Haven't looked, but most likely a dump from a 3rd party service where user's used government email as credentials, then isolated out to look like a bigger hack than it is?
33k is a lot though, and nothing to scoff at. But given the breath of scope in the addresses here, this looks less like a breach of a government agency and more like some social network, etc.
Could any computer crime be reasonably interpreted as treason given the fairly strict definition in the constitution?
Treason against the United States, shall consist only
in levying War against them, or in adhering to their
Enemies, giving them Aid and Comfort. No Person shall
be convicted of Treason unless on the Testimony of two
Witnesses to the same overt Act, or on Confession in
open Court.
It wouldn't surprise me to see the government try to claim "cyber warfare" meets the bill for "levying War against them", but I can't imagine the supreme court letting that stick.
edit: If you provided hacked information to a foreign power I could see that being considered giving aid to an enemy. My original question was more focused on the actual hacking itself than what you do with the information.
Treason would be a hard one because I think it only applies during wartime. But would any of our various unending wars qualify? War on terror, war on drugs? Maybe not since they weren't declared by congress.
It's unlike it would be a Treason charge, though we are not required to be at war for that to apply. The reason would be the proof burden for Treason in court is very high, and set forth in Article III.
In truth it'd be likely to fall under federal statutes governing systems access, and probably I'd guess the 1917 Espionage Act.
It's just not worth tickling the dragon's tail. What would be the motivation for anyone to even try (except for maybe government-sponsored hackers in China who are probably safe from extradition and personal blame)?
Even if you bought a laptop from someone in another state on Craigslist with cash and connected to public Wi-Fi (without a cellphone on your person, of course)... I still would not feel confident that NSA couldn't track you down if you gave them a good reason to.
Law enforcement will absolutely go interview the person you bought with cash from and get a sketch, maybe even a license plate off surveillance near your meeting place. Cash transactions make tracing involve more schlep than a SQL query, but they are not close to anonymous.
How is it possible to uniquely identify a computer's hardware from over the internet?
Do you think there is a database that connects an identifying factor of all computers to their owners?
A computer vendor could maybe keep a list of device serial numbers/MAC addresses, along with non-cash payment methods, but how could law enforcement legally acquire such data, if not authorized in a specific case?
And if there is a specific case, what is the likelihood that an investigator could determine a device's serial number/MAC from over the internet(how is that even possible?) and then locate the original vendor then locate the original purchaser?
The crux of this seems to be somehow uniquely identifying a device over the internet. A vendor having a database of items sold + payment method seems more plausible.
Isn't an IP address the only identifying factor of a machine transmitted over the internet? And IP addresses aren't permanently tied to machines. Even if theoretically an IP address could somehow be used to acquire the connected MAC addresses, doesn't TOR prevent that?
I'm not an expert on this, if something is wrong here, or I'm missing something, I'd be happy to learn.
You'd need at least a little bit of remote code execution on the perpetrator's machine to lift his MAC address. Not guaranteed, but plausible.
I expect the manufacturer to have a database correlating MAC address, serial number, date the device left the factory, and where (i.e. which retail store) it was shipped to.
I expect the retail store's inventory tracking system to know when the device with that serial number was sold, by which cashier, at which register.
If it doesn't know the (tokenized) credit card number and name on card directly, I expect the store to be able to find its copy of the receipts from that register at that time, which would contain the last 4 digits and name on card.
If the purchase was relatively recent, I expect video of the register at that time.
If the purchase was in cash but the video is still around, I'd also expect video of the purchaser walking out to his car, and (maybe separately) a shot of that car with good enough resolution to pick out the license plate.
I don't think Joe Credit Card Fraudster gets this kind of attention, but someone who is believed to be a credible national security threat... absolutely.
This is all true, but it assumes optimal data retention by retailers, and a government agency with the skills (and willpower) to do the legwork.
In reality, I would expect that one or more of those elements in the chain to be broken. Retailer lost their backups. Changed systems, threw out the old one. Doesn't keep records that far back. Etc.
