Another Band Tries Pay What You Want Concerts

Hacked Recap

from the well,-that-was-fun dept

Mon, Aug 24th 2009 2:29am — Mike Masnick

As mentioned over the weekend, we were briefly hacked on Saturday evening. We've put in a bit of time to figure out what happened, clean up the mess and correct the problems (and harden some other defenses as well). The short story is that we left open a big hole that we shouldn't have left open. Yay. We had certainly locked down most of the obvious holes, and people try to hack us on a semi-regular basis, with little success. But, if someone's persistent enough, they'll find a way. In this case, though, we made it a hell of a lot easier than we should have. This particular hacker tried hitting a whole bunch of different routes early Saturday morning, most of which got rejected (some people noticed his attempt to do a SQL injection via the comments -- that failed). However, he went on to try SQL injections just about everywhere and eventually found one where we hadn't properly escaped things, and bam, that's all it takes. As you probably know, this site has been around since 1998, and while we've dumped/updated most of the old code, and most of the new code is properly secured, there were still a little pieces left over from the ancient code -- and that's where the big vulnerabilities were. That's not an excuse. We should have caught it earlier (in fact, we actually had been testing some code to replace some of the vulnerabilities, but hadn't deployed it yet -- but, we now realize it wouldn't have blocked all the problems). But, it is what happened.

From there, the hacker got into part of the blog admin (don't want to get into too many details of how the blog backend works, but it actually involves two separate admins -- which are separate from other stuff we do). Then, he basically had pretty good access to doing some stuff (though not everything) on the blog. He poked around a bit, deleted a bunch of comments, deleted a whole ton of old story submissions (most of which were junk anyway -- so thanks!) and then replaced a few stories on the front page with his fancy "hacked!" claims.

After that, the story is pretty straightforward. Once we realized what happened, we put the old stories back in place and made sure to quickly toss up some more secure walls to keep him out of the admin. We also shut down comments and submissions for a while, even though we were pretty damn sure the vulnerability wasn't there (it wasn't), but we wanted to make sure. Then a few of us spent some time digging around to understand just what the guy did so we could retrace his steps and make sure we killed off the basic vulnerabilities. Considering that he tried to hit us from a bunch of different angles, this took a bit longer than expected. But, once we figured out the basics, it was just a matter of tracking down the actual holes in the code. It was a little frustrating, since we really thought we'd blocked out SQL injections -- but in the end, it turns out we didn't do it absolutely everywhere. Anyway, there's a fair amount of code to go through, so we've been going over it with a fine-tooth comb, and checking it twice, then locking it down again.

Finally, we've been restoring the lost comments (we're doing that right now, so they might not all be back yet), of which we believe we didn't lose any (there's a small chance that a very very small number of comments were lost). Restoring the lost submissions is a bit much at this point (as I said, most were junk anyway), so if you submitted stories late Friday or Saturday, and really think we should see them, perhaps submit them again.

On the whole, there's not that much to say, other than check your code carefully, folks. If there's a hole somewhere, eventually someone's gonna find it. Luckily, this guy didn't do much damage -- just a bit of vandalism -- and he kept a few of us from enjoying what had otherwise been quite nice weekends with our friends and families. But he got us to go over our code pretty carefully (and mentally kick ourselves a few times), and get in touch with our inner CSI detectives to track down exactly what happened.

Update: Well, that was just great. Less than half an hour after posting this, our network provider went down for nearly two hours, despite supposedly having all sorts of redundancies. It had nothing whatsoever to do with the hack, but was a bigger issue for the provider. However, it did slow down us restoring the comments, meaning that comments need to remain off for probably another few hours. This has really been a fun weekend.

Update 2: Comments are back. We did end up losing a few comments, mostly those right before the hack. Really sorry about that. If you said something really important and it's missing... say it again, please.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: hacked, sql injection
Companies: floor64, techdirt

64 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Michael Ho (profile), 24 Aug 2009 @ 9:21am

we're back...
Yay! we're back. Comments have returned, but it looks like we did, in fact, lose some.. sorry, everyone.

(Thanks to mcc and dty for all the extra work on the weekend. )
[ link to this | view in chronology ]
- Anonymous Coward, 24 Aug 2009 @ 9:42am
  
  Re: we're back...
  So Hey,
  
  Did Backtype have backups like they did a few months ago? The two hack attacks seemed oddly similar...
  
  http://www.techdirt.com/articles/20081023/1124452627.shtml
  [ link to this | view in chronology ]
  - Mike Masnick (profile), 24 Aug 2009 @ 11:30am
    
    Re: Re: we're back...
    Did Backtype have backups like they did a few months ago? The two hack attacks seemed oddly similar...
    
