
Teen says he hacked CIA director's AOL account - pavornyoh
http://nypost.com/2015/10/18/stoner-high-school-student-says-he-hacked-the-cia/
======
rcurry
I'm less concerned about the hacker, and more concerned that the Director of
the CIA not only has an aol.com email account but also uses that account to
transmit sensitive information.

I'm not just saying this to be a jerk - this should be grounds for immediate
termination of his employment. This is clearly a guy who shows poor judgement
with respect to the management of sensitive material.

Also, from the article:

"[The] problem with these older-generation guys is that they don’t know
anything about cybersecurity, and as you can see, it can be problematic."

On the contrary - these "older-generation guys" cut their teeth in an
environment where we were going head-to-head with the KGB on a daily basis.
These guys have a solid understanding and awareness of basic information
security procedures, as well as a strong understanding of adversary
capabilities. I don't buy it.

~~~
blowski
Ultimately, this is the same as when the CEO tells me he's disabled anti-virus
protection because the popups annoyed him, or that he's using a personal
Dropbox account so he doesn't have to go through that pesky login process onto
the network drive.

My guess is that to many people in power, the benefits of using these web
services seem to outweigh the disadvantages because they just don't understand
the disadvantages. "It's OK - I set a great password!" There's simply nobody
powerful enough to monitor what they're doing, independent enough to want to
do something about it, and respected enough for people to listen.

We need independent bodies that act as national 'IT departments' and can
refuse requests from the very highest powers, in much the same way that any
other Head of IT can fire someone for gross misconduct because they were
downloading torrents on their company laptop.

~~~
wavefunction
The US Federal system was designed to have checks and balances provided by
oversight by different branches of government.

Unfortunately today we have people in these branches of government who either
won't do their duty because they are terrible at their jobs or because there
is a silent quid-pro-quo where these sorts of people look the other way for
each other.

~~~
blowski
While you're absolutely right in your diagnosis of the problem in the US, I
doubt these problems are specific to the US government. I'm a Brit, and there
are enough stories of technical incompetence here to make me assume it's a
global problem. I suspect even non-democracies have the same issue. Who's
going to tell Kim Jong-un he needs to rotate passwords?

~~~
wavefunction
Thanks for your thoughtful response, not sure what I said that rated
downvoting on my comment but apparently members of the CIA and Congressional
oversight committee are members of hn ;)

------
baconner
All this time I had assumed when Brennan called for dangerous things like
encryption back doors he must understand what the negative impacts would be but
just didn't care as long as it helped the CIA. Now I'm thinking he actually
doesn't know what he's talking about at all which is somehow even worse. An
AOL email account with confidential files in it? Unbelievable.

~~~
gideon_b
There was nothing in the story saying confidential files were stored in his
AOL account. Also nothing about when the account was last used.

There was a time when we all had noisy modems and AOL accounts.

~~~
baconner
I think these qualify. You are free to disagree.

 _CIA Director John Brennan’s private account held sensitive files — including
his 47-page application for top-secret security clearance — until he recently
learned that it had been infiltrated, the hacker told The Post. Other emails
stored in Brennan’s non-government account contained the Social Security
numbers and personal information of more than a dozen top American
intelligence officials_

~~~
cvwright
Not quite. Confidential is a technical term in the military/IC world. It's a
classification, just like secret or top secret. I read somewhere that a lot of
the Wikileaks cables were supposedly stuff marked confidential.

Storing confidential material in an AOL account would be a crime, just like
giving the same material to Wikileaks.

Brennan's PII, job history, etc. is certainly valuable information, but
clearance application paperwork itself is unclassified.

~~~
baconner
Ok then my mistake - there's nothing in the article that says they were files
classified as confidential.

------
danso
> _CIA Director John Brennan’s private account held sensitive files —
> including his 47-page application for top-secret security clearance_

Stories like these make me shudder thinking about the times I may have, at
some point, included a document with personal information in an email, such as
to a prospective landlord for verification. Even if I were able to keep my
email account reasonably secure...I'm pretty sure all the recipients of my
email aren't as wary, or regularly delete old received emails with attachments
that they've collected over the _decade_.

