#43777065)

First of all, both these comapnies web sites are identical. Second of all, they look like some 14 year old put them together.

Look, this is just some sweatshop lawyer who wrote q $200 threatening letter. The threat has no value, and should be ignored.

Re:Been to the web site? (1)

Anonymous Coward | about a year and a half ago | (#43777325)

The threat has no value, and should be ignored.

No, it should be forwarded to the relevant authorities (and bar association), the lawyer disbarred, whoever ordered it sent to jail (even only a week actual locked up will do, as long as it also brings a lifetime criminal record) and the company fined an RIAA style figure (e.g. millions) for the threat. Then the company should be prosecuted for disclosing the information in the first place with another RIAA type figure ($10k/person's data leaked should do it).

Re:Been to the web site? (1)

Frosty Piss (770223) | about a year and a half ago | (#43777975)

No, it should be forwarded to the relevant authorities (and bar association), the lawyer disbarred, whoever ordered it sent to jail (even only a week actual locked up will do...

It's nice to be "outraged", but connection to reality generally drives the actions that people who have something to spend and something to lose do.

A lawyer sending a uppity letter alleging this and that is not illegal. Everyone is entitled to an opinion.

But by all means, become "outraged", it's what the Internet is about these days, not rational clear thinking, apparently.

Re:Been to the web site? (0)

Anonymous Coward | about a year and a half ago | (#43778399)

A lawyer sending a uppity letter alleging this and that is not illegal.

If the rest of us make false allegations and threaten people it is illegal.

Re:Been to the web site? (1)

AK Marc (707885) | about a year and a half ago | (#43778587)

"As a lawyer, I find your post annoying and incorrect to the point that Frosty Piss (770223) would likely win a lawsuit against you. I *highly* recommend you remove your post or edit it before Frosty takes action."

There's no threat in there. There's nothing in there actionable for any reason. Even "I find your comments to be so obscene as to be illegal" wouldn't be actionable. Now I'm curious enough, I may have to read the letter in this case. I've seen hundreds, and they are all similarly vague and without meaning. You might as well ask a CIO what he thinks about software as a service in the cloud.

Re:Been to the web site? (1)

AK Marc (707885) | about a year and a half ago | (#43778563)

That's not how threatening letters work. Threatening letters are there to scare, and I didn't read this specific one, but the sweatshop lawyers writing them generally have a better grasp of legal than some Internet A/C. It has no weight, and not a reason for action against the lawyer.

Re:But of course. (0)

Anonymous Coward | about a year and a half ago | (#43777673)

All the companies here have done is to assure two things occur in the future:

1) The next time a white-hat stumbles over private data the companies left in public, instead of reporting it to them to fix the problem, they will simply notify any/all authorities who have the power to make life difficult for said companies - and to send it off anonymously to as many local and national news agencies as possible.

2) The next time a black-hat wishes to break in to one of these companies, it will be that much quicker to do, what with all the extra unfixed security holes the companies won't even know about.

It's not a matter of IF, only of WHEN and how many fines and lawsuits are brought against them for leaking sensitive and private info on their customers.

Plus when the matter of "fault" comes up, the general public will think of it as "You know how if a ton of people come up to you and say 'That isn't a good idea, bad things can happen'? If you willingly and purposely ignore such comments, eventually that DOES make the end results your fault.

Pray for Oklahoma City (-1)

Anonymous Coward | about a year and a half ago | (#43776789)

Tornadoes are destroying this city.

Re:Pray for Oklahoma City (-1, Offtopic)

Anonymous Coward | about a year and a half ago | (#43776851)

It's cuz they're too tolerant there, it makes God angry.

Quick, get a mob together and chase down some gays. Or gay niggers. Or just somebody who might possibly think that the Bible isn't literal.

Re:Pray for Oklahoma City (0, Informative)

Anonymous Coward | about a year and a half ago | (#43777123)

What an asshole.

Funny how being a progressive somehow seems to translate into laughing at the suffering and misery of hundreds of thousands of people who don't think exactly the same as you. It's almost like you're worse than the people you're snickering about.

Re:Pray for Oklahoma City (0, Insightful)

Anonymous Coward | about a year and a half ago | (#43777247)

He's parodying certain religious leaders who say this exact same shit about Florida, California, New York, or the US in general.

Go look up Poe's Law.