    That wasn't a hack. That was an internal muckup. But, most of the comments have been restored, and we're looking to see if we can get the remaining ones.
    [ link to this | view in chronology ]
mjb5406 (profile), 24 Aug 2009 @ 9:30am

My SQL Injection
INSERT INTO SEND_TO_PRISON (SELECT * FROM TECHDIRT_HACKERS WHERE SUCCESS = TRUE);
COMMIT;

That, of course, is the Oracle SQL syntax; for SQL Server and Sybase (Transact-SQL) follow that by GO; rather than COMMIT; :-)
[ link to this | view in chronology ]
- Nismoto, 24 Aug 2009 @ 10:06am
  
  Re: My SQL Injection
  No, you don't need GO and COMMIT works just fine for MS SQL Server.
  [ link to this | view in chronology ]
  - mjb5406 (profile), 24 Aug 2009 @ 1:01pm
    
    Re: Re: My SQL Injection
    My bad... quite honestly, I haven't used Transact-SQL for years, and in older versions you HAD to use GO... I'm an Oracle DBA at heart!
    [ link to this | view in chronology ]
Anonymous Coward, 24 Aug 2009 @ 9:32am

Someone said

"lol ya cuz the link was made to steal you ip adress..."

http://www.techdirt.com/articles/20090820/0327475945.shtml

Apparently this person went through a lot of effort to hack techdirt. Did they have access to our IP addresses? Why would they go through so much effort to try to steal people's IP addresses and hack techdirt? Just out of curiosity.
[ link to this | view in chronology ]
- Anonymous Coward, 24 Aug 2009 @ 9:35am
  
  Re:
  and if he did have access to our hostmasks/IP addresses would you mind publicizing his/her hostmask/IP address? I think we should know. Or at least report him/her or something, but I do believe the people at techdirt should know who's behind this if possible. Then again, they could have been using a proxy or have done it remotely via some computer they hacked. Might not be a good idea to arbitrarily give away peoples IP addresses if it's the later. But it just seems weird that someone would go through all this trouble to hack techdirt and try to figure out our IP address.
  [ link to this | view in chronology ]
  - Hephaestus (profile), 24 Aug 2009 @ 1:36pm
    
    Re: Re:
    Why in the hell are you worried if people know who you are or your IP Address ... we are not talking national security here ... In this blog/place we talk about about IP Law, its abuse, and an open internet. This sort of speach is protected in the US.... If you are australian or british well I understand your worry....
    
    ... Big Ole Grin
    [ link to this | view in chronology ]
ogormask (profile), 24 Aug 2009 @ 9:40am

no ethical hacking
Its strange how bad some of the hacking is getting lately. It seems like it used to be limited to a few people who were actually capable of doing anything and they for the most part seemed to have a code of ethics, you know, hack the bad guys but the good guys are part of the team. Now it seems that its become so much easier to do and everyone wants to try to prove that they are some l337 haxors by pressing a few buttons on a script and thinking they are billy badass for a day. I also dont think that many of these guys realize how easy it is to trace them. Sure they know how ip addresses work but masking this is pretty hard. Not unless they are smart enough to login to their neighbors wireless or some sort of thing like that. I suppose its the age of wireless that makes this even easier to perform. Maybe I am just getting old and this is how it always was?

Anyways sorry it happened. I like this site and you guys certainly dont deserve having to deal with this type of thing. There are plenty of other sites out there that would make a pretty good target. Here is one http://www.rove.com/

That was a joke btw.
[ link to this | view in chronology ]
- Anonymous Coward, 24 Aug 2009 @ 10:45am
  
  Re: no ethical hacking
  "I also dont think that many of these guys realize how easy it is to trace them."
  
  Oh, they realize how easy it is to trace them, trust me. Most of them either don't care or they would make sure you don't trace them if they didn't want to be traced. There are little real consequences for "hacking" even if they are traced.
  [ link to this | view in chronology ]
- Ben Zayb, 24 Aug 2009 @ 10:59am
  
  Re: no ethical hacking
  There are hackers, crackers and there are script kiddies. Then there are those who copy-paste code that they find all over the net.
  [ link to this | view in chronology ]
  - Anonymous Coward, 24 Aug 2009 @ 11:20am
    
    Re: Re: no ethical hacking
    Code monkeys.
    [ link to this | view in chronology ]
    - Anonymous Coward, 24 Aug 2009 @ 11:21am
      
