Thursday, April 30, 2015

Final: What's all the Buzz About?

Full disclosure: I neglected to write down specific feedback received in class, and that's my own fault. Feedback received as comments on my draft has been noted.

Hacking isn’t all about little guys and questionable governments. Hacking can be, and is, also done by large companies, to many of which we freely give troves of personal information. Take Google, for instance. Do you have a Gmail account? If so, think about all the information that has passed through that account. Google now has a copy of it. Surely they wouldn’t do anything nefarious with it, right? Well, they did with Google Buzz. While the idea of consent shouldn’t be a fuzzy gray area, it often is, and Google used that to their advantage.

So what happened? In 2010, Google casually dropped an email in every Gmail user’s inbox. They were promoting a new service called Buzz. The email was light on details, and prompted interested users to click a link to learn more. That seems innocent enough, until one realizes that link is an opt-in button for the service. One click and Buzz was enabled. Once activated, Buzz analyzed the user’s Google account, including their entire email history. Some information was made public by default, like who the user interacts with often (with full names and email addresses). Did users really consent to this? I would argue that they did not.

We’re all very familiar with the EULA – End User License Agreement. They can be dozens or hundreds of pages long, and few users ever read even the first line. Those who do are met with endless legalese that makes little to no sense for the average person. Sound familiar? The same thing happened a few years ago before the housing bubble burst. Thousands of families, who by all proper standards were not fit to have a mortgage, were pushed into signing cryptic documents on the premise of a mortgage. Many later discovered hidden fees and steep penalties lurking in those documents, and hundreds went into foreclosure because of them. The problem? They didn’t really understand to what they were agreeing. The same is true for Google’s user agreement. Nobody truly understands what we’re giving Google “permission” to do.

In this case, consent to Google’s user agreement could be called tacit. That is, we all check the box saying we’ve read and agreed, but don’t actually take the time to figure out what we’re agreeing to. In addition, a majority of users (in most cases) won’t take any action if they discover Google is doing naughty things with their information. A. John Simmons notes tacit consent is “given by remaining silent and inactive; …it is expressed by the failure to do certain things” (Simmons 279). By continuing to use Google’s services, even those not connected to Buzz, users tacitly consented to Buzz’s practices. Apathy can be dangerous, as seen with Buzz. Without taking any action, troves of personal information remained available with no protections. Was this right for Google to do? Absolutely not, and they received strong backlash for it. Tacit consent only worked as long as users remained ignorant of what was happening. With Buzz, that changed quickly.

On the idea of ownership (as it applies to consent), Google puts users in a predicament. In order to use Google’s services as advertised, and to their full capability, users must provide some amount of personal information. By actively providing this information, users are exercising explicit consent, in that the information is provided willingly. What’s interesting to consider is that at that point, who owns the data? Does it still belong to the user, or does Google take ownership once it’s on their servers? While John Doe still owns the rights to his own name, Google’s user agreement grants them the rights to do whatever they please with their copy of John Doe, and any other information connected to him. John wanted to use Google services, so he had to provide some of his information. In a sense, he entered into a social contract with Google, to which John Rawls notes, “unjust social arrangements are themselves a kind of extortion, … and consent to them does not bind” (Simmons 277). To reiterate, Google required information in order to use their services. The only alternative option is to not use the service, and we all secretly judge people who don’t have an @gmail.com email address. Enough said on that.

Like the newer Google+, the grand idea behind Buzz was to create a new social network—one that users would welcome into their private lives with open arms. Google’s aim was likely to collect information for marketing purposes, and provide ultra-targeted advertising and content suggestions based on email conversations and frequent contacts. Some people just don’t want that. Personally, I block all ads. If one slips through my filters, I block it manually. I don’t care what Google wants me to see; I care what I want to see. I consent to Google’s data mining to a very small extent, and I control my settings tightly. If they try to pull some shady business, I speak out (as should everyone). Advertising can be a cash cow, so Buzz was a great business idea. Google just took it way too far.

Reference: Simmons, A. John. "Tacit Consent and Political Obligation." Philosophy and Public Affairs 5.3 (1976): 274-91. Print.

Tuesday, April 28, 2015

Final Social Engineer Task



For my last task, I chose to go dumpster diving in my neighborhood. Dumpster diving is the act of digging through people's trash to find information that can be useful in an attack.

A couple of my neighbors always put their rolling trash containers out a day before the trash truck collects them, because sometimes the trash collectors pick it up early in the morning. Before I got to my house I quickly pulled a bag out of my next door neighbor’s trash bin and took it home. I was unlucky because there was nothing but garbage. It was so gross, but I didn’t give up just yet. Later that night I went to a different area in the neighborhood and grabbed 3 different homes’ trash bags. I was trying to look for mail, but most of it was torn apart. Luckily, I found a Chinese take-out bag. There was a receipt stapled to it with the person’s name, address, and phone number. Mission accomplished. I was able to retrieve valuable information on one of my neighbors through their trash. Most of them tore up their mail, but I guess because it was just a food receipt they didn't think twice about it.

My strategy was to do it as fast as possible and to act casual. There was no one in sight both times so I was pretty lucky. I’m glad I went back and grabbed more than one bag.

The moral stake is to be cautious of handling valuable information even when discarding, because your trash can be someone else’s treasure.

There are many things I can do with this information. With just this person’s first and last name, I can do a Google search on her. I would be able to retrieve online accounts and maybe even find images of them.

When I went through people’s trash, I was disgusted but I wanted to do something interesting and different. I was afraid someone would rush out their home and freak out but I’m glad no one did. 

Final social engineering task:

I had no idea what to do for a task until today. I didn't know where to break into, didn't know who to follow, so I almost didn't do one. When I got to the school today I walked around looking for something to do. I walked into the computer lab to see if I could get into somewhere. I walked into the central office as soon as I saw the big guy walk out, I looked to my right and saw extra paper used for printing. I simply took one. When the help desk guy saw me, I simply smiled and said "I need this". I didn't expect it to be that easy, to be honest, mostly because the timing was perfect.

Final Social Engineering Task

My task this week was to see if I can get a stranger to give me money; any amount.

I decided to kill two birds with one stone and head to the vending machine to get a snack. Once I arrived at the vending machine, I decided to grab something that was almost two dollars. I inserted some change, which wasn't enough. I decided to put on the act and act like I was checking my pockets thoroughly for loose change.

Then as some people walked by, I asked them each if they could spare $.75; they said "no sorry, I don't have it." The third person walked by and I asked and they said "no sorry, I don't have it." All of a sudden he turned around, pulled out his wallet and gave me a dollar. I gladly took it, smiled and said thank you!

I felt bad asking because I could've just had the machine return my change and used my ATM card. I could've stayed there and continued to ask each person walking by, just to see how much I could rack up, but that would be wrong, taking someone's hard earned money for a measly snack.

It's nice to know that there are still kind people out there.

-Mz Queen Green

Monday, April 27, 2015

Social engineer challenge choice,

Sorry, I thought I posted it on Tuesday but forgot.

For my social engineer task I am going to try to get into the VPNE office of Boston Children's Hospital by lying about my identity. I have a doctor's appointment in that hospital tomorrow, so I figure I'll give it a try and get into that office. I will provide pictures to prove it.

Thanks, I'll update with results tomorrow.


Social Engineering Challenge ...whatever number: I Know What You Did Last Winter

My final task was to get a fellow player's home address without following them home.

All geographical identifying information will be abbreviated. I'm relying on my target to confirm this information.

I already knew Agent Raven Blue lives in M, so I decided to target her. We were talking after class last week, and she expressed doubt that I could pull it off. So confident was she, that she openly informed me that she lives on G St. I wasn't sure if this was true or misdirection, but I ran with it.

To the Internet! A Google search of Agent Raven Blue's name revealed her Twitter profile. I was looking for pictures...aaaaaand...a-ha! January 27th. The Blizzard. Agent Raven Blue posted a picture from a residential area, which I interpreted to suggest this is her apartment:

On second thought, I'm not going to post these images. A clever mind could reverse-search them and determine the location. The images are available for review offline if needed.

Now, armed with this view and G St, I took to Google Street View. I went down G St. It didn't take long to find the green house opposite the white house. Seen below:

Second image also redacted.

You'll notice the white house on the left, the green house on the right, and the side street just before it.

Turning the view around, I noticed a multi-story building with balconies that could have had the above view. The building's ground floor had some lettering, and a quick Google search revealed the address.

Agent Raven Blue lives at XX G St in M, likely on the third floor. I'll let her confirm this.

Mission accomplished. I've learned that I'm a decent Internet sleuth, and I'm not to be underestimated.

With this information, I could do a lot of things. Good thing I don't have nefarious purposes for getting this information!

- The Admiral

Final Mission!

This week my mission was to gain access back into the previous building that I was in, Cheeseboy. This time I would re-gain entry AND take photo evidence that I got into their test kitchen and grabbed something from the refrigerator.

My strategy was to enter through a back door that I noticed last time I was there. I knew that the kitchen was right along that side of the building and hoped to get in and out during lunch hour. It was pretty quiet in the building, but I was still afraid of being seen by the same manager as last time. However, I just went for it...

Mission Complete!!

My strategy to enter through the back door quietly worked! I did feel slightly bad for sneaking around and was nervous about what was around each corner. I learned that physical security is just as important as cyber-security for a company. Once the physical layer is infiltrated, everything is at risk, like their fridge, or confidential information. Now that my final mission is over, I will leave Cheeseboy alone. These missions were a blast (especially since I didn't get caught) and they taught me a lot.
(I think I even managed to get extra credit on this one, you will see what I mean in class tomorrow.)

Til then!!


Social Engineering final task: "Get 5 phone numbers"

For my final task I wanted to get someone to give me their cell phone and I will copy 5 phone numbers from their contact list without them noticing.

My principal target for this task was my co-worker. I disabled the WiFi adapter on my laptop so it couldn’t connect, and I claimed that I had tried everything to fix it but nothing worked. I asked her if she has the hotspot feature on her smart phone; I was sure her phone had it since it's an iPhone 4. She said that she didn't know what it is, so I explained the concept and said that I just needed to try whether my laptop would connect to another wireless network. I also explained that I don't have that feature on my phone since I have to call the phone provider and I haven't done it yet. She accepted and gave me her phone unlocked. I activated the hotspot, and before doing anything with it, I asked her if I could go grab something from my office quickly. She said that was fine, and I said I would bring her phone back right away. I went to my desk, went through the contact list, opened the first 5 and took a picture of them with my phone (took less time than copying). I went back and gave her her phone. Mission accomplished: I had the 5 phone numbers without being noticed.

My strategy was effective, even though if I had to target a stranger, it would be a lot harder.

I didn’t like lying and going through my coworker's private data. This is one of the missions that I didn't like doing, which is a little weird since I chose it. I regretted it, but also felt relieved since this was my last task of the semester.

Social Engineering Task Proposal

For my task of choice I would like to see if I can get a stranger to give me money; any amount.

Friday, April 24, 2015

Draft for final Project- "Defenders of the Defenseless"

“Defenders of the Defenseless”: can Anonymous truly make these claims? In an interview with CNN, Anonymous was asked why they would get involved in certain types of cases such as rape or hate cases when they are supposedly “The Rulers of the Internet”. I too have questioned why they get involved, and that’s when the Defenders of the Defenseless comment was brought up. My issue with this is how Anonymous can call themselves the defenders of the defenseless if they only try to get involved in high profile cases.

I have noticed that they get involved in cases where the victim or guilty has been treated unfairly or an error has been made within the case or trial, but upon further investigation they only target the cases that are the most covered or televised. It makes me wonder if maybe they get involved because, yes, they believe that something wrong was done and someone needs to make a stand, but also to get more media attention for themselves. Are their actions done because they truly believe in the cause or case, or are they just seeking the media attention? I want to believe that it’s more than just an attention getting act because I believe in some of the things Anonymous stands for. I have followed Anonymous for years and have been intrigued by their protests and hacktivism activities. That’s not to say I haven’t been frustrated or disagreed with some of them as well.

I tried to find a word better than the phrase defenders of the defenseless that could really describe what Anonymous is: vigilantes, which is defined as members of a self-appointed group of citizens who undertake law enforcement in their community without legal authority, typically because the legal agencies are thought to be inadequate. The big question after reading that is whether that is what Anonymous is and whether what they are doing is actually in defense of the defenseless. In one instance they protested the Westboro Baptist Church, which planned to protest the Newtown memorial service. In this situation I would have agreed, but the way they did it seemed more harmful than helpful. Anonymous released addresses and phone numbers of members of the church, thus endangering anyone who lived there, including innocent children. There is a phrase that says two wrongs don’t make a right. That seems to be true in most cases. Also, in how many cases have the victims asked for Anonymous's help? It seems Anonymous is more bent on the punishment than the help. A better term for them to use is maybe “Punishers of the Wrong.” A clear picture pops into my head when I think of defending the defenseless, and it’s a mother protecting her child; that is defending the defenseless.

Do the research: do you think Anonymous are the “Defenders of the Defenseless”?


Wednesday, April 22, 2015

Mission of my choice!

This week my mission will be to gain access back into the previous building that I was in, Cheeseboy. This time I re-gain entry AND will take photo evidence that I got into their test kitchen and grabbed something from the refrigerator.

Wish me luck!

Social Engineering Final proposal: "Get 5 phone numbers"

For my final task I wanted to propose to get someone to give me their cell phone and I will copy 5 phone numbers from their contact list without them noticing.

Social engineering - My choice!

I was thinking I would attempt to slip a picture of myself into a fellow player's or professor's car/truck. It must be inside of the car or truck without the fellow player noticing.

Tuesday, April 21, 2015

Draft: Blame and Fairness

A Brighton man by the name of Shahab “David” Yousheei was arrested in an undercover sting operation at Boston Common. Yousheei and his crew had a kiosk in Downtown Crossing where he sold items with a credit card encoder. He then stole his customers' identities to open credit cards, used those fraudulent credit cards to purchase gift cards, used those gift cards to buy merchandise (including iPads, cellphones, etc.), and resold that merchandise for profit. This scheme makes it harder to trace and allows them to make cash with stolen identities.

Yousheei stole thousands of dollars' worth of items through identity theft. He and his crew repeatedly used the same scheme. They saw an open opportunity and the lack of responsibility from customers not protecting their identity, and took advantage to steal from them. Identity fraud is against the law, but it makes me wonder if it’s entirely the attacker’s fault that the victim is not protecting their identity. This leads to the moral aspect of blame. Philosopher John Rawls's A Theory of Justice (1971) stated fair circumstances for everyone to have the opportunity to pursue their aims. People argued that blame leans more towards personal responsibilities. So who’s at fault? I do believe identity theft is wrong, but I also believe it is a person’s responsibility to protect their identity. Rawls believes the blame is associated with their attitudes, which is the outcome of people’s voluntary choices, choices not subject to our control. Rawls believes choices come with social or biological circumstances. Circumstances on how the society views situations and actions lead from how a person was raised. He did not focus on choices with personal responsibility. On the other hand, Robert Nozick’s Anarchy, State, and Utopia (1974) believed in individual rights and personal responsibilities. This situation would be problematic because the individual has the right to fight for their identity but they also have to fight to keep their identity.

Yousheei was arrested when Boston Police set him up to buy counterfeit money. According to Counterfeiting Laws and Penalties, someone guilty of counterfeiting can face up to 20 years in prison, but the person who passes or attempts to pass counterfeit money faces only 5 years. I understand we need to keep criminals in jail, but the Boston Police Department stated, “we will continue to join forces with our law enforcement partners to put you out of business and in jail.” I agree that Yousheei should not have agreed to purchase counterfeit money and that he should be arrested for identity theft, but I do not agree that they set him up with a different crime for longer sentencing. Is this fair? Dan-Cohen believes, “the main goal of the criminal law ought to be to defend the unique moral worth of every human being.” I feel like the Boston Police is selecting his fate. What he did was wrong and he shall be arrested, but he will be punished more than his wrongdoing.

There are many mishaps in this case; the moral lessons on blame and fairness are endless. Yousheei got charges for identity theft, illegal possession of a credit card encoder, falsely making a credit card, using a fraudulent credit card, receiving goods purchased with a fraudulent credit card, and possession of counterfeit money.

Sources:



Leaderboard - Week 9

Name                 Points
Admiral Thistle      49
Captain Black X31    45
Pink Mystery         39
Admiral Aquamarine   35 (1 ethical exclusion)
Agent Raven Blue     27 (1 failed attempt)
MzQueen Green        25 (2 failed attempts)
TheBlack Capo        14 (2 failed attempts)
InspectorGreen2013   12 (3 failed attempts)

Social engineering #8 - Tape on your water bottle.

My task this week was to put a piece of tape that was given to me on a fellow player's water bottle. I was curious how I could do this inside of class, especially with everyone watching and on high alert of being targeted. I noticed the only person who had a water bottle was MzQueen Green, so I knew she was my target. I wondered how I could get this done, especially because she was leaving her bottle in her bag. My original thought was a sneak attack, to just put the tape on there right in front of her.

I waited, figuring I could catch her before she left the class. As time ticked by I was getting edgy, but then she stood up and left the classroom, leaving her bag and the water bottle on the table. As soon as she was out of sight I leapt up out of my chair and tripped, stirring up everyone's attention. I hoped no one would try to stop me or tell MzQueen Green. I taped the red tape to her bag and sat back down. Mission accomplished.

I didn't like reaching into someone's bag. It felt intrusive, and I know I wouldn't be happy if someone did it to me. Although a piece of tape is small and harmless, this could have easily been a different scenario: it could have been a tracker that I slipped into her bag or poison that I left on her water bottle. You would never think how serious it would be until it is done and you start to think of all the things you can get into someone's bag.

Social Engineer Challenge - Convince a fellow player

My task for this was to convince a fellow player that I am proficient in a language that I am really not proficient in.

I didn't have time to work on this task since I had to leave class early last Tuesday.
My plan was to arrive early to class today and I was going to target AgentBlueRaven since she told me one day that she has some Italian in her family. I was going to practice a few sentences and words in Italian and try to have a conversation with her in Italian, but I was not able to get it done because I was late for class and by the time I got to class everyone was already here.

Mission Failed....

Social Engineering #6 Convincing or No?

My challenge last week was to convince a fellow player that a famous person is related to me. I knew this would be challenging, but I figured if I stuck to it I might be able to make it work. I originally started on Inspector Green and told him that my cousin is J. Alvarez. He was skeptical, but I continued by saying I have tickets to his concert this weekend. I asked him if he wanted to go because I had plans this weekend. I had a pair of tickets that I saved from an event I went to two years ago and showed them to him to prove it, and a part of me noticed that he reached for them as if he would take them.

I put them away and continued to prod if he wanted to go to MY COUSIN'S concert, and he was reluctant but never said that he did not believe me. By the time class was over he said no, he didn't want the tickets, and I think it was because he thought my task was to give someone something. I am not sure whether he believed it or not.

This task I think was considerably hard because mostly everyone in this class knows my name, knows about me, and we have been in this class for months already social engineering each other and learning things about each other. This task would have been easier towards the beginning of the class. As for the morals of this task, I could see where someone could trick someone by using this lie. If I could convince a stranger that Steven Tyler was my uncle, I could ask them for their contact information and guarantee a letter from him. There is so much that can be done with a small lie with someone that is gullible enough to believe it.

Social Engineer Challenge 9

My task this week was to find out what CaptainBlack X31 does on Tuesdays after class.

Well, since I needed help on a lab that I needed to turn in Tuesday after class, I asked him if he would be available after class to help me. (legit request)

I told him I would not be home until around 7pm. He said sure, I'll be available. So around 7:30pm I texted him letting him know I was logging on and asking if he was still able to assist, and he responded sure!

I started the lab and worked my way through. By 8pm I reached and completed the part I had a problem with. I then texted him and let him know that I figured it out and thanked him for standing by.

We then continued on via text discussing next week's presentation and what we have left for the rest of the semester. This went on for another hour or so.

Looks to me like CaptainBlack X31 is usually relaxing at home after class on Tuesdays, unless I call him to ask for help :-)

Thanks CaptainBlack X31!

Draft Post: Hacker's Loyalty

Adrian Lamo is an ex-hacker who was also known as the “Homeless Hacker”. He was called the “Homeless Hacker” because he accessed hotspots in various locations to penetrate the internal networks of high profile companies and alerted them of their vulnerabilities. He offered his services to fix them because he felt he was doing the right thing by notifying them of this security breach and the potential harm it could do to their systems if it got into the wrong hands. Most companies took him up on his offer and did not press charges. It wasn’t until 2002 that one of the companies he hacked, the NY Times, didn’t think so kindly of Lamo’s actions. Instead they notified the U.S. Attorney’s office, who started an investigation on Lamo and his actions. He would later be found guilty and be placed on 6 months' probation, also having to pay restitution. While on probation, he cleaned up his act and attended school to become a Threat Analyst.

In 2010, a U.S. soldier by the name of Bradley Manning contacted Adrian Lamo via an AOL chat room. During their chat, the two discussed Lamo’s past hacking history, Manning awaiting discharge due to his gender identity issue, and both of their experiences in the IT world. As the conversation progressed, Manning eventually confided that he had been penetrating the U.S. classified network and forwarding classified information to Wikileaks. This information he believed the public needed to know. Not believing what he was hearing, Lamo asked Manning for specific stories, and Manning supplied them. Lamo contacted the U.S. military and informed them of his conversation with Manning. Manning was later arrested and charged with several offenses, one being “aiding the enemy”, which led to a 35 year sentence.

Lamo claimed that his action of turning Manning in was to help the nation: "Mr Manning's well being was not as important as the security of our armed forces. I had never considered myself particularly patriotic, but when push came to shove the wellbeing of the nation was of paramount importance to me." (excerpt from http://www.theguardian.com/world/2011/dec/15/hacker-adrian-lamo-bradley-manning-wikileaks)

I think that Lamo is a hypocrite. Just as he thought that he was doing good exposing the companies whose systems he penetrated and then offering to fix it instead of doing ill will, Manning felt the same way about his actions; he felt as though the classified information needed to be known by the public so the truth would be out. According to a Wired article, there are three different types of hackers: whitehats (employed with companies in which they hack within the law), blackhats (penetrate networks illegally for fun), and grayhats (hackers who protect security holes from vandals). It would seem as though Lamo is regarded as a grayhat. Since when is a grayhat's loyalty to law enforcement?

to be continued....



Final Draft for Final Post: Albert Gonzalez – T.J Maxx

It is so much easier to pay with a credit/debit card. Most of us have one, or a few of them. A lot of people don’t like to carry cash with them anymore, and if you need cash, you can easily find an ATM close by, since there are so many around. We also love shopping, and a lot of us use our credit/debit cards to pay for the items we purchase. In order to obtain a credit/debit card you have to provide your name, address, social security number, among other personal information to the bank. So since it’s your personal information, wouldn't you want companies to protect it when you use your credit/debit card to purchase items from them? I would like them to keep my information secure, and I hope you would too. But unfortunately, when it comes to information security, not all companies and industries are alike.

Albert Gonzalez was accused of masterminding the combined credit card theft and subsequent reselling of more than 170 million card and ATM numbers from 2005 through 2007, the biggest such fraud in history. He stole card information from TJX Companies like T.J. Maxx, BJ’s Wholesale Club, DSW, Office Max, Boston Market, Barnes & Noble, and Sports Authority. He hacked stores in different states like New York, Massachusetts, and New Jersey. Gonzalez was arrested on May 7, 2008, and on March 25, 2010, he was sentenced to 20 years in federal prison.

I believe that Albert Gonzalez actions were wrong, and he is guilty as charged, but I have to ask, do you think Albert Gonzalez was the only one at fault? Many would say yes, he is, but I would argue the opposite.

One of the companies he hacked was TJX Companies. T.J. Maxx and Marshalls are clothing stores owned by TJX that sell designer clothes for a discounted price. Therefore a lot of customers walk into their stores and purchase their items. I am not talking about a Mommy and Daddy owned store, I am talking about a very big company that is making a very good amount of money. But surprisingly they were using out of date and vulnerable security encryption for their machines and networks. I believe that if a person uses their credit/debit card at a store, for instance, it is the store’s responsibility to keep the information safe. Once I swipe my card through your credit machine, my card information is stored, so it becomes your property. Probably more than 90% of the customers affected were not aware that their credit/debit card information was compromised.

So I ask, why weren't they protecting their customers’ private information with up to date security? TJX was using WEP security encryption for their network. Almost every hacker out there likes a challenge, but when the security is outdated and weak it is like a day at the park for them. I believe that TJX should have done a better job at securing their networks and customers' information.

Sources:


Social engineering challenge: Stop!

My challenge for the past week was to have a fellow player fail their challenge due to my efforts. I had no definite plan on how to go about doing this, so I just had to keep my eyes open for when I saw someone openly trying to accomplish their task. The only open attempt was made by Raven Blue when she stuck the piece of tape to MzQueen's water bottle. It all happened so fast I couldn't process anything; she managed to stick the tape on the bottle before I could even get up to intercept, so that was a fail. Before that, when I saw CaptianBlack take his challenge card from the bag, there were only two cards in there. When I picked mine, it was the same challenge I had in a previous week, so I put it back. That left two cards in the bag, one of which I knew, so there was a 50-50 chance he'd pick that card. When he opened his card, I noticed the color of the writing, and it was the same as the one I had, so I knew what his challenge was before he even finished reading it. For the whole class period, I tried to keep my eye on CaptianBlack to watch out for his attempt at his challenge so I could stop him. Unfortunately, I didn't see him attempt his challenge, so that was a fail. Looking back, I probably should have just said out loud to everyone what his challenge was; that way everyone would be suspicious of him trying to trade anything with them.

Final blog post first draft: The Hacks on the PSN (2011)
The Sony PlayStation Network (PSN) has had a handful of hacks and incidents since its release in November of 2006, from jailbroken PS3s to a mass intrusion of privacy, but the hacks that took place in April and June of 2011 were two for the record books. In April, Sony said it discovered that between the 17th and 19th, an "illegal and unauthorized person" got access to 77 million PSN users' names, addresses, email addresses, birthdates, usernames, passwords, logins, security questions and more. At first, Sony and the rest of the world believed it to be George Hotz, the hacker that made public instructions on how to jailbreak your PS3. Come to find out, the splinter hacktivist group of Anonymous known as Lulzsec was responsible, using a DDoS attack on the network, deliberately flooding the PSN server with traffic and causing a loss of income for a company that does business online. Jake Davis (20), Mustafa Al-Bassam (18), Ryan Ackroyd (26) and Ryan Cleary (21) from Lulzsec all claimed responsibility and pleaded guilty. This hit Sony big time, shutting them down for nearly a month to try to recover and costing just about $171.1 million in damages. A few months later, a separate attack on the PlayStation Network, Sony Online Entertainment and Sony's Qriocity media-streaming service led to the theft of private data pertaining to more than 100 million user accounts, including credit-card numbers. All three services were offline for more than three weeks. Anonymous later came forward and took credit for the attack, saying that it was unintentional that they obtained the information of all PSN's users. They used a basic SQL injection attack to expose millions of users' personal data, 3.5 million digital coupons and 75,000 music codes.

A couple of questions that I ask Sony are:

  • Why were PSN passwords apparently stored in plain, human-readable text?
  • Why were email addresses, personal details, and credit card details also stored in unencrypted form?

While it might be impossible to fully prevent unauthorized access to a system, it’s very simple to encrypt data in a way that both secures user privacy, and makes it almost valueless to any hacker with an intent to use that information for their own personal gain, profit or otherwise.

Some questions that I have for the hacktivist groups are:

  • Why make user accounts public? Users aren’t the ones at fault so they shouldn’t be the ones that are punished.
  • Instead of hacking a big league company like Sony, why not simply inform them that their security was not as tightly secured as they claimed it to be? Why was the result of your hacking necessary?

If I was in either of the hacktivists' shoes, I would probably have the same ideals in terms of trying to make being online safe for all users. As I mentioned in one of my questions to the hacktivists, I would simply inform a company that did business online that the security they claim to be foolproof isn't. I wouldn't put any of the users at risk because that isn't my goal.

Sources:
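The post above asks why PSN passwords were stored in readable form and notes that a basic SQL injection exposed user data. The following is an added example, not code from the original post or from Sony: a toy account store in Python that puts the two weak designs (plaintext secret, query built by string formatting) beside their hardened forms (salted PBKDF2 hash, parameterised query). The schema, the user names and the passwords are constructed for illustration.

```python
"""Added example (not from the original post): weak vs hardened account storage."""
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # PBKDF2 work factor; raise it as hardware gets faster


def make_db():
    """Create an in-memory SQLite store (constructed sample schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, secret TEXT NOT NULL)"
    )
    return conn


# ---- weak design: plaintext secret, query assembled by string formatting ----
def weak_register(conn, username, password):
    # The password itself is written to the table, so a copy of the table
    # is a copy of every user's password.
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, password))


def weak_login(conn, username, password):
    # Untrusted input is pasted straight into the SQL text, so quote
    # characters in the input change the query instead of being data.
    query = (
        "SELECT username FROM users WHERE username = '%s' AND secret = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone() is not None


# ---- hardened design: salted PBKDF2 hash, parameterised query ----
def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(stored, password):
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def strong_register(conn, username, password):
    conn.execute(
        "INSERT INTO users VALUES (?, ?)", (username, hash_password(password))
    )


def strong_login(conn, username, password):
    # Placeholders send the input as bound data; the SQL text never changes.
    row = conn.execute(
        "SELECT secret FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Hash anyway so an unknown user takes as long as a wrong password.
        verify_password(hash_password("placeholder"), password)
        return False
    return verify_password(row[0], password)


def dump_secrets(conn):
    """What someone who copies the users table would actually see."""
    return [row[0] for row in conn.execute("SELECT secret FROM users")]


if __name__ == "__main__":
    weak, strong = make_db(), make_db()
    weak_register(weak, "alice", "hunter2")
    strong_register(strong, "alice", "hunter2")
    print("weak table:", dump_secrets(weak))
    print("strong table:", dump_secrets(strong))
    print("strong login ok:", strong_login(strong, "alice", "hunter2"))
```

The point of `dump_secrets` is the post's first question: with the weak design a stolen table yields every password directly, while with the hardened design it yields only salted, slow-to-compute hashes. The point of the two `login` functions is the second: with string formatting, a username or password containing a quote rewrites the query, whereas the bound parameter in `strong_login` is never interpreted as SQL.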