I guess we will never know "how they thought up" their attack, but it doesn't really matter? They know how the system was abused, what was violated, etc...
Well, I found myself wondering if such an attack would have been carried out if the article had never been posted. Which begs the question, is there such a thing as too much information for the general public? I was more or less digging for opinions on freedom of information from everyone/anyone here.
This kid was definitely not a hacker or cracker (by our standards). He was an overly curious kid with a computer and too much time on his hands. I'll bet that he read this article on Yahoo and decided to try it out for fun (not realizing the severe consequences of his actions).
So, should old hacks be made readily available to the public? Sure, Security experts knew about it. Hackers knew about it. IT Professionals knew about it. Crackers knew about it. We have our resources. We know where to find this stuff. We also know what we're doing (for the most part).
But, just how much coverage should hacks/exploits get? This is an old hack. Why shed new light on it? The minute I read that article, I remember thinking "Oh great, it won't be long before every 12 year old skiddie on the planet goes to Yahoo and reads this article and gets a chubby". Do we really need these inexperienced dopes, handed age-old hacks on a silver platter?
And for people in the knowing, this is old news. I certainly didn't need to be reminded. Did anyone here? I personally think an article like this poses way more dangers than it does benefits. That's what I was getting at and was hoping for some other AO viewpoints on the matter.
But the thing is, there is no secret to how their password recovery works, you find out after you need to use it... It's good that information like that is posted, it encourages change.
Just a new age version of dumpster diving. No exploit, social engineering maybe. It was Sarah Palin's fault for telling that she uses a Yahoo account to conduct state affairs through a TV interview. That wasn't too smart.
Ding we have a winner. :D
Quote:
Originally Posted by DeltaWeb
Exploit, hack, social engineering, misallocated resources, etc. This isn't a debate on semantics. Call it what you will but, try and stay focused on what's important.
Quote:
No exploit, social engineering maybe
That's just complete nonsense. The only thing this event made clear was the inherent danger of the "forget my password" service. Palin's only mistake was believing in an "open government" ideology. While naive in nature, it doesn't make her responsible for the actions of people ready and willing to exploit flaws in the Yahoo service.
Quote:
It was Sarah Palin's fault for telling that she uses a yahoo account to conduct state affairs through a TV interview
Quote:
It was Sarah Palin's fault for telling that she uses a yahoo account to conduct state affairs through a TV interview
Or like the inherent danger of leaving a loaded pistol laying around...
Quote:
Originally Posted by shagDevil
"If people don't kill people, guns kill people - can I blame my spelling mistakes on my pen?"
I don't know ShagDevil; I do believe that if Palin hadn't given that info in the interview, anyone seeking her email accounts would have needed a little more than Yahoo's "forget my password" feature.
That sounds an awful lot like security through obscurity. And while I agree what she did was naive, let me expand on your analogy.
Quote:
I do believe that if Palin hadn't given that info in the interview, anyone seeking her email accounts would have needed a little more than Yahoo's "forget my password" feature
Assume Joe believes in being honest and not hiding anything. Joe says on national TV, "I have a gun cabinet full of guns". Not the brightest move but, Joe likes being open about his activities.
Yahoo headlines an article on how easy it is to break into gun cabinets. A week later someone breaks into the gun cabinet and steals the guns. Did Joe's TV announcement make his gun cabinet easy to break into? Or did it simply provide an avenue for someone to exploit an inherent flaw in something that should be inaccessible?
In my opinion, that makes Joe naive (maybe even incompetent) but, it sure as hell doesn't make him at fault for the design flaw in his gun cabinet.
I 100% agree with you SD. My point is - and I think yours, if I'm reading it correctly, it's not about security or exploits rather would the email account have been compromised if it weren't for the interview?
The "Forgot my password" function would still be available.
Is Yahoo responsible for its misuse? NO
Now applying Joe's analogy in which one of Joe's stolen guns was used in a Murder:
Say the kid emailed [email protected] some Muslim propaganda along with a threat of some sort, would the SS - I mean Dept. of Homeland Security - investigate all parties involved? YES
Would there be hell to pay - Absolutely
Is Palin now responsible for using a less than secure email service for government communications?
Is Yahoo NOW at fault for offering the "Forget Password Function"?
Well, right off the bat. This is what I was looking for. A good, solid debate. So my thanks Dinowuff.
Very close. I was wondering if Palin's email account would have been compromised if the article on the "forgot my password" flaw wasn't posted on Yahoo. Which I can't seem to find anywhere now :mad:
Quote:
it's not about security or exploits rather would the email account have been compromised if it weren't for the interview?
Well, Sarah Palin isn't responsible for designing a highly flawed system of personal questions used to reset passwords. Divulging her email account on TV shouldn't make any difference. Think of the argument about hiding your SSID. If good security is in place, there's no need to hide the SSID.
Quote:
Is Yahoo responsible for its misuse? NO
Well, she's sure as hell not responsible for providing a less than secure email service. Nor would she likely have used Yahoo's email service if she knew it could be breached so easily. Which at best, makes her naive. At worst, incompetent if she knew of such a flaw & didn't fix her secret answers.
Quote:
Is Palin now responsible for using a less than secure email service for government communications?
Nope. But Yahoo is at fault for providing a less than secure email service. Regardless of what the email account was used for, the "Forgot My Password" service is flawed. Palin should be able to disclose her email account without the fear of it being broken into.
Quote:
Is Yahoo NOW at fault for offering the "Forget Password Function"?