Hacker Publishes Personal Info of 20,000 FBI Agents (vice.com)
356 points by molecule on Feb 9, 2016 | 171 comments



In a perfect display of schadenfreude, the FBI might now be getting an idea of why people are reluctant to allow them unfettered access to their private information :)

Not really a useful comment, I know, but I had to show my appreciation for this guy for pulling down the FBI's pants!


I, for one, think privacy concerns over this release are overblown. After all, the news reports I've read only contain metadata about the individuals in question.

That the data is out there isn't important. It's not being looked at by me or other humans reading these news articles.

Furthermore, collection and access to this information is critical to the fight against terrorism. If professionals aren't able to identify individuals who may be endangering this country, that puts all of America at risk.

/congressional hearing


The "metadata doesn't matter" argument is a fallacy that has been used to push horrible legislation in many countries.


What is this??? In the first <blockquote> of the article:

<p> 20,000 FBI EMPLOYEES NAMES, TITLES, PHONE NUMBERS, EMAILS, COUNTRY <a href="</p">penis </a> <a href="https://twitter.com/DotGovs/statuses/696796442850156545">Feb... 8, 2016</a> </p>

Notice the weird <a> tag in the middle.


Looks like the embedded tweet has the twitter handle's 'name', which is penis.


My old Chrome version actually renders the penis (the text, I mean) for a split second and then it disappears.


Thank god it's only the text


bringing new meaning to 'NSFW tweet'


Thanks, I had not figured that out! Why is the href set to "</p" then?


A protest against patriarchy, it's the symbol of dismemberment.


This is probably the most bizarre hyperlink I've run across. I share your confusion, and couldn't be laughing any harder right now.


It appears to have been edited out, but that looks like a remnant of someone probing for cross-site scripting vulnerabilities by putting mismatched quotes and tags into places they don't belong.


You are right, the <blockquote> seems to have been replaced by a <img> tag.

Also, I can indeed imagine how this would be caused by improper parsing of double quotes and angle brackets.
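As an added example (not code from the article, from the tweet embed, or from any commenter here), this is what the "mismatched quotes and tags" failure looks like when a tweet author's fields are spliced into an embed blockquote without encoding, next to a version that HTML-escapes text and allow-lists the handle and status ID. The probe strings, the assumed handle/ID formats, and the hasInjectedMarkup check are all constructed for this example.

```javascript
// Added example (not code from the article or from vice.com): rendering an
// untrusted tweet author into an embedded-tweet blockquote, first by naive
// string concatenation and then with output encoding plus input validation.
// The probe values below are constructed for this example.

// Characters that change meaning inside HTML text or a double-quoted attribute.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a string so it is inert both as element text and inside a
// double-quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Assumed formats: Twitter handles are 1-15 characters of [A-Za-z0-9_] and
// status IDs are decimal digits. Both end up inside a URL attribute, so they
// are allow-listed rather than escaped.
const HANDLE_RE = /^[A-Za-z0-9_]{1,15}$/;
const STATUS_ID_RE = /^\d{1,20}$/;

// The failure mode: every field is spliced into the markup as-is.
function renderEmbedNaive({ name, handle, id, date }) {
  return `<blockquote class="twitter-tweet"><p>${name}</p>` +
    `<a href="https://twitter.com/${handle}/status/${id}">${date}</a></blockquote>`;
}

// The hardened version: text fields are HTML-escaped, URL path fields are
// validated against an allow-list before use. Throws on a bad handle or ID
// rather than emitting something half-broken.
function renderEmbedSafe({ name, handle, id, date }) {
  if (!HANDLE_RE.test(handle)) throw new Error(`rejected handle: ${JSON.stringify(handle)}`);
  if (!STATUS_ID_RE.test(id)) throw new Error(`rejected status id: ${JSON.stringify(id)}`);
  return `<blockquote class="twitter-tweet"><p>${escapeHtml(name)}</p>` +
    `<a href="https://twitter.com/${handle}/status/${id}">${escapeHtml(date)}</a></blockquote>`;
}

// Constructed probe in the spirit of the mismatched quotes and tags described
// above: the display name tries to close the <p> and open a link, the handle
// tries to close the href attribute and add an event handler.
const PROBE = {
  name: '</p><a href="javascript:alert(1)">click</a><p>',
  handle: 'x" onmouseover="alert(1)',
  id: '1',
  date: 'Feb 8, 2016',
};

// Same author with a well-formed (constructed) handle, so only the name is hostile.
const PROBE_VALID_HANDLE = { ...PROBE, handle: 'example_user' };

// Crude detector for what the naive template lets through: an on*= attribute
// or a javascript: URL that survived as live markup rather than escaped text.
function hasInjectedMarkup(html) {
  return /\son\w+="/i.test(html) || /href="javascript:/i.test(html);
}

// Run both renderers against the probes and report what each produced.
function demonstrate() {
  const naive = renderEmbedNaive(PROBE);
  let safeRejected = false;
  try { renderEmbedSafe(PROBE); } catch (e) { safeRejected = true; }
  const safe = renderEmbedSafe(PROBE_VALID_HANDLE);
  return {
    naive,
    naiveInjected: hasInjectedMarkup(naive),   // true
    safeRejectedBadHandle: safeRejected,       // true
    safe,
    safeInjected: hasInjectedMarkup(safe),     // false
  };
}

console.log(JSON.stringify(demonstrate(), null, 2));
```

Run it with node: the naive output carries a live onmouseover= attribute and a javascript: link, while the hardened renderer rejects the hostile handle outright and shows the hostile name as visible text. The rule it illustrates is context-specific: escape what goes into text or attribute values, validate what goes into a URL path. It cannot tell you whether the odd href on vice.com came from a probe or from an encoder bug, only why a break like that is worth a look.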


> After tricking a department representative into giving him a token code to access the portal, the hacker claimed he used the compromised credentials to log into the portal, where he gained access to an online virtual machine. From here, the cybercriminal was presented with three different computers to access, he said, one of which belonged to the person behind the compromised email account. The databases of DHS and FBI details were on the DOJ intranet, the hacker said.

With public facing sites like Amazon -- who have necessarily engineered and refined security solutions to manage a wide surface area of attack from its customer base -- getting successfully social engineered on occasion, I shudder to think what the situation is at a large, multidecade bureaucracy where internal-only legacy technology stacks and access control procedures have probably resulted in a mindset of "oh just put that on a sticky note" workarounds just to get work done.


Yeah, regarding amazon: http://imgur.com/a/yaI4B

That took 2 calls.


What am I looking at here?


Internal Amazon stuff, including the customer service tools that can be used to access anyones account, change their passwords etc...


Some top-notch social engineering there.


You'd think Amazon could afford to run a more competent show. When did this happen? Did you do this or you just had screens lying around? :) Can you recommend any cloud provider that is half sane? I was browsing around lately because I might want to start a project on the side, was disappointed that OVH was hacked recently, now Amazon.


> When did this happen?

Some of the screenshots have dates in them

>Did you do this or you just had screens lying around?

:)

>Can you recommend any cloud provider that is half sane?

Cloud providers suck. But I suppose Google, SoftLayer and Rackspace might suck a little less. But why not run on metal? It's cheaper and more secure.


Are you just bragging? I don't know what to get out of this other than that but maybe there's a point I'm missing.


My point was that this isn't just something that happens "on occasion", but a far more serious problem.

Trust me, your local FBI field office wouldn't fare any better.


That is fair. There is no system administered by humans that is free of human frailty.


I am very curious. Can you briefly explain what do you mean by "that took 2 calls"?


There's screenshots demonstrating access to two different Amazon support terminals (IRC screenshots are from a different terminal), access to both was gained during two successive calls to the main Amazon US number.

This did not require multiple attempts. The employees believed everything they were told and both remained on the calls for as long as they were asked to, demonstrating utter lack of training.


"If you've got nothing to hide, you've got nothing to fear"


Because generally the 'powers that be' don't go publishing all of your data so anyone can see. You choose what gets publicly published and they keep what they have on you largely to themselves.


Thank Goodness! Since they're competent enough to keep personal info on their federal agents safe from hackers, I feel safe trusting them to keep all my sensitive information secure too!

Doesn't matter if you trust or mistrust the government - everyone leaves a digital back-gate unlocked without realizing it once in a while.

Unfortunately, no matter how noble the institution, mistake-prone, careless humans are behind them all.


that reduces down to humans are responsible for human behaviour


That means that you shouldn't trust them with access to your sensitive data, which they've been demanding recently.


I hate this crime, but having said that, your argument doesn't hold water.

As another commenter pointed out, they can't even keep their own stuff secure. In addition, if politically it's useful, you can bet that somehow it'll find a way to get out: the Justice Department aren't the only folks able to do parallel construction. Plus folks in government agencies leak confidential stuff all the time on deep background, or as a way of scoring political points.

This is a terrible thing, but it's a terrible thing because people procuring and owning massive datasets on other people is wrong. I understand that society's morals haven't caught up with that yet, but that's the only solution that makes any sense: I own my data, I store my data, under certain conditions I may lease/lend you my data for a limited time only -- and all other uses of it, whether by private or governmental bodies -- is theft.


The second half of your last paragraph is interesting to me, because what you're basically doing is affirming the political idea of intellectual property.

Out of curiosity, how do you feel about DRM (which is based on exactly the same idea but applied to creative works and not information on a person or people)?


Thank you so much for that comment! I never connected these two. In fact, it was just out of frustration that I even wrote the last paragraph. It was not well-considered.

I don't know. I need to think about this some more. Thanks again.


Intellectual Property is as meaningful as Physical Property. The rules are different for each, of course, but saying "physical property exists, intellectual property does not exist" is an extreme position that shows a lack of understanding of what "property" fundamentally is.


I wasn't trying to say that intellectual property didn't exist. I think it's obvious that it does, at least in some form. (Heck, the patent system is built on the very idea.)

Perhaps in an 'ideal' world, IP wouldn't exist. This is far from an ideal world, though, and besides, the so-called "ideal world" would be extremely boring.

I think DRM takes it too far, though. My computer is my physical property. I may not have built it entirely from scratch, instead relying on vendors like Intel to manufacture the components, but it's mine and if I want it to perform a certain way, then the only thing which should be able to stop me is the law itself - not some DRM designed to help me stay in compliance with some company's idea of the law, which is inevitably biased towards their own needs.

[edit: To be clear, since I realise I sound a little extreme here - EULAs are designed to be legal contracts. As such, if you think I've broken (accidentally or intentionally) a clause in your EULA, then unless it's obvious to all involved parties that I've broken the contract (and thus broken the law), it should be up to a court to decide if a) the EULA is a valid contract, and b) if I have in fact broken said contract. If so, go ahead and punish me. Until then, it doesn't make sense to treat, for example, legal paying customers as if they were pirates when they're not.]


That is still published, they can still use it for blackmail, and still abuse it.

If you collect my data, I consider you just as bad as a hacker who publishes everything personal of me. Yes, that's why I hate Google so much.


Except that everyone has some data that they want to keep private...

Maybe you want to keep your text messages private from your employer, or your browsing history private from your children, or your maximum driving speeds private from your local law-enforcement, or your sexual preference separate from your wife, or etc, etc.


I think the GP is repeating the line that we the public are always sold by these government agencies re privacy for comic effect :)


Hook, line, sinker.

Embarrassed. :)


If it's missing the customary "/s" then good old Poe's Law can work its magic on even the best and brightest


Props for owning up


I think you kind of missed the sarcasm.


If only there were a sarcasm punctuation... Sadly, we only have emoticons. ;)


I frequently use the tilde ('~') for this purpose. Others use "/s".

https://en.wikipedia.org/wiki/Irony_punctuation

Most of the marks historically used for insincerity or irony would fail today because they cannot be typed on any keyboards.


Hmm... I only (mis)use the tilde as an expression of uncertainty, like "~130Mbit".


That's not a misuse, indicating that a value is a loose approximation is a major use of the tilde.


There are quotes around it; that should be more than enough.


It should (be), maybe, but is a mistake worthy of downvotes? Probably, I guess.

Lesson: Never misinterpret, especially when feeding the ego.


It's kind of customary around HN to end sarcastic comments with /s


Humour is wasted on the internet.


Wants mean little. I want to marry Taylor Swift.


They're FBI agents. That's something they often want to hide when hunting down bad guys...


Or good guys irrespective.


only if there were some sort of separation of powers...


Not sure how the quote is relevant, I don't really see any of the affected people complaining.

Edit: 5 downvotes, really?

That's a common argument used by various agents of the government to justify their actions that violate peoples right to privacy.

There isn't any privacy violations happening here, nobody affected seems to be very bothered.


Join me in the joy of misinterpreting the sarcasm. /sarcasm

Edit: GP, please, learn that being clear is important, especially considering how many people are non-native speakers of your language.


I spotted the sarcasm, but the comment just didn't make any sense in this context.


> A spokesperson for the DOJ told Motherboard on Monday that the department “is looking into the unauthorized access of a system operated by one of its components...

Please don't give us the "we weren't hacked. It was a company we used that was!" Nonsense. I'm tired of hearing this. It's the same thing blue shield said when its/my/your data was pilfered. YOU are responsible for it! If you pass it off to some incompetent third party, then that reflects even more poorly on you!


In this context, "component" means an agency that's part of the DOJ. The FBI, for example, is a component of the DOJ. They're simply stating that Main Justice wasn't hacked.


Makes you wonder, if these secret services can't keep their own data safe, what's gonna happen with the data they capture from us?


Oh, you mean like all the personal information I had to submit to the Defense Investigative Service when they did my background check for a security clearance?

Why, it's funny you should ask! I just got a letter from the Office of Personnel Management about three months ago, proudly informing me that all that data is now in the hands of some foreign intelligence service.

Of course, they claimed it was the result of a "sophisticated" attack, which is government fail-speak for "We left your data on a bus, and a hobo took it".


>> Of course, they claimed it was the result of a "sophisticated" attack, which is government fail-speak for "We left your data on a bus, and a hobo took it".

No it isn't. The hack of OPM was very well publicized. It was a long-time project of the Chinese government to break into OPM's computers. I don't believe everything I read, but in this case I know this is exactly what happened.


My wife got the same letter from her time working at the VA. Fingerprints, social security number and all the other personal details that they required.


Didn't the Chinese government more or less admit it was behind the OPM hack?

That doesn't prove the data was well secured or that the attack was especially sophisticated, but surely China is a capable adversary.


I don't wonder. It'll get hacked and stolen, repeatedly. Government isn't technically competent by itself, and doesn't know how to select those who are.


> Government isn't technically competent by itself, and doesn't know how to select those who are.

This is just dead wrong. I think you're conflating "Government" and "Politicians". The government pays tech very well and hires intelligent people. I once did a consulting gig and went in with your exact mindset. It was the only time I've ever been fully confident that I was the dumbest person in the room.

The reason they'll always lose is the sheer quantity of attacks. Every day we have front page posts critical of the US government. That sentiment (clearly) extends far beyond the front page of hacker news. I'd wager you wouldn't have to put much effort into finding anti-governmental rhetoric in the comments section of a cooking website.

Beyond that, the weak link is rarely the technical side, e.g. Snowden. I think we all can be confident they will lose the information, but I really don't believe it's because they are technically incompetent.


As someone who's done DoD contracting for many years working for different agencies... I have to agree with parent. The number of competent people I ran into, on the government and contractor side, could be counted on a single hand. I've reported and seen so many security holes that were never fixed it's ridiculous. I'd like to imagine the work done by our group was top notch, but even if it objectively is, it's rare to work on any DoD project without 10+ contractors all with varying levels of competence.


Very true. I did DoD/IC contracting for 16 years before finally getting fed up and going into the "real" world last year. There are some very talented and intelligent people working as govies and as contractors, but for every very good person there are at least 4 turds.


The OPM breach exposing personal data of all cleared individuals (and their friends & families) for the past ~25 years points to management as being grossly incompetent.


>The government pays tech very well and hires intelligent people.

No they don't. Or at least, not the parts I worked in. Maybe the really secure stuff gets paid well, but from what I've seen government jobs are one of the worst paying jobs for an IT individual.


So other governments are having this much of a problem and this frequently?


Other governments are less appealing and visible targets.


Why? What's the metric? All governments have the same kinds of data and potential for embarrassment. And in terms of GDP, the U.S., E.U. and China are in the same ballpark.


That's one reason why such data should only be captured for specific targets, not en masse...


It'll get captured from time to time. Its precisely why mass surveillance is a terrible fucking idea.

They'll never admit it gets stolen either.


Justice was hacked a helluva long time ago.


  [citation needed]


Ca. 1996, the DOJ web server was hacked by somebody. At this point, I don't remember the details--Adolf Hitler as AG, a naughty picture or two. It shouldn't be hard to find.


That makes for nice headlines, but anyone who actually understands this stuff knows that hacking the public-facing web server is not a big deal and not really related to obtaining private info like this.

Edit: I just remembered, there is (of course) a relevant xkcd for this: https://xkcd.com/932/


There's literally no sign of a hack here (I mean, besides the statement that they're investigating), this is OSINT stuff.

Trust me, you could hack any recruiting company and they'd be sitting on much more data than this.


If, like me, you don't know the term OSINT, it stands for "open source intelligence." What it means is publicly available information: phone books, mailing lists, published documents and other things people can find just by snooping a little and not breaching a security system. (Note: According to Wikipedia, this is a US-centric view of the term and may be different where you live.)


Recruiter here.

Due to the amount of turnover and lack of upper management effort you can "hack" almost any recruiting company. Most new recruiters have access to all internal records and are using a basic password (12345678 or password123)

It's not uncommon for recruiters to access other companies' databases to find numbers and email addresses.

Honestly, if you have ever sent your resume to a recruiting agency, your information is fairly accessible to anyone who cares to look for it. I can find cell phone numbers of most managers in the city because they applied for some recruiting agency's entry-level positions 10+ years ago.


Yep. Even the spooky Stratfor[1] would have more information than this. This is nothing like what Snowden or literally hundreds of thousands of people who hold TS/SCI have access to (identities of NCOs or other espionage operatives, access to recruiting databases for foreign nationals who went abroad to the US for graduate studies and are being assessed as potential intelligence assets by their professors, etc). A pissed off 4channer with good Google-fu could get more information than this.

[1] Which I'm sure intelligence agencies are thankful for, because all the tin-foil hatters are misplacing their resources in designing conspiracy theories about an incompetent "private intelligence organization" which amounts to a bunch of people who could easily be outsmarted by a 4chan-er with good Google-fu. You know all those stories you heard about the KGB being incompetent, or now hear about how the Party is in modern China w/r/t information control? Yeah.. the FIVEEYES are about on par when it comes to incompetence.


> recruiting databases for foreign nationals who went abroad to the US for graduate studies and are being assessed as potential intelligence assets by their professors

Is this for real?


https://en.wikipedia.org/wiki/Glenn_Duffie_Shriver

https://www.youtube.com/watch?v=R8xlUNK4JHQ

(I would like to see corresponding movies warning students coming to study in the U.S. about U.S. government attempts to recruit them.)


Yes, it also happens in the reverse direction. Foreign nationals going abroad with the goal of gaining intelligence from professors.


When I was a research assistant in college in the US, we had an Iranian student apply to work with us several times, even after we told him no the first time. We were researching the properties of yellow cake uranium for the Department of Energy! Obviously there are strict rules on that kind of work, hiring him would have been VERY illegal, but he still kept bugging us even after telling him that.


Here's a sign: there are the names and numbers of members of a secretive FBI counter-terrorism unit in the list. Stuff that, if not actually classified, is held close.


The dude is a dead man walking. Don't think the FBI will take this lightly.


They aren't responsible, the subcontractor is. As I posted some time ago:

"The very first thing University of Washington Center for Information Assurance and Cybersecurity (accredited by U.S. Department of Homeland Security, whatever that means) teaches you about becoming a CIO is precisely delegating responsibility :)"

http://depts.washington.edu/ciac/


So they're teaching idiots to hand off responsibility to other idiots and only cover their asses legally. What sort of irresponsible education do you have in the US?


One where idiots hand off responsibility to other idiots and only cover their asses legally.


Creating plausible deniability is one of the top required skills for upper management anywhere.


I fail to see how this brings ANY value to ANYONE, other than those who explicitly wish to engage in abuse of authority. I also fail to see how teaching this as a skill in university is any better than teaching advanced pocket picking skills to school children as part of the standard curriculum.

So, you'll excuse my potty mouth, but I have to repeat myself - EVERYONE engaged on either side of this practice is a certifiable idiot.


Amoral and sociopathic maybe, but they aren't idiots.


So the bullet is responsible, not the guy who pulls the trigger?


The meaning of "personal info" sure has been diluted, this is zoominfo level data (in fact, based on a quick look it could very well be scraped from there).


Yea, I've worked for a few gov't agencies over the years, and most of them have had basically the same info on a public facing "who's who" webpage. The identities and job titles of public employees is public information.

Internal email addresses and phone numbers might be a little more problematic, since they could be spam targets. But it'd be a pretty brave/dumb spammer or prank caller who targets the FBI.


Yes, the problem according to the FBI indeed seems to be more about the unauthorized breach than the information actually contained:

> “This unauthorized access is still under investigation; however, there is no indication at this time that there is any breach of sensitive personally identifiable information,” DOJ spokesperson Peter Carr said in a statement.


This stuff might even be covered by FOIA, since it's just official contact info.


I don't see the problem. I thought privacy was dead.


Same here. I wonder how long it will take before people get used to it.


Every time I check HN, there's a new crypto tool, encrypted databases, and tips on hardening your servers. No matter how secure your system is technically, there is always the requirement to make parts of it "insecure" (in the sense that people buy enterprise encryption, but expect the company that sells it to keep a spare copy of the keys to recover lost data just in case).

The reality in cyber security is that people provide the weakest and easiest point of entry to compromise any computer system. Until the business side and process side of things improve, shit like this will remain common.


This is just a dump of their "phonebook". Not even close to OPM hack... Sensationalist article.


The article doesn't say it was like OPM.


> In any case, a DHS spokesperson said the agency is looking into the reports, though “there is no indication at this time that there is any breach of sensitive or personally identifiable information.”

Except, you know, names. Merely being identified as a person moves you from not existing in the criminal universe to target. From name and other information comes yet other information, comes economic damage, or in this case, possibly life threatening damage.


Names aren't secret or private information. The agents give you their names if you talk with them. A significant portion of them are on LinkedIn. During criminal trials their names are public record. Only four FBI agents died at an "adversaries" hand in the past 20 years: one botched undercover drug bust, an agent who ran into the twin towers on 9/11 to help people, and two who died in raids.

These guys are cops and detectives, not secret agents and spies.


> The agents give you their names if you talk with them.

At least in my case the agents refused to give me their full names, citing personal safety concerns.


I called the police for something a couple years ago, and when I asked for a card after it was over she gave me a card where one of her names was pre-scratched out, I forget if it was her first or last.


From the article, "personally identifiable information." A name is personally identifiable information. For crimes that rely on such lists, not being on the list is your best defense.


Everytime I see something like this I ask "why was this system connected to the internet in the first place".

Sure an intranet only computer can be compromised as well, usb drive, social engineering, etc. but it is exponentially harder.

Really hoping ICBM systems are not on the internet because some general wanted to monitor them from his smartphone.


Anyone else notice that Cryptobin appears to be down? Wonder if they took it offline because of this or are they simply blocking traffic in the US to it?


Looks like it's been dropped from DNS servers.

  $ nslookup cryptobin.org
  Server:	8.8.8.8
  Address:	8.8.8.8#53
  
  ** server can't find cryptobin.org: NXDOMAIN
It can still be accessed directly via https://151.236.7.117


  Domain Status: serverHold https://www.icann.org/epp#serverHold
Yes, the domain has been suspended.


Their SSL seems to be broken now as well.


I wonder when the moment comes where really secret personal/information is going to appear only on paper again.

I wouldn't want this happening to me.


Guys like this give hackers a bad name.


Isn't that public data? name, country, phone number, email...


Has anyone attempted to publish these on http://icwatch.wikileaks.org ?


I find it somewhat interesting that this hacker didn't use this information for leverage, if he's indeed some strong supporter of the free Palestine cause. Instead, he just let it loose and raised the middle finger.

It makes me think either the supposed motivation for this hack isn't what it seems, or it was perpetrated by someone who's incredibly naive. It just doesn't seem to add up.


What leverage could he possibly gain by not releasing this data?


Well, you don't get leverage by not releasing data for no reason...

However, if you're in possession of 20k FBI agents' private information, you could probably contact Palestinian politicians, and they could use it in negotiations. It's valuable information to governments at war.


And then your crime goes from (mere) 'computer misuse' to 'espionage' or even 'treason', with the exciting penalties they draw. I don't think anyone with half a brain wants to go down that road, particularly since the info isn't even that valuable, but the penalties would be the same as TS/SCI information release to an 'enemy government' or similar.


I should also point out, there are probably dozens of parties who are interested in that FBI information, not just Palestinians. He could have sold to the highest bidder but chose not to.


But there's no private information in the leak. Just official contact information.


That's not what "hacker" means. A hacker is some person who enjoys tinkering with systems. You mean "cracker".


Weev went to jail for literally HTTP GET'ing an AT&T server with a URL that was readily available on any iPad device. In the RFC there's literally a return code for "Not Authorized"; he got a good ol' 200 saying 'come on in' and got convicted of "conspiracy to access a computer without authorization".

Federal prison for what was effectively WGET'ing something that was, again, readily available. Still, in the eyes of the public and the law, hacker and cracker are the same thing. The guy is a racist liar, but he didn't deserve federal prison. His conviction was later vacated on a venue technicality, which sucks, because had it been overturned in a higher circuit with the judge offering an Opinion, case law would have been set and Aaron Swartz would have at least some vindication[1].

[1] In no way am I comparing the character of these two men, just the injustice they both suffered at the arms of the technically illiterate law enforcement/legal system. If I were a medical doctor who was before the board being judged for malpractice, I wouldn't want a jury of 12 of my 'peers' deciding my fate - I'd want other doctors.


> Weev went to jail for literally HTTP GET'ing an AT&T server with a URL that was readily available on any Ipad device. In the RFC there's literally a return code for "Not Authorized", he got a good ol' 200 saying 'come on in' and got convicted of "conspiracy to access a computer without authorization".

Everybody repeatedly says this while ignoring his behavior during and after obtaining the information, which is what he was really convicted on. He said so himself.


There is no universal dictionary in the sky that defines what words mean. To some people, "hacker" means one thing, to some another.


But there is, it's sitting right there in the cloud for us to access at one click away.


That's how things used to be. However, the meaning of words is decided by their usage.

My attempt to summarize the new meaning of the word hacker is "any person who employs (especially technological) ingenuity to solve a problem".

Full explanation: https://scott.arciszewski.me/blog/2014/08/cause-and-infect-w...


This is a lost battle, unfortunately.


Dual meaning at this point.


False


cracker is a person that cracks software systems.


Interesting that the dataset only goes from A-Je. I wonder what happened to the rest of the data.

Also, I didn't realize the surname Acevedo was so popular...


Tangentially related, but have the people affected by the OPM hack last year been notified?


Yes. I got a letter from OPM detailing what may have been compromised and offering me some identity theft protection/monitoring service. They got my SF-86 (https://www.opm.gov/forms/pdf_fill/sf86.pdf) and my fingerprints, so pretty much everything.


I do love the SF-86 form. "Please list all acts of terrorism you have participated in, in an attempt to overthrow the Government of the United States: Nature of act, Dates from and to" and that sort of thing. I wonder if anyone who answered 'YES' to that section ever got a clearance?


I'd answer yes, the nature being voting.


Any idea how far back the compromised records go? Trying to determine if records from 2005 may have been exposed, but I've moved a number of times since then, and I haven't been notified. I presume they would have found me if they wanted to, but wish there was a proactive way for me to inquire.



The people I know have been notified.


The thing is encrypted... I don't think it is harmful to the US gov.


This guy should be captured and killed. Most FBI agents are very dedicated to trying to protect people and doing something like this should be an act of espionage and dealt with accordingly.


> This guy should be captured and killed

This breaks the HN guidelines. On this site, please comment civilly and substantively, or not at all. Your comment would be fine without that sentence.

Your other comments in this thread make it sound like you're knowledgeable about this space in a way that most of us aren't. The way to communicate here is to share that knowledge in a civil way, so we all learn something.

We detached this comment from https://news.ycombinator.com/item?id=11064557 and marked it off-topic.


This is a bummer. Most FBI agents are good people trying to help keep a lid on crime in their country. They don't deserve personal exposure or embarrassment for providing what is obviously a necessary, thankless, and underappreciated service.

I'm waiting for the day that script kiddies do something useful, like emptying out everyone's credit file or deleting all the pending bills in a major hospital system's computer. Embarrassing and/or exposing normal individuals doesn't provide any real macro-level help to anybody.


How are any of the things you mentioned useful? I think I can quite confidently say that the things you mention will probably cause more rather than less suffering in the long term. And it's exactly this type of naive disregard for the complexity of actions and their consequences that makes 'script kiddies' so harmful.


> naive disregard for the complexity of actions and their consequences that makes 'script kiddies' so harmful.

If I worked at the FBI I'd be angry and motivated. The retaliation won't come in the form of a zip file, either. It completely boggles the mind that someone thought that this was a smart step toward their own goals.

"Let's shut down Mastercard!" I guarantee that someone somewhere in the world was attempting to pay for an urgent medical bill during that time period. What did the hack actually change? Nothing. It merely proved the hack was possible.

You don't just hack someone and automatically change the world for the better, for the worse most likely.


Indeed.

Also, this is very dangerous information. For people who download it. There's huge potential for life-altering asshattery.


I just want to make it clear that I didn't suggest there would be positive effects from shutting down payment systems.


Right, it was just an ad hoc example. The sentiment of what you said is true - these are just people doing their job. I don't know why you are getting downvoted so much. Thinking that there exists a hack which won't result in harm is an easy mistake to make.


Proving the hack does change something.


Yeah, seriously. Credit scores are what separate me from the idiots who are insolvent and going bankrupt. I would be pretty unhappy with paying higher interest for loans because some dickhead wiped the slate clean.

"We're all equal now!" Yeah, and we're now all paying for it.

Same exact thing with hospital billing - wipe that slate clean, the hospital has to take out loans to stay solvent, and they increase rates to compensate. And you know that they aren't going to be able to get anywhere with Medicaid or the insurance companies... so they're going to hit the people who are least equipped to take the even higher prices for medical care. Thanks, Mr. Script Kiddie!


>Credit scores are what separate me from the idiots who are insolvent and going bankrupt.

You'd think that. I know a person that has gone bankrupt 5 times. He's always able to coax his credit score up within 2-3 years to rack up another 100k in credit card debt before he files for bankruptcy again, right on schedule.

I also know responsible people who've been completely fucked over by insurance companies who refuse to pay claims based on their own clerical errors, among many other horror stories.

Credit reporting is an unreliable, oppressive system, where your financial well-being is left in the hands of 3 companies that have minimal oversight and exist primarily to help lenders fuck the consumer out of money.

Anyone who has your social security number can start reporting derogatory accounts on your credit and seriously hurt your life that way. Think twice before you fork that number over to the dental receptionist.

The idea of this type of hack is to force a change in the methodology, not just to reset the counter. These hacks would have to be continuous service disruptions to be effective. They can't just do it once and let everything go back to normal.

For what it's worth, my credit score is currently in the mid-700s.

I personally believe this type of thing is inevitable. There are people in the government who recognize this too, and have been pushing for cybersecurity initiatives to prevent it (though these concerns have been co-opted by politicians for use in forcing down oppressive copyright and surveillance legislation, pleasing media company donors).

There is a great deal of latent risk in this hyperconnected world. It'll be amazing and frightening to watch hacks at this type of scale play out. Like I said, I have no doubt whatsoever that they will.


>Credit reporting ... exist primarily to help lenders fuck the consumer out of money.

You could always just not borrow money.


Sure, but this isn't a serious option for most people. Other commenters have pointed out that credit scores have gone beyond just borrowing money, so I won't address that aspect.

Many people don't know how to make money as adults without borrowing money to go to university (and student loans are non-dischargeable debt), so as soon as you become an adult, before you can even enter the productive workforce, you're saddled with tens of thousands of dollars in debt and interest payments that'll follow most people around for decades.

Culturally, people in the U.S. are pressured to buy a home as quickly as possible. If you're in your 30s and still renting people assume you don't know how to manage money. Renting and tenancy in most places in the U.S. is configured such that if you want stability, you need to "buy" (meaning, you need to pay rent to the bank instead of a landlord).

If you want a decent car that doesn't break down constantly (which is a functional requirement in most places in the U.S.), one generally needs to borrow money to afford that, at least until he's well into his career and has the opportunity to redirect some student loan money into paying cash for a car.

You have to borrow money on credit cards to get a decent credit score that'll make it so you're not immediately underwater in these fixed collateral-backed installment loans.

While it is theoretically possible to go without borrowing much money, it's not practical for the majority of people. It was made that way on purpose, because banks like money. The system is structured so that the average American pays at least 2x the real cost of goods all the way through to retirement (pays once to the vendor/seller, and once or more in interest to the lender that financed the purchase).

I personally find this disgusting and really hope we can see changes that make interest and borrowing truly and practically optional for average people in future generations.


If it were only that simple.

In a creep of scope, credit scores are now used to determine whether or not you can be trusted to rent a domicile, the size (if any) of a deposit for utilities, increase/lower rates of one's auto insurance, and even some employers now use credit rating as part of screening candidates.

Even if you never borrow money, your credit scores impact your life.


And never borrowing money means no history of debt management which causes a lower credit score.


There are areas in which a "loan" is granted without credit check.

Cell phone bills, internet bills with cap charges, medical bills; just to name a few.

They bill you later, and in the case of medical bills, you don't even have a clue what it will remotely be.


I don't think it's disregard for the complexity of actions. I understand that pretty well. No one's saying it won't be messy, but you can't make an omelette without breaking a few eggs.

I absolutely agree that there would be far-reaching consequences from hacks that neutralized the medical billing/insurance systems and the credit reporting systems, but I disagree with your assessment that those consequences would be a net negative. I believe they would be net positive.


I see where you're coming from, but "deleting all the pending bills in a major hospital system's computer"? In the best case that would affect the hospital's budget; in the worst, people will be chased by collection agencies due to a mix-up in records.

Edit: actually the most realistic scenario - whoever's on call in IT gets to work the night restoring backups. Meanwhile doctors are pissed off and lose time, because they may not be able to update or trust the medical records, unless it can be proven they were not changed.


Yeah, a well-implemented hack would make it more difficult than simply spending a night restoring backups. It would have to be more than a temporary breach to have a substantial effect.

The concept is to make it impossible to do business under the existing conditions. If hospital systems are unable to bill their patients because their systems are constantly scrambled by vigilantes, it'll affect the cost-benefit calculation involved in continuing operation under their existing business model.

Undoubtedly there would be confusion and misapplied bills involved. I don't see that as detrimental to the overarching cause. The only reason these systems are able to operate as-is is because their architects have devised a carefully fragmented and extremely confusing system that splits American society such that unity on the issue can't be achieved without substantial personal cost to the members of the more powerful/useful social factions.

If someone can level that playing field, we'll be well on our way to substantive change. When the powerful people have to feel the indignity of getting their credit wrecked for a decade or more because their kid fell down at a playground and got a concussion, even though they took every precaution that the man said they'd have to take to survive this kind of routine nightmare semi-intact, the rules will change much faster.

At present, the poor get their medical care pretty well taken care of through Medicaid. The rich don't care because they can throw infinity money at health problems (which is not to say they actually have to). It's the middle class that's getting raked over the coals, because they're not rich enough to force a change through monetary influence and they have too much to lose to force a change through social action.

I'm really not even a single-payer or socialized medicine kind of guy, but the current system is the worst of all worlds. The ACA provided a few useful tweaks but overall the system is just getting worse and worse. It shouldn't be allowed to stand.


Excellent commentary. Private markets with public motivations are super dangerous. On this specific issue we have ended up with the worst possible combination of a private/free market and a federal market behaving as a huge actor that operates outside of the free market system (i.e., no requirement to be profitable/sustainable). The presence of that almost-majority actor drives decision making and behavior that completely cripples the free market relationship between the consumer and provider. The health care market was already barely a free market due to the nature of the service and availability.

I also do not really care what system we have in the US, single or federal; we just can not continue to ignore the repeated failures that "sorta" socialized programs leave in their wake (CRA). Just one or the other.


I take it from your second paragraph you've seen Mr Robot?


I haven't. Does something like this happen in it? I should check it out.


"Good people" don't work for Evil. They tear it down.


You don't want that. Because a script kid will change some of the info subtly instead of destroying it. Let's say randomly altering patients' conditions and allergies. The results could be unpleasant.


I'd be surprised if this wasn't done by libertarian "activists". Either that, or any number of other radical terrorist sympathizers. I mean, imagine the philosophical steps that would get someone to the point where they feel justified in doxing thousands of federal agents. This probably wasn't a script kiddie, it was someone who aches to topple society.


It could literally be anybody. Please stop making pointless assumptions.


Although we don't know who's responsible for it (and fairly doesn't really matter), I think any transparency activist would consider this to be a step in the right direction.

Looking forward to the next act of transparency.



