
Hacker Publishes Personal Info of 20,000 FBI Agents - molecule
http://motherboard.vice.com/read/hacker-publishes-personal-info-of-20000-fbi-agents
======
gargravarr
In a perfect display of schadenfreude, the FBI might now be getting an idea of
why people are reluctant to allow them unfettered access to their private
information :)

Not really a useful comment, I know, but I had to show my appreciation for
this guy for pulling down the FBI's pants!

~~~
ethbro
I, for one, think privacy concerns over this release are overblown. After all,
the news reports I've read only contain _metadata_ about the individuals in
question.

That the data is out there isn't important. It's not being looked at by me or
other humans reading these news articles.

Furthermore, collection and access to this information is critical to the
fight against terrorism. If professionals aren't able to identify individuals
who may be endangering this country, that puts all of America at risk.

/congressional hearing

~~~
contingencies
The "metadata doesn't matter" argument is a fallacy that has been used to push
horrible legislation in many countries.

------
nmc
What is this??? In the first <blockquote> of the article:

<p> 20,000 FBI EMPLOYEES NAMES, TITLES, PHONE NUMBERS, EMAILS, COUNTRY <a
href="</p">penis </a> <a
href="https://twitter.com/DotGovs/statuses/696796442850156545">February
8, 2016</a> </p>

Notice the weird <a> tag in the middle.

~~~
spike021
Looks like the embedded tweet has the twitter handle's 'name', which is penis.

~~~
_yosefk
My old Chrome version actually renders the penis (the text, I mean) for a
split second and then it disappears.

~~~
pc86
Thank god it's only the text

------
danso
> _After tricking a department representative into giving him a token code to
> access the portal, the hacker claimed he used the compromised credentials to
> log into the portal, where he gained access to an online virtual machine.
> From here, the cybercriminal was presented with three different computers to
> access, he said, one of which belonged to the person behind the compromised
> email account. The databases of DHS and FBI details were on the DOJ
> intranet, the hacker said._

With public facing sites like Amazon -- who have necessarily engineered and
refined security solutions to manage a wide surface area of attack from its
customer base -- getting successfully social engineered on occasion, I shudder
to think what the situation is at a large, multidecade bureaucracy where
internal-only legacy technology stacks and access control procedures have
probably resulted in a mindset of "oh just put that on a sticky note"
workarounds just to get work done.

~~~
ryanlol
Yeah, regarding amazon: [http://imgur.com/a/yaI4B](http://imgur.com/a/yaI4B)

That took 2 calls.

~~~
roddux
What am I looking at here?

~~~
ryanlol
Internal Amazon stuff, including the customer service tools that can be used
to access anyone's account, change their passwords etc...

~~~
roddux
Some top-notch social engineering there.

------
sanatgersappa
"If you've got nothing to hide, you've got nothing to fear"

~~~
Steve44
Because generally the 'powers that be' don't go publishing all of your data so
anyone can see. You choose what gets publicly published and they keep what
they have on you largely to themselves.

~~~
kristopolous
Thank Goodness! Since they're competent enough to keep personal info on their
federal agents safe from hackers, I feel safe trusting them to keep all my
sensitive information secure too!

Doesn't matter if you trust or mistrust the government - everyone leaves a
digital back-gate unlocked without realizing it once in a while.

Unfortunately, no matter how noble the institution, mistake-prone, careless
humans are behind them all.

~~~
MrTortoise
that reduces down to humans are responsible for human behaviour

~~~
sp332
That means that you shouldn't trust them with access to your sensitive data,
which they've been demanding recently.

------
matt_wulfeck
> A spokesperson for the DOJ told Motherboard on Monday that the department
> “is looking into the unauthorized access of a system operated by one of its
> components...

Please don't give us the "we weren't hacked. It was a company we used that
was!" Nonsense. I'm tired of hearing this. It's the same thing Blue Shield
said when its/my/your data was pilfered. YOU are responsible for it! If you
pass it off to some incompetent third party, then that reflects even more
poorly on you!

