Hacker News new | past | comments | ask | show | jobs | submit login
TechCrunch: Skating on Thin Ice (jgc.org)
115 points by jgrahamc on July 16, 2009 | hide | past | web | favorite | 42 comments

I never, ever gloat or make fun of others when it comes to security. It seems like a no-win situation. If you go to someone privately with security concerns, you're generally seen as helpful. If I publicly oust somebody, there are all sorts of people like the author (but far less scrupulous) who might consider it their duty to knock me down a peg... and I'm no security expert.

Using "password" for a password is really stupid, but "really stupid" is relative to the knowledge level of the person pointing it out, in most cases. I'd prefer not to find out what really stupid thing I've done to allow some script kiddie access to my servers (or whatever the case may be).

I actually don't care much for the tone of this article either, for that matter. It's just a bit off for some reason IMO. Perhaps it comes across as a bit of gloating itself? I'm not sure, but it's not that big a deal.

The tone reminds me exactly of the bit in The Hitchhiker's Guide to the Galaxy where Slartibartfast calls Arthur Dent "late" in an effete attempt to sound sinister and threatening...

... but that's probably just me, though.

'threats... I'm not very good at them, though I'm told they can be quite effective...'.

I'm sure that I sound about as threatening as Slartibartfast.

Yes, but he has something to back it up.

Oh, I'm sure he does. He's a regular contributor here and a smart guy. There's just something a slight big 'off'. Too "hey, I'm a badass"?

"Hey, I'm badass" is the way to get Michael Arrington's attention :-)

A quick follow up. TechCrunch got in contact and we had a quick back and forth. They confirmed that the security vulnerability I was pointing out was something they had worried about already and taken action to mitigate.

They also said "We have had thousands of breakin attempts over the past few days". No surprise really.

And they are planning some posts pointing out the vulnerable nature of apps in the cloud.

Aren't the situations a little asymmetrical or are they ? How much does a disruption in Twitter service affect people and how much a disruption in Techcrunch affect the internet economy.

Are you suggesting they are both almost useless?

Edit: On second thought I assume you mean one of them is useful, but I could not tell from your comment which you though was more useful.

I really think that puts things in perspective a bit.

I think that what TC are doing with the stolen documents is deplorable journalism, but his site remains, and is currently unhacked, so I guess he has the last laugh.

I'm no "hacking expert" but is hacking nowdays really just you guessing/stealing a person's password?

Not all that's involved. Sometimes "hacking" involves creative pranks.

For example, one prank I pulled (which was admittedly pretty basic and silly) was a creative redirection using .htaccess for a certain someone's fixed IP address who used to lurk a site I ran last year. This person had an extreme distaste for me, because of the existence of the site and she would publicly slander me for something I never did at every available chance.

So I decided to have a little fun with her.

I set up a page with her (publicly available) photo with large text headline saying that she had been hacked, which the redirection went too.

Total time to setup - less than 3 minutes.

Having her write me a lengthy email me telling me that she was going to call the police (in Australia) and have me arrested was pretty interesting. I never responded.

I think I would be freaked out too if the next time I visited someone's blog (which I was hypothetically consistently leaving trolling/nasty comments on) there would be my picture there, exclaiming how I'd been hacked.

Sometimes the illusion of having "hacked" someone is just as satisfying as the real thing, without the messy potential of jail-time.

Remind me to stay on your good side.

We pulled a similar prank on a guy working on implementing 'verified by visa'. Every morning he'd walk in to the office and read the same news site. So, three days before completing the project we cloned the news site and posted an article that VISA had decided to abandon VBV.

He walks in to the office, starts reading the headlines (-- expletive deleted --) slams his coffee down and walks out of the office.

To his credit within 20 paces he started laughing like mad, knowing he'd been had. Pretty clever dude, it would have taken me a bit longer... :)

To protect the guilty and the innocent alike, no further references, but rest assured that a few words were addressed to VISA execs that were not exactly pc.

Lots of fun with the DNS.

You could do a load of damage with DNS redirection. If you look at the market penetration of Google Analytics you'll see that a very, very large number of sites are embedding JavaScript pulled from google-analytics.com in web pages. Now imagine if you redirected that one domain and served your own JavaScript. You could include the GA JavaScript as well, but add your own stuff which would then run in everyone's (within that DNS area) web pages and your JavaScript could start doing all sorts of nasty things.

