The Lesson of Recent Hacktivism 159
itwbennett writes "LulzSec says they're retired, which may or may not be true. But one thing the world has learned from their 'frightening yet funny escapades is that 'the state of online security stinks,' writes blogger Tom Henderson. LulzSec (and Anonymous) have 'demonstrated that an awful lot of people are either asleep at the switch or believed in arcane security methods like security through obscurity.'"
A related story at the Guardian suggests that governmental attempts to control the internet are spurring these activities.
Yikes. Coffee. Smell. Up. Getting. (Score:5, Insightful)
They believed that money spent on security products == we are secure. They were not asleep. They did not believe in security through obscurity. They trusted the industry. They gave it money in return for products that were supposed to protect them. They lived in ignorant bliss. Unfortunately, the security industry (and the rhetoric they proclaim) is all about the end goal of the industry making money. Companies are lured into a false sense of security based on what they are being told, and what they spend money on - and it seems totally reasonable from their perspective. Unfortunately, the public (and the victim companies) are not aware of one tenth of one percent of what is actually going on. Any company that has anything worth significant financial value is either compromised or is a target with a big bulls eye on their gold stash - guaranteed.
Re: (Score:1, Interesting)
The problem is the opposite. Actual security is ridiculously expensive and there is not a willingness to put up with that level of expense, especially not since any security you have, no matter how well done, can still be breached by someone who is sufficiently determined. So when few are willing to pay for actual security, and put up with the inconvenience required by actual security, you get products that try to patch things up a little bit for a much reduced cost. The much reduced cost may still be signi
Re:Yikes. Coffee. Smell. Up. Getting. (Score:4, Insightful)
Actual security is ridiculously expensive and there is not a willingness to put up with that level of expense
The cost of risk prevention: if the cost if risk mitigation is lower (no matter if people are burnt [wikipedia.org]) there you have it.
Far easier to them to externalize the cost and lobby for DCMA and anti-hacking laws - it's the populace that pays for the jail time.
Re: (Score:2)
The DMCA is irrelevant here, and bringing up "anti-hacking laws" doesn't make any sense. Do you think anything that LulzSec was doing should actually be legal?
Further, there are already anti-hacking laws. They don't really seem to prevent hacking. Apparently your idea of lobbying for anti-hacking laws to save money on security isn't really effective. I'd be surprised if any organization thought that was a viable alternative to actually having network security.
Re: (Score:2)
Actual security is ridiculously expensive
If you don't take those costs into account when drawing up your business plan and prefer the "let's cross our fingers and hope it doesn't happen" security method, perhaps you deserve to fail. Also, actual security is not _that_ expensive, you just need to hire the right people, or design the software properly from the start if you are going to code it yourself.
Somehow I'm reminded of a paragraph somewhere in the instruction manual to the game "Pirates!" - the original version in the late 80's, not the rem
Re:Yikes. Coffee. Smell. Up. Getting. (Score:4, Insightful)
One solution might consist of better user training coupled with better security design (protect truly secret data but don't worry about disclosure of information freely obtainable by outsiders via mechanisms like FOIA, stockholder inquiry, etc.)
It's a challenge, regardless of what you have to protect--or how you choose to protect it.
Re:Yikes. Coffee. Smell. Up. Getting. (Score:5, Interesting)
They believed that money spent on security products == we are secure. They were not asleep..
Except that, according to the reports, Sony had servers for development which were fully protected with firewalls etc. and which were not hacked / hackable (by LulzSec) and other servers for customer data where they hadn't made any investment. So they hadn't spent that money. You may be right they weren't asleep. Someone made a conscious choice that customer data is not important, but it's not that they had made any of the investment they should have done.
Re:Yikes. Coffee. Smell. Up. Getting. (Score:4, Interesting)
We could come up with many scenarios, the only ones that know what happened internally are not going to speak out about it willingly.
One thing is for sure, what I have seen in the small business world is a mirror to big business. It IS ignorance at some level in the corporate model.
Ironically, this same model helps bring down corporations and small businesses alike. All it takes is one bad stone at the right point in the pyramid to make it all come crumbling down.
