Originally published at: https://boingboing.net/2020/02/11/anyone-can-sign-up-for-this.html
…
There’s likely at least one federal felony in here, not including conspiracy and accessory charges.
Start with sites ending in .mil to ensure the most bang.
I thought this was like ‘we’ll randomly generate a password for you to use once a day’ and thought it was the dumbest idea ever, but boy this is much more interesting.
This reminds me of this:
Now, none of this was much of a security concern back in the day when it was impractical for employees to lug their bulky desktop computers and monitors outside of the corporate network. But what happens when an employee working at a company with an Active Directory network path called “corp” takes a company laptop to the local Starbucks?
Chances are good that at least some resources on the employee’s laptop will still try to access that internal “corp” domain. And because of the way DNS name devolution works on Windows, that company laptop online via the Starbucks wireless connection is likely to then seek those same resources at “corp.com.”
In practical terms, this means that whoever controls corp.com can passively intercept private communications from hundreds of thousands of computers that end up being taken outside of a corporate environment which uses this “corp” designation for its Active Directory domain.
Happy scripting.
Strange framing—you’re implying they’re hacking other people’s accounts or acquiring them from somewhere. MSCHF is creating these paid/premium accounts to give away, not giving away someone else’s credentials.
They’re venture-funded ($11M raised so far), but the limited expense of this particular stunt could be entirely covered by sponsorship. They’ve featured Headspace twice in the past four days, so I wouldn’t be surprised if they were one of them.
a pseudo-internet-performance-art-collective founded by ex-Buzzfeed employees that specializes in viral pranks.
These are the exact type of people I like to give my phone number to!
Yeah the article is rather unclear. If these are accounts they are giving away then it’s all cool. If these are random account credentials gleaned from some security leak then there’s a world of hurt coming to all involved. Seems unlikely it would be the second one.
I’m scripting right now.
This topic was automatically closed after 5 days. New replies are no longer allowed.