Federal court filing system hit in sweeping hack, compromising identities of confidential informants

ThatRobGuy said:

Granted, I've only had very limited exposure to the inner workings of some of the infrastructure setups for things happening at a federal level...but I have a fair amount of experience with state government systems in a few different states. If the federal systems are the same (or even only just a little bit better, but not a lot) - then there's cause for concern.


In a lot of cases, what they refer to as "hacks" aren't even actually hacks, but merely accessing stuff that easily accessible due to a weak design.

I may be getting "into the tech weeds", but remember when they arrested that guy and putting him in prison, who they called "A hacker named Weev" claiming he "hacked AT&T", when it turns out, all he did was simply discover that AT&T's old tablet-version of the account management app used the account number in the URL query string. He found that if you incremented the number, there was no re-auth, and it would simply show you someone else's account info (their address, email address, name, etc...)

He wrote a loop that would start at 1, and go up to 200,000, and scrape the info off the page (not hard to do), and he ended up harvesting the email addresses of over 100k people, and sent the info to a reporter to say "hey, look, AT&T is exposing customer info".

The reality is, he didn't hack anyone at all, he didn't bypass or disable any security systems, he merely scraped something that was already easily accessible to anyone with above-average tech savvy.


When big fortune 500 companies or governments call things "hacks", everyone should keep their "bovine excrement detectors" on high... because in many cases, that's a "saving face" move to avoid talking about the fact that they were exposing something inadvertently. If they present it as "we were the victims of elite hackers", it lets them convey the notion that they did everything right and didn't skimp on the design.

Click to expand...

ThatRobGuy said:

Granted, I've only had very limited exposure to the inner workings of some of the infrastructure setups for things happening at a federal level...but I have a fair amount of experience with state government systems in a few different states. If the federal systems are the same (or even only just a little bit better, but not a lot) - then there's cause for concern.


In a lot of cases, what they refer to as "hacks" aren't even actually hacks, but merely accessing stuff that easily accessible due to a weak design.

I may be getting "into the tech weeds", but remember when they arrested that guy and putting him in prison, who they called "A hacker named Weev" claiming he "hacked AT&T", when it turns out, all he did was simply discover that AT&T's old tablet-version of the account management app used the account number in the URL query string. He found that if you incremented the number, there was no re-auth, and it would simply show you someone else's account info (their address, email address, name, etc...)

He wrote a loop that would start at 1, and go up to 200,000, and scrape the info off the page (not hard to do), and he ended up harvesting the email addresses of over 100k people, and sent the info to a reporter to say "hey, look, AT&T is exposing customer info".

The reality is, he didn't hack anyone at all, he didn't bypass or disable any security systems, he merely scraped something that was already easily accessible to anyone with above-average tech savvy.


When big fortune 500 companies or governments call things "hacks", everyone should keep their "bovine excrement detectors" on high... because in many cases, that's a "saving face" move to avoid talking about the fact that they were exposing something inadvertently. If they present it as "we were the victims of elite hackers", it lets them convey the notion that they did everything right and didn't skimp on the design.

Click to expand...

Hans Blaster said:

I'm not sure how much we can learn from "weev". He is a very slimy person.

Click to expand...