I agree there is a possibility they could track all these steps, but it would require everything working perfectly (from the authorities' POV)
If the purchase was in cash for a second hand item (possibly third hand or more) then it becomes very dificult to track the buyer down. Look around a second hand store for a laptop that is more than a few years old and it is likely to have had at least one other owner since the original purchase. Do not use the laptop for at least 1 week, that way any CCTV from the store has been overwritten and really by the time they manage to trace it from the manufacturer through any owners and on to the second hand store it will be perhaps 2 weeks after purchase. At this stage even public CCTV records will start to be overwritten. If you bought one well in advance, i.e. 2 or even 3 months before you used it then it would make it nigh on impossible to find the buyer.
As an added level of security, a month after buying it make a post on craigslist to sell it as broken/not working. send an email to yourself from an internet cafe offering to buy it. Via email arrange a trade at a location without any CCTV. Plausible deniability if the police do ever show up at your door.
I think the point is that some idiot is (clearly) going to be dumb/ballsy enough to try, which brings up one of my biggest pain points about surveillance / gov't power:
What can be done with those logins by someone NOT employed by the government to harm ME?
This is the kind of thing that needs to be brought up in arguments when politicians pine for safety and surveillance. The history shows us over and over that the information cannot be controlled.
Interesting. The hashes seem to be sha512crypt ($6$) in two flavors: One specifying 5000 rounds and using a fixed salt of 'usesomesillystri', and the other is... odd. It's in the format of '$6$rounds=50$....', which I think means that rounds=50 will be interpreted as a salt, but I'm not sure. Most of them are the latter format.
Does anyone know the origin of "usesomesillystri" as a salt? Googling that string found more results than I expected, but most of them are from password files with no explanation.
I found some PHP example code that tries to use "usesomesillystringforsalt" as a salt, is this just the aftermath of people writing real websites based on online examples? It seems a bit more pervasive in password dumps across the internet than I would expect unless it's in a really high profile example somewhere.
edit: It appears to be used in the official PHP documentation for crypt[0].
/* These salts are examples only, and should not be used verbatim in your code.
You should generate a distinct, correctly-formatted salt for each password.
*/
Copy paste.
I had a fun exercise with a client that said they don't need a process to control the take in, audit and validation of 3rd party (mainly open source) code in their SDLC process because they strictly prohibit it in their coding policy.
I ran a code plagiarism tool on the top 500 github repos and on some list of the top most common code questions from stackoverflow and found 1000's of hits on only a small part of their code base with even comments copied directly from stack being not to uncommon.
In one particular instance it was a perfect storm of stupidity they had some code that was supposed to take user provided files and store them on S3 the example they copied from actually had a valid AWS access token of another company if that code was live the files which would be mainly their customers invoices and tax info could've ended up on some one else's server.
After that afternoon I never had a single pushback from neither their head of development nor their compliance guys ever again.
> People downloading and seeding this are doing nothing wrong.
You should consider the argument you'd make that downloading, possessing, and publishing (if seeding) US government employee credentials doesn't violate the Computer Fraud and Abuse Act.
Copyright violations are one thing. The US government has unending resources. And they've had no problems whatsoever extraditing people from countries all over the world (including Canada and Germany) for computer crimes: https://www.judiciary.senate.gov/imo/media/doc/2-4-14%20Rama...
> You should consider the argument you'd make that downloading, possessing, and publishing (if seeding) US government employee credentials doesn't violate the Computer Fraud and Abuse Act.
As usual the rest of the world is not a place within the US. It's a shame some people keep overlooking that.
I haven't downloaded the file to confirm. But if you've got an account at one of the above domains, you should consider that password compromised and rotate it, there and anywhere else that uses the same value. (And consider not re-using passwords, if the latter case applies to you.)
42 comments
[ 2.8 ms ] story [ 59.7 ms ] thread33k is a lot though, and nothing to scoff at. But given the breath of scope in the addresses here, this looks less like a breach of a government agency and more like some social network, etc.
edit: If you provided hacked information to a foreign power I could see that being considered giving aid to an enemy. My original question was more focused on the actual hacking itself than what you do with the information.
It could be considered "light treason" however...
In truth it'd be likely to fall under federal statutes governing systems access, and probably I'd guess the 1917 Espionage Act.
Even if you bought a laptop from someone in another state on Craigslist with cash and connected to public Wi-Fi (without a cellphone on your person, of course)... I still would not feel confident that NSA couldn't track you down if you gave them a good reason to.
For the lulz
Do you think there is a database that connects an identifying factor of all computers to their owners?
