Security IT

This Website Has Solved Cybersecurity (vice.com) 47

A new parody website generates random excuses to explain why companies got hacked and apologizes to their users. From a report: Big companies that hold our personal data get hacked almost every day, but most don't really know how to deal with getting hacked, especially when it comes to telling users what happened. If you've read some data breach disclosures or notices, you know the classic "we take your privacy and security seriously" -- truly the "thoughts and prayers" of cybersecurity. No matter how bad the hack is, companies always have an excuse. Luckily, there's now a website that automatically generates more original, and entertaining, apologies you can use if your company gets hacked. It's called "Why the fuck was I breached?" and its excuse generating algorithm spills out truly hilarious excuses.

Here are a few examples:
"The fucking hacking people used Heartbleed to hack the coffee maker. But we have since worked with industry leading specialists, so it will never happen again."
"The fucking Fancy Bears used a vulnerability in Windows XP SP1 to hack the coffee maker. But we have since worked with industry leading specialists, so it will never happen again."
"The fucking Iranians used the open door in our basement to transfer 7 petabytes of data. But we have since upskilled our cafeteria staff, so it will never happen again."
"The fucking teenage hacking prodigies used nefarious techniques to partially disrupt our services. But we have since watched a YouTube video on cyber security, so it will never happen again."
"The fucking cyber terrorists used IoT malware to extract some private keys. But we have since worked with law enforcement, so it will never happen again."

  • Why the fuck.... (Score:4, Insightful)

    by Rick Zeman ( 15628 ) on Wednesday November 06, 2019 @12:31PM (#59387564)

    ...didn't they stick the words "take seriously" in there?

  • by RightSaidFred99 ( 874576 ) on Wednesday November 06, 2019 @12:47PM (#59387638)

    At this point we should start looking at major companies that haven't been hacked and ask them what they're doing right/different. My current assumption is that it's just a difficult problem. Probably a lot of angry privacy obsessed Slashdotters work at companies who have been hacked, and we all know Slashdotters are the world's best, smartest so what's the deal?

    Are there a small handful of companies that have sensitive data that get frequent hacking attempts but which have never had a breach?

    • Re: (Score:3, Interesting)

      by Nidi62 ( 1525137 )

      > At this point we should start looking at major companies that haven't been hacked and ask them what they're doing right/different. My current assumption is that it's just a difficult problem.

      More likely there are only 2 types of companies. Companies that have been hacked, and companies that either don't know they've been hacked or have been able to keep it quiet.

      So if anything, people will want to talk to them to find out how they've managed to keep the hack quiet.

    • by bugs2squash ( 1132591 ) on Wednesday November 06, 2019 @01:01PM (#59387708)
      per The Dallas Morning News [dallasnews.com]

      Military officers gathered and studied bullet holes in the aircraft that returned from missions. One early thought was that the planes should have more armor where they had been hit the most — fuselage, fuel system, the rest of the plane — but not on the engines, which had the smallest number of bullet holes per square foot.

      Abraham Wald, a leading mathematician, disagreed. Working with the Statistics Research Group in Manhattan, he asked an odd question: Where were the missing bullet holes — the ones that would be all over the engine if bullets were equally distributed?

      They were on the missing planes, the ones that had been shot down. So the vulnerable place wasn’t where all the bullet holes were on the returning planes. It was where the bullet holes were on the planes that didn’t return.

    • > At this point we should start looking at major companies that haven't been hacked and ask them what they're doing right/different.

      That's a good idea. That gives me an idea for a presentation. Too bad tonight is presentation night - I'll have to wait until next month. :)
      Tonight I can ask my red team friends what causes them the most problems (the best protections).

      From 20 years in the field I can tell you the top two things very easily.

      Most breaches involve either default passwords not getting changed

      • > I think I know two elements of that solution. One is the security department needs to be separate from IT...

        Oh dear... no...

        > Sometimes Security is going to require things that CIO doesn't like, because in the short run it doesn't make IT's job easier.

        But that... no...

        > (But done right, robust systems mean a lot less putting out fires, which allows IT to focus on cool new stuff, rather than spending their time dealing with problems).

        Ok, yeah...

        > Along with a CISO, the security team needs to be able to not only provide advice, but set compulsory policy, in collaboration with other departments.

        Dammit, no!

        I agree with most of your analysis, but your solutions are unfortunately doomed to failure, in my experience. When security is a separate department, it's often seen as a secretive group of ivory-tower dictators, pushing policy based on their own whims and timetables, without concern for the rest of the enterprise. Sure, they supposedly talk to other departments, but they really only talk to other managers, who never really know what's going on. There's

        • You totally disagree with most everything I said -
          in a respectful, thought-provoking manner. That's awesome! I wish we had more of that on Slashdot, and in the world generally. :)

          > it's often seen as a secretive group of ivory-tower dictators, pushing policy based on their own whims and timetables, without concern for the rest of the enterprise. Sure, they supposedly talk to other departments, but they really only talk to other managers

          That's certainly a good point, and I think your main point, or your

        • Security (the CISO) should not report to the CIO.

          The CISO should report to either the CEO, or the CRO (Chief Risk Officer)

          Both IT and Security are cost centers, but they serve entirely different purposes. The purpose of IT is to enable the business. The purpose of Security is to reduce business risk. They will always, always be at odds - and if they both roll up to the CIO, there will also be budget contention in addition to contention about adopting IT for the business, vs. managing risks around it.

          Securit

    • by Sarten-X ( 1102295 ) on Wednesday November 06, 2019 @01:12PM (#59387742) Homepage

      That's simple. The companies that aren't getting hacked are doing security right. The problem is that doing security right is hard.

