5 outrageous hacks perpetrated by the FTC's new Chief Technologist

5 outrageous hacks perpetrated by the FTC's new Chief Technologist

Summary: The idea that this guy is going to be going to Washington is just awesome.

SHARE:

Last week, the United States Federal Trade Commission (FTC) named Princeton Professor Edward Felten to a newly-created role: Chief Technologist.

This is interesting. Very, very interesting. You see, the FTC is the United States official body tasked with keeping consumers safe. While the FBI fights identity theft crimes, the FTC is the agency responsible for combating identity theft before the crime occurs.

The FTC's role in consumer protection is incredibly important. Back in 2008, I published U.S. government agencies' cyber-security and record-keeping worse than previously thought, where I detailed some serious security flaws at Homeland Security and the FTC.

Even with these security flaws (and I still don't know if they've been patched), the FTC's role in protecting consumers has become increasingly important as we enter the digital age.

That's where Ed Felten comes in. Ed's an interesting character, as well as an accomplished computer scientist. At Princeton, he's spent the past decade or so pushing on interesting weaknesses at the point where technology meets governance.

I promised you some outrageous hacks, and here they are.

Hack 1: Hacking IE in the Microsoft monopoly case

You may or may not remember United States vs. Microsoft. This was back in the days of Windows 98, so you'll be forgiven if you forgot. Back then, Microsoft was accused of having a monopoly on browsers (how quaint!). As part of its defense, Microsoft claimed IE was an integral part of the operating system and couldn't be removed.

Enter Felten. He testified that IE could be removed by deleting the icons and removing the IE executable. After that, things didn't go Microsoft's way for a while, even though Microsoft claimed that IE was a lot more (DLLs, in particular) than just the iexplore.exe file.

Hack 2: The Sony rootkit scandal

Let's fast-forward to 2005. Sony had decided to come up with a scheme to prevent CD copying. As part of their scheme, when you put one of 50 of their music CDs into a PC, it would automatically install some copy protection software (for those who didn't turn off auto-run).

Felten discovered that Sony left what was essentially a rootkit on the PCs, allowing any Web page to download and install software onto a PC "infected" with the Sony protection-ware.

Hack 3: Deibold voting machine scandal

Remember the whole michegas about how easy it is to hack the voting machines? Yep, Felten's doing. In 2006, Felten and a team of graduate students got their hands on a Deibold voting machine and showed just how easy it would be to put some "malicous" software on a voting machine and have it change all the results.

For some reason, Deibold Election Systems is no longer known as Deibold Election Systems. They're now Premier Election Solutions. Did they change their name to avoid all the bad press stirred up by Felten's findings? Nah.

Hack 4: Sequoia voting machine scandal

Felten is a Jersey boy and New Jersey is pretty particular about its elections. In 2008, some smart New Jersey bureaucrats decided they wanted to avoid any form of voting machine scandal. To do so, they decided to send one Sequoia voting machine to Felten and his band of merry grad students.

Things did not go well. Sequoia Voting Systems, who happens to compete against the former Diebold, didn't much like the idea of Felten rummaging around in the guts of their pride and joy. Sequoia threatened legal action if Felten kept up his testing.

As it turns out, Felten did continue his testing and determined that the Sequoia could be compromised in minutes.

Hack 5: the cold boot attack

Because he wasn't busy enough in 2008, Felten and his students discovered a nasty little flaw called the cold boot attack.

If you've ever seen particularly bad science fiction, you know how this works. In science fiction, every so often there's a witness with invaluable data who suddenly dies. As the SF conceit goes, those last images are recorded somewhere in the victim and can be retrieved and replayed posthumously.

The cold boot attack works in a similar way. RAM retains information for just a few minutes after powering off, so an attacker could restart a machine and dig through previously secure RAM to extract keys and access information.

Mister Felten goes to Washington

So now you know Ed Felten. The idea that this guy, this guy is going to be going to Washington is just awesome. The FTC could use someone with Felten's twisted little mind to help it prepare for our digital future.

There's only one thing that concerns me. This gig of Chief Technologist is only for a year. It's virtually impossible to get anything done in a year in Washington. So I'm hoping that this role isn't just some sort of fellowship for Felten and the United States can derive some actual value and insight from one of our more interesting and influential white-hat hackers.

Topics: Browser, Hardware, Microsoft, Security

About

David Gewirtz, Distinguished Lecturer at CBS Interactive, is an author, U.S. policy advisor, and computer scientist. He is featured in the History Channel special The President's Book of Secrets and is a member of the National Press Club.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

21 comments
Log in or register to join the discussion
  • They should make the appointment a competitive one:

    You get to keep the job as long as your name is on the website for the office. Conversely, if you can hack in and change the name there, the job is yours. That will ensure that the best candidate will have the job and will be working tirelessly in the area of computer/web security.
    Geedavey
    • RE: 5 outrageous hacks perpetrated by the FTC's new Chief Technologist

      @Geedavey

      One would hope the chief technologist would spend his time more productively than maintaining a web page.
      r_rosen
    • RE: 5 outrageous hacks perpetrated by the FTC's new Chief Technologist

      @Geedavey. I suppose that's one way to get a 15 yr old in office.
      coughlm1@...
  • RE: 5 outrageous hacks perpetrated by the FTC's new Chief Technologist

    He should try InZeroSystems, then BUY about 20mil !!! So the gov can keep working, unlike the UK gov hack today...
    Paul@...
  • RE: 5 outrageous hacks perpetrated by the FTC's new Chief Technologist

    A minor correction... it was Mark Russinovich of Sysinternals fame who discovered the Sony rootkit. Felten discovered that the ActiveX control that Sony released to remove the rootkit opened the computer up to arbitrary code execution. The ActiveX control is mistakenly labeled a rootkit in the Wikipedia article about Felten.

