British Crackers Demand Millions in Inforansom
RuntimeError writes "The Times of UK report that a group of British Cr/Hackers have broken into the computer systems of at least 12 multinational companies, stolen confidential files, and are holding the companies to ransom." One of the companies is Visa, as in credit cards. I believe this has far more hysteria potential than the recent CDuniverse inforansom scandal. Expect the usual pundits to be all over this story within the next few days.
Hopefully all UK net users have already seen the following, but it's worth pointing out just the same:
Gasp in awe as you watch Jack Straw, Home Secretary of the UK (ie, important government chap), find himself liable for two years imprisonment (if this law was to pass) because someone sent him an encrypted message that he can't decrypt.
This law is really so incredibly fscked, and demonstrates a complete lack of understanding, on par with the 'net filtering legislation that's just come into effect in Australia (Oz /.'ers: what's happening down there?).
...j
(an Australian living in the UK)
All machines except for those in a DMZ should be denied all incoming packets by default. Opening up all ports on all hosts (as default) is just plain stupid--why even have a firewall?
--
If thumbprint scanners can be made small and inexpensive enough, it might be a viable idea.
Under my proposal, the thief needs the card and the passphrase. I do like your thumbprint idea as an additional measure since people seem to have a habit of picking stupid passwords.
With all of that, stolen credit cards would be completely useless. Add in digital cash (with similar security) and mugging becomes useless.
but scream that big brother is coming if they want a thumb print that is of little value other than for ID purposes.
Thumbprint is less secure against merchant fraud/crackers than smartcards. It is more or less fixed data. It is only as secure as the POS system (not very). With smartcards and electronic wallet, it doesn't matter how compromised the POS terminal is.
but it is very difficult to make a system extremely secure,
That is true, but many businesses don't even seem to try. The CDuniverse case is a perfect example, the card numbers were apparently stored as plaintext on the web server (NT running Microsoft-IIS/4.0).
To be fair, various encryption export laws don't help matters any. If strong encryption could be freely exported, it would be used in a lot more software. That would go a long way (but not all the way) to preventing these problems.
Ever seen "Demolition Man"? Personally I'd rather someone just stole my credit card.
Yes, good movie, and AGREED!
I read specs on a thumbprint scanner once that included infrared scan as well. It claimed to be able to detect duress as well as dismemberment/death and refuse access under those conditions. I doubt the commercial scanners are that good though.
Nice idea but I can't see that this is much better suited to the Internet than standard cards. It's not what this is designed to do, either - this is a digital replacement for hard currency.
Most people already shell out for a wallet to hold cash, DL, and credit cards. They don't have to cost all that much more. Since they'd be no smarter than a 4 function calculator which can be had for $1.99.
I am also aware that the Mondex system is for hard currency. What I propose is added functionality based on the same hardware. Since smart cards are smarter now than they were when Mondex was first proposed, I don't see any reason they can't serve both purposes.
For people who won't buy a wallet, they can use the keypad at the POS terminal and take their chances. They're still more secure than the current system.
A US group was randomly generating card numbers, and then tried to charge around $20 to the card via standard means. They didn't have any expiry data, but apparently, the one checker they used did NOT require this information. The result: the company got about $20 charged (one time only) to a number of accounts, and collected that cash for themselves. They are still in operation, as far as I can tell, and are rather 'small time' for both credit card companies (who tend to only chase after $100 or more PER CARD scams) and the US govt (who tends to need $100k or more to put down the smack). Yes, they're illegal, but considered small time by the 'authorities'. At least, if you are smart enough to watch your CC statement, you'll notice the odd $20 charge and can dispute it.
"Pinky, you've left the lens cap of your mind on again." - P&TB
"I can see my house from here!" - ST:
Enough whining for now...
Nick
-- "It's a sad day for American capitalism when a man can't fly a midget on a kite over Central Park" - Jim Moran
By "do not ask me to explain", I really meant that it was not anything to do with me and that I can see the stupidity of the situation. It arose from the sort of thing that I was writing about. The firewall was set up when the perceived threat of Java (and there are ways of using Java to get data out) was known and ActiveX was not yet common. Since its installation the only work that has been done is to install the software updates. No changes have been made to the configuration.
I think this type of security problem is common. Especially when consultants are used to install firewalls etc. Once the consultant has gone home and the budget is spent then the problem is forgotten. In our situation it is even more stupid as I work at a university and we have some great people working here but the computer services department is run by winders kiddies that do not understand the Sparcs (or anything much harder than installing Office) and therefore leave them to the consultants. Budget cuts mean that they can only offer 18,000 UKP for a sysadmin and therefore they can't get one.
