SOA on-line store hacked


bdschobel
07-01-2008, 06:24 PM
This morning we detected that an unauthorized change was made to the SOA on-line store. In addition, many messages posted on the Actuarial Outpost discussed this unauthorized change, although posters did not realize that the odd things they were observing were unauthorized. Here is a brief summary of the situation and our remediation.



1. We worked with the vendor and established that the base system included a point of vulnerability. Specifically, one Web page in the site allowed anyone who was logged into the SOA on-line store to modify text on that page and create a new page by making a copy. The offender took both of these actions.
2. The loophole that allowed unauthorized access to the Web site did not provide any access to the database -- i.e., to read, change or delete member/candidate information (such as exam results or credentials). Likewise, the loophole did not affect the primary SOA Web site.
3. The vendor changed the programming to close this loophole and remove the option to modify and copy any page in the SOA on-line store.
4. The unauthorized changes were removed from the site.
5. We cut off the offender’s access by stopping and then restarting the on-line store services.
6. We put an ongoing process in place to notify the SOA Help Desk any time certain types of activity are initiated in the on-line store, including making any changes to existing text and creating new pages.
7. We are investigating the potential source for this intrusion. Unlike what happened last January and July, this was not harmless or cute. We may not be able to figure out who did this, but if we do, there will be consequences.

In any case, the integrity of SOA data was preserved. We are sure of that.

Bruce

mlschop
07-01-2008, 06:29 PM
Looks like a lot of people ('cept myself) guessed right...

Former Actuarial
07-01-2008, 06:31 PM
yikes. i had no idea about any of this til now. that's pretty damn crappy. i hope you find out who the lil bugger is and out him on here!!

Wrong2007
07-01-2008, 06:33 PM
for those (like me) who clicked the "don't click this", will our information get stolen????....

bdschobel
07-01-2008, 06:34 PM
No.

Bruce

Actuarialsuck
07-01-2008, 06:45 PM
I still don't see the "hack" portion of what happened.

mlschop
07-01-2008, 06:49 PM
I still don't see the "hack" portion of what happened.

Actually I agree with this. If there was some "loophole" or "vulnerability," then the security is to be blamed, not necessarily the "hacker."

bdschobel
07-01-2008, 06:56 PM
We don't agree. Changing someone else's web pages is hacking by anyone's definition.

Bruce

Actuarialsuck
07-01-2008, 06:58 PM
Even if the user allows you to do so? So if a website has a guestbook that you can sign in to, you would consider it hacking if I click Add and type in my name?

thing
07-01-2008, 07:01 PM
"Hacking" is the correct term. The vulnerability provided an opportunity that would not have existed otherwise, and the person in question might not have bothered messing with the SOA website without the vulnerability, but the essence of hacking (in good and bad senses of the term) is finding and exploiting loopholes. I'd call the result more humorous than dangerous, but that might just be because the vulnerability was relatively slight.

I'll speculate that it was a student who noticed the unprotected button, knew something about html and SQL servers, and decided to play around; in which case they can probably be found by comparing login files with file change dates, if those are all in place. That's pure speculation, of course.
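Bruce's item 6 above (notify the Help Desk whenever store text is changed or a page is created) and thing's suggestion of matching login records against change timestamps both come down to the same log-review logic. The Python below is an added example, not code from the SOA, its vendor or any poster in this thread: it walks a constructed audit log, raises an alert for every content-changing event, and attributes each one to whoever was logged in from that source address at the time. The log format, the event names and the attribute-by-address rule are assumptions made for the example; a real store would carry a session identifier in each record, which is a far more reliable key than an IP address.

```python
"""Added example (not the SOA store's or its vendor's code): flag content-changing
events in a web-store audit log and attribute each one to the login session that
was active from the same source address.  Log format and event names are assumed."""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log, not real SOA data.  One event per line:
# "<ISO timestamp> <source ip> <EVENT> <details>"
SAMPLE_LOG = """\
2008-07-01T08:02:11 198.51.100.7 LOGIN user=alice
2008-07-01T08:03:40 198.51.100.7 VIEW page=catalog
2008-07-01T08:05:02 203.0.113.9 LOGIN user=bob
2008-07-01T08:06:15 203.0.113.9 EDIT_TEXT page=exam_registration
2008-07-01T08:07:30 203.0.113.9 COPY_PAGE source=exam_registration new=dont_click_this
2008-07-01T08:09:00 198.51.100.7 LOGOUT user=alice
2008-07-01T08:10:45 203.0.113.9 VIEW page=dont_click_this
2008-07-01T08:12:00 192.0.2.55 EDIT_TEXT page=catalog
"""

# Event types that should page the Help Desk (item 6 in Bruce's summary):
# changes to existing text and creation of new pages.
CONTENT_CHANGE_EVENTS = {"EDIT_TEXT", "COPY_PAGE", "CREATE_PAGE"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: (.*))?$")


@dataclass
class Alert:
    when: datetime
    ip: str
    user: str      # "unknown" when no login session covers the event
    event: str
    details: str


def parse_line(line):
    """Split one log line into (timestamp, ip, event, details); None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, event, details = m.groups()
    return datetime.fromisoformat(ts), ip, event, details or ""


def detect_content_changes(log_text):
    """Walk the log in order, tracking who is logged in from each source address,
    and emit an Alert for every content-changing event."""
    sessions = {}   # ip -> user name currently logged in from that address (assumption)
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        when, ip, event, details = parsed
        if event == "LOGIN":
            sessions[ip] = details.split("=", 1)[1]
        elif event == "LOGOUT":
            sessions.pop(ip, None)
        elif event in CONTENT_CHANGE_EVENTS:
            # A change with no covering session is the case to escalate first:
            # either the log is incomplete or the change bypassed login entirely.
            alerts.append(Alert(when, ip, sessions.get(ip, "unknown"), event, details))
    return alerts


def format_notification(alert):
    """Render one alert as the line a Help Desk ticket or pager would receive."""
    return (f"HELPDESK {alert.when.isoformat()} {alert.event} by {alert.user} "
            f"from {alert.ip}: {alert.details}")


if __name__ == "__main__":
    for a in detect_content_changes(SAMPLE_LOG):
        print(format_notification(a))
```

Run against the constructed log this yields three notifications: two edits attributed to bob's session and one edit from an address with no login on record, which is the one a Help Desk should treat as the most serious.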

thing
07-01-2008, 07:04 PM
Even if the user allows you to do so? So if a website has a guestbook that you can sign in to, you would consider it hacking if I click Add and type in my name?

I actually closed the guest book on one of my websites because hackers had created bots that spammed it with links. So yes, guest books are one potential source of vulnerabilities for hackers to exploit. Typing your name in is what the page would be designed to do. :D

Sparktz
07-01-2008, 07:04 PM
Hmmm... I suspect that you should start your search with the poster above ^^

:)

Blue Like Jazz
07-01-2008, 07:05 PM
I'm glad I didn't come across it since I probably would have played around with it just to see what happened.

bdschobel
07-01-2008, 07:07 PM
We're working on it. I'm offering a 12-hour amnesty to the perpetrator, who is undoubtedly reading this.

Bruce

mlschop
07-01-2008, 07:14 PM
We don't agree. Changing someone else's web pages is hacking by anyone's definition.

Bruce

Something tells me our opinions on this will be similar to the conflicting opinions in the "stealing wi-fi" thread in NAT.

Since I don't know the vulnerability specifically, I can't say much more regarding my opinion on hacking versus playing with a loophole. I think they are significantly different.

Actuarialsuck
07-01-2008, 07:17 PM
I don't think knowing anything about html and/or SQL came into play here though. If you see a button that you can click, how is it hacking to click on it? How is it different from my example with a guestbook?

cubs1908
07-01-2008, 07:21 PM
Actually I agree with this. If there was some "loophole" or "vulnerability," then the security is to be blamed, not necessarily the "hacker."

Sounds like a silly prank that actually worked. Hard to believe the SOA website was this "vulnerable" to attack!

Tight Tin Foil Hat
07-01-2008, 07:22 PM
The SOA's vulnerable to attack? RUN!

thing
07-01-2008, 07:28 PM
If you see a button that you can click, how is it hacking to click on it?
Specifically, one Web page in the site allowed anyone who was logged into the SOA on-line store to modify text on that page and create a new page by making a copy. The offender took both of these actions.
The bolded part is where I think the person crossed the line from "pushing a button" to "hacking". When you start adding pages to someone else's website, well, ok, there are sites that allow that. The SOA isn't one of them.

If Google accidentally left a snippet of code on an obscure subpage that allowed me to go in and add something to their frontpage so it included a link to my website, I would totally do it and I would brag for the rest of my life about hacking Google.

cubs1908
07-01-2008, 07:30 PM
I don't think knowing anything about html and/or SQL came into play here though. If you see a button that you can click, how is it hacking to click on it? How is it different from my example with a guestbook?

I agree. Sounds like someone was searching around the website and clicked a few buttons.

Actuarialsuck
07-01-2008, 07:31 PM
If the SOA wasn't one of those websites, why did they leave those buttons up there? Bruce himself said that the website allowed anyone to do it, so I don't think the users who took the liberty of clicking something in front of them (not seeking it out by looking through code or other methods) should be faulted.

mlschop
07-01-2008, 07:43 PM
The bolded part is where I think the person crossed the line from "pushing a button" to "hacking". When you start adding pages to someone else's website, well, ok, there are sites that allow that. The SOA isn't one of them.

Again, I don't think we have enough information to say either way. If the user found that http://store.soa.org/hackme.html (or something) was a site that allowed them to modify the store, I'm not sure the SOA should do much to them.

When I was looking for a Nintendo Wii, I used a URL exploit that allowed me to view Target's inventory to know when one was in stock. Did I do any "hacking?" To some people - probably. But all I did was click on a link - which Target was hosting to the world.

Same thing with the World Series of Poker Main Event Final Table. The last two years they've broadcast it via the internet for a fee. However, they don't secure their stream well enough, and people found a way to take the video stream and put it on another site for everyone to view. Again, no hacking...they just found the URL for the video stream and were able to see it without a login. Immoral? Perhaps...but I don't know if it should be punishable, as the owner was hosting the file to the world.

bdschobel
07-01-2008, 07:52 PM
I agree. Sounds like someone was searching around the website and clicked a few buttons.

As usual, you have no idea what you're talking about.

Bruce

cubs1908
07-01-2008, 07:52 PM
Actually, i think the broadcast thing may be criminal.

cubs1908
07-01-2008, 07:54 PM
As usual, you have no idea what you're talking about.

Bruce

Please explain.

Former Actuarial
07-01-2008, 07:54 PM
...Unlike what happened last January and July, this was not harmless or cute.... ...there will be consequences.

In any case, the integrity of SOA data was preserved. We are sure of that.

Bruce

1. what happened last january and july? i must have been in lala land b/c i never heard anything about this.

2. what kinds of consequences? based on what i have read in this thread, it seems like someone was clicking around on the site and discovered something that wasn't normal and then he proceeded to play around with it and write in some funny (or not so funny) comments. since he didn't do anything to steal or change any information, i would think the consequences wouldn't be that severe. after all, (and please don't take this the wrong way b/c i respect you and the SOA), but you/SOA/vendor were aware of this issue and apparently decided not to fix it when it was discovered and are only now fixing it since someone else, someone unauthorized, has discovered it too.

3. i am not credentialled nor do i sit for exams anymore, but i am glad to hear that everyone's information on your database was not compromised.

4. i still say you should publicly out the guilty party on the AO just for shits n giggles.

remilard
07-01-2008, 08:11 PM
Actually I agree with this. If there was some "loophole" or "vulnerability," then the security is to be blamed, not necessarily the "hacker."

Are the windows on your car made of glass? Sounds like a loophole to me.

mlschop
07-01-2008, 08:21 PM
Are the windows on your car made of glass? Sounds like a loophole to me.

Are we going to start with bad analogies already? I'll give you a chance to make sense of what you just said.

wat?
07-01-2008, 08:29 PM
Are we going to start with bad analogies already? I'll give you a chance to make sense of what you just said.

Hey, can you get someone for breaking and entering if they see your window down and start playing with stuff in your car?

cubs1908
07-01-2008, 08:31 PM
Sure...I'd be a little embarrassed if I was the SOA (but please do not take your frustrations out on me Daddy B). In the grand scheme of things, this event is not significant. However, it may help the SOA identify other potential areas of security breach.

Risk is opportunity. Exploit it!

bdschobel
07-01-2008, 08:58 PM
We're working on it. I'm offering a 12-hour amnesty to the perpetrator, who is undoubtedly reading this.

Apparently we had at least three hackers. One has come forward and taken advantage of the amnesty offer, which will be honored, of course.

Bruce

bdschobel
07-01-2008, 09:13 PM
Another hacker has come forward. Amnesty offered and accepted.

Bruce

mlschop
07-01-2008, 09:15 PM
Hey, can you get someone for breaking and entering if they see your window down and start playing with stuff in your car?

Okay...define "get someone?" There are vandalism laws in most jurisdictions. If I left my windows down, and someone left me a note saying "Don't click me" (mind you - no permanent damage), the police would laugh at me if I wanted to press charges. If they permanently damaged my car, that would be a different story.

Is this at all comparable to a website? Hell no. Why? We all "know" not to go into someone's car if it's unlocked. Since some sites want you to make modifications and other sites want you to just read them, the lines aren't as clear when it comes to a website.

Let me ask you this. This is the URL to your post:
http://www.actuarialoutpost.com/actuarial_discussion_forum/showpost.php?p=2981283

Do you think it's "illegal" for me to type this into my browser? (Note that I incremented the post number by 1 in the URL)
http://www.actuarialoutpost.com/actuarial_discussion_forum/showpost.php?p=2981284

Like I said before - it's very possible someone was able to take a transcript URL - for example:
https://store.soa.org/Default.aspx?tabid=999&action=profile&args=9

And just started playing around, changing the URL to:
https://store.soa.org/Default.aspx?tabid=321&action=profile&args=7

And found something with the "admin" tools. Do you really think that this is devious "hacking?"

As I said twice, I believe - we don't have information as to how this happened. I think if a guy happened to come across some page with modification tools, he could have thought of it as a "feature." If he broke some kinda encryption to access this page, then I say it is "hacking." I say unless we/SOA know which one of these it is, it's hard for me to jump to the conclusion that this guy should be burned at the stake.
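mlschop's scenario of changing tabid and args in a store URL until an "admin" page appears is the textbook case where the server must not infer permission from anything in the request. The Python below is an added example, not the store's or its vendor's code, and the thread says nothing about how the store actually checked access: it shows a handler that stops at "is the user logged in" (the failure mode Bruce's item 1 describes) next to one that decides from server-side page metadata and the caller's roles. The parameter names tabid and action are taken from the URLs quoted above; the page table, roles and user names are constructed for the example.

```python
"""Added example (not the SOA store's or its vendor's code): authorize page actions
server-side instead of trusting the tabid/action a URL carries."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass(frozen=True)
class Page:
    tab_id: int
    title: str
    view_roles: frozenset   # roles that may view the page
    edit_roles: frozenset   # roles that may change its text or copy it to a new page


# Constructed page table standing in for the store's own configuration.
PAGES = {
    999: Page(999, "My transcript", frozenset({"member", "admin"}), frozenset({"admin"})),
    321: Page(321, "Site admin tools", frozenset({"admin"}), frozenset({"admin"})),
}

# Permission each URL action needs; 'edit' and 'copy' are both content changes.
ACTION_PERMISSION = {"profile": "view", "view": "view", "edit": "edit", "copy": "edit"}


class Forbidden(Exception):
    pass


def vulnerable_handle(params, user):
    """Failure mode from the thread: being logged in is the only check, so any
    authenticated user who reaches the page may edit or copy it."""
    if user is None:
        raise Forbidden("login required")
    page = PAGES[int(params["tabid"])]
    return f"{params['action']} on {page.title} by {user.name}"


def hardened_handle(params, user):
    """Decide from server-side page metadata and the caller's roles, never from the URL."""
    if user is None:
        raise Forbidden("login required")
    try:
        page = PAGES[int(params["tabid"])]
    except (KeyError, ValueError, TypeError):
        # Same outcome as 'not allowed', so a wrong id reveals nothing about which ids exist
        raise Forbidden("not found or not allowed")
    needed = ACTION_PERMISSION.get(params.get("action"))
    if needed is None:
        raise Forbidden("unknown action")
    allowed = page.view_roles if needed == "view" else page.edit_roles
    if not (user.roles & allowed):
        raise Forbidden("not found or not allowed")
    return f"{params['action']} on {page.title} by {user.name}"


def is_permitted(params, user):
    """Boolean wrapper: useful in tests and for deciding whether to render an Edit button
    at all (hiding the button is a courtesy; the server-side check is the control)."""
    try:
        hardened_handle(params, user)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    member = User("alice", frozenset({"member"}))
    for tab in (999, 321):
        for action in ("profile", "edit", "copy"):
            p = {"tabid": str(tab), "action": action}
            print(tab, action, "vulnerable:", vulnerable_handle(p, member),
                  "| hardened permitted:", is_permitted(p, member))
```

The point of the side-by-side is that the hardened handler gives a plain member the same answer for tabid=321 whether the page is missing or merely off limits, and refuses edit and copy on the member's own transcript page, so walking the id space with a browser changes nothing.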

Former Actuarial
07-01-2008, 09:16 PM
wow, at least three! i'm glad a few have come clean. i'm sure it was a harmless prank...but i still think it would be awesome to out them on here! :dsmile:

mlschop
07-01-2008, 09:17 PM
Apparently we had at least three hackers. One has come forward and taken advantage of the amnesty offer, which will be honored, of course.

Bruce

I'm curious how you know "three hackers" if - at this time - only 2 seem to have come forward. Did "hacker 1" say he has accomplices?

mlschop
07-01-2008, 09:17 PM
wow, at least three! i'm glad a few have come clean. i'm sure it was a harmless prank...but i still think it would be awesome to out them on here! :dsmile:

Maybe a binary pin or something...

notmyfault
07-01-2008, 09:18 PM
So, what happens to the third person if you find them outside of the Amnesty period? Can I be involved in the punishment somehow?

remilard
07-01-2008, 09:34 PM
Are we going to start with bad analogies already? I'll give you a chance to make sense of what you just said.

Putting a piece of flimsy glass between me and your belongings sounds like a security vulnerability.

Why am I supposed to know that using a rock to break your car window is wrong, but computer geeks get to claim ignorance every time they screw with someone else's stuff? Are you saying that your people are stupid?

wat?
07-01-2008, 09:36 PM
Okay...define "get someone?" There are vandalism laws in most jurisdictions. If I left my windows down, and someone left me a note saying "Don't click me" (mind you - no permanent damage), the police would laugh at me if I wanted to press charges. If they permanently damaged my car, that would be a different story.

Is this at all comparable to a website? Hell no. Why? We all "know" not to go into someone's car if it's unlocked. Since some sites want you to make modifications and other sites want you to just read them, the lines aren't as clear when it comes to a website.

Let me ask you this. This is the URL to your post:
http://www.actuarialoutpost.com/actuarial_discussion_forum/showpost.php?p=2981283

Do you think it's "illegal" for me to type this into my browser? (Note that I incremented the post number by 1 in the URL)
http://www.actuarialoutpost.com/actuarial_discussion_forum/showpost.php?p=2981284

Like I said before - it's very possible someone was able to take a transcript URL - for example:
https://store.soa.org/Default.aspx?tabid=999&action=profile&args=9

And just started playing around, changing the URL to:
https://store.soa.org/Default.aspx?tabid=321&action=profile&args=7

And found something with the "admin" tools. Do you really think that this is devious "hacking?"

As I said twice, I believe - we don't have information as to how this happened. I think if a guy happened to come across some page with modification tools, he could have thought of it as a "feature." If he broke some kinda encryption to access this page, then I say it is "hacking." I say unless we/SOA know which one of these it is, it's hard for me to jump to the conclusion that this guy should be burned at the stake.

I see your point. But at the same time, you seem to be making light of the part where they are similar. I'll note the bolded blue text above.

Is there any situation where it's not a bad idea to edit a website that you refer to for passing/failing grades?

H.R. Paperstacks
07-01-2008, 09:41 PM
This is a sign the tests aren't hard enough.

atomic
07-01-2008, 10:05 PM
This is a sign the tests aren't hard enough.

That's a little bit extreme, but actually not too far off the mark. At the risk of understating things, I'd say that this is a sign that some candidates lack the maturity, foresight, and respect for the profession and the examination process to really earn the designation--even if they were to pass all the exams tomorrow.

But there always have been, and always will be, such individuals.

mlschop
07-01-2008, 10:08 PM
Is there any situation where it's not a bad idea to edit a website that you refer to for passing/failing grades?

I never said whether the person did something "right" or "wrong." All I've been trying to say was that it's not as devious as people may think.

If I found the vulnerability, I might have played around with it a little bit, so I really can't fault someone for playing around. Afterward, I'd probably contact the webmaster of the site, letting them know what the consequences of the vulnerability might be.

The fact that the "perpetrator" didn't contact anyone makes me believe they wanted to "prank" SOA and/or show off. With the info we know on the AO, it hardly sounds like hacking. Maybe Bruce knows it was "actual hacking" versus "unintelligent exploratory surfing," but that hasn't been shared with us yet.

All I'm saying is don't just jump to the "devious hacker" conclusion with no evidence. Again, my opinions can change once/if more information comes in.

wat?
07-01-2008, 10:12 PM
I never said whether the person did something "right" or "wrong." All I've been trying to say was that it's not as devious as people may think.

If I found the vulnerability, I might have played around with it a little bit, so I really can't fault someone for playing around. Afterward, I'd probably contact the webmaster of the site, letting them know what the consequences of the vulnerability might be.

The fact that the "perpetrator" didn't contact anyone makes me believe they wanted to "prank" SOA and/or show off. With the info we know on the AO, it hardly sounds like hacking. Maybe Bruce knows it was "actual hacking" versus "unintelligent exploratory surfing," but that hasn't been shared with us yet.

All I'm saying is don't just jump to the "devious hacker" conclusion with no evidence. Again, my opinions can change once/if more information comes in.

That's fair. It's impossible to argue intent without more information, which, I think, is what your initial stance was all about.

My argument is more like, even though it might not be "against the law", let common sense prevail.

thing
07-01-2008, 10:16 PM
i still think it would be awesome to out them on here! :dsmile:
:iatp:

Specifically, I'd encourage the two who have come forward to the SOA to publicly out themselves and explain their intentions (thus ending this thread's argument and bringing peace to the nation once more).

If the one who hasn't come forward doesn't before the amnesty period ends, perhaps the punishment could be they are banned from the AO. :dsmile:

Infinity_fx
07-01-2008, 10:18 PM
I think it's about time SOA comes up with rules for hackers, like disqualifying them. It might be a harmless prank this time around, but what if next time they figure out a way to change credentials or access CC# info and such? Not to say that SOA shouldn't invest more time in securing their website. SOA should be treated just like any other educational institution, and with all the money they make from exam fees (which must be a lot, as these exams are difficult and most people take them more than once) they should invest some in a good IT system.

On the lighter side...now everyone's busy on this thread and no one is thinking of the results anymore..

bdschobel
07-01-2008, 10:25 PM
All software has vulnerabilities. SOA buys the best software around, but it's not perfect. And one of the vulnerabilities (exploited by hacker #1) was very unusual -- and helpful in tracking him down. Hacker #2 found a huge opening left by hacker #1 and sort of walked in and looked around. No bad intentions. Hacker #3 did no harm at all, but if he doesn't come forward, we'll do a lot worse than ban him from the Outpost. He may be looking for a new career.

What people may not realize is that a dozen or more people spent all day trying to establish beyond any doubt that our database was not corrupted in any way. Eventually, we did establish that -- and then I started this thread. But nobody here would be very happy today if we had to reconstruct your exam histories from paper records -- when we even have them!

Bruce

bdschobel
07-01-2008, 10:54 PM
A third hacker has come forward. Amnesty offered and accepted. Looks like we have at least four.

Bruce

Requiem
07-01-2008, 11:39 PM
:popcorn:

hackercount=hackercount+1

Former Actuarial
07-01-2008, 11:39 PM
don't assume that all actuaries and actuarial students are on the outpost. i don't know where else you might have discussed this SOA hacking and the potential ramifications of not coming clean. suppose this last(?) hacker doesn't even know he did anything wrong or that you are looking for him or waiting for him to confess. that wouldn't be exactly fair or proper to threaten his career if he has no idea he was in the wrong.

maybe i'm wrong and this person knew he was pulling a prank. say he was...does a harmless prank warrant losing his career?

thing
07-02-2008, 12:30 AM
Hacker #3 did no harm at all, but if he doesn't come forward, we'll do a lot worse than ban him from the Outpost. He may be looking for a new career.
:yikes:

Bruce, would you please confirm something? While the "Don't click this" button was active, it logged you out of the SOA store if followed. At least, I read one other description that seemed to describe that, and that's what I remember happening when I looked at it.

So, the part to verify: the second login was truly the SOA's login page that came up, and was not a spoof page that was capturing people's login information outside the SOA for nefarious purposes, correct?

Thanks,

Brad Gile
07-02-2008, 01:16 AM
That's a little bit extreme, but actually not too far off the mark. At the risk of understating things, I'd say that this is a sign that some candidates lack the maturity, foresight, and respect for the profession and the examination process to really earn the designation--even if they were to pass all the exams tomorrow.

But there always have been, and always will be, such individuals.

:iatp:

The tests are hard enough, I expect. The problem is that we have no real test of "the maturity, foresight, and respect for the profession and the examination process to really earn the designation". In my view, that criterion is actually more important than passing every exam with a 10. I agree that, like the poor, we will always have immature miscreants. That doesn't mean we shouldn't weed them out when they expose themselves as such.

bdschobel
07-02-2008, 07:40 AM
don't assume that all actuaries and actuarial students are on the outpost. i don't know where else you might have discussed this SOA hacking and the potential ramifications of not coming clean. suppose this last(?) hacker doesn't even know he did anything wrong or that you are looking for him or waiting for him to confess. that wouldn't be exactly fair or proper to threaten his career if he has no idea he was in the wrong.

maybe i'm wrong and this person knew he was pulling a prank. say he was...does a harmless prank warrant losing his career?

The "last" hacker is the least guilty. The first one is the most sophisticated and definitely acted intentionally. No doubt about it. And this "prank" was anything but harmless, as I have already explained. A dozen people worked literally all day to establish that the SOA's data were not corrupted -- and, fortunately, we did establish that. Many people (a surprising number!) took advantage of the amnesty, a special offer made only to people who visit here. The amnesty period is now over, and if we find more hackers, we'll take appropriate action. We are still looking.

Bruce

bdschobel
07-02-2008, 07:46 AM
...the second login was truly the SOA's login page that came up, and was not a spoof page that was capturing people's login information outside the SOA for nefarious purposes, correct?

That appears to be correct.

Bruce

BeenTooLong
07-02-2008, 07:55 AM
But nobody here would be very happy today if we had to reconstruct your exam histories from paper records -- when we even have them!

Bruce

Wow, I find this statement terrifying. I may be reading into this way too much, but this implies to me that there are not incremental and interval backups on the SOA exam database?

If the database ever became corrupt due to hacking, hardware failure, etc., is there a possibility at all that any part of anyone's exam history could be lost?

If this is the case, nowadays we do not even get paper transcripts to be able to prove anything.

I really hope that this is not the case, as students we have put far too much into exams for this to even be possible.

bdschobel
07-02-2008, 08:13 AM
We have lots of independent backups. I was merely extrapolating to a worst-case scenario where hackers corrupt everything. Probably impossible, but who knows? Anyway, this latest event gave us quite a scare.

Bruce

BeenTooLong
07-02-2008, 08:15 AM
We have lots of independent backups. I was merely extrapolating to a worst-case scenario where hackers corrupt everything. Probably impossible, but who knows? Anyway, this latest event gave us quite a scare.

Bruce

I can only imagine what a scare that was for everyone involved. When I first read about it, the first thing I did was log on and make sure my transcript was correct.

Assuming that there are appropriate tape backups done, I don't think that is possible, but nonetheless, would not be any fun.

mlschop
07-02-2008, 08:16 AM
We have lots of independent backups. I was merely extrapolating to a worst-case scenario where hackers corrupt everything. Probably impossible, but who knows? Anyway, this latest event gave us quite a scare.

Bruce

I would hope it's impossible, as something that secure should have an offline back-up in addition to any online back-ups.

campbell
07-02-2008, 08:33 AM
Look guys, there's a difference between something that's illegal and something that's unethical. I find issues with websites, file access, and the like all the time where it was obvious the webmasters/sysadmins had no intention of getting them out there. Instead of playing havoc with a bunch of nervous people, I emailed the webmasters/sysadmins when I found these vulnerabilities.

The actuarial profession wants to maintain a high ethical standard. The ethical thing to have done, should one have found the vulnerability, would be to contact the SOA. "They were asking for it" is not an appropriate response. A more constructive response is to offer your services in attacking the site to find vulnerabilities, because yes, there will always be problems.

Heck, if you were afraid of being identified, there are ways to send anonymous emails, or you can use an alt-ID on here to PM Bruce. I've had to do anonymous notifications before (I learned how to spoof email because I had to tell a school staff member that all the high school boys were reading her emails from her boyfriend because her default file permissions were 755 when she saved them. =That= was fun.)

BeenTooLong
07-02-2008, 08:41 AM
Look guys, there's a difference between something that's illegal and something that's unethical. I find issues with websites, file access, and the like all the time where it was obvious the webmasters/sysadmins had no intention of getting them out there. Instead of playing havoc with a bunch of nervous people, I emailed the webmasters/sysadmins when I found these vulnerabilities.

The actuarial profession wants to maintain a high ethical standard. The ethical thing to have done, should one have found the vulnerability, would be to contact the SOA. "They were asking for it" is not an appropriate response. A more constructive response is to offer your services in attacking the site to find vulnerabilities, because yes, there will always be problems.

Heck, if you were afraid of being identified, there are ways to send anonymous emails, or you can use an alt-ID on here to PM Bruce. I've had to do anonymous notifications before (I learned how to spoof email because I had to tell a school staff member that all the high school boys were reading her emails from her boyfriend because her default file permissions were 755 when she saved them. =That= was fun.)

:iatp:

SonofaBish
07-02-2008, 08:42 AM
So, if you clicked on the "Don't Click This" button, does that make you one of the hackers or not?? I'd think that there were thousands of people that clicked on this button.

BeenTooLong
07-02-2008, 08:46 AM
So, if you clicked on the "Don't Click This" button, does that make you one of the hackers or not?? I'd think that there were thousands of people that clicked on this button.

I don't see that as hacking. To me, hacking is finding a vulnerability in a web site/database that you exploit in some way.

Clicking a button on a page you have every right to be on is not hacking. Clicking on that button, with that message was a bit risky, but IMHO not hacking.

campbell
07-02-2008, 09:02 AM
Given the literary and religious history out there (and basic human psychology), a "Don't click" button is about as likely to be followed as "Don't open this box", "You can eat the fruit of any other tree, but not this one", or "Don't look back" (whether at your dead wife following you from the underworld or the back at the city being burned to a crisp by God).

Whoever made that first button certainly knew of the all-too-human impulse to do what you're explicitly told not to do (when not given a reason why not to... (follow the negatives!)).

Binky
07-02-2008, 09:10 AM
Given the literary and religious history out there (and basic human psychology), a "Don't click" button is about as likely to be followed as "Don't open this box", "You can eat the fruit of any other tree, but not this one", or "Don't look back" (whether at your dead wife following you from the underworld or the back at the city being burned to a crisp by God).

Whoever made that first button certainly knew of the all-too-human impulse to do what you're explicitly told not to do (when not given a reason why not to... (follow the negatives!)).

I wouldn't have clicked the button had Bruce not been on AO the last time, telling us how smart we were for figuring out how to get our results early (I'm referring to the process of trying to register for the exam and if you passed, you'd get stopped from paying for it and it would tell you "you've already passed this exam.") I thought this button was possibly a joke from either Bruce or one of his buddies at the SOA. Now I'm spending all day wondering if I'll lose my job because I clicked on the button. When does it become hacking? I agree that the person who set up the button "hacked", but what about someone in my shoes?

_BullDog_
07-02-2008, 09:18 AM
I wouldn't have clicked the button had Bruce not been on AO the last time, telling us how smart we were for figuring out how to get our results early (I'm referring to the process of trying to register for the exam and if you passed, you'd get stopped from paying for it and it would tell you "you've already passed this exam.") I thought this button was possibly a joke from either Bruce or one of his buddies at the SOA. Now I'm spending all day wondering if I'll lose my job because I clicked on the button. When does it become hacking? I agree that the person who set up the button "hacked", but what about someone in my shoes?
You're not going to lose your job because you clicked on that button...

bdschobel
07-02-2008, 09:30 AM
I would hope it's impossible, as something that secure should have an offline back-up in addition to any online back-ups.

Indeed.

Bruce

SonofaBish
07-02-2008, 09:31 AM
I wouldn't have clicked the button had Bruce not been on AO the last time, telling us how smart we were for figuring out how to get our results early (I'm referring to the process of trying to register for the exam and if you passed, you'd get stopped from paying for it and it would tell you "you've already passed this exam.") I thought this button was possibly a joke from either Bruce or one of his buddies at the SOA. Now I'm spending all day wondering if I'll lose my job because I clicked on the button. When does it become hacking? I agree that the person who set up the button "hacked", but what about someone in my shoes?
I was sorta thinking the same thing as you, but not nearly as panicky as you sound..... I really don't see any way I can get in trouble b/c I clicked a button that existed on the webpage..... but who knows

bdschobel
07-02-2008, 09:31 AM
So, if you clicked on the "Don't Click This" button, does that make you one of the hackers or not?? I'd think that there were thousands of people that clicked on this button.

Not if that's all you did.

Bruce

bdschobel
07-02-2008, 09:32 AM
I don't see that as hacking. To me, hacking is finding a vulnerability in a web site/database that you exploit in some way. Clicking a button on a page you have every right to be on is not hacking. Clicking on that button, with that message was a bit risky, but IMHO not hacking.

I agree on all points.

Bruce

langstafftigerpizza
07-02-2008, 09:34 AM
Did SOA ever get hacked before?

bdschobel
07-02-2008, 09:37 AM
I wouldn't have clicked the button had Bruce not been on AO the last time, telling us how smart we were for figuring out how to get our results early (I'm referring to the process of trying to register for the exam and if you passed, you'd get stopped from paying for it and it would tell you "you've already passed this exam.") I thought this button was possibly a joke from either Bruce or one of his buddies at the SOA. Now I'm spending all day wondering if I'll lose my job because I clicked on the button. When does it become hacking? I agree that the person who set up the button "hacked", but what about someone in my shoes?

I've tried to be very clear that what you guys did the last two times was creative, impressive and harmless. Some people were annoyed, for sure, but not me. Nobody changed anything on the SOA's site those times.

What happened this time was very, very different. I hope that everybody understands the difference. If not, PM me. And, just for the record, I have fun with people, but putting that kind of button on the SOA's website would have been totally inappropriate -- and I guess I hope that you would expect better of me than to do something like that!!! :oops:

Bruce

SonofaBish
07-02-2008, 09:43 AM
Not if that's all you did.

Bruce
Ok cool, then I no longer need to worry about this...

I clicked the button - saw the logon box on the associated page, underneath the "Your curiosity ..... " - put my username and password in there and it didn't do anything if I remember correctly - then shrugged my shoulders and closed the page, figuring it was an admin login.

Whew..... :)

atomic
07-02-2008, 09:46 AM
I'd be mindful of not disclosing too many details in response to the seemingly ceaseless inquiries into the exact nature of the security breach.

There are some things that I have read here about the nature of the SOA databases that I do not care to know, nor need to know. I do not feel that it is necessary for the SOA to disclose the potential for these databases to be corrupted.

I realize that people want answers, they want to understand why this act was considered so severe. The problem with that is that everyone other than the hackers and the administrators of the vulnerable system are outsiders--they cannot see what was done to exploit the security vulnerabilities in question. Attempting to convey the seriousness of the act by disclosing details about the structure of the data systems is not, in my view, necessary.

The allegations are serious, but at the same time, if there were similarly serious allegations of professional misconduct, the ABCD wouldn't be publishing the details on an internet forum.

Just sayin'.

ScubaChris
07-02-2008, 09:54 AM
Ok cool, then I no longer need to worry about this...

I clicked the button - saw the logon box on the associated page, underneath the "Your curiosity ..... " - put my username and password in there and it didn't do anything if I remember correctly - then shrugged my shoulders and closed the page, figuring it was an admin login.

Whew..... :)


That's pretty much exactly what I did.
I assumed it was a joke placed there by the SOA on purpose and was quite amused by it.

burton leon reynolds
07-02-2008, 09:57 AM
:popcorn:

hackercount=hackercount+1

giggle

mlschop
07-02-2008, 10:06 AM
The allegations are serious, but at the same time, if there were similarly serious allegations of professional misconduct, the ABCD wouldn't be publishing the details on an internet forum.

Allegations - yes, but if someone is deemed to be acting unprofessionally (i.e. violating the AAA Code of Conduct) through an ABCD Hearing, one of the recommended actions could be Public Discipline.

While I doubt the ABCD would come on the AO and make a post regarding this, the information would be public in the actuarial community, and have no doubt that the news would trickle down here.

Since the three hackers that have come forward have been offered amnesty, I doubt they would ever be outed on here (unless they came forward themselves).

bdschobel
07-02-2008, 10:09 AM
Since the three hackers that have come forward have been offered amnesty, I doubt they would ever be outed on here (unless they came forward themselves).

You got that right.

Bruce

mlschop
07-02-2008, 10:11 AM
Bruce - It's a bit weird with you now using an avatar. :-P

bdschobel
07-02-2008, 10:21 AM
http://www.actuarialoutpost.com/actuarial_discussion_forum/showpost.php?p=2979101&postcount=59

banpeikun
07-02-2008, 10:23 AM
As a computer science major, I want to say that what Bruce described is far different from simply changing a few passed arguments in a URL to get some information and is not even close to "clicking on a few buttons" or finding a security hole by simply navigating around on the site.

What Bruce described is definitely and without a doubt intentional (although not necessarily malicious) hacking, and whoever did it had no illusions about his actions being considered anything but hacking.

I just wanted to weigh in with that amid the rampant giving of the benefit of the doubt when what Bruce had already said clearly contradicted several presumptions.

banpeikun
07-02-2008, 10:24 AM
Bruce - It's a bit weird with you now using an avatar. :-P

I think Bruce and his avatar should be featured on imageoftheactuary.org

Dahlia
07-02-2008, 11:00 AM
I never said whether the person did something "right" or "wrong." All I've been trying to say was that it's not as devious as people may think.
That the "perpetrator" didn't contact anyone makes me believe they wanted to "prank" SOA and/or show off. With the info we know on the AO, it hardly sounds like hacking. Maybe Bruce knows it was "actual hacking" versus "unintelligent exploratory surfing," but that hasn't been shared with us yet.

As this was done to the website of a professional organization and not your bff's blog, I don't think the term "unintelligent exploratory surfing" applies here. Any student who has seen the exam code of conduct knows the SOA might not react well to you tampering with their webpage.

cubs1908
07-02-2008, 11:13 AM
What part of the code do you think was violated?
Do you consider this a "material" violation?

+++++++++++++++++++++++++++++
Now Playing: Sudden Impact II
Starring Daddy B as Harry Callahan
"Go ahead, make my day."
+++++++++++++++++++++++++++++

mlschop
07-02-2008, 11:16 AM
As this was done to the website of a professional organization and not your bff's blog, I don't think the term "unintelligent exploratory surfing" applies here. Any student who has seen the exam code of conduct knows the SOA might not react well to you tampering with their webpage.

This is a moot point, as people have come forward and admitted to "hacking." My posts were meant as a precautionary measure that maybe SOA's vendor left an admin site open to the public by accident (or something similar).

I'm done trying to explain this to people that are not familiar with the tech industry in the 21st century. Go read some tech blogs. You'll find that innocent people do damage, more significant than what happened to the SOA, accidentally. It happens. Not every security breach is someone trying to do something devious.

bdschobel
07-02-2008, 11:27 AM
Enough, already! This was not an accident. It was not something SOA's vendor did. It was sophisticated hacking, plain and simple, especially on the part of hacker #1. He came forward, so we have no beef with him, but interestingly, the SOA staff had already focused on him because he was on the site exactly when the first breach occurred. Anyway, can we move on now, please?

Bruce

campbell
07-02-2008, 11:29 AM
Well, it's a nice distraction for those people waiting on exam results. It's this or the photo caption thread, I guess.

Requiem
07-02-2008, 11:51 AM
We'll stop at 3:00 EST.

thing
07-02-2008, 12:18 PM
Except for those of us waiting until the 11th... :D

ConfusedNY
07-02-2008, 12:45 PM
Except for those of us waiting until the 11th... :D

Isn't FM the 18th...

rfa3232
07-02-2008, 12:52 PM
The SOA has an online store?

ConfusedNY
07-02-2008, 12:58 PM
The SOA has an online store?

The SOA Store is where you sign up for exams, not T-shirts and mugs

RichieGB
07-02-2008, 12:58 PM
Where do you think we get our signed copies of Bruce's autobiography?

Mc Lovin
07-03-2008, 12:01 AM
What did they take, some designer sunglasses and a tiebar?

cubs1908
07-08-2008, 07:56 PM
Enough, already! This was not an accident. It was not something SOA's vendor did. It was sophisticated hacking, plain and simple, especially on the part of hacker #1. He came forward, so we have no beef with him, but interestingly, the SOA staff had already focused on him because he was on the site exactly when the first breach occurred. Anyway, can we move on now, please?

Bruce

Daddy Bruce:

You claim this was a "sophisticated hacking". If that was the case, then why didn't you report the violation and allow the Discipline Committee to investigate? Who gave you the authority to offer immunity to these "hackers" before a formal investigation was complete? Isn't that a conflict of interest?

Truly yours,
Amateur attorney

bdschobel
07-08-2008, 08:18 PM
Yawn.

Bruce