lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200401231458.24618.kspencer@ngrl.org>
Date: Fri, 23 Jan 2004 14:58:24 -0500
From: Kirk Spencer <kspencer@...l.org>
To: "BUGTRAQ@...URITYFOCUS. COM" <BUGTRAQ@...urityfocus.com>~Kevin DavisĀ³ <computerguy@....rr.com>
Subject: Re: Major hack attack on the U.S. Senate


Agreed this was not a "hack attack" as usually considered.  However, I would 
raise two points.  The first is simple - If someone starts reading files on a 
computer to which they are not supposed to have access, do we not consider 
this an attack?  Even if the reason they got in is configuration errors?

Second, there is a question of which side's position is easier to believe.  
You said: " Additionally the Republicans allegedly 'in the summer of 2002, 
their computer technician informed his Democratic counterpart of the glitch.'  
You cut off the next sentence which says:  " Other staffers, however, denied 
that the Democrats were told anything about it before November 2003."  The 
article does not state whether it was Democrat or Republican staffers.  

I'll ask a simple question which indicates why I think the latter is more 
probable:  Can you think of a sysadmin who wouldn't act when told that _all_ 
his clients' passwords were invalid because the permissions were misapplied?

I think that the word "hack" is wrong.  Otherwise, yes, I think the tenor of 
the article has validity.

Kirk Spencer

On Thursday 22 January 2004 10:29 pm, ~Kevin DavisĀ³ wrote:
> This was clearly not a "hack attack".  The title and opening content of
> this article is quite intentionally misleading.  The phrases
> "infiltration", "monitoring secret memos", "exploited computer glitch",
> "hack attack" are used.  If you read the entire article you will find out
> the following:
>
> First, "A technician hired by the new judiciary chairman, Patrick Leahy,
> Democrat of Vermont, apparently made a mistake that allowed anyone to
> access newly created accounts on a Judiciary Committee server shared by
> both parties -- even though the accounts were supposed to restrict access
> only to those with the right password."
>
> Which means the Democrats screwed up setting up their own share point and
> allowed public access to it.  There was no "computer glitch" which was
> "exploited".  This was completely a human screw-up.  And there was no
> hacking ("exploitation of a computer glitch") done by the Republicans.
> Unless you wish to call clicking on a share point configured with public
> access and opening it up "hacking".
>
> Additionally the Republicans allegedly "in the summer of 2002, their
> computer technician informed his Democratic counterpart of the glitch".
>
> The Republicans knew that the share was supposed to be protected (why else
> would they inform the Democrats of the misconfiguration?) so they certainly
> did something wrong despite (supposedly) warning the Democrats of the
> problem, but not to the extent that the article - in the way that it was
> written - would like you to believe.
(snip)


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