In a perfect display of schadenfreude, the FBI might now be getting an idea of why people are reluctant to allow them unfettered access to their private information :)
Not really a useful comment, I know, but I had to show my appreciation for this guy for pulling down the FBI's pants!
I, for one, think privacy concerns over this release are overblown. After all, the news reports I've read only contain metadata about the individuals in question.
That the data is out there isn't important. It's not being looked at by me or other humans reading these news articles.
Furthermore, collection and access to this information is critical to the fight against terrorism. If professionals aren't able to identify individuals who may be endangering this country, that puts all of America at risk.
It appears to have been edited out, but that looks like a remnant of someone probing for cross-site scripting vulnerabilities by putting mismatched quotes and tags into places they don't belong.
> After tricking a department representative into giving him a token code to access the portal, the hacker claimed he used the compromised credentials to log into the portal, where he gained access to an online virtual machine. From here, the cybercriminal was presented with three different computers to access, he said, one of which belonged to the person behind the compromised email account. The databases of DHS and FBI details were on the DOJ intranet, the hacker said.
With public facing sites like Amazon -- who have necessarily engineered and refined security solutions to manage a wide surface area of attack from its customer base -- getting successfully social engineered on occasion, I shudder to think what the situation is at a large, multidecade bureaucracy where internal-only legacy technology stacks and access control procedures have probably resulted in a mindset of "oh just put that on a sticky note" workarounds just to get work done.
Because generally the 'powers that be' don't go publishing all of your data so anyone can see. You choose what gets publicly published and they keep what they have on you largely to themselves.
Except that everyone has some data that they want to keep private...
Maybe you want to keep your text messages private from your employer, or your browsing history private from your children, or your maximum driving speeds private from your local law-enforcement, or your sexual preference separate from your wife, or etc, etc.
> A spokesperson for the DOJ told Motherboard on Monday that the department “is looking into the unauthorized access of a system operated by one of its components...
Please don't give us the "we weren't hacked. It was a company we used that was!" Nonsense. I'm tired of hearing this. It's the same thing blue shield said when its/my/your data was pilfered. YOU are responsible for it! If you pass it off to some incompetent third party, then that reflects even more poorly on you!
In this context, "component" means an agency that's part of the DOJ. The FBI, for example, is a component of the DOJ. They're simply stating that Main Justice wasn't hacked.
They arent responsible, subcontractor is. As I posted some time ago:
"The very first thing University of Washington Center for Information Assurance and Cybersecurity (accredited by U.S. Department of Homeland Security, whatever that means) teaches you about becoming a CIO is precisely delegating responsibility :)"
The meaning of "personal info" sure has been diluted, this is zoominfo level data (in fact, based on a quick look it could very well be scraped from there).
Yea, I've worked for a few gov't agencies over the years, and most of them have had basically the same info on a public facing "who's who" webpage. The identities and job titles of public employees is public information.
Internal email addresses and phone numbers might be a little more problematic, since they could be spam targets. But it'd be a pretty brave/dumb spammer or prank caller who targets the FBI.
Every time I check HN, there's a new crypto tool, encrypted databases, and tips on hardening your servers. No matter how secure your system is technically, there is always the requirement to make parts of it "insecure" (in the sense that people buy enterprise encryption, but expect the company that sells it to keep a spare copy of the keys to recover lost data just in case)
The reality in cyber security is that people provide the weakest and easiest point of entry to compromise any computer system. Until the business side and process side of things improve, shit like this will remain common.
> In any case, a DHS spokesperson said the agency is looking into the reports, though “there is no indication at this time that there is any breach of sensitive or personally identifiable information.”
Except, you know, names. Merely being identified as a person moves you from not existing in the criminal universe to target. From name and other information comes yet other information, comes economic damage, or in this case, possibly life threatening damage.
Names aren't secret or private information. The agents give you their names if you talk with them. A significant portion of them are on linked in. During criminal trials their names are public record. Only four FBI agents died at an "adversaries" hand in the past 20 years, one botched undercover drug bust, an agent who ran into the twin towers on 911 to help people, and two who died in raids.
