Hacked Recap

from the well,-that-was-fun dept

As mentioned over the weekend, we were briefly hacked on Saturday evening. We've put in a bit of time to figure out what happened, clean up the mess and correct the problems (and harden some other defenses as well). The short story is that we left open a big hole that we shouldn't have left open. Yay. We had certainly locked down most of the obvious holes, and people try to hack us on a semi-regular basis, with little success. But, if someone's persistent enough, they'll find a way. In this case, though, we made it a hell of a lot easier than we should have. This particular hacker tried hitting a whole bunch of different routes early Saturday morning, most of which got rejected (some people noticed his attempt to do a SQL injection via the comments -- that failed). However, he went on to try SQL injections just about everywhere and eventually found one where we hadn't properly escaped things, and bam, that's all it takes. As you probably know, this site has been around since 1998, and while we've dumped/updated most of the old code, and most of the new code is properly secured, there were still a few pieces left over from the ancient code -- and that's where the big vulnerabilities were. That's not an excuse. We should have caught it earlier (in fact, we actually had been testing some code to replace some of the vulnerable pieces, but hadn't deployed it yet -- but, we now realize it wouldn't have blocked all the problems). But, it is what happened.
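An added example, not Techdirt's code, showing the shape of the hole described above: a legacy query that splices the user's value into the SQL text, beside the parameterized form that fixes it, run against a constructed in-memory SQLite table (the table, column names and sample rows are all made up here).

```python
"""Legacy string-built query vs. parameterized query, side by side.

Added example; the table, column names and rows below are constructed and
have nothing to do with the real site's schema.
"""
import sqlite3

# Constructed sample data.
ADMIN_ROWS = [
    ("mcc", "editor"),
    ("dty", "editor"),
    ("root", "owner"),
]


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO admins VALUES (?, ?)", ADMIN_ROWS)
    return conn


def lookup_role_legacy(conn: sqlite3.Connection, username: str) -> list[str]:
    """The 'ancient code' shape: the value is pasted into the SQL text.

    Any quote character in `username` changes the structure of the query,
    so correctness depends on every caller escaping perfectly, every time.
    """
    sql = "SELECT role FROM admins WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_role_safe(conn: sqlite3.Connection, username: str) -> list[str]:
    """Hardened form: the SQL text is fixed and the driver binds the value.

    Whatever `username` contains is compared literally; there is nothing
    to escape because the value never becomes part of the query text.
    """
    sql = "SELECT role FROM admins WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare(conn: sqlite3.Connection, username: str) -> dict:
    """Run both code paths on one input and report what each did."""
    try:
        legacy = lookup_role_legacy(conn, username)
    except sqlite3.Error as exc:
        # An honest apostrophe is enough to break the legacy query outright.
        legacy = f"error: {type(exc).__name__}"
    return {"legacy": legacy, "safe": lookup_role_safe(conn, username)}


if __name__ == "__main__":
    db = make_db()
    for name in ("mcc", "O'Brien", "x' OR '1'='1"):
        print(repr(name), compare(db, name))
```

The first input behaves identically on both paths; the second shows the legacy path failing on ordinary data, and the third shows it returning every row while the parameterized path returns none.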

From there, the hacker got into part of the blog admin (don't want to get into too many details of how the blog backend works, but it actually involves two separate admins -- which are separate from other stuff we do). Then, he basically had pretty good access to doing some stuff (though not everything) on the blog. He poked around a bit, deleted a bunch of comments, deleted a whole ton of old story submissions (most of which were junk anyway -- so thanks!) and then replaced a few stories on the front page with his fancy "hacked!" claims.

After that, the story is pretty straightforward. Once we realized what happened, we put the old stories back in place and made sure to quickly toss up some more secure walls to keep him out of the admin. We also shut down comments and submissions for a while, even though we were pretty damn sure the vulnerability wasn't there (it wasn't), but we wanted to make sure. Then a few of us spent some time digging around to understand just what the guy did so we could retrace his steps and make sure we killed off the basic vulnerabilities. Considering that he tried to hit us from a bunch of different angles, this took a bit longer than expected. But, once we figured out the basics, it was just a matter of tracking down the actual holes in the code. It was a little frustrating, since we really thought we'd blocked out SQL injections -- but in the end, it turns out we didn't do it absolutely everywhere. Anyway, there's a fair amount of code to go through, so we've been going over it with a fine-tooth comb, and checking it twice, then locking it down again.
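An added example, not Techdirt's code, of the retracing step described above: a scanner that reads web-server access log lines, flags requests whose decoded query strings carry SQL-injection shapes, and groups the hits by client and route. The Apache combined log format and the log lines themselves are constructed here (the post does not say which logs were reviewed), using documentation-range addresses.

```python
"""Retrace SQL-injection probes from an access log and group them by client.

Added example; SAMPLE_LOG is constructed in Apache combined format and the
addresses are documentation ranges, not anything from the real incident.
"""
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

SAMPLE_LOG = """\
203.0.113.7 - - [22/Aug/2009:03:14:01 -0700] "GET /articles/20090820/0327475945.shtml HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Aug/2009:03:14:09 -0700] "POST /comments/post.php HTTP/1.1" 403 211 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Aug/2009:03:15:22 -0700] "GET /search.php?q=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9931 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Aug/2009:03:16:05 -0700] "GET /old/story.php?id=12%20UNION%20SELECT%201%2C2%2C3-- HTTP/1.1" 500 0 "-" "Mozilla/5.0"
198.51.100.4 - - [22/Aug/2009:03:16:40 -0700] "GET /articles/20090820/0327475945.shtml HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Aug/2009:03:17:13 -0700] "GET /old/story.php?id=12%27%20AND%20%271%27%3D%271 HTTP/1.1" 200 7710 "-" "Mozilla/5.0"
"""

# Apache combined format: client, identity, user, [timestamp], "request", status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

# Each rule is applied to the URL-decoded query string.
SQLI_RULES = [
    ("tautology", re.compile(r"'\s*(or|and)\s+'?\w+'?\s*=\s*'?\w+'?", re.I)),
    ("union-select", re.compile(r"\bunion\b.{0,24}\bselect\b", re.I)),
    ("comment-terminator", re.compile(r"(--|/\*|#)\s*$")),
    ("stacked-query", re.compile(r";\s*(drop|insert|update|delete)\b", re.I)),
]


def classify(query: str) -> list[str]:
    """Return the names of the rules a query string trips, in rule order."""
    # One decoding pass; double-encoded input is a known gap of this check.
    decoded = unquote_plus(query)
    return [name for name, rx in SQLI_RULES if rx.search(decoded)]


def scan(log_text: str) -> list[dict]:
    """Parse each log line and keep the requests that trip at least one rule."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        parts = urlsplit(m["target"])
        rules = classify(parts.query)
        if rules:
            findings.append({"ip": m["ip"], "ts": m["ts"], "path": parts.path,
                             "status": int(m["status"]), "rules": rules})
    return findings


def summarize(findings: list[dict]) -> dict:
    """Per client: how many probes, which routes, and which routes answered 200."""
    out = defaultdict(lambda: {"probes": 0, "paths": set(), "succeeded": set()})
    for f in findings:
        s = out[f["ip"]]
        s["probes"] += 1
        s["paths"].add(f["path"])
        if f["status"] == 200:
            # A 200 on a probed route is where the code review should start.
            s["succeeded"].add(f["path"])
    return dict(out)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f["ts"], f["ip"], f["path"], f["status"], ",".join(f["rules"]))
    for ip, s in summarize(hits).items():
        print(ip, "probes:", s["probes"], "paths:", sorted(s["paths"]),
              "returned 200:", sorted(s["succeeded"]))
```

Request bodies are not in an access log, so a POST like the comment-form attempt only shows up by its status code; the query-string checks catch the GET-based probing.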

Finally, we've been restoring the lost comments (we're doing that right now, so they might not all be back yet), of which we believe we didn't lose any (there's a small chance that a very very small number of comments were lost). Restoring the lost submissions is a bit much at this point (as I said, most were junk anyway), so if you submitted stories late Friday or Saturday, and really think we should see them, perhaps submit them again.

On the whole, there's not that much to say, other than check your code carefully, folks. If there's a hole somewhere, eventually someone's gonna find it. Luckily, this guy didn't do much damage -- just a bit of vandalism -- and he kept a few of us from enjoying what had otherwise been quite nice weekends with our friends and families. But he got us to go over our code pretty carefully (and mentally kick ourselves a few times), and get in touch with our inner CSI detectives to track down exactly what happened.

Update: Well, that was just great. Less than half an hour after posting this, our network provider went down for nearly two hours, despite supposedly having all sorts of redundancies. It had nothing whatsoever to do with the hack, but was a bigger issue for the provider. However, it did slow down us restoring the comments, meaning that comments need to remain off for probably another few hours. This has really been a fun weekend.

Update 2: Comments are back. We did end up losing a few comments, mostly those right before the hack. Really sorry about that. If you said something really important and it's missing... say it again, please.


Reader Comments


  1.  
    Michael Ho (profile), Aug 24th, 2009 @ 9:21am

    we're back...

    Yay! we're back. Comments have returned, but it looks like we did, in fact, lose some.. sorry, everyone.

    (Thanks to mcc and dty for all the extra work on the weekend. )

     


  2.  
    mjb5406 (profile), Aug 24th, 2009 @ 9:30am

    My SQL Injection

    INSERT INTO SEND_TO_PRISON (SELECT * FROM TECHDIRT_HACKERS WHERE SUCCESS = TRUE);
    COMMIT;

    That, of course, is the Oracle SQL syntax; for SQL Server and Sybase (Transact-SQL) follow that by GO; rather than COMMIT; :-)

     


  3.  
    Anonymous Coward, Aug 24th, 2009 @ 9:32am

    Someone said

    "lol ya cuz the link was made to steal you ip adress..."

    http://www.techdirt.com/articles/20090820/0327475945.shtml


    Apparently this person went through a lot of effort to hack techdirt. Did they have access to our IP addresses? Why would they go through so much effort to try to steal people's IP addresses and hack techdirt? Just out of curiosity.

     


  4.  
    Anonymous Coward, Aug 24th, 2009 @ 9:35am

    Re:

and if he did have access to our hostmasks/IP addresses would you mind publicizing his/her hostmask/IP address? I think we should know. Or at least report him/her or something, but I do believe the people at techdirt should know who's behind this if possible. Then again, they could have been using a proxy or have done it remotely via some computer they hacked. Might not be a good idea to arbitrarily give away people's IP addresses if it's the latter. But it just seems weird that someone would go through all this trouble to hack techdirt and try to figure out our IP address.

     


  5.  
    ogormask (profile), Aug 24th, 2009 @ 9:40am

    no ethical hacking

It's strange how bad some of the hacking is getting lately. It seems like it used to be limited to a few people who were actually capable of doing anything and they for the most part seemed to have a code of ethics, you know, hack the bad guys but the good guys are part of the team. Now it seems that it's become so much easier to do and everyone wants to try to prove that they are some l337 haxors by pressing a few buttons on a script and thinking they are billy badass for a day. I also don't think that many of these guys realize how easy it is to trace them. Sure they know how ip addresses work but masking this is pretty hard. Not unless they are smart enough to login to their neighbors' wireless or some sort of thing like that. I suppose it's the age of wireless that makes this even easier to perform. Maybe I am just getting old and this is how it always was?

Anyways sorry it happened. I like this site and you guys certainly don't deserve having to deal with this type of thing. There are plenty of other sites out there that would make a pretty good target. Here is one http://www.rove.com/

    That was a joke btw.

     


  6.  
    Anonymous Coward, Aug 24th, 2009 @ 9:42am

    Re: we're back...

    So Hey,

    Did Backtype have backups like they did a few months ago? The two hack attacks seemed oddly similar...

    http://www.techdirt.com/articles/20081023/1124452627.shtml

     


  7.  
    Anonymous Coward, Aug 24th, 2009 @ 9:59am

    Apparently the person who hacked techdirt calls himself "Biohazard" ( http://digg.com/tech_news/Techdirt_Hacked_by_Biohazard_Sorry_Guys http://com.puter.tv/techdirt-hacked-by-biohazard-sorry-guys/7181/ ). Not sure if this is a threat or not.

    I'm not sure if this is the correct information but I found it on EFnet by looking up Biohazard. The person is also in an empty channel as well, a common practice for trolls and "hackers" on efnet (so the info is probably correct).

    I probably really shouldn't release all this info but here goes.

    bioboy@91.206.90.73 bioboy
    91.206.90.73

     


  8.  
    Nismoto, Aug 24th, 2009 @ 10:06am

    Re: My SQL Injection

    No, you don't need GO and COMMIT works just fine for MS SQL Server.

     


  9.  
    Anonymous Coward, Aug 24th, 2009 @ 10:45am

    Re: no ethical hacking

"I also don't think that many of these guys realize how easy it is to trace them."

    Oh, they realize how easy it is to trace them, trust me. Most of them either don't care or they would make sure you don't trace them if they didn't want to be traced. There are little real consequences for "hacking" even if they are traced.

     


  10.  
    diabolic (profile), Aug 24th, 2009 @ 10:45am

Hey TechDirt, do us commenters need to worry about our personal details like our names, email addresses and passwords? Did that stuff get compromised?

     


  11.  
    Ben Zayb, Aug 24th, 2009 @ 10:59am

    Re: no ethical hacking

    There are hackers, crackers and there are script kiddies. Then there are those who copy-paste code that they find all over the net.

     


  12.  
    Dark Helmet (profile), Aug 24th, 2009 @ 10:59am

    Re:

Perhaps more importantly, what access or attempts to access, if any, were there to financial information from the Cwf+RtB experiment?

     


  13.  
    Anonymous Coward, Aug 24th, 2009 @ 11:02am

    I just want to say that based on the headers returned by techdirect (apache 1.3.3, php 4.x, etc), every item on that list has at least some security issue that has been patched in a later version. While I don't suspect these were the routes used to get in this time, I would say that it is surprising to find a "tech" company so far out of date.

Heck, PHP 4.x has been EOL'ed.

     


  14.  
    Bobby'); Drop Table, Aug 24th, 2009 @ 11:12am

    Comments; Glad to see you caught it so quickly

     


  15.  
    Anonymous Coward, Aug 24th, 2009 @ 11:20am

    Re: Re: no ethical hacking

    Code monkeys.

     


  16.  
    Anonymous Coward, Aug 24th, 2009 @ 11:21am

    Re: Re: Re: no ethical hacking

     


  17.  
    Anonymous Coward, Aug 24th, 2009 @ 11:25am

    Re:

    Little Bobby Tables, we call him.

     


  18.  
    Ben Zayb, Aug 24th, 2009 @ 11:30am

    Re: Re: Re: no ethical hacking

    Code monkeys then. TY for the link.

     


  19.  
    Mike Masnick (profile), Aug 24th, 2009 @ 11:30am

    Re: Re: we're back...

    Did Backtype have backups like they did a few months ago? The two hack attacks seemed oddly similar...

    That wasn't a hack. That was an internal muckup. But, most of the comments have been restored, and we're looking to see if we can get the remaining ones.

     


  20.  
    Mike Masnick (profile), Aug 24th, 2009 @ 11:32am

    Re:

Hey TechDirt, do us commenters need to worry about our personal details like our names, email addresses and passwords? Did that stuff get compromised?

    While in the admin, the guy had access to the comment admin, which would show email addresses of commenters if they left them. So it's possible that some email addresses were exposed. No passwords were exposed though.

     


  21.  
    Mike Masnick (profile), Aug 24th, 2009 @ 11:34am

    Re: Re:

Perhaps more importantly, what access or attempts to access, if any, were there to financial information from the Cwf+RtB experiment?

    That's separate. He could have seen some of what's been purchased (there's a running ticker of purchases), but no financial information. All of that is way separate and protected.

     


  22.  
    Chronno S. Trigger (profile), Aug 24th, 2009 @ 12:10pm

    Re: Re: no ethical hacking

There are two forms of hackers, black hats and white hats. Black hats are the bad ones, white hats are the good ones. Both know what they are doing, usually write their own code, and usually are good enough to get out before they get noticed.

    Crackers are people who crack software. Good in their own right but usually don't go onto other people's computers.

Script Kiddies are those who copy-paste code that doesn't belong to them. They are sloppy, and usually just do it to be "l33t". The lowest level of crap on the internet.

    Comparing script kiddies to hackers is like comparing a kid who watched too much power rangers to a 4th level black belt.

    I know people from all three categories. I have the utmost respect for hackers and crackers (usually really nice people). The script kiddies are assholes on and off line.

    Granted, I may be a little out of date on my definitions. I've been online for a long, long time.

     


  23.  
    Anonymous Coward, Aug 24th, 2009 @ 12:18pm

    Re: Re:

    So my paranoia about not leaving my email address anywhere paid off. Good to know.

    Mike, can you think of a separate kind of accounts where I DO NOT have to provide my name or email? I mean, in the comments, I oftentimes express opinions that could cost me my job, and I totally don't want them to be associated with my real name absolutely ANYWHERE...

     


  24.  
    Anonymous Coward, Aug 24th, 2009 @ 12:19pm

    Re: Re: Re: no ethical hacking

    The thing is some of these trolls and such who do nothing but start trolling groups online and start hacking things are very educated people, often having high degrees in things like mathematics. Why they choose to spend their life causing vandalism and such is beyond me, they often dedicate a lot of time just to vandalize things for no reason. I don't understand the psychology of it and most people don't but it is frustrating.

     


  25.  
    Anonymous Coward, Aug 24th, 2009 @ 12:27pm

    31 "we"s and no "I"s !

     


  26.  
    Mike Masnick (profile), Aug 24th, 2009 @ 12:47pm

    Re:

    31 "we"s and no "I"s !

    Would you like the rest of the team to introduce themselves? It was "we" not "I."

    And who might you be?

     


  27.  
    diabolic (profile), Aug 24th, 2009 @ 12:52pm

    Re: Re:

    Glad I used a unique email and password at this site. For all the heckling that AC's get around here, there is apparently good reason to stay private.

     


  28.  
    Alan Gerow (profile), Aug 24th, 2009 @ 12:58pm

    Re:

    Well, the hacker prevented them from playing Wii all weekend.

     


  29.  
    mjb5406 (profile), Aug 24th, 2009 @ 1:01pm

    Re: Re: My SQL Injection

    My bad... quite honestly, I haven't used Transact-SQL for years, and in older versions you HAD to use GO... I'm an Oracle DBA at heart!

     


  30.  
    Anonymous Coward, Aug 24th, 2009 @ 1:36pm

    Re: Re: Re: no ethical hacking

    Black hats are the bad ones, white hats are the good ones.

    Well, this is not entirely accurate. Some black hats function as vulnerability bounty hunters/researchers, and some of them arguably reduce the value (and hence income opportunities) of professional criminal programmers by making exploit code public. Some white hats leverage their legitimate access to sensitive systems to do damaging things (while still doing their jobs as well, so no one notices the other stuff right away).

    A better way to think of it, rather than good/bad, might be authorized/unauthorized. If you want to get more granular, it could be authorized-malicious, authorized-benign, unauthorized-benign, unauthorized-malicious. You don't know who the bad ones are until after they've done something bad.

    These days, anyone who engages in unauthorized-benign hacking but isn't doing it for money is stupid. In this case, whoever did it was probably either hired or was looking around for something to monetize eventually (well, I suppose there are "hacktivists" now, who do it for ideological reasons, but since they aren't doing it for money they fall under stupid).

     


  31.  
    Hephaestus (profile), Aug 24th, 2009 @ 1:36pm

    Re: Re:

Why in the hell are you worried if people know who you are or your IP Address ... we are not talking national security here ... In this blog/place we talk about IP Law, its abuse, and an open internet. This sort of speech is protected in the US.... If you are Australian or British well I understand your worry....

    ... Big Ole Grin

     


  32.  
    Anonymous Coward, Aug 24th, 2009 @ 1:40pm

    Re:

    >>31 "we"s and no "I"s !

Yeah! I bet they're all named "Mike" which is why Billy Mays wanted to clean Dennis' desk last week.

    http://www.instantrimshot.com

    Hah! Don't forget to tip your waitstaff.

     


  33.  
    Anonymous Coward, Aug 24th, 2009 @ 2:08pm

    Re: Re: Re: Re: no ethical hacking

    These days, anyone who engages in unauthorized-benign hacking but isn't doing it for money is stupid.

    Uh, pretend I actually typed "unauthorized-malicious" there instead.

     


  34.  
    Anonymous Coward, Aug 24th, 2009 @ 2:32pm

    Re: Re: Re: Re: no ethical hacking

    "These days, anyone who engages in unauthorized-benign hacking but isn't doing it for money is stupid. In this case, whoever did it was probably either hired or was looking around for something to monetize eventually"

You obviously have never opped a channel on Efnet. There are people out there who don't have anything better to do than to spam channels, hack websites, etc... for whatever reason. And I mean educated people at that, with degrees in things like math. And it's not that they make money off of doing it either, they just for whatever reason enjoy doing it. They try to take over channels and just want to make the channel members' and operators' lives miserable. They start trolling groups that organize "attacks" on channels where they flood the channels with junk making the lives of operators miserable, it's such a headache to deal with. Nobody really understands their psychology or why they do what they do.

     


  35.  
    Anonymous Coward, Aug 24th, 2009 @ 2:37pm

    Re: Re: Re: Re: Re: no ethical hacking

    and one of the most infamous trollers on Efnet (and he's good at math too though I really shouldn't be feeding the trolls by mentioning him here at all because they like this kind of attention) is qpt which stands for quantum pixie troll. He's been trolling channels on efnet for many many years, he's been banned from the Efnet network (but that doesn't keep him out because he'll find proxies and other ways of getting in), he's been banned from wikipedia, and he just likes to enter channels and flood them for no reason. Any channel operator of a large enough channel pretty much knows who he is and has had to deal with him before and pretty much people on Efnet know who he is too.

     


  36.  
    Anonymous Coward, Aug 24th, 2009 @ 3:08pm

    Re: Re: Re: Re: no ethical hacking

    "The thing is some of these trolls and such who do nothing but start trolling groups online and start hacking things are very educated people, often having high degrees in things like mathematics. Why they choose to spend their life causing vandalism and such is beyond me"

    Perhaps they feel abused or underappreciated by society, and choose this dubious method to lash back, after spending years of their lives and getting in hock up to their eyeballs at college only to find themselves sitting in the unemployment line next to assorted punks, drop-outs, and bohemians?

     


  37.  
    Anonymous Coward, Aug 24th, 2009 @ 4:02pm

    Re: Re: Re: Re: Re: no ethical hacking

    That's no excuse.

     


  38.  
    Anonymous Coward, Aug 24th, 2009 @ 4:22pm

    Re: Re:

    "HTTP/1.1 200 OK
    Date: Mon, 24 Aug 2009 23:21:04 GMT
    Server: Apache/1.3.33 (Unix) PHP/4.4.8 FrontPage/5.0.2.2635 mod_ssl/2.8.22 OpenSSL/0.9.7g
    X-Powered-By: PHP/4.4.8
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/html
    "

    The "we team" might want to get to work on getting your server software out of 2004 and bringing it up to date. Plenty of holes there.

     


  39.  
    nameless, Aug 24th, 2009 @ 5:02pm

    Opensource

So, in the past you've been a proponent of voting companies making their code open source so everyone can check their code for security holes. I was just wondering if you'd be willing to do the same, considering what just happened.

     


  40.  
    diabolic (profile), Aug 24th, 2009 @ 5:28pm

    Re: Opensource

    Can you not see the difference between machines/code used to elect our public officials and the code that runs on the web site of a private company? Get a clue.

     


  41.  
    Anonymous Coward, Aug 24th, 2009 @ 5:32pm

    Re: Opensource

    This is some random website that hardly anyone knows (no offense Mike) compared to some voting company where everyone is going to know about them if they become a huge factor in our voting process. Besides, AFAIK, Mike seems to be against electronic voting systems, at least right now. But what he seems to be saying is that if we are going to use them we might as well make them open source, to which I agree.

    http://www.techdirt.com/articles/20090608/2201455173.shtml

     


  42.  
    Anonymous Coward, Aug 24th, 2009 @ 5:35pm

    Re: Re: Opensource

Though I myself am not necessarily opposed to e-voting systems, I think they can provide more transparency if implemented properly (read my posts on the above link, my nick is Bettawrekonize). I think more transparency is a necessity. However, they should certainly be implemented with a paper trail alongside them of course.

     


  43.  
    Hephaestus (profile), Aug 24th, 2009 @ 6:33pm

    Re: Re: Re:

    sounds like extortion .... hack a site and demand payment for fixing it ...


    Enter the G-Men

     


  44.  
    ..., Aug 24th, 2009 @ 6:52pm

    Re: Opensource

    Apples and Oranges

     


  45.  
    Anonymous Coward, Aug 25th, 2009 @ 2:11am

    Re:

    I seriously doubt Mike was personally hacked, unless he is some sort of cyborg from the future. Hm... that would explain some things tho.

     


  46.  
    ASH, Aug 25th, 2009 @ 2:33am

    This may sound like a strange question to raise at this time, but why exactly is this a "hack"? Why is it "vandalism"? If I'm not mistaken (and I might be), everything you post on the site is public domain, you've said so in the past. That means people are free to do with it what they will.

    Just raising the question--interested to hear the answer.

     


  47.  
    Christopher Heayn (profile), Aug 25th, 2009 @ 4:09am

    Sorry to hear that you guys got hacked and that it screwed up your weekend. Love the site and hope it doesn't happen again. Any assistance that I could add feel free to contact. Keep up the great job.

     


  48.  
    Zaphod (profile), Aug 25th, 2009 @ 5:25am

    One kind of ethical hacking...

    One kind of ethical hacking comes to mind, and that is hacking skiddies. Believe it or not, there are some devious dirty tricks one can pull, to totally reverse the tables and expose their networks.

One thing they really hate is when you study their injection attempts, and then make "booby traps" consisting of scripts that sit in the location of exploitable files you don't use, and return fake probe responses saying you are hackable. Then they try to inject their stupid script/shell that has contained therein their favorite IRC network and #channel, plus the botnet command password, and commands.

    Personally, I just upload the shells to Avira so they can make new signatures for Anti-Vir (free *nix & windows versions available).

    Now that's pwning. (/me spits the bad taste out of his mouth caused by using leetspeak)

     


  49.  
    nameless, Aug 25th, 2009 @ 5:50am

    Re: Opensource

Yes, they are different, but I was just wondering if he would apply what he says. It may not be the exact same situation, but it still has some merit.
I just love the internet, ask a serious question, get told why your question isn't valid.

     


  50.  
    Anonymous Coward, Aug 25th, 2009 @ 8:49am

    Re: Opensource

Also the problem with an e-voting system really isn't about open source or not. The problem is that the user doesn't know what software is running on the computer. How the heck do I know the open source software is running on the computer I am voting on and not some other software pretending to be the open source software? That's why the problem is an issue of public transparency and not one of open source or not. A lot of research has gone into this (maybe 20 years worth), you can read them here ( http://people.csail.mit.edu/rivest/Rivest-TheThreeBallotVotingSystem.pdf and http://www.usenix.org/events/evtwote09/tech/ ). I came up with a solution that somewhat fixes the problem but doesn't consider voter coercion because I didn't think it would be a problem when I thought of my system (I thought of the possibility of voter coercion but didn't really think it was that likely). Apparently the academic community thinks it is so, not satisfied with the academic community's solution, I came up with a better system that almost solves it completely but isn't entirely foolproof. I will mention it here shortly.

     


  51.  
    Bettawrekonize, Aug 25th, 2009 @ 9:19am

    Re: Re: Opensource

    (this idea is non patentable. Please spread it, I want everyone to know about it).

    There is a list on some website for every state of everyone who voted. Then there is another list that lists a bunch of voter numbers and the associated vote.

    When I vote I am FIRST given a voter number on a computer. It's important the voter number comes first. I type in whom I want to vote for. Now mob boss (or someone I am selling my vote to) may ask for my voter number and I can give it to them and they can go online and look up the voter number and ensure that it contains the correct vote. But, what I could do is tell the system I am being coerced. Then the system will give me a true voter number first and I will type in who I really want to vote for and it will record it (it will not print out this number on the receipt, I must memorize it). Then it will give me a false voter number and I type in who I am supposed to vote for (say mob Boss wants me to vote for George Bush but I really want to vote for Ron Paul). The computer adds the false vote to the true list along with the true vote. But then there is another list that lists all the candidates and how many false votes each candidate has (it tells nothing else). It also makes up a random number of false votes for each candidate with fictitious numbers and it adds them to the true list and adds the number of fictitious votes for each candidate that it randomly generated to the number of coerced votes for each candidate on the other list. So it might look something like this

    Number of Coerced votes for George Bush = 263

    Number of coerced votes for Ron Paul = 157


    (maybe 123 are randomly generated for George Bush by the system but no one knows that number).

    (maybe 46 are randomly generated by the system for Ron Paul and not inserted by anyone where as the rest are inserted by people who claimed they were being coerced).

    So for every false vote added to the true list for a candidate it gets subtracted because we know it should be subtracted based on the false voter list. Then we can see the result and make sure it adds up to the total number of people who voted.

Now there is the situation of, what if mob boss tells you to say your vote is coerced and he demands both numbers. Well, you can tell the system how many false votes you want to insert. What mob boss doesn't know is how many false votes you inserted. So you can tell the system you want to insert three false votes for George Bush (or any number of false votes) that show up on the true voter list (and get printed on your receipt) and get subtracted from the list as well because they get added to the number of coerced votes for George Bush as well. The true voter number won't show up on the receipt and the receipt does not distinguish between a false vote and a true vote so no one can know who you really voted for (you just have to remember your true voter number in that situation).

    The only shortcoming in this system (and it's a major concern) is that it assumes that mob boss doesn't work for the government and that the system doesn't secretly keep track of false votes and their associated true votes. Basically it assumes the system doesn't somehow secretly work for mob boss in the background. But other than that it is foolproof.

    Another shortcoming could be the idea that people might be required to take a picture of the screen showing who they really voted for with their cell phones.

    Some things could help remedy that:

    A: Perhaps trying to create monitors that blur the image on them if a picture is taken.

    B: Setting up the system so that the screen never distinguishes between a false vote and a true vote, you must distinguish based on what you type (and it tells you what to type depending on what you want to do). So the screen never actually tells you something is a true vote or not, you determine that based on what you type.

    C: Disallowing cell phones and cameras in the voting booth with the computer and searching for them before someone enters.

     

    reply to this | link to this | view in thread ]

  52.  
    Anonymous Coward, Aug 25th, 2009 @ 9:26am

    Re: Re: Re: Opensource

    A: Perhaps trying to create monitors that blur the image on them if a picture is taken (i.e. create a monitor that doesn't take good pictures; it displays images so that you can see them just fine, but on a camera they will appear blurry. There are ways this can be done, though it's not foolproof).

     

    reply to this | link to this | view in thread ]

  53.  
    Anonymous Coward, Aug 25th, 2009 @ 9:35am

    Re: Re: Re: Opensource

    Also, the person must have the option of not having a false vote printed on a receipt. So basically the person could choose to insert 3 false votes that are printed on the receipt and he could choose to insert three false votes (or whatever number) that aren't printed on the receipt.

     

    reply to this | link to this | view in thread ]

  54.  
    Anonymous Coward, Aug 25th, 2009 @ 9:40am

    Re: Re: Re: Re: Opensource

    So mob boss basically has no way of knowing how many false votes you inserted into the system or if any number you give him is a false vote or a true vote. It will show up on the true voter list but get subtracted out and mob boss has no way of telling if your vote got subtracted out or how many of the votes that were subtracted out were just randomly generated by the system.

     

    reply to this | link to this | view in thread ]

  55.  
    Anonymous Coward, Aug 25th, 2009 @ 10:35am

    Re: Re: Re: Opensource

    I just thought of a flaw in my system. Someone could take the number of coerced votes for Ron Paul, reduce it, and subsequently increase the number of coerced votes for George Bush by the same amount. The total will still add up just fine.

     

    reply to this | link to this | view in thread ]
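A toy model of the tally scheme laid out in the comments above, together with the flaw pointed out in this comment, as an added example that is not any commenter's code. The candidate names come from the thread; the function names, the decoy range and the sample ballots are constructed for the example.

```python
import random
from collections import Counter

CANDIDATES = ("George Bush", "Ron Paul")

# Constructed sample: 10 voters. The list on each ballot holds the false
# votes that voter asked the machine to record because of coercion.
SAMPLE_BALLOTS = [
    ("Ron Paul", ["George Bush"]),
    ("Ron Paul", ["George Bush", "George Bush", "George Bush"]),
    ("Ron Paul", []), ("Ron Paul", []),
    ("Ron Paul", ["George Bush"]), ("Ron Paul", []),
    ("George Bush", []), ("George Bush", []),
    ("George Bush", ["Ron Paul"]), ("George Bush", []),
]

def run_election(ballots, rng=None, max_decoys=200):
    """Build the two lists the commenter describes: the 'true list' (every
    vote, real or false, plus decoys) and the per-candidate coerced count."""
    rng = rng or random.Random()
    true_list, coerced_list = Counter(), Counter()
    for true_choice, false_votes in ballots:
        true_list[true_choice] += 1
        for cand in false_votes:
            true_list[cand] += 1
            coerced_list[cand] += 1
    # The system pads every candidate with a secret random number of decoy
    # false votes, added to BOTH lists so they cancel out in the tally.
    for cand in CANDIDATES:
        decoys = rng.randint(0, max_decoys)
        true_list[cand] += decoys
        coerced_list[cand] += decoys
    return true_list, coerced_list

def tally(true_list, coerced_list):
    """Final count: subtract the coerced (false) votes from the true list."""
    return {c: true_list[c] - coerced_list[c] for c in CANDIDATES}

def totals_consistent(result, n_voters):
    """The only integrity check the scheme offers: votes add up to voters."""
    return sum(result.values()) == n_voters

def shift_coerced(coerced_list, from_cand, to_cand, k):
    """The flaw from comment 55: move k coerced votes between candidates.
    Each candidate's result changes, but the total (and so the check) does not."""
    tampered = Counter(coerced_list)
    tampered[from_cand] -= k
    tampered[to_cand] += k
    return tampered
```

Because the decoys are added to both lists, the true tally never depends on how many the system generated; the sum check only guards the overall count, which is why moving coerced votes between candidates goes unnoticed.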

  56.  
    Mike Masnick (profile), Aug 25th, 2009 @ 4:36pm

    Re:

    This may sound like a strange question to raise at this time, but why exactly is this a "hack"? Why is it "vandalism"? If I'm not mistaken (and I might be), everything you post on the site is public domain, you've said so in the past. That means people are free to do with it what they will.

    Um. Seriously? Public domain means they're free to copy it and do whatever they want with it *elsewhere*. Not on our site.

     

    reply to this | link to this | view in thread ]

  57.  
    diabolic (profile), Aug 26th, 2009 @ 9:35am

    Re: Re: Opensource

    Holding some random blog to the same level of scrutiny as voting does not have merit. Ask a stupid question, get a stupid answer.

     

    reply to this | link to this | view in thread ]

  58.  
    nameless, Aug 26th, 2009 @ 11:49am

    Re: Re: Re: Opensource

    You're right, they don't have the same merit, but it's still a valid question. Since this blog is not nearly as important as e-voting machines are, why not just make the code for the blog open source? The same arguments that you use against making it open source can be applied to e-voting machines.

    Also, the statement "Ask a stupid question, get a stupid answer" always seemed dumb to me. I also don't see how my question was "dumb"

    I'm not trying to say this blog is as important as e-voting machines. If you got that out of what I wrote then I think there are bigger issues. All I'm saying is if making the code of e-voting machines opensource is supposed to make them more secure, why not do it to the blog?

     

    reply to this | link to this | view in thread ]

  59.  
    ASH, Aug 27th, 2009 @ 2:20am

    Re: Re:

    Why does it mean that? Your "site" isn't something that physically exists, it's just intellectual property like any other IP. You're exercising ownership interest over that IP, just as other IP owners do--and while you seem comfortable with deciding how they should be entitled to do it, you call it "vandalism" when someone does it to you.

     

    reply to this | link to this | view in thread ]

  60.  
    Zaphod (profile), Aug 27th, 2009 @ 5:04am

    @ ASH

    Technically, it does exist, as magnetic domains on an HDD in a server somewhere. These magnetic domains are controlled by the arrangement of proton spin axes, as real as any stack of bricks that make a house.

    Now he didn't make the HDD, but you didn't make the bricks (or whatever) your house is built out of either. And your house is just an arrangement of materials, dictated by intelligence. Does that make your house and possessions intellectual property? If so, can I do with them what I wish, perhaps, burn them to the ground? Hacking Mike's site is equitable to that, in several of the philosophical mannerisms you are clinging so tenaciously to.

     

    reply to this | link to this | view in thread ]

  61.  
    Blaise Alleyne (profile), Aug 27th, 2009 @ 9:34am

    Re: Re: Re:

    Your "site" isn't something that physically exists, it's just intellectual property like any other IP.


    It was the physical instance of the site that was vandalized, the Techdirt servers that were broken into, through the site and affecting the site contents stored in the database. That's not intellectual property -- it's the machine, the admin interface, the data, etc.

    I release all the code I write under a free license, but that doesn't mean anyone can use my laptop -- never mind vandalize it. I release all the songs I write under a free license, but that doesn't mean someone can use my guitar -- never mind vandalize it.

    I can only assume, for the sake of my own sanity, that this is a poor attempt at searching for hypocrisy, rather than believe that you actually don't understand the difference between copying a website and breaking into the software on the server that manages it.

     

    reply to this | link to this | view in thread ]

  62.  
    ASH, Aug 27th, 2009 @ 10:06am

    As I said before, I'm just raising the question. Because you both (and Mike as well) have it wrong--nobody broke into the server room and smashed everything inside with an axe; which is why these analogies of burning down a house or stealing your laptop go off the rails. Someone changed the IP that was stored *on* the servers, which is exactly what Mike has said repeatedly is in the public domain.

    In fact, Blaise, you even make the point yourself: you shake your finger about not knowing the difference between the "website" (which is IP) and the "software that manages it" (which, BTW, is also IP). And yet, you seem to not know the difference between a "free license"--which means you own it, but let people use it freely--and "public domain", which means nobody owns it, including you.

    Which brings us back to the original point: Mike likes the idea of deciding what happens to other people's IP; but, not so much when it happens to him.

     

    reply to this | link to this | view in thread ]

  63.  
    Blaise Alleyne (profile), Aug 27th, 2009 @ 11:49am

    Re:

    This will probably be my only other reply, because this topic is so ridiculous and I'm already guilty of feeding a troll.

    "Someone changed the IP that was stored *on* the servers, which is exactly what Mike has said repeatedly is in the public domain."

    They didn't change the "intellectual property" (copyright here), they modified the contents of Floor64's database. That doesn't change any copyright claims (the "intellectual property"), or lack thereof, on the database. It changes Floor64's actual database, specifically.

    The expression on the Techdirt blog is essentially considered to be in the public domain -- that's what would be covered by copyright. That means anyone can use, adapt, build upon or modify that expression. That doesn't mean that anyone can use or modify Floor64's database.

    I seriously hope that distinction isn't beyond your comprehension.

    "you shake your finger about not knowing the difference between the "website" (which is IP) and the "software that manages it" (which, BTW, is also IP)."

    The website isn't itself "intellectual property." It contains content that would be covered by copyright. Because anyone can do what they want with the content doesn't mean that anyone can do what they want on Floor64's server or its database.

    Is that hard to understand?

    (And the software that manages the site is covered by copyright, but Floor64's copy and running instance is a different matter, and I specifically wrote "breaking into" the software -- i.e. unauthorized access.)

    "And yet, you seem to not know the difference between a "free license"... and "public domain"."

    The distinction between public domain and freely licensed doesn't matter here since both allow the freedom to modify that you're having trouble understanding here. (Public domain content is also free content.)

    "Mike likes the idea of deciding what happens to other people's IP; but, not so much when it happens to him."

    If you have to try this hard to find some sort of hypocrisy, maybe you're searching for something that doesn't exist. I think you want to believe it exists, but you seem too smart for me to be convinced that you actually believe there's any kind of hypocrisy here.

     

    reply to this | link to this | view in thread ]

  64.  
    Blaise Alleyne (profile), Aug 27th, 2009 @ 12:03pm

    Re: Re: Re: Re: Opensource

    "I'm not trying to say this blog is as important as e-voting machines. If you got that out of what I wrote then I think there are bigger issues. All I'm saying is if making the code of e-voting machines opensource is supposed to make them more secure, why not do it to the blog?"

    I think it's a legitimate question. Thing is, it takes work to open source code. To clean up code and make it generic enough to be used elsewhere, to maintain a software project... it takes effort to release code, and it's not quite as simple as 'giving it away'.

    Also, I think it's important for web services to be free (like libre.fm or identi.ca), but the Techdirt blog isn't a web service. The code is just their publishing platform. That could be useful to others... but, with mature open source publishing/content management options like WordPress, Drupal, Joomla!, etc, there likely wouldn't be a ton of interest from developers.

    I'd say, IMHO, (1) it's not essential (like e-voting machines, or web services) and (2) the benefits of freeing up the code might not be worth the effort it would take to do so.

     

    reply to this | link to this | view in thread ]

