If you can read this, either the style sheet didn't load or you have an older browser that doesn't support style sheets. Try clearing your browser cache and refreshing the page.

(C|Net)   Convicted hacker allowed into IT class in prison, and teaches prison a lesson or two of his own   (news.cnet.com) divider line 13
    More: Dumbass, prisons, Prison Service, unfair dismissal, Nicholas Webber  
•       •       •

10064 clicks; posted to Geek » on 04 Mar 2013 at 9:03 AM (1 year ago)   |  Favorite    |   share:  Share on Twitter share via Email Share on Facebook   more»



Voting Results (Smartest)
View Voting Results: Smartest and Funniest


Archived thread
2013-03-05 10:46:59 AM
1 votes:

MyKingdomForYourHorse: You would think with the coming cyber war as nation states engage in active cyber theft and crimes we could tap a resource of talented people who could assist us in this war.

...but nope, we'd rather send them to jail




That is like suggesting we use a convicted mass shooter or serial killer as a soldier or guard, since they know how all about killing.

Problem is we don't just need a hacker. We need people who understand cyber security and are willing to hack systems within our guidelines. If an untrustworthy crook took government equipment and skills gained under our watch to carry out personal business ....that would be bad.

They don't need to be talented so much as they need to accept living on a leash.
2013-03-04 08:32:18 PM
1 votes:

serial_crusher: Happy Hours: justtray: My favorite line from the newest 007 movie is "security through obscurity." My home wireless network isn't secured, it simply doesn't broadcast a signal. I'm sure a software engineer could easily create a program to scan for non-broadcast signals, but how would they know where to look? That way, all I have to do is tell people the name of my network, which I call something like, "User Error," or "404 Gateway" for confusion purposes.

I like the idea of error messages as SSIDs, and I never thought of that, but the only reason I can think of to broadcast an SSID is for the lulz or to make very subtle snarky comments towards your neighbors. For a brief period I used, "ShutYourYappyDogUp" and "FBISurveillanceVan#2" (yeah, real original). If you know the SSID, I'm ot even sure broadcasting it makes it easier for those devices you want on your network. Am I missing something?

Another hint. 'Remember my password' questions are some of the most unsecure things possible. It is relatively easy for someone to gain access to your mother's maiden name (especially if it's YOUR middle name), the street you used to live on, the car you drive, your work's name, or even your pet's name. Instead of using a password that can be easily compromised, come up with the equivilent of a safe word. Something that you always remember to try or can be triggered tangently based on the question. Basic example - "Insecurity," can be your codeword because you remember when you personally setup your questions, you know how insecure they are. For bonus points make it include numbers for letters to break up any random word attack.

I'll give the hackers another clue. I ALWAYS lie in response to those questions. It sometimes makes life difficult for me especially if I make them up when I've been drinking. "What's your pet's name?" "Snoopy" (of course - I'm so clever, I'm sure I'll remember that later). What street did you live on when you were born? "1313 Mockingbird Lane" (of co ...


What about needing to speak to a male or female based on a preconcieved sexual name orientation.

Yes, *cough*, I mean YES!
2013-03-04 01:15:35 PM
1 votes:

ongbok: serial_crusher: To be fair though, the "hide your SSID" trick will keep the laziest of freeloaders at bay.

CSB time: When one of my neighbors posted on the neighborhood facebook page that they'd seen a suspicious guy wardriving the neighborhood, I got all worked up and started thinking of ways to mess with him.  Then in a moment of clarity I looked at the SSIDs in my immediate vicinity and saw "linksys".  Went ahead, connected to that, opened http://192.168.1.1 with password "admin" and took the liberty of securing things for them.
Assholes posted on the facebook page whining about having been "hacked" once the Geek Squad came in and fixed things for them.  You're welcome, ungrateful bastards.

If you secured their wireless without their knowledge, how did they know the key?