I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
I hope that these companies will take responsibility for the flaws in their security and not, as most do, claim that it is all the fault of the evil cr/hackers. Visa should be so secure that no one could get in. Sensitive data should not be accessible from the outside.
What often happens is that a supposedly secure system is put in and the operators are so happy that they do not look at security again until, a few years down the road, someone breaches that security.
Security is a developing science. What was secure last year is transparent this year. I work behind 2 firewalls, yet because they are too restrictive we pierce holes through them so that we can use things like UDP. They were not designed to stop activeX but they do stop all Java (do not ask me to explain).
I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
If you want credit card numbers, go to the dumpster of any restaurant and start digging. Want good gold/platinum card numbers? Go to the good restaurants.
These stories are so damned stupid. People get all up in arms about giving their credit card numbers to online merchants yet they give them to complete strangers at restaurants, bars, and retail stores every day. I trust amazon.com more than I trust most of the restaurant workers around here to my credit card number.
This article is a typical tabloid boom. It starts with a "It has issued ransom demands of up to £10m and is also suspected of hiring out its services" and later talks about "Visa confirmed last week that it had received a ransom demand last month, believed to have been for £10m."
In general this thing looks much like a bad plot for another Hollywood blockbuster. There is only some lack of green color and antennas over the head of the baddies...
--
--
"Insert witty quote here."
I'd say it's pretty transparently a reaction to Y2K.
The "computers are going to destroy us" articles sell a fair amount of newspapers. That space was well-filled with Y2K articles over the last few months, but since that whole issue obviously went nowhere, the space needs to be filled with something else. IOW, we're back to the hacker/cracker stories, except we can expect to see the focus on "professional hacker groups" rather than kids in their bedrooms.
It wouldn't surprise me in the least if this were some part of a larger plan to get the backing of the less-computer savvy parts of British society for the proposed bill.
Unless they can swing popular opinion behind it, there is little chance that it will be passed. Why? Those who don't understand it or care about it will do nothing, while those of us that do understand it, and oppose it, will do everything we can to ensure that it never comes into force.
On the other hand, if there are enough high-profile, "your money is in danger, even your most personal details!" kind of stories, Jo Public is going to sit up and take notice, and call for the bill's introduction without ever knowing that there is anything bad about it. The majority will buy the party line that it is necessary for their protection, just like the cameras on our streets and public transport are. (Not that I'm totally opposed to them, but there are an awful lot of them these days...)
From the article:
"The group is using very sophisticated techniques and has been exchanging information via e-mail and internet chat," said an investigator.
Well, duh. I bet they've been using 'phones and even meeting face to face, too. Maybe I'm reading far too much into this, and letting my paranoia run away with me, but why was this comment even necessary? They've (allegedly) cracked the computer systems of 12 multinational companies, of course they were using sophisticated techniques!! (To say otherwise would be to imply that it was easy.) Being computer savvy, and net connected, of course they've been communicating via email and "internet chat".
If this isn't part of some conspiracy to get popular support for one of the most potentially dangerous bills that has ever come to my attention, then someone somewhere is probably unable to believe their luck that such a fine supporting story has been handed to them on a plate.
Cheers,
Tim
It's official. Most of you are morons.
_These_ crackers are thieves, but not all crackers are. If some group hacks Hotmail and replaces the main page with a message saying "Your security sucks. Hacked by F00fc8C7" then I say more power to them. When someone defaces a web page, it, like you said, forces the company to get their act together. It is a PR loss to the company, but having a secure site is much more important than that. Everyone wins.
It's time for companies to start securing their systems. First off, *really* important information should not be on computers hooked up to the internet. But, a lot of computers need to be on the net - so here we go.
First off, they all need a computer-staff, and their own "computer security officer". There should of course be password security - but more important - people should be educated about email attachments, trojan horses, and so forth.
Servers should be under constant surveillance. The admins should always know every single program, which version it is, and so forth. They should keep their eyes open, reading bugtraq and other sources every single day.
A firewall is also a very good idea, for these kind of companies. They do need to be configured correctly, and block out common "trojan-ports" (12345 (netbus), 31337 (bo), and so forth). This to ensure that no sloppy employee gets his computer backdoored -- and the rest of the net gets access to it. If anybody gains access on ANY of the hosts behind the firewall, the entire network is "compromised" (to a certain degree).
