Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
The Internet

Hacker Tinkering With Yahoo Stories 387

Lifter writes "A hacker named Adrian Lamo had access for three weeks to the web-based content control system for Yahoo!'s news section, according to a story at SecurityFocus. He tinkered with a couple of stories without anyone noticing, then edited an August Reuters story about Dmitry Sklyarov, so that it said that Dmitry's program raised "the haunting specter of inner-city minorities with unrestricted access to literature, and through literature, hope." He also added a quote by John Ashcroft,"They shall not overcome. Whoever told them that the truth shall set them free was obviously and grossly unfamiliar with federal law." Funny stuff in itself, but the SecurityFocus story explores the harm that could come from a trusted news site being easily hacked in these times."
This discussion has been archived. No new comments can be posted.

Hacker Tinkering With Yahoo Stories

Comments Filter:
  • by Anonymous Coward on Wednesday September 19, 2001 @02:31PM (#2321680)
    10 ways to tell if you or someone you know may be a potential terrorist:
    1. They are shy or antisocial;
    2. They spend a large percentage of their free time on a computer;
    3. They are quick to criticize the government or corporations, often complaining about their "rights online";
    4. They are obsessed with privacy;
    5. They have a tendency to play violent computer games;
    6. They frequently illegally copy music, movies, or software;
    7. They listen to aggressive, "alternative" music;
    8. They have an aversion to going outside;
    9. They like to reverse-engineer, or "hack", anything they can for no substantive reason;
    10. They use software such as Linux, which is designed by and for hackers.
    For the sake of national security, please report all potential terrorists to the NSA [nsa.gov].
    • by Anonymous Coward
      Pre Flight Announcement, 2002

      "Good Afternoon, Ladies and Gentlemen, welcome to Northwest Flight 571,
      service to Los Angeles continuing on to San
      Diego. Before we take off, we'd like to acquaint you with some of the safety
      features of this Boeing 767. You know
      about the emergency exits, oxygen masks, floating seat cushions, and so on,
      so we will not waste time with those. Consult the cards in your seat pocket
      for information on all features of our aircraft.

      "Please do pay attention to the new security features.

      "In the event of midair terrorism, a panel will open alongside the window
      seat, containing two lightweight automatic handguns. They are fully loaded,
      and extra clips are available in velcro straps. As the flight attendants are
      now demonstrating, to operate the pistol, simply draw back the slide and let
      it fall forward, then aim by lining up the slot in the rear site with the
      front site, centered on the middle of your targets torso. Depress the
      trigger repeatedly to fire. The pistol holds 10 rounds; after the last the
      slide will lock back. Depress the clip release button located above the grip
      on the left side, remove the clip and slide a new one into place. Please be
      careful of your field of fire, and continue firing until your target goes
      down.

      "Your seats backs are equipped with kevlar armor, stay well down and aim
      over the top or around the side.

      "Your flight attendants are all armed with compact submachine guns; please
      follow their lead in directing fire.

      "If you feel you are unable to perform these duties, or are a conscientious
      objector, please let our attentants know so
      we can reseat you in the 'cowards rows' at the rear of the plane and not
      bring you drinks or peanuts.

      "For your safety, the aisles are equipped with electrified strips and
      computer controlled antipersonnel mines. For this
      reason, please remain in your seats until the captain has signalled all clear.

      "Note that the area around the cockpit is cleared of seats and marked with
      contrasting carpet. Under no circumstances
      should you cross this barrier during flight, various automatic devices will
      be activated to protect the cockpit.

      "The hatch in the floor at the back of the cabin is similarly marked and
      should be avoided during flight.

      "Anyone creating a disturbance, caught tampering with the pistol cases or smoke detectors in the lavatories will be apprehended and ejected via the rear floor hatch.

      "Thank you, and have a pleasant flight. We know you have a choice when you fly, and we thank you for choosing Northwest..."
      • I'm probably providing a big ol' heap of Purina Troll Chow here, but you ARE aware of what happens if you fire a weapon in a pressurized cabin and your slug somehow misses its intended target, right?

        This is why El-Al [elal.com] employs professionals [usatoday.com] in this capacity.

        • This is why El-Al employs professionals in this capacity.

          And that's great, and we should too, but don't get too complacent about the competence of those "professionals."

          Do you know any cops? Friends of friends who are cops? If you do, start asking them about firearms training... how often they have to go, how well they have to shoot. You will likely find that most cops consider their firearms training to be a chore... a pain in the ass, to be taken care of as quickly as possible.

          A disturbing number of cops can't even pass their periodic shooting qualification tests, and they get "do-overs" and other special treatment.

          When I was in my early 20s I went to the cop range in Montebello, CA... a relative was the assistant rangemaster there. I took the cop qualifying course of fire. That was the 2nd time I had handled a pistol. And I passed, and I scored in the 50th percentile.

