42 comments

[ 2.8 ms ] story [ 59.7 ms ] thread
Haven't looked, but most likely a dump from a 3rd party service where user's used government email as credentials, then isolated out to look like a bigger hack than it is?

33k is a lot though, and nothing to scoff at. But given the breath of scope in the addresses here, this looks less like a breach of a government agency and more like some social network, etc.

Bold is the man that tests leaked credentials against .mil domains.
Even behind a proxy, using TOR on some public/compromised wifi?
When the stakes are treason and/or Guantanamo Bay, you are still bold no matter how many precautions you take or maybe just stupid.
Could any computer crime be reasonably interpreted as treason given the fairly strict definition in the constitution?

  Treason against the United States, shall consist only
  in levying War against them, or in adhering to their
  Enemies, giving them Aid and Comfort. No Person shall
  be convicted of Treason unless on the Testimony of two
  Witnesses to the same overt Act, or on Confession in
  open Court.
It wouldn't surprise me to see the government try to claim "cyber warfare" meets the bill for "levying War against them", but I can't imagine the supreme court letting that stick.

edit: If you provided hacked information to a foreign power I could see that being considered giving aid to an enemy. My original question was more focused on the actual hacking itself than what you do with the information.

Treason would be a hard one because I think it only applies during wartime. But would any of our various unending wars qualify? War on terror, war on drugs? Maybe not since they weren't declared by congress.

It could be considered "light treason" however...

No, "the war on drugs" does not qualify for treason.
"The war on drugs" is not an actual war, it's just a catchphrase.
It's unlike it would be a Treason charge, though we are not required to be at war for that to apply. The reason would be the proof burden for Treason in court is very high, and set forth in Article III.

In truth it'd be likely to fall under federal statutes governing systems access, and probably I'd guess the 1917 Espionage Act.

Aside from Presidential speeches, the "wars" in Iraq and Afghanistan were never formally ended.
It's just not worth tickling the dragon's tail. What would be the motivation for anyone to even try (except for maybe government-sponsored hackers in China who are probably safe from extradition and personal blame)?

Even if you bought a laptop from someone in another state on Craigslist with cash and connected to public Wi-Fi (without a cellphone on your person, of course)... I still would not feel confident that NSA couldn't track you down if you gave them a good reason to.

>What would be the motivation for anyone to even try except for maybe government-sponsored hackers in China

For the lulz

Law enforcement will absolutely go interview the person you bought with cash from and get a sketch, maybe even a license plate off surveillance near your meeting place. Cash transactions make tracing involve more schlep than a SQL query, but they are not close to anonymous.
How is it possible to uniquely identify a computer's hardware from over the internet?

Do you think there is a database that connects an identifying factor of all computers to their owners?

A computer vendor could maybe keep a list of device serial numbers/MAC addresses, along with non-cash payment methods, but how could law enforcement legally acquire such data, if not authorized in a specific case?

And if there is a specific case, what is the likelihood that an investigator could determine a device's serial number/MAC from over the internet(how is that even possible?) and then locate the original vendor then locate the original purchaser?

The crux of this seems to be somehow uniquely identifying a device over the internet. A vendor having a database of items sold + payment method seems more plausible.

Isn't an IP address the only identifying factor of a machine transmitted over the internet? And IP addresses aren't permanently tied to machines. Even if theoretically an IP address could somehow be used to acquire the connected MAC addresses, doesn't TOR prevent that?

I'm not an expert on this, if something is wrong here, or I'm missing something, I'd be happy to learn.

You'd need at least a little bit of remote code execution on the perpetrator's machine to lift his MAC address. Not guaranteed, but plausible.

I expect the manufacturer to have a database correlating MAC address, serial number, date the device left the factory, and where (i.e. which retail store) it was shipped to.

I expect the retail store's inventory tracking system to know when the device with that serial number was sold, by which cashier, at which register.

If it doesn't know the (tokenized) credit card number and name on card directly, I expect the store to be able to find its copy of the receipts from that register at that time, which would contain the last 4 digits and name on card.

If the purchase was relatively recent, I expect video of the register at that time.

If the purchase was in cash but the video is still around, I'd also expect video of the purchaser walking out to his car, and (maybe separately) a shot of that car with good enough resolution to pick out the license plate.

I don't think Joe Credit Card Fraudster gets this kind of attention, but someone who is believed to be a credible national security threat... absolutely.

This is all true, but it assumes optimal data retention by retailers, and a government agency with the skills (and willpower) to do the legwork.

In reality, I would expect that one or more of those elements in the chain to be broken. Retailer lost their backups. Changed systems, threw out the old one. Doesn't keep records that far back. Etc.

I agree there is a possibility they could track all these steps, but it would require everything working perfectly (from the authorities' POV)

If the purchase was in cash for a second hand item (possibly third hand or more) then it becomes very dificult to track the buyer down. Look around a second hand store for a laptop that is more than a few years old and it is likely to have had at least one other owner since the original purchase. Do not use the laptop for at least 1 week, that way any CCTV from the store has been overwritten and really by the time they manage to trace it from the manufacturer through any owners and on to the second hand store it will be perhaps 2 weeks after purchase. At this stage even public CCTV records will start to be overwritten. If you bought one well in advance, i.e. 2 or even 3 months before you used it then it would make it nigh on impossible to find the buyer.

