dougv.com « Doug Vanderweide » journalism

News Of The World Wasn’t ‘Hacking’ Voicemail, It Was Blagging

Doug Vanderweide — Fri, 08 Jul 2011 22:09:42 +0000

flickr /compujeramey

This is nitpicky, and I certainly don’t mean to take lightly the seriousness of the matter. But I do want to clarify that the News of the World wasn’t technically “hacking” voicemail in its scandal. It was engaged in social engineering.

For those of you who missed the headlines (and for the benefit of posterity): News of the World was (until July 10, 2011) a Sunday tabloid; like most British tabs, it’s best known for printing racy pictures of women and sleazy stories.

News of the World hired a private investigator to help it research stories. That contractor gained access to a number of voicemail accounts, including those of a murdered 13-year-old girl, several soldiers killed in the Middle East conflicts, and royal family members.

All the shoes involved here haven’t yet dropped, but as of this writing the scandal has closed the paper after 168 years of publication; threatens to bring down Prime Minister David Cameron; has led to several arrests and may well result in additional restrictions on Great Britain’s press. (Even overwhelmingly reasonable pundits, such as The Economist, are calling for a mucking out of British journalism’s stables.)

The entire affair is loathsome, no question about that, even for the British press, nefarious for its “chew people up and spit them out” appetite. It’s also caused other world press outlets to term what News of the World did “phone hacking,” needlessly worrying people who have taken reasonable steps to secure their voicemail that they, too, might be targeted.

So I want to clear things up. If you’ve changed your voicemail password (PIN), you almost certainly can’t be violated in the way News of the World violated its victims.

Hacking means “to alter a system to perform differently than intended.” Hacking isn’t necessarily a malicious act. In fact, it’s often a good thing. I am 100 percent in favor of hacking, provided the thing you are hacking is yours or you have permission to hack it.

Cracking means “to compromise the security of a system.” While there are legitimate reasons to crack, it’s never an appropriate thing to do with property that doesn’t belong to you.

(I realize this is only one interpretation of “hacker,” and that other definitions exist, which also encompass what I term separately as “cracking.” I reject definitions of hacking that assume malice or nefarious intent. Hackers don’t aim to cause harm to, or violate the rights of, others; crackers do. Period.)

Social engineering (also called “blagging”) is the act of exploiting human behavior to achieve an end, usually without the tacit understanding of the people targeted that they are being exploited.

That’s what News of the World was up to: Exploiting people who were ignorant of, or indifferent to, basic voicemail features and security.

As explained at this excellent article at sophos.com, a lot of people don’t change the default password for their voicemail. Additionally, most users don’t understand that the convenience of being able to access voicemail from a different phone is a security risk that should at least be managed, if not disabled. (Admittedly, a number of phone providers don’t give you the option to disable remote access to voicemail.)

Simply put, News of the World’s private investigator gambled that the victims of his snooping didn’t bother to change their voicemail passwords from default values, and didn’t disable (if they even could disable) remote voicemail access.

Again, I am not suggesting what News of the World did was OK. That people don’t protect themselves from being violated does not make it OK to violate them.

My point is that what News of the World did is not hacking; at no point did anything not perform as designed. It also isn’t cracking; at no point was any procedure undertaken to circumvent the built-in security of the voicemail systems in question. The victims’ misunderstandings and inaction were exploited. That’s social engineering.

All links in this post on delicious: http://www.delicious.com/dougvdotcom/news-of-the-world-wasnt-hacking-voicemail-it-was-blagging

The numbers inside parentheses are relevance scores. Scoring is based, in order of priority, on title, category, content and tags. The higher the score, the more likely that post relates to this post.

Tags: ethics, hacking, journalism, newspapers, privacy, social engineering

‘Behind Every Great Fortune Is A Great Crime’

Doug Vanderweide — Tue, 07 Dec 2010 04:27:56 +0000

Federal postal authorities with Vitaly Borker after they arrested him on Monday at his home in Brooklyn. Robert Stolarik for The New York Times

The headline to this post is via Chris Rock, who repeats that line during his “Never Scared” comedy special (link very NSFW!), speaking about the difference between being rich and being wealthy.

It means that significant, lasting wealth is often created by exploiting something new, or using some means to circumvent the kind of behavior most people would consider fair or reasonable. The patron of the exhaulted Kennedy clan made his fortune from bootlegging and insider trading before the 1929 stock market crash. Rockerfeller, Vanderbilt and Morgan were the great robber barons of the U.S. industrial revolution.

I mention this because Vitaly Borker, proprietor of decormyeyes, was arrested today on federal charges of “mail fraud, wire fraud, making interstate threats and cyberstalking.”

Borker, as you will remember from this blog, discovered some time ago that Google’s PageRank algorithm didn’t consider whether the mentioning of an online store was positive or negative. (Google claims this is no longer the case.) Therefore, Borker took a extremely combative approach to customer complaints, intentionally stoking animosity, so that his online store would appear in multiple online complaints, often at very reputable, PageRank-enhancing Web sites, such as Get Satisfaction.

It seemed to work well, and I admired the ingenuity behind it, if not the tactic itself. Seems now, however, that Borker will be a test case as to whether anti-service, and preying upon the gullible / lazy, is at an end. (I might also note that this is further proof that for all the caterwauling, good journalism isn’t dead; if anything, it’s more valuable than ever.)