~~~
ryanlol
There's literally no sign of a hack here (I mean, besides the statement that
they're investigating), this is OSINT stuff.

Trust me, you could hack any recruiting company and they'd be sitting on much
more data than this.

~~~
iheartmemcache
Yep. Even the spooky Stratfor[1] would have more information than this. This
is nothing like what Snowden or literally hundreds of thousands of people who
hold TS/SCI have access to (identities of NCOs or other espionage operatives,
access to recruiting databases for foreign nationals who went abroad to the US
for graduate studies and are being assessed as potential intelligence assets
by their professors, etc). A pissed off 4channer with good Google-fu could get
more information than this.

[1] Which I'm sure intelligence agencies are thankful for, because all the
tin-foil hatters are misplacing their resources in designing conspiracy
theories about an incompetent "private intelligence organization" which
amounts to a bunch of people who could easily be outsmarted by a 4chan-er with
good Google-fu. You know all those stories you heard about the KGB being
incompetent, or now hear about how the Party is in modern China w/r/t
information control? Yeah.. the FIVEEYES are about on par when it comes to
incompetence.

~~~
mistermann
> recruiting databases for foreign nationals who went abroad to the US for
> graduate studies and are being assessed as potential intelligence assets by
> their professors

Is this for real?

~~~
jonesetc
Yes, it also happens in the reverse direction. Foreign nationals going abroad
with the goal of gaining intelligence from professors.

~~~
Abraln
When I was a research assistant in college in the US, we had an Iranian
student apply to work with us several times, even after we told him no the
first time. We were researching the properties of yellow cake uranium for the
Department of Energy! Obviously there are strict rules on that kind of work,
hiring him would have been VERY illegal, but he still kept bugging us even
after telling him that.

------
ryanlol
The meaning of "personal info" sure has been diluted, this is zoominfo level
data (in fact, based on a quick look it could very well be scraped from
there).

~~~
simplicio
Yea, I've worked for a few gov't agencies over the years, and most of them
have had basically the same info on a public facing "who's who" webpage. The
identities and job titles of public employees are public information.

Internal email addresses and phone numbers might be a little more problematic,
since they could be spam targets. But it'd be a pretty brave/dumb spammer or
prank caller who targets the FBI.

~~~
jug
Yes, the problem according to the FBI indeed seems to be more about the
unauthorized breach than the information actually contained:

> “This unauthorized access is still under investigation; however, there is no
> indication at this time that there is any breach of sensitive personally
> identifiable information,” DOJ spokesperson Peter Carr said in a statement.

------
IIAOPSW
I don't see the problem. I thought privacy was dead.

~~~
miguelrochefort
Same here. I wonder how long it will take before people get used to it.

------
noodles23
Every time I check HN, there's a new crypto tool, encrypted databases, and
tips on hardening your servers. No matter how secure your system is
technically, there is always the requirement to make parts of it "insecure"
(in the sense that people buy enterprise encryption, but expect the company
that sells it to keep a spare copy of the keys to recover lost data just in
case)

The reality in cyber security is that people provide the weakest and easiest
point of entry to compromise any computer system. Until the business side and
process side of things improve, shit like this will remain common.

------
azraomega
This is just a dump of their "phonebook". Not even close to OPM hack...
Sensationalist article.

~~~
sp332
The article doesn't say it was like OPM.

------
a3n
> In any case, a DHS spokesperson said the agency is looking into the reports,
> though “there is no indication at this time that there is any breach of
> sensitive or personally identifiable information.”