Re:Pray for Oklahoma City (0)

Anonymous Coward | about a year and a half ago | (#43777285)

And those certain religious leaders are assholes, too. Fuck you, apologist.

Re:Pray for Oklahoma City (0)

Anonymous Coward | about a year and a half ago | (#43777565)

So, making a parody of people puts you on the same level or worse than the people that you're parodying?

I'm never going to the world that exists in your head. Fuck that place.

Re:Pray for Oklahoma City (0)

Anonymous Coward | about a year and a half ago | (#43778293)

No, making a parody of people that makes light of the suffering of real, innocent people makes you an asshole.

In other words, the asshole preachers and the assholes parodying the preachers on the backs of real peoples' real suffering are both assholes, and deserve to catch ass cancer & die.

Fuck you.

Re:Pray for Oklahoma City (0)

Anonymous Coward | about a year and a half ago | (#43778595)

They are just Oklahomans, what's the problem.

Re:Pray for Oklahoma City (1)

Teun (17872) | about a year and a half ago | (#43779651)

Judging by the ideas of these same religious quacks Europe should have been leveled years ago :)

I feel with the people in the affected areas and wish the religious intolerant (or is it intolerable?) would no longer be allowed to use others' misery for their own sick agenda.

Quick! Someone Call... (1)

Anonymous Coward | about a year and a half ago | (#43776825)

Stephen Heymann and Carmen Ortiz to make sure these neferious cyber criminals get what they deserve!

PR, lawyer greed, revenge, or abject incompetence (4, Insightful)

interkin3tic (1469267) | about a year and a half ago | (#43776839)

I honestly can't understand the point of shooting the messenger here. Is it entirely to try to convince their customers (who are likely not very tech savvy) that they have nothing to worry about? I can understand the letter they sent out blaming the reporters for that, but to actually sue them doesn't make sense. Do they actually believe they can spin this to the FCC as the reporters going all James Bond to access files that were reasonably secured? Or is this just a lawyer who is racking up more billable hours, and his clients are too stupid to realize what a waste it is? Is this actually a roomful of executives saying "FUCK THOSE GUYS! Send the lawyers after them! That'll learn the press to google us!"

I realize these companies have made some seriously bad decisions, and dumb decisions by committee are even worse, but this makes no sense.

Re:PR, lawyer greed, revenge, or abject incompeten (4, Insightful)

Doug Otto (2821601) | about a year and a half ago | (#43776951)

It's deflection.

If they were "hacked" then the folks who's data was leaked blame the wily hackers. If they let it stand that the data was just freely available on the web, it's a liability to the telecoms involved; i.e. "it's not our fault, it's THOSE guys."

Re:PR, lawyer greed, revenge, or abject incompeten (2)

fuzzyfuzzyfungus (1223518) | about a year and a half ago | (#43777001)

I suspect that it's a mixture of technical cluelessness and PR. The people who actually made the mistake that led to the records being exposed probably realize(now, I'm sure it was either an oversight or 'just temporary' at the time) that they fucked up; but they have little to gain by pointing that out.

People higher up the food chain probably have only the haziest distinction between 'something I didn't want happening' and 'something that you circumvented an access control to achieve' and, again, not much incentive to clarify the situation. "Getting hacked" isn't good; but it's a bad thing that just happens sometimes. "Being massively irresponsible" sounds like something that might incur liability.

Re:PR, lawyer greed, revenge, or abject incompeten (1)

Anonymous Coward | about a year and a half ago | (#43777323)

Reminds me of: http://www.despair.com/meetings.html

Re:PR, lawyer greed, revenge, or abject incompeten (-1)

Anonymous Coward | about a year and a half ago | (#43777573)

When is everyone going to learn? This kind of thing is like a female's body, your not supposed to look unless they want you too and even then, most of the time you damn well better keep your mouth shut about it, especially so if you gain access!

WGET? The Devil's Tool! (5, Funny)

eldavojohn (898314) | about a year and a half ago | (#43776841)

Lee added that the Scripps Hackers eventually used Wget to find and download "the Companies' confidential files." (Wget was the same tool used by Facebook's Mark Zuckerberg in the film The Social Network to collect student photos from various Harvard University directories.) The rest of the letter pretty much blamed the "Scripps Hackers" for the cost of breach notifications, demanded Scripps hand over all evidence as well as the identity and intentions of the hackers, before warning that Scripps will be sued.