      Re: Re: Re: no ethical hacking
      http://en.wikipedia.org/wiki/Code_monkey
      [ link to this | view in chronology ]
    - Ben Zayb, 24 Aug 2009 @ 11:30am
      
      Re: Re: Re: no ethical hacking
      Code monkeys then. TY for the link.
      [ link to this | view in chronology ]
  - Chronno S. Trigger (profile), 24 Aug 2009 @ 12:10pm
    
    Re: Re: no ethical hacking
    There are two forms of hackers, black hats and white hats. Black hats are the bad ones, white hats are the good ones. Both know what they are doing, usually wright their own coding, and usually are good enough to get out before they get noticed.
    
    Crackers are people who crack software. Good in their own right but usually don't go onto other people's computers.
    
    Script Kiddies are those who copy-past code that doesn't belong to them. They are sloppy, and usually just do it to be "l33t". The lowest level of crap on the internet.
    
    Comparing script kiddies to hackers is like comparing a kid who watched too much power rangers to a 4th level black belt.
    
    I know people from all three categories. I have the utmost respect for hackers and crackers (usually really nice people). The script kiddies are assholes on and off line.
    
    Granted, I may be a little out of date on my definitions. I've been online for a long, long time.
    [ link to this | view in chronology ]
    - Anonymous Coward, 24 Aug 2009 @ 12:19pm
      
      Re: Re: Re: no ethical hacking
      The thing is some of these trolls and such who do nothing but start trolling groups online and start hacking things are very educated people, often having high degrees in things like mathematics. Why they choose to spend their life causing vandalism and such is beyond me, they often dedicate a lot of time just to vandalize things for no reason. I don't understand the psychology of it and most people don't but it is frustrating.
      [ link to this | view in chronology ]
      - Anonymous Coward, 24 Aug 2009 @ 3:08pm
        
        Re: Re: Re: Re: no ethical hacking
        "The thing is some of these trolls and such who do nothing but start trolling groups online and start hacking things are very educated people, often having high degrees in things like mathematics. Why they choose to spend their life causing vandalism and such is beyond me"
        
        Perhaps they feel abused or underappreciated by society, and choose this dubious method to lash back, after spending years of their lives and getting in hock up to their eyeballs at college only to find themselves sitting in the unemployment line next to assorted punks, drop-outs, and bohemians?
        [ link to this | view in chronology ]
        
        Anonymous Coward, 24 Aug 2009 @ 4:02pm
        
        Re: Re: Re: Re: Re: no ethical hacking
        That's no excuse.
        [ link to this | view in chronology ]
    - Anonymous Coward, 24 Aug 2009 @ 1:36pm
      
      Re: Re: Re: no ethical hacking
      Black hats are the bad ones, white hats are the good ones.
      
      Well, this is not entirely accurate. Some black hats function as vulnerability bounty hunters/researchers, and some of them arguably reduce the value (and hence income opportunities) of professional criminal programmers by making exploit code public. Some white hats leverage their legitimate access to sensitive systems to do damaging things (while still doing their jobs as well, so no one notices the other stuff right away).
      
      A better way to think of it, rather than good/bad, might be authorized/unauthorized. If you want to get more granular, it could be authorized-malicious, authorized-benign, unauthorized-benign, unauthorized-malicious. You don't know who the bad ones are until after they've done something bad.
      
      These days, anyone who engages in unauthorized-benign hacking but isn't doing it for money is stupid. In this case, whoever did it was probably either hired or was looking around for something to monetize eventually (well, I suppose there are "hacktivists" now, who do it for ideological reasons, but since they aren't doing it for money they fall under stupid).
      [ link to this | view in chronology ]
      - Anonymous Coward, 24 Aug 2009 @ 2:08pm
        
        Re: Re: Re: Re: no ethical hacking
        These days, anyone who engages in unauthorized-benign hacking but isn't doing it for money is stupid.
        
