A trick that exposed an AT&T security flaw also enabled the funniest joke in Canadian politics.
It’s a tale of two cities: Washington and Ottawa. It’s a tale of two hackers: Andrew Auernheimer, known as weev, and Kevin O’Donnell, the Green Party of Ontario’s deputy leader and provincial candidate for Ottawa Centre. It’s also a tale of two countries on either side of the 49th parallel, and how that narrow line can sometimes make all the difference.
Auernheimer is currently serving a 41-month prison sentence for identity theft and violating the Computer Fraud and Abuse Act (CFAA). In June of 2010 Auernheimer and his associates at Goatse Security exposed the emails of more than 100,000 iPad owners, through a flaw in security at AT&T which they had discovered. As the Electronic Frontier Foundation explains the hack, “AT&T configured its website to automatically publish an iPad user’s e-mail address when the server was queried with a URL containing the number that matched an iPad’s SIM card ID. In other words, if anyone typed in the correct URL with a correct ID number, the e-mail address associated with that account would automatically appear in the login prompt.”
That is roughly analogous to the “hack” which enables telemarketers to reach unlisted numbers. They start at 100-0000, move on to -0001, then -0002, and so on. Testing each of those URLs (and then sending the results to Gawker) is basically what weev is in prison for.
Meanwhile, up in Canada, a prominent Canadian senator and ex-broadcaster named Mike Duffy was busy recording intro after intro for a Conservative Party fundraising video. A real pro, he did take after take, day after day, greeting hundreds of faceless Canadians by name. “Hi Joel,” he sang out perkily. And so on, for over 800 names. These snippets were then prepended to the rest of the fundraising video and emailed to loyal party supporters in hopes they would be inspired to shower the party with cash.
Since that time, Duffy has become embroiled in a rather complex and Schadenfreude-rich scandal revolving around, of course, money. The charges include paying a friend to do no visible work and taking money from the party to pay his own legal bills, along with the standard issue expense account irregularities. The upshot is that Senator Duffy has replaced Toronto mayor Rob Ford as the punchline of choice in Canadian political circles.
On December 18, Glen McGregor at the Ottawa Citizen stumbled across the intro videos, still echoing cheerfully into the void online. “Enter your first name here http://movingforward.conservative.ca/vb/101/c3eeg/glen and the senator reads it aloud — “Hello, [YOUR NAME]. It’s Mike Duffy” — as extolls the many accomplishments of the prime minister.”
Among the many who could not resist was the aforementioned Kevin O’Donnell. But merely forcing the politico to mumble “Hi Kevin” wasn’t enough; he had to go on and scrape the whole website. By the afternoon he had trawled the site and posted on his own videos of Duffy greeting 750 individual names. The Canadian Twittersphere exploded and Macleans, Canada’s answer to Time magazine, interviewed O’Donnell the same day.
“I’m a computer programmer and just about everything I know about my trade was learned by digging through how other people have done their work and learning from it. So I dug into how they did the ‘name’ videos. Of course, once that was solved, the idea of putting them all on the Internet was too funny to not do.”
O’Donnell also explained how he found those 750 names, and it sounds an awful lot like the “hack” that landed weev in prison:
“The sleuthing showed the ‘name’ videos were predictably located at this link. Then I just googled for any list of first names and picked one that had about 3,500 in it. Running a downloader in a loop yielded 750 successful matches. I added an open source Flash video player on to the page and that was it.”
The difference is that Canada doesn’t have the CFAA, the 1986 anti-hacking law so broad it’s been described as “the worst law in technology.” While weev remains locked up for exposing a major corporation’s security flaws, O’Donnell is being celebrated across Canada for doing roughly the same thing to a politician.
Photo via Daniel Means/Flickr
Pure, uncut internet. Straight to your inbox.