Re: (Score:2)
It could be. The development department manager probably will be more willing to order a firewall then finance department manager.
Re: (Score:2)
Could be the age old "skimp on safety because one lawsuit in x years is less expensive then the added costs for the same period"...
Re: (Score:2)
Re:Yikes. Coffee. Smell. Up. Getting. (Score:5, Insightful)
If you're a web developer, let it be a lesson to you: download some basic hacking tools and try them out on your own website. You'll definitely learn something.
Re: (Score:2)
Many companies are leaving wide open, simple holes, like failing to escape their SQL, or parse out javascript
This is less the result of a conscious decision on their part to trade off security and more often the consequence of hiring out any IT or development work to the cheapest possible bidder. Companies, like people, must sometimes learn the hard way that one gets what one pays for. For what it's worth, I've noticed that offshore outsourcing shops are especially negligent when it comes to SQL injection, script entered into forms, careless query string handling and many other common attacks. It's too bad that Lu
Re:Yikes. Coffee. Smell. Up. Getting. (Score:5, Insightful)
I hate it when this excuse is used. And it's used often in business in many areas, not just security. It's the junior manager's way out - the way to duck and hide behind someone else. But while it's true a contractor, agency, or someone else will never do as good a job as you would if you did it yourself - at the end of the day it's the responsibility of the guy who approved and signed the cheque. If you don't even take the time to review the work you contracted, if you don't even bother to keep ONE person around who has any notion of how the work should be done and get him/her to go over it and approve it before it's accepted, then my friend, you deserve the good anal fucking that you are about to get.
Re: (Score:2)
At the very least you need a good legal department to put a damages clause into contracts. Then if you offshore and they've got a lousy security set up that causes you to lose money or business you can recover damages. The company shouldn't be left holding the ball if the contractor screws up.
Re: (Score:2)
Then if you offshore and they've got a lousy security set up that causes you to lose money or business you can recover damages.
Right. Done a lot of offshore dealings, have we? I recommend you investigate just how easy it is to enforce contracts, much less damage clauses in contracts, in other countries. Offshore = foreign courts which tend to perceive the "poor oppressed small local firm" as a victim of the large global company. These courts have a hard enough time putting murderers in prison. Even with a favorable verdict, you are never going to see your money again. Better to spend the time makings sure you have someone to go
Re:Yikes. Coffee. Smell. Up. Getting. (Score:4, Informative)
So why would you put less trust in an new hire employee then a contractor. It isn't the contractor fault or choosing a contractor sometimes they can offer really good quality work for less cost then hiring (no matter what the Union propaganda tells you) The problem falls back into management. If you hire a contractor to do the work and especially if you have never worked with them before you really cannot fully trust his code. You will need to audit it, and check it. Just because they do it for a living it doesn't mean they are any good at it? If the company doesn't care about security neither will the contractor. If the company cares about security so will the contractor.
For a lot of these outsourced companies they are tailored towards low cost. As that is what they wanted, if they wanted higher quality then it will cost them.
There is a ven diagram for this. You have Cheap, Fast, and Good you can only pick two.
Re:Yikes. Coffee. Smell. Up. Getting. (Score:5, Insightful)
They were not asleep. They did not believe in security through obscurity. They trusted the industry.
It has often been said, by Bruce Schneier [wikimedia.org] and others, that security is not a product that can be purchased, installed after the fact and forgotten, but rather an attitude and culture that must be cultivated and maintained. Knowledge and tools are important, but without the right attitudes and culture they will be of limited use. Remember that nobody cares more about your security than you do. If you don't care then nobody else will either, despite what they may tell you.
Re: (Score:2)
The trick is finding the right balance between that and every other concern involved in running a business.
Comment removed (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
This is a large part of why I keep to computers as a hobby. I do a lot of the things that the professionals do, on a smaller scale and on hardware that I own, but I don't have to deal with the headaches of folks that are trying to save some bucks and are certain to blame me when their cut rate equipment goes tits up.