      It's not going to get any easier by taking another company's solution and bolting it onto your company. In fact, that is actually worse than doing nothing, because now you have a false sense of security thinking that everything's just fine, so there's less motivation to improve things. If your company has to solve its own problems, there's a better chance of finding other problems along the way.

      In broad strokes, the steps are straightforward. Identify your threat model, secure things that are easy (in order of highest impact to the threats), and change your processes to make the hard things easy. That's just basic security practice, not really corporate... but it's the only advice that works for everyone.

    • by tlhIngan ( 30335 )

      > At this point we should start looking at major companies that haven't been hacked and ask them what they're doing right/different. My current assumption is that it's just a difficult problem. Probably a lot of angry privacy obsessed Slashdotters work at companies who have been hacked, and we all know Slashdotters are the world's best, smartest so what's the deal?

      > Are there a small handful of companies that have sensitive data that get frequent hacking attempts but which have never had a breach?

      Probably off t

    • They don't look, ergo they aren't breached.

    • > At this point we should start looking at major companies that haven't been hacked and ask them what they're doing right/different

      For half of the companies, it would be sheer luck that they have not been hacked yet. But ask them why, and they would award it to the CIO's lucky underwear and sell seminars about it to companies that had probably better security but were unlucky enough to be targeted for an actual hack.

      It's like the self help shelf in a bookstore. 1000 guys use 1000 random methods of selecting stocks to invest in. 990 go broke and 10 will write books trying to sell you their variety of throwing darts at the Wallstreet Jour

  • By the fucking generator
  • Nope, I don't see it, doesn't exist. [google.com]

    Meanwhile, I didn't realize that THIS existed: Link [bofhcalendar.com] - "To add the BOFH Excuse Calendar to your Google Calendar"
  • That site got hacked just because someone wanted to be funny. The irony definitely wouldn't be lost, but the comedy behind all seriousness aside would be comical.
    • > That site got hacked just because someone wanted to be funny. The irony definitely wouldn't be lost, but the comedy behind all seriousness aside would be comical.

      Well, since they aren't using TLS, does it count if you man-in-the-middle site visitors?

    • We apologise again for the fault in the
      subtitles. Those responsible for hacking
      the people who have just been hacked,
      have been hacked.
  • I have not seen anything in the news that has said that a metric shit ton of people died yet.
  • We are more interested in paying massive bonuses to our executives rather than investing in security so get stuffed and get ready for the next breach.

    • by Pascoea ( 968200 )
      Spot on. Here's a great idea for C-level penalties when breaches occur: Instead of pure monetary fines, start fining/confiscating execs' stock options. Put the stock value and any dividends/capital gains into the Social Security fund. 1) Hit the executives where it hurts the most. 2) Maybe I'll actually receive something from Social Security when I retire in 25 years.
  • It's funny 'cause they swear a lot!

  • This kind of mocking attitude toward victims of hacks, ransomware, etc. really pisses me off. It is virtually impossible for system administrators to stay on top of every possible vulnerability, and it only takes one unmitigated vulnerability to fall prey. There are zero-day exploits, and state-sponsored attack tools. It's only a matter of time before the next Heartbleed, EternalBlue, or whatever. The latest anti-virus software, firewall, or monthly roll-up patch will not suffice against a skilled and deter

    • by Shotgun ( 30919 )

      There is an alternative.
      The "victim" could not store my personal information in the first place.
      If I claimed to be a bank and advertised that I would protect your money, you'd have every right to be upset if I let it get stolen. If I buy a $10 item from your store, and you chose to keep my credit card information on file, it is up to you to protect it in the exact same way. This is not victim blaming. This is holding the guilty accountable.

  • Could've gone mainstream viral without the profanity. I love profanity when used correctly. I consider it the 'seasoning' that makes conversation more impactful, interesting, or entertaining. The constant f-bombs ruin the more subtle joke that these are real responses. You could insert f-bombs in real responses and then it'd be a joke response. Creating joke responses and also including joke profanity is like the belt and suspenders approach to mocking security leaks. I might be proven wrong but I can't ima
    • by Khyber ( 864651 )

      Welp, I guess you fucking failed to pay attention, because there is no such thing as profanity. To say a word is good or bad is anthropomorphizing a fucking descriptive term, which is rather fucking hilarious to anyone that actually passed the shit we have which passes for basic fucking high school English classes.

      People who think words are profane are fucking retards.

      • I get your point. To be more correct maybe I should've used 'words not usable in mainstream publications' instead of 'profanity'. It wouldn't have flowed as nicely but it would've been more correct.
  • "The fucking teenage hacking prodigies used nefarious techniques to partially disrupt our services. But we have since watched a YouTube video on cyber security, so it will never happen again. Also, Jeffrey Epstein did not commit suicide."

  • But I stopped laughing after the hacking penetrations exceeded 1 billion in North America, and also stopped counting . . .
  • Who is this 'Equifax' and why are they so bad at security?

  • "The fucking security community used digital nukes to potentially access some customer data. But we have since hired external consultants, so it will never happen again."
  • 20 years ago I worked in a computer outsourcing company and those were the most dreaded words uttered by our sales people or upper management; "It will never happen again." Because we support staff knew that there were multiple ways for any particular failure to happen and despite whatever was done to solve the last problem, It Would Happen Again, likely from a different angle.

    Never believe it when someone says, "It will never happen again."

  • automation once again puts a lot of middle class employees out of a job.
    now that these excuses are automatically generated, what other job can these people do?
