Contractors Lose Jobs After Hacking CIA's In-House Vending Machines (techrepublic.com)
Date: 2017-06-28
An anonymous reader quotes a report from TechRepublic: Today's vending machines are likely to be bolted to the floor or each other and are much more sophisticated -- possibly containing machine intelligence, and belonging to the Internet of Things (IoT). Hacking this kind of vending machine obviously requires a more refined approach. The type security professionals working for the U.S. Central Intelligence Agency (CIA) might conjure up, according to journalists Jason Leopold and David Mack, who first broke the story A Bunch Of CIA Contractors Got Fired For Stealing Snacks From Vending Machines. In their BuzzFeed post, the two writers state, "Several CIA contractors were kicked out of the Agency for stealing more than $3,000 in snacks from vending machines according to official documents... ." This October 2013 declassified Office of Inspector General (OIG) report is one of the documents referred to by Leopold and Mack. The reporters write that getting the records required initiating a Freedom Of Information Act lawsuit two years ago, adding that the redacted files were only recently released. The OIG report states Agency employees use an electronic payment system, developed by FreedomPay, to purchase food, beverages, and goods from the vending machines. The payment system relies on the Agency Internet Network to communicate between vending machines and the FreedomPay controlling server. The OIG report adds the party hacking the electronic payment system discovered that severing communications to the FreedomPay server by disconnecting the vending machine's network cable allows purchases to be made using unfunded FreedomPay cards.
1. They weren't fired for hacking, they were fired for STEALING.
2. Unplugging the network cable doesn't count as hacking.
It couldn't have been that easy - these machines have MACHINE INTELLIGENCE.
A machine is only as smart as the human programming it, and is only as secure as the budget that funds it. Reference "IoT Security" for more detail.
AND they're bolted to the floor!
And hacking used to require this kind of effort. Now it seems all you have to lift is a network cable.
Imagine the havoc a sentient CIA snax machine could cause!!!
Re:Who wrote this? (Score:5, Informative)
2. Unplugging the network cable doesn't count as hacking.
It would in the UK. A man was prosecuted here for adding a couple of "../" to a URI, which then provided him access to the root file system. I'm trying to find a reference to it.
It would in the UK. A man was prosecuted here for adding a couple of "../" to a URI, which then provided him access to the root file system. I'm trying to find a reference to it.
What does that have to do with unplugging a cable?
I add /. to my daily browsing. I am the L33T hax0r known as 4Chan. (How do you do the reverse L and 7 again?)
...Or a hacksaw [Re:Who wrote this?] (Score:5, Funny)
2. Unplugging the network cable doesn't count as hacking.
Possibly they disconnected it with a hatchet, making it literally hacking.
The proper term for that is haxing a computer.
Re: ...Or a hacksaw [Re:Who wrote this?] (Score:2)
Or possibly a HACKsaw.
While you are correct on both counts, what this story illustrates is the irony of large organizations (in commercial industry and government alike) that say "we want innovators/bold thinkers/unconventional thinkers/people who think outside the box" (or similar feel-good sounding things) when what they really mean is "we want innovators/bold thinkers/unconventional thinkers/people who think outside the box but who also remain within the strict policies/structures/conventions of the organizatio
Stealing from your startup employer would also get you fired.
Re: Who wrote this? (Score:3)
If somebody is willing to steal a $1 candy bar, do you really want to trust them with information if unauthorized disclosure of that information can cause exceptionally grave damage to the nation's security?
We shouldn't have secrets that dangerous.
Are you suggesting that those secrets be made public or that we eliminate everything dangerous?
Re: (Score:3)
If the CIA can't discourage petty theft
They DID act to discourage that petty theft. By firing the people who did it. You know, making them lose their jobs and of course as a result their security clearances. Not that you think that has any impact because you have no idea how the actual world works.
We shouldn't have secrets that dangerous.
Like I said, you have no idea how the actual world works. There are, for example, entire groups of people - organized at various scales from families up through governments that own nukes - that want you to be dead. You, personally, dead. It's helpful
Re: (Score:3)
Yeah. My immediate thought is that it might even be intentional; having a known and easy-to-exploit vulnerability in a non-essential system would be a really great way to weed out these kinds of idiots. I don't think it's unreasonable for intelligence agencies to test their employees in one form or another.
Except that a candy bar has nothing to do with secret information. A candy bar is a minuscule cost and a low cost challenge to keep a flexible mind.
Re: (Score:3)
Depends. If it were limited to "let's try this," and they got a $1 candy bar and it ended there, so what? At that point they should point it out to the vending company. And I wouldn't have any problem with them "stealing" that $1 candy bar.
But it didn't end there. Not only didn't they report the vulne
what they really mean is "we want innovators/bold thinkers/unconventional thinkers/people who think outside the box but who also remain within the strict policies/structures/conventions of the organization."
Having morals and thinking outside the box aren't mutually exclusive. The CIA might be an exception, but most businesses subcontract the handling of vending machines to other companies. If the same is true for the CIA, then these idiots were stealing from another company. The CIA's rep is bad enough without that.
Re:Who wrote this? (Score:5, Insightful)
The CIA or any organization like it wants unicorns. They want the tiny subset of the Venn diagram where people are bold thinkers AND organizationally compliant rule followers.
Like high-end spec-ops, not only do they want really tough super-athletes, they want high intelligence, independent thinkers AND chain of command rule followers.
It's a small subset of people that match all those qualities.
Re: (Score:3)
Nope, it's even worse:
They also want to pay below market rates.
They also want that brilliance on the cheap (Score:2)
The same people who are dumb and cheap enough to steal snacks are the same ones most likely to sell out your state secrets for money.
Anyone who's willing to risk their career and a criminal record for a $1 bag of junk food is not someone who you want working with sensitive information.
Are you really that dense or are you trolling? They were stealing. That shows a lack of character. I'd fire them as well, even if I were running a startup.
Re: (Score:3)
And, you know from previous reports, that the real reason gag orders and such are necessary is because the hacked (MTA in this case) are UNABLE to fix the problem in a timely manner.
Sad, but too many organizations employ technology solutions they are unable to maintain.
Re: (Score:3)
Sure it does! Look, I'm going to hack my computer right n{#`%${%&`+'${`%&NO CARRIER
Cause... (Score:2)
...it's easier to eat the evidence?
The type security professionals working for the U.S. Central Intelligence Agency (CIA) might conjure up, according to journalists Jason Leopold and David Mack, who first broke the story A Bunch Of CIA Contractors Got Fired For Stealing Snacks From Vending Machines.
It was written by someone who doesn't know a complete sentence from their asshole.
Posted by BeauHD - what do you expect? If it isn't an anti-conservative hit piece that has nothing to do with technology, she doesn't know what to do with it.
Liars, Cheats and Criminals at the CIA? (Score:5, Funny)
How did they not get a promotion?
Re: (Score:2)
How did they not get a promotion?
Believe it or not... It seems the CIA apparently has issues with stealing from vending machines... So there are some morals and ethics left.... Leaking classified data is A OK, putting classified information on a private E-mail server is A OK, spying on US citizens with abandon is fine, but don't you dare steal from the vending machine in the break room down the hall.. Who knew?
They're supposed to cheat the working class (Score:2)
Because they were caught. The CIA only wants employees smart enough to not get caught doing these things. Honestly, if you're dumb enough to get caught stealing from a !@#$ vending machine, how can they trust you to steal from the Russians?
Re:should be thanked not sacked (Score:5, Insightful)
A supermarket left open but unstaffed all day with no security would suffer amazing amounts of loss. But whose fault would this be?
[emphasis mine]
The people who stole the stuff. It's ALWAYS the fault of the person who stole the stuff. 100% of the time. If I don't lock my door and people clean out my house that makes me an idiot, but the person that cleaned it out is still the guilty party. (The insurance company may exercise their "idiot clause" and not reimburse me for my stuff because of my negligence. But that's not relevant to the conversation, the thief is still a thief, and should get the appropriate punishment if caught.)
So why reward the incompetent by expecting an unrequired level of honesty from users?
I agree, this is terrible programming. There are definitely ways around spotty connectivity, and FreedomPay has most definitely let their customer down by not adequately protecting their interest. I'm sure you wouldn't have to hunt around too long for a civil lawyer that would be willing to sue FreedomPay for their negligence, but that doesn't excuse the workers who exploited that negligence.
More than one person at fault (Score:2)
A supermarket left open but unstaffed all day with no security would suffer amazing amounts of loss. But whose fault would this be?
[emphasis mine]
The people who stole the stuff. It's ALWAYS the fault of the person who stole the stuff. 100% of the time. If I don't lock my door and people clean out my house that makes me an idiot, but the person that cleaned it out is still the guilty party. (The insurance company may exercise their "idiot clause" and not reimburse me for my stuff because of my negligence. But that's not relevant to the conversation, the thief is still a thief, and should get the appropriate punishment if caught.)
It's very common for more than one person to be at fault in a situation. The person who stole the stuff is criminally liable, but the person who left the door unlocked is still negligent. Both are at fault.
Re: (Score:3)
It is inexcusable not to have the card broadcast its current credit to a disconnected machine. What possible circumstances would excuse this? And even if you have cards that can start a credit account, the machine would remember the card's number and transaction so the data could be updated when the machine was reconnected.
Regardless of how badly the system was designed, the truly inexcusable activity here was not reporting it.
The end result was abusing the shit out of the vulnerability to the tune of $3000+ worth of stolen goods.
The line between a consultant and a criminal is often defined by ethics.
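As an added illustration (not part of any comment in this thread, and not FreedomPay's code): a toy terminal contrasting the fail-open behaviour the OIG report describes with the offline handling suggested in the comment above, where the card carries its balance and the machine stores sales to replay on reconnect. The class names, the per-card offline cap and the card-held balance field are all assumptions made for this sketch.

```python
from dataclasses import dataclass, field

OFFLINE_CAP_CENTS = 500  # assumed per-card spend limit while the server is unreachable

@dataclass
class Card:
    card_id: str
    balance_cents: int  # card-held balance (assumption; must be tamper-resistant in practice)

@dataclass
class Server:
    ledger: dict  # card_id -> funded balance in cents
    def debit(self, card_id, amount):
        if self.ledger.get(card_id, 0) < amount:
            return False
        self.ledger[card_id] -= amount
        return True

@dataclass
class Terminal:
    server: Server
    online: bool = True
    pending: list = field(default_factory=list)        # offline sales awaiting upload
    offline_spend: dict = field(default_factory=dict)  # card_id -> cents spent offline

    def authorize_fail_open(self, card, amount):
        """Reported behaviour: with the server unreachable, nothing is checked."""
        return self.server.debit(card.card_id, amount) if self.online else True

    def authorize_hardened(self, card, amount):
        if self.online:
            ok = self.server.debit(card.card_id, amount)
            if ok:  # keep the card's copy in step with the server
                card.balance_cents = self.server.ledger[card.card_id]
            return ok
        spent = self.offline_spend.get(card.card_id, 0)
        if card.balance_cents < amount or spent + amount > OFFLINE_CAP_CENTS:
            return False  # fail closed: unfunded card or offline cap exceeded
        card.balance_cents -= amount
        self.offline_spend[card.card_id] = spent + amount
        self.pending.append((card.card_id, amount))  # remembered for reconciliation
        return True

    def reconnect(self):
        """Replay stored sales; return any the server refuses, for follow-up."""
        self.online = True
        rejected = [(c, a) for c, a in self.pending if not self.server.debit(c, a)]
        self.pending.clear()
        self.offline_spend.clear()
        return rejected
```

A non-empty list from `reconnect()` is the signal worth alerting on: it means a sale was approved offline that the server would not have funded.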
Amputation for stealing food.
That's moral. Compassionate. A measured response.
Is this what goes for 'hacking' nowadays? (Score:2)
Doesn't require special knowledge. (Score:2)
A hacker, on the other hand, uses skill and knowledge, usually in creative and unusual ways, to achieve his goal.
That's not how most of them worked. Maybe you found a particularly poorly designed one, but the vast majority wouldn't allow you to watch PPV at all if it couldn't make the phone call to confirm.
The only way to watch PPV without the phone line connected to the box was to phone in to the customer service people and get a code and punch it in on the remote.
Of course the fact that Hollywood's garbage is locked down harder than other items is no surprise.
satellite systems let you buy a bit before shuttin (Score:2)
satellite systems let you buy a bit before shutting down PPV if it could not make a call maybe at most $10-$20
Really? Except for stealing and getting caught, this activity actually was quite clever, even if it was a crime.
I think I'd be smiling at their cleverness while I was yanking their clearances, badges and escorting them out of the building....
Fed Contractors vs Fed Employees (Score:5, Interesting)
If these were federal employees they wouldn't have been fired. They would have been reassigned. Or asked to take early retirement. Of course this would have happened after being suspended with pay.
If these were federal employees they wouldn't have been fired. They would have been reassigned. Or asked to take early retirement. Of course this would have happened after being suspended with pay.
...for three years...
FreedomPay (Score:4, Insightful)
Contractors did not realize the "free" in FreedomPay means free speech not free beer.
Risking your job for fifty cents (Score:2)
Throughout my working life I have been amazed that people with good jobs would be willing to jeopardize them for nickels and dimes -- stealing stationery, fudging expense vouchers, and now, apparently, cheating a company vending machine. Don't these people realize that they are putting their livelihoods at risk by stealing from their employer?
So why did they get fired exactly?
Stealing company property. They might have gotten away with it if they had scrubbed the hard drives, removed the asset tags and didn't post pictures with the Dell service tags. A recycler was supposed to pull the hard drive, create a disk image for the legal department, destroy the hard drive and provide a certificate of destruction.
CIA hires break laws then the CIA covers it up.
Hiring contractors seems inherently risky. (Score:2)
Think about it. Intelligence agencies routinely do things which violate norms of civilized behavior. Suborning treason (in other countries' nationals) and invading privacy are standard operating procedure. Yet you depend on your employees to scrupulously follow the rules and norms when it comes to your own agency.
So you give people symbols, rituals and training which ground them in the traditions and identity of your service. I expect this works pretty well, because pride and belonging are powerful motivato
The suspects ... (Score:2)
Story is DISAPPOINTING (Score:2)
They were fired for Theft. Stealing is such a low level sleazy crime
they need to go work in a fast food joint to work off the debt!
"Hacking" is HARDLY what they did - it's just theft