Folks, there was a big bad security breach [yourtelamerica.com] . Now, *adjusts his massive belt buckle* we're investigating this like we would any other serious crime. And right now we're just trying to identify weapons used in this heinous attack. Now, we've discovered that the hackers were using [documentcloud.org] a very vicious mechanism in this attack. In a murder, you might find a revolver used to put two bullets into the back of a poor old defenseless lady's skull in order to get all her coupons and a couple of Indian head pennies out of her purse. Or perhaps in a pedophile case, you'll find the "secret candy" that was used to lure the children into a white panel van with painted over windows.

*expels a long tortured sigh*

Well, I gotta say, in my thirty years on the force, I wish we were only dealing with something like that today, honest to God Almighty I really do. Instead this artifact was discovered at the scene of the crime [huji.ac.il] . Now, I'm not asking you to understand that -- hell, I'd warn you against even openin' up your browser to the devil's toolbox. But let me, a trained law enforcement professional, take the time to explain the gruesome evidence just one HTTP request away from you and your chillun'. The page is black. Black as a moonless night sky when raptors swoop from the murky inky nothing to take your kids and livestock back up with them silently. On it is a bunch of white text that makes no sense to any God fearun' man on this here Earth. That's what they call a "man page" probably because it is the ultimate culmination of man's sin and lo and behold it displays a guide to exact torture on innocent web servers across this great and holy internet.

Even if you want to use this "man page" for WGET to learn how to use Satan's server scythe, you would have to read through almost twenty pages of incomprehensible technobabble like what that kraut over in Cali -- the one who took his wife's life -- spoke. And if you want to just see an example, it's not at the top! No, why, it's all the way down at the bottom. For this one, they don't even have examples. Just enough options to kill a man. Probably gave Steve Jobs cancer, they never proved all these options in these pages didn't. Buried in the mud of a thousand evils lie more evils.

And why, oh why are we even wasting taxpayer money on these Scripps Journos? Who needs a trial when the evidence is in the tools they used? Folks, I think it's time we WGET one last thing, I'll WGET a rope and you WGET your pitchforks and torches ... let's go down to Scripps and put all this computer business behind us. Okay?

Re:WGET? The Devil's Tool! (2)

zlives (2009072) | about a year and a half ago | (#43776873)

the nerve of those... terrorists?

Re:WGET? The Devil's Tool! (1)

Cormacus (976625) | about a year and a half ago | (#43776949)

I read this in the voice of Sheriff J.W. Pepper (see The Man with the Golden Gun and Live and Let Die)

Re:WGET? The Devil's Tool! (1)

Cosgrach (1737088) | about a year and a half ago | (#43777221)

For me, I heard Buford T. Justice's voice...

Re:WGET? The Devil's Tool! (1)

gmhowell (26755) | about a year and a half ago | (#43777783)

I read this in the voice of Sheriff J.W. Pepper (see The Man with the Golden Gun and Live and Let Die)

Buford T. Justice is also acceptable.

Re:WGET? The Devil's Tool! (1)

ColdWetDog (752185) | about a year and a half ago | (#43776953)

Is this a screenplay? CIS:Tennessee?

Re:WGET? The Devil's Tool! (2)

fredgiblet (1063752) | about a year and a half ago | (#43776971)

And here is me, with no mod points for the day.

Re:WGET? The Devil's Tool! (4, Interesting)

webmistressrachel (903577) | about a year and a half ago | (#43777023)

Wow, I'm scared to fire up my console now. GUIs only from now on for me - I had no idea that I was invoking the devil with my black backround and myriad switches and parameters passed!

Having been a "builder" from a very young age, I can identify with being considered "heathen" for being able connect things that other people had no idea could work together (yet obviously could work together - for example I've used a decent amp and speakers with whatever source was playing since I left home, but using the AUX input with my NICAM video recorder was blasphemy to my parents - and connecting the computer (Amstrad CPC464) to the speakers must have been like summoning demons - because they put a stop to that quickly - and no, it wasn't loud either.)

This perception of me as "hacker" carried on through school and college. Despite me having more integrity than anyone else around me at the time, and an innate sense of "right" and "wrong" and natural justice, I found myself distrusted because people couldn't understand how I did the things I did with so little (and such a crap background. Computer books were NOT on any shopping lists. I had the CPC464 manual, and POKE.)