Except, you know, names. Merely being identified as a person moves you from
not existing in the criminal universe to target. From name and other
information comes yet other information, comes economic damage, or in this
case, possibly life threatening damage.

~~~
rhino369
Names aren't secret or private information. The agents give you their names if
you talk with them. A significant portion of them are on LinkedIn. During
criminal trials their names are public record. Only four FBI agents died at an
"adversaries" hand in the past 20 years, one botched undercover drug bust, an
agent who ran into the twin towers on 911 to help people, and two who died in
raids.

These guys are cops and detectives, not secret agents and spies.

~~~
ryanlol
> The agents give you their names if you talk with them.

At least in my case the agents refused to give me their full names, citing
personal safety concerns.

~~~
a3n
I called the police for something a couple years ago, and when I asked for a
card after it was over she gave me a card where one of her names was pre-
scratched out, I forget if it was her first or last.

------
ck2
Every time I see something like this I ask "why was this system connected to
the internet in the first place".

Sure an intranet only computer can be compromised as well, usb drive, social
engineering, etc. but it is exponentially harder.

Really hoping ICBM systems are not on the internet because some general wanted
to monitor them from his smartphone.

------
DamnYuppie
Anyone else notice that Cryptobin appears to be down? Wonder if they took it
offline because of this or are they simply blocking traffic in the US to it?

~~~
jackgavigan
Looks like it's been dropped from DNS servers.

    
    
      $ nslookup cryptobin.org
      Server:	8.8.8.8
      Address:	8.8.8.8#53
      
      ** server can't find cryptobin.org: NXDOMAIN
    

It can still be accessed directly via
[https://151.236.7.117](https://151.236.7.117)

~~~
ryanlol

      Domain Status: serverHold https://www.icann.org/epp#serverHold
    

Yes, the domain has been suspended.

------
aluhut
I wonder when the moment comes where really secret personal/information is
going to appear only on paper again.

I wouldn't want this happening to me.

------
hellofunk
Guys like this give hackers a bad name.

------
awqrre
Isn't that public data? name, country, phone number, email...

------
bamdadd
Has anyone attempted to publish these on
[http://icwatch.wikileaks.org](http://icwatch.wikileaks.org) ?

------
moonshinefe
I find it somewhat interesting that this hacker didn't use this information
for leverage, if he's indeed some strong supporter of the free Palestine
cause. Instead, he just let it loose and raised the middle finger.

It makes me think either the supposed motivation for this hack isn't what it
seems, or it was perpetrated by someone who's incredibly naive. It just
doesn't seem to add up.

~~~
ryanlol
What leverage could he possibly gain by not releasing this data?

~~~
moonshinefe
Well, you don't get leverage by not releasing data for no reason...

However, if you're in possession of 20k FBI agents' private information, you
could probably contact Palestinian politicians, and they could use it in
negotiations. It's valuable information to governments at war.

~~~
grkvlt
And then your crime goes from (mere) 'computer misuse' to 'espionage' or even
'treason', with the exciting penalties they draw. I don't think anyone with
half a brain wants to go down that road, particularly since the info isn't
even that valuable, but the penalties would be the same as TS/SCI information
release to an 'enemy government' or similar.

------
someonewithpc
That's not what "hacker" means. A hacker is some person who enjoys tinkering
with systems. You mean "cracker".

~~~
iheartmemcache
Weev went to jail for literally HTTP GET'ing an AT&T server with a URL that
was readily available on any iPad device. In the RFC there's literally a
return code for "Not Authorized", he got a good ol' 200 saying 'come on in'
and got convicted of "conspiracy to access a computer without authorization".

Federal prison for what was effectively WGET'ing something that was, again,
readily available. Still, in the eyes of the public and the law, hacker and
cracker are the same thing. The guy is a racist liar but he didn't deserve
federal prison. His conviction was later vacated on a venue technicality,
which sucks, because had it been overturned in a higher circuit with the judge
offering an Opinion, case law would have been set and Aaron Swartz would have
at least some vindication[1].

[1] In no way am I comparing the character of these two men, just the
injustice they both suffered at the arms of the technically illiterate law
enforcement/legal system. If I were a medical doctor who was before the board
being judged for malpractice, I wouldn't want a jury of 12 of my 'peers'
deciding my fate - I'd want other doctors.

