(How does a web admin get it this wrong? – promoted by DavidThi808)
UPDATED BELOW
Don’t look now, but there’s a problem with the website for Rep. Musgrave’s re-election. But no one has noticed, so I guess no one ever goes there?
I should call this diary of a madman…
Why would I go to Rep. Musgrave’s site?
http://www.musgraveforcongress…
I’ve been a proud Democrat all my life (except briefly when I was 12-13 — but that’s another story), but I had received an e-mail from her opponent, Betsy Markey (her own website is: http://www.markeyforcongress.com/ and doesn’t have any problems that I can see) — well, sorry about the parentheticals! I’ll get to the main gist:
Musgrave’s site had a security hole the size of the gap between her record and her campaign. I thought I could create an account like at Barack Obama’s site, and I did. I didn’t think I should be able to re-configure the whole site! So I did — sorta. I turned off the site, like unloading a gun that you find but you really, really wish you hadn’t found it because now you’re all responsible in case any one gets hurt and why can’t this ever happen to someone else…
Anyway.
So I wrote an e-mail to the administrator of the site. I wrote an e-mail to another account at the site. NO ONE HOME. So I took the site off-line. And I wrote another e-mail.
I wonder if anyone will notice?
UPDATE: Apparently more people read this blog than administrators of Musgrave’s campaign site read (and reply to) their e-mail!
4:15pm SITE STILL DOWN! And when I locked the door behind me, I didn’t leave a “backdoor” or keep a key. As I was trying to do the right thing — imagine if you went to a store during your lunch that you WOULD NEVER SHOP, but that somebody left the keys in the locks — or even left the ability to change the locks and make new keys! You could walk away — and from the comments below, some people might say I should have — or you could contact the store manager and lock the doors behind you.
Well, that’s what I chose to do. I tried to do the right thing, but did I? Time will tell!
You must be logged in to post a comment.
BY: notaskinnycook
IN: Monday Open Thread
BY: 2Jung2Die
IN: Monday Open Thread
BY: JohnInDenver
IN: Monday Open Thread
BY: 2Jung2Die
IN: Monday Open Thread
BY: spaceman2021
IN: Monday Open Thread
BY: spaceman2021
IN: Monday Open Thread
BY: joe_burly
IN: Monday Open Thread
BY: Duke Cox
IN: Monday Open Thread
BY: 2Jung2Die
IN: Monday Open Thread
BY: spaceman2021
IN: Monday Open Thread
Subscribe to our monthly newsletter to stay in the loop with regular updates!
LOL!
Not that that would change things, but someone is going to be very pissed and perhaps legally in the right.
Log in every day so we can look for you in Egypt or Russia if you don’t……
…taking her website offline is not OK. Just because you CAN do something doesn’t mean you SHOULD.
And posting about it is a surefire way to get yourself into trouble. Ms. Musgrave does not take kindly to this sort of thing.
No. I had a responsibility to myself and as a human being not to leave it as bad as when I found it.
It’s like a blogger’s hippocratic oath or something.
That while I agree turning it off was wrong, I am not sure I would have been able to resist temptation (like putting up a link to a gay rights group).
And how incompetent does her web staff have to be to do something this brain-dead. This isn’t forgetting something, this is adding functionality to the site.
Someone choose to add this – why?
ten, nine, eight….
TCI had the story a couple hours ago.
We’re “press!” With a code of ethics and everything. I’m a “commentator” for ’em because I’m neck-deep in Colorado politics. They won’t let me anywhere near the news side of things – not even the blog! Too bad, really, because I’d love to write a “news” story about how electronically backward the Musgrave folks are.
Fair warning, though, they don’t take kindly to computer high jinks.
they discuss the problem MIT had with hackers deliberately crashing their site. Their solution was ingenious: they added a command line: “Crash the system.”
When you clicked it out of curiosity, you crashed the system, and felt like an idiot. With even the most casual users able to crash the system, of course, the thrill was gone and the expert hackers (a term that then was an accolade) left it alone.
I think it reset automatically in ten minutes or so, and basically solved the problem. But if pols gets a subpoena for databoypols’s ID information and he ends up in jail, I’d advise him not to pick up the soap. He did commit a crime.
I was a student of yours a long– uh, some time ago!
And one thing I remember was your story of how an earthquake (yes, here in Denver; yes, it was very minor) may have been caused by pumping at significant pressure some nasty stuff from the Rocky Mountain Arsenal very deep into a fault. You mentioned that on the one hand, it was really bad. But on the other, the DoD actually helped by loosening the tectonic grip before a bad seismic event.
