I never, ever gloat or make fun of others when it comes to security. It seems like a no-win situation. If you go to someone privately with security concerns, you're generally seen as helpful. If I publicly oust somebody, there are all sorts of people like the author (but far less scrupulous) who might consider it their duty to knock me down a peg... and I'm no security expert.
Using "password" for a password is really stupid, but "really stupid" is relative to the knowledge level of the person pointing it out, in most cases. I'd prefer not to find out what really stupid thing I've done to allow some script kiddie access to my servers (or whatever the case may be).
I actually don't care much for the tone of this article either, for that matter. It's just a bit off for some reason IMO. Perhaps it comes across as a bit of gloating itself? I'm not sure, but it's not that big a deal.
The tone reminds me exactly of the bit in The Hitchhiker's Guide to the Galaxy where Slartibartfast calls Arthur Dent "late" in an effete attempt to sound sinister and threatening...
A quick follow-up. TechCrunch got in contact and we had a quick back and forth. They confirmed that the security vulnerability I was pointing out was something they had worried about already and taken action to mitigate.
They also said "We have had thousands of breakin attempts over the past few days". No surprise really.
And they are planning some posts pointing out the vulnerable nature of apps in the cloud.
Aren't the situations a little asymmetrical, or are they? How much does a disruption in Twitter service affect people, and how much does a disruption in TechCrunch affect the internet economy?
I think that what TC are doing with the stolen documents is deplorable journalism, but his site remains, and is currently unhacked, so I guess he has the last laugh.
Not all that's involved. Sometimes "hacking" involves creative pranks.
For example, one prank I pulled (which was admittedly pretty basic and silly) was a creative redirection using .htaccess for a certain someone's fixed IP address who used to lurk a site I ran last year. This person had an extreme distaste for me, because of the existence of the site and she would publicly slander me for something I never did at every available chance.
So I decided to have a little fun with her.
I set up a page with her (publicly available) photo with a large text headline saying that she had been hacked, which the redirection went to.
Total time to set up - less than 3 minutes.
Having her write me a lengthy email telling me that she was going to call the police (in Australia) and have me arrested was pretty interesting. I never responded.
I think I would be freaked out too if the next time I visited someone's blog (which I was hypothetically consistently leaving trolling/nasty comments on) there would be my picture there, exclaiming how I'd been hacked.
Sometimes the illusion of having "hacked" someone is just as satisfying as the real thing, without the messy potential of jail-time.
We pulled a similar prank on a guy working on implementing 'verified by visa'. Every morning he'd walk into the office and read the same news site. So, three days before completing the project we cloned the news site and posted an article that VISA had decided to abandon VBV.
He walks into the office, starts reading the headlines (-- expletive deleted --) slams his coffee down and walks out of the office.
To his credit within 20 paces he started laughing like mad, knowing he'd been had. Pretty clever dude, it would have taken me a bit longer... :)
To protect the guilty and the innocent alike, no further references, but rest assured that a few words were addressed to VISA execs that were not exactly pc.
You could do a load of damage with DNS redirection. If you look at the market penetration of Google Analytics you'll see that a very, very large number of sites are embedding JavaScript pulled from google-analytics.com in web pages. Now imagine if you redirected that one domain and served your own JavaScript. You could include the GA JavaScript as well, but add your own stuff which would then run in everyone's (within that DNS area) web pages and your JavaScript could start doing all sorts of nasty things.
You wouldn't even need to do too much damage on the client side for an effective attack vector.
Imagine redirecting scripts for googleadservices.com and implementing their JS code with your own publisher ID there.
That would make some of those adsense cheques Markus Frind has shown off look like lunch money.
EDIT - if you really wanted to make something like this cool, you would instead use the publisher ID of some random charity (or even cycle through an array of charities) that could be easily obtainable by viewing source code in pages.
Just a thought...
EDIT #2 - Or, some more Internet Justice - just have it ignore the clicks that would otherwise go to domain parkers (with the revenue heading to charity). You cut off that air supply and eventually a lot of domains will start becoming available again.
I sold the site earlier this year, but the subdomain I set up is still live, so the "hack" (if you could really call it that) is still live.
Gives me a giggle, every time - I know it was malicious, but it was damn funny.
Another thing I did to this person was embed a flash banner on her forums using Google's AdWords that would loop an 8 bit rickroll. She ended up disabling advertising on her site for a short while, instead of blocking the ad itself. It drove her users nuts. Among the best 80 cents I ever spent.
Back in the day I was running an ISP, and when we did a website redesign at some point we added reverse lookup of the user's IP address followed by a quick little dictionary lookup to add a "Back to [user's ISP]" link (we did not have much business/marketing sense) if it matched any of the major ISPs.
Two days later we got a frantic call from someone at another ISP to tell us that someone had hacked our server and added a link to them - he wanted to make sure we didn't think it was them that had done it.
I'm not hiding anything. I'm just pointing out that this sort of gloating is a really bad idea. If I had actually broken into TechCrunch's systems do you think I would post an article about it?
Get off the guy's back. That last hack was both clever and responsible. Having the ability to find security problems does NOT make one a suspect automatically.
Agreed. I wonder at what point intelligence and knowledge become an arrestable offense. I own a set of lock picks. If I were to carry these outside of my home in the UK (since I am not a locksmith) I could be arrested for the offense of "going equipped".
---
Section 25 Theft Act 1968
(1) A person shall be guilty of an offence if, when not at his place of abode, he has with him any article for use in the course of or in connection with any burglary, theft or cheat.
(3) Where a person is charged with an offence under this section, proof that he had with him any article made or adapted for use in committing a burglary, theft or cheat shall be evidence that he had it with him for such use.
Hmm. I wasn't smart enough to think of that angle. I guess I wouldn't make a very good criminal mastermind. Oh well.
But remember on that Hacker News hack, I just thought of the possibility. Someone else did the actual work (and, in fact, totally independently of me).
Agree. It's one step down from when companies shout about how secure their systems are and then offer some 'challenge' prize money that they assume will never be won.
At least this post will have everybody running like headless chickens at TC deleting every unethical or compromising evidence and fixing every possible security hole.
He doesn't help his cause very much with his often arrogant bully tactics. Sometimes it seems like he enjoys insulting people who comment, which isn't really so different from Ron Artest jumping into the crowd to fight with folks, is it?