Right now I couldn't hack it when it comes to hardware on that scale, but that comes largely from the decision not to waste my time or energy studying the things which are really enterprise only
Re: (Score:2)
Regarding Lulzsec (Score:5, Interesting)
LulzSec might have ended, but I can guarantee you the exact same stuff is happening underground, except this time you probably won't know all your information has been stolen. Other than exposing corrupt whitehats I don't really agree with their actions, but I'm not sure if the alternative of keeping it in the hands of underground blackhats and IRC scriptkiddies is any better (not that is wasn't going on during LulzSec as well, but still).
Regardless, the AntiSec movement seems to be picking up some steam, at least within Brazil (protests are planned for July 2nd), and the first AntiSec release has just been posted to Pirate Bay: http://thepiratebay.org/torrent/6502765 [thepiratebay.org] with more promised tomorrow.
Regardless of their "supposed" script kiddie status (they did break into a hacking contest website and turned down the 10k), I think it was smart for them to disband and take up a greater cause, and I guess time will tell if they are successful or just run out of water.
Re: (Score:1)
WTF? A group actually opposed to computer security, and they are picking up steam? What ... is the rationale behind this?
Re: (Score:2)
AntiSec is against the industry as it is now, not security. It's sort of like the people under communism who were antigovernment, they weren't antigovernment in general, they were anti that particular government.
Re: (Score:2)
Could you please quote someone else for a link like this?
"Arcane" (Score:2)
Arcane is not really the right word there. There's nothing "arcane" about security through obscurity. Perhaps they meant "archaic"?
Re: (Score:2)
You don't think that selling your sole to Satan requires arcane rituals?
Re: (Score:2)
Just a new pair a shoes.
Re: (Score:2, Informative)
A little vandalism goes a long way (Score:2)
Screw vandalism, especially on "soft targets" (Score:5, Interesting)
Here's the thing: information security, just like any other type of security or insurance, is completely relative.
My dinky little websites have adequate capacity to serve the few hundreds of people a day who visit them, but would not withstand a Slashdotting or DDoS. My house is secure enough to resist a burglar, but not secure enough to resist a Navy SEAL strike team. Does this mean I'm negligent? No, it means that I could spend thousands of dollars on additional infrastructure for security or capacity but I choose not to because it's highly unlikely I would need to.
That's why the example of LulzSec is pathethic and not instructional. There are lots of "soft targets" on the Internet (in terms of security or capacity) that you could take down pretty easily if you wanted to, just because those sites can't justify full-time security teams or massively extensible infrastructures. I'm not talking about high-profile sites like Sony or the CIA, but stuff like EVE login servers or some county in Arizona. A bunch of douchebag script kiddies taking down some MMO server doesn't necessarily mean that anyone was truly "negligent," it just means that they picked easy targets. And there is not, nor will ever be, a shortage of easy targets on the Internet if you're willing to aim at those.
Re: (Score:3)
Re: (Score:2)
For example, a quick google search turns up this page on apache security [petefreitag.com].
There isn't really much there that will significantly improve security, except the suggestions to keep Apache up-to-date and maybe installing mod_security. For instance, hiding the Apache version number might actually decrease security since now you might miss yourself you are out of date. It's not going to prevent any attack from happening.
Re:Screw vandalism, especially on "soft targets" (Score:4, Interesting)
I don't agree with your analogy, as physical and digital security are too different. Not many houses can stand a SEAL attack, yet it is perfectly possible to connect a computer to the Internet with zero vulnerabilities (think OpenBSD).
Secondly, after a few decades of research that is still ongoing, there are plenty of known practices that make it easy to quite thoroughly secure a server. These issues include (list from memory, mainly related to recent attacks where this was the exact vulnerability):
That's what I can think of, from the top of my hat. All of them are easy to implement - and when implemented will prevent most attacks from happening. Sure you won't be immune to zero-day attacks on your web server software, or other services. But it limits the attack vectors a lot already.
Not following such "best practice" standards I would call negligence.
Now I readily admit that my own server is also not configured perfectly, there is a bit of "security through obscurity" too of course. Yet I have a software-firewall blocking all but whitelisted ports, my SQL queries are sent to the database through a library that does the escaping and so for me, preventing SQL injection attacks automatically. No-one else has ssl access, so no way you can social engineer the password from me. Oh yeah and I don't need to store any personal details of visitors there, that also helps.