That was your example of spin. A tale proudly told, if I remember… 😉
All spin aside: every administration function of the site was available to me once I created an ordinary account using the built-in tools. I figure that “closing the site” using the same built-in administrative tools was indeed my responsibility upon discovering how poorly the site was setup.
Is that my example of spin?
It may come to it: a judge may judge me right or wrong in this! I hope not, but if so….
wasn’t in ethics!
My undergraduate ethics professor did his doctoral work at Georgetown where he taught ethics to a young man named… Bill Clinton. It was always worth a few laughs in class when he retold that.
at the graduate school of public affairs at UCD. One of my first students was John Stone who later became Jeffco Sheriff during Columbine and FUBARed the public relations of the Columbine massacre. I ever after explained that if John Stone’s ability in public relations reflected my ability as an instructor, it was time to find another line of work!
That in itself is an obvious track for them to follow.
If, however, the law says “malicious” in it, then they will have a hard time proving malice given what he has posted.
The DMCA is a strange document, however, I wouldn’t want to be Databoy.
By disabling the functionality of her site, the diarist has probably run afoul of serious computer law violations.
Hope you hid your tracks well, my friend, ’cause a bit of Black Hat activism could cost you a lot of cash or “time out”.
At the time, I felt I was doing the right thing as I explained in the post. Now, I think I did what I had to in self-preservation!
Imagine if someone else got in there after me and did real mischief!
I figure I won’t get a big thank you from Rep. Musgrave’s office or her campaign staff, but I actually helped them (and I think I helped myself by ‘closing the door’ when I left).
And that’s why I’m being public about this — I actually want a trail of what was done and why!
I can’t stand Musgrave but what you did here is so unethical, I’m not sure where to begin.
Get your ass off this blog and get on the phone to her campaign office and continue to play as stupid with them as you have with us here and hope she finds it within her Christian spirit not to press charges.
is that they are too busy preparing the attack ad for television blaming the vandalism on Millionare Markey. Marilyn is nothing if not a counter-puncher.
I think it’s pretty clear the guy didn’t intend to crash the site, just to make sure no one else came in after that would screw it up in an irrecoverable way.
I don’t think many juries would send this guy to prison for trying to do the right thing. It was an error on the Musgrave website, and he didn’t do anything that the website itself didn’t allow him to do. How does Musgrave’s stupidity mean he broke a law? He didn’t hack the site, he just used functionality (stupidly) built into the site by the campaign.
So chill.
Perhaps IT isn’t your day job?
Giving the diarist the benefit of the doubt, he got in legitimately – no tricks, no hidden access area.
Once there, he did something that he wasn’t supposed to do, and that no right-thinking jurist would consider to be anything less than malicious: he shut the web site down (Denial Of Service). Being granted access to a system does not automatically grant you the right to access that system to do anything it wasn’t intended that you do.
And, on his way toward crashing the site, he theoretically changed all the passwords or disabled access permanently for everyone – including the site administrator, who presumably needed the admin panel to get the system back up and running. If the jury wasn’t convinced by the first action of the malicious intent of the diarist, then this secondary act should remove all doubt.
Hacking, or more properly cracking, always involves exploiting an unintended functionality. Assuming the diarist isn’t euphemizing the initial access, the website was poorly configured, but Denial of Service is Denial of Service, no matter how it’s initiated.
The whole premise of this post is a brag about hacking Musgrave’s campaign site. Duh.
Stick to being “press.” Don’t give up your day job, genius because reading comprehension is apparently as foreign to you as good manners.
Good news, though. You’re not “kind of” a dick. You’re just a dick. Period. And I’m guessing a small one.
You should turn it back on, just as it was.
YOU are Marilyn’s web master, and this is all a scam like when Lieberman tried to blame his website crashing on his opponent.
I would not at all be surprised to find out that Marilyn’s site just crashed due to incompetence, and this is all just a cover for that.
If so, then bravo, because you really do sound like an authentic over-smart but under-wise hacker.
I’ll lay odds that it’s MM’s own campaign trying to cover up gross incompetence.
I don’t think you’ll find a friend in law enforcement, and I say this from personal experience.
No being coy: you did real mischief – you disabled the system and threw away the key. Last time I helped a client on that kind of action, the guy wound up with all kinds of Feds on his doorstep and the Nashville US Attorney running a grand jury. Last I checked he was the most contrite ex-hacker on the Intertubes.
101.1) “Authorization” means the express consent of a person which may include an employee’s job description to use said person’s computer, computer network, computer program, computer software, computer system, property, or services as those terms are defined in this section.
102.2) Any person who knowingly and without authorization uses, alters, damages, or destroys any computer, computer system, or computer network described in section 18-5.5-101 or any computer software, program, documentation, or data contained in such computer, computer system, or computer network commits computer crime.