Re:WGET? The Devil's Tool! (1)

Ultracrepidarian (576183) | about a year and a half ago | (#43777803)

PEEK and POKE are on the short list of Bill Gates' truly original contributions. Clearly tools of the Devil.

Re:WGET? The Devil's Tool! (0)

Anonymous Coward | about a year and a half ago | (#43777225)

Ah yes. We should always assume the voice and cadence of a Foghorn Leghorn-sounding southern character when somebody makes a dumb comment. Because no literate, educated northern lawyer would ever be so ignorant. amirite?

Lawks a mercy, mammy, you think eldavohjohn might could lapse into a negro patois next, wit' a bit a' blackface? I sho' do like that, it's POWERFUL good, lawd! POWERFUL good! Amen and HALL-AY-LOO-YA!

(Hey guys, let's be enlightened progressives! That means we can bash anybody who comes from an area of the country that doesn't always vote the way we'd like, right!?)

Re:WGET? The Devil's Tool! (0)

Anonymous Coward | about a year and a half ago | (#43777449)

This has been another episode of Projection Theater, performed by Anonymous Coward. Thank you for your support.

Re:WGET? The Devil's Tool! (0)

Anonymous Coward | about a year and a half ago | (#43778361)

Read what he wrote.

"massive belt buckle"
"chilluns"
"god fearun' man on this here earth"
repeated invocations of fire & brimstone-style religious imagery

It's very clear what he meant to evoke: "small minded, ignorant religious southern rube who just don' understand nothin' about no technical stuff, because book learnin' is for dem faggots and heathens, unless you're talkin' about dat GOOD BOOK! YEEHAW!"

In reality, the lawyer writing the letter on behalf of the companies who leaked the data is from Washington DC. The journalists work for an organization headquartered in Cincinnati.

Where, exactly, does "small town southern hick sheriff" come into this? Right. It doesn't.

If eldavojohn's joke above had been done in his best pickaninny [wikipedia.org] impression while he rubbed some shoe polish on his face, Slashdot would be aghast at his disgusting, casual racism. But I guess it's okay to be a stereotyping douchebag as long as you avoid stereotyping people who think like you, eh?

Thanks for playing, chief. Go fuck yourself.

Re:WGET? The Devil's Tool! (0)

Anonymous Coward | about a year and a half ago | (#43777365)

also WGET is the new WMD

Typical distraction (5, Insightful)

intermodal (534361) | about a year and a half ago | (#43776869)

Call 'em hackers enough time, and people will be distracted by their alleged malice to the point where they forget or don't even believe anymore that the files were literally just out there for anyone to see. It's like leaving a $100 bill on the sidewalk and waiting to see who turns it in at the lost and found so you can call 'em a thief to distract from your own leaving it lying around.

Re:Typical distraction (0)

Anonymous Coward | about a year and a half ago | (#43777467)

No, this is like leaving a phone book with complete names, addresses, and social security numbers lying on the sidewalk and seeing who turns it in at the lost and found and calling them a thief.

Re:Typical distraction (1)

VortexCortex (1117377) | about a year and a half ago | (#43777999)

Click this link from your seats...
That's right!
You get to be a Hacker,
And You get to be a Hacker,
And You get to be a Hacker ...

Re:Typical distraction (1)

Krishnoid (984597) | about a year and a half ago | (#43778623)

Doesn't even have to be all of $100 [nydailynews.com] .

Left the goods out for anyone to see (1)

LaughingRadish (2694765) | about a year and a half ago | (#43776931)

The management of First & Only Bank would like to let everyone know that all the money has been piled on the front lawn, and also that they're very upset that it has been disappearing.

So if you are a robber, please don't the take the money. It's very rude.

The money has been placed on the front lawn to get it out of the way while the vault is being repaired.

Mandatory study for Lawyers and Judges... (5, Insightful)

Moppusan (2837753) | about a year and a half ago | (#43776933)

...should be a course in Computer and Internet Obviousness (naughty words omitted to make it sound more official, fucking god dammit). And certified as passing this course should be a requirement to be a judge or lawyer in the US with a 6 month renewal term. Any lawyer not holding a certificate should be disbarred post haste and any judge should be removed from his/her seat post haste. Post haste. Haste.