          Did you get that? New shooter that I was at the time, I still did better than HALF THE DEPARTMENT. And while I do have some small talent for pistolcraft, I am NOT a prodigy. In fact, back then I plain sucked.

          The fact is hobbyist shooters will very often be better shots than the police. Hobbyists LIKE their guns. They practice because it's fun. Have you ever seen a modern tactical pistol match? The master shooters are like damn SUPERHEROES, they can shoot so well. It's really amazing.

          Most cops shoot a couple of times a year, when regs force them to, and they don't take the gun out of the holster in between.

          True story from the Glendale CA PD: An officer (female, not that it matters) goes in for her qualifying, which happens twice a year there if I remember right. She goes into the range, draws and fires... and nothing happens. Turns out there was no magazine in her weapon. She had removed it after her last qualifying trial, months before, and never replaced it... and never noticed. D'oh!

          True story, Bell, CA: Cops are hidden behind their car, exchanging fire with a criminal. I forget the specifics. Another cop drives up, runs over to them and joins in. As he shoots, he says, "Hey guys, what are we shooting at?" (This is not a joke.)

          I got both those stories from eye witnesses in the departments.

          I'm a big cop supporter, so don't flame me for those illustrations. I'm just pointing out that firearms skill is not generally a big cop strength until you get to the elite units.

          Those El Al cops -- I bet they are pretty good though. Israel doesn't screw around in matters martial.
      • by alen ( 225700 ) on Wednesday September 19, 2001 @02:57PM (#2321870)
        Don't forget about parachutes. Once you exit the aircraft you have the rest of your life to open it.
      • Ditch the semi-autos and give the passengers revolvers. Revolvers are simpler to operate, so the safety brief could be much shorter. They are mechanically simpler, so less preventive maintenance would have to be done on them (i.e. cheaper for the airlines = lower ticket prices). The immediate action drills for revolvers are much simpler as well. The passengers wouldn't have to worry about failure to feed (a problem not uncommon with inexperienced shooters who might "limp wrist" the gun) or failure to extract. Failures to fire are corrected simply by pulling the trigger again, which is probably going to be the passenger's natural response. Semi-Autos are sexy and great for serious shooters, but for inexperienced shooters (or anyone who doesn't like to do preventive maintenance) revolvers are a better choice for self-defense.

        I also think the safety briefing should include a warning to only use the airline-approved frangible ammunition for the guns; otherwise some idiot with a few FMJ rounds in his pocket is likely to stick them in the gun and decompress the plane during the firefight. Other than that, I think that is a good briefing.
    • In other news 87% of Slashdot readers were taken into custody and questioned. It seems that they all fit the profile of terrorists. Who knew?

    • by Anonymous Coward
      5. They have a tendency to play violent computer games;

      hey - MS Flight Simulator isnt violent
    • Is that someone with a different mindset might read this, think it serious and start mass emailing it to their friends.

      We're in for some rough times...

  • I think it's possible a lot of major news sites have been lately hacked by script kiddies. How else do you account for the quality of writing on some of these sites?
  • Yeah, I know this is a serious accusation,
    but at the same time, I can't help but find
    the humor in it.

    Does anybody have any links to a copy of the original Yahoo article?
  • by cp4 ( 250029 )
    If you are worried about the trustworthiness of your news site, getting your news from a site named YAHOO might be your first mistake.
    • I don't think the name matters. What if the New York Times, slashdot, the LA Times, CNET or something similar got hacked? How would you respond to that?

      The problem is that people still trust everything they read, despite what all of our mothers told us.
  • by ichimunki ( 194887 ) on Wednesday September 19, 2001 @02:36PM (#2321713)
    How do we know the Security Focus story wasn't actually the hacker-planted story, and that anything happened over at Yahoo at all?

  • How do we know that this story wasn't altered by a hacker that has access to slashdot?
  • I know that this could be pretty serious news, because unfortunately most people easily get swayed by anything they read (which sometimes consists only of finding waldo), but i find it that it is just a lighthearted hacker with power that he doesnt want to waste. Still, this shows that news stories are compromisable, (at last some are) and this could potentially become a more serious matter if this was raised to a scale of 5 billion.
  • by Daniel Dvorkin ( 106857 ) on Wednesday September 19, 2001 @02:37PM (#2321719) Homepage Journal
    I'm honestly not too concerned about this kind of hacking. I tend to take _anything_ I hear about any major incident like the Sept. 11 attacks with a grain of salt for a day or two. And I would hope to God that the people making important, irrevocable decisions -- e.g. the U.S. government -- aren't relying on Yahoo! News for information.

    Consider it freedom of speech, and of the press, and of petition for redress of grievances, updated for the modern age ...
    • yeah I thought it was all cgi until thursday

      i do feel sorry for these guys though (if it's real)

      wired coup [cuntbubble.com]

    • Heh. Yeah, I'm not sure that intentionally introduced errors in news stories are much worse than the un-intentional ones that are routinely there anyway. I've been personally close to enough stories that make the paper to realize how horrible the quality of most daily reporting truly is in this country (and don't even get me started on the amateur outfits like indymedia).