        Uh, pretend I actually typed "unauthorized-malicious" there instead.
        [ link to this | view in chronology ]
      - Anonymous Coward, 24 Aug 2009 @ 2:32pm
        
        Re: Re: Re: Re: no ethical hacking
        "These days, anyone who engages in unauthorized-benign hacking but isn't doing it for money is stupid. In this case, whoever did it was probably either hired or was looking around for something to monetize eventually"
        
        You obviously have never opped a channel on Efnet. There are people out there who don't have anything better to do than to spam channels, hack websites, etc... for whatever reason. and I mean educated people at that, with degrees in things like math. and it's not that they make money off of doing it either, they just for whatever reason enjoy doing it. They try to take over channels and just want to make the channel members and operators lives miserable. They start trolling groups that organize "attacks" on channels where they flood the channels with junk making the lives of operators miserable, it's such a headache to deal with. Nobody really understands their psychology or why they do what they do.
        [ link to this | view in chronology ]
        
        Anonymous Coward, 24 Aug 2009 @ 2:37pm
        
        Re: Re: Re: Re: Re: no ethical hacking
        and one of the most infamous trollers on Efnet (and he's good at math too though I really shouldn't be feeding the trolls by mentioning him here at all because they like this kind of attention) is qpt which stands for quantum pixie troll. He's been trolling channels on efnet for many many years, he's been banned from the Efnet network (but that doesn't keep him out because he'll find proxies and other ways of getting in), he's been banned from wikipedia, and he just likes to enter channels and flood them for no reason. Any channel operator of a large enough channel pretty much knows who he is and has had to deal with him before and pretty much people on Efnet know who he is too.
        [ link to this | view in chronology ]
Anonymous Coward, 24 Aug 2009 @ 9:59am

Apparently the person who hacked techdirt calls himself "Biohazard" ( http://digg.com/tech_news/Techdirt_Hacked_by_Biohazard_Sorry_Guys http://com.puter.tv/techdirt-hacked-by-biohazard-sorry-guys/7181/ ). Not sure if this is a threat or not.

I'm not sure if this is the correct information but I found it on EFnet by looking up Biohazard. The person is also in an empty channel as well, a common practice for trolls and "hackers" on efnet (so the info is probably correct).

I probably really shouldn't release all this info but here goes.

bioboy@91.206.90.73 bioboy
91.206.90.73
[ link to this | view in chronology ]
diabolic (profile), 24 Aug 2009 @ 10:45am

Hey TechDirt, do us commentors need to wory about our personal details like our names, email addresses and passwords? Did that stuff get compromised?
[ link to this | view in chronology ]
- Dark Helmet (profile), 24 Aug 2009 @ 10:59am
  
  Re:
  Perhaps more importantly, what if any access or attempts to access was there to financial information from the Cwf+RtB experiment?
  [ link to this | view in chronology ]
  - Mike Masnick (profile), 24 Aug 2009 @ 11:34am
    
    Re: Re:
    Perhaps more importantly, what if any access or attempts to access was there to financial information from the Cwf+RtB experiment?
    
    That's separate. He could have seen some of what's been purchased (there's a running ticker of purchases), but no financial information. All of that is way separate and protected.
    [ link to this | view in chronology ]
- Mike Masnick (profile), 24 Aug 2009 @ 11:32am
  
  Re:
  Hey TechDirt, do us commentors need to wory about our personal details like our names, email addresses and passwords? Did that stuff get compromised?
  
  While in the admin, the guy had access to the comment admin, which would show email addresses of commenters if they left them. So it's possible that some email addresses were exposed. No passwords were exposed though.
  [ link to this | view in chronology ]
  - Anonymous Coward, 24 Aug 2009 @ 12:18pm
    
    Re: Re:
    So my paranoia about not leaving my email address anywhere paid off. Good to know.
    
    Mike, can you think of a separate kind of accounts where I DO NOT have to provide my name or email? I mean, in the comments, I oftentimes express opinions that could cost me my job, and I totally don't want them to be associated with my real name absolutely ANYWHERE...
    [ link to this | view in chronology ]
  - diabolic (profile), 24 Aug 2009 @ 12:52pm
    
    Re: Re:
    Glad I used a unique email and password at this site. For all the heckling that AC's get around here, there is apparently good reason to stay private.
    [ link to this | view in chronology ]
Anonymous Coward, 24 Aug 2009 @ 11:02am

I just want to say that based on the headers returned by techdirect (apache 1.3.3, php 4.x, etc), every item on that list has at least some security issue that has been patched in a later version. While I don't suspect these were the routes used to get in this time, I would say that it is surprising to find a "tech" company so far out of date.

heck, PHP 4.x had been EOL'ed.
[ link to this | view in chronology ]
Bobby'); Drop Table, 24 Aug 2009 @ 11:12am

Comments; Glad to see you caught it so quickly
[ link to this | view in chronology ]
- Anonymous Coward, 24 Aug 2009 @ 11:25am
  
  Re:
  Little Bobby Tables, we call him.
  [ link to this | view in chronology ]
Anonymous Coward, 24 Aug 2009 @ 12:27pm

31 "we"s and no "I"s !
[ link to this | view in chronology ]
- Mike Masnick (profile), 24 Aug 2009 @ 12:47pm
  
  Re:
  31 "we"s and no "I"s !
  
