Greg Laden's Blog

Norm Coleman Pwned (howto)

Category: Norm Coleman
Posted on: March 15, 2009 8:55 PM, by Greg Laden

The story of Norm Coleman's database hack (or rather, inadvertent access), from the hacker (or rather, security consultant) herself, whom I consider to be a hero.

Wow. She's going on my blogroll. Check it out.

See comments below for commentary on the meaning of the word "hacker" and its change over time.


Comments

1

The key of this video is the point that Adria didn't hack anything at all. She just did something that many people do when they are just having trouble with a poorly behaved website and went from there. Calling this hacking is about two steps above calling vandalism of Wikipedia pages hacking (and I've lost track of how many times the MSM has done that). That what Adria did has been called hacking is due to 1) the general media's lack of understanding about computers, 2) the Coleman campaign's technical incompetency and 3) the Coleman campaign's desire to make itself look more like a victim.

Posted by: Joshua Zelinsky | March 15, 2009 9:37 PM

2

She's foolish to put it up under her name (should have been anonymised). People have gone to jail for something as simple as guessing a password. Wanna bet his lawyers are looking at this video right now?

Posted by: jay | March 15, 2009 9:53 PM

3

jay:
to the best of my knowledge, there's nothing actionable in that. She did the equivalent of using the normal postal code instead of the normal address form. There was no guessing (as in the password issues) or link manipulation (like when someone's gotten into 'secure' areas of a website by typing http://something.somewhere/secret/adminsonly.php).

Or, to put it another way:
That'd be like going to your neighbor's house to ask for some sugar, and 'invading their privacy' because they left their front door open while having sex on the couch.

Posted by: dreikin | March 15, 2009 10:07 PM

4

Joshua, you are using the incorrect version of hacking. Hacking is simply owning the resource, knowing what you are doing, being good at it. A hacker is an expert. Being called a hacker (with the correct definition) is a compliment. My close personal friend whom I just met Adria is clearly a hacker.

I don't know about sex on the couch, but yes, what Adria did was totally legit if Coleman gives her any trouble he'll have to answer to about 200 thousand bloggers who are going to be all over him like ugly on an ape.

(Sorry apes. Just an expression.)

Posted by: Greg Laden | March 15, 2009 10:39 PM

5

Folks,

I'm not a "hacker" by trade and did not use any special "hacking" tools to discover this security issue.

Wikipedia definition of a Hacker:

In common usage, a hacker is a person who breaks into computers.[1] The subculture that has evolved around hackers is often referred to as the computer underground. Proponents claim to be motivated by artistic and political ends, but are often unconcerned about the use of criminal means to achieve them.[2]


The issue at hand here is that an organization that is meant to protect people was endangering their information. I did this to raise awareness of website security issues as a worldwide problem.


Read about hundreds of security breaches at http://tinyurl.com/databreachlist


Adria Richards
Organic Technology Consultant
------------------------------------------
Visit the website http://adennetworks.com
Visit the blog: http://butyoureagirl.com

Posted by: Adria Richards | March 15, 2009 10:51 PM

6

Greg, Adria is a hacker by any reasonable definition. And you are correct that one definition of hacking is very good use of resources. Thus one refers to hacking the linux kernel or a clever hack that turns a VCR into a toaster. But to the general public, hacking doesn't mean that. It means access to computers or electronics through clever, complicated, and generally nefarious means (probably with lots of big screens filled with ACCESS GRANTED in big green letters or ACCESS DENIED in big red letters and lots of cool phrases thrown in). To call what Adria did hacking is to make the general public think that a) Adria did something wrong and b) suggest that the Coleman campaign might have any valid explanation other than "we're incompetent."

Posted by: Joshua Zelinsky | March 15, 2009 11:05 PM

7

Yes, in fact, as Adria has pointed out to me privately, the common usage has become such that the term Hacker probably can't be used any more as I've been using it since it first came into the technology jargon.

On one hand, as an anthropologist, I fully accept and understand when a word simply changes meaning. That is how language works. But part of me refuses to accept changing my own use of a common word as I've always used it just because everyone else has become stupid.

But the important thing at this point is that Adria Richards does not need to be labeled incorrectly. She's a hero, not a villain.

Posted by: Greg Laden | March 15, 2009 11:28 PM

8

to the best of my knowledge, there's nothing actionable in that. She did the equivalent of using the normal postal code instead of the normal address form.

The problem occurred when she opened the db file. Accidentally landing on an improperly secured page is one thing. Accessing (even though it was poorly protected) private information is illegal. The fact that she admits on the video that she suspected this was database information removes any 'plausible deniability'.

I am not unsympathetic to her, indeed that's why I wish she had protected her identity.

Posted by: jay | March 16, 2009 8:36 AM

9

jay, she didn't open the file. She took a screen shot of the directory with the file in it and passed the screen shot around. She's been very clear since the beginning that she didn't want anything to do with the contents of the file.

Posted by: Stephanie Z | March 16, 2009 8:46 AM

10

No comment.

Posted by: kelebek | March 16, 2009 9:16 AM

11

Poor miking is annoying.

Posted by: Virgil Samms | March 16, 2009 9:18 AM

12

The problem occurred when she opened the db file. Accidentally landing on an improperly secured page is one thing. Accessing (even though it was poorly protected) private information is illegal. The fact that she admits on the video that she suspected this was database information removes any 'plausible deniability'.

If you find a wallet on the street, I assume you can look in it to try to figure out to whom it belongs. If she did open a DB, it could well be to confirm that it was in fact something that needs to be reported, not with malicious intent.

As I'm not American, I'm not sure how it works there, but here intent matters a great deal: Poking around in someone's wallet looking for info? Bad. Poking around in a lost wallet to find info to aid you in returning it? Fine. Morally (or is it ethically?), the question does come down to her intent, and legally in Canada one needs both the act and the intent in order to be guilty of any crime.

Posted by: Epinephrine | March 16, 2009 9:27 AM

13

Jay: Why is a database something you can't look at if it is on the WWW? There is no a priori assumption that an accessible file (be it HTML, PHP, db, whatever) is private. If there were, then every time a new site (like a blog or a company web site) that became accessible before its official start date was viewed, there would be a privacy invasion. And that happens all the time.

Posted by: Greg Laden | March 16, 2009 9:28 AM

14

Please note the comment left above by Adria herself. It was stuck in moderation because of the links, and has been freed, but would be easily missed as it is upstream.

Posted by: Greg Laden | March 16, 2009 9:55 AM

15

For the record:

Richards didn’t download the database herself, but she posted a screen capture of what she’d found online after she made the discovery. An IT consultant for 10 years, she published her findings on her blog to educate others about the risks of improperly managed websites, she said.

Posted by: Stephanie Z | March 16, 2009 10:47 AM
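The thread's point that the exposure was a plain directory listing with a data file sitting in it (comments 9 and 15) describes a misconfiguration a practitioner checks for mechanically rather than by stumbling on it. The script below is an added example, not code from the post or from anyone in the thread: it recognises an auto-generated index page and reports any listed files whose extension usually means a data dump or config file was left in the web root. The listing HTML, the host www.example.org and the file names are constructed for the example; the extension list and the title heuristic are assumptions, not a standard.

```python
"""Detect an exposed directory listing and flag sensitive files in it.

Added example; not code from the original post or from anyone in the thread.
The listing HTML below is constructed in the style of a typical web server
autoindex page. Host and file names are invented.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Extensions that usually mean a data dump or config left in a web root.
# Assumption for this example, not a standard list.
SENSITIVE_EXTENSIONS = {
    ".db", ".sql", ".sqlite", ".mdb", ".bak", ".csv", ".xls", ".xlsx",
    ".zip", ".tar", ".gz", ".env", ".ini", ".log",
}

# Titles used by common auto-generated index pages (Apache and nginx say
# "Index of", IIS says "Directory Listing"). Heuristic, not exhaustive.
INDEX_TITLE_RE = re.compile(r"<title>\s*(Index of|Directory Listing)", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collects href targets from <a> tags in the page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "a":
            return
        for name, value in attrs:
            if name.lower() == "href" and value:
                self.hrefs.append(value)


def is_directory_listing(html):
    """True if the page looks like a server-generated index page."""
    return bool(INDEX_TITLE_RE.search(html))


def listed_files(html, base_url):
    """Absolute URLs of the files (not subdirectories) shown in a listing."""
    parser = _LinkCollector()
    parser.feed(html)
    files = []
    for href in parser.hrefs:
        # Skip column-sort links ("?C=N;O=D"), the parent-directory link and
        # subdirectories (both end in "/"), and absolute off-site links.
        if href.startswith("?") or href.endswith("/") or "://" in href:
            continue
        files.append(urljoin(base_url, href))
    return files


def sensitive_files(html, base_url):
    """Listed files whose extension is in SENSITIVE_EXTENSIONS."""
    hits = []
    for url in listed_files(html, base_url):
        name = url.rsplit("/", 1)[-1].lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in SENSITIVE_EXTENSIONS:
            hits.append(url)
    return hits


def assess(html, base_url):
    """One-call summary: (is_listing, sensitive_urls)."""
    if not is_directory_listing(html):
        return False, []
    return True, sensitive_files(html, base_url)


# Constructed sample: an Apache-style autoindex page with invented names.
SAMPLE_LISTING = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /data</title></head>
<body><h1>Index of /data</h1>
<pre><a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a> <a href="?C=S;O=A">Size</a>
<hr><a href="/">Parent Directory</a>
<a href="images/">images/</a>
<a href="readme.txt">readme.txt</a>
<a href="donors.db">donors.db</a>
<a href="export_2009.csv">export_2009.csv</a>
<hr></pre></body></html>
"""

# Constructed sample of an ordinary page, for contrast: same link, no listing.
SAMPLE_PAGE = '<html><head><title>Welcome</title></head><body><a href="donors.db">x</a></body></html>'

if __name__ == "__main__":
    listing, hits = assess(SAMPLE_LISTING, "http://www.example.org/data/")
    print("directory listing:", listing)
    for url in hits:
        print("exposed:", url)
```

Run against a fetched page body instead of the constructed sample to use it for real. On the server side the fix is to switch automatic indexes off (Apache: `Options -Indexes`; nginx: `autoindex off;`) and, more importantly, to keep data files out of any directory the web server serves at all, since a file that is merely unlisted is still one guessed URL away.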