102.3) If the loss, damage, or thing of value taken in violation of this section is less than fifty dollars, computer crime is a class 3 misdemeanor; if fifty dollars or more but less than three hundred dollars, computer crime is a class 2 misdemeanor; if three hundred dollars or more but less than ten thousand dollars, computer crime is a class 5 felony; if ten thousand dollars or more, computer crime is a class 3 felony.
…then we’re already up to Class 5 felony, or the webmaster’s seriously under-paid.
I think it’s safe to say that the diarist didn’t have express permission, nor will the site have had an explicit document granting him that permission. And without permission, he knowingly shut down the site, “damaging” it. And it’s been down for several hours, potentially damaging her fund-raising efforts (this is where it could be upgraded to Class 3 Felony status…) and costing her IT staff time.
Either that, or the poster is a complete shill and this is a stunt a la Lieberman as has been pointed out by TBTH.
I imagine the people who setup this site and login arrangement get into it the same way you did. Bad form – yes. Make it a news story and/or tell the masses about it as a matter of fact, but don’t jeopardize yourself, Markey, or progressive techies by not allowing their people to get in.
I must disagree with your actions here.
.
But from the sound of it, what he did actually prevented further damage.
Now, as a wingnut conservative, I’m more sympathetic to and rooting for Musgrave.
I should be outraged, if he did malicious damage.
But I say he did her campaign a big favor.
I am betting that Musgrave publicly thanks the guy and wins his vote.
If her webmaster ever figures out there’s a problem.
.
.
I know that there are some smart folks computerwise who post here.
Please don’t make fun of me, I’m very sensitive.
I was able to go to the site
http://musgraveforcongress.org and click through the pages.
If I put the “www” in the address, that site is down.
Are those two different sites ?
.
Pinging musgraveforcongress.org [72.19.164.67] with 32 bytes of data
Pinging http://www.musgraveforcongress.org [72.19.164.70] with 32 bytes of data
They have the 2 names pointing at 2 different IP addresses. Now both could be on the same machine but that would be a very weird configuration. At the same time, you generally point both names at the same IP address.
I wonder if the way their system goes to “updating” mode is to point at an alternate IP address and it did it only for the name he/she went in on. If so, he/she can go in on the other still.
OK, I”m not an internet genius. But in my defense, I ran a 20 seat community computer lab, I’ve done a lot of computer repair, own somewhere around 9 domain names, and am not exactly an idiot in these matters. YET…
I’ve noticed that some sites/servers require a www prefix, and with other URLs they don’t. My own primary domain is either, paulv.net or wwwl.paulv.net . Both work.
Awaiting enlightenment.
paulv.net
bigcottonwood.net
verizzo.net
thems the main ones.
Under the covers all machines are identified by an IP address like 11.22.33.44. And a given machine can have multiple IP addresses but an IP address goes to 1 machine. (Behind a firewall you can have IP addresses that are also used behind other firewalls but as they stay behind the firewall, the IP address is sill unique to a machine).
Now all a name like http://www.paulv.net or http://www.paulv.net or paul.is.a.stud.paulv.net does is get mapped to an IP address. That’s what DNS does – the name to IP mapping. Most places map both name.com and http://www.name.com to the same IP address – but you don’t have to.
All in the DNS. I was thinking along the lines of how the server is set up. A host I used once running Linux had a specific “WWW” folder besides the same info outside of it. That led me to incorrect conjecture for a number of years, apparently.
Thanks.
http://www.mydomain.com and mydomain.com are different. They could be different machines locate on different continents. But in reality the convention has been to map them both to the same web server, and for best results put a rule in your .htaccess file to rewrite the URL to one or the other. It’s a best bractice because cookies get stored under the domain. Coloradopols suffers from a bug along these lines… If you log in under coloradopols.com and then surf to a page via a link that has the www. prepended, you suddenly aren’t logged on anymore. It’s also a best practice because search engines see them as distinct web sites (as they technically could be) so your page’s significance can be divided in half.
I remember in the olden days the distinction was still real and if you forgot the www you’d get 404 errors. Made tech support for newbies fun. “Did you remember the WWW?”
Just to make it more confusing, you can point many sites at the same IP address (www.thielen.com and http://www.barbiesciencefair.info both point to my home server). And the web server can then serve up a site based on the requested url.
So it’s name -> IP -> machine -> web server -> via name -> website
… if even that.
You aren’t helping the cause.
And you have opened yourself to enormous civil and potentially criminal liability.