All links in this post on delicious: http://www.delicious.com/dougvdotcom/behind-every-great-fortune-is-a-great-crime

Tags: ethics, Google, hacking, journalism, reputation, social engineering

A Completely Awesome 2600 Cover

Doug Vanderweide — Tue, 20 Jul 2010 04:27:05 +0000

Check out the cover on the Summer 2010 edition of 2600, The Hacker Quarterly:

Cover, Summer 2010 issue, 2600 magazine

I saw it at my local Barnes & Noble bookstore and had to buy it for its complete awesomeness. The one thing 2600 has, every issue, is cool cover art.

I don’t know the exact system to which these tape cartridges belong, but I remember seeing very similar ones back in the late 1980s at the University of Maine’s computer lab.

The labels are what make this cover so great:

The coordinates on the top cartridge’s white label mark the epicenter of the Jan. 12, 2010 earthquake in Haiti. The “KH-5″ label on the side refers, I assume, to a series of early 1960s mapping / spy satellites. There may be a more significant connection between the two labels that I don’t get.
I like the implicit message in the third tape’s label, that the Library of Congress is retaining tweets.
I love the fifth tape’s label: If only such a tape existed, it would eliminate quite a bit of annoying political sideshow. Then again, no; it probably wouldn’t.
The tapes from the seventh down are also quite amusing.

And taken in context with the “DESTROY” label on the box in the background, and the placement of the entire stack atop tabloid personals ads, really adds to the entire presentation.

I also like a recurring feature 2600 has of showing pictures and short descriptions of foreign payphones. While payphones — and, by implication, phreaking — are endangered tech, even in developing countries, phones play an important role in hacking’s history, culture and community. Besides, it’s interesting to see the technology of other places.

A pair of payphone images from the Summer 2010 issue of 2600 magazine.

Editorial Hubris

I have mixed feelings about 2600 in general.

The editorials can be juvenile and sophomoric.

For example, I remember a long-winded diatribe, some years ago, about a new loss-control policy that Barnes & Noble had imposed. Basically, the policy was, if copies were stolen or lost, that was too bad for 2600; B&N would only pay for those issues their computers said were sold.

Extensive column inches were expended lamenting that policy as patently unfair to 2600. Which it was. But, 2600 wrote, they had little choice but to comply, as they needed the newsstand sales.

Apparently, the hubris involved in that editorial hasn’t affected 2600′s relationship with B&N. But one has to wonder why 2600 would take that risk.

Then again, the Summer 2010 editorial is a reasonable, intelligent consideration of how hacking, and the subsequent political causes it has spawned, have influenced debate and reconsideration of copyright and similar issues in the digital age.

It overreaches at points, as editorials are wont to do. For example, it cites as cause for celebration Sweden’s Pirate Party gaining “over seven percent in recent (European Union) parliamentary elections.” That translates to two of Sweden’s 18 EU Parliament seats; the EU Parliament has 736 members, so those two seats represent 0.27 percent of that body.

But overall, it makes its point responsibly and convincingly.

I disagree with 2600′s practice of replying to letters. If 2600′s editors don’t consider a letter cogent, fair or correct, they shouldn’t print it. But it is abusing a bully pulpit to reply to letters, especially in a quarterly publication.

It’s also largely unnecessary, as most of the letters survive on their own merit nicely, and as a rule are some of the most interesting and entertaining content.

Cool Story, Bro

The articles tend to be pedestrian; anyone with a basic understanding of computers or networking should either know about the subjects covered, or at least be able to figure out the hacks based on a single-sentence presentation. For example, in the Summer 2010 issue, the following hacks were exposed:

Google Analytics can be exploited by adding the tracking code for a domain to a completely unrelated domain’s page. Additionally, one can turn off JavaScript to disable Analytics tracking. The former point is by design, generally known to the Web development community and described in the Analytics documentation. The latter point is common sense.
One can create a sock puppet Facebook account, use a Web-based campus directory to stock up on friends, then troll. Thanks for the tip.
You can set up a WiFi router as an open network, then route all requests to a scary Web page telling people they shouldn’t use open networks. Again, thanks for the tip.
You can print fake bar codes onto stickers, put those stickers onto products, then use a store’s self-checkout to steal. I’m sure the author would be willing to write your legal briefs for you when you’re sharing a jail cell.

And so on.

Epic Win

Then again, there are a few articles that are interesting:

One author tells the story about having a microphone implanted into his throat and Bluetooth-enabled speakers placed in his ears. That was interesting.
Another article explained that T-Mobile G3 service is wide-open for HTTPS connections, enabling prepaid / non-data-plan subscribers to have Web access for free (provided the sites they visit support SSL, of course). Because this is a quarterly, that hole has probably been closed, but I am sure it was fun while it lasted.
There’s a useful overview on setting up what the author calls a “darknet,” or as a less-1337 user would call it, a multi-service proxy server. It doesn’t get into details, but it does visit the realm of possibilities and point those who might be interested in the right direction.

That’s 2600 for you, and I think it’s more than fitting as an allegory for digital — heck, for what that’s worth, real — life. Some of it is crap. Some of it is great. Mostly, it’s just there.

For those reasons, 2600 is like cotton candy to me: Largely fluff; barely nutritious; but fun to enjoy once or twice a year, when the mood is right.

All links in this post on delicious: http://delicious.com/dougvdotcom/a-completely-awesome-2600-cover

No related posts.

Tags: Anonymous, book reviews, coding standards, copyright, hacking, journalism, leadership, marketing, newspapers, reputation

dougv.com « Doug Vanderweide » journalism

News Of The World Wasn’t ‘Hacking’ Voicemail, It Was Blagging

Related Posts

‘Behind Every Great Fortune Is A Great Crime’

Related Posts

A Completely Awesome 2600 Cover

Editorial Hubris

Cool Story, Bro

Epic Win

Related Posts