      I have to see something several different places (which are not obviously merely copying one another) before I'll start to seriously give it much consideration as fact--and even then, realize that large parts of the story will be missing or incorrect for other reasons.

      One of the best things about last week, though, was that in the middle of all the chaos and speculation, there were a lot of private individuals who just took some time out and posted up pictures they had taken or things they had seen with their own eyes. Put enough of those things together, and you have a far more accurate story than what a single reporter can do in the same amount of time.

    • e.g. the U.S. government -- aren't relying on Yahoo! News for information.

      Good news: The U.S. government doesn't rely on Yahoo! News as its primary source of information.

      Bad news: The U.S. government is strongly influenced by the U.S. general population, many of whom do rely on news sources as reliable as Yahoo! News

      News for Yahoos. Because Brittney Matters.
  • Security? (Score:5, Insightful)

    by x-empt ( 127761 ) on Wednesday September 19, 2001 @02:37PM (#2321722) Homepage
    The problem with security today is the lack of it. Generally security on the Internet today is the same as how secure businesses are physically. Many businesses leave filing cabinet doors unlocked, rooms open, and papers unshredded.

    Now in the company where you work, how hard would it be for a person in the general public to walk-in and act like a new client or staff member and gain access to sensitive information?

    The problem with computing security in general is that it is more often exploited than flaws in physical security. IT departments don't know how to read www.microsoft.com/security and RedHat's update/errata page. They find security too difficult and do not place it high on their priority lists.

    - x-empt
    • It would not be diplomatic to comment on where I'm working, but I can comment on places I have worked.


      Of ALL the organizations I've worked in, both in England and the US, only one has impressed me on the level of security, and that was the SERC Daresbury Laboratory.


      Hey, sure, it wasn't brilliant, but it was hardly intended to be. For what it was designed to do, it did its job magnificently. And that's all any security is supposed to do.


      (Passwords were strong, dial-in lines were call-back & manually authenticated, etc. Physical security was via electronic locks.)


      The weakest I've seen has to be at, well, just about any University I've worked at or studied at. NASA wasn't too hot, either, which surprised me. For such intelligent people, they could do some amazingly stupid things.


      (Sendmail 2.6 should not be considered the safest piece of software in the Universe. Yet I've seen plenty of machines, open to the world, -still- running this museum relic. There are even copies of GateD 3.0 in active use, on desktop Unix boxes. I'm sorry, but you can't blame the mice for feeding, if you're handing them swiss cheese.)


      All in all, I'd love to see organizations fined for encouraging computer-related crime, when they actively make themselves vulnerable.


      (This is very different from when computers are vulnerable, either because there is a genuine reason for the vulnerability to be present, OR because the vulnerabilty was not public knowledge at that time. Organizations have a responsibility to be responsible, not gods. No human is omnipotent, omnicognent and omnipresent, and should not be penalized for not being something they could never be.)

    • Just wait.

      With the anti-encryption hype in congress, soon we may not have good security at any level. It's bad enough today when things aren't kept upto date, but how much worse will it be when you aren't allowed to be secure?

      I find it so fitting that this story came directly after the story on public distrust of secure encryption.
    • I don't lock my file cabinets. That would be damned annoying. How many keys can a person keep? How many passwords can they remember?

      I think the better way to help security is to make it less necessary. If the systems, on a low level, don't allow destruction then the hacker will only be able to fiddle. Better, more wide-spread version control would be good, for instance. That protects against not just maliciousness, but unintentional mistakes as well (which are more common).

      Of course, better security is always better. But more locks are a pain, and every lock needs a key (or probably twenty of them). Every key is a potential hole. We need less boats and more intertubes.

      • I think the better way to help security is to make it less necessary. If the systems, on a low level, don't allow destruction then the hacker will only be able to fiddle.

        This is very very dangerous - it's a lot better for a hacker to destroy than to fiddle (ObOntopic: as per the Yahoo stories). If the story is gone then you know something is wrong, but if the details are subtly changed, who is to know?

        Better, more wide-spread version control would be good, for instance. That protects against not just maliciousness, but unintentional mistakes as well (which are more common).

        Version control is better, but you still have to notice that the malicious change has been added, and then find who did it (or at least who the attacker was pretending to be) and remove it.

        To use CVS as an example - if somebody has made a malicious change at -r1.4, you have to check out -r1.3 and also take a diff from -r1.4 and -rHEAD, then apply that diff to -r1.3 and hope nothing breaks, if it does then you have to work out what was depending on the malicious code, and hope that they didn't hide the malicious code along with a bunch of architectural changes that everyone assumed were legit because they helped.
        (in which case you need to reverse engineer their changes and throw out the bad bits).

        This takes a lot of time with code, and is almost impossible for things like masses of data with only occasional bits modified, and that within parameters.

