
NY Times Humiliates Itself on Citi Hack Story

It is really hard to believe that in 2011 two technology reporters for 'the paper of record' could humiliate themselves and their paper so completely by botching a simple technology story. I don't think I've ever seen a story as screwed up as this one. Literally. -- They didn't get a few facts wrong; they got the whole story wrong.

Ok, the topic is computer security - but before your eyes glaze over - TRUST ME, a third grader could follow it. -- As long as that third grader was not part of the layers and layers of fact checkers and editors at the New York Times.

And while I'll explain the technology (in an easy way, honest), you don't need to know a thing about computers to know the story is bogus, simply because it is not internally consistent. They spend half the story telling us how easy the hack was and the other half telling us how sophisticated it was. Which is it?

And I'm purposely leaving the byline of Nelson Schwartz and Eric Dash in the story because they should forever be tied to this steaming pile of dung. As a formatting convention, I'm underlining the parts of the story that are pure poppycock and I'll bold the important parts.

Thieves Found Citigroup Site an Easy Entry

Using the Citigroup customer Web site as a gateway to bypass traditional safeguards and impersonate actual credit card holders, a team of sophisticated thieves cracked into the bank's vast reservoir of personal financial data, until they were detected in a routine check in early May.

That allowed them to capture the names, account numbers, e-mail addresses and transaction histories of more than 200,000 Citi customers, security experts said, revealing for the first time details of one of the most brazen bank hacking attacks in recent years.

In the Citi breach, the data thieves were able to penetrate the bank's defenses by first logging on to the site reserved for its credit card customers.

Once inside, they leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser's address bar. The hackers' code systems automatically repeated this exercise tens of thousands of times -- allowing them to capture the confidential private data.

The method is seemingly simple, but the fact that the thieves knew to focus on this particular vulnerability marks the Citigroup attack as especially ingenious, security experts said.

One security expert familiar with the investigation wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser. "It would have been hard to prepare for this type of vulnerability," he said. [Complete bullshit -ED] The security expert insisted on anonymity because the inquiry was at an early stage. ...

The expertise behind the attack, according to law enforcement officials and security experts, is a sign of what is likely to be a wave of more and more sophisticated breaches by high-tech thieves hungry for credit card numbers and other confidential information.

So let's review what these super elite uber hackers did that was so impossible to prepare for... They saw their own credit card number in the URL in the address bar, they tried changing it to another card number, and BINGO, the system coughed up information.

EEEEEW, I hope you were impressed by their mad hacker high school skillz. -- This really wasn't even a hack; it was finding a big fat hairy bug that no rookie programmer should have left.

Folks, this ain't rocket science. You don't put account numbers (or passwords etc) where people can see them. DUH! -- You know that and you're not a NYT expert.

The story does not say what language they used on the site, but I'll give you an example in PHP (the most widely used programming language on the web): it is as simple as using a POST command instead of a GET command. They do the same thing, but a GET puts the information in the address bar and a POST hides it.
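Here is the pattern in PHP, as an added example and not code from the post or from any bank: the lookup as the Times describes it, taking the account number from the request and trusting it, beside a hardened version. Moving the parameter from GET to POST takes the number out of the address bar, as the post says, but the server still receives it; what actually stops one customer from reading another's data is the server checking that the requested account belongs to the logged-in session, which the hardened version does inside the query itself. Table and column names, the session layout and the sample rows are constructed for the demo, and running it stand-alone needs PHP's pdo_sqlite extension.

```php
<?php
// Added example, not code from the post or from any bank: the lookup bug the
// post describes, beside a hardened version. Table and column names, the
// session layout and the sample rows are all constructed for this demo.
declare(strict_types=1);

// VULNERABLE: the account number is taken from the request and used as-is.
// Whoever is logged in can read any account by editing the number, which is
// what the Times story describes ("inserting various account numbers" into
// the address bar).
function lookupVulnerable(PDO $db, array $request): ?array
{
    $acct = (string) ($request['acct'] ?? '');        // attacker-controlled
    $stmt = $db->prepare('SELECT name, email FROM accounts WHERE acct_no = ?');
    $stmt->execute([$acct]);                           // no ownership check
    $row  = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HARDENED: the account number may still arrive in the request (reading it
// from the POST body hides it from the address bar, as the post says, but the
// server still sees it). The hole is closed by binding the query to the
// customer id that was set at login, so a foreign account number matches
// nothing and cannot be leaked.
function lookupHardened(PDO $db, ?int $customerId, array $request): ?array
{
    if ($customerId === null) {
        return null;                                    // not logged in
    }
    $acct = (string) ($request['acct'] ?? '');
    if (!preg_match('/^\d{8,19}$/', $acct)) {          // basic input validation
        return null;
    }
    $stmt = $db->prepare(
        'SELECT name, email FROM accounts WHERE acct_no = ? AND customer_id = ?'
    );
    $stmt->execute([$acct, $customerId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // A logged-in user asking for an account that is not theirs is the
        // signal a defender wants in the logs; a burst of these is enumeration.
        error_log("denied account lookup: customer=$customerId acct=$acct");
        return null;
    }
    return $row;
}

// Constructed in-memory data so the demo runs without a real database.
function demoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE accounts (acct_no TEXT, customer_id INTEGER, name TEXT, email TEXT)');
    $db->exec("INSERT INTO accounts VALUES ('4111111111111111', 1, 'Alice Example', 'alice@example.com')");
    $db->exec("INSERT INTO accounts VALUES ('4222222222222222', 2, 'Bob Example', 'bob@example.com')");
    return $db;
}

// Request-handler glue for a web server: the account number comes from the
// POST body, the customer id from the session that the login page populated.
function handleAccountRequest(PDO $db): void
{
    session_start();
    $row = lookupHardened($db, $_SESSION['customer_id'] ?? null, $_POST);
    if ($row === null) {
        http_response_code(404);                        // same answer for "foreign" and "missing"
        return;
    }
    header('Content-Type: application/json');
    echo json_encode($row);
}

if (PHP_SAPI === 'cli') {
    $db = demoDb();
    // Alice (customer 1) is logged in and submits Bob's account number.
    var_dump(lookupVulnerable($db, ['acct' => '4222222222222222']));   // Bob's row: leaked
    var_dump(lookupHardened($db, 1, ['acct' => '4222222222222222']));  // NULL: denied and logged
    var_dump(lookupHardened($db, 1, ['acct' => '4111111111111111']));  // Alice's own row
}
```

The hardened query answers "not found" for both a non-existent account and someone else's account, so the response itself gives nothing away; the denied lookups go to the error log, which is where a bank would have seen tens of thousands of repetitions long before a routine check did. Cleaner still is not to accept an account number from the client at all and instead list accounts by the session's customer id, but the ownership check above is the minimum that makes the parameter's location (GET or POST) irrelevant to security.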

And how many programming degrees from Ivy League schools do you need to learn this bit of esoteric computer security? Well, if you learn beginning programming at Lynda.com, they teach it at hour 3 of a 22 hour course. It's one of the first things you learn as a programmer.

But maybe with the financial sector on the skids, Citi couldn't spring for the 25 bucks a month for Lynda.com. NO PROBLEM. Here's a free video tutorial explaining it. Mind you, this is a 22 minute video and you should watch the other 80 minutes first. So if you use the free site, you should get to it about an hour and a half after you start to learn programming.

In other words, any moron who learned programming from youtube should have known this.

And the New York Times 'expert' who says there was no way the bank could have foreseen that? I just wonder which of the two authors asked his 8 year old to be an expert for him. No 'expert' in the world would say something so stupid. If I were their editor I WOULD ASK WHO THE EXPERT WAS. They did not interview an expert; they made the quote up themselves, or something similar.

I know that most people become reporters because they don't have the skills to do anything else... but geeze, you'd think two technology reporters and their 'expert' would at least come close to getting it right...

But if you think that, you'd be expecting too much... These morons have no clue what they are talking about. QED

Note: Languages other than PHP do it differently, of course, but in EVERY language, not transmitting sensitive data like card numbers and passwords in the clear (unencrypted) is something you learn basically on day one. No 'sophisticated teams' of hackers required.


Comments (17)

Spell check your headline. ... (Below threshold)
James H:

Spell check your headline.

Paul, you are completely co... (Below threshold)
Ken in Camarillo:

Paul, you are completely correct. If you were an inquisitive type and happened to look at the url and see your own data, you would not be able to resist experimenting to see what would happen with other data instead of your own. It seems likely therefore that this was a young person who was curious.

Thanks James, new keyboard ... (Below threshold)

Thanks James, new keyboard and I had all sorts of typos... naturally I leave the big one. sigh.

The bigger question Ken is ... (Below threshold)

The bigger question Ken is 'How long was this bug there before someone found it?'

With the number of users Citi has I wouldn't expect a bug like that to last more than a day myself.

Heads should roll at Citi f... (Below threshold)
Jim Addison:

Heads should roll at Citi for allowing such a basic breach of security.

At NYT, not so much. At one time, back when Abe Rosenthal was running the show, if you saw something stated as fact in the NYT you could take it to the bank - even in opinion pieces. But the principal owners, the Sulzberger-Ochs families, were determined to elevate their scion, Pinch, and shoved old Abe aside along with his antiquated notions of accuracy and fact-checking.

NYT is now all about the narrative. Their motto has changed from "All the news that's fit to print" to "All the news that fits, we print." If it fits the narrative, it's too good to check or correct.

Apparently Citi is on the "good" list this week.

Paul: I have always found ... (Below threshold)
James H:

Paul: I have always found my spelling errors doubly embarrassing when accusing others of stupidity.

I think we went over that i... (Below threshold)

I think we went over that in week 2 of my php class. And that is only because week 1 was going over the syllabus.

Yeah it was a case of "Blog... (Below threshold)

Yeah it was a case of "Blogger Humiliates himself by misspelling humiliates."

But I'll take the occasional typo vs this train wreck.

Okay computer wizards. How ... (Below threshold)

Okay computer wizards. How do I secure my AT&T WIFI? I can't figure it out. ww

Paul, great to see you back.

I wonder which bottom basem... (Below threshold)
Infinitus est Numerus Stultorum:

I wonder which bottom basement offshore code mill built this stuff? Having said that, someone at Citi should have been code-reviewing and raised a red flag. This is incompetence bordering on sabotage!

People still read the NYT's... (Below threshold)

People still read the NYT's?

WW: Send me your IP Addres... (Below threshold)
James H:

WW: Send me your IP Address, username and password, and your Mastercard number.

WW I'm not actually here. ;... (Below threshold)

WW I'm not actually here. ;-)

I just had to come out of the shadows for Charles Johnson making a Weiner out of himself and this was just so egregiously stupid, I had to blast them...

But having said that, I spoke to Kevin the other day (after the last Weiner update) and told him "I'll see you in a year or two when something gets to me."

Blogging once or maybe twice a year is fine with me... I'm actually exceeding my 'sell by' date rapidly making this many posts. ;-)

Have a good one.


WildWillie,Assumin... (Below threshold)


Assuming you have the default ATT wireless router:

Log in to your router (typically

click on the home network tab.

click on the wireless settings option.

Make your changes and save.

Thanks Kenny.James... (Below threshold)

Thanks Kenny.

James H, the information should be coming to you very soon. ;)

Paul, come on. Join the party. Kick it up a notch. ww

Actually, spelling and gram... (Below threshold)
James H:

Actually, spelling and grammar errors drove me away from reading the NYT as much as I used to.

If a newspaper skimps on checking basic grammar and spelling, I also think the newspaper is skimping on its fact-checking.

The NYT is guilty of gross ... (Below threshold)

The NYT is guilty of gross stupidity and lack of factual content, but that's their problem because I don't read them on or offline.

BTW, that's not a hack, it's an exploit.

All original content copyright © 2003-2010 by Wizbang®, LLC. All rights reserved. Wizbang® is a registered service mark.