They should also have a fully switched network, or preferably, implement encrypted protocols for data transfers internally, so that even if ONE host got cracked, packetsniffing would do no good.
Oh well, the list goes on and on and on. The important thing is -- every big company should tighten up their security REALLY good. They should have their own staff looking after it.
Smalltime companies should do their very best too -- but they don't have that many computers to protect - and therefore don't need that big a staff.
--
"Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet
"Rune Kristian Viken" - http://www.nwo.no - arca
This is good in that hopefully companies will get serious about protecting their information systems.
No it's not. Companies should be serious about protecting their information systems because it's the right thing to do, not because some criminals (albeit clever ones) have made it necessary.
Analogy time! Would you be thankful for criminals who break into your house and steal valuable things? Even if they stole nothing, but merely left a note saying that they'd be back to steal your property later, if you don't pay them a big ransom? Hell no. You'd be angry, and rightly so. You might add better security, and that might be a Good Thing(tm) but it's still not good that some thugs threatened you or your property.
I've always thought that simple access to the card itself being protected is pretty unreasonable (ie if you have the number & expiration date, you have the keys to the store).
Isn't it time now in this day of ease of access to information to add something smarter to credit cards for security?
This so called "reporter" is a menace and a proven liar. If you would like to read more about his so called journalistic coups, take a look at the very very good British newsletter Need To Know.
http://www.ntk.net/index.cgi?back=archive99/now0827.txt&line=52#l
http://www.ntk.net/index.cgi?back=archive99/now0820.txt&line=48#l
They have been covering his misreporting and his bumbling attempts to infiltrate direct action groups in the UK by "fakemailing" them for some time now.
Please, do not even consider believing a word that this buffoon says. How he still holds a post at the Times is quite beyond me.
A little planning goes a long way...
But they've (supposedly) got thousands of credit card numbers! They could squeeze far more money out of those credit cards than £10 million, and if they did it carefully, it would be very difficult to catch them at it. Silly crackers...learn how to play the game before you start.
--
Seems to conjure up the right sort of negative connotations.
As a recent victim of credit card fraud (from a "legit" company), I gotta say that this scares me a little. However, it is the price I pay for convenience. The time that I spent working out my last credit card fraud problem is nothing compared to the time I save by not having to stop for cash, not having to write a check, etc. The convenience of being able to whip out my card is nice. In addition, it's nice to be able to order things online/over the phone without having to mail them a check of some sort.
However, I must ask - why now? We've seen two stories like this in the last week, and they both seem to have been planned for a while. Is there some sort of reason this is suddenly more prevalent?
Unfortunately, as long as companies keep storing customer's/client's valuable information in insecure places with insecure software, there will always be some cr/hacker that will find a way to nab it.
Even more unfortunately, the media will skew and distort this to the point where the spoonfed masses won't see the real point (which is that better security is needed at these online companies). Such is life.
This is a sig. It is like every other sig in the world, except that it is mine, and it is different.
One of the few things that large corporations listen to is public embarrassment. When people privately tell Microsoft of a security flaw they've discovered, MS just sits on its hands until it gets leaked publicly.
Vandalism is petty crime, and far more people are hurt by incompetent companies that don't find they have reason enough to care about the security levels they inflict upon their patrons. A pointy reckoning to them all!
"If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
Ungoed-Thomas has moderator access!!! :-)
:-)
Stop that! Just the thought that JU-T might ever read our precious slashdot and use it as a source for future works of fiction is going to lose me some sleep tonight.
I'm going to chant over and over again, the moderator didn't read the article, and didn't understand who double-plus-ungoed is, and why all the higher moderated posts in this thread are all about the Times, JU-T, and...
the AC
Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
Interestingly, the UK government has laws going through, as I'm sure everybody knows, that would allow law enforcement to demand encryption keys from anyone without the need for judicial oversight or reasonable grounds, and also to then require you not to tell anyone. I'm sure the promulgation of stories like this one is supported by the agencies that stand to benefit.
Wow! That is just plain evil. This means someone should start a campaign to get Linux boxes in the UK to use StegFS. StegFS (Steganographic File System) is an encrypted ext2 file system which allows for plausible deniability, i.e. you can give them the password to a lower encryption level and they will have no way to prove higher encryption levels exist, thus there is nothing they can do to make you give up your encrypted data (it also wipes unused blocks so none of this taking the disk to find shit you deleted).
Now, the requiring you not to tell anyone is a separate issue. I donno what to do about this. I suppose you could just tell people anyway.. maybe someone could run a web page which publishes lists of incidents where they have used this power? Is anyone trying to fight this?