A computer vendor could maybe keep a list of device serial numbers/MAC addresses, along with non-cash payment methods, but how could law enforcement legally acquire such data, if not authorized in a specific case?
And if there is a specific case, what is the likelihood that an investigator could determine a device's serial number/MAC from over the internet(how is that even possible?) and then locate the original vendor then locate the original purchaser?
The crux of this seems to be somehow uniquely identifying a device over the internet. A vendor having a database of items sold + payment method seems more plausible.
Isn't an IP address the only identifying factor of a machine transmitted over the internet? And IP addresses aren't permanently tied to machines. Even if theoretically an IP address could somehow be used to acquire the connected MAC addresses, doesn't TOR prevent that?
I'm not an expert on this, if something is wrong here, or I'm missing something, I'd be happy to learn.
I expect the manufacturer to have a database correlating MAC address, serial number, date the device left the factory, and where (i.e. which retail store) it was shipped to.
I expect the retail store's inventory tracking system to know when the device with that serial number was sold, by which cashier, at which register.
If it doesn't know the (tokenized) credit card number and name on card directly, I expect the store to be able to find its copy of the receipts from that register at that time, which would contain the last 4 digits and name on card.
If the purchase was relatively recent, I expect video of the register at that time.
If the purchase was in cash but the video is still around, I'd also expect video of the purchaser walking out to his car, and (maybe separately) a shot of that car with good enough resolution to pick out the license plate.
I don't think Joe Credit Card Fraudster gets this kind of attention, but someone who is believed to be a credible national security threat... absolutely.
In reality, I would expect that one or more of those elements in the chain to be broken. Retailer lost their backups. Changed systems, threw out the old one. Doesn't keep records that far back. Etc.
I agree there is a possibility they could track all these steps, but it would require everything working perfectly (from the authorities' POV)
As an added level of security, a month after buying it make a post on craigslist to sell it as broken/not working. send an email to yourself from an internet cafe offering to buy it. Via email arrange a trade at a location without any CCTV. Plausible deniability if the police do ever show up at your door.
What can be done with those logins by someone NOT employed by the government to harm ME?
This is the kind of thing that needs to be brought up in arguments when politicians pine for safety and surveillance. The history shows us over and over that the information cannot be controlled.
I found some PHP example code that tries to use "usesomesillystringforsalt" as a salt, is this just the aftermath of people writing real websites based on online examples? It seems a bit more pervasive in password dumps across the internet than I would expect unless it's in a really high profile example somewhere.
edit: It appears to be used in the official PHP documentation for crypt[0].
[0] http://php.net/manual/en/function.crypt.php
I ran a code plagiarism tool on the top 500 github repos and on some list of the top most common code questions from stackoverflow and found 1000's of hits on only a small part of their code base with even comments copied directly from stack being not to uncommon.
In one particular instance it was a perfect storm of stupidity they had some code that was supposed to take user provided files and store them on S3 the example they copied from actually had a valid AWS access token of another company if that code was live the files which would be mainly their customers invoices and tax info could've ended up on some one else's server.
After that afternoon I never had a single pushback from neither their head of development nor their compliance guys ever again.
I mean, shitty people gonna be shitty. Not much you can do about that, except kick down their door if you're law enforcement.
You should consider the argument you'd make that downloading, possessing, and publishing (if seeding) US government employee credentials doesn't violate the Computer Fraud and Abuse Act.
Copyright violations are one thing. The US government has unending resources. And they've had no problems whatsoever extraditing people from countries all over the world (including Canada and Germany) for computer crimes: https://www.judiciary.senate.gov/imo/media/doc/2-4-14%20Rama...
As usual the rest of the world is not a place within the US. It's a shame some people keep overlooking that.
"Uploaded: 2016-04-20 13:55:48 GMT"
https://thepiratebay.se/torrent/14371033/US_Government_Data
(Found by googling magnet info hash)
alum.mit.edu stu.aii.edu student.monroecc.edu mail.mst.edu missouri.edu usnwc.edu jfsc.ndu.edu utsa.edu hsl.harvard.edu itt-tech.edu scad.edu gmu.edu ohsu.edu my.sinclair.edu
I haven't downloaded the file to confirm. But if you've got an account at one of the above domains, you should consider that password compromised and rotate it, there and anywhere else that uses the same value. (And consider not re-using passwords, if the latter case applies to you.)