
I challenged hackers to investigate me and what they found out is chilling - cdvonstinkpot
http://pandodaily.com/2013/10/26/i-challenged-hackers-to-investigate-me-and-what-they-found-out-is-chilling/
======
EGreg
Seriously, this story made me feel more secure. I imagined a lot more attack
vectors (such as [http://xkcd.com/792/](http://xkcd.com/792/) ) and having all
those attempts fail seems kind of anticlimactic.

Basically they got in via phishing? First via a .jar file and then a video?
I'd like more info on how the video can take over your computer. But in any
case I don't fall for phishing scams.

The best thing I saw there was asking to print out the resume. Had the system
been newer it would have worked.

Couldn't they have tried using one of those drive-by JavaScript
vulnerabilities?

The rest of it once they gain entry is straightforward.

Here is what I am wondering about: I use Google Apps for my email etc. If my
company starts competing with Google on some front, can't Google just engage
in corporate espionage by simply reading the email we store there? They'd also
have access to all our accounts. How would this ever come to light?

~~~
SkyMarshal
Funny xkcd, hadn't seen that one. Btw, did something relevant happen in March
1997 or was that just a random date?

~~~
pakitan
Plenty of theories on explain xkcd but nothing definitive:
[http://www.explainxkcd.com/wiki/index.php?title=792](http://www.explainxkcd.com/wiki/index.php?title=792)

------
GeneralMayhem
This is a fascinating story, but it actually made me feel more secure, not
less. Look at the attack vectors they used - physical access, infected
hardware, email attachments from strangers? I suppose the easy stuff worked,
so they didn't have to come up with anything more sophisticated.

I'd still be more worried about the 1999 attack - social engineering the
businesses who hold your information - than about anyone getting it directly
from my personal footprint.

~~~
benbou09
It wasn't easy for the attackers because they chose not to break the law. If
they had just broken into every network in the neighborhood until they found
the right one, it would have been simpler.

------
noir_lord
The interesting part is how much they managed to do without breaking the law,
the scary part is how much more they could have done _by_ breaking the law.

An absolutely fascinating article but not good for the old paranoia.

~~~
swombat
Indeed! The hackers seem almost incompetent - until you remember that they
were playing with both hands tied behind their back.

A less scrupulous hacker would simply have broken into the flat by picking the
lock, which would have resolved most of their difficulties.

------
therobotking
I actually found their initial attempts really disappointing. I was hoping for
some really cool, advanced stuff. Emailing them .jar files? To me that's
laughable. When my friends and I used to try and infect each other with sub7
in the 90s it was with a .jpg with the executable buried inside. That was more
sneaky than a .jar claiming to be a resume.

~~~
atulagarwal
Do you mean something like file.jpg.exe?

Agreed, emailing .jar is kind of lame. They should have tried with some
office/PDF exploits first!

------
DaveWalk
I enjoyed this piece -- especially comparing the author's experience in asking
a private investigator to check him out in 1999 versus a pen tester to do the
same in 2013.

All the attack vectors seem fairly straightforward, but I suppose the
combination used on each target changes each time, and that's where the skill
comes in.

------
junto
The takeaway from the story is not to open .JAR files and to set up all family
members' computers such that they can't install any software or accept any
email attachments, because quite probably, your family members will be stupid
and open .JAR files.

------
rh73
I expected something more elaborate than sending malware as an email
attachment, this is a commonly known way of infecting and hijacking machines
so it makes the topic less news-worthy.

But it's always good to remind people to apply common sense when using email
and the internet and be aware of their digital footprints.

------
deepak56
Long read but very interesting, almost like a crime thriller. I think it is
pretty obvious that privacy is dead. Any average computer user will leave
scents - and a good expert needs to only pick one of these to unravel the
whole story.

------
robert681
A very fascinating story indeed! For people already working in the security
industry it might look easy because they used very common attack vectors but
the generic public have no idea of these things and they are the typical
victims.