These guys are cops and detectives, not secret agents and spies.
Anyone else notice that Crytobin appears to be down? Wonder if they took it offline because of this or are they simply blocking traffic in the US to it?
I find it somewhat interesting that this hacker didn't use this information for leverage, if he's indeed some strong supporter of the free Palestine cause. Instead, he just let it loose and raised the middle finger.
It makes me think either the supposed motivation for this hack isn't what it seems, or it was perpetuated by someone who's incredibly naive. It just doesn't seem to add up.
Weev went to jail for literally HTTP GET'ing an AT&T server with a URL that was readily available on any Ipad device. In the RFC there's literally a return code for "Not Authorized", he got a good ol' 200 saying 'come on in' and got convicted of "conspiracy to access a computer without authorization".
Federal prison for what was effectively WGET'ing something that was, again, readily available. Still, in the eyes of the public and the law, hacker and cracker are the same thing. The guy is a racist liar but he didn't deserve federal prison. His conviction was later vacated on a venue technicality, which sucks, because had it been overturned in a higher circuit with the judge offering an Opinion, case law would have been set and Aaron Schwarz would have at least some vindication[1].
[1] In no way am I comparing the character of these two men, just the injustice they both suffered at the arms of the technically illiterate law enforcement/legal system. If I were a medical doctor who was before the board being judged for malpractice, I wouldn't want a jury of 12 of my 'peers' deciding my fate - I'd want other doctors.
[+] [-] gargravarr|10 years ago|reply
Not really a useful comment, I know, but I had to show my appreciation for this guy for pulling down the FBI's pants!
[+] [-] ethbro|10 years ago|reply
That the data is out there isn't important. It's not being looked at by me or other humans reading these news articles.
Furthermore, collection and access to this information is critical to the fight against terrorism. If professionals aren't able to identify individuals who may be endangering this country, that puts all of America at risk.
/congressional hearing
[+] [-] nmc|10 years ago|reply
<p> 20,000 FBI EMPLOYEES NAMES, TITLES, PHONE NUMBERS, EMAILS, COUNTRY <a href="</p">penis </a> <a href="https://twitter.com/DotGovs/statuses/696796442850156545">Feb... 8, 2016</a> </p>
Notice the weird <a> tag in the middle.
[+] [-] spike021|10 years ago|reply
[+] [-] SeeDave|10 years ago|reply
[+] [-] jimrandomh|10 years ago|reply
[+] [-] danso|10 years ago|reply
With public facing sites like Amazon -- who have necessarily engineered and refined security solutions to manage a wide surface area of attack from its customer base -- getting successfully social engineered on occasion, I shudder to think what the situation is at a large, multidecade bureaucracy where internal-only legacy technology stacks and access control procedures have probably resulted in a mindset of "oh just put that on a sticky note" workarounds just to get work done.
[+] [-] ryanlol|10 years ago|reply
That took 2 calls.
[+] [-] sanatgersappa|10 years ago|reply
[+] [-] Steve44|10 years ago|reply
[+] [-] bcook|10 years ago|reply
Maybe you want to keep your text messages private from your employer, or your browsing history private from your children, or your maximum driving speeds private from your local law-enforcement, or your sexual preference separate from your wife, or etc, etc.
[+] [-] zacharycohn|10 years ago|reply
[+] [-] ryanlol|10 years ago|reply
Edit: 5 downvotes, really?
That's a common argument used by various agents of the government to justify their actions that violate peoples right to privacy.
There isn't any privacy violations happening here, nobody affected seems to be very bothered.
[+] [-] matt_wulfeck|10 years ago|reply
Please don't give us the "we weren't hacked. It was a company we used that was!" Nonsense. I'm tired of hearing this. It's the same thing blue shield said when its/my/your data was pilfered. YOU are responsible for it! If you pass it off to some incompetent third party, then that reflects even more poorly on you!
