
Hacking the Governator

Posted by kdawson
from the call-that-a-hack? dept.
mytrip writes, "The Democratic rival to California Gov. Arnold Schwarzenegger acknowledged that his aides were responsible for obtaining a controversial audio file, in which the Governator was heard disparaging members of other races, in a move that has led to allegations of Web site hacking. A source close to Angelides told CNET News.com that it was possible to 'chop' off the Web links and visit the higher-level 'http://speeches.gov.ca.gov/dir/' directory, which had the controversial audio recording publicly viewable. No password was needed, the source said." And jchernia notes, "As an aside, the California Highway Patrol is running the investigation — maybe the Internet is a truck after all."
  • by ptbarnett (159784) on Tuesday September 12, 2006 @10:48PM (#16093717)
    I vaguely remember someone in the UK that was convicted of the computer equivalent of trespass for doing something like this: manually removing the trailing elements in a URL.

  • by iammaxus (683241) on Tuesday September 12, 2006 @10:50PM (#16093732)
    Anyone remember this? http://www.boston.com/business/articles/2005/03/08/harvard_rejects_119_accused_of_hacking_1110274403/ [boston.com] Seems like the media supported the concept that it was hacking. Given, it required more work than in this case, but it was still a case of freely accessible URL.
  • by Trailer Trash (60756) on Wednesday September 13, 2006 @12:51AM (#16094260) Homepage
    The irony of this is, of course, that the Governator made this observation jokingly apparently because one of his close aides or cabinet members is Puerto Rican and likes to joke about it. Rather than jumping up and down yelling to make sure everybody knows that he is for equal opportunity and all that, Herrn Schwarzenegger simply lives his life as if race doesn't matter.

    I am very familiar with this, since my wife is Asian. One day she asked me if I'm offended by her calling me a "white guy". Seriously. I said "of course not, it's what I am, like you're an Asian babe". So I asked why she even asked me that. Turns out she had mentioned to a patient that her husband is a "white guy", and the guy told her it wasn't nice to call me that.

    As the parent says, it's just bullshit to act as if race doesn't exist.

    What the Governator said isn't racially disparaging. He jokingly made an observation. Those who are so offended by it are people who I personally won't bend over backward to not offend.
  • You'd be surprised (Score:5, Interesting)

    by Moraelin (679338) on Wednesday September 13, 2006 @03:34AM (#16094677) Journal
    I've seen big corporation programming consultants for which changing a URL was an unheard of concept, so I'm less surprised that a layperson considers it elite hacking.

    Seriously. Being as generic as I can for NDA reasons, let's just say that the corporation I work for paid good bucks to a BIG corporation's consultants to write a web application for them. Well, not even the whole app, but think more or less just the part where you register and set your data and preferences, with a bit of a hierarchy thrown in. (Some users could be, basically, managing others and giving or revoking rights to them.)

    The thing ended up years overdue, and needing a whole server farm just to support a modest number of users. (The joys of clueless Buzzword Driven Architecture at its finest, really.) They had to be started and shut down in a given sequence too, as the modules on one machine depended on those on a second, which depended on those on a third, and so on. As a result, shutting down and restarting the whole system (e.g., for maintenance) took almost a whole day. But that's not the important part. The important part was the endless security issues, such as:

    1. yes, failure to account for URL editing. Rights were checked when generating the URLs on a page (e.g., which products, messages, whatever, you can click on), but not when actually accessing the linked page. So you could literally access any data in the database by just typing in its ID in one of those URLs.

    2. rights escalation. Did I mention editing URLs? The same went for the "change your password" page. You could just type in another user's id, change their password, and log in as that user. The "super-user" had id 0. 'Nuff said.

    3. wide open to cross-site scripting exploits. They hadn't figured out how to quote strings when displaying them on a web page. (Then when they "fixed" that, it encoded them twice and displayed them broken. So they disabled the fix again and tried to downplay the risks of anyone injecting JavaScript.)

    4. had obviously never heard of non-repudiation. (Security isn't just about who you let in, but also making reasonably sure who signed that contract or generally did what.) While in the old system a deleted user was just, basically, flagged as disabled, their clever system just deleted the user and his data. And because of foreign key constraints, it cascaded through the tables and erased any data connected to that user. Messages they posted or sent, contracts they signed, everything. Users could delete themselves too. (If anyone has trouble understanding why this is dangerous, think what you could do if your bank had something like that. Take a big loan, move the money somewhere else, delete your user.)

    And so on, and so forth.

    So, well, if "experts" hadn't heard of such elementary stuff, I can't be that surprised that the governor or a couple of journalists consider them advanced hacking.
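
An added illustration of items 1 and 2 in the comment above (not part of the original post, and not the application it describes): rights are enforced in the handler that serves the object, not only when links are generated. All names and data are constructed, and `session_user` is assumed to come from the server-side session, never from the URL.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised when the session user may not touch the requested object."""

@dataclass(frozen=True)
class User:
    id: int
    manages: frozenset = frozenset()  # ids of accounts this user administers

# Constructed sample data: accounts, and record id -> (owner id, body).
USERS = {1: User(1), 2: User(2, frozenset({3})), 3: User(3)}
RECORDS = {101: (1, "alice contract"), 102: (2, "bob note"), 103: (3, "carol note")}
PASSWORDS = {uid: "initial" for uid in USERS}

def may_act_on(session_user, target_id):
    """One policy for every handler: yourself, or an account you manage."""
    return target_id == session_user.id or target_id in session_user.manages

def links_for(session_user):
    """Page generation. Filtering links here is presentation, not enforcement."""
    return [f"/record?id={rid}" for rid, (owner, _) in RECORDS.items()
            if may_act_on(session_user, owner)]

def view_record_unchecked(session_user, record_id):
    """The flaw in item 1: the id from the URL is trusted as-is."""
    return RECORDS[record_id][1]

def view_record(session_user, record_id):
    """Corrected handler: re-check rights at access time."""
    entry = RECORDS.get(record_id)
    if entry is None or not may_act_on(session_user, entry[0]):
        raise Forbidden(record_id)  # same answer for unknown and forbidden ids
    return entry[1]

def change_password(session_user, target_id, new_password):
    """Item 2 corrected: the target id is checked against the session user."""
    if not may_act_on(session_user, target_id):
        raise Forbidden(target_id)
    PASSWORDS[target_id] = new_password

def denied(handler, *args):
    """True if the handler refused the request."""
    try:
        handler(*args)
    except Forbidden:
        return True
    return False
```
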
  • by Anonymous Coward on Wednesday September 13, 2006 @03:59AM (#16094719)
    Generalizations or stereotypes exist for a reason.
    The reason is that people are lazy.
    We do not want to have to evaluate everyone we meet on their own merits, so we group them together and apply a label.
    I disagree. Most people don't generalise about people they know, only those they don't know (or only slightly know), but this isn't because they're lazy, it's because such generalisations are rational, and improve the ability to survive, and function in the world. We can't know everyone well, so we make assumptions about those we don't know well, using the limited information we have about them. We aren't at all unique in this respect either: other animals generalise extensively, e.g. in their reactions to humans and other species.

    The rational thing to do when facing an unknown thing (including an unknown individual) isn't to make no assumptions about it, but rather to make limited assumptions based on whatever information is available about it, together with one's knowledge of what that information means. For example, if you see someone exhibiting all of the characteristics of being infected with a highly contagious disease, you would be wise to avoid them until such time as you can ascertain whether or not they are in fact infected. This may not seem to be fair to someone with, e.g. a non-infectious disease that produces similar symptoms to a highly infectious one, but without such behaviour, the infectious disease would spread much more rapidly amongst the population.

    Not because 10 out of 10 of the latino people you've met in your life are all hot-blooded does it mean that latino people are predisposed to aggression. There can be a third, independent factor, held by those 10 people that you've met that explain their personality.
    Naturally there may be other factors, but given your example, is there any rational reason to ignore the fact that 10 out of 10 latino people you've met have been hot-blooded (assuming this proportion is substantially different from the general population)? Given the perfect correlation in your sample, if you run into a latino you don't know, it would be quite sensible to assume that person is hot-blooded, until you have sufficient information to make that determination individually.

    Continuing with your hypothetical example, the question of whether or not being latino causes hot-bloodedness is not particularly important, relative to the correlation. To the extent that being latino can't be caused by being hot-blooded, any causal relationship would have to go the other way. Moreover, social factors cannot cause an individual to become latino, even if they can perhaps cause hot-bloodedness, so this means the correlation between being latino and being hot-blooded is either a coincidence (and statistical techniques can be used to test this), or that being latino is a causal factor, either indirectly or directly: e.g. at one extreme, it could be argued that being latino leads to being discriminated against, which ultimately leads to a social environment which produces hot-bloodedness, whereas at the other extreme, it could be argued that all latinos possess genes which directly lead to hot-bloodedness.

    On the whole, what matters in terms of governing rational behaviour is the correlation, not the presence or absence of a causal relationship. To use a fairly ridiculous example, if you find that people wearing red hats are substantially more likely to rob you or people you know than those not wearing red hats, it would be rational to avoid people who wear red hats, irrespective of the fact that it's a virtual certainty that wearing a red hat doesn't cause an individual to become a thief.
  • by Anonymous Coward on Wednesday September 13, 2006 @12:30PM (#16096792)
    ...it was: election year mud-slinging.

    Well, both sides are trying to draw attention to something that, in their view, was unethical (racial stereotyping and computer hacking).

    At most, however, this kind of thing would be expected to energize their bases. Conservatives aren't going to care about comments that are not politically correct in, what they consider to be, a time of war. Liberals aren't going to care about slightly shady efforts to expose the truth about Republicans in power.

    That newspapers generally run stories about controversial behavior of celebrities is no surprise. It's what sells the papers. That does not, however, imply that one should automatically vote (or not vote) for the controversial celebrities in a government election. Basically, people need to make up their own minds - and that's what they'll do anyway.

    As to the L.A. Times being liberal, it could be a lot worse. They could have front page headlines like: "If you vote for a Republican you are voting to send American soldiers to their deaths in a civil war in a backwater country halfway around the world because you value cheap oil for your SUV more than the lives of American soldiers". The L.A. Times doesn't care about the truth. They care about telling people what they already know so they will buy more newspapers. In comparison to other parts of the country they may adopt a more liberal view but that doesn't make the view they promote right or wrong - it's just what sells the papers.
