Norm Coleman Pwned (howto)

The story of Norm Coleman’s database hack inadvertent access from the hacker security consultant (whom I consider to be a hero) herself.

Wow. She’s going on my blogroll. Check it out.

See comments below for commentary on the meaning of the word “hacker” and its change over time.

Comments

  1. #1 Joshua Zelinsky
    March 15, 2009

    The key of this video is the point that Adria didn’t hack anything at all. She just did something that many people do when they are just having trouble with a poorly behaved website and went from there. Calling this hacking is about two steps above calling vandalism of Wikipedia pages hacking (and I’ve lost track of how many times the MSM has done that). That what Adria did has been called hacking is due to 1) the general media’s lack of understanding about computers, 2) the Coleman campaign’s technical incompetency and 3) the Coleman campaign’s desire to make itself look more like a victim.

  2. #2 jay
    March 15, 2009

    She’s foolish to put it up under her name (should have been anonymised). People have gone to jail for something as simple as guessing a password. Wanna bet his lawyers are looking at this video right now?

  3. #3 dreikin
    March 15, 2009

    jay:
    to the best of my knowledge, there’s nothing actionable in that. She did the equivalent of using the normal postal code instead of the normal address form. There was no guessing (as in the password issues) or link manipulation (like when someone’s gotten into ‘secure’ areas of a website by typing http://something.somewhere/secret/adminsonly.php).

    Or, to put it another way:
    That’d be like going to your neighbor’s house to ask for some sugar, and ‘invading their privacy’ because they left their front door open while having sex on the couch.

  4. #4 Greg Laden
    March 15, 2009

    Joshua, you are using the incorrect version of hacking. Hacking is simply owning the resource, knowing what you are doing, being good at it. A hacker is an expert. Being called a hacker (with the correct definition) is a compliment. My close personal friend whom I just met, Adria, is clearly a hacker.

    I don’t know about sex on the couch, but yes, what Adria did was totally legit. If Coleman gives her any trouble he’ll have to answer to about 200 thousand bloggers who are going to be all over him like ugly on an ape.

    (Sorry apes. Just an expression.)

  5. #5 Adria Richards
    March 15, 2009

    Folks,

    I’m not a “hacker” by trade and did not use any special “hacking” tools to discover this security issue.

    Wikipedia definition of a Hacker:

    In common usage, a hacker is a person who breaks into computers.[1] The subculture that has evolved around hackers is often referred to as the computer underground. Proponents claim to be motivated by artistic and political ends, but are often unconcerned about the use of criminal means to achieve them.[2]

    The issue at hand here is that an organization that is meant to protect people was endangering their information. I did this to raise awareness of website security issues as a worldwide problem.

    Read about hundreds of security breaches at http://tinyurl.com/databreachlist

    Adria Richards
    Organic Technology Consultant
    ——————————————
    Visit the website http://adennetworks.com
    Visit the blog: http://butyoureagirl.com

  6. #6 Joshua Zelinsky
    March 15, 2009

    Greg, Adria is a hacker by any reasonable definition. And you are correct that one definition of hacking is very good use of resources. Thus one refers to hacking the linux kernel or a clever hack that turns a VCR into a toaster. But to the general public, hacking doesn’t mean that. It means access to computers or electronics through clever, complicated, and generally nefarious means (probably with lots of big screens filled with ACCESS GRANTED in big green letters or ACCESS DENIED in big red letters and lots of cool phrases thrown in). To call what Adria did hacking is to make the general public think that a) Adria did something wrong and b) suggest that the Coleman campaign might have any valid explanation other than “we’re incompetent.”

  7. #7 Greg Laden
    March 15, 2009

    Yes, in fact, as Adria has pointed out to me privately, the common usage has become such that the term Hacker probably can’t be used any more as I’ve been using it since it first came into the technology jargon.

    On one hand, as an anthropologist, I fully accept and understand when a word simply changes meaning. That is how language works. But part of me refuses to accept changing my own use of a common word as I’ve always used it just because everyone else has become stupid.

    But the important thing at this point is that Adria Richards does not need to be labeled incorrectly. She’s a hero, not a villain.

  8. #8 jay
    March 16, 2009

    to the best of my knowledge, there’s nothing actionable in that. She did the equivalent of using the normal postal code instead of the normal address form.

    The problem occurred when she opened the db file. Accidentally landing on an improperly secured page is one thing. Accessing (even though it was poorly protected) private information is illegal. The fact that she admits on the video that she suspected this was database information removes any ‘plausible deniability’.

    I am not unsympathetic to her, indeed that’s why I wish she had protected her identity.

  9. #9 Stephanie Z
    March 16, 2009

    jay, she didn’t open the file. She took a screen shot of the directory with the file in it and passed the screen shot around. She’s been very clear since the beginning that she didn’t want anything to do with the contents of the file.

  10. #10 kelebek
    March 16, 2009

    No comment.

  11. #11 Virgil Samms
    March 16, 2009

    Poor miking is annoying.

  12. #12 Epinephrine
    March 16, 2009

    The problem occurred when she opened the db file. Accidentally landing on an improperly secured page is one thing. Accessing (even though it was poorly protected) private information is illegal. The fact that she admits on the video that she suspected this was database information removes any ‘plausible deniability’.

    If you find a wallet on the street, I assume you can look in it to try to figure out to whom it belongs. If she did open a DB, it could well be to confirm that it was in fact something that needs to be reported, not with malicious intent.

    As I’m not American, I’m not sure how it works there, but here intent matters a great deal: Poking around in someone’s wallet looking for info? Bad. Poking around in a lost wallet to find info to aid you in returning it? Fine. Morally (or is it ethically?), the question does come down to her intent, and legally in Canada one needs both the act and the intent in order to be guilty of any crime.

  13. #13 Greg Laden
    March 16, 2009

    Jay: Why is a database something you can’t look at if it is on the WWW? There is no a priori assumption that an accessible file (be it HTML, PHP, db, whatever) is private. If there was, then every time a new startup (like a blog or a company web site) became accessible before its official start date and was viewed, there would be a privacy invasion. And that happens all the time.

  14. #14 Greg Laden
    March 16, 2009

    Please note the comment left above by Adria herself. It was stuck in moderation because of the links, and has been freed, but would be easily missed as it is upstream.

  15. #15 Stephanie Z
    March 16, 2009

    For the record:

    Richards didn’t download the database herself, but she posted a screen capture of what she’d found online after she made the discovery. An IT consultant for 10 years, she published her findings on her blog to educate others about the risks of improperly managed websites, she said.