Three Years of Hell to Become the Devil: The "Hackers" Are Back

Well, the Senate 'hacking' scandal is the story that just won't die. The Sergeant-At-Arms has been investigating for far, far longer than the whole thing is worth, but even more depressing is the fact that any reference to what was technically required for 'hacking' has now been lost.

Let's recap. Unless the investigation reveals something new that I've not seen, the 'hacking' involved searching through a shared server for folders that were unrestricted by the systems administrator. Note that at least as of 1999, securing a share drive against this kind of interference was a standard part of Senate systems administration training. I can say this with some authority because that's where I learned to administer an NT box. Unless Senate systems training has gotten worse since I was there, this drive wasn't 'secure' at all.

The Washington Post doesn't think this is a defense:

It isn't much of a defense to suggest that the material was not adequately protected on a shared network and was therefore fair game. If Democratic staffers had left their office doors unlocked, would it be open season on their file cabinets? Senate staffers appear to have done the electronic equivalent of rifling through one another's desks in a systematic and sustained effort to gather intelligence. Mr. Hatch deserves credit for insisting -- in the face of considerable party pressure -- that, even in the midst of a partisan war over judicial nominations, such behavior will not be tolerated.

Better question: if the Democrats and Republicans shared a filing cabinet to which they both had separate keys, and which had a separate unlocked 'shared' door, would the Republicans be wrong in taking copies of files placed in the unlocked 'shared' drawer? A server isn't a set of desks or rooms--if you really wanted to push the network analogy to an office space, that kind of individualized space would be each staffer's desktop machine--but a single filestore to which everyone has the access that they are specifically given by the sysadmin. Let me be absolutely explicit here: absent some kind of real hacking, no user has any access to a file which has not been affirmatively given to him by a systems administrator. The Democrat's sysadmin was, as everyone agrees, given notice of the problem, and the Dems didn't correct it.

I'll admit that ethically, this is probably sketchy, in the realm of 'ungentlemanly conduct.' But to call this hacking or theft is to put an onus on network browsers that I doubt most Democrats really want to enforce.

For example, go browse some of your favorite websites hosted by the technologically inexperienced. (This may very well include your author, who is less inexperienced than careless.) If you look closely at the code, you'll notice that images, stylesheets, and other files are often left in unprotected directories. To take just one case that I just noticed in researching this article:
http://www.threeyearsofhell.com/images/
Now, suppose I had an image in this directory labelled "MYGRADES.gif", and that this file contained the grades on my recent exams. It's reasonable to expect that I mean to keep these private. And of course, while I've given my visitors leave to visit Three Years of Hell, gentlemanly expectations would counsel that I've not given you permission to go through my collection of images. (OK, I just have in this entry, but you know what I mean.)

Now, answer honestly--how many of you without computer experience would know, prior to finding that file, that this was 'restricted'? The reason one wouldn't expect that is because, when it comes to computers, your machine (the 'client') makes a request to the server, and it's assumed that the server has been told not to give you anything you shouldn't have. If you download a file with my grades in it, is it your fault for looking in a place that I've told you exists--it's in the source code to the webpage--and I've not secured?

If I gave you links to a dozen sites with such unsecured directories, and you went there without knowing that such areas 'should have' been guarded, would you want to be liable for digital trespass? If you downloaded the files I had in there (for instance, if I had copyrighted music in that directory), would you want to be liable for illegally downloading them? What if I'd changed the filenames?

This is why securing a file-server on an otherwise open network is the responsibility of the owner. There's a big leap between taking specific steps to get around security--say, hacking the image directory if I'd put an htaccess password on it--and just poking around somewhere that I've implicitly given you access. Nonetheless, this is the precedent the Democrats are setting now.

Comments

Quoth Anthony: "... absent some kind of real hacking, no user has any access to a file which has not been affirmatively given to him by a systems administrator." Sorta kinda. Remember that by default, NT/2000 gives the Everyone group Full Control permissions to all network shares and folders (possible exception, the users home directory, which I've been noticing in XP systems is defaulting only to access by the user). If the sysadmin is a complete doofus and leaves the default permissions on the network share, whether you can call that an affirmative grant of permission depends on how Clintonesquely you want to parse "affirmatively". HOWEVER, I certainly wouldn't call it "real hacking" for a user to access a network share when the permissions haven't been reset from the default permissions, and more importantly, I've yet to see a statute which would make such access criminal. Dammit, I should have submitted my resume back when this sh*t hit the fan. Ah well, wasted opportunities.