        Can you imagine what would happen to a mining company if someone managed to change their survey data so they dug a mine in the wrong place? Not a massive change probably (low order bits on GPS data or similar), but enough to cost millions of dollars.

        On the other hand if the data is deleted then you know it's gone and can try to recreate from backups.

        The biggest danger is that small changes will go un-noticed until the backup loops are over-written and there's enough real work done since the last clean offsite backup (surely everyone keeps at least one every few months) that it takes more work to recreate everything than to throw it away.
  • by Anonymous Coward
    ...persecution. It shouldn't be illegal to hack a site if your hacks are funny. ACLU where are you now?
  • he didn't do anything than go to what they said was a wide open url - it was "secured" via obscurity - you weren't supposed to know about it.

    I don't know how many times dipshits here in my office have suggested that parts of our app were sucure b/c "how would anyone ever figure out that url" - duh - so I showed them.

    what pisses me off is these people are everywhere and don't get fired and are still allowed to make these retarded design decisions.
    • From the article (which you might consider reading...)



      Proxy problems
      Yahoo! declined to comment on the specifics of the hack, but as described by Lamo, modifying the portal's
      news stories didn't require much hacking. He made the changes using an ordinary web browser, and didn't
      need to do so much as enter a password.

      The culprit in this case was a trio of proxy web servers that bridged Yahoo!'s internal corporate network to the
      public Internet. By configuring a web browser to go through one of the proxies, anyone on the Internet could
      masquerade as a Yahoo! insider, says Lamo, winning instant trust from the company's web-based content
      management system.

  • what would he do? Spell check the stories? Too obvious...
  • I love this guy. Where do I donate to his cause?

    If malicious hacking has to exist, it should certainly be in the style of The Onion [theonion.com].
    • I love this guy. Where do I donate to his cause?

      Not sure, but I bet you will be able to write to him shortly c/o Dept. of Corrections.
  • by Rope_a_Dope ( 522981 ) on Wednesday September 19, 2001 @02:42PM (#2321761)
    Is there any reason that the major news organizations don't PGP or MD5 sign their stories as posted on the web, to verify they are posted and mirrored correctly? It could easily be ascertained that the site was being changed if Yahoo News were to include a signature at the bottom to check the veracity of the article. Obviously this guy was making minor changes to the stories early on, just to see if he could get away with it. A simple spider/crawler that checks the signature could be run by Yahoo against any and all of their posted stories, and if they don't match the copy editor's , then a flag can be raised! The AP could do this as well for any stories that go across the newswire, and are posted across the Internet.
    • Because they want strong encryption banned. If they were actually using it themselves, then, well, that just doesn't work. Besides, it's illegal to exploit security flaws, <satire>which means we can safely assume it will never happen</satire> like good little ostriches.
    • Is there any reason that the major news organizations don't PGP or MD5 sign their stories as posted on the web, to verify they are posted and mirrored correctly?

      Well, for one thing is the media we're talking about, expecting them to have a clue is wishing thinking. Also, how many people would bother verifying them? You and I, perhaps, but certainly not the public in general. And certainly not one that favors backdoors in crypto [slashdot.org].
    • I imagine he was able to pose as a copy editor or some other priviledged user. So, of course, the articles matched the "copy editor's" -- or, at least what the system believed was the copy editor.

      A distributed system like that is harder to secure. So you have a PGP signature... do you give every priviledged person the private key? No, that doesn't work at all, since people come and go, and probably don't keep good personal security anyway.

      So now Yahoo needs it's own certification -- not just a key chain, since a person who's priviledged at one point may not be in the future. Now it's a matter of breaking into the certification and adding your certificate. Maybe harder, but when you consider how much extra work Yahoo would have to do to even get to that place...

      And then, who's really going to check those keys? People? No one would bother. The system? Well, hack the checking system.

      Security is a system. Signatures are no silver bullet, and they are a PITA to manage and use.

      OTOH, sending notification to original editors/authors when the article is modified is not only useful for security, but generally useful. Keeping good version information would be good too. So that might work well (though of course you could always hack the notifying system).

    • Is there any reason that the major news organizations don't PGP or MD5 sign their stories as posted on the web
      That would prevent distributors and editors from editing the stories for space or spin. The latter has been observed -- many references to the positive effects of marijuana and the negative effects of prohibition have been snipped from wire stories published in (IIRC) the Dallas Morning News.
      It could easily be ascertained that the site was being changed if Yahoo News were to include a signature at the bottom to check the veracity of the article.
      You should have stopped while you were ahead. Go learn what cryptographic signatures really give you, and then stop by m-w.com to look up "veracity" and see if that's the same thing.

      Anyway all you'd have to do is 0wn the signature machine, break enough signatures that they turn the alarm off, and the rest of the site is yours. Social engineering is often the most effective attack.

      -jhp

  • Taliban Surrenders bin Laden After Web Site Defaced

    http://bbspot.com/News/2001/09/surrender.html
  • I've been getting spam that claims to be from Yahoo today. It seems to originate with a site whose front page says "this site is under construction.... ".