Although in Mr. Brennan's case, he doesn't have that same excuse. It may have
been reasonably safe (for a layperson in IT) to send his application file over
aol.com's servers, but not to keep a copy of it in his Sent box. Even a novice
at cybersecurity should realize the problem of keeping digital files around on
an online server...it's not much different than keeping files in a file
cabinet and expecting that file cabinet never to be compromised.

~~~
x1798DE
> Stories like these make me shudder thinking about the times I may have, at
> some point, included a document with personal information in an email, such as
> to a prospective landlord for verification.

I always insist on encryption for these sorts of things. I'm fairly certain
that for everyone I've asked about an encrypted channel to deliver data, I've
always been the first person to even ask. This includes hospitals, agencies
who do background checks, etc. It's incredibly disturbing that no one else is
insisting that their sensitive documents not just sit unencrypted in all these
random in and out boxes.

------
oldmanjay
This kid is going to get charged with felony embarrassment of a federal
official and it will probably hurt quite a bit.

~~~
awqrre
But according to the government, you don't have expectation of privacy for any
personal data stored in the "cloud"

~~~
gknoy
That may be true, but it doesn't help. Impersonating another person could
plausibly be construed as accessing a system without permission -- a federal
offense, I believe. Couple that with things that likely include classified
information, if the director included that kind of thing, and anyone who
accesses his account could be facing a very aggressive prosecution.

~~~
awqrre
You can't have it both ways if you are the government... it should be the same
for everyone.

------
pavornyoh
A bit of a naive question but can someone answer this for me? To be a CIA
Director, isn't it a requirement to have some sort of a technical background
that way whoever is in the role is able to anticipate and always be a step
ahead when it comes to these sort of problems?

~~~
avivo
The CIA "is tasked with gathering, processing and analyzing national security
information from around the world, primarily through the use of human
intelligence (HUMINT)"

The director is presumably in charge of executing specific missions and a long
term vision for human spying. She/he does this by directing people who manage
people who manage people (etc.). I don't think a technical/engineering
background is presumed or necessary for such a role.

That said, an understanding of the basic structures and failure modes of
information security in the digital world as it pertains to HUMINT does seem
highly relevant (and necessary) for crafting and executing a modern
vision/mission.

~~~
fnordfnordfnord
> I don't think a technical/engineering background is presumed or necessary for
> such a role.

Definitely, but one should know his/her limitations, and that one in
particular should also never speak about infosec. Brennan fails on both of
those accounts.

------
dekhn
Not the first time a CIA director has been casually incompetent with
confidential files:
[https://en.wikipedia.org/wiki/John_M._Deutch](https://en.wikipedia.org/wiki/John_M._Deutch)

------
jessaustin
The reason those in charge don't care about secrecy is... _secrecy is
important not for reasons of "national security", but rather for those of
politics_. Do we need to bash some hackers or protesters or journalists? "OK,
then secrecy is literally the most important thing, more important than cute
little kids or the Constitution or even the NFL." On the other hand, when it's
just us old M-IC lizards futzing around? "Naw, who cares? I'm the expert!"

------
atourgates
This apparently linked twitter account
[https://twitter.com/_CWA_](https://twitter.com/_CWA_) has posted what appears
to be un-redacted screenshots of names, phone numbers and social security
numbers of what I would assume the NYP article is referring to as "top
American intelligence officials".

A quick crosscheck of the names and emails brings up:

* The current Senior Director for the North Africa and Yemen National Security Council for the White House

* The former Deputy Assistant Secretary of Defense, for the US Department of Defense

* A retired 3-star general and former Deputy National Security Advisor to the President

It says something sad about our cybersecurity preparedness that the director
of the CIA is keeping this info in an aol.com account.

~~~
fnordfnordfnord
@_CWA_ is suspended as of a few minutes ago.

~~~
pavornyoh
>_CWA_ is suspended as of a few minutes ago.

What about the twitter account in the article? I am assuming that is what you
meant?

~~~
fnordfnordfnord
@phphax is still up. @_CWA_ was an account that was linked to by @phphax in a
stickied post. The @_CWA_ account posted the SSN's of Brennan and about a
dozen other gov't officials and mucky mucks. It appears that @_CWA_ was a
sacrificial account used for the purpose of disseminating that info.

~~~
pavornyoh
Aaah, got it. Thanks.