Hence why they called the Geek Squad :p
I went ahead and left the default password on the admin page so they could connect via ethernet and take care of it.  Not sure if the "geek" bothered or just held down the "reset" button and then changed things from there.  All I know is there's no longer any routers reporting "linksys" or "ConfigureYourshiat" in my neighborhood anymore.  No suspicious wardrivers reported lately either.
2013-03-04 12:39:26 PM
1 votes:
Speaking of security theater... you guys ever watch Stargate and wonder why an alien race so technologically advanced that they could build an intergalactic network of stargates, would protect their valuable secrets and experimental weapons with mere riddles?  I mean, the DHDs have enough computing power to calculate planetary drift in real time, but to get into Merlin's secret layer you just have to pour some water on the right tile in his workshop floor?  Really?  You'd think he would have put some encryption on that.
2013-03-04 11:54:49 AM
1 votes:

justtray: My favorite line from the newest 007 movie is "security through obscurity." My home wireless network isn't secured, it simply doesn't broadcast a signal. I'm sure a software engineer could easily create a program to scan for non-broadcast signals, but how would they know where to look? That way, all I have to do is tell people the name of my network, which I call something like, "User Error," or "404 Gateway" for confusion purposes.


I LOLed when I learned how the algorithm for computers to find and connect to their preferred wifi networks worked.  Basically your computer just says, "hi I'm a computer and I'm looking to connect to one of the following access points: ".  Any access point can respond with "oh, I'm linksys!" and if there's no encryption your computer will believe it.  There's even a product on the market that automates that whole process for less than $100.

But yeah, your router is totally secure by just not broadcasting the SSID.  Just make sure you don't set your computers to automatically connect to it.

/For bonus security, you should set up MAC address screening...
2013-03-04 11:47:00 AM
1 votes:

justtray: My favorite line from the newest 007 movie is "security through obscurity." My home wireless network isn't secured, it simply doesn't broadcast a signal. I'm sure a software engineer could easily create a program to scan for non-broadcast signals, but how would they know where to look? That way, all I have to do is tell people the name of my network, which I call something like, "User Error," or "404 Gateway" for confusion purposes.


Sorry to keep harping on you but one last thing you should know so you don't ever accidentally sound foolish talking to someone who knows about security (technological or otherwise):
The phrase "security by obscurity" that you remember from the Bond movie is actually a phrase commonly used in the tech industry but is not seen as a good thing, as you seem to have interpreted it.  In reality, when security professionals mention "security through obscurity" it's almost always to point out a weakness rather than a strength.  The phrase is a joke - a way to mock a badly designed system.  Think about it, basically you are saying "my item is secure as long as no one ever looks at it."  I.e., "I have a pile of gold hidden under my bed and it is safe as long as no one ever knows its there."

So again, I don't mean to attack you and my goal isn't to make you feel bad.  I just wanted to give you a heads up that you are using that phrase wrong in case you ever try to use it as a pickup line at a party or something on a cute engineer girl.

/your techie wing-man
2013-03-04 11:31:18 AM
1 votes:

justtray: The passwords are so complex, people usually have to write them down and leave them nearby for when company comes over and wants to use them, defeating the entire purpose of the password being complex. And to protect against what exactly? The infinitely small chance someone is going to gain access to your home internet to do anything other than look at pics of lolcats?


imgs.xkcd.com

I'd like to enforce pass-phrases via GPO, but Windows has a 14-char max for length enforcement.

.... Guess it's kinda silly, either way.
2013-03-04 11:30:31 AM
1 votes:

justtray: My favorite line from the newest 007 movie is "security through obscurity." My home wireless network isn't secured, it simply doesn't broadcast a signal. I'm sure a software engineer could easily create a program to scan for non-broadcast signals, but how would they know where to look? That way, all I have to do is tell people the name of my network, which I call something like, "User Error," or "404 Gateway" for confusion purposes.


FYI- you aren't as clever as you think. 'Security through obscurity' is certaintly a thing that exists in the tech world, but what you are doing is no where even close to 'obsecurity'.

