October 2, 1998 | Albion.com, San Francisco | Issue #006
All the News That's Fit to Hack
F1RST 0FF, WE HAVE T0 SAY.. WE 0WN YER DUMB ASS. 4ND R3MEMB3R, DUMB ASS 1S OFT3N CUTE 4SS. AND WE L1KE CUTE ASS. S3C0ND, TH3R3 AR3 S0 MANY L0S3RS H3R3, 1TZ HARD T0 P1CK WH1CH T0 1NSULT THE M0ST.
The paper was forced to shut down the site for nine hours during the massive surge of news interest generated by the release of the Starr report two days earlier. But the most remarkable thing about this crack is the fact that The New York Times went public with it in a news story the next day.
The cliché image of the genius hacker, embodied by the Times' coverage of "Kevin Mitnick, Dark-Side Hacker", belies the reality of Internet security in the late 90s: many system crackers use a modest set of skills and knowledge to carry out persistent and opportunistic probes of potential target systems. Most of them are not even programmers per se, let alone a master like Mitnick. Hundreds of "pre-programmed" attack scripts are publicly available at sites like www.rootshell.com. Corporate and government web sites are under attack every minute of every hour of every day. With enough luck and persistence, the random cracker gets through.
This begs the question: If web sites are breached every day, why aren't the papers full of reports of system break-ins? There is a tacit conspiracy of silence on the part of corporations and governmental entities who are victimized by these ongoing attacks. News that a major corporate web site has been breached is usually quickly contained within company walls for fear of bad PR if word got out.
The hush-hush nature of break-ins damages the efforts of computer security administrators and experts to keep ahead of the crackers probing their systems. Knowledge is power: by studying how sites like the Times' were compromised, sysadmins can harden their own systems. It also provides fodder for IT managers trying to convince upper management to devote resources to computer security. From this point of view, The New York Times did cyberspace a favor by reporting on its own security lapses. The old gray lady received an object lesson in network security and shared the lesson with its readership. All the News That's Fit to Print, rather than a whitewash.
Presumably, the Times is strengthening its web security in the aftermath of the intrusions. But I won't be surprised if the attackers take another shot. I can see the hacked tagline now: "4LL TH3 BITS THATZ NEWZ 2 H4CK." Here's a clue: It probably won't be Kevin Mitnick, or even a Kevin Mitnick, that pulls it off. As HFG brags on the AntiOnline site: "IF WE CAN DO IT, ANYONE CAN."
-- Seth Ross