------
discardorama
So they claim he had classified docs in his AOL account. Why didn't the
person(s) emailing these docs to Brennan's AOL account raise a question?

~~~
mgkimsal
perhaps he just emailed those docs to himself? I do that a fair amount, so I
can pick them up later.

~~~
tracker1
I'm working in a relatively locked down environment. At least once a week I
have to email myself something (nothing sensitive) just to be able to get to
it at home, which requires a resource that's blocked en masse at work, but
nonetheless I need access to.

------
ChuckMcM
I can believe that the information security is atrocious for folks unwilling
or unable to adopt agency policies, but how stupid do you have to be to poke
the head of the CIA in public?

~~~
pavornyoh
Agreed. Also this in the post:

> The hacker contacted The Post last week to brag
> about his exploits, which include posting some of the stolen documents and a
> portion of Brennan’s contact list on Twitter.

Like seriously, it is like begging to be apprehended.

~~~
OscarCunningham
Once you've hacked the CIA it's probably easier to go public, so that you know
the CIA probably won't just kill you.

~~~
llamataboot
But don't underestimate the power of teenage male bravado.

~~~
pavornyoh
>But don't underestimate the power of teenage male bravado.

I guess you are right. I clicked the twitter name on the post and he has
indeed posted the documents and is daring them. Just unreal.

------
benevol
This is so dumb, it couldn't even be taken seriously as a honeypot strategy.

------
Cheyana
If this was anyone below him he would discipline and possibly terminate them.

------
ck2
That point in life when you realize that the people "in charge" have no idea
what they are doing and might be the furthest thing from an expert.

------
gotchange
I am not buying the Palestinian/Intifada cause of this stunt. There's
something fishy about this operation and the timing in particular for the
leak.

------
imgabe
And the previous CIA director got fired because he had an affair that was
leaked via his email account. What is it with CIA directors and email
accounts?

------
nomadhacker
Sorry, I can't get past the fact the CIA director has an AOL account.

------
NN88
He's taunting them right now

------
NN88
his twitter account is nuts

------
snockerton
I wonder if the AOL disk is still sitting in his CDROM tray at home.

~~~
rcurry
Why would he keep his AOL disk in the cup holder?

~~~
tracker1
I knew (witnessed) the person who got that famed call... was at the Compaq
side of the MCI call center handling support calls for Compaq, on one side,
and Iomega on the other (I worked on the Iomega side).

Walking by... head pops up... "dude... dude... (trying not to snicker too hard)
... this lady's cup holder is broken..." ... me responding "cup holder?" ...
"yeah, the cd drive.. she thinks it's a cup holder" ...

Such a brief interaction, but really funny nonetheless... My funniest call
was someone calling to back up their master's thesis work, because they were
concerned about the power during the storm... was almost 6 minutes into the
call when he said the power was out (desktop computer). It's really hard to be
professional when faced with certain levels of stupid.

~~~
FireBeyond
Yeah, in cases like this I refer to Scott Adams Dilbert (or rather one of the
books).

"I get emails all the time from people who say they were -that- tech support
guy that got -that- call about the cup holder. While we're on the subject of
what people want in their email client, I want my email client to lock all
those people in a room and force them to duke it out until there really is
only -that one guy-."

~~~
tracker1
I wasn't the guy... I just happened to be around when it happened... Like I
said, I did get a call from someone trying to get hardware support when the
power was out... I also had a friend that used to keep his ash tray in front
of the desktop as a "smokeless ashtray" since it sucked the smoke into the
front intake.

These are probably the three most stupid tech things I've seen... I also saw a
computer that was shot once, I am pretty sure that's happened a few times.

------
drig
Why do they keep referring to this guy as a "stoner"? What he smokes doesn't
seem to be at all related to what he's done.

~~~
tvon
This is the NY Post.

Also, what is a NY Post story doing here?

~~~
pavornyoh
>Also, what is a NY Post story doing here?

NY Post was the first to break the news and it is all over the news- CNN, Fox,
etc. Can't find the link to them but here it is here:
[http://www.computerworld.com/article/2994451/cybercrime-hack...](http://www.computerworld.com/article/2994451/cybercrime-hacking/stoner-high-school-kid-claims-to-have-hacked-cia-directors-email-account.html)

