Contractors Lose Jobs After Hacking CIA's In-House Vending Machines (techrepublic.com)
An anonymous reader quotes a report from TechRepublic: Today's vending machines are likely to be bolted to the floor or each other and are much more sophisticated -- possibly containing machine intelligence, and belonging to the Internet of Things (IoT). Hacking this kind of vending machine obviously requires a more refined approach. The type security professionals working for the U.S. Central Intelligence Agency (CIA) might conjure up, according to journalists Jason Leopold and David Mack, who first broke the story A Bunch Of CIA Contractors Got Fired For Stealing Snacks From Vending Machines. In their BuzzFeed post, the two writers state, "Several CIA contractors were kicked out of the Agency for stealing more than $3,000 in snacks from vending machines according to official documents... ." This October 2013 declassified Office of Inspector General (OIG) report is one of the documents referred to by Leopold and Mack. The reporters write that getting the records required initiating a Freedom Of Information Act lawsuit two years ago, adding that the redacted files were only recently released. The OIG report states Agency employees use an electronic payment system, developed by FreedomPay, to purchase food, beverages, and goods from the vending machines. The payment system relies on the Agency Internet Network to communicate between vending machines and the FreedomPay controlling server. The OIG report adds the party hacking the electronic payment system discovered that severing communications to the FreedomPay server by disconnecting the vending machine's network cable allows purchases to be made using unfunded FreedomPay cards.
Who wrote this? (Score:5, Informative)
1. They weren't fired for hacking, they were fired for STEALING.
2. Unplugging the network cable doesn't count as hacking.
Re: Who wrote this? (Score:1)
It couldn't have been that easy - these machines have MACHINE INTELLIGENCE.
AND they're bolted to the floor!
Re: (Score:1)
Yes, I'm sure they have machine intelligence, to figure out the best way to rotate the spool in there to drop the products out. No way that could be done with a simple stepper motor, uh uh, no way. Has to have machine intelligence.
By these standards I guess back in high school we were hacking the vending machines in our cafeteria because we figured out if you put the money in to buy a soda and hit the buttons really fast you could get multiple cans (sometimes up to 10) to drop.
Re: (Score:2)
It couldn't have been that easy - these machines have MACHINE INTELLIGENCE.
A machine is only as smart as the human programming it, and is only as secure as the budget that funds it. Reference "IoT Security" for more detail.
AND they're bolted to the floor!
And hacking used to require this kind of effort. Now it seems all you have to lift is a network cable.
Re: (Score:3)
Imagine the havoc a sentient CIA snax machine could cause!!!
Re: (Score:3, Funny)
Yeah, it sneaks up on you and goes "Here, have a Snickers bar." Pretty soon, everyone is too fat to move.
Re: (Score:2)
It couldn't have been that easy - these machines have MACHINE INTELLIGENCE.
AND they're bolted to the floor!
Right, that is why these guys got caught. When the network cable was reconnected and the transactions couldn't be processed, the machine intelligently wrote down the information and notified the appropriate authority.
Same as any human retail clerk, these machines aren't instructed to try to prevent all cases of fraud, instead they're trained to follow strict procedures and write down any exceptions or oddities for auditing at another layer.
In the old days when the machines were stupid, you could just rock i
Re:Who wrote this? (Score:5, Informative)
2. Unplugging the network cable doesn't count as hacking.
It would in the UK. A man was prosecuted here for adding a couple of "../" to a URI, which then provided him access to the root file system. I'm trying to find a reference to it.
Re: (Score:3)
It would in the UK. A man was prosecuted here for adding a couple of "../" to a URI, which then provided him access to the root file system. I'm trying to find a reference to it.
What does that have to do with unplugging a cable?
Re: (Score:2)
What does that have to do with unplugging a cable?
It is an example of something absurd that has nothing to do with hacking, in reference to the GP's post.
Re: (Score:2)
He thinks "hacking" means "getting charged with computer crimes," so he missed the point.
Re: (Score:2)
The machine shouldn't accept electronic payment if the network cable is unplugged.
So if a cable fails, no one should be able to buy food?
Re: (Score:2)
Thanks - I knew I read about it on The Register, but I couldn't figure out the keyword to find it in the archive.
...Or a hacksaw [Re:Who wrote this?] (Score:5, Funny)
2. Unplugging the network cable doesn't count as hacking.
Possibly they disconnected it with a hatchet, making it literally hacking.
Re: (Score:2)
The proper term for that is haxing a computer.
Re: ...Or a hacksaw [Re:Who wrote this?] (Score:2)
Or possibly a HACKsaw.
Re: (Score:2)
While you are correct on both counts, what this story illustrates is the irony of large organizations (in commercial industry and government alike) that say "we want innovators/bold thinkers/unconventional thinkers/people who think outside the box" (or similar feel-good sounding things) when what they really mean is "we want innovators/bold thinkers/unconventional thinkers/people who think outside the box but who also remain within the strict policies/structures/conventions of the organizatio
Re: (Score:1)
Stealing from your startup employer would also get you fired.
Re: Who wrote this? (Score:5, Insightful)
If somebody is willing to steal a $1 candy bar, do you really want to trust them with information if unauthorized disclosure of that information can cause exceptionally grave damage to the nation's security?
Re: Who wrote this? (Score:5, Interesting)
Yeah. My immediate thought is that it might even be intentional; having a known and easy-to-exploit vulnerability in a non-essential system would be a really great way to weed out these kinds of idiots. I don't think it's unreasonable for intelligence agencies to test their employees in one form or another.
Re: (Score:2)
Except that a candy bar has nothing to do with secret information. A candy bar is a minuscule cost and a low cost challenge to keep a flexible mind.
Re: Who wrote this? (Score:4, Insightful)
Depends. If it were limited to "let's try this," and they got a $1 candy bar and it ended there, so what? At that point they should point it out to the vending company. And I wouldn't have any problem with them "stealing" that $1 candy bar.
But it didn't end there. Not only didn't they report the vulnerability, they continued to abuse it to the tune of $3000. Them, I wouldn't trust.
Re: (Score:2)
I have no idea about the CIA, but most federal offices do not get an appropriation for "staff snacks", so it would be unconstitutional (under the Appropriations Clause) and illegal (under various statutes) and against policy (depending on branch of government) for them to buy snacks for employees or contractors.
The same is true of coffee, creamer, sugar, etc. -- the government facilities I have seen have "coffee messes" where any consumables are bought by the employees, with a jar or something similar for o
Re: (Score:2)
If somebody is willing to steal a $1 candy bar, do you really want to trust them with information if unauthorized disclosure of that information can cause exceptionally grave damage to the nation's security?
That depends on the motivation. If someone is so desperate that $1 makes a difference to it that they breach their own moral sense by stealing it, then no I don't. These people would be easily corruptible by any kind of money.
If they are stealing $1 because they don't give a shit about others, also pirate the occasional movie due to a lack of soft moral conviction but wouldn't steal something bigger, then yes. Yes I would. Trust and morals are not absolute. They aren't unilaterally given to everyone.
And in
Re: (Score:2)
We shouldn't have secrets that dangerous.
Are you suggesting that those secrets be made public or that we eliminate everything dangerous?
Re: (Score:2)
Eliminate all secrets. Transparency and sunlight for all. If our society can't function without deep dark secrets something is wrong.
Please show me where you can find such a society you are talking about? It is an ideal but will never happen in real life because humans are humans.
Re: (Score:3)
If the CIA can't discourage petty theft ...
They DID act to discourage that petty theft. By firing the people who did it. You know, making them lose their jobs and of course as a result their security clearances. Not that you think that has any impact because you have no idea how the actual world works.
We shouldn't have secrets that dangerous.
Like I said, you have no idea how the actual world works. There are, for example, entire groups of people - organized at various scales from families up through governments that own nukes - that want you to be dead. You, personally, dead. It's helpful
Re: (Score:2)
I wouldn't steal anything not valuable enough to be worth skipping the country over. $1 million, no. But give me a chance at $100million and you'd never see me again.
Re: (Score:2)
In some cases of inadvertent mishandling of classified information, the security clearance has been revoked temporarily or indefinitely. In others, the security clearance remains intact. Clinton got about the same treatment anyone else would have in her situation.
Re: (Score:2)
what they really mean is "we want innovators/bold thinkers/unconventional thinkers/people who think outside the box but who also remain within the strict policies/structures/conventions of the organization."
Having morals and thinking outside the box aren't mutually exclusive. The CIA might be an exception, but most businesses subcontract the handling of vending machines to other companies. If the same is true for the CIA, then these idiots were stealing from another company. The CIA's rep is bad enough without that.
Re:Who wrote this? (Score:5, Insightful)
The CIA or any organization like it wants unicorns. They want the tiny subset of the Venn diagram where people are bold thinkers AND organizationally compliant rule followers.
Like high-end spec-ops, not only do they want really tough super-athletes, they want high intelligence, independent thinkers AND chain of command rule followers.
It's a small subset of people that match all those qualities.
Re: (Score:3)
Nope, it's even worse:
They also want to pay below market rates.
They also want that brilliance on the cheap (Score:2)
Re: (Score:2)
The same people who are dumb and cheap enough to steal snacks are the same ones most likely to sell out your state secrets for money.
Anyone who's willing to risk their career and a criminal record for a $1 bag of junk food is not someone who you want working with sensitive information.
Re: (Score:3)
Are you really that dense or are you trolling? They were stealing. That shows a lack of character. I'd fire them as well, even if I were running a startup.
Re: (Score:2)
They were stealing. That shows a lack of character. I'd fire them as well, even if I were running a startup.
If you were running a startup, you'd be giving them free candy bars.
So I hear. I've never worked for a startup that had venture capital...
Re: (Score:2)
In other words, they should be considered for jobs as field agents.
Re: (Score:2)
While you are correct on both counts, what this story illustrates is the irony of large organizations (in commercial industry and government alike) that say "we want innovators/bold thinkers/unconventional thinkers/people who think outside the box" (or similar feel-good sounding things) when what they really mean is "we want innovators/bold thinkers/unconventional thinkers/people who think outside the box but who also remain within the strict policies/structures/conventions of the organization."
Is it any wonder that people who perceive themselves as truly talented tend to want to go work for startups or perhaps create their own startup? The type of people places like the CIA and big companies claim to be seeking are precisely the type of people who look at places like that and say "no way am I going to subject myself to all that bureaucracy." Stories like those sort of prove the point.
One or two free candy bars, to see how the thing works would be "innovators/bold thinkers". Taking $3,000 of snacks is stealing. I can hack the cafeteria at work. If I go in late afternoon when there's only one worker, I can wait for them to go on a smoke break when the place is deserted, and load up my backpack with all sorts of free snacks. But I don't. Because it's stealing.
Re:Who wrote this? (Score:5, Funny)
Sure it does! Look, I'm going to hack my computer right n{#`%${%&`+'${`%&NO CARRIER
Cause... (Score:2)
...it's easier to eat the evidence?
Re: (Score:1)
There is no CC card... It's a pre-paid card system - reloaded with cash ... thus using a card when it has $0, and the device is off-net, the device trusts the user (as we're in a trusted location) and will debit the acct when it comes back online. This can't even be seen as a weakness as it's in a secure location, but to actually exploit the organization's trust is something different. (by stealing)
Re: (Score:1)
Par for the course for clickbait mills.
The summary even states it's from Buzzfeed.
Re: Who wrote this? (Score:2)
The type security professionals working for the U.S. Central Intelligence Agency (CIA) might conjure up, according to journalists Jason Leopold and David Mack, who first broke the story A Bunch Of CIA Contractors Got Fired For Stealing Snacks From Vending Machines.
It was written by someone who doesn't know a complete sentence from their asshole.
Re: (Score:2)
Posted by BeauHD - what do you expect? If it isn't an anti-conservative hit piece that has nothing to do with technology, she doesn't know what to do with it.
Re: (Score:2)
Lawyers like to law, teach them to law better, and they are going to law all over the place.
Wrestlers like to wrestle, teach them to wrestle better, and will wrestle all over the place.
Brewers brew......
Soldiers soldier....
Politicians politic.... ....and hackers hack.
And for the record, if unplugging the network cable after a secure handshake allows you to force a target to do something specifically opposite to what it was designed to do, such as dispense free candy, then it very much is a hardware exploit.
Re: (Score:3)
And, you know from previous reports, that the real reason gag orders and such are necessary is because the hacked (MTA in this case) are UNABLE to fix the problem in a timely manner.
Sad, but too many organizations employ technology solutions they are unable to maintain.
Liars, Cheats and Criminals at the CIA? (Score:5, Funny)
How did they not get a promotion?
Re: (Score:2)
How did they not get a promotion?
Believe it or not... It seems the CIA apparently has issues with stealing from vending machines... So there are some morals and ethics left.... Leaking classified data is A OK, putting classified information on a private E-mail server is A OK, spying on US citizens with abandon is fine, but don't you dare steal from the vending machine in the break room down the hall.. Who knew?
They're supposed to cheat the working class (Score:2)
Re: (Score:2)
Because they were caught. The CIA only wants employees smart enough to not get caught doing these things. Honestly, if you're dumb enough to get caught stealing from a !@#$ vending machine, how can they trust you to steal from the Russians?
Is this what goes for 'hacking' nowadays? (Score:2)
Doesn't require special knowledge. (Score:2)
A hacker, on the other hand, uses skill and knowledge, usually in creative and unusual ways, to achieve his goal.
Fed Contractors vs Fed Employees (Score:5, Interesting)
If these were federal employees they wouldn't have been fired. They would have been reassigned. Or asked to take early retirement. Of course this would have happened after being suspended with pay.
Re: (Score:1)
If these were federal employees they wouldn't have been fired. They would have been reassigned. Or asked to take early retirement. Of course this would have happened after being suspended with pay.
Not saying I *necessarily* agree or disagree with the practice, but isn't that the whole reason to use contractors in the first place? No long-term retirement liabilities and all that.
Re: (Score:2)
If these were federal employees they wouldn't have been fired. They would have been reassigned. Or asked to take early retirement. Of course this would have happened after being suspended with pay.
...for three years...
FreedomPay (Score:4, Insightful)
Contractors did not realize the "free" in FreedomPay means free speech not free beer.
Re: (Score:2)
Contractors did not realize the "free" in FreedomPay means free speech not free beer.
They do a much better job explaining that to contractors [wikipedia.org] at the NSA [wikipedia.org].
Risking your job for fifty cents (Score:2)
Throughout my working life I have been amazed that people with good jobs would be willing to jeopardize them for nickels and dimes -- stealing stationery, fudging expense vouchers, and now, apparently, cheating a company vending machine. Don't these people realize that they are putting their livelihoods at risk by stealing from their employer?
Re: (Score:2)
So why did they get fired exactly?
Stealing company property. They might have gotten away with it if they had scrubbed the hard drives, removed the asset tags and didn't post pictures with the Dell service tags. A recycler was supposed to pull the hard drive, create a disk image for the legal department, destroy the hard drive and provide a certificate of destruction.
Re: (Score:2)
Decades ago, a friend 'somehow came into possession' of two of the new (Large Car company) monster aluminium V8s/transmissions, out of prototypes that had been destroyed before the (Large Car company) reps' eyes. Two years before they were to be put into production.
Long story short, he sold one set...standard computer, so called (Large Car Company) for support, gave serial#...Secret Service...denied everything, denied, denied, denied...got away with it, no 'double secret' motors found at his locations.
Honest Summary. (Score:1)
CIA hires break laws then the CIA covers it up.
Hiring contractors seems inherently risky. (Score:2)
Think about it. Intelligence agencies routinely do things which violate norms of civilized behavior. Suborning treason (in other countries' nationals) and invading privacy are standard operating procedure. Yet you depend on your employees to scrupulously follow the rules and norms when it comes to your own agency.
So you give people symbols, rituals and training which ground them in the traditions and identity of your service. I expect this works pretty well, because pride and belonging are powerful motivato
Where's the vendor safety checks? (Score:1)
The suspects ... (Score:2)
Story is DISAPPOINTING (Score:2)
Stealing is a CRIME (Score:1)
They were fired for Theft. Stealing is such a low level sleazy crime
they need to go work in a fast food joint to work off the debt!
"Hacking" is HARDLY what they did - it's just theft
Is this really what passes for hacking these days? (Score:2)
> Severing communications to the FreedomPay server by disconnecting the vending machine's network cable allows purchases to be made using unfunded FreedomPay cards.
Is this really what passes for "hacking" these days?
Firing them not the brightest idea (Score:2)
I'm assuming they were hired specifically for this sort of out-of-the-box workaround. You cannot turn someone into something they are not and telling them to be anything other than what they are impedes them from performing at their best when you need them to. If I was the supervisor that had been made aware of this, I would have found a way to expense payments to the vendor without letting the employees know. 1) it keeps skills from workers you may need solidly in the 'asset' category, 2) it keeps their
Let me guess (Score:2)
The CIA probably asked for the option that these vending machines still work if there are network outages, on the basis that its employees and contractors should be trusted enough not to steal shit and they're the only ones with physical access to the machines.
The other options are: No network, no food. Pay with cash.
The last thing you want is a hungry IT department trying to fix your broken network.
STALE, repost (Score:2)
Re: (Score:2)
Amputation for stealing food.
That's moral. Compassionate. A measured response.
Re:should be thanked not sacked (Score:5, Insightful)
A supermarket left open but unstaffed all day with no security would suffer amazing amounts of loss. But whose fault would this be?
[emphasis mine]
The people who stole the stuff. It's ALWAYS the fault of the person who stole the stuff. 100% of the time. If I don't lock my door and people clean out my house that makes me an idiot, but the person that cleaned it out is still the guilty party. (The insurance company may exercise their "idiot clause" and not reimburse me for my stuff because of my negligence. But that's not relevant to the conversation, the thief is still a thief, and should get the appropriate punishment if caught.)
So why reward the incompetent by expecting an unrequired level of honesty from users?
I agree, this is terrible programming. There are definitely ways around spotty connectivity, and FreedomPay has most definitely let their customer down by not adequately protecting their interest. I'm sure you wouldn't have to hunt around too long for a civil lawyer that would be willing to sue FreedomPay for their negligence, but that doesn't excuse the workers who exploited that negligence.
More than one person at fault (Score:2)
A supermarket left open but unstaffed all day with no security would suffer amazing amounts of loss. But whose fault would this be?
[emphasis mine]
The people who stole the stuff. It's ALWAYS the fault of the person who stole the stuff. 100% of the time. If I don't lock my door and people clean out my house that makes me an idiot, but the person that cleaned it out is still the guilty party. (The insurance company may exercise their "idiot clause" and not reimburse me for my stuff because of my negligence. But that's not relevant to the conversation, the thief is still a thief, and should get the appropriate punishment if caught.)
It's very common for more than one person to be at fault in a situation. The person who stole the stuff is criminally liable, but the person who left the door unlocked is still negligent. Both are at fault.
Re: (Score:3)
It's ALWAYS the fault of the person who stole the stuff. 100% of the time.
But maybe not 100% of the fault. More than one person can be at fault.
In college I took an accounting class, and the teacher's favorite subject was "Internal Controls", systems and rules set up to make sure that people can't just steal money. He gave an example:
Suppose a small company has an accounting department with poor internal controls, and the head accountant knows that if he/she just edited one spreadsheet, he could steal a w
Re: (Score:3)
It is inexcusable not to have the card broadcast its current credit to a disconnected machine. What possible circumstances would excuse this? And even if you have cards that can start a credit account, the machine would remember the card's number and transaction so the data could be updated when the machine was reconnected.
Regardless of how bad the system was designed, the truly inexcusable activity here was not reporting it.
The end result was abusing the shit out of the vulnerability to the tune of $3000+ worth of stolen goods.
The line between a consultant and a criminal is often defined by ethics.
Re: (Score:2)
Really? Except for stealing and getting caught, this activity actually was quite clever, even if it was a crime.
I think I'd be smiling at their cleverness while I was yanking their clearances, badges and escorting them out of the building....
Re: (Score:2)
That's not how most of them worked. Maybe you found a particularly poorly designed one, but the vast majority wouldn't allow you to watch PPV at all if it couldn't make the phone call to confirm.
The only way to watch PPV without the phone line connected to the box was to phone in to the customer service people and get a code and punch it in on the remote.
Of course the fact that Hollywood's garbage is locked down harder than other items is no surprise.
satellite systems let you buy a bit before shuttin (Score:2)
satellite systems let you buy a bit before shutting down PPV if it could not make a call maybe at most $10-$20
Re: (Score:2)
None of the systems that I have worked with. They all allow for zero purchases without authentication.
Re: (Score:2)
in the past after at least making a few calls you can unhook the phone line / pick up the phone and order some ppv and it will not dial out or say you need a phone to buy this ppv movie now a $29.99 or more event may need to call in right away. Also back then they had the hacked cards.
Re: (Score:2)
Hacked cards definitely did exist.
But the ability to purchase ANYTHING without connecting to the phone network most certainly did not.
Sure you can unhook the phone cord, and watch normal television, but the only way you'd watch PPV is either with the hacked card, or by calling in and having them set it up remotely.
Re: (Score:2)
Don't forget MITMing the cards with old PCs, 'dead' cards, unloopers, soldering serial cables to the receiver's card connectors etc. Good times.
Also credit and bank debit cards in the '80s (Score:2)
Back in the '80s or so I tried to pay for a car repair with a perfectly valid credit card and had it declined. A call to the credit card company disclosed the reason:
When the database was offline the authorization servers would approve charges up to $300 (1980ish dollars) and refuse those above that. This kept them from making all their cards stop working, on one hand, limited the losses to savvy crooks, and only inconvenienced those making the relatively rare high-sticker purchases. (Like me, trying to
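A small simulation of the three offline policies this thread keeps circling back to: fail open and reconcile later (the behaviour the OIG report describes), decline anything the machine cannot verify, or the middle ground of a per-card offline cap with a journal that the server settles and audits on reconnect (the approach sketched a few comments up, and the $300 offline-approval scheme the credit card company used). This is an added example, not code from FreedomPay or the agency; the card ids, balances and cap values are constructed.

```python
"""Offline-fallback policies for a prepaid vending-machine card (constructed example).

The server is the only balance authority and the machine reaches it over the
network.  When the link is down, a purchase cannot be authorized, so the machine
must pick a policy:
  - fail_open: vend anything and reconcile later (what the OIG report describes);
  - capped:    vend only up to a per-card offline allowance, journal every debit,
               and let the server settle the journal and flag overdrawn cards
               when the cable comes back (store-and-forward with a loss bound).
A cap of 0 means "decline everything while offline".  Amounts are in cents.
"""
from dataclasses import dataclass, field


@dataclass
class BalanceServer:
    balances: dict                      # card id -> balance in cents
    overdrawn: list = field(default_factory=list)   # audit trail across settlements

    def authorize(self, card: str, amount: int) -> bool:
        """Online path: debit only if the card actually has the funds."""
        if self.balances.get(card, 0) >= amount:
            self.balances[card] -= amount
            return True
        return False

    def settle(self, journal: list) -> list:
        """Apply offline debits on reconnect; return cards that went negative.

        Anything returned here is an exception for the audit layer above the
        machine, which is where a fraud pattern would actually be caught."""
        flagged = set()
        for card, amount in journal:
            self.balances[card] = self.balances.get(card, 0) - amount
            if self.balances[card] < 0:
                flagged.add(card)
        self.overdrawn.extend(sorted(flagged))
        return sorted(flagged)


class VendingMachine:
    def __init__(self, server: BalanceServer, offline_cap: int = 0,
                 fail_open: bool = False):
        self.server = server
        self.online = True
        self.offline_cap = offline_cap   # per-card allowance while disconnected
        self.fail_open = fail_open
        self.offline_spent: dict = {}    # card id -> cents vended while offline
        self.journal: list = []          # (card, amount) pairs awaiting settlement

    def purchase(self, card: str, amount: int) -> bool:
        if self.online:
            return self.server.authorize(card, amount)
        if self.fail_open:
            self.journal.append((card, amount))   # trust the user, sort it out later
            return True
        spent = self.offline_spent.get(card, 0)
        if spent + amount > self.offline_cap:
            return False                          # decline: balance unverifiable
        self.offline_spent[card] = spent + amount
        self.journal.append((card, amount))
        return True

    def reconnect(self) -> list:
        """Cable back in: forward the journal and reset the offline counters."""
        self.online = True
        flagged = self.server.settle(self.journal)
        self.journal.clear()
        self.offline_spent.clear()
        return flagged


def run_scenario(fail_open: bool, offline_cap: int, attempts: int = 10,
                 price: int = 100) -> tuple:
    """Drop the link, attempt `attempts` purchases on a $0 card, then reconnect.

    Returns (items vended, card balance after settlement, flagged cards)."""
    server = BalanceServer({"unfunded-card": 0, "funded-card": 500})
    machine = VendingMachine(server, offline_cap, fail_open)
    assert machine.purchase("funded-card", 100)   # sanity: the online path works
    machine.online = False                         # simulate the disconnected link
    vended = sum(machine.purchase("unfunded-card", price) for _ in range(attempts))
    flagged = machine.reconnect()
    return vended, server.balances["unfunded-card"], flagged


if __name__ == "__main__":
    for label, policy in (("fail open", (True, 0)), ("decline offline", (False, 0)),
                          ("cap $3.00", (False, 300))):
        print(label, run_scenario(*policy))
```

The capped policy still loses up to the cap per card per outage, but that loss is bounded and every overdrawn card surfaces as an audit exception on reconnect instead of an open-ended free-vend window.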
Re: (Score:2)
When I was about 10, my dad caught me emptying two rows of candy out of vending machines, my arm was just skinny enough and long enough. I was up in that candy hole like a vet fertilizing a prize heifer.
He hung around till I got the last of it, then we ran for it.
I haven't seen that model machine in a while, still look for it, though my arm has been too big for decades. I had little brothers though, we got about six years free gum and lifesavers all told, there were years with three of us expropriating.