And hardcore Republican John Suthers will be the guy you will have to face, as the AG’s office prosecutes computer crime. If it’s prosecuted as a federal crime, which it certainly could be since you are messing with a federal candidate’s fundraising, you’re looking at a world of hurt.
Very, very bad form. And I don’t think you have a clue what you’ve just opened the door to, both for yourself legally and for Betsy Markey and the entire Democratic ticket.
I talked to a number of other IT people and we quickly came to a concensus on what we thought was right. This was with no knowledge of the law which – as posted here would change what we would probably do.
1) Contact the site and let them know.
If there is no response then…
a) If someone else getting has serious consequences, then turn it off.
b) If someone getting in is not serious, leave it alone.
And finally…
Wait 24 hours before publisizing it to give them time to correct it.
But the above discussion did not take into account the unique case of where the person who discovered it is a political opponent of the person who’s website it is. And that does change things.
I think as there were no serious consequences to leaving it alone (they could easily wipe the disk and rebuild in a couple of hours), it should not have been touched.
Especially since this person is a supporter of Betsy as this drags her into this – and that is not good.
On the flip side, it would definitely have been legit for him/her to email the press to tell them how to register and they could then see for themselves the functionality to verify it. And the press could then run with it after waiting a couple of hours for MM to get her site fixed.
And everyone in security has a different opinion of how long to wait before publisizing a security hole. And I can’t recall any case before where the one reporting wanted to “harm” the one they were reporting on – although many do take some glee in pointing out security holes in Microsoft’s products.
Anyways, I think the turning it off was dumb, but it was arguably a responsible (although maybe not legal) move.
http://www.musgraveforcongress…
still works just fine.
Now if this guy really wanted to fix the site he could have set admin access back to defaults and let the campaign know. That would be the real way of “locking the keys in the store”
This has the smell of fake all over it.
agreed that it smells fishy and fake, but when i checked at 9p it was still down.
my guess is that the number of likely voters still undecided in that race likely to hit MM’s website for any info is somewhere in the 0-5 range.
Fishy and fake is probably right, no one has a backup? Unless, I suppose, everyone is locked out.
Today has been an interesting day! And while opinions here in the comments are generally negative (Ouch! I thought that could happen– the commenters here are generations more evolved than most other places on the web), the story over at the Colorado Independent is bit on the fanciful side. “Exploits…”? Hardly!
And yes, the other sites for Musgrave’s campaign are still up. And no, I’m not about to try and create any more accounts like I did during lunchtime at http://www.musgraveforcongress.org.
Really, it’s a mundane situation, and yes I did have express permission to do what I did, as I quote an e-mail sent (automatically) by the account creation system:
I’m obviously not a lawyer, but shouldn’t a website have a “Terms of Use”? — But this site welcomed me with, well, open everything. I think that even out of the box, the default install conditions of the CMS that the site is using isn’t as insecure as what I found!
And when I clicked on the link in the e-mail that confirmed my newly created account, there was a menu at the website right under my new account name allowing me to “administer” the site. Play time was over! What I thought was a pre-release interactive feature when I signed up was turning into a horrible chasm of incompetence! I took screen shots and deleted my blog entries (I apologize to the Pols, I’ll never stray again).
Now (cue defensive mode), by the time that I had already sent two e-mails to different addresses that were listed on the site about the problems. I had no idea who received them — did I just tell the entire hemisphere about a problematic website? — I had a choice to make. As the newest expressly installed administrator of http://www.musgraveforcongress.org, I made a choice: with a simple checkbox and a click of a submit button, I could close down the site from myself and anyone else.
At that point, I turned off the lights and closed the door.
I think I would have been that kind to a democratic candidate’s website as well. And in that situation, I might have come straight here to the Pols site, too!
I don’t think registering gives you explicit permission to alter or damage the site in the way that you did.
Colorado’s computer crime law is much more explicit than most; the wording of the authorization definition is pretty specific. “Express consent” means that you must receive explicit permission from the site owner, not just to log in and access the system, but to do specific things on the system.
If the door to a house is open, do you go in and turn off the power, then change the lock and close the door “just in case”?
(PS – I’m giving you a real benefit of the doubt here when responding – personally, I think you’re a tongue-in-cheek wise-ass hacker looking to glorify his conquest.)
Sounds like “exploits” to me. In a good way.
What he describes can get him in a world of trouble – years of jail time and tens if not hundreds of thousands of dollars in criminal fines per incident. And that’s assuming he only ever violates state statutes and never traverses state lines – which, assuming he lives here in CO, he apparently did, since the server appears to reside in Kansas.