    Here's the entirety:

    Click these links to see recent news and up to the minute stats:

    Current link
    http://finance.yahoo.com/q?s=ivoc.ob&d=v1

    52 week link
    http://finance.yahoo.com/q?s=ivoc.ob&d=c&k=c4

    Please FWD this email to your associates of similar interests..... Sorry for any
    intrusions.

    Disclaimer: Neither Corporate America nor the writers of this communique makes
    specific trading recommendations or gives individualized market advice.
    Information contained in this newsletter is provided as an information service
    only. Corporate America recommends that you get personal advice from an
    investment professional before buying or selling stocks or other securities. The
    securities markets are highly speculative areas for investments and only you can
    determine what level of risk is appropriate for you. Although Corporate America
    obtains the information reported herein from sources that it deems reliable, no
    warranty can be given as to the accuracy or completeness of any of the
    information provided or as to the results obtained by individuals using such
    information. In no way should this be construed as a recommendation to buy or
    sell a particular security.

    Not Interested: http://www.cyberxworld.com/cleanlist.html
  • I dunno... (Score:3, Insightful)

    by jd ( 1658 ) <imipak@ya[ ].com ['hoo' in gap]> on Wednesday September 19, 2001 @02:43PM (#2321774) Homepage Journal
    Sounds like the sort of quality of reporting you might expect from a bankrupt portal.


    Seriously, though, disinformation and "information terrorism" may not be as lethal as 110 floors of concrete dropping on you, but for precicely that reason, it's much more insidious, with an impact that no amount of bulldozing can ever clear away.


    It's also much more common. AFAIK, only two buildings of that size have ever been felled through malice. On the other hand, virtually every political and commercial organization has at least one "spin-doctor" - the popular name for info-terrorists.


    If the US is serious about its war on terrorism, it should first prove itself, by eliminating all spin-doctors from the Government, and demanding rigorous honesty and accountability within all sectors not directly tied to national security.


    Yes, NS has to be an exception. Otherwise you get into some, ummm, interesting situations:


    Passport Control Officer: Are you a foreign spy?


    Foreign Spy: Yes. I'm here to learn all your secrets.


    Passport Control Officer (into microphone): Psychiatric Unit to Gate 4, please.

  • text of the article (Score:1, Informative)

    by Anonymous Coward
    I had a hard time connecting.
    Here's the original article. (Undoctored I promise ;-)

    Yahoo! News hacked
    Hacker tinkers with with news articles undetected.
    By Kevin Poulsen
    September 18, 2001 4:25 PM PT

    In a development that exposes grave risks of news manipulation in a time of crisis, a hacker demonstrated Tuesday that he could rewrite the text of Yahoo! News articles at will, apparently using nothing more than a web browser and an easily-obtained Internet address.

    Yahoo! News, which learned of the hack from SecurityFocus, says it has closed the security hole that allowed 20-year-old hacker Adrian Lamo to access the portal's web-based production tools Tuesday morning, and modify an August 23rd news story about Dmitry Sklyarov, a Russian computer programmer facing federal criminal charges under the controversial Digital Millennium Copyright Act (DMCA).

    Sklyarov created a computer program that cracks the copy protection scheme used by Adobe Systems' eBook software. His prosecution has come under fire by computer programmers and electronic civil libertarians who argue that the DMCA is an unconstitutional impingement on speech, and interferes with consumers' traditional right to make personal copies of books, movies and music that they've purchased.

    Lamo tampered with Yahoo!'s copy of a Reuters story that described a delay in Sklyarov's court proceedings, so that the text reported, incorrectly, that the Russian was facing the death penalty.

    The modified story warned sardonically that Sklyarov's work raised "the haunting specter of inner-city minorities with unrestricted access to literature, and through literature, hope."

    The text went on to report that Attorney General John Ashcroft held a press conference about the case before "cheering hordes", and incorrectly quoted Ashcroft as saying, "They shall not overcome. Whoever told them that the truth shall set them free was obviously and grossly unfamiliar with federal law."
    It's more difficult to get into their advertising reporting statistics than their news production tools.

    Lamo says he's had the ability to change Yahoo! News stories for three weeks, and made minor experimental changes to other stories that have since cycled off the site.

    The hacker provided SecurityFocus with a screen shot showing an August 10th Reuters story about a Senate committee?s report on the National Security Agency. The screen shot shows the story on Yahoo! News with a false quote attributed to the report: ?Rebuilding the NSA is the committee?s top priority. In partnership with AOL Time Warner, we fully expect to bring you a service you can?t refuse.?

    According to Lamo, the NSA story remained on the portal for three days, before being cycled off.

    He says he deliberately chose an old story Tuesday so it would be seen by few readers, while still demonstrating the vulnerability.