Jeff
The Christian religion has been and still is the principal enemy of moral progress in the world. -- Bertrand Russell
It never fails to fry my brain when I hear the indignation expressed by the technically clueless in response to tabloid-esque puffery like this. These are the same people who, after their meal at Olive Garden, think nothing of handing their card to an unknown person who disappears with it for five minutes. The same people who think nothing of pulling out their cards and receiving cash at an ATM in a dark, empty parking lot at night. The same people who never even perceive the strangers jammed into the supermarket checkout lane behind them as they whip out their card and pay for groceries.
These people seem to think that the idea that some 'evil haxor' may come along seeking your card number successfully is somehow more repugnant than knowing that management at Best Buy has reports listing the zillion or so numbers their checkout computers recorded over the holidays just sitting around on desks all day.
Anybody know how many lost Mars probes ZDNet helped recover today...?
======
"Rex unto my cleeb, and thou shalt have everlasting blort." - Zorp 3:16
Sacred cows make the best burgers.
Should I appreciate the message they sent me by spray painting my wall with, "Your locks SUCK DOOD!!!"?
Defacing a web-page is a little different. It's closer to putting a post-it note on the inside of your door saying "eY3 0wN u!" or something. Scary but not necessarily all that much work to clean up.
Trees can't go dancing
So do them a big favor
Pretend dancing stinks!
Some of his recent accomplishments include:
1) allowing Colonel Pinochet, the Chilean dictator and alleged perpetrator of crimes against humanity, to escape justice on the grounds that he is too frail to face the hardships of a court trial. This decision is further to a private medical report on Pinochet's condition, which by its nature seems pretty difficult to challenge.
What exactly about his mind/body is unable to sit through a trial? What are the odds of his staging a "miraculous" recovery upon arrival back to Chile, where he has immunity from prosecution?
2) then there's the case of his letting Mike Tyson, former heavyweight champion boxer, rapist of a teenager and ear gourmet into Britain. The UK law says that aliens convicted of a crime that would carry a prison sentence of 12 months in Britain are denied entry, unless on extreme compassionate grounds. Compassion towards Tyson not towards the British businesses who had invested in the fight!
3) there's the example of the alleged Nazi war criminal Konrad Kalejs who is accused of killing >30,000 civilians in Latvia during World War II. He was found living in a residential countryside home. Instead of prosecuting him, Straw allowed his deportation from the UK as he had *gasp* overstayed his 6 month visa.
It makes me *so* proud to be a part of such an ethical government. *sob* I'm choking up here.
Well, actually, VISA _DID_ inform those people whose accounts were affected. Or, at least, they informed their banks, and I happen to bank at a "good" bank (a credit union, actually), that in turn informed me. They cancelled my existing VISA card, and sent me a new one. They did say that the card number had been compromised at VISA, and that VISA had alerted them. At the time, I thought it odd that I had not heard of numbers being compromised at VISA, so I thought it must have been a small scale leak.
SO, if you were not informed of the compromise either (1) your card was not affected or (2) your bank chose not to tell you. Door number 2 is a black eye for your bank, not VISA.
Does VISA really have an obligation to tell the whole world that some of their numbers were compromised? IMHO, No. They do have an obligation to tell those people who were affected, and I think they did a good job there, at least in my case. Perhaps they chose not to tell the whole world because their investigation (along with whoever else) was on-going. Perhaps (more likely) they chose not to tell the whole world for fear of a mass canceling of VISA cards prior to Christmas. As long as the affected people were notified, which seems to have happened, I really don't think they screwed up here.
Damn, it's raining again!
Well, that 'trillions of dollars a year' is basically their throughput. Their gross income will be substantially less than that. (and their net income less than that, etc.)
But the thing is, $10 million is big enough to be HUGE for the average band of thieves, but maybe small enough for Visa to consider paying instead of hunting for blood. If it was only $1 million, they almost definitely would have paid. If it were $100 million, then the crackers would be hunted to the ends of the earth.
As it is, it sounds like they erred a bit too close to the $100 million mark. Too bad for them.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
I suppose if Taco and Hemos had posted this under a humour heading we would understand we should all laugh at it. But they are just re-posting drivel in the hopes of getting their failing andover stock to go up in price :-)
The article is by one of the most ridiculed "journalists" in Britain, which puts him out in front of a large pile of pathetic scandal-mongers. JU-T has been pointed out to the /. community several times before as a creator of the worst lies about computing we have seen. His job is to create shocking headlines to try and sell a few more papers in an overcrowded market. His dishonoured name makes a regular appearance on www.ntk.net, I would suggest you go on over there and do a search on double-plus-ungoed.