Posted by: Len Cleavelin | February 17, 2004 2:08 PM

Len: You have to click a button to assign those, though. Sure, it's a 'default,' but the Admin still has to assign it. Simply put, it's not the user who's setting all this up. Indeed, if I've been given access, even inadvertently, I can't remove that access without Sysadmin privileges.

Posted by: A. Rickey | February 17, 2004 2:13 PM

While you may very well be absolutely correct in saying that the conduct here likely fell short of "criminal," as you note, it's certainly sketchy ethically. as far as office analogies go, try this one. a huge shared file cabinet, with combo-lock doors. all of the locks came set with a default combo (say 666), and both sides are strongly encouraged to change the combo. some time later, one side tries, for kicks, the default combo. it works. they help themselves to the contents. crime or not, it's clearly not ethical, and such conduct should be shamed, and, most likely, its perpetrators fired. your understanding of computers/servers/all-that-jazz clearly goes well beyond mine, and maybe it does legitimately change the equation. but you wrote: "If you download a file with my grades in it, is it your fault for looking in a place that I've told you exists--it's in the source code to the webpage--and I've not secured?" is it my fault my car is stolen if i haven't secured my garage door, or haven't locked its doors? I mean, sure, I'm an idiot, but the guy who drove off in it is still a car thief. clearly, of course, there are differences between these examples. like you, if the cyber-conduct in question is exactly as you describe, i'd be wary of criminalizing it. as in your example with your grades unwittingly posted (or say, McDonald's accidently posting the recipe for its secret sauce in a sub-directory), it seems absurd to think you/MickeyDs could sue people who simply downloaded that which you gave them access to. but i feel the senate situation is different. your blog or mickey d's have sites that are generally open to the public, and in mix-ups that see the private inserted into what is available to the public, criminal penalties/civil liabilities shouldn't enter the equation, at least certainly on the part of any downloader. but--and maybe my understanding of the senate is off here--i don't think the senate is the same way. do one party's staffers/Members really share _any_thing with the other's? that is, while your site/computer & MickeyD's site/computer have portions that are meant to be private and others meant to be public, aren't both the computers/info on sides in the Senate pretty much 100% private? that is, i guess it's conceivable you did want to make your grades available alongside your blogged description of law school, or mickey d's did want to announce its secret sauce alongside the nutritional content of its other food, but given the senate's presumption of secrecy, didn't the republicans have to know, with %100 total confidence, they were looking at things the democrats wanted to remain secret.yes the democrats f*cked up--but so do people who fail to lock their cars/garages/homes. anyhow, sorry this is so very rambling, largely because i haven't made up my mind. i'm leaning toward thinking this probably wasn't a crime, but i definitely feel it was a significant ethical breach, and the people who committed it should be fired (along with the idiotic dem sysadmin folks).

Posted by: Toluca Jim/Visible Hand | February 17, 2004 4:21 PM

TJ: I love your comments. Even when they're wrong, they keep me on my toes. Certainly I need to explain myself a bit better here. Remember that a server is just that: something to which you send requests, and to which the computer responds according to the policy the server owner has set. So, for instance, it's not the same as your garage example. The example would be better if your garage has a doorman, to whom you've given the command: "If anyone comes along here asking to take my car, let him." Now, maybe you assume that only friends you want to loan the car to are coming by, because you live deep in the woods. But I wander by--assume you'd not loan good ol' me your car--and for a lark ask your doorman, "Can I take the car?" He, to my surprise, says "yes, you may have it" and I wander off with it. Still ethically sketchy, but not theft as such. Similarly, some committees will probably have shared drives that aren't limited from each other. After all, if you wanted to store agendas of committee meetings, transcripts of events, etc. etc., you'd not limit those files to members of just one party. I can't say that with authority about this machine (I'm not there), but I'd be honestly surprised if there wasn't some general share drive. I'm not even sure they should be fired, TJ: there's at least some evidence put forward that they told the Dems and the sysadmin, and nothing changed. In that case, I'm happy to call it fair game.