As an added level of security, a month after buying it make a post on craigslist to sell it as broken/not working. send an email to yourself from an internet cafe offering to buy it. Via email arrange a trade at a location without any CCTV. Plausible deniability if the police do ever show up at your door.

I'm behind 7 proxies bro. Nah. jk If the NSA wants you, you're toast.
I think the point is that some idiot is (clearly) going to be dumb/ballsy enough to try, which brings up one of my biggest pain points about surveillance / gov't power:

What can be done with those logins by someone NOT employed by the government to harm ME?

This is the kind of thing that needs to be brought up in arguments when politicians pine for safety and surveillance. The history shows us over and over that the information cannot be controlled.

You need a smart card to access those applications.
Interesting. The hashes seem to be sha512crypt ($6$) in two flavors: One specifying 5000 rounds and using a fixed salt of 'usesomesillystri', and the other is... odd. It's in the format of '$6$rounds=50$....', which I think means that rounds=50 will be interpreted as a salt, but I'm not sure. Most of them are the latter format.
Does anyone know the origin of "usesomesillystri" as a salt? Googling that string found more results than I expected, but most of them are from password files with no explanation.

I found some PHP example code that tries to use "usesomesillystringforsalt" as a salt, is this just the aftermath of people writing real websites based on online examples? It seems a bit more pervasive in password dumps across the internet than I would expect unless it's in a really high profile example somewhere.

edit: It appears to be used in the official PHP documentation for crypt[0].

[0] http://php.net/manual/en/function.crypt.php

I guess they missed this part of that example:

  /* These salts are examples only, and should not be used verbatim in your code.
    You should generate a distinct, correctly-formatted salt for each password.
  */
(comment deleted)
Copy paste. I had a fun exercise with a client that said they don't need a process to control the take in, audit and validation of 3rd party (mainly open source) code in their SDLC process because they strictly prohibit it in their coding policy.

I ran a code plagiarism tool on the top 500 github repos and on some list of the top most common code questions from stackoverflow and found 1000's of hits on only a small part of their code base with even comments copied directly from stack being not to uncommon.

In one particular instance it was a perfect storm of stupidity they had some code that was supposed to take user provided files and store them on S3 the example they copied from actually had a valid AWS access token of another company if that code was live the files which would be mainly their customers invoices and tax info could've ended up on some one else's server.

After that afternoon I never had a single pushback from neither their head of development nor their compliance guys ever again.

Link has been deleted, does anyone have a mirror?
Appears to have been reported to Google, Reddit, and the Internet Archive for removal.
I think it's too late to get rid of it anyway.
True. Which is why the swarms' IPs are being logged.
What good will that do?
Tell you who is downloading leaked passwords for government employees?

I mean, shitty people gonna be shitty. Not much you can do about that, except kick down their door if you're law enforcement.

Yeah right. People downloading and seeding this are doing nothing wrong. If you want to do something useful you could try notifying account holders.
> People downloading and seeding this are doing nothing wrong.

You should consider the argument you'd make that downloading, possessing, and publishing (if seeding) US government employee credentials doesn't violate the Computer Fraud and Abuse Act.

Copyright violations are one thing. The US government has unending resources. And they've had no problems whatsoever extraditing people from countries all over the world (including Canada and Germany) for computer crimes: https://www.judiciary.senate.gov/imo/media/doc/2-4-14%20Rama...

> You should consider the argument you'd make that downloading, possessing, and publishing (if seeding) US government employee credentials doesn't violate the Computer Fraud and Abuse Act.

As usual the rest of the world is not a place within the US. It's a shame some people keep overlooking that.

See my sibling post. We extradite (successfully) frequently for computer crimes.
A comment in the Reddit thread says that the breach includes some .edu credentials as well:

alum.mit.edu stu.aii.edu student.monroecc.edu mail.mst.edu missouri.edu usnwc.edu jfsc.ndu.edu utsa.edu hsl.harvard.edu itt-tech.edu scad.edu gmu.edu ohsu.edu my.sinclair.edu

I haven't downloaded the file to confirm. But if you've got an account at one of the above domains, you should consider that password compromised and rotate it, there and anywhere else that uses the same value. (And consider not re-using passwords, if the latter case applies to you.)

Top used domains:

       5823 gmail.com
       2339 yahoo.com
       1510 hotmail.com
       1078 gsa.gov
       800 navy.mil
       594 mail.mil
       571 usace.army.mil
       474 us.af.mil
       474 aol.com
       280 comcast.net
       227 sbcglobal.net
       208 msn.com
       202 va.gov
       158 us.army.mil
       153 verizon.net
       142 gilbaneco.com
       140 live.com
       138 cox.net
       124 usmc.mil
       120 nasa.gov
       113 earthlink.net
       111 outlook.com
       107 att.net
       103 nps.gov
       94 usc.edu
       87 mail.missouri.edu
       81 faa.gov
       77 me.com
       74 mac.com
       69 hdrinc.com
       69 fs.fed.us
       69 dla.mil