"I think the very concept of an elite commission deciding for the American people who deserves to be heard is profoundly wrong." --former Congressman Newt Gingrich on the "Commission on Presidential Debates"
Tesla Motors was recently the victim of a website defacement and a Twitter hijacking. While the details of the attack itself aren't particularly interesting (essentially promising free cars to callers), the simplicity of the methods used to gain access to the @TeslaMotors Twitter account makes for an interesting talking point.
Clichés exist for good reason, and in this case, the chain was only as strong as its weakest link. The link I'm referring to is AT&T customer support.
A lot of people around here are already familiar with the benefits of social engineering as a tool, but this story might shine a different light on it for those who don't know just how easy it can be, and just how far it can be taken with malicious intent.
You don't need a high degree of technical know-how to fraudulently impersonate authorized personnel over the phone. In many cases, you can just hang up and try again if you fail. For a large company like Tesla Motors, having a competent support network is essential; it's also an inherent security risk.
It's hard to say if there's much that can be done to mitigate the security risks while simultaneously preserving the efficacy of your support staff.
Chris Roberts is a founder and security researcher at One World Labs. While on a flight to New York, Mr. Roberts tweeted a joke about playing around with the engine-indicating and crew-alerting system on the plane, only to find the feds waiting for him on the ground in Syracuse. Another joke that provokes some interesting security-related discussion!
What makes this interesting is the response to the whole situation. Mr. Roberts was detained and questioned for hours, had his electronics seized, and only days later found himself unable to board a plane to San Francisco. The article aptly describes the response as "knee-jerk", which seems to sum up a fairly significant amount of the war on cybercrime that's so prevalent in the media these days. It would seem that this "tough" stance is deemed appropriate not only for cyber criminals, but also for legitimate security professionals who contribute significant time and resources to help make all of us more secure. A plane-hacking joke on Twitter (while on a plane) might not have been the brightest move to make, or even the funniest one, but perhaps there shouldn't be so many situations where a bad joke gets you in this much trouble.
Do you think Chris Roberts was out of line? I say let's all band together and end the war on cybercomedy.
Microsoft's Azure has been added to the list of services eligible for the Online Services Bug Bounty program, and a new bounty program for Project Spartan pays up to $15,000.
Not much to discuss here. We just like you guys and want to see you get paid.
That being said, bug bounties are a neat way to encourage a mindset that we believe should be ubiquitous by now. With effective ways to report vulnerabilities without the fear of legal ramifications, the world is a better place. Incentives for identifying these vulnerabilities (other than satisfying your raging curiosity) definitely go a long way as far as security research is concerned, and Microsoft is willing to pay a significant chunk of change for your work if you manage to responsibly report what you find.
On April 29th, a hearing was held regarding encryption technology and potential U.S. policy responses.
The current state of encryption and its criminal implications have the FBI concerned enough to express a desire for backdoors that essentially allow the "good guys" to catch murderers and rapists; of course, it would only be available to the good guys.
For topics like this, we believe ambivalence is paramount. It isn't hard to understand why the idea of "going dark" is a scary thing, especially for a law enforcement agency. Encryption is a powerful tool that stands to protect your privacy and your liberty in ways that make it very difficult to replace. Encryption is a very heavy double-edged sword, so it's only natural that people have a hard time coming up with an effective solution that keeps the liberty edge sharp while dampening the edge that serves criminal activity all the way from fraud to child porn to espionage. It's just not an easy conversation to have.
Part of what makes encryption technology so powerful is how wonderfully complex it is. Skilled mathematicians and scientists make a good living developing effective and innovative encryption techniques to protect sensitive data for all of us, whether we're one person, a corporation, or even a government organization. It's this complexity that makes it so inappropriate to give much weight to the fantastically far-fetched solution proposed by law enforcement; whether it's coming from a fear of criminals going dark, or a corrupt desire to surveil the American people, is irrelevant.
Fortunately, the hearing discussed in this article shows a promising enthusiasm for both civil liberties and handling security by opposing the backwards movement suggested by the FBI.
If somebody were to ask you what your stance is regarding the provision of an almighty skeleton key to be used only by law enforcement, you and the majority of this community might give pretty similar answers. With such a complicated issue, one that threatens both our liberty and our security if mishandled, it's difficult to boil everything down to a simple question. The passion in this community for both of these things is what makes it a great place to discuss the implications of getting down from the fence on one side or the other.
HackThisSite is the collective work of the HackThisSite staff, licensed under a CC BY-NC license.
We ask that you inform us upon sharing or distributing.