Posted by: Anthony Rickey | February 17, 2004 4:46 PM

But in your example of my car & doorman deep in the woods, surely you must know that despite what my foolish doorman says, you're taking somebody else's property. people just don't give cars away, and this doorman is either grossly incompetent or insane. surely the proper & ethical thing would be to pass on by, and possibly alert me that my doorman is incompetent. i'd certainly not want somebody on my payroll who felt comfortable driving off with somebody's car just because a doorman let them. anyhow, at the risk of making this too tedious, here's another analogy. pretend the senate has two parking lots--1 for dems & 1 for GOP. each lot is guarded by the same company. this company understands senators are in a hurry and ID checks are cumbersome and so explains senators can flash a special hand sign and enter--say 2 thumbs up. the dems quickly change their security sign to a peace sign. one day, a dem staffer is walking by the GOP lot and, on a lark, decides to run up & flash the 2 thumps up sign. to his surprise, he's given entry! now, surely somebody who goes ahead and drives out with a car that obviously does not belong to him isn't Mr Ethical, and were he on my staff, I'd fire him. I can understand why you don't feel this is criminal, but would you really want somebody like that working for you? i mean, sure, a certain degree of opportunistic/machiavellian calculation is a great & necessary element of successful politics, but it can go too far. i'd certainly hope for better ethics & a better sense of responsibility from the folks working for some of the most powerful & influential individuals in our Republic. yes the dems were colossally stupid, yes perhaps it's unfortunate that people are fuzzing the issue and talk of how this is crime keeps popping up, but I'd really like to think my side would have notified the GOP and made sure the security flaw was rectified. and if people on my side looked, i wouldn't be happy about it and I'd feel we could and should find better people. then again, the 'gentlemanly' senate is the place where folks got caned in a century and a half back, so maybe i'm just being naive.

Posted by: Toluca Jim/Visible Hand | February 17, 2004 7:02 PM

TJ: Unless the actual situation works greatly differently from what's been explained to me, the comparison is again inapt. The guard at the gate of the parking lot is analogous to a password. But a Windows computer user on an NT network gives his password at signon. It's assumed that after you've given the password (which has been assigned not to 'Republicans' or 'Democrats' but to an individual) then you are permitted to go anywhere you can get the server to go. The moment you log in, you're in the lot already. In this case, the parking lot attendant has either set you in the wrong lot, or set up the guideropes incorrectly. If you were really looking for an analogy that fits morally, if not technically, it's this: you're a Republican staffer, and a delivery boy comes by and drops a paper on your desk. (He thinks you're the Toluca Jim who works for the Democrats, I guess.) You glance at it, and see it's the wrong document. Further, you know the delivery guy's got the wrong idea, and will keep delivering these things to you. You mention it to his boss, a member of the Democratic Party, and he says, "Oh, yeah, thanks, I'll get him to fix that." Now, from a gentlemanly point of view, are you acting improperly? Well, probably. But let's say you take a look at that document and it's got passages in it that call your friends Nazis, or want to deny your friend a position because he's got a lot of Hispanic friends. Wouldn't that assuage your guilt at being ungentlemanly a bit? If Hatch wants to fire someone for not living up to that standard, fine. However, for the partisans who (read the memos) were behaving like a rat pack of bastards to start shouting for blood about behavior that is, at best, ungentlemanly... my heart just doesn't bleed.

Posted by: Anthony Rickey | February 17, 2004 7:21 PM

Here's my best shot at a one-to-one analogy, as I believe that all of them offered so far here in these comments do not capture the essence of the security situation at hand. Imagine that you are in a locked building that requires a key (your username/pw) to enter. You are now wandering down a hallway of doors (browsing the Network Shares in "My Computer" or equivalent). Some doors (fileshares) are locked (have more restrictive than default settings) and require a key (group membership or ownership) to enter. Some doors are clearly labeled, some are not. You walk down the hall and twist the doorknob of a room labeled "Democratic blah committee notes", and find it unlocked! Oh, and did we mention that everyone in the building is invisible to each other (can't read the log files), except to God (the sysadmin who can)? So when you walk in that room and make perfect copies of what's in it, no one sees you except God, who isn't paying attention. The legitimate users of the room didn't know (or bother to if they did) to check and see if there were combinations on the locks on the doors, since all the doors you ever were suposed to go into opened automatically anyway. So there was both a failure in education of the users, and a failure of diligence in setting up the fileservers by the sysadmins, and a failure of their managers to ensure that best practices in either area were being followed.

Posted by: David Mercer | February 18, 2004 8:19 PM

Nice, but yours still contains inaccuracies: a) not only should other users be invisible, but users should not be able to see doors that are locked to them. (General setup means that if a folder is properly secured, you can't see it. b) many users won't really understand that these are 'doors' and 'rooms.' (You'd be surprised how many people I worked with who didn't understand that neither the share drive nor their 'home' directory on the server didn't exist physically in their PC.)

