Hacking the Governator

Posted by kdawson
from the call-that-a-hack? dept.
mytrip writes, "The Democratic rival to California Gov. Arnold Schwarzenegger acknowledged that his aides were responsible for obtaining a controversial audio file, in which the Governator was heard disparaging members of other races, in a move that has led to allegations of Web site hacking. A source close to Angelides told CNET News.com that it was possible to 'chop' off the Web links and visit the higher-level 'http://speeches.gov.ca.gov/dir/' directory, which had the controversial audio recording publicly viewable. No password was needed, the source said." And jchernia notes, "As an aside, the California Highway Patrol is running the investigation — maybe the Internet is a truck after all."

  • Moo (Score:3, Insightful)

    by Chacham (981) * on Tuesday September 12, 2006 @10:41PM (#16093670) Homepage Journal
    So calling someone passionate, but mentioning a way to denote them as a group, is a bad thing?

    Am I missing something here?

    • Re: (Score:3, Informative)

      by Darth Liberus (874275)
      No, that's the way normal human beings interact. Only people who have never really spent much time in a diverse, multiethnic environment get offended by such things... the rest of us tease each other constantly and have a grand old time.
      • No, that's the way normal human beings interact. Only people who have never really spent much time in a diverse, multiethnic environment get offended by such things... the rest of us tease each other constantly and have a grand old time.

        Been in 'multiethnic' environments all my life too.

        Personally, I don't enjoy the stereotype.

        These stereotypes are 'cute' if you only run into them once in a while. But what happens when you're trying to communicate at your job or to a customer and the person is intimid

  • by Anonymous Coward on Tuesday September 12, 2006 @10:41PM (#16093677)
    then my grandma is a copyright violator. Oh, wait ...
  • by Anonymous Coward on Tuesday September 12, 2006 @10:41PM (#16093680)
    Chopping off URLs.... oh my, these h4x0rz are scary as shit! Hide your megabytes, kids!
    • Chopping off URLs.... oh my, these h4x0rz are scary as shit!

      Why do you think they've got the CHP involved? Someone obviously stole Governor Schwarzenegger's internets and took it to an internet chop-shop, where it's dismantled and sold for parts.
    • You'd be surprised (Score:5, Interesting)

      by Moraelin (679338) on Wednesday September 13, 2006 @03:34AM (#16094677) Journal
      I've seen big corporation programming consultants for which changing a URL was an unheard of concept, so I'm less surprised that a layperson considers it elite hacking.

      Seriously. Being as generic as I can for NDA reasons, let's just say that the corporation I work for paid good bucks to a BIG corporation's consultants to write a web application for them. Well, not even the whole app, but think more or less just the part where you register and set your data and preferences, with a bit of a hierarchy thrown in. (Some users could be, basically, managing others and giving or revoking rights to them.)

      The thing ended up years overdue, and needing a whole server farm just to support a modest number of users. (The joys of clueless Buzzword Driven Architecture at its finest, really.) They had to be started and shut down in a given sequence too, as the modules on one machine depended on those on a second, which depended on those on a third, and so on. As a result, shutting down and restarting the whole system (e.g., for maintenance) took almost a whole day. But that's not the important part. The important part was the endless security issues, such as:

      1. yes, failure to account for URL editing. Rights were checked when generating the URLs on a page (e.g., which products, messages, whatever, you can click on), but not when actually accessing the linked page. So you could literally access any data in the database by just typing in its ID in one of those URLs.

      2. rights escalation. Did I mention editing URLs? The same went for the "change your password" page. You could just type in another user's id, change their password, and log in as that user. The "super-user" had id 0. 'Nuff said.

      3. wide open to cross-site scripting exploits. They hadn't figured out how to quote strings when displaying them on a web page. (Then when they "fixed" that, it encoded them twice and displayed them broken. So they disabled the fix again and tried to downplay the risks of anyone injecting JavaScript.)

      4. had obviously never heard of non-repudiation. (Security isn't just about who you let in, but also making reasonably sure who signed that contract or generally did what.) While in the old system a deleted user was just, basically, flagged as disabled, their clever system just deleted the user and his data. And because of foreign key constraints, it cascaded through the tables and erased any data connected to that user. Messages they posted or sent, contracts they signed, everything. Users could delete themselves too. (If anyone has trouble understanding why this is dangerous, think what you could do if your bank had something like that. Take a big loan, move the money somewhere else, delete your user.)

      And so on, and so forth.

      So, well, if "experts" hadn't heard of such elementary stuff, I can't be that surprised that the governor or a couple of journalists consider them advanced hacking.
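
Moraelin's first two items, as an added Python illustration that is not code from the thread or from the consultants' application described above: the rights rule is applied while the menu's links are rendered but not when the linked record or password page is requested, shown beside handlers that re-apply the rule on each request. All user ids, record ids and data are invented.

```python
# Added illustration (not code from the thread, nor from the application
# Moraelin describes): rights enforced only while rendering links versus
# rights enforced on every request. All ids and data are made up.

# Constructed sample state: three users, two records, one password table.
SUPERUSER_ID = 0
USERS = {0: "superuser", 7: "alice", 9: "bob"}
RECORDS = {
    101: {"owner": 7, "body": "alice's signed contract"},
    102: {"owner": 9, "body": "bob's signed contract"},
}
PASSWORDS = {0: "root-secret", 7: "alice-pw", 9: "bob-pw"}


def can_access(actor_id, record_id):
    """Object-level rule: the owner or the superuser may read a record."""
    rec = RECORDS.get(record_id)
    return rec is not None and (actor_id == SUPERUSER_ID or rec["owner"] == actor_id)


def links_for(actor_id):
    """The menu page: rights decide which links get printed (item 1, first half)."""
    return ["/record?id=%d" % rid for rid in RECORDS if can_access(actor_id, rid)]


def view_record_insecure(actor_id, record_id):
    """Item 1 as described: trusts that the id came from an allowed link,
    so any id typed into the URL is served."""
    return RECORDS[record_id]["body"]


def view_record_secure(actor_id, record_id):
    """Same handler with the rule re-applied to the request itself."""
    if not can_access(actor_id, record_id):
        raise PermissionError("record %s: actor %d not authorised" % (record_id, actor_id))
    return RECORDS[record_id]["body"]


def change_password_insecure(session_user_id, url_user_id, new_pw, table):
    """Item 2 as described: the target user is taken from the URL unchecked,
    so any caller can reset id 0. Returns an updated copy of the table."""
    updated = dict(table)
    updated[url_user_id] = new_pw
    return updated


def change_password_secure(session_user_id, url_user_id, new_pw, table):
    """The target must be the logged-in user; the URL value cannot pick someone else."""
    if url_user_id != session_user_id:
        raise PermissionError("may only change own password")
    updated = dict(table)
    updated[url_user_id] = new_pw
    return updated


def is_refused(handler, *args):
    """Helper: True when a hardened handler rejects the request."""
    try:
        handler(*args)
    except PermissionError:
        return True
    return False
```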
  • by kherr (602366) on Tuesday September 12, 2006 @10:42PM (#16093692) Homepage
    Gee, content freely accessible via URLs on the WWW? What a novel concept.

    This is simply a matter of deep linking. Just because there's no page with a link to a URL doesn't magically make the accessible URL off-limits. Security through obscurity isn't. If the governator didn't want people to get it they shouldn't have posted it on their web site. Or at least put some form of authentication on it.
    • by garcia (6573)
      Security through obscurity isn't.

      You are even making it seem more exciting than this was. It wasn't security by anything. It was a public webserver without *any* standard protections enabled.

      I wonder how soon there will be a draft of a bill to make any "unwanted intrusions" into a webserver illegal in CA.
    • Security from a technical perspective may be different from security from a legal perspective.

      Analogies are usually less apt than the author claims them to be, but I'll use one anyway: Saying that security through obscurity doesn't offer legal protection against intrusions is like saying that if I hide my house key under the door mat, then anyone is implicitly welcome to use it to come into my house (perhaps even to take my stuff, depending on how far you extend the analogy).

      Is it the same (at least, for l
      • by TWX (665546) on Tuesday September 12, 2006 @11:27PM (#16093899)
        I'd counter with the RFC for HTTP. The protocol is designed to provide content located in a designated directory structure on the file system. Anything located in that file structure that isn't specifically covered with a password is supposed to be available to any browser. And as for someone saying that it wasn't provided in an index or referrer page, I'd compare it to large college textbooks or anthologies that don't have every single entry itemized in a table of contents or index, and how published content (which I believe the Web has been acknowledged as) would compare.

        Fact of the matter is that this audio clip was put in a place that was easily found and was obviously placed there intentionally. If it wasn't there intentionally, the webmaster is responsible through negligence, not the opponent's campaign.

        Oh, there's also the little matter of it being posted on the government's web site, which is supposed to belong to every resident of California...
      • by mcmonkey (96054)

        Analogies are usually less apt than the author claims them to be, but I'll use one anyway: Saying that security through obscurity doesn't offer legal protection against intrusions is like saying that if I hide my house key under the door mat, then anyone is implicitly welcome to use it to come into my house (perhaps even to take my stuff, depending on how far you extend the analogy).

        I think your analogy is apt in general, except in this case it wasn't a key under a door mat. Files on an open, non-passwor

      • by cgenman (325138)
        I'd guess you're thinking of unprotected wireless networks, which is a separate issue.

        A webserver isn't your desktop computer. A webserver is a specific computer whose use is to give files to people who ask for them. If you put files on the webserver, you're making them public.

        Someone noticed that there was a speeches directory, asked the webserver what was in it. The webserver cheerfully replied. The person asked "oh, that file looks good. Can I look at that?" The webserver cheerfully said "sure" and
      • by 1u3hr (530656)
        Saying that security through obscurity doesn't offer legal protection against intrusions is like saying that if I hide my house key under the door mat, then anyone is implicitly welcome to use it to come into my house (perhaps even to take my stuff, depending on how far you extend the analogy).

        Very bad analogy. First, you start by talking about "my house". This was a public web server. "Take my stuff". Nothing was "taken". Your analogy is about having things stolen from your home, eliciting a strong emotui

    • by cpuffer_hammer (31542) on Tuesday September 12, 2006 @11:33PM (#16093930) Homepage
      I would say that the individual sent a request for a copy of the recording to the governor's office. The office was foolish and sent a copy of the speech to the requestor. Sounds to me like a staff training problem. Staff member will have to go for reeducation, and be reprogrammed.

  • Not "Hacking" (Score:5, Insightful)

    by MarkusQ (450076) on Tuesday September 12, 2006 @10:45PM (#16093705) Journal

    I'm sorry, this is not "Hacking," it's the way the web works. They sent the web server a URL, requesting a document, and the web server gave it to them. They didn't do anything nefarious, underhanded, or tricky. They didn't claim to be anybody they weren't, there was no phishing or pretexting or anything like that involved.

    Imagine they had called the governor's office and said "Hi, got anything incriminating about the guv on file?" and when told "Sure, would you like a copy?" they said "Yes please!" What would people think then? It's the same darned situation here.

    --MarkusQ

  • by dgerman (78602) on Tuesday September 12, 2006 @10:47PM (#16093715) Homepage
    Disparaging? hardly. This is just a sensationalist way to report the news. Here is the actual comment (from the Washington Post http://www.washingtonpost.com/wp-dyn/content/article/2006/09/08/AR2006090800599.html [washingtonpost.com]):

      "I mean Cuban, Puerto Rican, they are all very hot," the governor says on the recording. "They have the, you know, part of the black blood in them and part of the Latino blood in them that together makes it."

    the article continues...

    'Garcia, who is Puerto Rican and the only Latina Republican in the assembly, appeared with Schwarzenegger yesterday and said she was not offended by the governor's comments. Garcia earlier told the Times that she refers to herself a "hot-blooded Latina."

    "I love the governor because he is a straight talker just like I am," she said.'

    • The actual statement has to sound like the Terminator. Observe:

      I mean Cuban, Puerto Rican, they are all very hot

      Should be

      I.MEAN.CUBAN.PUER.TO.RI.CAN.DEY.ARE.ALL.VER.Y.HO T.
      [screen flickers between visible and infrared view, zooms in on a rodent in the wall]
      [choice screen appears, -kill, -verbally abuse and process further, -ignore]
      .FUCK.YOU.ASS.HOLE.

      [At this point the person talking to Arnold should be alarmed and might actually gasp.]

      The next statement should be kind of like this:

      .THEY.HAVE.THE.

    • Re: (Score:3, Informative)

      by jafac (1449)
      "I love the governor because he is a straight talker just like I am," she said.'

      Yeah, except when he hides behind his ESL-credentials and says things like: "I never took steroids, besides, they weren't illegal when I took them." or "I believe that gay marriage should be between a man and a woman."

      Personally, the guy who promised to come in as governor and apply fiscal discipline to solve California's budget crisis - and the first thing he does is put out a measure to borrow 8 billion dollars;

      Straight-talkin
    • Disparaging? hardly. This is just a sensationalist way to report the news.

      The problem is that many people believe that nonsense. And the guy is the governor..., he runs the state! Don't you think it's a little worrying he attributes personality traits to race?

      There are many of these stereotypes. For instance, I read once that there is a strong 'masculine' stereotype to most things concerning the black race, and similarly a strong 'feminine' basis to most things Asian. This may have its roots in

  • by ptbarnett (159784) on Tuesday September 12, 2006 @10:48PM (#16093717)
    I vaguely remember someone in the UK that was convicted of the computer equivalent of trespass for doing something like this: manually removing the trailing elements in a URL.

    • by MichaelSmith (789609) on Tuesday September 12, 2006 @11:17PM (#16093856) Homepage Journal
      I vaguely remember someone in the UK that was convicted of the computer equivalent of trespass for doing something like this: manually removing the trailing elements in a URL.

      When the GST (tax) was launched here in 2000 the tax department had a web site where you could query something about your tax and the cgi script it used had an argument like ?tfn=nnnnnnn where the n's are your tax file number (9 digits).

      So this guy tried a couple of combinations, got the details of others, and took it to the tax people with advice to change their security arrangements.

      So they did, by locking him up.

      • Michael, are you able to supply more details about this situation - articles, etc?
        • Here's some info about it clipped from a law journal [nswscl.org.au]:

          Privacy concerns were raised in Australia when a hacker accessed the business and bank account details of up to 27,000 businesses in Australia who were accredited suppliers of GST information and assistance packages to businesses through the GST Start-up Assistance Office. The 'hacker' reportedly obtained the information without actually hacking the site, as the information was provided on an ordinary page accessible through a URL on the site (the web a

    • Daniel James Cuthbert [slashdot.org]. Reportedly, he got suspicious about a site where he'd donated money and (here's a disconnect for you) ran a directory traversal attempt (foo.com/../stuffoutsidewebroot) allegedly to check whether the site was genuine. This set off their IDS. He made life harder for himself by making a false initial statement to the police instead of a true one or "I want my lawyer now".
  • Is it just me, or did this whole thing make you feel like you were on crazy pills? I didn't find anything remotely racist in what he said. He was giving her a compliment. I wish people spoke about me and said, "You know, it's just that mix of Norwegian and German... it just makes him hot." The only person that says that about me is my wife, but I guess that will have to suffice. Regardless, Arnold, you can talk about that crazy hot blood in my veins whenever you feel the need to bud. Not that it would matt
    • by nizo (81281) *
      ...Arnold, you can talk about that crazy hot blood in my veins whenever you feel the need to...

      Wait, are you hitting on Arnie???

    • by Jeremi (14640)
      I didn't find anything remotely racist in what he said. He was giving her a compliment.

      Compliments can be racist. E.g. the classic "that black guy was so articulate during the job interview!", with its connotation that black people are usually inarticulate. Or the ever-popular "Asians are so smart and hard-working!". In both cases, the person probably means well, but they are still engaging in racist thinking: assuming that someone's race is an indicator of some other trait which is not, in fact, racial

    • by Anonymous Coward on Tuesday September 12, 2006 @11:24PM (#16093884)
      So, someone didn't hack a web site, and someone didn't make racist comments. Right then, all caught up on the news.
    • Re: (Score:2, Insightful)

      by Mr. Slippery (47854)

      I wish people spoke about me and said, "You know, it's just that mix of Norwegian and German... it just makes him hot."

      The context was "hot" as in "hot-tempered" or "hot-blooded", not like "am I hot or not?"

      Whether "hot-tempered" is a compliment or not is debatable. Certainly the accusations of being "hot-tempered" that people directed toward those of Irish ancestry in the late 19th and early 20th centuries, the time of "No Irish Need Apply" signs, were not compliments.

  • "I mean, they (Cubans and Puerto Ricans) are all very hot...they have the, you know, part of the black blood in them and part of the Latino blood in them and together that makes it,"

    Big deal! I actually heard hispanics saying just the same kind of thing about themselves.

    • Big deal! I actually heard hispanics saying just the same kind of thing about themselves.

      Totally. And that's exactly why I don't get why black people get all upset when I call them the N-word.

  • by iammaxus (683241) on Tuesday September 12, 2006 @10:50PM (#16093732)
    Anyone remember this? http://www.boston.com/business/articles/2005/03/08/harvard_rejects_119_accused_of_hacking_1110274403/ [boston.com] Seems like the media supported the concept that it was hacking. Given, it required more work than in this case, but it was still a case of a freely accessible URL.
  • GET TO THE (url) CHOPPER!
  • by RelliK (4466) on Tuesday September 12, 2006 @10:55PM (#16093752)
    Nice spin there. All he did was call one lady hot. BFD! As much as I think the governator is a joke, this is just getting ridiculous.
    • by klaun (236494)

      Nice spin there. All he did was call one lady hot. BFD! As much as I think the governator is a joke, this is just getting ridiculous.

      While I agree that his comments were not disparaging, he definitely did more than call one lady hot. He characterized a group of people in a particular way based on their race. I think mainly the idea is that it was probably in poor taste for a governor to say. I imagine that some people might interpret it as being indicative of a predilection for making generalizations a

  • I'm just waiting until there's a move by content providers to ban popup blockers because they prevent people from seeing ads ... thus costing someone potential ad revenue and when someone is deprived of potential revenue (even if the loss of potential revenue is only in their imagination) it is now the equivalent of theft.

    There are quite a lot of people who view competent computer use as a form of magic. They are deeply scared of technology, vote people into office who don't understand technology and expec
  • CHP (Score:5, Informative)

    by matt2413 (135292) on Tuesday September 12, 2006 @11:09PM (#16093818) Homepage
    The CHP merged with the California State Police in 1995. They are the law enforcement authority on CA state property.

    http://www.chp.ca.gov/html/history.html [ca.gov]
    • I thought they were just patrolling the information superhighway.

      Heh heh..you know...because people used to call it that.

      I give up.
  • That's all it would have taken. It's the default setting in IIS, but not the default in Apache2, as far as I recall. Anyway, the Gov's web site neglected to apply this fundamental protection. Tough crap. This is pretty silly stuff anyway.
  • The California Highway Patrol are California's State Troopers.
    • by DragonWriter (970822) on Wednesday September 13, 2006 @12:36AM (#16094211)
      For those to whom the parent is not clear, the California Highway Patrol has, for quite some time, subsumed the function of the formerly-separate California State Police, and also has a function with regard to the Governor (and, IIRC, certain other state officers) parallel to the protective role of the federal Secret Service.

      So it's not all that odd that the CHP is running the investigation, other than the fact that there is obviously nothing illegal about accessing publicly-served pages from someone's webserver, so there shouldn't be an "investigation" at all.
  • I'd love to see a folder ''up" button in Firefox and other browsers--it would make "hacking" easier and perhaps educate.
  • by Panaqqa (927615) on Wednesday September 13, 2006 @01:13AM (#16094349) Homepage
    Shouldn't the RIAA be suing over this?
  • I could care less about this sort of thing... I'm sure we've all seen the vid of arnie toking it up, so what is a couple of free speech (legal) remarks going to do? I for one am really against dumbasses and actors in our seats of government, but this is just... well... i dunno... First off, if there is a master race on the planet, it is going to end up being blacks mixed with other races. I mean, it's pretty sad, but we selectively engineered them to be the "best slaves you could" get... so if you en
