Schneier on Security
A blog covering security and security technology.
« Tracking Automobiles Through their Tires |
| How to Negate the Security of an Access Token »
December 27, 2006
The Problem with "Hiring Hackers"
The Communications Director for Montana's Congressman Denny Rehberg solicited "hackers" to break into the computer system at Texas Christian University and change his grades (so they would look better when he eventually ran for office, I presume). The hackers posted the email exchange instead. Very funny:
First, let's be clear. You are soliciting me to break the law and hack into a computer across state lines. That is a federal offense and multiple felonies. Obviously I can't trust anyone and everyone that mails such a request, you might be an FBI agent, right?
So, I need three things to make this happen:
1. A picture of a squirrel or pigeon on your campus. One close-up, one with background that shows buildings, a sign, or something to indicate you are standing on the campus.
2. The information I mentioned so I can find the records once I get into the database.
3. Some idea of what I get for all my trouble.
Posted on December 27, 2006 at 1:40 PM
• 30 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Jericho has always had a sense of humor.
Hiring a hacker is like hiring a stabber to perform surgery -- just because both the surgeon and the stabber knows how to use a knife and cut open flesh....
Seriously, they got him to send pictures of squirrels? Delightful. Rot-26? Beautiful. It's almost too bad it had to end.
Running with the pigeon joke was a stroke of genius.
rot-26 encryption is the best idea ever!
Actually, I believe the Communications Director wanted them to change his own grades, not the grades of the Congressman.
I think the guy was trying to get his own grades changed, not the grades of the congressman he worked for. After reading the emails though, I'm not surprised the grades were bad.
A reference to RFC1149 and a "rot-26" joke - classic.
--- BEGIN PSP SIGNED MESSAGE ---
"and change the Congressman's grades"
Small correction: the story said Shriber was trying to get his own grades changed, not Rehberg's?
--- BEGIN PSP SIGNATURE ---
Today's Photographed Squirrel/Pigeon is "Tuftie"
--- END PSP SIGNATURE ---
That had me in stitches. Jericho is a genius.
@ Bruce, Evan, Josh, et al:
The request in question was indeed for the change of the aide's own grades, not for Congressman Rehberg. Until the story broke on networkworld.com, we had no idea of (nor interest in) the aide's profession.
And so life imitates art.
There are many lessons in here; I feel that trusting "hackers" might be the least of them.
ROT-26 has been used be a wide variety by hackers and crypotologists at some point in their lives. Despite this, we have evidence that it's insecure, and we have a pretty power-point presentation (available for the low price of only 1,000 Zimbabwe Dollars) with all kinds of language on it that you won't psudostafle, so you won't deppinjack the cryptowapple.
Use our (TM) ROT-546(TM) in its place! It's been calculated to be 21x as secure as ROT-26, and it is a proven communications method!
Visit www.doghouse.IReallyHopeThisDoesNotExist for a pricing guide, and further details!
This guy was lucky. He could have found some idiot who would have performed the crime instead of taking it as an opportunity for a prank.
I'll bet this sucker thought hackers were just geeky useful idiots before this happened...
This nicely illustrates the definition of hacker: given the opportunity to A) break into a school's database to change grades and B) engage in social engineering to see how far this guy would take things, the hacker opted for the latter, more interesting option.
I think we can remove the scare-quotes from "hacker" because clearly lyger is the geniune, inquisitive/creative type.
That was hysterical. Especially the pigeons.
Only Darkside Haxors will be willing to exploit government services for profit. But they dont want to look like tools aswell, so they end up getting themselves in an ego/financial pickle dont they.
The pigeon idea reminded me of the guys who get off trying to sucker the 419 spammers. There are web sites with pages and pages of photos that 419 spammers sent of themselves holding strange objects or ridiculous signs - this business with the squirrels is a direct descendent. Hah!
I moderate one of the more search-engine friendly "hacker" forums out there, and I get at least one or two private requests per month for hacking services. I've wondered before just how many people like this I may have turned down.
Criminal-minded politico seed:0
Number of similar criminal-minded politico seeds to be thwarted: 7,865,322; +3 more per second because politics is the best way to get money and power without adding any value to society.
Its like going out into a junkyard and killing mice one at a time with a club. They reproduce faster than you can attrit them.
What I find interesting is that the guy claims to have spent time looking around attrition.org and didn't pick up the shade of the hats. Ok, maybe they're not always gleaming white- but IMO they're not black enough to pull a stunt like that either.
Also shows how much of our 'education' comes from Hollywood.
Maybe in the near future, there would be a new career with service catalog and pricing for what kind of information "hacking" and for what sites. A sites with higher price means higher security protection.... :)
Richard : you already find such catalogs on IRC
ROT-26? I use that encryption scheme every day. Very easy to use. Not the strongest of encryptions, for sure, but I never forget the passphrase. However, I hear Vista uses this too. I hope Microsoft hasn't filed for a patent...
I would love influencers like you try to not misuse the word hacker, it would be of great help.
He asked the guys on Attrition? Jesus, he deserves everything he gets. A simple search of the site show they have been doing this stuff for YEARS.
This is like some kind of Darwin award...
They are hackers - in this case they hacked the procedure for hiring computer criminals in order to ridicule the hirer :-)
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.