  Would you like the rest of the team to introduce themselves? It was "we" not "I."
  
  And who might you be?
  [ link to this | view in chronology ]
  - Anonymous Coward, 24 Aug 2009 @ 4:22pm
    
    Re: Re:
    "HTTP/1.1 200 OK
    Date: Mon, 24 Aug 2009 23:21:04 GMT
    Server: Apache/1.3.33 (Unix) PHP/4.4.8 FrontPage/5.0.2.2635 mod_ssl/2.8.22 OpenSSL/0.9.7g
    X-Powered-By: PHP/4.4.8
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/html
    "
    
    The "we team" might want to get to work on getting your server software out of 2004 and bringing it up to date. Plenty of holes there.
    [ link to this | view in chronology ]
    - Hephaestus (profile), 24 Aug 2009 @ 6:33pm
      
      Re: Re: Re:
      sounds like extortion .... hack a site and demand payment for fixing it ...
      
      Enter the G-Men
      [ link to this | view in chronology ]
- Alan Gerow (profile), 24 Aug 2009 @ 12:58pm
  
  Re:
  Well, the hacker prevented them from playing Wii all weekend.
  [ link to this | view in chronology ]
- Anonymous Coward, 24 Aug 2009 @ 1:40pm
  
  Re:
  >>31 "we"s and no "I"s !
  
  Yeah! I bet the're all named "Mike" which is why Billy Mays wanted to clean Dennis' desk last week.
  
  http://www.instantrimshot.com
  
  Hah! Don't forget to tip your waitstaff.
  [ link to this | view in chronology ]
- Anonymous Coward, 25 Aug 2009 @ 2:11am
  
  Re:
  I seriously doubt Mike was personally hacked, unless he is some sort of cyborg from the future. Hm... that would explain some things tho.
  [ link to this | view in chronology ]
nameless, 24 Aug 2009 @ 5:02pm

Opensource
So, in the past you've been a proponent of voting companies making their code opensource so everyone can check their code for security holes. I was just wondering if you'd be willing to do the same, considering what just happened
[ link to this | view in chronology ]
- diabolic (profile), 24 Aug 2009 @ 5:28pm
  
  Re: Opensource
  Can you not see the difference between machines/code used to elect our public officials and the code that runs on the web site of a private company? Get a clue.
  [ link to this | view in chronology ]
- Anonymous Coward, 24 Aug 2009 @ 5:32pm
  
  Re: Opensource
  This is some random website that hardly anyone knows (no offense Mike) compared to some voting company where everyone is going to know about them if they become a huge factor in our voting process. Besides, AFAIK, Mike seems to be against electronic voting systems, at least right now. But what he seems to be saying is that if we are going to use them we might as well make them open source, to which I agree.
  
  http://www.techdirt.com/articles/20090608/2201455173.shtml
  [ link to this | view in chronology ]
  - Anonymous Coward, 24 Aug 2009 @ 5:35pm
    
    Re: Re: Opensource
    Though I myself am not necessarily opposed to e-voting systems, I think they can provide more transparency if implemented properly (read my posts on the above link, my nick is Bettawrekonize). I think more transparency is a necessity. However, they should certainly be implemented with a paper trail along side it of course.
    [ link to this | view in chronology ]
- ..., 24 Aug 2009 @ 6:52pm
  
  Re: Opensource
  Apples and Oranges
  [ link to this | view in chronology ]
- Anonymous Coward, 25 Aug 2009 @ 8:49am
  
  Re: Opensource
  also the problem with an e - voting system really isn't about open source or not. The problem is that the user doesn't know what software is running on the computer. How the heck do I know the open source software is running on the computer I am voting on and not some other software pretending to be the open source software. That's why the problem is an issue of public transparency and not one of open source or not. A lot of research has gone into this (maybe 20 years worth), you can read them here ( http://people.csail.mit.edu/rivest/Rivest-TheThreeBallotVotingSystem.pdf and http://www.usenix.org/events/evtwote09/tech/ ). I came up with a solution that somewhat fixes the problem but doesn't consider voter coercion because I didn't think it would be a problem when I thought of my system (I thought of the possibility of voter coercion but didn't really think it was that likely). Apparently the academic community thinks it is so, not satisfied with the academic communities solution, I came up with a better system that almost solves it completely but isn't entirely foolproof. I will mention it here shortly.
  [ link to this | view in chronology ]
  - Bettawrekonize, 25 Aug 2009 @ 9:19am
    
    Re: Re: Opensource
    (this idea is non patentable. Please spread it, I want everyone to know about it).
    