Why use wget? (0)

Anonymous Coward | about a year and a half ago | (#43776937)

You know, I think the cell phone company is being over the top and idiotic, however why did Scripps use wget to download all of that data? At some point you have to realize that showing someone that they left the filing cabinet open is a lot different than photocopying every freaking document in there and making off with it. Knowingly taking possession of that data means that they have to take care not to let it get out to other sources. How secure was that download? Where were the files stored? Who had access to those files? What was the journalistic purpose in pulling all of those files? Why not just take some screen shots, blur the important bits, and run the story that way? A complete data dump of the exposed information really seems like a bit much just to prove that there's a problem...

Re:Why use wget? (5, Insightful)

mrbester (200927) | about a year and a half ago | (#43777091)

1. wget is just a means to automate. Would you type all the URLs manually?
2, 3, 4. As insecure as anybody else downloading it. They have no duty of care that publicly available data that shouldn't be publicly available is not publicly available.
5. A blurred screenshot allows plausible deniability. After all, the blurred bits could be anything. It could even be a completely different page blurred in Photoshop to smear the good name of these dickheads^W fine upstanding members of the community.

If they have a complete data dump, it is most likely someone else does as well. Someone who is more interested in profiting from shoddy practices.

Quick! Somebody notify Carmen Ortiz! (0)

Anonymous Coward | about a year and a half ago | (#43776945)

Or post a sign in the Boston office: "Fresh Meat."

class action (0)

Anonymous Coward | about a year and a half ago | (#43776973)

threaten the attorney for the phone companies by telling them that a class action suit is on the way for having compromised such sensitive information

over the top but! (1)

Anonymous Coward | about a year and a half ago | (#43776993)

While the threats are over the top people need to get it right. They didn't just report a security hole, they EXPLOITED the hole after discovering it and downloaded the data, that is where they crossed the line. It is like the difference between pointing out to a bank that their bank vault was left unlocked and walking in and taking all the money and saying "look guys I can walk in and take everything because your door was open". One will get embaresment from them the other will invoke rage and you in handcuffs.

Re:over the top but! (0)

Anonymous Coward | about a year and a half ago | (#43777045)

And the other side of that coin is finding it and reporting it. Then checking back x time later. Where they did nothing then say, why were you looking again?

Re:over the top but! (1)

Ungrounded Lightning (62228) | about a year and a half ago | (#43777313)

And the other side of that coin is finding it and reporting it. Then checking back x time later. Where they did nothing then say, why were you looking again?

How about:

1) To find out if the data was pulled down yet.
2) To be even nicer guys by waiting until the data WAS pulled down to run the story that would give tens of thousands of identity thieves a valuable present.

Re:over the top but! (1)

mrbester (200927) | about a year and a half ago | (#43777151)

So you would prefer they'd taken all the data and kept quiet about it?

No. Full disclosure is warranted because full access was granted. It's not like just a few details were available. Fuck them for allowing this to happen. Fuck them serially and severally.

Re:over the top but! (0)

Anonymous Coward | about a year and a half ago | (#43779391)

no the whole point is you DON'T TOUCH THE DATA. finding and reporting a vulnerability = good. going further to prove you can steal the data using the vulnerability = you deserve everything you get thrown at you. stealing the data was not necessary to report the problem.

Re:over the top but! (0)

Anonymous Coward | about a year and a half ago | (#43779661)

they EXPLOITED the hole after discovering it and downloaded the data, that is where they crossed the line.

I have heard that before.

But just ask yourself: How else would those journalists have proof of a (massive) security-glitch otherwise.

Hint: If nothing can be shown than there is no proof and the company can just claim that "nothing of importance has happened".
If just a small part is downloaded the while thing can be downplayed as a "small intrusion".

No, for those journalists (or any white-hat hackers) to be able to proof that it was done and was indeed massive they needed to obtain as much proof as they could get.

I myself compare it to a court-case: If the accused (in this case the breached company) can scare the accuser (in this case the "hacking" journalists) in not gathering any proof in regard to the accusation the accused can simply claim nothing has happened and walk away ...

Its even worse: If the scaring does not work the "hacker" (like in this case, having no ill intention) accused of violating some law, making the "hacker" look as bad, in effect burrying the actual lack of security.

To a company its simply a win-win tactic.

Back to the top: What do You think a white-hat hacker should do to proof its allegation of a (massive) security-breach ? Against an opponent which would want to deny everything ofcourse.

Not as easy as you might think, isn't it ? [smile]

First they came... (3)

Jah-Wren Ryel (80510) | about a year and a half ago | (#43777027)

First they came for Weev.
Then they came for the reporters. ...