    "Yahoo! takes security across its network very seriously, and we have taken appropriate steps to restrict unauthorized access to help ensure that we maintain a secure environment," said Kourosh Karimkhany, senior producer at Yahoo! News, in a statement. The company declined further comment.

    'Subversion of Information Attack'
    The hack highlights a risk that's troubled security experts since 1998, when a group called "Hacking for Girlies" defaced the web site of the New York Times, replacing the front page with a ramshackle tirade that criticized a Times reporter, and defended then-imprisoned hacker Kevin Mitnick.

    "There's always been a concern that somebody would gain access to a news site and make more subtle changes," says Dorothy Denning, professor of Computer Science and director of the Georgetown Institute for Information Assurance at Georgetown University.

    One year ago hackers modified a news story on the California Orange County Register web site to report that Microsoft founder Bill Gates had been arrested for hacking into NASA computers.

    Experts warn that malicious corruption of content at a respected news source -- sometimes called a 'subversion of information attack' -- could have serious consequences during a crisis.

    In the hours following the September 11th terrorist attacks on New York and Washington, millions turned to the Internet for information. Top news sites reported as many as 15 million unique users. Yahoo! reportedly had double the traffic that it received for the entire month of August.

    "You can imagine someone changing lists of people who were on the planes, or reported missing, or all kinds of things that could cause a lot of grief," says Denning. "Or posting stories attributing attacks to certain people."

    Lamo agrees, and says he's troubled that he had the power to modify news stories that day.

    "At that point I had more potential readership than the Washington Post," says Lamo. "It could have caused a lot of people who were interested in the days events a lot of unwarranted grief if false and misleading information had been put up."

    Proxy problems
    Yahoo! declined to comment on the specifics of the hack, but as described by Lamo, modifying the portal's news stories didn't require much hacking. He made the changes using an ordinary web browser, and didn't need to do so much as enter a password.

    The culprit in this case was a trio of proxy web servers that bridged Yahoo!'s internal corporate network to the public Internet. By configuring a web browser to go through one of the proxies, anyone on the Internet could masquerade as a Yahoo! insider, says Lamo, winning instant trust from the company's web-based content management system.

    The hacker criticized the web giant for not prioritizing security on the systems that allow editing and creation of news stories.

    "There are more secure parts of their network," says Lamo. "It's more difficult to get into their advertising reporting statistics than their news production tools."

    The hacker has a history of exposing the security foibles of corporate behemoths. Last year he helped expose a bug that was allowing hackers to take over AOL Instant Messenger (AIM) accounts. And in May, he warned troubled broadband provider Excite@Home that its customer list of 2.95 million cable modem subscribers was accessible to hackers.

    Lamo's hobby is a risky one. Unlike the software vulnerabilities routinely exposed by 'white hat' hackers, the holes Lamo goes after are specific to particular networks, and generally cannot be discovered without violating U.S. computer crime law. With every hack, Lamo is betting that the target company will be grateful for the warning, rather than angry over the intrusion.

    "I can't give you an exact answer why he does that," says Matthew Griffiths, a computer security worker and a long-time friend of Lamo. "He's kind of a superhero of the Internet."

    "I agree that it's not the safest thing I could be doing with my time," says Lamo. "If they prosecute me, they prosecute me."
  • Why would hacking a news site so that an individual post his or her opinion freely be less trustworthy than someone paid by a vested interested to write and post opinions daily?

    Unless of course you only read one source of news... or as is the case with the soon to be USA, only have one conglomerated company to deliver that news.

    • Why would hacking a news site so that an individual post his or her opinion freely be less trustworthy than someone paid by a vested interested to write and post opinions daily?

      Becuase we tend to adjust for this based on previous experiences, personal bias, etc., and unexpected content from some interloper can exploit reader expectations. Everyone trusts somebody to tell us the "truth", and will be unlikely to question that entity even when fed disinformation. Imagine how Yahoo's readership could have been confounded by a fake story on the morning of September 11 about any of the following topics:
      • Threats of a new airborne attack in another city, or of lots of unaccounted-for planes in the air
      • Release of biological agents in the water supply
      • False reports of the demise of public figures
      • Widespread shortages of food, water, etc.
      Would the bulk of Yahoo's readers question these statements? Would those who did be questioned themselves? Remember, terrorists want to sow FUD. This sort of hole provides an ideal opportunity to do so; planting a critical fake fact in a widely read story won't necessarily create a lasting big lie, but it will create a certain amount of confusion and doubt. (Bear in mind that this effect is exacerbated by the tendency of news giants to report each other's stories, sometimes without checking every fact first...)

  • Wit (Score:4, Insightful)

    by ajs ( 35943 ) <ajs@a[ ]com ['js.' in gap]> on Wednesday September 19, 2001 @02:46PM (#2321793) Homepage Journal
    He tinkered with a couple of stories without anyone noticing, then edited an August Reuters story about Dmitry Sklyarov, so that it said that Dmitry's program raised "the haunting specter of inner-city minorities with unrestricted access to literature, and through literature, hope."