    There is a list on some website for every state of everyone who voted. Then there is another list that lists a bunch of voter numbers and the associated vote.
    
    When I vote I am FIRST given a voter number on a computer. It's important the voter number comes first. I type in whom I want to vote for. Now mob boss (or someone I am selling my vote to) may ask for my voter number and I can give it to them and they can go online and look up the voter number and ensure that it contains the correct vote. But, what I could do is tell the system I am being coerced. Then the system will give me a true voter number first and I will type in who I really want to vote for and it will record it (it will not print out this number on the receipt, I must memorize it). Then it will give me a false voter number and I type in who I am supposed to vote for (say mob Boss wants me to vote for George Bush but I really want to vote for Ron Paul). The computer adds the false vote to the true list along with the true vote. But then there is another list that lists all the candidates and how many false votes each candidate has (it tells nothing else). It also makes up a random number of false votes for each candidate with fictitious numbers and it adds them to the true list and adds the number of fictitious votes for each candidate that it randomly generated to the number of coerced votes for each candidate on the other list. So it might look something like this
    
    Number of Coerced votes for George Bush = 263
    
    Number of coerced votes for Ron Paul = 157
    
    (maybe 123 are randomly generated for George Bush by the system but no one knows that number).
    
    (maybe 46 are randomly generated by the system for Ron Paul and not inserted by anyone where as the rest are inserted by people who claimed they were being coerced).
    
    So for every false vote added to the true list for a candidate it gets subtracted because we know it should be subtracted based on the false voter list. Then we can see the result and make sure it adds up to the total number of people who voted.
    
    Now there is the situation of, what if mob boss tells you to say your vote is coerced and he demands both numbers. Well, you can tell the system how many false votes you want to insert. What mob boss doesn't know is how many false votes you inserted. So you can tel the system you want to insert three false votes for George Bush (or any number of false votes) that show up on the true voter list (and get printed on your receipt) and get subtracted from the list as well because they get added to the number of coerced votes for George Bush as well. The true voter number won't show up on the receipt and the receipt does not distinguish between a false vote and a true vote so no one can know who you really voted for (you just have to remember your true voter number in that situation).
    
    The only shortcoming in this system (and it's a major concern) is that it assumes that mob boss doesn't work for the government and that the system doesn't secretly keep track of false votes and their associated true votes. Basically it assumes the system doesn't somehow secretly work for mob boss in the background. But other than that it is foolproof.
    
    Another shortcoming could be the idea that people might be required to take a picture of the screen showing who you really voted for with their cell phones.
    
    Some things could help remedy that
    
    A: Perhaps trying to create monitors that blur the image on them if a picture is taken.
    
    B: Setting up the system so that the screen never distinguishes between a false vote and a true vote, you must distinguish based on what you type (and it tells you what to type depending on what you want to do). So the screen never actually tells you something is a true vote or not, you determine that based on what you type.
    
    C: Disallowing cell phones and cameras in the voting booth with the computer and searching for them before someone enters.
    [ link to this | view in chronology ]
    - Anonymous Coward, 25 Aug 2009 @ 9:26am
      
      Re: Re: Re: Opensource
      A: Perhaps trying to create monitors that blur the image on them if a picture is taken (ie: create a monitor that doesn't take good pictures, it displays images so that you can see them just fine but on a camera they will appear blurry. There are ways this can be done though it's not foolproof).
      [ link to this | view in chronology ]
    - Anonymous Coward, 25 Aug 2009 @ 9:35am
      
      Re: Re: Re: Opensource
      Also, the person must have the option of not having a false vote printed on a receipt. So basically the person could choose to insert 3 false votes that are printed on the receipt and he could choose to insert three false votes (or whatever number) that aren't printed on the receipt
      [ link to this | view in chronology ]
      - Anonymous Coward, 25 Aug 2009 @ 9:40am
        
        Re: Re: Re: Re: Opensource
        So mob boss basically has no way of knowing how many false votes you inserted into the system or if any number you give him is a false vote or a true vote. It will show up on the true voter list but get subtracted out and mob boss has no way of telling if your vote got subtracted out or how many of the votes that were subtracted out were just randomly generated by the system.
        [ link to this | view in chronology ]
    - Anonymous Coward, 25 Aug 2009 @ 10:35am
      
      Re: Re: Re: Opensource
      I just thought of a flaw in my system. Someone could take the number of coerced votes for Ron Paul, reduce it, and subsequently increase the number of coerced votes for George Bush by the same amount. The total will still add up just fine.
      [ link to this | view in chronology ]
ASH, 25 Aug 2009 @ 2:33am

This may sound like a strange question to raise at this time, but why exactly is this a "hack"? Why is it "vandalism"? If I'm not mistaken (and I might be), everything you post on the site is public domain, you've said so in the past. That means people are free to do with it what they will.