Absolutely, I don't think it will be long before there will be a major hack like this at some large ISP. The temptation is just too large.

DNS is one of the weak links of the way the web is put together, and javascript embedded from third party sites nicely exposes that Achilles heel.

Another reason to mistrust open wifi connections :)

You wouldn't even need to do too much damage on the client side for an effective attack vector.

Imagine redirecting scripts for googleadservices.com and implementing their JS code with your own publisher ID there.

That would make some of those adsense cheques Markus Frind has shown off look like lunch money.

EDIT - if you really wanted to make something like this cool, you would instead use the publisher ID of some random charity (or even cycle through an array of charities) that could be easily obtainable by viewing source code in pages.

Just a thought...

EDIT #2 - Or, some more Internet Justice - just have it ignore the clicks that would otherwise go to domain parkers (with the revenue heading to charity). You cut off that air supply and eventually a lot of domains will start becoming available again.

That way, the Internet Wins.

"Remind me to stay on your good side."


I sold the site earlier this year, but the subdomain I set up is still live, so the "hack" (if you could really call it that) is still live.

Gives me a giggle, everytime - I know it was malicious, but it was damn funny.

Another thing I did to this person was embed a flash banner on her forums using google's adwords that would loop an 8 bit rickroll. She ended up disabling advertising on her site for a short while, instead of blocking the ad itself. It drove her users nuts. Among the best 80 cents I ever spent.

Good times.

Back in the day I was running an ISP, and when we did a website redesign at some point we added reverse lookup of the users IP address followed by a quick little dictionary lookup to add a "Back to [users ISP]" link (we did not have much business/marketing sense) if it matched any of the major ISPs.

Two days later we got a frantic call from someone at another ISP to tell us that someone had hacked our server and added a link to them - he wanted to make sure we didn't think it was them that had done it.

I think he is hiding something in his article. Interesting.

I'm not hiding anything. I'm just pointing out that this sort of gloating is a really bad idea. If I had actually broken into TechCrunch's systems do you think I would post an article about it?

Or maybe that's what you want us to think. After that last hack, you'd be rather high on the suspect list.

Get off the guy's back. That last hack was both clever and responsible. Having the ability to find security problems does NOT make one a suspect automatically.

Actually, in most companies that is exactly what it does.

Agreed. I wonder at what point intelligence and knowledge become an arrestable offense. I own a set of lock picks. If I were to carry these outside of my home in the UK (since I am not a locksmith) I could be arrested for the offense of "going equipped"


Section 25 Theft Act 1968

(1) A person shall be guilty of an offence if, when not at his place of abode, he has with him any article for use in the course of or in connection with any burglary, theft or cheat.

(3) Where a person is charged with an offence under this section, proof that he had with him any article made or adapted for use in committing a burglary, theft or cheat shall be evidence that he had it with him for such use.


Am I "going equipped" on a daily basis?

The joke goes that a locksmith was arrested for 'going equipped' and he countered they should arrest him for rape as well...

Hmm. I wasn't smart enough to think of that angle. I guess I wouldn't make a very good criminal mastermind. Oh well.

But remember on that Hacker News hack, I just thought of the possibility. Someone else did the actual work (and, in fact, totally independently of me).

When you take the proverbial out of someone elses systems, on a technology website read by thousands of tech savvy people you're asking for trouble.

Agree. It's one step down from when companies shout about how secure their systems are and then offer some 'challenge' prize money that they assume will never be won.

cough Unbreakable Linux cough

At least this post will have everybody running like headless chickens at TC deleting every unethical or compromising evidence and fixing every possible security hole.

But there will always be one hole left...

Or, Michael Arrington could just send me an email and I'll tell him which machine I'm talking about.

Would you also let know, which machine it is, if _someone else_ mails you.

Uh. No.

Hey it is me, Michael Arrington.

Please tell me which machine it is, send info to:



You think I don't know Michael Arrington's email address, or how to verify that it's really him?

I think the @mailinator was a tip off.

Make him sweat for 24 hours before giving any clue, so other hackers can put their mad skillz to test.

If they break in that wouldn't be your fault.

Boy, some people really don't like Michael Arrington.

He doesn't help his cause very much with his often arrogant bully tactics. Sometimes it seems like he enjoys insulting people who comment, which isn't really so different from Ron Artest jumping into the crowd to fight with folks, is it?

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact