18 attempts got blogger into Kennedy ad firm’s website — This should be interesting as it evolves.

The blogger’s aggressive attempts to penetrate the website might be criminal hacking or they simply might be routine antics in the new world of Internet-based politics, where computer geeks delight in discovering the undiscovered, and where pushing the envelope is part of the game.

The blogger’s side of the story

found by Ben Franske



  1. since when is:
    …/images/
    …/home/
    …/ads/
    …/secret/
    …/etc/

    considered hacking?

    I’m certain the video could have been found that easily with some creative folder naming

  2. OhForTheLoveOf says:

    that puter stuff sho is tricky

  3. Mike Voice says:

    Sounds like what I’ve seen people do when a new camera is close to being announced.

    People going to an existing webpage – say for a “Canon EOS20D” – and assuming the page http address would be similar, replace “20D” with “25D” and “30D” and “3000D” to see if such webpages exist.

    Similar efforts have found unannounced cameras & lenses on Nikon’s sites – close to the rumored time of official announcements.

    The rumor mill can get excited when the result is not “page not found”, but rather “page not currently available”.

  4. AB CD says:

    The blogger’s explanation sounds innocent up until he explains why he used that password. Who would be looking at this box, and the first thing that comes to mind is Allen, when the campaign is for Kennedy? Turns out it’s not even a password, but part of the URL that you are supposed to enter. This is not what I’d call a criminal act, though the blogger should come clean about it. I notice the media isn’t so quick to front page this story, but when it was the Republicans hacking they parroted the Democrat story line. And in that case there was no password, just click on which files you want to access.

  5. Mr. Neolib Fusion says:

    If the site asked for a password, at least as it does now, then it is not an open web page. Any more than having a key that fits a padlock does not mean the area is open to the public. It doesn’t matter how weak the password is or flimsy the lock is, they are both to restrain unauthorized people from entering.

    Using the excuse about how easy it is is a stupid argument. I don’t care how easy your sister is, if she is under age then she is off limits.

    It wasn’t a case of adding to the URL, he admitted entering a password. And he apparently tried 18 different times before stumbling upon a password that worked. This was no accident. It was a purposeful hacking.

  6. James Hill says:

    Neo,

    There’s only one flaw with your point of view: By its nature, a web server is public. Is putting part of a website behind a password really enough to consider it private? In my opinion, no.

    Now, if the guy hacked on to their corporate network this would be a different issue, but this is a web site. If this place is putting prerelease stuff on a web server they’re asking for trouble.

  7. Post #6 shows huge hole in how many people understand what is private and what is public on the internet, although exact parallel exists in our “normal” life.
    Fact that some store is on the public street does not mean that its content is free for taking, particularly if its door is locked… Yes, you can easily break in by breaking window or defeating the lock, but do either and when caught, you’ll go to jail. Password protected website that resides on the public internet is the same. One does not have any right to defeat it. Even trying is criminal as it shows your attempt to steal.
    In this particular case I understood that the blogger guessed the password “Allen” after a number of attempts = he “jimmied” the lock and there is evidence he persisted until breaking in… Hence he deserves to be arrested. In my opinion he is equal to any common thief.

  8. James Hill says:

    Post #7 shows the void of logic that exists in most technology discussions today.

    The public street analogy doesn’t work. Theft involves taking something away, while looking at something on a web site doesn’t. A password doesn’t represent a lock, because what’s behind a password is virtual… meaning more of one of what is being protected can exist.

    In my opinion the blogger is equal to any peeping tom, only this one has poor taste.

  9. Mike Voice says:

    And the only reason this is getting any traction is because one party is trying to get it to “stick” to the other party’s candidate.

    Reminds me of this one…
    http://www.dvorak.org/blog/?p=5670

    Kenney demanded an apology from Musgrave’s likely Democratic opponent, state Rep. Angela Paccione of Fort Collins.

    And, I love how 18 attempts is considered “aggressive”…

    Yeah, sounds like a brute force attack to me. 🙂

  10. AM says:

    #9 Mike, you got this right. It’s a tempest in a teapot and ultimately not likely to influence the election.

    Unless it’s a plot by Jesse and the independents to discredit everybody in favor of Hutchinson … 😉

  11. Mr. Neolib Fusion says:

    #8, The public street analogy doesn’t work. Theft involves taking something away, while looking at something on a web site doesn’t.

    It is illegal to break into a store, regardless of whether or not you take anything. Different jurisdictions might use different terms, but it still ends up being criminal trespass. This guy illegally gained entry to a site that was not open to the public. That is generally called hacking.

    Just because a server has portions open to the public does not open ALL the information stored on that server to the public. Otherwise private information such as credit card numbers, personal ID, and email addresses would all be free for the taking.

  12. Gregory says:

    But this isn’t even breaking in, it’s not a lock

    It’s more like… someone had some blinds up, obscuring a part of a public street (say.. for a music gig, I’ve seen that setup before), and someone peeked through the blinds by finding a hole.

    The server is public, the protection failed. Saying he hacked it is a bit like building a building full of paper and complaining when someone from the outside falls through the wall.

  13. lou says:

    Neolib: I tend to agree with #12/Gregory, the amount of protection does matter. To test your reasoning, could a notice on the door of the store saying “private property”, with no lock, be allowed?

    And as an IT professional, if any private information (social security numbers, etc.), are stored on a web site (meaning a server whose IP address is available via TCP/IP to the public), then the IT administrator of that site is being completely negligent, and should be considered liable for any problems. A bank could put no-trespassing signs (instead of locks or other physical security) outside their vaults or safe deposit boxes, but if there was a breach, they would be considered liable. Any computer professional that allows personal, non encrypted info to be available from a public web server is just as liable. (This is my opinion, once again).

  14. Mr. Neolib Fusion says:

    …the amount of protection does matter. To test your reasoning, could a notice on the door of the store saying “private property”, with no lock, be allowed?

    The answer is YES. It doesn’t matter if you think there should have been a stronger lock. If the lock or impediment that is there is to stop people then to go past that point is trespass. You have no unfettered right to access any piece of property, be it real estate or cyberspace.

    The location is similarly irrelevant. Whether it is a parked car on a public street or locked in a garage, you do not have permission to enter either.

    There’s only one flaw with your point of view: By its nature, a web server is public. Is putting part of a website behind a password really enough to consider it private? In my opinion, no.

    There is no convention, rule, court ruling, consensus, or agreement that web servers are public. Except among those who think there is no such thing as personal property.

    Often both public and private areas reside on the same server. Using DU as an example, the portion the public sees and is invited to read and post comments is public. But behind that is the structure of the whole site that you are not allowed to see. Included are the email addresses of every poster. I imagine that someone might be able to defeat the security and obtain those addresses, yet quite obviously they are not public nor intended to be public information. Being on the same server DOES NOT make those addresses public.

    Often companies will have confidential information including price lists, schedules, specifications, customer orders, and deliveries on their web sites. These are accessible to salesmen and specific customers with passwords. The public has no right to this information any more than if it was in a file cabinet at Corporate.

    Theft involves taking something away, while looking at something on a web site doesn’t.

    He downloaded and distributed someone else’s property. Like it or not, he did not have permission or authority to view the advertisement or to download it. So there is a theft involved.

    For reference, try this one then tell what the difference between the two is.
    http://www.dvorak.org/blog/?p=6269#comments

  15. James Hill says:

    Neo, you’re not doing so hot in this thread either.

    A password isn’t a lock, and logic dictates that something private shouldn’t be kept on a public web server because, by nature, a web server can’t be locked.

    The first sign you’re wrong is needing multiple paragraphs to state your flawed viewpoint.

  16. AB CD says:

    So if it can’t be explained in one paragraph, it must mean you’re wrong?
    The question I have is how much is the blogger lying? Did they change the site to say password? I think they did given the behavior of the site. If you enter ‘Fusion’ it would go to Fusion.html. If it said password to begin with, then maybe that’s trespassing. Well that’s one paragraph, so I guess I’ll quit now.

  17. Mr. Neolib Fusion says:

    It is simply no fun having a battle of wits with an unarmed enemy.

    A password isn’t a lock, and logic dictates that something private shouldn’t be kept on a public web server because, by nature, a web server can’t be locked.

    Say it all you like. Shout it from the highest hill you can find. It won’t matter. A web server and anything on that server remains someone’s property. Illegally accessing computer content is a Federal Offense.

    The Feds, several states, and foreign governments are building a nice pile of case law regarding hacking and I think this guy is possibly in line to be charged. Can you point out a Court Case that a Judge decided a web server was public property?

    In fact, if John Dvorak, or his web master Marc P., agree that his web sites and servers are public property then I will apologize and refrain from posting for one month. Or you could try reading the Terms of Usage yourself.
    http://www.dvorak.org/blog/html/terms.html

  18. jbellies says:

    Although I often agree with Mr. H. Fusion, I don’t believe that things are so cut and dried as Mr. Neolib Fusion lets on.

    First, it was not a password:
    http://newpatriot.org/2006/09/proof.html

    Second, wasn’t there a court case years ago about copying the contents of a ROM, and the owner lost because he didn’t put the copyright notice both on the chip and in the ROM code itself? I wonder if the web site in question put in sufficient warnings of privacy? Certainly a video on the internet, accessible by typing in a URL, would normally be public. This is not a list of social security numbers or campaign donors.

    It seems that here the webmasters couldn’t be bothered to set up a real password system (or perhaps it was extra charge from the ISP), so they relied on privacy by obfuscation. The solution was fairly simple. Who is to say what the purpose of the obfuscation was? Maybe it was to deny naive surfers the ability to see the videos, only to allow those with the interest and an IQ > 109 to see them?

    My prediction is that the “case” will not go to court. If it does, the FBI will lose.
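
The mechanism described in comments 16 and 18 (a box that only turns the typed word into a page address), set beside a server-side check, as an added example that is not from the original post or from the site discussed. The names `gateUrl`, `staticServe`, `makeServerGate` and the sample paths are hypothetical.

```javascript
// Added illustration, not code from the site discussed. All names are hypothetical.
const crypto = require('crypto');

// Pattern described in the comments: the box only turns the typed word into a
// page address, so the "secret" is just a filename in a public web root.
function gateUrl(word) {
  return '/' + encodeURIComponent(word) + '.html';
}

const WEB_ROOT = new Set(['/index.html', '/Fusion.html']); // constructed sample

// A static server answers any well-formed path; the form is never consulted.
function staticServe(path) {
  return WEB_ROOT.has(path) ? 200 : 404;
}

// Corrected form: the server checks the secret, limits failures per client,
// and releases content only to a random session token it issued.
function makeServerGate(secret, maxFailures) {
  const key = crypto.randomBytes(32);
  const mac = (s) => crypto.createHmac('sha256', key).update(String(s)).digest();
  const expected = mac(secret);
  const failures = new Map(); // client id -> failed attempts
  const sessions = new Set(); // tokens issued after a successful login
  return {
    login(client, guess) {
      const n = failures.get(client) || 0;
      if (n >= maxFailures) return { status: 429 }; // locked out
      // Both MACs are 32 bytes, so the comparison is constant-time.
      if (!crypto.timingSafeEqual(mac(guess), expected)) {
        failures.set(client, n + 1);
        return { status: 401 };
      }
      const token = crypto.randomBytes(16).toString('hex');
      sessions.add(token);
      return { status: 200, token };
    },
    fetch(token) {
      return sessions.has(token) ? 200 : 403;
    },
  };
}
```

In the first form the content is reachable by anyone who requests the path, whether or not they ever saw the box; in the second, a guessed word is not a usable address and repeated failures are counted and refused.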