Most of these attacks appear to be SQL injection related. And that is easy to prevent: the MySQLdb module for Python is doing that for you already. That only leaves tests like type checking ("I expect an integer value - let's see if this string can be converted to integer"), and value checking ("this string should be no more than 20 characters", "this should be a positive integer, not larger than 100").
And indeed there will always be lots of soft targets - yet companies that take user's personal details must not be a soft target. High-profile web sites should also know that they will be a target of hackers (the higher the profile, the bigger the lulz for a successful attack after all), and as such have also no excuse to be a soft target. Yet it is several of those that have been proven to be pretty soft targets.
Re: (Score:2)
Not many houses are built as a small, mostly buried concrete cube with no doors or windows, which is basically what the building equivalent of OpenBSD is.
As soon as you make that OpenBSD system usable by adding functionality, the attack vectors start to open up dramatically.
Re: (Score:3)
I don't agree with your analogy, as physical and digital security are too different. Not many houses can stand a SEAL attack, yet it is perfectly possible to connect a computer to the Internet with zero vulnerabilities...
No such thing good sir. Open BSD may stop blaster or some windows virus attaching itself to your system but does zero against attacks on the software that actually make it usable. Rarely are online attacks directed at the operating system hosting the front end. SQL Injection attacks make a database accessible regardless of the system, Vulnerabilities [apache.org] in your HTTP server can give you access to the root of your system, a myriad of poorly coded PHP or other server side code could give access to a system.
If you
Re: (Score:2)
The difference with using an out-of-the-box secure system is that at least you know that only what you explicitly open, is open. Nothing else. And the next step is of course to make sure that you do not open anything any more than you intend to.
Re: (Score:2)
Ahhh so I suppose Win2k7 server is a perfectly secure system then. I mean out of the box it blocks all internet traffic except to the windows update site to get the current security fixes, and then queries you to setup your firewall and network.
Good to see we're on the same page now.
Re: (Score:2)
my SQL queries are sent to the database through a library that does the escaping
Just a question in passing, why do you need to send SQL text to the database in the first place? Why not use stored procedures? It seems simpler to me and also cleaner from an architecture perspective (i.e., separating database model from application logic). It also prevents any and all kind of attack against the database, making them impossible even if you for instance forget to escape your strings somewhere.
Re: (Score:2)
Well six, seven years ago when I built it up, stored procedures didn't exist in MySQL. I believe it's possible now but not sure whether Debian stable has that version included. That's already a major reason.
Secondly most queries are done through a library call, not by sending the actual SQL command. Like db.query(db, fields, where, options, ...). There is nothing more fancy in it than reading information, no calculations or whatever - simply not needed. Really the most basic use of a db.
Re: (Score:2)
which has the advantage that you ever have only one SQL text in database memory, instead of having the database parse, compile and execute a gazillion different versions.
Re: (Score:2)
not storing passwords as plaintext but as (salted) hash - a preventative measure for in case you do get hacked
This. How anyone is still writing code that does this baffles me beyond all belief. I despair every time I click on a "forgot my password" link and get an email with a copy of my plain-text password...
Re: (Score:3)
I claim that a good part of that is a myth.
Securing your house the same as a bank vault is unreasonable, because the physical changes required are massive, and costly, and require infrastructure.
Removing telnet and moving to SSH is not even in the same category.
Many of the "soft targets" are not soft because someone decided that a lock and a deadbolt are enough for their threat scenario, and the windows don't need to be reinforced - they are soft because nobody thought about threat scenarios at all.
Also, be
Re: (Score:1)
Re: (Score:2)
I'm guessing that they spent more time deciding who was the best source of lulz than who was the easiest target. There's just way too many sites that are basically completely unsecured.
not everything is relative (Score:3)
DDoSing is very hard to counter and small sites can be DDoSed by legitimate requests as well (see Slashdotted). Also, you don't leak sensitive data while being down. However SQL injection is just fucking pathetic. There's no excuse for that. That's developer negligence. I'm not excusing LulzSec for it, they comitted a crime etc., but it's like leaving your frontdoor open, being robbed, and then lamenting about "what the world has come to".