Just raising the question--interested to hear the answer.
[ link to this | view in chronology ]
- Mike Masnick (profile), 25 Aug 2009 @ 4:36pm
  
  Re:
  This may sound like a strange question to raise at this time, but why exactly is this a "hack"? Why is it "vandalism"? If I'm not mistaken (and I might be), everything you post on the site is public domain, you've said so in the past. That means people are free to do with it what they will.
  
  Um. Seriously? Public domain means they're free to copy it and do whatever they want with it *elsewhere*. Not on our site.
  [ link to this | view in chronology ]
  - ASH, 27 Aug 2009 @ 2:20am
    
    Re: Re:
    Why does it mean that? Your "site" isn't something that physically exists, it's just intellectual property like any other IP. You're exercising ownership interest over that IP, just as other IP owners do--and while you seem comfortable with deciding how they should be entitled to do it, you call it "vandalism" when someone does it to you.
    [ link to this | view in chronology ]
    - Blaise Alleyne (profile), 27 Aug 2009 @ 9:34am
      
      Re: Re: Re:
      Your "site" isn't something that physically exists, it's just intellectual property like any other IP.
      
      It was the physical instance of the site that was vandalized, the Techdirt servers that were broken into, through the site and affecting the site contents stored in the database. That's not intellectual property -- it's the machine, the admin interface, the data, etc.
      
      I release all the code I write under a free license, but that doesn't mean anyone can use my my laptop -- nevermind vandalize it. I release all the songs I write under a free license, but that doesn't mean someone can use my guitar -- nevermind vandalize it.
      
      I can only assume, for the sake of my own sanity, that this is a poor attempt at searching for hypocrisy, rather than believe that you actually don't understand the difference between copying a website and breaking into the software on the server that manages it.
      [ link to this | view in chronology ]
Christopher Heayn (profile), 25 Aug 2009 @ 4:09am

Sorry to hear that you guys got hacked and that it screwed up your weekend. Love the site and hope it doesn't happen again. Any assistance that I could add feel free to contact. Keep up the great job.
[ link to this | view in chronology ]
Zaphod (profile), 25 Aug 2009 @ 5:25am

One kind of ethical hacking...
One kind of ethical hacking comes to mind, and that is hacking skiddies. Believe it or not, there are some devious dirty tricks one can pull, to totally reverse the tables and expose their networks.

One thing they really hate is when you study their injection attempts, and then make "booby traps" consisting of scripts that sit in the location of exploitable files you don't use, and return fake probe responses saying you are hackable. They then they try to inject their stupid script/shell that has contained therein their favorite IRC network and #channel, plus the botnet command password, and commands.

Personally, I just upload the shells to Avira so they can make new signatures for Anti-Vir (free *nix & windows versions available).

Now that's pwning. (/me spits the bad taste out of his mouth caused by using leetspeak)
[ link to this | view in chronology ]
nameless, 25 Aug 2009 @ 5:50am

Re: Opensource
Yes, they are different, but I was just wondering if he would apply what he says. It may not be the exact same situation, but it still has some merit.
I just love the internet, ask a serious question, get told wy your question isn't valid
[ link to this | view in chronology ]
- diabolic (profile), 26 Aug 2009 @ 9:35am
  
  Re: Re: Opensource
  Holding some random blog to the same level of scrutiny as voting does not have merit. Ask a stupid question, get a stupid answer.
  [ link to this | view in chronology ]
  - nameless, 26 Aug 2009 @ 11:49am
    
    Re: Re: Re: Opensource
    You're right, they don't have the same merit, but it's still a valid question. Since this blog is not nearly as important as e-voting machines are, why not just make the code for the blog open source? The same arguments that you use against making it open source can be applied to e-voting machines.
    