    Sources:

    http://blogs.technet.com/b/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx

    http://en.wikipedia.org/wiki/Edward_Felten#Sony_rootkit_investigation
    Kevin Dean
    • RE: 5 outrageous hacks perpetrated by the FTC's new Chief Technologist

      @Kevin Dean ooooooh BURN!!!!
      stevek@...
    • RE: 5 outrageous hacks perpetrated by the FTC's new Chief Technologist

      @Kevin Dean
      My thoughts exactly. Russinovich deserves full credit for discovering the Sony rootkit, truly an amazing display of technical prowess, in my book.
      TecKnight
  • RE: 5 outrageous hacks perpetrated by the FTC's new Chief Technologist

    Maybe he's there in case BHO forgets the PW to his BlackBerry?
    cmrhere@...
  • It'll never fly...

    Having someone in Washington who actually knows how to do something will never work. Either the person will go insane dealing with the Washington modus operandi or Washington will be embarrassed so many times when their true colors are displayed that they will oust the person.

    Probably will not last 12 months.
    pwatson
    • That's exactly right

      @pwatson

      As sad as it is...either he will grow rapidly sick of dealing with arrogant people who can't admit they don't know what they're talking about, but are too prideful to step aside and let him do what he needs to.

      Or, he will get an offer he can't refuse from the private sector (again).

      Here's hoping he's more interested in doing good than "doing well"
      SonofaSailor
    • RE: 5 outrageous hacks perpetrated by the FTC's new Chief Technologist

      @pwatson That's so funny and true I guess... However, if he studied a bit of politics and understands a bit of bureaucracy, he's probably going go do well.
      mungujakisa
  • Ed Felton!??!

    This is going to be interesting!

    Talk about climate change...
    Bob.Kerns
  • RE: 5 outrageous hacks perpetrated by the FTC's new Chief Technologist

    Personally, I think he'd be the right person for that job. The guy didn't do anything against the law, but helped to point out flaws and keep others safe. These "hacks" aren't outrageous as such, unless you're looking from the point of view of the companies he stood against. But from the consumer point of view, we should laud this guy, not raise the eyebrow at him for "outrageous hacks"
    mungujakisa
    • RE: 5 outrageous hacks perpetrated by the FTC's new Chief Technologist

      @mungujakisa Well they were outrageous because he exposed the critical flaws in critical systems. That is pretty outrageous.
      Jimster480
  • RE: 5 outrageous hacks perpetrated by the FTC's new Chief Technologist

    The correct spelling of the original name of the electronic voting machine manufacturer mentioned in the story is Diebold, not Deibold. It's just as easy to get this stuff right in the era of Google as not.
    loupgarous
  • RE: 5 outrageous hacks perpetrated by the FTC's new Chief Technologist

    @mungujakisa: "hack" is a morally neutral term, or at least it was in its original meaning. It doesn't automatically connote illegal activity, except in the minds of those whose memories don't go back farther than twenty years or so.
    loupgarous
  • How much can the chief technologist achieve?

    The article is excellent except for one thing. It really never breaks down the job description of the Chief Technologist, so it makes the rest of the article interesting side notes.

    As to the hacks themselves a basic question always needs to be asked. What share of the credit goes personally to Professor Felten and what rightly belongs to his graduate students individually and collectively? My oldest son has a Ph.D. in (bio)Physics and is doing work now as a Post Doc. My son loves experimental work, but is not excited about the future possibility of becoming a University Professor because in his experience as a graduate student in his field, most of a professor's time is spent applying for grants to support the professor's graduate students and doing administrative duties, which negatively impacts their ability to do research. I have no idea if that is true for professors in computer science or not, but it is something to consider.

    If the Chief Technologist is to primarily be an advisor to the Commission in establishing new ISP rules, etc. then Professor Felten seems ideally suited to the job, but if the role is to mature the FCC's own internal technology, I agree with those who say a year isn't long enough. Government moves in budget years, not days, weeks or months.
    SeniorMoment
  • RE: 5 outrageous hacks perpetrated by the FTC's new Chief Technologist

    I would have called it outrageous had they named someone like Kevin Mitnick to this post.

    The guy that they are giving the nice new office to actually deserves to be there and theres nothing outrageous about it.
    Relorian@...
  • I think you're just trying to get me riled up!

    Perpetrate: 1: to bring about or carry out (as a crime or deception) : commit
    2 : to produce, perform, or execute (something likened to a crime)
    Hack #1. IE. OK on that one. I'm not a fan of MS, but they got shafted in that deal. Not a crime, though.
    Hack #2. Ed Felten did not create the Sony rootkit. Sony did.
    Hack #3. First, it's spelled Diebold. Second, isn't it a GOOD thing that he exposed a system that could, potentially, be used to commit election fraud? Could there be some ulterior motive for your effort to vilify this man in a public forum?
    Hack #4. Another voting machine, which was examined at the request of New Jersey election officials. Hardly outrageous. And also not a crime.
    Hack #5. Wow, it appears more and more as if this guy is actually qualified to provide advice on technology policy issues.
    So why, exactly, do you hate him?
    danindenver
  • Washington needs people who know what they are doing

    That's the problem. Politicians don't know squat about how things work, much less how they interact with other things. All a politician knows is how to influence people, and accumulate wealth and power.
    Dr_Zinj