'Doesn't broadcast a signal' (aka not broadcasting SSID) may stop your mom from connecting without you showing her how, but it definitely wouldn't take "a software engineer to create a program to scan for non-broadcast'.  Nearly every computer and smartphone is capable for scanning for non broadcasting networks.  Heck, you can download an iPhone ap that does that.  It is literally a matter of just changing a setting on your windows network manager to show non-broadcasting SSIDs in the list of available wifi networks (just like you can filter it to only show secured WEP connections or only WPA connections).  Consider it the equivalent of taking the "Toyata" decal off the side of your car.  It doesn't make your car disappear, nor does it make it harder for a thief to steal your car if your doors are unlocked.

Let me refer you to this post that explains why so many people seem to believe the same myth that you do.  SSID is simply a NAME for your network.  link:  Removing the name doesn't 'hide your network'.
2013-03-04 11:26:09 AM
1 votes:
You would think with the coming cyber war as nation states engage in active cyber theft and crimes we could tap a resource of talented people who could assist us in this war.

...but nope, we'd rather send them to jail
zez
2013-03-04 11:01:50 AM
1 votes:
asset0.cbsistatic.com

I thought the picture of the writer was of the prisoner because of the orange shirt.
2013-03-04 10:02:46 AM
1 votes:

haws83: Could they define "hacked"?  Did he just gain access to unauthorized systems or did he do some damage of some kind?  Stupid article.


Very good question.

Is guessing weak passwords considered "hacking"?

I only watched a few minutes of War Games when it was on TV yesterday. Some of it reflected reality. In the '80s, people really did call every number in an area code trying to find a modem that would answer. That part was true.

There were also ways around paying for phone calls. That part was true too, especially since long distance phone calls were expensive back then.

Broderick mentioned they changed the password on his school's computer system every few weeks I'm not sure if that was true, but I doubt it.

CSB

I haven't changed my Fark password since I joined and even though I've been told it's reasonably "strong"*** it's actually quite simple and I would think easy to guess.

I'm not saying it's 12345, but it might be 12346,

/I actually expect a few dozen people who read this will now start trying to "hack" my password by guessing 12346, 12347, 12348, 12349.....ad nauseum. If you were Matthew Broderick's character you'd write a program to do it for you.. AFAIK, there is no lockout on Fark for getting the password wrong more than 3 times in a row, nor is there a timeout preventing you from guessing as many passwords as you can as fast as you can.

I actually hope I'm wrong about that, but I doubt it.

I'll give you "hackers" a hint. It's not the same password I use on my luggage.

Have fun!

Oh, and his school's password was "pencil" - a password easily guessed with a dictionary attack. It wasn't even "p3nc!l", just plain old "pencil".

But it didn't really matter how "strong" the password was since he knew where they wrote it down - probably on a post-it note attached to the school superintendent's monitor.

And THAT is the exact same weakness many systems suffer from today. Find the Post-it, gain root access, ?????,. Profit!!!!

*** I don't think Fark told me it's a "strong password", but I fail at security because it's the same password I use on another site.and they said so.

I look at it this way. If you "hack" my Fark password, you might make me look smarter than I actually am - or you might make me look dumber (if that's possible) or you might get me banned. Depending on which you did, I might be pleased or slightly annoyed. I'd get over it.

The other site I share my Fark password with? The consequences are even less - I don't even know why they require a password. The user names are different though.

Again, have fun!
2013-03-04 09:52:20 AM
1 votes:

haws83: Could they define "hacked"?  Did he just gain access to unauthorized systems or did he do some damage of some kind?  Stupid article.


This.

Also, I highly doubt that a prison would need a mainframe computer, much less an isolated IT class network.  At the very worst, they might have had an old AS/400 on there, but definitely not a z-series.
2013-03-04 09:35:03 AM
1 votes:
showwatcher.com

"Get busy living or get busy nmap --open 192.168.1.1....and that's goddamn right."
 
Displayed 13 of 13 comments

View Voting Results: Smartest and Funniest


This thread is archived, and closed to new comments.

Continue Farking
Submit a Link »






Report