Re:First they came... (2)

PRMan (959735) | about a year and a half ago | (#43777209)

First they came for Weev, and most reporters called him a malicious hacker...
Then they came for the reporters. ...

This is good news (4, Interesting)

gr8_phk (621180) | about a year and a half ago | (#43777037)

Usually reporters tell stories of "hackers" finding such things and we wonder weather the reporters understand how "non-hacking" the activity really was. Well in this case it's abundantly clear to them since it was they who discovered the data in plain sight. No question the reporters see the absurdity of the "hacker" label in this case.

Re:This is good news (1)

PRMan (959735) | about a year and a half ago | (#43777213)

This is good. I still don't understand how weev could have been found guilty, other than that he's a complete sociopath...

Re:This is good news (0)

Anonymous Coward | about a year and a half ago | (#43778223)

You speak of "reporters" as if they are one big monolithic entity such as the Borg, rather than individuals such as you and me. Or do you think that, as Slashdot posters, we are one big monolithic entity and all think the same?

FA (1)

AndyKron (937105) | about a year and a half ago | (#43777095)

In my opinion, attorney Jonathon Lee is a fucking asshole.

Anonymous (0)

Anonymous Coward | about a year and a half ago | (#43777163)

Oh, just pastebin it anonymously over some open WiFi and submit to a few news sites. That works way better than what you did.

Good Deeds (1)

ThePeices (635180) | about a year and a half ago | (#43777217)

No good deed goes unpunished

Good luck with that... (1)

mikeiver1 (1630021) | about a year and a half ago | (#43777415)

"...attorney Jonathon Lee for both telecoms threatened the 'Scripps Hackers' with violating the Computer Fraud and Abuse Act (CFAA)." Good fucking luck with the subterfuge assholes. You shit the bed and now you are trying to say it was the guy from the next town over. So typical of companies now days. I agree that the more anonymous you can stay the better. We seldom if ever give our info to anyone unless it can't be helped. Most of the time it can be and so we don't. I worry more about these shit bag companies having my info more than I do nefarious characters now days.

Third worlders (0)

Anonymous Coward | about a year and a half ago | (#43777535)

"affordable phone service for low-income citizens"

LOL - meaning "for third world invaders".

Threaten all you want... (0)

Anonymous Coward | about a year and a half ago | (#43777653)

Prove it. If you think you have evidence that they broke the law, then bring the law into it and prove your case. If you can't, then shut the hell up. We all have better things to do than listen to your saber-rattling.

Using google (1)

Anonymous Coward | about a year and a half ago | (#43777989)

Use google to find information, use that information to exploit certain weaknesses in a system. Isn't that exactly what hackers do? How are they not hackers? Because they also wear the hat of news reporters? Maybe that's what current hackers have been doing wrong. They need to get jobs as reporters.

This is all wrong (0)

Anonymous Coward | about a year and a half ago | (#43778715)

This is why you should just sell the information on the black market. The financial and legal incentives are such.

Streisand calls in Anonymous? (1)

dutchwhizzman (817898) | about a year and a half ago | (#43779045)

The Streisand Effect will be in place here. Cue Anonymous hacking these companies upside down in 3...2...1......

Just join the anonymous, it's free! (0)

Anonymous Coward | about a year and a half ago | (#43779059)

Pick some tools to mask your wlan-card's MAC-address, randomize your address, go wardriving to find an open wlan. There, create a bogus blog or website, upload results there. As a bonus, create a bogus email account and email a "tip off" to your colleague and yourself, or something. Turn off computer, go home. "Find" your new website and be one of the first ones to report it. Or if you want it to be fixed more than just to write a story about it, email just some high profile journalists.

Its more complicated; meaning no harm isn't enough (0)

Anonymous Coward | about a year and a half ago | (#43779875)

Use of 'Googledorks' to gain access to (intended-to-be) 'private' information, is, however trivial, a form of hacking (i.e. cracking).

Essentially, this is equivalent to running a port scan on the server (legal) and then connecting, seeing there is no authentication (and relatively signs that this is not intended to be public), pokes around for a while, eventually disclosing this weakness (very much not legal).

It becomes illegal somewhere around the moment the 'intruder' no longer can be reasonably said to have a good faith belief that they are accessing information that they are intended to have access to, and then continues to do so.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?