[+] [-] ___ab___|10 years ago|reply
[+] [-] ryanlol|10 years ago|reply
Trust me, you could hack any recruiting company and they'd be sitting on much more data than this.
[+] [-] 3327|10 years ago|reply
[+] [-] rasz_pl|10 years ago|reply
"The very first thing University of Washington Center for Information Assurance and Cybersecurity (accredited by U.S. Department of Homeland Security, whatever that means) teaches you about becoming a CIO is precisely delegating responsibility :)"
http://depts.washington.edu/ciac/
[+] [-] ryanlol|10 years ago|reply
[+] [-] simplicio|10 years ago|reply
Internal email addresses and phone numbers might be a little more problematic, since they could be spam targets. But it'd be a pretty brave/dumb spammer or prank caller who targets the FBI.
[+] [-] IIAOPSW|10 years ago|reply
[+] [-] miguelrochefort|10 years ago|reply
[+] [-] noodles23|10 years ago|reply
The reality in cyber security is that people provide the weakest and easiest point of entry to compromise any computer system. Until the business side and process side of things improve, shit like this will remain common.
[+] [-] azraomega|10 years ago|reply
[+] [-] sp332|10 years ago|reply
[+] [-] mineshaftgap|10 years ago|reply
[deleted]
[+] [-] a3n|10 years ago|reply
Except, you know, names. Merely being identified as a person moves you from not existing in the criminal universe to target. From name and other information comes yet other information, comes economic damage, or in this case, possibly life threatening damage.
[+] [-] rhino369|10 years ago|reply
These guys are cops and detectives, not secret agents and spies.
[+] [-] ck2|10 years ago|reply
Sure an intranet only computer can be compromised as well, usb drive, social engineering, etc. but it is exponentially harder.
Really hoping ICBM systems are not on the internet because some general wanted to monitor them from his smartphone.
[+] [-] DamnYuppie|10 years ago|reply
[+] [-] jackgavigan|10 years ago|reply
[+] [-] aluhut|10 years ago|reply
I wouldn't want this happening to me.
[+] [-] hellofunk|10 years ago|reply
[+] [-] awqrre|10 years ago|reply
[+] [-] bamdadd|10 years ago|reply
[+] [-] moonshinefe|10 years ago|reply
It makes me think either the supposed motivation for this hack isn't what it seems, or it was perpetuated by someone who's incredibly naive. It just doesn't seem to add up.
[+] [-] ryanlol|10 years ago|reply
[+] [-] someonewithpc|10 years ago|reply
[+] [-] iheartmemcache|10 years ago|reply
Federal prison for what was effectively WGET'ing something that was, again, readily available. Still, in the eyes of the public and the law, hacker and cracker are the same thing. The guy is a racist liar but he didn't deserve federal prison. His conviction was later vacated on a venue technicality, which sucks, because had it been overturned in a higher circuit with the judge offering an Opinion, case law would have been set and Aaron Schwarz would have at least some vindication[1].
[1] In no way am I comparing the character of these two men, just the injustice they both suffered at the arms of the technically illiterate law enforcement/legal system. If I were a medical doctor who was before the board being judged for malpractice, I wouldn't want a jury of 12 of my 'peers' deciding my fate - I'd want other doctors.
[+] [-] alexandros|10 years ago|reply
[+] [-] sarciszewski|10 years ago|reply
My attempt to summarize the new meaning of the word hacker is "any person who employs (especially technological) ingenuity to solve a problem".
Full explanation: https://scott.arciszewski.me/blog/2014/08/cause-and-infect-w...
[+] [-] strictnein|10 years ago|reply
[+] [-] unknown|10 years ago|reply
[deleted]
[+] [-] rhino369|10 years ago|reply
[+] [-] lawnchair_larry|10 years ago|reply
[+] [-] Dolores12|10 years ago|reply
[+] [-] unknown|10 years ago|reply
[deleted]
[+] [-] radius|10 years ago|reply
Also, I didn't realize the surname Acevedo was so popular...