Friday, 22. November 2002
Internal Microsoft Server Exposed Sensitive Information To The Internet
A popular Microsoft file server remained partially offline on Thursday after it was discovered that the system exposed confidential internal documents and information on millions of customers, the company confirmed.
Some Microsoft staff apparently didn't realize the server was publicly accessible, Microsoft said.
The FTP (File Transfer Protocol) server is used to allow Microsoft customers to download drivers, software patches, and other files, as well as upload files for analysis by Microsoft tech support, the company said.
The confidential documents were exposed because some Microsoft marketing staff were using the FTP server as a repository, not realizing that the server was open for public access.
As of Thursday, users could upload -- but not download -- files to the server, Microsoft said.
Among the files accessible were confidential company presentations, spreadsheets, internal reports and a 1 GB database of user names and mailing addresses, which was kept in a zip file that was easily opened with freely available password-cracking software.
The FTP server was intended for use only by Microsoft's product support organization, but marketing staff were apparently using the server, unaware that it was accessible from the Internet. The confidential information was available on the server since Nov. 15 or earlier. Microsoft took the server offline on Monday and put it back up when it was cleaned of confidential files, but Microsoft employees then began uploading new confidential files to the server. [TechWeb: Security]
See also: http://www.theregister.co.uk/content/55/28252.html
Microsoft made customer details - along with numerous confidential internal documents - freely available from a deeply insecure FTP server earlier this month.
As well as numerous PowerPoint slides, such as Linux Vs Windows comparisons and .NET strategy papers, Microsoft "published" files containing an estimated 11 million customer email addresses and seven million snail mail addresses on the server.
All these confidential files were protected by the same password which was easily defeated by standard password-cracking tools, another point Microsoft would do well to note in reviewing its security policy.
17:11
Thursday, 21. November 2002
Accused eBay hacker out on bond
Accused superhacker Jerome Heckenkamp was released from jail last week after seven months in federal stir, but only after assuring two federal judges that he respects their authority after all.
Heckenkamp, 23, was taken into custody last March during a court appearance in San Jose, Calif. where, representing himself against a battery of computer crimes charges, he angered federal judge James Ware with a series of baffling legal arguments apparently inspired by failed tax-protester tactics.
In one gambit, Heckenkamp challenged the indictment against him on the grounds that it spelled his name in all capital letters, while he spells it with the first letter capitalized, and subsequent letters in lower case.
Seemingly moved into doubting Heckenkamp's commitment to appear at trial, Judge Ware ordered him taken into custody on the spot.
Two months later, from behind bars, Heckenkamp argued in his related San Diego case that he wasn't subject to the jurisdiction of U.S. courts because he had expatriated from "the corporation known as United States" and "re-patrioted into the de-jure California republic." He went on to demand that the plaintiff in the case, the U.S. government, appear in court, and accused prosecutors of fraud or mental incompetence for proceeding without a "client."
The judge in that case, Napoleon Jones, Jr., rejected Heckenkamp's arguments, and assigned him a court-appointed attorney over his objections.
Heckenkamp refused to meet with the panel attorney, but in September apparently gave up on representing himself and hired Los Angeles lawyer Blair Berk -- a decision that promptly reversed his fortune. In a month of filings in both courts, Berk argued that Heckenkamp, who dutifully made all his court appearances before his arrest, would continue to show up if freed again on bail -- regardless of how his name was capitalized.
"Jerome Heckenkamp acknowledges the authority of this court to require him to physically appear or to appear through counsel and answer the charges presently pending before the court," wrote Berk.
Prosecutors didn't oppose his release, and Judge Ware eventually agreed to leave the decision up to Judge Jones, who, after holding a hearing on the matter, set bail at $50,000.
Now free on a signature bond executed by his father, Heckenkamp will live in Los Angeles under house arrest, forbidden to leave home except to attend legal meetings or go to work, or for 90 minutes of exercise a day. By court order he's barred from the Internet, but is permitted to use a single "drone" computer at home to review the electronic evidence in his case, without a modem, and with all the connectors but the mouse, keyboard and power ports covered with police evidence tape. He'll also wear a GPS tracking device, monitored by federal Pre-Trial Services officers.
A former Los Alamos National Labs network engineer, Heckenkamp faces 10 felony charges in his San Diego case for allegedly hacking telecom equipment-maker Qualcomm while a graduate student in 1999. In the San Jose, Calif. case, he's charged with penetrating computers belonging to Lycos, Exodus Communications, Juniper Networks and Cygnus Support Solutions, and defacing online auction site eBay under the hacker handle "MagicFX." That case is on hold pending the conclusion of the San Diego case, in which no trial date is currently set.
[The Register - Security]
16:09
All CDs will be protected you are a filthy pirate
EMI Deutschland consumer relations ups the ante... [The Register]
14:05
Friday, 01. November 2002
Law.com
If you named your company (not to mention the site) Law.com, don't you think http://law.com/ would pull up the home page?
Turns out you'd be wrong. You need to go http://www.law.com/ . Come on guys, figure out the DNS! [tins ::: Rick Klau's weblog]
An "Internet Expert" recently explained to a friend that addresses not starting with "www" are not reachable worldwide.
20:12
The open secrets of Saddam's inbox
Anyone who thinks they can send private e-mails to Iraqi President Saddam Hussein unnoticed by the outside world should think again.
Journalists from the American website Wired.com say they have found an easy way to access the Iraqi leader's inbox, taking advantage of security holes in software used by the country's official internet service provider.
For weapon use, have function: no colour, no smell, will let person dead in a few second
Message from China
They found that dozens of people write to the Iraqi president's address - press@uruklink.net - each week, with anything from threats of nuclear annihilation to offers to help fight against the Americans.
But some writers appeared to be interested in more shady dealings.
The chairman of a London-based company e-mailed the Iraqi leader in August offering to act as a mediator for Iraq's purchase of unnamed products in Western Europe.
"Please consider this letter as secret... I ensure you absolute secrecy," the message read, according to Wired.com. [BBC News Online]
15:29
Tuesday, 15. October 2002
Internet Again
10 minutes ago the "SYNC" LED on our ADSL modem switched from red to green, so we are on the net again. In theory we were connected before via an Apple AirPort with modem, but some confusing interactions between the ISDN-to-analog converter in our PBX and the AirPort resulted in a transfer rate of ca. 800 b/s and an RTT latency of up to 22000 ms (22 seconds!). So basically the Internet was unusable.
11:10
Monday, 30. September 2002
Back blogging!
As you might have noticed, this weblog was broken in various ways over the last few days. It seems all showstopper bugs are ironed out and I can go on blogging. Nice.
You can find some explanation of my problems at http://md.hudora.de/blog/categories/niftyHacks/2002/30/
01:25
Tuesday, 24. September 2002
How the Greeks came to ban gaming
Mrs. Irini Vasselaki, who by the way chairs the criminal law special interest group of the German Society for Justice and Informatics and is of Greek origin, explained at the anti-censorship conference last week how the Greek government decided to ban gaming.
There was a recent problem with small private casinos in Greece. A lot of people were getting addicted and lost all their money. Society decided in the newspapers, talk shows etc. that this was a major problem and the politicians had to do something about it. So they rushed to make a law against the casinos.
I guess in Greek there is, as in German, only one word for gambling and playing. So they messed up the law, prohibiting all establishments offering gambling or playing. And now some in law enforcement don't get the difference either.
This shows again that lawmaking should be done slowly and carefully, and that you should have some technologists at hand to find such issues.
01:00
Sunday, 22. September 2002
Another Nigeria-419-fraud victim - losing US$ 2,100,000
A well-known plaintiff's attorney in suburban Detroit is the latest victim of a variation on the Nigerian scam. His bookkeeper embezzled $2.1 million over a period of six months and sent the funds by means of 13 separate wire transfers to overseas banks.
Said an investigating FBI agent: "She was gullible -- gullible and had access to $2.1 million."
The lawyer is going after his bank, because the bookkeeper did not have the authority to approve wire transfers.
from the Detroit Free Press [The LitiGator]
20:01
How RIAA was hacked
It was so simple. They had an admin interface without password protection and documented that in robots.txt. [The Register]
19:40
Tuesday, 10. September 2002
Hacking Trackback into Radio I
I want trackback. I want it transparent and I want it now. Seems I have to do it myself.
First I want to accept incoming trackback 'pings'. Installing standalone trackback on md.hudora.de is no problem. Now to get trackback links under my Radio items.
I dropped an extremely quick and dirty thing named trackBack.txt in my Macros folder and added <%trackBack(<%itemNum%>)%> in #itemTemplate.txt. That's it. Get the trackBack script and modify the URLs to suit your server:
on trackBack(postid, trackbackUrl = "http://md.hudora.de/cgi-bin/tb.cgi") {
    «Renders a TrackBack link plus the RDF autodiscovery block for one Radio post
    local (adrblog = radio.weblog.init ());
    local (adrpost = @adrblog^.posts.[string.padwithzeros (postid, 8)]);
    local (permaLink = "http://radio.weblogs.com/0112292/");
    «Falls back to the weblog root if no permalink can be computed for this post
    try {radio.weblog.getUrlForPost (adrpost, @permaLink, adrdata:adrblog)};
    local (ptitle = "");
    if defined (adrpost^.title) {
        ptitle = string (adrpost^.title)};
    «ptitle goes into an attribute unescaped, so keep quotes and angle brackets out of post titles
    return ("<a href=\"" + trackbackUrl + "?__mode=list&tb_id=" + postid + "\" onclick=\"window.open(this.href, 'trackback', 'width=480,height=480,scrollbars=yes,status=yes'); return false\">TrackBack</a>\n<!-- <rdf:RDF xmlns:rdf=\"http://www.w3.org/1999/02/22-rdf-syntax-ns#\"\nxmlns:dc=\"http://purl.org/dc/elements/1.1/\">\n<rdf:Description about=\"" + trackbackUrl + "?tb_id=" + postid + "\"\ndc:title=\"" + ptitle + "\"\ndc:identifier=\"" + permaLink + "\" /></rdf:RDF> -->")}
Tomorrow: how to use Radio, Python, XML-RPC and some hacking to send trackback pings from your Radio Weblog without user intervention.
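As an added example, not the weblog's own code: the same TrackBack link and RDF block generated in Python with every interpolated value escaped, plus the parser a pinging client needs to pull the ping URL back out of a rendered page. The host in PING_CGI is a constructed placeholder, and the trackback:ping attribute from the TrackBack specification, which the macro above omits, is included.

```python
"""TrackBack autodiscovery: emit the link plus RDF block for a post, and parse
the trackback:ping URL back out of a rendered weblog page."""
import html
import re

# Constructed stand-in for the macro's trackbackUrl default (hypothetical host).
PING_CGI = "http://example.invalid/cgi-bin/tb.cgi"
TRACKBACK_NS = "http://madskills.com/public/xml/rss/module/trackback/"


def trackback_link(permalink, post_id, title, ping_cgi=PING_CGI):
    """Return the HTML the macro produces for one post.

    Every value goes through html.escape, so a title such as
    'Linux <vs> "Windows"' cannot close the attribute or the comment early;
    the UserTalk version inserts ptitle raw."""
    esc = html.escape
    list_url = f"{ping_cgi}?__mode=list&tb_id={post_id}"
    ping_url = f"{ping_cgi}?tb_id={post_id}"
    onclick = ("window.open(this.href, 'trackback', "
               "'width=480,height=480,scrollbars=yes,status=yes'); return false")
    anchor = '<a href="%s" onclick="%s">TrackBack</a>' % (esc(list_url), esc(onclick))
    rdf = "\n".join([
        '<!-- <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"',
        'xmlns:dc="http://purl.org/dc/elements/1.1/"',
        'xmlns:trackback="%s">' % TRACKBACK_NS,
        '<rdf:Description rdf:about="%s"' % esc(permalink),
        'dc:identifier="%s"' % esc(permalink),
        'dc:title="%s"' % esc(title),
        'trackback:ping="%s" /></rdf:RDF> -->' % esc(ping_url),
    ])
    return anchor + "\n" + rdf


_DESC_RE = re.compile(r"<rdf:Description\s+(.*?)/>", re.S)
_ATTR_RE = re.compile(r'([\w:]+)="([^"]*)"')


def discover_ping_url(page_html, permalink):
    """Find the trackback:ping URL for the entry identified by permalink.

    A weblog page carries one RDF block per post, so the block whose
    dc:identifier (or rdf:about) equals the permalink is the right one.
    Returns None when no block matches."""
    for match in _DESC_RE.finditer(page_html):
        attrs = {k: html.unescape(v) for k, v in _ATTR_RE.findall(match.group(1))}
        ident = attrs.get("dc:identifier") or attrs.get("rdf:about")
        if ident == permalink:
            return attrs.get("trackback:ping")
    return None
```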
00:27
Friday, 22. November 1996
Risks of believing what you read: Re: Irish rock band (RISKS-18.62)
> ... first group to be burglarized on the Internet [?]
Those who are following this story will already know that the samples from
U2's new album were not "'siphoned off' along cables feeding the band's own
video camera", that provides a one day delayed view of U2's studio
activities, but were copied from a promotional video that was sent out from
Island Records to their office in Hungary. The video was reported to have
been borrowed and samples taken from it - a purposely degraded recording -
were uploaded to a web page on the Internet.
The story seems to have got very quickly elaborated to include hackers. The
hacker aspect appears to have come from the quote in the Sunday Times from a
"former hacker":
Hackers may have used the camera as a door into the studio's computers
where the new songs are stored.
The real risk here is that it seems that newspapers don't employ anyone
qualified to proofread and follow up their Internet related stories. (Also
c.f. the recent Observer story about pornography on the Internet). [stuart@gol.com (Stuart Woodward) via risks-digest Volume 18, Issue 63]
17:13
Thursday, 02. May 1996
Re: Cambridge University systems hacked! (RISKS-18.09)
Another two risks demonstrated here are:
Summarisation of technical information by people who do not understand it
- a reporter in this case, but the risk probably applies elsewhere
Believing what newspapers print.
The story printed in the newspaper bears only a passing resemblance to the
real incident. What actually happened was that a packet sniffer was found
running on a machine on the subnet that connects the central Unix service,
mail server, and so on. Everyone who uses these systems was required to
change passwords. The e-mail system has not been replaced, and I've no idea
how this detail got into the article.
Steve Early sde1000@cam.ac.uk [Stephen Early via risks-digest Volume 18, Issue 10]
10:19
Sunday, 10. October 1993
give us all your passwords
Last week, many of us at the company where I work were astonished to receive
an e-mail message from our parent company's legal department asking everyone
to send them all the passwords everyone had used on our LAN servers since
January, 1991, except for current passwords. Fortunately, it was shortly
revealed that this did not apply to our division, but not before I had sent
back a reply telling the person in the legal department how dangerous I
thought this was.
Later we found out at a company meeting that another division in our family of
companies is being sued because of some possibly suspicious stock trading, and
our legal department wants to make sure that it can get at any records on
their network servers. I, of course, suspect that they are being
spectacularly ignorant of how little use the password lists would be to them
and the security risks involved with having lists of individual passwords
laying around in plaintext form. Even though none of the passwords should be
current, my experience suggests that many people stick to certain themes and
patterns for passwords, especially when password aging is used, as it is on
our servers. Our passwords expire every 40 days, which means that everyone
working at our company since January 1991 has gone through 25 passwords by
now, giving any crackers a sizable database to extrapolate from. And of
course, everyone will probably send their password lists by e-mail, giving
crackers an easy opportunity to intercept such lists. [stevev@miser.uoregon.edu (Steve VanDevender) via risks-digest Volume 15, Issue 11]
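As an added illustration of the pattern the post describes, not part of the RISKS message: a password-history check that flags a new password derived from an earlier one's theme, run over a constructed history. The 0.75 threshold and the leetspeak map are my assumptions.

```python
"""Password-history check: does a new password merely vary the theme of an
earlier one, as people tend to do under password aging?"""
import re
from difflib import SequenceMatcher

# Constructed history for one user (not real data): five consecutive passwords.
SAMPLE_HISTORY = ["Summer91", "summer92!", "Autumn92", "S3cret01", "Secret02"]

# Undo the substitutions people use to satisfy "must contain a digit" rules.
_LEET = str.maketrans("013457@$!", "oleastasi")


def theme(password):
    """Reduce a password to its reusable core: lowercase, drop the leading and
    trailing digits/punctuation that get bumped each cycle, undo leetspeak."""
    core = password.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    return core.translate(_LEET)


def similarity(a, b):
    """Ratio in [0, 1]; 1.0 means identical (difflib's matching-block ratio)."""
    return SequenceMatcher(None, a, b).ratio()


def derived_from(candidate, history, threshold=0.75):
    """Return the earlier password the candidate is recognisably derived from,
    or None if it looks genuinely new. Identical themes are rejected outright;
    otherwise either the themes or the raw strings must clear the threshold."""
    cand_theme = theme(candidate)
    for old in history:
        old_theme = theme(old)
        if cand_theme and cand_theme == old_theme:
            return old
        if (similarity(cand_theme, old_theme) >= threshold
                or similarity(candidate.lower(), old.lower()) >= threshold):
            return old
    return None


def predictable_fraction(history, threshold=0.75):
    """Share of password changes that were derivable from an earlier entry:
    a rough measure of how much a leaked plaintext list would give away."""
    if len(history) < 2:
        return 0.0
    hits = sum(1 for i in range(1, len(history))
               if derived_from(history[i], history[:i], threshold) is not None)
    return hits / (len(history) - 1)
```

A server-side password-change routine would call derived_from against the user's stored history (hashed comparison is not possible here, which is exactly why such lists must never sit around in plaintext).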
07:59
Friday, 18. October 1991
Yet another journalistic cock-up
There's a double page spread in "Ha'aretz" today (17/10/91) based on an
interview with an ex-cracker who for the past four years has run a computer
security firm. When he was a teenager, he took his revenge on a hated maths
teacher by breaking into computer of the American bureau of an Israeli paper,
and inserting a false story reporting on how the said teacher had been arrested
on a drugs charge. The story was duly transmitted back to Israel, and printed
in the next edition. [See Risks:???? Internet link's down, and I can't reach
the WAIS risks archive (meta-risk?)]
Now it seems he's found an even easier way to get bogus articles into
a newspaper - just talk to a journalist.
He decided to demonstrate his prowess to the journalist by breaking in
to one of our VM machines. The account he chose was that of the head of
the Computer Centre advisory centre. The owner of this account isn't
the most technical of people- her passwords are chosen from a quite small,
related set of words. Four years ago, he broke into her account - he claims
that by chance, her password happened to be the same at the time of the
demonstration. I have no evidence to contradict this,although it seems more
likely that he guessed her current password using the information he had from
the old one.
Up until this point, the article is mostly accurate - but now, the
bogometer needle starts going off the scale.
------
Claim #1: He claimed that the account he broke was privileged.
Lie: The account was an ordinary user account, with *no* system privileges.
------
Claim #2: He stated that the account name had a prefix which indicated that
the account was special, and that this showed how naive the system
managers were.
Lie: See #1. Even if his claim were valid, the risk is exactly the same as
being able to cat /etc/groups on a UN*X box to see who's in
wheel.
------
Claim #3: He claimed that from this account he could enter the accounts of
all employees and researchers, and change their files.
Lie: See #1.
------
Claim #4: He claimed that from this account, he could change information on
the administration computer. He offered to wager the journalist
that he could make him a Technion employee, give him a professorship,
pay him a bonus, and then erase everything without leaving a trace.
Lie: See #1. Also, the administration computer is completely separate from
VM machine. The only connection is that both have the same three letters
written on them. This machine can only be connected to from special
terminals.
------
Claim #5: He claimed he could shutdown the computer and destroy all the
data on the machine.
Lie: See #1.
------
Claim #6: He claimed he could destroy all the back-ups.
Lie: Maybe if he stuck magnets on a few SCUD-C's and lobbed them at the
various tape archives. It's a lot harder to spoof a human being,
especially when you're a 24 year old male, and the spoofee is a
50ish woman.
He also makes other false statements, including a claim that before he
hired a salesman, he never approached anyone to offer his services. Four
years ago, he came to the Technion, and offered his services to
a member of computer centre staff. This offer was not taken up.
What made things worse was the slightly inept performance of the Technion
spokesbeing. After a quick telephone call to the head of the centre, who gave
him the usual spiel about how theoretically, all systems are breakable if you
can connect to them, and that without more details, he couldn't say what
the cracker could or could not do. The spokesbeing took this message, and
then garbled so completely that he acknowledged almost all the allegations
in the article.
The risks?
1: Technologically naive journalists can easily be taken for a ride by
experts with something to sell. The best computer reports in the press
come from papers like "The Guardian", where the computer
editor has a technical background as well as a journalistic one.
2: Technologically naive spokesbeings can be taken for a ride by journalists
with something to sell. Maybe Spaf or Cliff Stoll could give pointers on
how to handle the media when statements can only come from the talking
suits.
3: The boy who called "wolf!" effect. We know that our computers aren't secure
(here in the UNIX group, doubly so). In an academic environment, there's
really nothing you can do about it, except for blocking the more obvious
holes, and keeping good backups. But when an article like the Ha'aretz one
appears, it throws a bad light upon the institution, and lessens the
impact when you really do have a serious break in.
Simon ses@techunix.technion.ac.il ses@techunix.bitnet Tel +972-4-292658 [ses@ccgr.technion.ac.il (Simon E Spero) via risks-digest Volume 12, Issue 53]
02:51
Thursday, 21. February 1991
Accuracy in movies and newspapers (Re: Hollombe, RISKS-11.15)
The beauty of TV and newspapers is that _everything_ in them is wrong! This is
really true. No matter what the subject matter is, if you happen to be a
specialist in that area, you'll grit your teeth when you read or watch.
Neurosurgery -- ballet -- the law -- names of streets in your own hometown --
archaeology -- accounting -- you name it, they get it wrong. I'm not
surprised: the media have to talk about everything under the sun but couldn't
possibly afford to be experts in all of it. The fun part is that even when
we're done rolling our eyes at, say, some egregious astronomy error, we sit
back and take at face value something about China or Churchill or Chernobyl or
child development! We shouldn't. Experts in those areas are busy gritting
their teeth even now -- while they swallowed the astronomy stuff without
complaint. :-)
[Another instance that strikes home even more is being directly MISquoted
after making a carefully worded direct statement and insisting that it
be used verbatim if at all... Perhaps there is nothing special about
computers and related technologies that causes many media folks to be so
far off the mark. But there are lots of technological nonsophisticates
writing on technology (and only a few really thoughtful and careful ones).
Perhaps the worst problem is the tendency toward 10-second sound bites and
25-words-or-less oversimplifications. PGN] [tneff@bfmny0.bfm.com (Tom Neff) via risks-digest Volume 11, Issue 16]
00:00
Tuesday, 15. May 1990
Feds Pull Plug On Hackers (Huggins, RISKS-9.91)
...[the Secret Service agent] also said there was no evidence that
the suspects were working together. Rather, they probably were
sharing information someone had put into a national computer
"bulletin board". [...]
Does our law enforcement community really think that "working together"
requires physical presence? Don't they recognize that sharing information via
a cracker bulletin board is collaboration? Isn't this the whole point of a
computer security case? [bob@MorningStar.Com (Bob Sutterfield) via risks-digest Volume 9, Issue 92]
14:52
Re: "Feds Pull Plug On Hackers" (RISKS-9.91)
Boy, do I hate sensationalism in journalism.
Does anyone besides me find it difficult to believe these 42 computers ran
up over a million dollars apiece in unpaid phone time? You *could* do it in
a month or two if you had connect time 24 hours a day (very) long distance,
or a couple hours a day for two years. So, it's possible, but I don't believe
it for all 42 systems.
It's also pretty colorful to refer to a "nationwide network" of people for
which "there was no evidence that [they] were working together".
Richard B. Clark, Lisle, IL [rbc@cuuxb.ATT.COM (~XT6561210~Rick Clark~C24~H15~6011~) via risks-digest Volume 9, Issue 92]
14:13
disLEXia, a research project by Maximillian Dornseif