Some of the "stories" which only he has uncovered lately include one whereby his "highly placed source at the FBI" confirms that drug lords all over the world are hiring thousands of programmers to write software drugs, and then they can download them to cyber-junkies and make trillions of $$$ untraceably over the evil internet. Another story regurgitated the claim by a far right wing US research group that 70% of all material on the internet was hard-core pr0n.
The reason you don't see any other newspaper cover these stories or run more truthful versions is that these articles are completely works of fiction, and even the other scandalsheets in Britain won't stoop low enough to answer the Times garbage.
This story first broke last summer, when some kids tried to extort money from VISA. They were stupid, they even made the phone call from their home phone. Scotland Yard closed that case out without blinking. Now the Times pulls it up along with a few hints of other cases, but offers no facts or details, to prove to their readership the internet is a big evil thing which needs strong government regulation.
I can see there are a few other /.ers laying this one open as well. It's amusing how most /.ers are blaming VISA security, when the real story is in tearing apart this piece of "journalism" as the fiction it is.
the AC
Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
From their point of view there's no reason to tell it, you avoid the panic and anyway, you're going to pay for whatever happens so the public doesn't lose anything by not knowing.
They stole corporate secrets and things like that, they didn't steal credit card numbers, so this is more of an internal matter and all it does is make them seem incompetent, which I'm really not sure if it's true or not.
Companies have the right to have a little privacy too, maybe not much, but enough that they don't need to tell the public if it doesn't affect it (and Visa would need to lose a lot more than 10 millions of pounds before the customers see a difference).
ummm ok I realize you've asked not to be asked to explain this novel approach to security, but I would like to point out (for the benefit of other readers) how uninformed this decision is. Java has a wonderful security model and stays in its own sandbox.
ActiveX, on the other hand, is like a drunken super-model on crack. Sure, it's sexy, but you never know what it's going to do next.
I would favor blocking the latter, and letting through the former.
_________________________
Hacker gang blackmails firms with stolen files
£10m ransom demands sent out
Along with the story we're discussing here, we have this little gem:
Pollution set to rip giant hole in ozone layer
More than half the ozone is likely to disappear by March, climatologists warn
Rip a hole? March is 2.5 months away!
Along with that little story, we have more "all the news that's fit to spit":
Call girl fights Vat man's bill for £500,000
Flesh-coloured stockings not claimable - but lacy ones might be
Is this hard news? I think not.
And this little tidbit about Mr. big lips:
Do not arise Sir Mick Jagger
Downing Street blocks planned honour because of errant ways
looks like a gossip rag to me, but then again, I'll let you be the judge.
_________________________
"We were hacked into in mid-July last year," said Russ Yarrow, a company spokesman. "They gained access to some corporate material and we informed both Scotland Yard and the FBI."
Also . . "These are professionals and there is some evidence that suggests some of the activity was contracted and paid for," said a computer expert involved in the investigation.
First of all, the initial Hack was way back in July? Shouldn't there be better disclosure on these matters? Keeping their customers uninformed is by far the worst offence here. Months and months passed before this was finally disclosed, and in that time billions of dollars were at risk.
Secondly, it would appear that they suspect a competitor (or someone with an interest in seeing them lose money) is behind the hack. Interesting, don't you think ??
_________________________
1 port scanner: $25.
1 cable modem: $200.
Knowing you're bringing down the world's largest financial transaction institution?: Priceless.
_________________________
Like I said, "bring on the defenders...."
OK, so what if they copied the file?! How about if I change my analogy to use water soluble paint instead?
What, on the other hand, if the crackers decided to rootkit the system, then cp index.html to index.html.bak, so it _appeared_ to be a harmless prank?
If a site has been compromised, the usual (and proper) course of action is to rebuild from trusted tapes. None of this affects the original point, though, which is this:
Vandalism, regardless of the financial consequences, is still vandalism. Similarly, theft is still theft. Both cause harm, both destroy trust, and both break down open and free dialog.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
While not all crackers are thieves, most are criminals in some form. The hotmail crackers you mention are vandals. If they want to be known as something other than criminals, then they could privately email Hotmail with the details of their security flaw. Even this would be in a grey area.
Honestly, my apartment security sucks compared to, say, Intel's fab plants. Does that mean that I should thank thieves and vandals for breaking in, stealing my stereo, and destroying my records? Should I appreciate the message they sent me by spray painting my wall with, "Your locks SUCK DOOD!!!"?
