Norm Coleman Pwned (howto)

The story of Norm Coleman's database hack (or rather, the inadvertent access) from the hacker (or rather, security consultant, whom I consider to be a hero) herself.

Wow. She's going on my blogroll. Check it out.

See comments below for commentary on the meaning of the word "hacker" and its change over time.


The key of this video is the point that Adria didn't hack anything at all. She just did something that many people do when they are just having trouble with a poorly behaved website and went from there. Calling this hacking is about two steps above calling vandalism of Wikipedia pages hacking (and I've lost track of how many times the MSM has done that). That what Adria did has been called hacking is due to 1) the general media's lack of understanding about computers, 2) the Coleman campaign's technical incompetency and 3) the Coleman campaign's desire to make itself look more like a victim.

She's foolish to put it up under her name (should have been anonymised). People have gone to jail for something as simple as guessing a password. Wanna bet his lawyers are looking at this video right now?

jay:
to the best of my knowledge, there's nothing actionable in that. She did the equivalent of using the normal postal code instead of the normal address form. There was no guessing (as in the password issues) or link manipulation (like when someone's gotten into 'secure' areas of a website by typing http://something.somewhere/secret/adminsonly.php).

Or, to put it another way:
That'd be like going to your neighbor's house to ask for some sugar, and 'invading their privacy' because they left their front door open while having sex on the couch.

Joshua, you are using the incorrect version of hacking. Hacking is simply owning the resource, knowing what you are doing, being good at it. A hacker is an expert. Being called a hacker (with the correct definition) is a compliment. My close personal friend whom I just met, Adria, is clearly a hacker.

I don't know about sex on the couch, but yes, what Adria did was totally legit. If Coleman gives her any trouble, he'll have to answer to about 200 thousand bloggers who are going to be all over him like ugly on an ape.

(Sorry apes. Just an expression.)

Folks,

I'm not a "hacker" by trade and did not use any special "hacking" tools to discover this security issue.

Wikipedia definition of a Hacker:

In common usage, a hacker is a person who breaks into computers.[1] The subculture that has evolved around hackers is often referred to as the computer underground. Proponents claim to be motivated by artistic and political ends, but are often unconcerned about the use of criminal means to achieve them.[2]

The issue at hand here is that an organization that is meant to protect people was endangering their information. I did this to raise awareness of website security issues as a worldwide problem.

Read about hundreds of security breaches at http://tinyurl.com/databreachlist

Adria Richards
Organic Technology Consultant
------------------------------------------
Visit the website http://adennetworks.com
Visit the blog: http://butyoureagirl.com

Greg, Adria is a hacker by any reasonable definition. And you are correct that one definition of hacking is very good use of resources. Thus one refers to hacking the linux kernel or a clever hack that turns a VCR into a toaster. But to the general public, hacking doesn't mean that. It means access to computers or electronics through clever, complicated, and generally nefarious means (probably with lots of big screens filled with ACCESS GRANTED in big green letters or ACCESS DENIED in big red letters and lots of cool phrases thrown in). To call what Adria did hacking is to make the general public think that a) Adria did something wrong and b) suggest that the Coleman campaign might have any valid explanation other than "we're incompetent."

Yes, in fact, as Adria has pointed out to me privately, the common usage has become such that the term Hacker probably can't be used any more as I've been using it since it first came into the technology jargon.

On one hand, as an anthropologist, I fully accept and understand when a word simply changes meaning. That is how language works. But part of me refuses to accept changing my own use of a common word as I've always used it just because everyone else has become stupid.

But the important thing at this point is that Adria Richards does not need to be labeled incorrectly. She's a hero, not a villain.

to the best of my knowledge, there's nothing actionable in that. She did the equivalent of using the normal postal code instead of the normal address form.

The problem occurred when she opened the db file. Accidentally landing on an improperly secured page is one thing. Accessing (even though it was poorly protected) private information is illegal. The fact that she admits on the video that she suspected this was database information removes any 'plausible deniability'.

I am not unsympathetic to her, indeed that's why I wish she had protected her identity.

jay, she didn't open the file. She took a screen shot of the directory with the file in it and passed the screen shot around. She's been very clear since the beginning that she didn't want anything to do with the contents of the file.

Poor miking is annoying.

By Virgil Samms (not verified) on 16 Mar 2009 #permalink

The problem occurred when she opened the db file. Accidentally landing on an improperly secured page is one thing. Accessing (even though it was poorly protected) private information is illegal. The fact that she admits on the video that she suspected this was database information removes any 'plausible deniability'.

If you find a wallet on the street, I assume you can look in it to try to figure out to whom it belongs. If she did open a DB, it could well be to confirm that it was in fact something that needs to be reported, not with malicious intent.

As I'm not American, I'm not sure how it works there, but here intent matters a great deal: Poking around in someone's wallet looking for info? Bad. Poking around in a lost wallet to find info to aid you in returning it? Fine. Morally (or is it ethically?), the question does come down to her intent, and legally in Canada one needs both the act and the intent in order to be guilty of any crime.

By Epinephrine (not verified) on 16 Mar 2009 #permalink

Jay: Why is a database something you can't look at if it is on the WWW? There is no a priori assumption that an accessible file (be it HTML, PHP, db, whatever) is private. If there were, then every time a new startup (like a blog or a company web site) was viewed before its official start date there would be a privacy invasion. And that happens all the time.

Please note the comment left above by Adria herself. It was stuck in moderation because of the links, and has been freed, but would be easily missed as it is upstream.

For the record:

Richards didn't download the database herself, but she posted a screen capture of what she'd found online after she made the discovery. An IT consultant for 10 years, she published her findings on her blog to educate others about the risks of improperly managed websites, she said.
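The exposure discussed in this thread was a web server that showed a directory listing containing a database file. As an added example, not part of the original post or any of the comments, here is a small Python check a site owner can run against a fetched page to recognize an auto-generated directory index and flag files whose extensions suggest bulk data. The sample listing, its file names and the extension list are constructed assumptions for illustration; none of it comes from the Coleman campaign's site.

```python
import re
from html.parser import HTMLParser

# Constructed sample of what an auto-generated directory index looks like.
# The file names are made up for this example.
SAMPLE_INDEX = """<html><head><title>Index of /data</title></head>
<body><h1>Index of /data</h1>
<a href="../">Parent Directory</a>
<a href="donors.db">donors.db</a>
<a href="backup-2009.sql">backup-2009.sql</a>
<a href="logo.png">logo.png</a>
<a href="style.css">style.css</a>
</body></html>"""

# Assumed list of extensions that usually mean exported or backed-up data.
SENSITIVE_EXTENSIONS = {".db", ".sql", ".mdb", ".sqlite", ".csv", ".xls", ".bak", ".zip"}


class _LinkCollector(HTMLParser):
    """Collect every href on the page; directory indexes are just lists of links."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def is_directory_listing(html):
    """Heuristic: auto-generated listings carry an 'Index of /...' title or heading."""
    return re.search(r"<(?:title|h1)>\s*Index of /", html, re.IGNORECASE) is not None


def exposed_files(html):
    """Return linked file names whose extension marks them as likely sensitive.

    Returns an empty list when the page is not a directory listing at all,
    so an ordinary HTML page with a link to 'report.csv' is not flagged.
    """
    if not is_directory_listing(html):
        return []
    collector = _LinkCollector()
    collector.feed(html)
    hits = []
    for href in collector.hrefs:
        # Strip any path and trailing slash so only the entry name is inspected.
        name = href.rstrip("/").rsplit("/", 1)[-1]
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in SENSITIVE_EXTENSIONS:
            hits.append(name)
    return hits


if __name__ == "__main__":
    print(exposed_files(SAMPLE_INDEX))
```

The check is deliberately conservative: it only reports files on pages that look like server-generated indexes, because a link to a spreadsheet on a normal page is a publishing decision, while the same file sitting in an open directory listing is usually an accident.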