He has, even under the best interpretation, caused the Musgrave campaign hundreds of dollars in IT fees; my guess is that for 8 hours of downtime and a complete system migration (the server is now at a different IP address), the costs to the campaign were $1,000+ for third-party admin work. The costs to the ISP may be enormous. A server that’s been hacked at an admin level cannot be guaranteed safe – and depending on the paranoia level, that could include all of the other virtual servers that may have resided on the same physical system as the compromised system. Restoring confidence in a compromised system is costly and time-consuming.
As they needed to fix their system.
And you did it under the name “aRegisteredDemocrat?” Do you realize that this gives them further ammo to claim that this was an organized attack by Democratic party operatives – which it is not. Stupid, stupid, stupid.
Hopefully you will learn from your mistake. And part of me hopes you are caught so that others can learn from your mistake.
As a software developer myself, and an observer of the Internet, we know all sorts of stories of desecration of candidate Web sites.
Anyone could have posted deceptive material. A downed Web site is no big deal compared to, say, changing what the “Issues” section says an enraging otherwise-would-be-supporters.
No one will remember the few hours the site was down. But, desecration might have ended up being a long-running joke about the security of the site.
I’d a desecrated the damned thing, just as she desecrates Coloradans every day.
MARKEY ’08.
As someone who’s been a CISSP and deals with sysadmin stuff every day, once a server’s been compromised, you can’t trust anything on it.
You may think you’re saving the campaign a potential PR headache, but what you really did is to undermine their entire system integrity, at least in the eyes of an ISP security response team or other competent admin.
And as an immediate proof, according to David’s post earlier compared to a DNS lookup now, the system has been moved to a new server (different IP, now .191, including the non-www site). In all likelihood, they restored from a backup point; if DBP isn’t lucky, they preserved the old system for forensics use.
The fact that anyone could have done this means others may have already done so, but made subtle changes that no one noticed yet. If this guy did nothing other than notify them, they still should have assumed that it was compromised.
Not at least before the election.
To publicize this will make them look like incompetent idiots.
for the same reason so many system crackers are let off the hook. The negative publicity is a killer.
another dirty trick by millionaire Markey.
I’m offering 8-5 that’s exactly what they do. With enemies as dumb as Databoypols, Marily doesn’t need friends.
with this.
Though if they were notified in an innocent ‘I tried to do this and got more than I expected’ user kind of way, they would probably assume it was a short term misconfiguration and let it slide.
By actively using the administrative functions to disable access and the website itself, the assumed security risk was raised.
Rule of every job I’ve had as a sysadmin and support tech: everyone wants to assume that they’ll be okay, even after the same system gets re-hacked within 15 minutes of fixing the known security hole. Maybe people just assume it’s like a BSOD – reboot and the problem will be solved.
…I’d like to share a little story.
When my two oldest boys were about 13 and 14, they were visiting my folks in Aurora. They came home from the mall one afternoon to find the house locked and no one home.
There was an optional way in–through the back yard (safe, since the dog knew them) and in through the unlocked kitchen window. Unfortunately, a neighbor spotted them who did NOT know them as well as the dog did.
A few minutes after the boys got in, cops knocked on the door! The boys explained, but naturally the cops wanted some proof.
So Kenny led them into the den and offered to fire up my dad’s computer (an 8088 running DOS, if memory serves) and prove that he was a legal resident of the home, since he had the password for some BBSs loaded on it.
He made this offer in a room COVERED in family photographs, many of which the two boys were actually featured in.
My point is that, while there are of course techie types who are the exceptions that prove the rule, many of these folks look at problems as they relate to the actual tech part of the matter first, and the human interaction part second.
It’s my opinion that Databoypols was genuinely intending to do the right thing. After this, he has probably picked up some new ideas about what the BEST right thing to do would be if a similar situation comes up. But in any case, I think it would be nice for people to give him the benefit of the doubt.
An attack ad by the Muskox would backfire. “So, I should re-elect Marilyn Musgrave for THIS reason? Someone hacked her website?”
Puh-leeze.
and had some government contracts, my father was an alcoholic, and they hacked my website !
Boo hoo, vote for Musty.
she files a criminal complaint against Betsy, charging it was done by her campaign. The Da is , who, Buck? He plays with it for a few days while the press writes it up. You don’t need a conviction, just a few headlines and more stories on how dirty the Democrats are.
In case you haven’t realized this yet, gentlemen, Team Marilyn knows how to play hardball.
I like your tale, neonnurse, but whether or not databoypols intended to do the right thing (which is only true if vandalism has suddenly become the right thing) the point is that such stupid things bring discredit on the cam;aign you support. I forget the detail, but didn’t Karl Rove once vandalize his own candidate’s office so he could blame it on the other candidate? The tale was told in “Bush’s brain.”