    My jaw is left gaping.... Oh, I wish all crackers were this smart! Thank you for restoring my faith in human sarcasm ;-)
    • "If leisure and security were enjoyed by all alike, the great mass of human beings who are normally stupefied by poverty would become literate and would learn to think for themselves; and when they had done this, they would sooner or later realize that the privileged minority had no function, and they would sweep it away. In the long run a hierarchical society was only possible on a basis of poverty and ignorance."
      --"Emanuel Goldstein," 1984, by George Orwell
      • Re:Wit (Score:2, Insightful)

        by BenboX ( 194360 )
        I dunno about this. I think our current society by its very nature has proven that George Orwell was incorrect in this regard. Factually, it's more likely this:


        "If leisure and security were enjoyed by all alike, the great mass of human beings who are normally stupefied by poverty would become stupefied by mindless mass entertainment and extra-large servings of fatty foods; and having done this, they would hang on tightly to the priviledged minority who ensures their continued diet of mind-numbing pop culture and Super-sized SUVs."

    • Oh, I wish all crackers were this smart!

      We prefer to be called caucasian or melanin-deficient, thank you!

  • Funny stuff in itself, but the SecurityFocus story explores the harm that could come from a trusted news site being easily hacked in these times."

    What about a "trusted" news site spewing forth crap by itself....like oh government and corporate propaganda, misinformation, and happy stuff like that? Oh wait, they're doing it in our best interests. To reassure us that everything is ok, while our civil liberties are stripped away one by one.

    Yay!
  • Finally -- the hacker equivalent of the Jedi mind trick!
  • See The 1982 Daily Kal [stanford.edu]

    (Well, it looked much better on paper.)
  • Because of this malicious act, there are probably thousands or possibly millions of people who have been duped into thinking that John Ashcroft is an intelligent person with a sense of humor. We can only be thankful that he did not attribute any profound statement to president Bush.
  • I hear he also hacked into /. and substituted the word "tumor" for "gall bladder". Yeah... *that's* what happened...
  • Duck and cover.


    I agree with the sentiment, however with the timing, I think there will be problems for you.

  • by aka-ed ( 459608 )
    Some call it "editing."

    Ot would be a good idea that all news carry this disclaimer: "For your own protection, please do not depend on a single source for news."
  • He could have changed all the links in the stories to http://www.goatse.cx !
  • by Outland Traveller ( 12138 ) on Wednesday September 19, 2001 @03:04PM (#2321917)
    Heh, the only thing unusual about this story is that a *hacker* changed the meaning of a story to suit an agenda. It's not as if the news wasn't biased already!

    One of the things that worries me greatly when I am brave enough to think about it at length, is how fantastically biased and non-independent our (USA) official news sources are. Almost every traditional media segment (TV, newspapers, radio) are as we speak undergoing a tremendous reorganization, where the vast majority of the markets are controlled by a few private companies whose major line of business isn't journalism.

    For an shock for those who haven't done it already, find an international issue and compare how it is covered in the US with how it is covered by far-foreign or minority news sources. You may find the experience similar to discovering Slashdot and Kuroshin after years of Ziff Davis, especially if you read coverage that goes on for a few pages instead of paragraphs. You might not discover the truth but you'll have much better questions.

    The bias is subtle to detect without a comparison, because the bias is often in what is *not* reported, or arguments that are *not* published. If you don't mind being being stoned by a flag-waving mob you can even try this experiment with last week's horrible tragedy.

    So, as much as I support punishing this hacker for his illegal actions, a part of me also commends him for increasing the average distrust of mainstream news.

    • find an international issue and compare how it is covered in the US with how it is covered by far-foreign or minority news sources.

      You just find a different bias. And most of the indie and foreign news media is just as bad as the "mainstream" media is about sources and seperating fact from opinion (both have a place in news, but should be attributed and classified).

      Both mainstream and "alternative" (i.e., outside of your country of origin, or low circulation) media have shining examples of good news... and 95% are crap. Just because you don't share a facination with Britney Spears and how Robert Downey Jr. is doing does not make People magazine a bad news source - they (used to, I haven't read the rag in years) attribute their sources, and seperate checked facts from rumors, just like the Wall Street Journal, the BBC, or Jello Biafra.

      --
      Evan

      • I didn't mean to imply that other news sources are not biased. Of course they are as well, however, they are often biased in a different direction, giving you a better idea of where the truth is.

        Also, I think your second paragraph misses the point I was trying to make. Modern biases are often in what is *not* reported and *not* questioned. Many mainstream news sources do a good job on the issues they choose to investigate, but people should realize that there aren't others equally or even more worthy of investigation in the same sphere that are passed over.
    • Hi!

      Yeah, but...

      Ten years ago you were considered to be unusually well-informed if you subscribed to two newspapers--even if those newspapers mostly regurgitated national content from the Associated Press wire. Nowadays it is a trivial exercise to cross-reference stories in "new media" news sites (CNet, ZDNet) with traditional American print media (N.Y. Times, Wall St. Journal, Washington Post) as well as sites from overseas.