Posted by: A. Rickey | February 18, 2004 8:41 PM

a) Untrue, just because something is seen doesn't mean it's not properly secured. In an NT environment, there are few ways to hide the shares. You can create a hidden share and use drive mapping, and/or tell only those who need to know about it. You can use drive mapping in general and setup a Group Policy to not allow browsing the shares on the network/server. However, this last example is not a best practice. b)I'm sure the staffers who actually undertook the viewing and copying of the files in question understood quite well the ramifications of their actions. To bring up your experience with many people only serves to obfuscate the actual problems with this case. You might enjoy success as a trial attorney, attempting to misdirect the jury! This is a mess. There's enough blame to go around on the partisan sides, and also on the technical staff. Split the legal responsibility all three ways, and let's move on.

Posted by: Jonathan Link | February 19, 2004 8:09 PM

Jonathan: a) Admittedly, this is back in the 3.0 days, but you can create a network share and only allow certain groups (say, a "Republicans" and "Democrats" group, two groups that any competent sysadmin should have on a committee server) to have read access to them. A user might be able to see the folder, but he should get a security violation if he clicks on the contents. Another option is to share a folder called "Democrats", and place view restrictions on the individual folders inside it. Basically, there's a lot of ways around any of these problems, any of which can be done. b) Sorry, but it is relevant. Most of the users I administered weren't very technically savvy. And the expectation, both of users of a system and of most system administrators, is that once you're inside a system, you should only be able to see things that you're allowed to see. "Splitting the responsibility" would be both dangerous and cack-handed. Given the vast difference in power, knowledge and responsibility between a user and an admin, I don't want a precedent stating that access is something that a user should have to guess at. A user should be free to assume that anything they can see, they have access to, and the responsibility for making sure they can't should lie with the SA. Sure, they probably knew what they were doing was morally sketchy--I'm willing to go with that. But the precedent this sets is dubious in the extreme. Besides, with all due respect, if these were Democratic staffers, we'd not be having this conversation. And if Michael Moore had done the leaking instead of Robert Novak, we'd be giving him another award.

Posted by: A. Rickey | February 19, 2004 9:01 PM

Anthony: a) When you stated that users shouldn't know that doors are locked to them, I confused that with hidden shares. It's trivial to create a folder make it visible to everyone, and let only a certain group have access to said folder. Normally users can see all folders shared, unless purposefully hidden. b)It's easy to avoid a discussion by simply saying if the other side did it, this discussion wouldn't happen. It's not a legal consideration, and won't make a darn difference. Ultimately, once Republicans notified Democrats that they could access information not meant for them, it became both their responsibility to make sure that the permissions were changed. The fact that both sides didn't ensure that the server was secured properly, for whatever reason is largely irrelevant, because both sides had knowledge that something wasn't henky. I'm not concerned about establishing such a precedent, in this case, it involves knowledgeable users, and not those who access information when they are not authorized, and don't know they aren't authorized. And, just to revisit the otherside arugment, this likely wouldn't have happened if Leahy hadn't brought in an outside IT firm to install and configure the committee's servers.

Posted by: Jonathan Link | February 20, 2004 4:14 PM

Johnathan: a) There are ways of creating functionally hidden shares that aren't that difficult. The easiest and quickest, as I said, is to share a top-level folder that can be seen, and put the folders you want 'hidden' in a subset of that. There are better ways of creating hidden shares (at least in NT 3.0--I've not tried on Server 2003), but that solution works fine. b) As for 'if the shoe were on the other foot' argument, no, it's not a legal argument. I don't confine myself to merely that, though, since I don't think anyone is going to get criminal or civil penalties against them. If anything, ethics violations are most likely to be charged. However, both the Times and the Post have griped in editorials about how shameful this 'leaking' is. Neither of those are legal matters at all--they're just hypocrisy. However, Jonathan, you've caught one of my biases in this matter. When Leahy brought in outside technicians, he took a job away from someone who'd probably been trained in a similar fashion to me: by the Sergeant-At-Arm's own IT training program, which specifically addressed how to handle this. Instead, he brought in a bundle of cronies. You can see why my sympathy ain't there. ;) b)

Posted by: A. Rickey | February 20, 2004 4:43 PM

The "Hackers" Are Back

Comments

Post a comment

Giving The Devil His Due

Search

Choose Stylesheet

What I'm Reading

Shopping

Projects I've Been Involved With

Syndicated from other sites