Also shared PHP hosting sites are vulnerable to other malicious user,
Re: (Score:3)
Re: (Score:3, Funny)
Anti-negligence laws? I'd rather guess we'll be seeing some anti-hacker laws.
Why legislate corporations when you can legislate people?
Re: (Score:2)
Re: (Score:2)
The text of the law can easily be summed up: All your computers are belong to us.
Hacktivism? Teenage scum! (Score:1, Flamebait)
A related story at the Guardian suggests that governmental attempts to control the internet are spurring these activities.
These hackers are to the internet as street thugs are to a dark alley! Catch 'em and Guantanamize 'em!
These are acts of activism based on a desire for a better and free society, you say?
Oh please! Next you'll be telling me that many of these hacking act thingies require education, intellect, and creativity beyond that of an average person...
It's not even possible! (Score:1)
Given that these "rogues" or "hackers" are well skilled with network technology, what do these governments think they can do if the are capable of setting up their own internet? They know how to make the hardware; they know how to make the software; they know how to send communications over different spectrums. The governments would have to have complete control and ability to scramble communications over all possible channels. And even then, a new communication channel can be found and used to transfer ele
Re: (Score:2)
2. Track signal.
3. Send in police.
4. Pound-me-in-the-ass-prison for unlicenced use of a radio transmitter.
5. Publicise, to scare off any others who might try it.
Re: (Score:2)
Except that you'll never find a radio receiver without doing door to door searches, and the government for the last decade or so has been more concerned with keeping secrets.
Re: (Score:2)
IT knows, they just can't keep up (Score:3)
I don't think people are asleep at the switch, at all.
I also don't think they are relying on security through obscurity.
In large companies I have worked for, there are a lot of very competent people that care a lot about security. But the thing is, security is a minor consideration to spend time and money on compared to making working systems.
Obviously it would be better if that would change, but I don't think honestly it can until someone has had the lesson REALLY driven home to them by a major security issue.
I would bet that within five years Sony security is actually pretty good. It is a good wake-up call to the industry, but remember that generally the alarm clock is only really heard by the owner of the house it rings in...
Re: (Score:2)
That's part of what I'm talking about though. You could probably build some of those expensive systems, but you don't have the time... and the business side will not authorize the money to buy instead of build.
But I'll bet right now the coffers are open in terms of buying a LOT more online security products at Sony. They got hit, hard, and so now they will be willing to forgo a higher percentage of profits to protect things because they have seen the dark end of the tunnel and realized just how much loose
Simple reason: Nobody wants security (Score:5, Insightful)
Nobody wants security. Everyone wants compliance.
From an auditor's point of view, it's very easy to explain the reason why the security in most companies is at a level that's not even laughable. No company is interested in it. What they want is certificates, they want their ISO27k and their PCI-DSS, but not because they want them to know for themselves that they're secure, they want them to display to others that they are, so they can get contracts or are compliant with legal requirements to be allowed to do something.
Now, some might think security and compliance with security requirements is the same. Both mean that you "want" security. And that's the fallacy. Security is something you want yourself. You want security because you want to be secure. Security is in this case the primary interest and the focus by itself. Compliance is something that is forced onto you. You want security because someone else wants you to be secure. Security is in this case only the means to the goal, be it to conform with legal requirements to continue operations or be it to be allowed to process credit card payment.
Within the last decade or so, the number of companies where I actually had the idea that they wanted security for themselves, even if only as a side effect to the compliance requirements, was very, very low. Most want to get done with it, preferably fast and without hassle. If the compliance requirement is that your door is locked and barred but doesn't say anything about your windows, they won't even listen to you if you tell them they have no windows but just big holes in the wall. Their door is sealed, that suffices to be compliant. The windows? Not part of the compliance requirement, we don't care.
Re: (Score:2)
I'm with you on the compliance vs. security angle. Recently I've started working with people who want me to certify I comply with HIPAA guidelines for touching private health care data. The emphasis on paperwork over real security practices there is mind-boggling. I'm been put into an uncomfortable position because I can't morally agree to these policies unless I really mean it--which means I'm facing a huge security expense overhead added to my business--while my competitors do a shady job but mark all
Re: (Score:2)
Re:Simple reason: Nobody wants security (Score:5, Insightful)
Disclaimer: I've worked in compliance until recently, but my background is security.
The problem you outline is real, but you are missing a point: Compliance got traction because companies don't invest in security. The risk/reward just doesn't work out. A million credit cards lost? The PR to fix that is a lot cheaper than the security investment to prevent it. And the real damage isn't for you, it's for the credit card holders and their companies.
That's why compliance became so big, because too many people realized that unless you force them, companies won't do security. The same way that airbags in cars didn't become standard issue until some laws were passed. Human beings are horrible at risk management for everything that falls outside our daily experience.
The quality of your compliance managers determines if you're just following the book, or actually bringing an advantage to the company. I proud myself on IT management being happy they had me (I wasn't part of IT, to them I was an outsider from the finance department, the compliance hand of the CFO). You can do compliance in a way that IT doesn't hate and that gives you actual benefits.
Unfortunately, too few compliance managers are IT people, much less IT security experts. Which leads to them doing things "by the book". Or, as it's called in other contexts: Work-to-rule. As we all know, that's not work, that's sabotage.
Re: (Score:2)
I think maybe if some kind of financial liability was introduced, companies would take notice. Say, $50 for lost personal details (name, address), $100 per lost cc number, $5000 per lost SSN.
Smaller companies would have to use payment processor companies with better security. Larger companies and payment processors would have an incentive to not just follow best practices and minimum compliance, but actively conduct audits to reduce risk. Insurance companies would also insist on good security, in theory.
Of
Re: (Score:2)
I think maybe if some kind of financial liability was introduced, companies would take notice.
No, they wouldn't.
That's what I was saying about humans being horrible at risk assessment.
There's a reason we didn't make car manufacturers responsible for accident injuries, but instead forced them to build in airbags, no matter what their in-house crash statistics might have said.
We need regulation like that for IT as well. Make it a (very costly) offense to store passwords unencrypted, no matter if there's a breach or not. Stuff like that. Go through the best practice lists - there are a number of well-d
Re: (Score:2)
Airbags, to pick up on your car analogy (he did it, not me! :), have gained traction, though. Try, just try, to sell a car without airbags today. Security in cars has become a selling point. After decades of it being a minor, if any, point in car design, mind you, but it finally is a topic for car designers and a selling point for salesmen. "This is is a street cam filming someone driving our new model. As you can see, the driver fell asleep during the drive. Here you see him impact at 150mph. And here you
Re: (Score:2)
I guess it still needs a decade or two 'til people want the same in their computers, and done to their data in other people's computers.
My point exactly.
I think we need to force security on people. Once they have to do it, they will come around to appreciating the benefits of doing it right.
Because once the option "ignore it" is taken away, doing it right is often the next-best one, and a more effective use of budget than doing a half-assed job that may blow up in your face.
Re: (Score:2)
Re: (Score:2)
If someone complains about his OEM for failing a security audit, it's time to pack your stuff and go.
I don't expect a lot from my customers. I hold their hand from the moment they start wanting compliance, all through the process development and design phase up to the moment they get audited (of course, then by someone else, since I'm technically not their auditor but their counsel in such a scenario). But if he starts "Uh... that's our OEM/ISP/whoeverelse to blame", pack your stuff and go. You could, techn
Re: (Score:2)
I have one (ONE, a single ONE) customer who actually wanted security. And I always love going back to him, working for him is actually a lot of fun.
At first it didn't look too good. The CSO at first came across as paranoid in the worst tin-foil-hat way you could think of. Everyone's working against him, everyone's trying to bypass his security measures, everyone's just watching YouTube all day, they disable their Antivirus just to spite him and install cracked software (which the AV would disallow), you kno
Re: (Score:2)
How deep into the OSI would you like to squeeze security? I agree that stacking security on top of the whole process isn't really securing a lot, but the deeper the layer for security, the more has to change.
'Suggests'? (Score:1)
warm and fuzzy. (Score:1)
governmental attempts to control the internet (Score:2)
AntiSec == security through obscurity? (Score:2)
Wait what? Lulzsec showed that security though obscurity is bad? I thought the whole point to their "AntiSec" cause was to stop security companies publicly announcing vulnerabilities [wikipedia.org]. Isn't that the definition of security through obscurity?
Oh dear (Score:2)
Eh, this really ain't that hard. It is similar to how the Nazi's showed us how hate is bad.
This article ain't about the agenda of Lulzsec but on what the results of their actions have revealed about IT security.
Yes, antisec is idiotic, it is however not relevant.
The large number of successful hacks recently have shown IT security is in a bad state. The motivations for those hacks are not relevant nor even that a single group did it.
Re: (Score:2)
Graffiti reading "Antisec" began appearing in San Diego, California in June 2011 and was incorrectly associated with the original Antisec movement. According to CBS8, a local TV affiliate "People living in Mission Beach say the unusual graffiti first appeared last week on the boardwalk." They also reported "...it was quickly painted over, but the stenciled words were back Monday morning." It was later realized to be related to the new Anti-Sec movement started by LulzSec and Anonymous, some local news have seen and corrected this error.
Same name, different movement, apparently.
Guardian Article (Score:3)
I have to admit, I read that sentence in the summary and I scoffed. Then I read the article, and I still scoffed.
How about my interpretation of Loz Kaye's article: people who are deeply involved in some cause always find the reason "bad thing happened" to because of "bad thing that they don't like and have been working against". It reminded me a lot of Pat Robertson's claim that 9/11 happened because of the gays and feminists and abortionists. Uh huh. Sure it did.
Terminology (Score:1)
"Hacktivism." Ugh.
The problem as I see it. (Score:3)
The governments of the western world seem to have it in mind that criminalizing everything will protect them from some sort of boogeyman/men. Hackers, and in general people who steal whats "theirs". People who just want to share their free thought. What the people in power want is for you to second guess everything you say or do, and to live in fear of the consequences. They want to create a cyber police and regulate every aspect of our lives. For what? For profit. To maintain control. No other reason. We've seen thanks to the actions of Anonymous and wikileaks and others how deep the corruption is. We've seen first hand what happens when some group destroys an entire eco system (the gulf of mexico) compared to when someone attacks the state. Now all the cards are on the table. They want to shut it all down. They want three strikes laws. They want search and seizure laws. They want to do things without due process or warrents. They want to impose their twisted morality on the populace. They want to frame Anonymous/Wikileaks and the like and make them out to be pedophiles or terrorists or pirates or rapists. It's rather disgusting how obvious it is. And the most shocking thing of all is that they are actually SURPRISED by the retaliation they are receiving, as minimal as it is! The actions of what appear to be just a few people have terrified the companies who thought they had carte blanc to do as they pleased. However it hasn't pressed them to change their ways, but to hide behind a veneer of superiority and attempt to stop those selfish robin hoods of the internets.
Re: (Score:2)
The governments of the western world seem to have it in mind that criminalizing everything will protect them from some sort of boogeyman/men.
I think its more that its the easiest line to sell to the voters, at least that's what the politicians believe. Maybe if they had more respect for the intelligence of their citizens and less for Saturday night psychology the world might be a better place.
Wrong line of thought (Score:2)
Not asleep - in a rut (Score:3)
[disclosure: I do this for a living]
If you look over what happened over the last 5 years or so in security you'll see that nothing really new has happened. We get more sophisticated with defenses, stuff gets more expensive, but fundamentally it's deja vu all over again. 99% of what I come across suffers from a pure tactical focus - no long term thinking, no attempt at understanding the mindset of those seeking to cause harm or steal information, no strategy or root cause analysis of assaults.
The result is that defense has simply turned into an arms race. Immensely profitable for providers, no added value for the customer.
About 5 years ago we started to work on different approaches which normal risk assessment never touches. As a consequence of the insights gained we stamped out bank data theft for our clients without imposing new regimes or buying new equipment - all it took was a month worth of work. However, that requires people that can really think differently, whereas HR has moved towards cookie cutter tick box selections that seem to be aimed at filtering out exactly those people who can make a difference (the use of HR management seems to exacerbate this trend).
Security management has become predictable, and with predictability comes failure. The message is clear: start thinking differently - or lose the battle.
Re: (Score:2)
Sorry, the above is me - must have ticked "anon" out of habit :-)
Not everyone cares (Score:3)
When doing consultancy a lot of people told me flat out they didn't care about security. Quotes like "Anyone can walk in here during lunch and steal whatever they like; why would I (as the IT director) spend $$$ on computer security when management doesn't even care to lock the door." were very common. While the logic is obviously flawed it does illustrate that it simply wasn't a priority - which is not the same as living in ignorant bliss.
Security through Obscurity (Score:2)
Anyone who doesn't believe in Security through Obscurity should post their passwords and credit card numbers on /.
Obscurity is a useful component (Score:3)
So it is with obscurity. Provided it is not the ONLY security feature used, it has a place in reducing the visibility of a target - just as camoflage has been doing in the military for hundreds of years. It also adds to the overall difficulty of getting into a secure location (be that a website or building) and therefore has a deterrent effect: even if that's only to move the baddies along to try the next target on the list, rather than yourselves.
Where does that leave obscurity? Right where it needs to be: as a valuable tool in preventing and delaying security breaches. The key thing about it (as with all security features) is to know when it is no longer effective and then to either revamp it or replace it. However, it obviously is still effective for the vast majority of institutions and therefore should not be dismissed.
A windows and a brick (Score:2)
Re: (Score:3, Funny)
Its a site that allows celebrities & famous people to make twats of themselves by not speaking through agents, PR or lawyers.
Re:I disagree (Score:5, Informative)
Re:I disagree (Score:4, Insightful)
I swear to fucking god - look at how my posts are modded on this thread.
Don't bring up Bush and claim your post isn't flamebait. I mean, seriously, this is what you said:
"I actually blame the parents (the Bush-haters) for breeding such a bunch of twats as LulzSec. Please don't mark this down as flamebait"
Re: (Score:2)
Re: (Score:1)
Dealing with the kids now modding the slashdot scene is beyond formulaic.
don't mod me down, if you do you must be a kid.
Say shit you like = Yay!
don't mod me down, yay.
Try to get somebody to fucking read something, maybe listen for a damn change = incur the wrath of the hordes!
don't mod me down, my post shouldn't be modded down.
here's a tip: instead of coming to the baseless conclusion that this is a generational thing maybe ask why certain people feel that way, you'll get a better response than your branding of a generation as 'stupid' and 'pricks'. you get modded down your post has 'back in my day we were smarter and more considerate and your opinion is stupid' superiority complex overtones.
FWIW i didn't
Re: (Score:3)
CEO sociopaths? Well, maybe to a degree, but that isn't the underlying cause. Greed is rather the reason. Greed, but not (only) on the CEO's side.
The CEO is under pressure, like everyone else in the company: He has to perform, and he has to perform well. He has to generate revenue, and lots of it. Else he's being replaced by one who does.
The sociopath CEO now does it without remorse. The conscious CEO does it because he rationalizes that a lot of people have invested their money, probably all their life sav
Re: (Score:2)
You are, simply put, wrong. And on a number of levels and from a number of angles. Let me count:
1) It is, in fact, the "security guys" fault for not anticipating all the chaos that is possible in the world. That's their job. They are there to provide security, mitigate risks, and generally make people safe. And it is entirely due to their lack of diligence and their general incompetence. For the intrusions that I've gone over, LulSec
Re: (Score:2)
You're an idiot and should be fired.
You don't post company info on third party sites, end of story. Oh, and there's no such thing as too small for source control.
I have probably just been trolled.
Re: (Score:2)
Re: (Score:2)
the legally obscene - is already illegal
what are you talking about
Re: (Score:2)
he meant: what is defined in the "legal" world or in terms of law as obscene is already illegal.
this is different from saying "the obscene is illegal" as different people have different views of what is obscene.
That is what he meant, thought it was obvious, i guess not.
Re: (Score:2)
you should know that it is already illegal for a minor to be exposed to porn. This would only help us stay in the law better.
Of course this would also be a tremendous help to most businesses who need to avoid sexual harassment lawsuits.
So you need a bad law to protect you from other bad laws. Got it.