      Lightbulb!

      Here's a thought: how about a website, like SlashDot or Kuro5hin, that provides links to a variety of different angles on a given story. Pick a story or two per day and provide links (with a modicum of commentary) to coverage from a variety of sources.

      Hmmm... A splendid idea to contemplate, and thus a good reason to procrastinate.

  • by ConsumedByTV ( 243497 ) on Wednesday September 19, 2001 @03:15PM (#2321982) Homepage
    You can learn more about some of his other hacks here: http://www.terrorists.net/ [terrorists.net]
    Hes an amazingly brilliant guy. I have spent a few 2600 meetings in SF with him. I hope that nothing comes of this type of "cracking" satire. However I would like to say that Adrian is a true hacker. One conversation with him and you will come to this understanding. True hacking can transend computers and into social aspects like Adrian has aparently done.

    Hes cute too :)
  • Using my (pre-yahoo buyout) account at Geocities, I accidently got root level access to one of their servers this past May (via ftpfs in MC, zipslack 3.9) Took them two weeks to figure out the security hole, while they watched me hit their ftp server @ ft6.geo.yahoo.com! They thanked me, but never sent the goodies my way. (ask jkb about that)

    For future use, send all Yahoo server e-mail to:
    security-core@yahoo-inc..com

  • by Fantastic Lad ( 198284 ) on Wednesday September 19, 2001 @03:40PM (#2322131)
    This is hilarious!

    The whole problem is that people DO in fact trust the web as a source of accurate news. Dumb. The web is by it's very nature unreliable. Period. Anybody who gets upset about a little news hacking is a whiner.

    It is YOUR RESPONSIBILITY to double, triple and quadruple check and cross reference any information you find on-line. That's the power of the web; for the first time in history, it is actually possible to get something approaching the whole story. But you can't be lazy. I think hackers who send chills of 'insecure feelings' down the spines of the Norms in Suburbia are doing humanity a service by repeatedly demonstrating just how unreliable the web is. By showing that you CANNOT rely on single sources of information. Such repeated hacks might even raise the awareness of people to the point where they take some personal responsibility for the information which they allow into their heads.

    But what is the response? (What will be the response?)

    An almost unified cry of "Kill the Hackers".

    Last week, 95% of the people on this very site were pissed off when Mafia Boy, (a junior highschool kid. i.e., a CHILD!), got a wrist slap rather than capital punishment.

    Shocking! -Especially since most Slashdotters fit the hacker profile to a 'T'. It is utterly dumbfounding that people were so embittered towards a 15 year old who didn't do anything more than perpetrate but a little DOD attack and make life interesting for a bunch of tech support monkeys who get paid hourly anyway.

    I was even modded down for the mere suggestion that a crime which doesn't hurt anybody, hasn't damaged or removed any property, and hasn't infringed on anybody's civil rights, should rightly be considered a mis-demeanor on the same level as graffiti or vandalism. But people want blood these days.

    All I have to say is, "Be careful what you wish for."

    -Fantastic Lad
  • Even in America, we are human, and I for one have always taken the news with a shaker of salt! (which keeps me thirsty [metaphorically] for updates and corrections) These have become a "standard" in today's media. Journalistic integrity (oxymoric in certain contexts) has given way to impetuous needs for the media equivalent of /.'s "First Post!"

    This applies to all forms of media - not just the web. I's gotten worse, IMHO, starting with Desert Storm and the O.J. trial - CNN, in its zeal to feed info in bulk form with the emphasis on expediance instead of accuracy, is a case in point. The world, not just U.S., has been "spoiled" by the byproducts of the Information Age. So has journalism.

    In fairness, I was up way too late two nights ago, and quickly submitted a report to /. regarding "Taliban Delares Holy War on U.S." that was on CNN (TV) prominently displayed. In this case I'm glad it was rejected. Fifteen minutes later, there was a rephrased "Taliban Warns of Possible Holy War" or something to that effect. MSNBC followed suit and misreported, then "lightened up". This also occurred on the respective websites.

    So, the obvious point here is that we can trust most of what we can see, hear, and (hopefully) touch. On topic, it is a concern that Yahoo's "security through obscurity" was so vulnerable. Sure wish I could read the Security Focus article - still /.'ed - but I did read a post with the text here earlier.

    I think of more concern would be the vulnerabilities of news services like AP and Reuters - the compromise of them could be a propagandist's dream come true. Hey, Wow, I just thought of something! Why don't we hack into the news "services" of our enemies? We could win the whole damn thing just by convincing the radical factions that they are already with Allah, and all is well. They can just relax and go back to making hashish, and whatever...

    There was a interesting discussion of this on NPR's [npr.org] "Talk of the Nation" program [npr.org] a while back, but I can't seem to find it.

Take an astronaut to launch.

Working...