Hacking the Governator 382
mytrip writes, "The Democratic rival to California Gov. Arnold Schwarzenegger acknowledged that his aides were responsible for obtaining a controversial audio file, in which the Governator was heard disparaging members of other races, in a move that has led to allegations of Web site hacking. A source close to Angelides told CNET News.com that it was possible to 'chop' off the Web links and visit the higher-level 'http://speeches.gov.ca.gov/dir/' directory, which had the controversial audio recording publicly viewable. No password was needed, the source said." And jchernia notes, "As an aside, the California Highway Patrol is running the investigation — maybe the Internet is a truck after all."
Moo (Score:3, Insightful)
Am I missing something here?
Re: (Score:3, Informative)
Sure, it's lots of fun. (Score:2)
No, that's the way normal human beings interact. Only people who have never really spent much time in a diverse, multiethnic environment get offended by such things... the rest of us tease each other constantly and have a grand old time.
Been in 'multiethnic' environments all my life too.
Personally, I don't enjoy the stereotype.
These stereotypes are 'cute' if you only run into them once in a while. But what happens when you're trying to communicate at your job or to a customer and the person is intimid
Re: (Score:2)
Inflection does play a factor. If one is saying that blacks are basketball players, as in women are baby makers, yeah, it's an insult. But if one is saying that blacks are basketball players because they are keenly athletic, that is a compliment, isn't it?
Re: (Score:2)
Disclaimer: I think this is all much ado about nothing.
That said, it's not a question of whether the adjectives used are 'complimentary' or not, but rather the generalization across an entire race that offends (some) people. They feel that racial generalizations (aka stereotypes) are unhelpful and inaccurate, and have a major history of abuse.
Re: (Score:2)
The opposite is true as well. Why should negativity win?
Re: (Score:2)
Re:gross generalizations (Score:5, Insightful)
That said, it's not a question of whether the adjectives used are 'complimentary' or not, but rather the generalization across an entire race that offends (some) people. They feel that racial generalizations (aka stereotypes) are unhelpful and inaccurate, and have a major history of abuse.
So what? This was an off-hand remark made in private. Have we come to the point where every word one says must be parsed and examined for any trace of anything that might offend the most hypersensitive among us lest he or she be branded a racist?
-Grym
Re: (Score:2)
Yes.
That was easy. Give me another one.
Re: (Score:2)
Yeah, but an offhand remark made in private by the chief executive of one of the most powerful states in the union. I think it's reasonable to think that people might be interested in his views on various matters, as those are pretty likely to affect how he governs.
Re:gross generalizations (Score:5, Informative)
Re:gross generalizations (Score:5, Insightful)
Taking offense at someone voicing or defining their own stereo-type. Bah! Sounds kinda silly to me. How bout I get really pissed the next time someone offers me sunblock? "OMG, they assume because I have white skin that I'm prone to sunburns! How dare them!" Hehe, yeah that would be pretty silly.
So, I think I get what you're saying about history of abuse and all; but it's the abusers that should be punished not the concept of stereo-types.
My two cents.
Re: (Score:2)
I think there's a distinction to be made between traits that are in fact genetically/racially derived (as in your example above) and ones that aren't. A better example might be if someone bought you a case of whis
Re: (Score:2, Funny)
correlation does not denote a casual relationship (Score:2)
Generalizations or stereo-types exist for a reason.
The reason is that people are lazy.
We do not want to have to evaluate everyone we meet on their own merits, so we group them together and apply a label.
Not because 10 out of 10 of the latino people you've met in your life are all hot-blooded does it mean that latino people are predisposed to aggression. There can be a third, independent factor, held by those 10 people that you've met that explain their personality. Maybe there are social factors
Re: (Score:2)
But if one is saying that blacks are basketball players because they are keenly athletic, that is a compliment, isn't it?
Back in the 20's it was the Jews that were naturally good at basketball due to their scientifically proven craftiness.
Re:gross generalizations (Score:4, Funny)
Re: (Score:3, Funny)
Re:gross generalizations (Score:4, Insightful)
I suppose all the anime fans that keep telling me how hot Japanese women are are racists too, then. If this is considered racism, I don't have any problem with racists. I guess we'll need a new word for the serious sort.
I mean, if the word "murder" could mean accidentally stepping on a cricket, I wouldn't care if I lived next door to someone described as a "murderer".
Re: (Score:2)
Re: (Score:3, Insightful)
I've felt my point of view, my chances of promotion, my entire standing in society has been suppressed my entire life to make up for the sins of the people 10 years older than I am. It was worse in the past- they were very blatant about even promoting incompetent people to balance the percentages. Today, there are plenty of competent people of all races and sexes- I'm one of them- but they still need to get up to 50% female, 12% black, etc. I've seen females bl
If that's hacking (Score:5, Funny)
Wow, they must be really good... (Score:5, Funny)
beware the internet chop shop (Score:2)
Why do you think they've got the CHP involved? Someone obviously stole Governor Schwarzenegger's internets and took it to an internet chop-shop, where it's dismantled and sold for parts.
You'd be surprised (Score:5, Interesting)
Seriously. Being as generic as I can for NDA reasons, let's just say that the corporation I work for paid good bucks to a BIG corporation's consultants to write a web application for them. Well, not even the whole app, but think more or less just the part where you register and set your data and preferences, with a bit of a hierarchy thrown in. (Some users could be, basically, managing others and giving or revoking rights to them.)
The thing ended up years overdue, and needing a whole server farm just to support a modest number of users. (The joys of clueless Buzzword Driven Architecture at its finest, really.) They had to be started and shut down in a given sequence too, as the modules on one machine depended on those on a second, which depended on those on a third, and so on. As a result, shutting down and restarting the whole system (e.g., for maintenance) took almost a whole day. But that's not the important part. The important part was the endless security issues, such as:
1. yes, failure to account for URL editing. Rights were checked when generating the URLs on a page (e.g., which products, messages, whatever, you can click on), but not when actually accessing the linked page. So you could literally access any data in the database by just typing in its ID in one of those URLs.
2. rights escalation. Did I mention editing URLs? The same went for the "change your password" page. You could just type in another user's id, change their password, and log in as that user. The "super-user" had id 0. 'Nuff said.
3. wide open to cross-site scripting exploits. They hadn't figured out how to quote strings when displaying them on a web page. (Then when they "fixed" that, it encoded them twice and displayed them broken. So they disabled the fix again and tried to downplay the risks of anyone injecting JavaScript.)
4. had obviously never heard of non-repudiation. (Security isn't just about who you let in, but also making reasonably sure who signed that contract or generally did what.) While in the old system a deleted user was just, basically, flagged as disabled, their clever system just deleted the user and his data. And because of foreign key constraints, it cascaded through the tables and erased any data connected to that user. Messages they posted or sent, contracts they signed, everything. Users could delete themselves too. (If anyone has trouble understanding why this is dangerous, think what you could do if your bank had something like that. Take a big loan, move the money somewhere else, delete your user.)
And so on, and so forth.
So, well, if "experts" hadn't heard of such elementary stuff, I can't be that surprised that the governor or a couple of journalists consider them advanced hacking.
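The first two flaws in the list above (rights checked only when links are generated, and a password-change page that takes the user id from the URL), shown beside a corrected form. This is an added example, not code from the post or from the application it describes; the `Portal` class, the ids and the records are hypothetical and constructed.

```python
import hashlib
import hmac
import os


class Forbidden(Exception):
    """Raised when the session user may not touch the requested object."""


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the sample store never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Portal:
    """Hypothetical in-memory stand-in for the application described above."""

    def __init__(self):
        # Constructed sample data; id 0 is the "super-user" as in the post.
        self.users = {}
        for uid, name, pw in [(0, "super-user", "root-pw"),
                              (7, "alice", "alice-pw"),
                              (8, "bob", "bob-pw")]:
            salt = os.urandom(16)
            self.users[uid] = {"name": name, "salt": salt, "hash": _hash(pw, salt)}
        self.messages = {101: {"owner": 7, "body": "alice: signed contract"},
                         102: {"owner": 8, "body": "bob: invoice"}}

    def check_login(self, uid, password):
        user = self.users.get(uid)
        return user is not None and hmac.compare_digest(
            user["hash"], _hash(password, user["salt"]))

    def links_for(self, session_uid):
        # Link generation: the only place the flawed design checked rights.
        return [f"/message?id={mid}"
                for mid, msg in sorted(self.messages.items())
                if msg["owner"] == session_uid]

    # --- flawed handlers: trust whatever id arrives in the URL ---
    def view_message_flawed(self, session_uid, msg_id):
        return self.messages[msg_id]["body"]          # no ownership check

    def change_password_flawed(self, session_uid, target_uid, new_pw):
        user = self.users[target_uid]                 # target chosen by caller
        user["hash"] = _hash(new_pw, user["salt"])

    # --- corrected handlers: authorize on every access ---
    def view_message(self, session_uid, msg_id):
        msg = self.messages.get(msg_id)
        # Same error for "missing" and "not yours", so ids cannot be probed.
        if msg is None or msg["owner"] != session_uid:
            raise Forbidden("no such message for this user")
        return msg["body"]

    def change_password(self, session_uid, current_pw, new_pw):
        # The target is the authenticated session, never a request parameter,
        # and the current password must be proven again.
        if not self.check_login(session_uid, current_pw):
            raise Forbidden("current password required")
        user = self.users[session_uid]
        user["salt"] = os.urandom(16)
        user["hash"] = _hash(new_pw, user["salt"])


if __name__ == "__main__":
    portal = Portal()
    print("links shown to user 7:", portal.links_for(7))
    print("flawed view of 102 as user 7:", portal.view_message_flawed(7, 102))
    try:
        portal.view_message(7, 102)
    except Forbidden as exc:
        print("corrected view of 102 as user 7: refused,", exc)
```
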
Deep linking, move alone (Score:5, Insightful)
This is simply a matter of deep linking. Just because there's no page with a link to a URL doesn't magically make the accessible URL off-limits. Security through obscurity isn't. If the governator didn't want people to get it they shouldn't have posted it on their web site. Or at least put some form of authentication on it.
Re: (Score:2)
You are even making it seem more exciting than this was. It wasn't security by anything. It was a public webserver without *any* standard protections enabled.
I wonder how soon there will be a draft of a bill to make any "unwanted intrusions" into a webserver illegal in CA.
Re: (Score:2)
Analogies are usually less apt than the author claims them to be, but I'll use one anyway: Saying that security through obscurity doesn't offer legal protection against intrusions is like saying that if I hide my house key under the door mat, then anyone is implicitly welcome to use it to come into my house (perhaps even to take my stuff, depending on how far you extend the analogy).
Is it the same (at least, for l
Re:Deep linking, move alone (Score:5, Insightful)
Fact of the matter is that this audio clip was put in a place that was easily found and was obviously placed there intentionally. If it wasn't there intentionally, the webmaster is responsible through negligence, not the opponent's campaign.
Oh, there's also the little matter of it being posted on the government's web site, which is supposed to belong to every resident of California...
Re: (Score:2)
I think your analogy is apt in general, except in this case it wasn't a key under a door mat. Files on an open, non-passwor
Re: (Score:2)
A webserver isn't your desktop computer. A webserver is a specific computer whose use is to give files to people who ask for them. If you put files on the webserver, you're making them public.
Someone noticed that there was a speeches directory, asked the webserver what was in it. The webserver cheerfully replied. The person asked "oh, that file looks good. Can I look at that?" The webserver cheerfully said "sure" and
Re: (Score:2)
Very bad analogy. First, you start by talking about "my house". This was a public web server. "Take my stuff". Nothing was "taken". Your analogy is about having things stolen from your home, eliciting a strong emotui
Re:Deep linking, move alone (Score:5, Insightful)
Re: (Score:2)
I guess there was an index page, password protected. But the actual MP3 files were in an open directory. Happens all the time. You often find interesting things by looking at the URLs for sample images, for instance. (See Fusker sites [wikipedia.org] for an application.)
Not "Hacking" (Score:5, Insightful)
I'm sorry, this is not "Hacking," it's the way the web works. They sent the web server a URL, requesting a document, and the web server gave it to them. They didn't do anything nefarious, underhanded, or tricky. They didn't claim to be anybody they weren't, there was no phishing or pretexting or anything like that involved.
Imagine they had called the governor's office and said "Hi, got anything incriminating about the guv on file?" and when told "Sure, would you like a copy?" they said "Yes please!" What would people think then? It's the same darned situation here.
--MarkusQ
Not Lame - Oppo Research (Score:2)
It's the fault of Arnold's team if they're too stupid to realize that putting something like th
Re:Not "Hacking" (Score:5, Insightful)
The difference, as I stated, is that they were using the system the way it was designed to work. The whole reason browsers have address bars is so that you can type in URLs. The reason web servers respond with a list of the files in a directory is so that users can type in a partial URL and get a comprehensible list of alternatives to choose from.
Spoofing, SQL injection, etc. involve using things in ways that they were never intended to be used, breaking them in order to get access to something that the system was designed to prevent access to. It is the exact opposite of what happened here.
And as for your final point, how are they supposed to know that they aren't supposed to have access to something, when it is made available to them using the basic public interface as it was designed to be used, and none of the dozen or so ways to prevent them from gaining access were used? That seems to me to be a much more dangerous precedent, since you could retroactively criminalize almost any use of a web site by saying "Well, you should have known that you weren't supposed to look at that page!" and suddenly you've made somebody into a cyberterrorist by fiat.
--MarkusQ
An analogy I give to people on this issue (Score:3, Insightful)
On
Re: (Score:2)
Back in the 70s, when I was at university we had login accounts and the word got around of a way to login that gave you a 9600 baud connection instead of 2400 (using a different server, I think). So naturally I used this until one day a tutor noticed and asked me what the hell I was doing on this system. I said using my account, he asked why that system; I
Of course it's not hacking (Score:2)
It's both nothing and everything. No difference between the two in terms that someone typed in a uri, lack of auditing/checking what goes up the webpage (in terms of plain directory listing or unescaped sql statements in script files), let someone got what they wanted. Both results in data ending up in the wr
Re: (Score:2)
Final note, time for bad analogy time - if anyone likens removing parts of a uri as an illegal act, think about stripping drm from an audio file - both involves bytes removed to have more raw access to the data (data that are not exactly given out).
Again, I'm not saying that what they did was illegal but probably unethical and certainly in poor taste.
Regardless, here's an analogy of mine that's actually true. I'm a medical student and in one of my courses there are small group sections that assign ho
Re: (Score:2)
403 Forbidden
Of course, if they were accessible, it might have been a test of honesty. If you are questioning ethics, that's a whole different subject. I only covered removal of uri to get to the parent directory, not changing the uri itself.
In the end, don't post what you don't want people to see on the Internet, and if you must, properly secure the files so it only gets to the intended recipients.
Re: (Score:2)
Session ids are usually much longer than 5 characters, and of a fixed length (such as a hexadecimal digit 32 bytes in length), not easily guessed. Most cases if there's a match, a more sophisticated method (say, gained from an XSS attack) is used to acq
Re: (Score:2)
Webservers are specifically designed to serve up content that is *anywhere* in their public webspace as long as there are no access restrictions on the content or directory that the content is in. A web application that suffers from an SQL injection vulnerability is not designed to give admin access to the application because someone knows some magic SQL code to put in a form field, that is a side effect of bad coding and not a designed function of the application.
It's poor design. An SQL injection atta
Re: (Score:2, Insightful)
A directory accessible by URL-chopping is a public place. Anyone with knowledge of semantics of URLs understands how to construct chopped URLs and use them to find information on a website.
Information placed in a public place is assumed to be public.
Re: (Score:2)
The key difference being that this person was exploiting a bug in the way the server parses URLs, rather than just entering a valid URL and getting a response. There's a big difference between exploiting a bug to get around existing security and using something correctly in the absence of any attempt at security.
--MarkusQ
Re: (Score:2)
Re: (Score:2)
Disparaging members of other races? Hardly (Score:5, Informative)
"I mean Cuban, Puerto Rican, they are all very hot," the governor says on the recording. "They have the, you know, part of the black blood in them and part of the Latino blood in them that together makes it."
the article continues...
'Garcia, who is Puerto Rican and the only Latina Republican in the assembly, appeared with Schwarzenegger yesterday and said she was not offended by the governor's comments. Garcia earlier told the Times that she refers to herself a "hot-blooded Latina."
"I love the governor because he is a straight talker just like I am," she said.'
That's not the actual statement. (Score:2)
The actual statement has to sound like the Terminator. Observe:
I mean Cuban, Puerto Rican, they are all very hot
Should be
I.MEAN.CUBAN.PUER.TO.RI.CAN.DEY.ARE.ALL.VER.Y.HOT.
[screen flickers between visible and infrared view, zooms in on a rodent in the wall]
[choice screen appears, -kill, -verbally abuse and process further, -ignore]
.FUCK.YOU.ASS.HOLE.
[At this point the person talking to Arnold should be alarmed and might actually gasp.]
The next statement should be kind of like this:
.THEY.HAVE.THE.
Re: (Score:3, Informative)
Yeah, except when he hides behind his ESL-credentials and says things like: "I never took steroids, besides, they weren't illegal when I took them." or "I believe that gay marriage should be between a man and a woman."
Personally, the guy who promised to come in as governor and apply fiscal discipline to solve California's budget crisis - and the first thing he does is put out a measure to borrow 8 billion dollars;
Straight-talkin
racial stereotypes are not harmless (Score:3, Insightful)
Disparaging? hardly. This is just a sensationalist way to report the news.
The problem is that many people believe that nonsense. And the guy is the governor..., he runs the state! Don't you think it's a little worrying he attributes personality traits to race?
There are many of these stereotypes. For instance, I read once that there is a strong 'masculine' stereotype to most things concerning the black race, and similarly a strong 'feminine' basis to most things asian. This may have its roots in
Re:Disparaging members of other races? Hardly (Score:4, Insightful)
Umm, no it's not, at least about as much as targeting Cosmo towards women is sexism. Racism requires either preferential treatment, prejudice or implicit or explicit claim of superiority. Simply attributing a neutral personality trait to a broad ethnic or cultural group and using historical ethnic or cultural heritage as supporting evidence is NOT racist. It's a broad generalization, maybe, but it implies no claim to superiority nor attempt to disparage.
It's ok to be hot-blooded? (Score:2)
Racism requires either preferential treatment, prejudice or implicit or explicit claim of superiority.
True.
Simply attributing a neutral personality trait to a broad ethnic or cultural group and using historical ethnic or cultural heritage as supporting evidence is NOT racist.
Being called hot-blooded is not a 'neutral personality trait'.
It's a very bad thing in many situations and would suggest that people of those races are not suited for certain tasks or positions in society.
Personally, I do
Re: (Score:3, Insightful)
are any of your personality traits due to your race or ethnicity?
Oh bollocks. Most of my personality traits are related to my ethnicity insofar as they usually go hand in hand with the cultural norms of the society they come from. Other than adopted children it rarely happens & even then, many people who are adopted into a different ethnic fa
Ok but pretending all races are the same is stupid (Score:5, Insightful)
Well, something else we know is that humans like to use generalities. We like to generalize traits, trends, whatever. Helps us deal with understanding overall patterns in data. Thus it should be no surprise that traits get generalized to races. Happens to other things too, you can see all the traits that get generalized to geeks (like not having girlfriends) here on Slashdot.
So if you are going to get all bent every time someone makes a race related observation, ask yourself why. Is it because you think they are a bad person, with a malfunctioning brain? Or maybe is it because you yourself find that you generalize based on things like race, but don't want to admit or verbalize it?
Look the answer to racial division in this country isn't to hide it, to try and pretend like we are all the same and make it taboo to talk about. The answer is to talk about it, to laugh about it, and to understand and accept it. We are all different, physically, mentally, socially, etc. We need to celebrate our differences and understand that they aren't a reason to hate. Trying to hide away from them and make them taboo won't do any good.
Re: (Score:3, Interesting)
I am very familiar with this, since my wife is asian. One day she asked me if I'm offended by her calling me a "white guy". Seriously.
Re: (Score:3, Insightful)
It would be correct to say "men are taller than women on average." To simply say, "Men are taller than women" is dumb; it's just factually incorrect. It's probably not that offensive, because of the context. For one thing, your height is relatively easily proven, so perceptions about your height ju
Re: (Score:3, Insightful)
"Hot" is a personality trait? I thought it was a set of physical features dictated by genetics.
Which by definition, is tied to race.
People of Asian descent are generally shorter than most people. That's not racist. It's genetics.
Re: (Score:2)
He said "hot" as in "hot-blooded", i.e. quick to temper, not "hot" as in "physically attractive". Being "hot-blooded" is indeed a personality trait and has nothing to do with physical features.
Re: (Score:2)
You must be using the term "hot" in a way unknown to the majority of men in the world. (Actually, more like all except you)
Yes and no (Score:3, Insightful)
Also, one's background (again not actual 'blood' or skin colour, but upbringing) tend to influence one's sexual behavior. In terms of actual genetic
Hot? (Score:2)
Re:Disparaging members of other races? Hardly (Score:5, Funny)
Actually, Arnie is being racist. His comment implies that those who don't have the "black blood" and the "Latino blood" don't "make it." Whatever the hell that means.
Re:Government Contract$ (Score:3, Insightful)
Wasn't this a crime in the UK? (Score:5, Interesting)
Re:Wasn't this a crime in the UK? (Score:5, Informative)
When the GST (tax) was launched here in 2000 the tax department had a web site where you could query something about your tax and the cgi script it used had an argument like ?tfn=nnnnnnn where the n's are your tax file number (9 digits).
So this guy tried a couple of combinations, got the details of others, and took it to the tax people with advice to change their security arrangements.
So they did, by locking him up.
Re: (Score:2)
Re: (Score:2)
Here's some info about it clipped from a law journal [nswscl.org.au]:
Re: (Score:2)
I feel like I'm taking crazy pills. (Score:2, Insightful)
Re: (Score:2)
Wait, are you hitting on Arnie???
Re: (Score:2)
Compliments can be racist. E.g. the classic "that black guy was so articulate during the job interview!", with its connotation that black people are usually inarticulate. Or the ever-popular "Asians are so smart and hard-working!". In both cases, the person probably means well, but they are still engaging in racist thinking: assuming that someone's race is an indicator of some other trait which is not, in fact, racial
all caught up now (Score:4, Funny)
Re: (Score:2, Insightful)
The context was "hot" as in "hot-tempered" or "hot-blooded", not like "am I hot or not?"
Whether "hot-tempered" is compliment or not is debatable. Certainly the accusations of being "hot-tempered" that people directed toward those of Irish ancestry in the late 19th and early 20th centuries, the time of "No Irish Need Apply" signs, were not compliments.
Re: (Score:2)
Big deal! (Score:2)
"I mean, they (Cubans and Puerto Ricans) are all very hot...they have the, you know, part of the black blood in them and part of the Latino blood in them and together that makes it,"
Big deal! I actually heard hispanics saying just the same kind of thing about themselves.
Re: (Score:2)
Totally. And that's exactly why I don't get why black people get all upset when I call them the N-word.
sounds like the grad student thing from a year ago (Score:3, Interesting)
predator, starring two future governors (Score:2)
Disparaging? (Score:4, Funny)
Re: (Score:2)
While I agree that his comments were not disparaging, he definitely did more than call one lady hot. He characterized a group of people in a particular way based on their race. I think mainly the idea is that it was probably in poor taste for a governor to say. I imagine that some people might interpret it as being indicative of a predilection for making generalizations a
Re: (Score:2)
Am I racist now?
Everything's hacking in the mind of idiots (Score:2, Insightful)
There are quite a lot of people who view competent computer use as a form of magic. They are deeply scared of technology, vote people into office who don't understand technology and expec
CHP (Score:5, Informative)
http://www.chp.ca.gov/html/history.html [ca.gov]
Re: (Score:2)
Heh heh..you know...because people used to call it that.
I give up.
Directory Listing Denied (Score:2)
Some free Apache Advice for ARRRNNOOLLDD (Score:2)
CHP == State Trooper (Score:2)
Re:CHP == State Trooper (Score:4, Informative)
So it's not all that odd that the CHP is running the investigation, other than the fact that there is obviously nothing illegal about accessing publicly-served pages from someone's webserver, so there shouldn't be an "investigation" at all.
UP button in browser (Score:2)
The Governor's sharing audio files? (Score:5, Funny)
beh... (Score:2)
Re:Disparaging Comments (Score:4, Funny)
Re:Disparaging Comments (Score:4, Funny)
Re: (Score:2, Informative)
Try the real version (Score:4, Insightful)
1. Republican (barely) makes SLIGHTLY off color remark that bothers no one, especially the woman the remark was about, who thought it was funny.
2. L. A. Times prints the story from an "anonymous" source without bothering to do any verification.
3. Despite no one with a functioning brain thinking the comment was anything to even care about, extensive media coverage is given to the blubbering hand wringing and panty soiling histrionics of various key Democrats, including Arnold's opponent, who act as if he was caught eating babies on video.
4. It is revealed that the file was taken from a computer by members of the Phil Angelides staff, possibly illegally, and that the L. A. Times probably knew more about the source than they originally let on, suggesting political dirty tricks collusion.
5. Not one mainstream reporter asks the Phil Angelides campaign what happened to their pledge of "sticking to the issues".
The leftists on Slashdot and elsewhere torture logic to the point that the UN considers issuing a stern finger wagging.
Re: (Score:2)
Surprised that almost no one has drawn parallels with the HP mess.
And, for contrast... (Score:3, Insightful)
But: such media coverage as
Schwarnazi?? (Score:3)