Hard News: Dirty Politics
2403 Responses
-
without knowing anything about his servers, if he was running something that when he made a blog post gave the option of making a Facebook announcement, he might have had his Facebook credentials stored on the publishing server.
Or he might have gone, I'll use this spare server space to back up my own machine as an offsite backup, what could go wrong?
-
Quite unlikely that the DDoS resulted in the email breach but DDoS as a smokescreen for data breach is increasingly common, tying up IT and site owner attention and resources and masking the intrusion within the flood of requests.
Would need further investigation into whether Whaleoil ever hosted a webmail service alongside the site to know more.
-
Many people use the same passwords everywhere. Easy to imagine that the WhaleOil blog admin account and, say, Slater’s FB account had the same password. So compromising the web server might yield the info needed to compromise things elsewhere.
-
It's charming how we're helpfully trying to work out how the information was accessed, rather than what it shows. #geeks
-
Sam P, in reply to
The MX records show that domain as having its mail handled by gmail, it shouldn't ever even pass through that server.
-
Danyl nominates the hacking of Labour's computers and abuse of SIS information as the two big takeaways so far.
-
Sofie Bribiesca, in reply to
Danyl nominates the hacking of Labour’s computers and abuse of SIS information as the two big takeaways so far.
I'd go with that. Dirty, and by track record we see deals that frankly stink and we get to pay for this shit. I really think (just an opinion of mine) that Labour can look really stupid when things like "sorry for being a man right now" goes viral because a bunch of employed shitstirrers jump in and before you know it the seed is planted. I give anything like that 24 hours to take hold. Once again job done. The smug pride that then continues in the House is childish. That's our democracy. And John Armstrong bleats on.
-
well i'll be fucked.
-
SHG, in reply to
Danyl nominates the hacking of Labour's computers and abuse of SIS information as the two big takeaways so far.
If Danyl's #1 is the Drupal clusterfuck that we all laughed at back in June 2011, I can't see - without having read anything in the book of course - how that counts as anyone hacking the site. It was wide open to the Internet and all that shit was visible to anyone who cared to look.
-
Rich of Observationz, in reply to
Pretty much.
One would start by cracking his CMS password, etc. Look for any social networking API links with tokens. If there's a webmail server running, then trap passwords on that. Some people use VPNs to access their web servers - that's a vector, especially if you can hijack DNS that way and hence grab POP/IMAP access. If he's using ssh, turn off autologin and have it ask for a password. Or try and get X forwarding to happen.
Minutes of endless fun. All hypothetical, of course.
-
The Facebook route is made more plausible by the inclusion in the book of Facebook messages from Slater.
-
SHG, in reply to
A hacked server can provide a privileged platform to attack a client machine, typically a site admin's personal computer, which in turn could spill the beans for log in credentials to other services
Yeah I thought of that, but compromising a webserver in order to copy a keylogger to a client PC when it logs in to do administration and then gain access to mail/FB is a whole other level of intrusion. Is the DDOS just a smokescreen?
-
The whole thing puts the Whaleoil attacks on Tania Billingsley in a different context, doesn't it?
-
Robyn Gallagher, in reply to
the most likely scenario is that either the DDoS attack is a read hearing
Totally off topic, but "read hearing" is the best eggcorn ever. It fills my heart with joy!
-
Jonathan King, in reply to
Jesus. Chilling.
The whole thing puts the Whaleoil attacks on Tania Billingsley in a different context, doesn’t it?
-
Balance, in reply to
Is the DDOS just a smokescreen?
From what I can understand, DDoS attacks are nearly always a pretense to a deeper, targeted breach (aside from those attacks performed purely for the giggles).
And while "key-loggers" could be "how", that, to my mind, sounds so 90's. The attack interface from a privileged position is so ridiculously large now - there's a veritable smorgasbord of options once the beach-head has been made.
-
To be honest I'm more concerned with the facilitation of OIA requests to the SIS than how the emails etc got passed to Nicky Hager.
I wonder if it'll be on sale in Hamilton tomorrow.
-
Anonymous Coward, in reply to
DDoS needs to be packaged with other, more sophisticated attacks to be anything more than a temporary disruption. DDoS is the car parked in across your driveway. While you're arguing with the driver, someone else is hauling your TV out the back door after smashing a window to gain entry.
-
Anonymous Coward, in reply to
Glad you enjoyed my... intentional... Easter egg for the grammar-conscious..
-
Gotta say though, my money would be on National Party machinations going a bit wrong. Key wants to keep an eye on the Collins faction, so he gets his mates down on Pipitea St to grab Slater's emails. Then someone gets to see them who's not in alignment with Slater at all, who gives the details to a friendly hacker, who then passes them on to Hager. Something like that.
-
izogi, in reply to
Many people use the same passwords everywhere. Easy to imagine that the WhaleOil blog admin account and, say, Slater’s FB account had the same password. So compromising the web server might yield the info needed to compromise things elsewhere.
I’m not a security expert but that was my line of thinking when I read it. It might be something impressive but could be as simple as passwords left lying around or used for multiple roles on a server that he lazily assumed was safe. The simplest explanation to me is that Cameron Slater probably isn’t too assertive with his security measures to begin with.
He has at least one GMail account, which is advertised on his site. If he hadn’t enabled 2-step authentication (which I heartily recommend enabling for any GMail account of any significance), it’s really just a matter of discovering his email password. From there, potential access to any number of other accounts, facebook included, could be as easy as invoking an email password reset.
-
Even if Ede/Slater haven't broken any laws, if the PM's misled the public about his office's actions that's a big deal.
-
So this is interesting.
In November 2009 hackers broke into the files of East Anglia's Climate Research Unit and released a deluge of emails to the public, arguing (incorrectly) that the conversations between the scientists showed duplicity over climate science.
They called it ClimateGate, even though nine separate investigations exonerated the scientists and showed the leakers had shamelessly cherry picked sentences out of the emails and twisted them. The Norfolk Constabulary never did get to the bottom of who had stolen the emails. The community I work in considered them stolen. Very much so.
Nicky is clear that there was a hack. He even says it in the Herald. I'm guessing there's going to be a police enquiry as to who "stole" these emails?
Morality question: Is there a difference? I know that I hold WhaleOil in the same regard as I do the guys who hacked/leaked the ClimateGate emails but the shoe's sorta on the other foot here. No, Nicky's not twisting the emails, I'd imagine, and has meticulously checked everything, but the way in which he appears to have received these emails and data seems remarkably similar to the ClimateGate affair.
-
Andrew Geddis, in reply to
@cindy,
In law, probably no difference at all - whosoever hacked Slater breached s. 252 of the Crimes Act, and maybe s. 249 as well. But this isn't really about whether hacking Slater was legal or not. It's about what ought to be done with the material gained from that (illegal) hack and passed on to Hager without him asking for it/knowing who had given it to him. And, as you note, "Nicky’s not twisting the emails, I’d imagine, and has meticulously checked everything", which makes the use of the material quite different from the ClimateGate example.
Point being - the ethics of how (stolen) material is used is not governed entirely by the fact that the material was stolen.
This topic is closed.