    Also, the statement "Ask a stupid question, get a stupid answer" always seemed dumb to me. I also don't see how my question was "dumb"
    
    I'm not trying to say this blog is as important as e-voting machines. If you got that out of what I wrote then I think there are bigger issues. All I'm saying is if making the code of e-voting machines opensource is supposed to make them more secure, why not do it to the blog?
    [ link to this | view in chronology ]
    - Blaise Alleyne (profile), 27 Aug 2009 @ 12:03pm
      
      Re: Re: Re: Re: Opensource
      "I'm not trying to say this blog is as important as e-voting machines. If you got that out of what I wrote then I think there are bigger issues. All I'm saying is if making the code of e-voting machines opensource is supposed to make them more secure, why not do it to the blog?"
      
      I think it's a legitimate question. Thing is, it takes work to open source code. To clean up code and make it generic enough to be used elsewhere, to maintain a software project... it takes effort to release code, and it's not quite as simple as 'giving it way'.
      
      Also, I think it's important for web services to be free (like libre.fm or identi.ca), but the Techdirt blog isn't a web service. The code is just their publishing platform. That could be useful to others... but, with mature open source publishing/content management options like WordPress, Drupal, Joomla!, etc, there likely wouldn't be a ton of interest from developers.
      
      I'd say, IMHO, (1) it's not essential (like e-voting machines, or web services) and (2) the benefits of freeing up the code might not be worth the effort it would take to do so.
      [ link to this | view in chronology ]
Zaphod (profile), 27 Aug 2009 @ 5:04am

@ ASH

Technically, it does exist, as magnetic domains on an HDD in a server somewhere. These magnetic domains are controlled by the arrangement of proton spin axises, as real as any stack of bricks that make a house.

Now he didn't make the HDD, but you didn't make the bricks (or whatever) your house is built out of either. And your house, is just an arrangement of materials, dictated by intelligence. Does that make your house and possessions intellectual property? If so, can I do with them what I wish, perhaps, burn them to the ground? Hacking Mike's site is equitable to that, in several of the philosophical mannerisms you are clinging so tenaciously to.
[ link to this | view in chronology ]
ASH, 27 Aug 2009 @ 10:06am

As I said before, I'm just raising the question. Because you both (and Mike as well) have it wrong--nobody broke into the server room and smashed everything inside with an axe; which is why these analogies of burning down a house or stealing your laptop go off the rails. Someone changed the IP that was stored *on* the servers, which is exactly what Mike has said repeatedly is in the public domain.

In fact, Blaise, you even make the point yourself: you shake your finger about not knowing the difference between the "website" (which is IP) and the "software that manages it" (which, BTW, is also IP). And yet, you seem to not know the difference between a "free license"--which means you own it, but let people use it freely--and "public domain", which means nobody owns it, including you.

Which brings us back to the original point: Mike likes the idea of deciding what happens to other people's IP; but, not so much when it happens to him.
[ link to this | view in chronology ]
- Blaise Alleyne (profile), 27 Aug 2009 @ 11:49am
  
  Re:
  This will probably be my only other reply, because this topic is so ridiculous and I'm already guilty of feeding a troll.
  
  "Someone changed the IP that was stored *on* the servers, which is exactly what Mike has said repeatedly is in the public domain."
  
  They didn't change the "intellectual property" (copyright here), they modified the contents of Floor64's database. That doesn't change any copyright claims (the "intellectual property"), or lack thereof, on the database. It changes the Floor64's actual database, specifically.
  
  The expression on the Techdirt blog is essentially considered to be in the public domain -- that's what would be covered by copyright. That means anyone can use, adapt, built upon or modify that expression. That doesn't mean that anyone can use or modify Floor64's database.
  
  I seriously hope that distinction isn't beyond your comprehension.
  
  "you shake your finger about not knowing the difference between the "website" (which is IP) and the "software that manages it" (which, BTW, is also IP)."
  
  The website isn't itself "intellectual property." It contains content that would be covered by copyright. Because anyone can do what they want with the content doesn't mean that anyone can do what they want on Floor64's server or its database.
  
  Is that hard to understand?
  
  (And the software that manages the site is covered by copyright, but Floor64's copy and running instance is a different matter, and I specifically wrote "breaking into" the software -- i.e. unauthorized access.)
  
  "And yet, you seem to not know the difference between a "free license"... and "public domain".
  
  The distinction between public domain and freely licensed doesn't matter here since both allow the freedom to modify that you're having trouble understanding here. (Public domain content is also free content.)
  
  "Mike likes the idea of deciding what happens to other people's IP; but, not so much when it happens to him."
  
  If you have to try this hard to find some sort of hypocrisy, maybe you're searching for something that doesn't exist. I think you want to believe it exists, but you seem too smart for me to be convinced that you actually believe there's any kind of hypocrisy here.
  [ link to this | view in chronology ]