~~~
jsmthrowaway
> Weev went to jail for literally HTTP GET'ing an AT&T server with a URL that
> was readily available on any iPad device. In the RFC there's literally a
> return code for "Not Authorized", he got a good ol' 200 saying 'come on in'
> and got convicted of "conspiracy to access a computer without
> authorization".

Everybody repeatedly says this while ignoring his behavior during and after
obtaining the information, which is what he was _really_ convicted on. He said
so himself.

------
radius
Interesting that the dataset only goes from A-Je. I wonder what happened to
the rest of the data.

Also, I didn't realize the surname Acevedo was so popular...

------
uptown
Tangentially related, but have the people affected by the OPM hack last year
been notified?

~~~
Lambent_Cactus
Yes. I got a letter from OPM detailing what may have been compromised and
offering me some identity theft protection/monitoring service. They got my
SF-86
([https://www.opm.gov/forms/pdf_fill/sf86.pdf](https://www.opm.gov/forms/pdf_fill/sf86.pdf))
and my fingerprints, so pretty much everything.

~~~
grkvlt
I do love the SF-86 form. "Please list all acts of terrorism you have
participated in, in an attempt to overthrow the Government of the United
States: Nature of act, Dates from and to" and that sort of thing. I wonder if
anyone who answered 'YES' to that section ever got a clearance?

~~~
GSegbar
I'd answer yes, the nature being voting.

------
max_
The thing is encrypted... I don't think it's harmful to the US gov.

------
avukich
This guy should be captured and killed. Most FBI agents are very dedicated to
trying to protect people and doing something like this should be an act of
espionage and dealt with accordingly.

~~~
dang
> _This guy should be captured and killed_

This breaks the HN guidelines. On this site, please comment civilly and
substantively, or not at all. Your comment would be fine without that
sentence.

Your other comments in this thread make it sound like you're knowledgeable
about this space in a way that most of us aren't. The way to communicate here
is to share that knowledge in a civil way, so we all learn something.

We detached this comment from
[https://news.ycombinator.com/item?id=11064557](https://news.ycombinator.com/item?id=11064557)
and marked it off-topic.

------
cookiecaper
This is a bummer. Most FBI agents are good people trying to help keep a lid on
crime in their country. They don't deserve personal exposure or embarrassment
for providing what is obviously a necessary, thankless, and underappreciated
service.

I'm waiting for the day that script kiddies do something useful, like emptying
out everyone's credit file or deleting all the pending bills in a major
hospital system's computer. Embarrassing and/or exposing normal individuals
doesn't provide any real macro-level help to anybody.

~~~
valvar
How are any of the things you mentioned useful? I think I can quite
confidently say that the things you mention will probably cause more rather
than less suffering in the long term. And it's exactly this type of naive
disregard for the complexity of actions and their consequences that makes
'script kiddies' so harmful.

~~~
zamalek
> naive disregard for the complexity of actions and their consequences that
> makes 'script kiddies' so harmful.

If I worked at FBI I'd be angry and _motivated._ The retaliation won't come in
the form of a zip file, either. It completely boggles the mind that someone
thought that this was a smart step toward their own goals.

"Let's shut down Mastercard!" I guarantee that someone somewhere in the world
was attempting to pay for an urgent medical bill during that time-period. What
did the hack _actually_ change? Nothing. It merely proved the hack was
possible.

You don't just hack someone and automatically change the world for the better,
for the worse most likely.

~~~
cookiecaper
I just want to make it clear that I didn't suggest there would be positive
effects from shutting down payment systems.

~~~
zamalek
Right, it was just an ad hoc example. The sentiment of what you said is true -
these are just people doing their job. I don't know why you are getting
downvoted so much. Thinking that there exists a hack which won't result in
harm is an easy mistake to make.