There's no reason we should accept that security less than NSA levels is an acceptable invitation to invasion, either physically or cybernetically. Criminal Trespass is indefensible no matter where it takes place.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
We need to ask ourselves the usual questions:
a) How reliable is this news source?
b) What is the potential for harm to Visa customers?
c) Have the hacker group(s) actually stolen credit card numbers, or gained access to some other part of the system?
d) What can Visa do about it in terms of guaranteeing that IF card numbers have been stolen, that customers will not be liable for any charges made illegally (or is this already provided for)?
Before we start to create mass hysteria and hype over this, we need to assess the actual potential for damage so that we do not let this get blown out of proportion.
I mean taking a realistic view, Visa is going to be damn well careful to keep their data secure, this hack is most certainly not due to negligence on their part. They're probably working their asses off right now to fix it. IF card numbers have been stolen, Visa has to pay for illegal purchases - and you can be sure that they're making every effort to avoid this.
... is the author. Jon Ungoed-Thomas has managed to embarrass himself several times in the past, once by e-mailing Earth First! pretending to be an anti-corporation activist called "Jo", trying to provoke them into letting him in on something illegal. He sent the e-mail from the address jonathan.ungoed-thomas@sunday-times.co.uk!
More details at NTK - search for "Ungoed".
Gerv
I think the next thing we need a word for, after "benchcrafting", is "hacksationalism" (or maybe "cracksationalism" before people flame me) to cover all these media stories trying to spread panic about cracks amounting to nothing.
I can't be bothered to look it up now, but I'm almost convinced that The Times has featured a number of stories like this before, all of which indeed did lead to end of civilisation as we knew it (or maybe not...)
So what about this one, well:
"The group is using very sophisticated techniques and has been exchanging information via e-mail and internet chat," said an investigator.
Wow, malicious hackers that can use email and IRC! They have got to be a dangerous threat!
It is understood the hackers stole computer "source codes" that are critical to programming, and threatened to crash the entire system.
Now that is good journalism! Don't bother explaining that "code" has two meanings in computers, and that the "source code" has nothing to do with accessing the site (unless it was broken to begin with, but...) But then we do know how expensive it is when a hacker gets your source code, look at poor Sun who had to recode Solaris from scratch after Mitnick looked at its source (what? Didn't they? They must have since they claimed the entire cost of it in damages.)
Also, in both this and the CDUniverse case, the hackers are (apparently) trying extortion as a way of making money off their cracks. Extortion is a really, really, really, bad way of committing crimes without getting caught. Unless you happen to have serious underworld money laundering connections, you are going to get caught when you try to get your hands on the money - for sure. If these guys think they can walk away with a suitcase of "100 thousand quid in unmarked twenties" they have watched too many movies.
-
We cannot reason ourselves out of our basic irrationality. All we can do is learn the art of being irrational in a reasonable way.
The Times was, a very long time ago, the paper of the elite in the UK. Then Murdoch bought it and took it downmarket in the search for sales after its traditional userbase migrated to the Telegraph / FT / Independent / Guardian.
Hence they're a bit clueless now. This story has been going for a few days in the UK, but no details are apparent, no arrests have been made, no evidence shown. I'm sure somebody has made some threats, but then there's always somebody out there who'll make threats.
Interestingly, the UK government has laws going through, as I'm sure everybody knows, that would allow law enforcement to demand encryption keys from anyone without the need for judicial oversight or reasonable grounds, and also to then require you not to tell anyone. I'm sure the promulgation of stories like this one is supported by the agencies that stand to benefit.
You seem to be oblivious to the distributed dead-man switch of internet data release/publication.
I die. I forget to log into any one of many "magic" accounts out there, or something. A script in several places on the net times out, and lets the cat out of the bag on Usenet.
ask for *WAY* more than it would take to kill you professionally. *WE* of technologically endowed brain, beyond good and evil are the masters here.
--- Nothing clever here: move along now...
Well if past records are anything to go on, any second now someone will post here about how we should be thanking the crackers for forcing the companies to get their acts together. This will come despite the fact that the crackers are thieves, blackmailers, and dealers (of illegally obtained information).
I wonder how culpable Visa really is in this. I suspect that they had good solid security in place, and that the criminals broke in through some actual code bugs. (i.e. some new buffer overflow, rather than something like poor/no password selection)
I'm not sure what to make of the fact that Visa didn't tell the public, though. That's a bit disturbing.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban