This Website Has Solved Cybersecurity (vice.com) 47
A new parody website generates random excuses to explain why companies got hacked and apologizes to their users. From a report: Big companies that hold our personal data get hacked almost every day, but most don't really know how to deal with getting hacked, especially when it comes to telling users what happened. If you've read some data breach disclosures or notices, you know the classic "we take your privacy and security seriously" -- truly the "thoughts and prayers" of cybersecurity. No matter how bad the hack is, companies always have an excuse. Luckily, there's now a website that automatically generates more original, and entertaining, apologies you can use if your company gets hacked. It's called "Why the fuck was I breached?" and its excuse generating algorithm spills out truly hilarious excuses.
Here are a few examples:
"The fucking hacking people used Heartbleed to hack the coffee maker. But we have since worked with industry leading specialists, so it will never happen again."
"The fucking Fancy Bears used a vulnerability in Windows XP SP1 to hack the coffee maker. But we have since worked with industry leading specialists, so it will never happen again."
"The fucking Iranians used the open door in our basement to transfer 7 petabytes of data. But we have since upskilled our cafeteria staff, so it will never happen again."
"The fucking teenage hacking prodigies used nefarious techniques to partially disrupt our services. But we have since watched a YouTube video on cyber security, so it will never happen again."
"The fucking cyber terrorists used IoT malware to extract some private keys. But we have since worked with law enforcement, so it will never happen again."
Here are a few examples:
"The fucking hacking people used Heartbleed to hack the coffee maker. But we have since worked with industry leading specialists, so it will never happen again."
"The fucking Fancy Bears used a vulnerability in Windows XP SP1 to hack the coffee maker. But we have since worked with industry leading specialists, so it will never happen again."
"The fucking Iranians used the open door in our basement to transfer 7 petabytes of data. But we have since upskilled our cafeteria staff, so it will never happen again."
"The fucking teenage hacking prodigies used nefarious techniques to partially disrupt our services. But we have since watched a YouTube video on cyber security, so it will never happen again."
"The fucking cyber terrorists used IoT malware to extract some private keys. But we have since worked with law enforcement, so it will never happen again."
Why the fuck.... (Score:4, Insightful)
...didn't they stick the words "take seriously" in there?
Re: (Score:2)
This is Slashdot, so I know it's a bit gauche to actually RTFA, but:
If you’ve read some data breach disclosures or notices, you know the classic “we take your privacy and security seriously”—truly the “thoughts and prayers” of cybersecurity.
Re: (Score:2)
I'm talking about in the generated excuse.
Re: (Score:2)
Too obvious?
Re: (Score:3)
If they took our privacy seriously they wouldn't be harvesting every scrap of personal information they possibly can after peopl click "I believe you!".
.
Re: (Score:2)
Re:Why the fuck.... (Score:4, Insightful)
If they took our privacy seriously they wouldn't be harvesting every scrap of personal information they possibly can after people click "I believe you!".
What they mean is, "We take your privacy -- seriously."
Re: Why the fuck.... (Score:2)
ðY£ :)
Re: (Score:3)
The Star Trek Script Generator I had on my Commodore PET in the 1970's was a lot funnier... just sayin'.
Re: (Score:2)
Re: (Score:2)
Daddy, what's a carrier?
(Burn, karma, burn....)
Re: (Score:2)
I think "Meh..." is overrating the examples. I didn't think it was possible to do worse than "Our thots and prairs are with you", but them managed.
Who hasn't been hacked? (Score:3)
At this point we should start looking at major companies that haven't been hacked and ask them what they're doing right/different. My current assumption is that it's just a difficult problem. Probably a lot of angry privacy obsessed Slashdotters work at companies who have been hacked, and we all know Slashdotters are the world's best, smartest so what's the deal?
Are there a small handful of companies that have sensitive data that get frequent hacking attempts but which have never had a breach?
Re: (Score:3, Interesting)
At this point we should start looking at major companies that haven't been hacked and ask them what they're doing right/different. My current assumption is that it's just a difficult problem.
More likely there are only 2 types of companies. Companies that have been hacked, and companies that either don't know they've been hacked or have been able to keep it quiet.
So if anything, people will want to talk to them to find out how they've managed to keep the hack quiet.
Re: (Score:2)
So that would really be 11 types of companies then.
Re:Who hasn't been hacked? (Score:5, Insightful)
Military officers gathered and studied bullet holes in the aircraft that returned from missions. One early thought was that the planes should have more armor where they had been hit the most — fuselage, fuel system, the rest of the plane — but not on the engines, which had the smallest number of bullet holes per square foot.
Abraham Wald, a leading mathematician, disagreed. Working with the Statistics Research Group in Manhattan, he asked an odd question: Where were the missing bullet holes — the ones that would be all over the engine if bullets were equally distributed?
They were on the missing planes, the ones that had been shot down. So the vulnerable place wasn’t where all the bullet holes were on the returning planes. It was where the bullet holes were on the planes that didn’t return.
Top 2: Default passwords and missing updates (Score:3)
> At this point we should start looking at major companies that haven't been hacked and ask them what they're doing right/different.
That's a good idea. That gives me an idea for a presentation. Too bad tonight is presentation night - I'll have to wait until next month. :)
Tonight I can ask my red team friends what causes them the most problems (the best protections).
From 20 years in the field I can tell you the top two things very easily.
Most breaches involve either default passwords not getting changed
Re: (Score:2)
I think I know two elements of that solution. One is the security department needs to be separate from IT...
Oh dear... no...
Sometimes Security is going to require things that CIO doesn't like, because in the short run it doesn't make IT's job easier.
But that... no...
(But done right, robust systems mean a lot less putting out fired, which allows IT to focus on cool new stuff, rather then spending their time dealing with problems).
Ok, yeah...
Along with a CISO, the security team needs to be able to not only provide advice, but set compulsory policy, in collaboration with other departments.
Dammit, no!
I agree with most of your analysis, but your solutions are unfortunately doomed to failure, in my experience. When security is a separate department, it's often seen as a secretive group of ivory-tower dictators, pushing policy based on their own whims and timetables, without concern for the rest of the enterprise. Sure, they supposedly talk to other departments, but they really only talk to other managers, who never really know what's going on. There's
Great disagreement, thanks! (Score:2)
You totally disagree with most everything I said - :)
in a respectful, thought-provoking manner. That's awesome! I wish we had more of that on Slashdot, and in the world generally.
> it's often seen as a secretive group of ivory-tower dictators, pushing policy based on their own whims and timetables, without concern for the rest of the enterprise. Sure, they supposedly talk to other departments, but they really only talk to other managers
That's certainly a good point, and I think your main point, or your
Respectfully, disagree (Score:2)
Security (the CISO) should not report to the CIO.
The CISO should report to either the CEO, or the CRO (Chief Risk Officer)
Both IT and Security are cost centers, but they serve entirely different purposes. The purpose of IT is to enable the business. The purpose of Security is to reduce business risk. They will always, always be at odds - and if they both roll up to the CIO, there will also be budget contention in addition to contention about adopting IT for the business, vs. managing risks around it.
Securit
Re:Who hasn't been hacked? (Score:4, Interesting)
That's simple. The companies that aren't getting hacked are doing security right. The problem is that doing security right is hard.
It's not going to get any easier by taking another company's solution and bolting it onto your company. In fact, that is actually worse than doing nothing, because now you have a false sense of security thinking that everything's just fine, so there's less motivation to improve things. If your company has to solve its own problems, there's a better chance of finding other problems along the way.
In broad strokes, the steps are straightforward. Identify your threat model, secure things that are easy (in order of highest impact to the threats), and change your processes to make the hard things easy. That's just basic security practice, not really corporate... but it's the only advice that works for everyone.
Re: (Score:2)
Probably off t
Re: (Score:1)
They dont look, ergo they arent breached.
Re: (Score:2)
At this point we should start looking at major companies that haven't been hacked and ask them what they're doing right/different
For half of the companies, it would be sheer luck that they have not been hacked yet. But ask them why, and they would award it to the CIOs lucky underwear and sell seminars about it to companies that had probably better security but were unlucky enough to be targeted for an actual hack.
It's like the self help shelf in a bookstore. 1000 guys use 1000 random methods of selecting stocks to invest in. 990 go broke and 10 will write books trying to sell you their variety of throwing darts at the Wallstreet Jour
The fucking answers (Score:2)
Nope. (Score:2)
Meanwhile, I didn't realize that THIS existed: Link [bofhcalendar.com] - "To add the BOFH Excuse Calendar to your Google Calendar"
I'd laugh if (Score:1)
Re: (Score:2)
That site got hacked just because someone wanted to be funny. The irony definitely wouldn't be lost, but the comedy behind all seriousness aside would be comical.
Well, since they aren't using TLS, does it count if you man-in-the-middle site visitors?
Re: (Score:2)
subtitles. Those responsible for hacking
the people who have just been hacked,
have been hacked.
Hmmm (Score:2)
How about a bit of reality... (Score:2)
We are more interested in paying massive bonuses to our executives rather than investing in security so get stuffed and get ready for the next breach.
Re: (Score:2)
What are you, 12? (Score:2)
It's funny 'cause they swear a lot!
Victim Blaming (Score:2)
This kind of mocking attitude toward victims of hacks, ransomware, etc. really pisses me off. It is virtually impossible for system administrators to stay on top of every possible vulnerability, and it only takes one unmitigated vulnerability to fall prey. There are zero-day exploits, and state-sponsored attack tools. It's only a matter of time before the next Heartbleed, EternalBlue, or whatever. The latest anti-virus software, firewall, or monthly roll-up patch will not suffice against a skilled and deter
Re: (Score:2)
There is an alternative.
The "victim" could not store my personal information in the first place.
If I claimed to be a bank and advertised that I would protect your money, you'd have every right to be upset if I let it get stolen. If I buy a $10 item from your store, and you chose to keep my credit card information on file, it is up to you to protect it in the exact same way. This is not victim blaming. This is holding the guilty accountable.
Watch your mouth (Score:1)
Re: (Score:1)
Welp, I guess you fucking failed to pay attention, because there is no such thing as profanity. To say a word is good or bad is anthropomorphizing a fucking descriptive term, which is rather fucking hilarious to anyone that actually passed the shit we have which passes for basic fucking high school English classes.
People who think words are profane are fucking retards.
Re: (Score:1)
Also, (Score:2)
"The fucking teenage hacking prodigies used nefarious techniques to partially disrupt our services. But we have since watched a YouTube video on cyber security, so it will never happen again. Also, Jeffrey Epstein did not commit suicide."
thanks! (Score:2)
Equifax (Score:1)
Who is this 'Equifax' and why are they so bad at security?
I mean, sometimes it comes close? (Score:2)
no, no, no, not those words (Score:2)
20 years ago I worked in a computer outsourcing company and those were the most dreaded words uttered by our sales people or upper management; "It will never happen again." Because we support staff knew that there were multiple ways for any particular failure to happen and despite whatever was done to solve the last problem, It Would Happen Again, likely from a different angle.
Never believe it when someone says, "It will never happen again."
automation! (Score:2)
automation once again puts a lot of middle class employees out of a job.
now that these excuses are automatically generated, what other job can these people do?