Message-ID: <200401231458.24618.kspencer@ngrl.org>
Date: Fri, 23 Jan 2004 14:58:24 -0500
From: Kirk Spencer <kspencer@...l.org>
To: "BUGTRAQ@...URITYFOCUS. COM" <BUGTRAQ@...urityfocus.com>, ~Kevin Davis³ <computerguy@....rr.com>
Subject: Re: Major hack attack on the U.S. Senate

Agreed this was not a "hack attack" as usually considered. However, I would
raise two points. The first is simple - If someone starts reading files on a
computer to which they are not supposed to have access, do we not consider
this an attack? Even if the reason they got in is configuration errors?

Second, there is a question of which side's position is easier to believe.
You said: "Additionally the Republicans allegedly 'in the summer of 2002,
their computer technician informed his Democratic counterpart of the glitch.'"
You cut off the next sentence which says: "Other staffers, however, denied
that the Democrats were told anything about it before November 2003." The
article does not state whether it was Democrat or Republican staffers.

I'll ask a simple question which indicates why I think the latter is more
probable: Can you think of a sysadmin who wouldn't act when told that _all_
his clients' passwords were invalid because the permissions were misapplied?

I think that the word "hack" is wrong. Otherwise, yes, I think the tenor of
the article has validity.

Kirk Spencer

On Thursday 22 January 2004 10:29 pm, ~Kevin Davis³ wrote:
> This was clearly not a "hack attack". The title and opening content of
> this article is quite intentionally misleading. The phrases
> "infiltration", "monitoring secret memos", "exploited computer glitch",
> "hack attack" are used. If you read the entire article you will find out
> the following:
>
> First, "A technician hired by the new judiciary chairman, Patrick Leahy,
> Democrat of Vermont, apparently made a mistake that allowed anyone to
> access newly created accounts on a Judiciary Committee server shared by
> both parties -- even though the accounts were supposed to restrict access
> only to those with the right password."
>
> Which means the Democrats screwed up setting up their own share point and
> allowed public access to it. There was no "computer glitch" which was
> "exploited". This was completely a human screw-up. And there was no
> hacking ("exploitation of a computer glitch") done by the Republicans.
> Unless you wish to call clicking on a share point configured with public
> access and opening it up "hacking".
>
> Additionally the Republicans allegedly "in the summer of 2002, their
> computer technician informed his Democratic counterpart of the glitch".
>
> The Republicans knew that the share was supposed to be protected (why else
> would they inform the Democrats of the misconfiguration?) so they certainly
> did something wrong despite (supposedly) warning the Democrats of the
> problem, but not to the extent that the article - in the way that it was
> written - would like you to believe.
(snip)