Bruce Schneier

 
 

Schneier on Security

A blog covering security and security technology.


December 27, 2006

The Problem with "Hiring Hackers"

The Communications Director for Montana's Congressman Denny Rehberg solicited "hackers" to break into the computer system at Texas Christian University and change his grades (so they would look better when he eventually ran for office, I presume). The hackers posted the email exchange instead. Very funny:

First, let's be clear. You are soliciting me to break the law and hack into a computer across state lines. That is a federal offense and multiple felonies. Obviously I can't trust anyone and everyone that mails such a request, you might be an FBI agent, right?

So, I need three things to make this happen:

1. A picture of a squirrel or pigeon on your campus. One close-up, one with background that shows buildings, a sign, or something to indicate you are standing on the campus.

2. The information I mentioned so I can find the records once I get into the database.

3. Some idea of what I get for all my trouble.

Posted on December 27, 2006 at 1:40 PM • 30 Comments

Comments

gfujimori • December 27, 2006 2:05 PM

Jericho has always had a sense of humor.


Full Disk Encryption • December 27, 2006 2:15 PM

Hiring a hacker is like hiring a stabber to perform surgery -- just because both the surgeon and the stabber know how to use a knife and cut open flesh....


John • December 27, 2006 2:17 PM

Thanks for the grins.


Jemaleddin • December 27, 2006 2:37 PM

Seriously, they got him to send pictures of squirrels? Delightful. Rot-26? Beautiful. It's almost too bad it had to end.


Roy • December 27, 2006 2:39 PM

Running with the pigeon joke was a stroke of genius.


Scarybug • December 27, 2006 2:39 PM

rot-26 encryption is the best idea ever!


Evan Wired • December 27, 2006 2:40 PM

Actually, I believe the Communications Director wanted them to change his own grades, not the grades of the Congressman.


Josh O • December 27, 2006 2:42 PM

I think the guy was trying to get his own grades changed, not the grades of the congressman he worked for. After reading the emails though, I'm not surprised the grades were bad.


MarkW • December 27, 2006 2:45 PM

A reference to RFC1149 and a "rot-26" joke - classic.


Baz • December 27, 2006 2:48 PM

--- BEGIN PSP SIGNED MESSAGE ---
"and change the Congressman's grades"

Small correction: the story said Shriber was trying to get his own grades changed, not Rehberg's?

--- BEGIN PSP SIGNATURE ---
Today's Photographed Squirrel/Pigeon is "Tuftie"
--- END PSP SIGNATURE ---


Timmy303 • December 27, 2006 3:23 PM

That had me in stitches. Jericho is a genius.


Lyger • December 27, 2006 3:34 PM

@ Bruce, Evan, Josh, et al:

The request in question was indeed for the change of the aide's own grades, not for Congressman Rehberg. Until the story broke on networkworld.com, we had no idea of (nor interest in) the aide's profession.


Tremaine • December 27, 2006 3:46 PM

Dear god, the only thing that was lacking was a reference to rfc3203!

http://www.idaemon.ca/rfc3203/

That was just brilliant!


Ralph • December 27, 2006 3:49 PM

And so life imitates art.

There are many lessons in here; I feel that trusting "hackers" might be the least of them.


Rot • December 27, 2006 4:35 PM

ROT-26 has been used by a wide variety of hackers and cryptologists at some point in their lives. Despite this, we have evidence that it's insecure, and we have a pretty power-point presentation (available for the low price of only 1,000 Zimbabwe Dollars) with all kinds of language on it that you won't psudostafle, so you won't deppinjack the cryptowapple.

Use our (TM) ROT-546(TM) in its place! It's been calculated to be 21x as secure as ROT-26, and it is a proven communications method!

Visit www.doghouse.IReallyHopeThisDoesNotExist for a pricing guide, and further details!


Anonymous Coward • December 27, 2006 4:35 PM

This guy was lucky. He could have found some idiot who would have performed the crime instead of taking it as an opportunity for a prank.


Bluezoo7 • December 27, 2006 5:00 PM

I'll bet this sucker thought hackers were just geeky useful idiots before this happened...


Nathan • December 27, 2006 5:19 PM

This nicely illustrates the definition of hacker: given the opportunity to A) break into a school's database to change grades and B) engage in social engineering to see how far this guy would take things, the hacker opted for the latter, more interesting option.

I think we can remove the scare-quotes from "hacker" because clearly lyger is the genuine, inquisitive/creative type.


Tammy Coxen • December 27, 2006 5:26 PM

That was hysterical. Especially the pigeons.


ComCortexUnix • December 27, 2006 5:44 PM

Only Darkside Haxors will be willing to exploit government services for profit. But they don't want to look like tools as well, so they end up getting themselves in an ego/financial pickle, don't they.


j • December 27, 2006 5:44 PM

The pigeon idea reminded me of the guys who get off trying to sucker the 419 spammers. There are web sites with pages and pages of photos that 419 spammers sent of themselves holding strange objects or ridiculous signs - this business with the squirrels is a direct descendant. Hah!

/j


B-Con • December 28, 2006 4:16 AM

I moderate one of the more search-engine friendly "hacker" forums out there, and I get at least one or two private requests per month for hacking services. I've wondered before just how many people like this I may have turned down.


bob • December 28, 2006 7:11 AM

SCORE:

Hackers: 1

Criminal-minded politico seed: 0

Number of similar criminal-minded politico seeds to be thwarted: 7,865,322; +3 more per second because politics is the best way to get money and power without adding any value to society.

It's like going out into a junkyard and killing mice one at a time with a club. They reproduce faster than you can attrit them.


Rich • December 28, 2006 10:22 AM

What I find interesting is that the guy claims to have spent time looking around attrition.org and didn't pick up the shade of the hats. Ok, maybe they're not always gleaming white- but IMO they're not black enough to pull a stunt like that either.

Also shows how much of our 'education' comes from Hollywood.


Richard • December 29, 2006 8:51 AM

Maybe in the near future, there would be a new career with service catalog and pricing for what kind of information "hacking" and for what sites. A site with a higher price means higher security protection.... :)


Anon • December 31, 2006 9:15 AM

Richard: you already find such catalogs on IRC


David • December 31, 2006 9:18 AM

ROT-26? I use that encryption scheme every day. Very easy to use. Not the strongest of encryptions, for sure, but I never forget the passphrase. However, I hear Vista uses this too. I hope Microsoft hasn't filed for a patent...


Roberto Galoppini • January 2, 2007 6:45 AM

I would love influencers like you to try to not misuse the word hacker; it would be of great help.


Mike • January 2, 2007 8:45 AM

He asked the guys on Attrition? Jesus, he deserves everything he gets. A simple search of the site shows they have been doing this stuff for YEARS.

This is like some kind of Darwin award...


Steve • January 2, 2007 9:57 AM

@Roberto:

They are hackers - in this case they hacked the procedure for hiring computer criminals in order to ridicule the hirer :-)



Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.
