Hacking Crime Victims to Remain Secret
outlier writes "The AP is reporting that federal law enforcement agencies are offering to keep the names of companies that have been victims of major cracking crimes secret. The goal is to encourage victims to come forward, so that the government can 'prosecute cases while at the same time achieving the kinds of protection and addressing the concern that the business community rightly has.'" My favorite part is how FBI agents will now "discretely" arrive at victims' offices.
Nothing beats security through denial.
"Uh, I wasn't hacked, nope. Must have been Corporation X."
And WTF is this?
Government efforts to tighten Internet security and investigate online attacks have long been hampered by reluctance from companies to admit they were victims, even in cases where executives quietly paid thousands of dollars in extortion to hackers.
Ok, someone needs to prove this, otherwise I highly suspect that it's some government propaganda. Honestly, who pays a script kiddie to remove the pr0n and racist/anti-gay shit from their site?
-- El Sacarino tiene gusto de la chocha
them: "Someone has testified against you, we won't tell you who it is, and we can't tell you what they said either".
you: "Umh ok".
FRA: STFU GTFO
I agree that confidentiality is important in some crimes. For example a woman who has been raped shouldn't have to have her name splashed on the front page.
But... if my bank or credit card company has a habit of getting hacked (i.e. lax security) I figure I have a right to know about it.
Just my $.02.
People couldn't type. We realized: Death would eventually take care of this.
There must be a dozen or so sites in each country that take a list of recently defaced web sites, I guess this isn't as severe as screwing up millions of credit card numbers.
Shouldn't the consumer be aware if someone who they gave their credit card details has been hacked and now they are exposed? It comes down to, if you're a victim, you want to know.
Analytic & algebraic topology of locally Euclidean metrization of infinitely differentiable Riemannian manifold
Case in point... AbiWord vs. PayPal.
I'd certainly like to know that the California State agency which kept my personal information had been hacked into. Same for anywhere I have or might be placing sensitive information.
Bad policy, bad! No treat for you!
A feeling of having made the same mistake before: Deja Foobar
Wait a minute, I'm confused here. The government is doing everything it can to protect the names of companies that have deployed inadequate network security practices from getting out but they're also making it their mission to expose companies that have employed deceptive accounting practices like Enron and MCI. The bottom line is that they both point to problems with the running of the company and if the company is publicly held then this information should be exposed and the incompetence dealt with.
Another U.S. attorney, Roscoe Howard of the District of Columbia, said the Constitution requires that a criminal defendant be permitted to face the accuser at trial, but he noted that many computer-crime investigations culminate with a plea agreement, where the names of victim companies can be kept secret.
The article deals with the relationship between the victim corporation and the public. The idea here is that companies can come forward with knowledge that the govt. is sensitive to their concerns about public reaction to this type of crime.
Now with all this said, if you are accused of anything and plead guilty to some crime without knowing who you are accused of victimizing, I have no sympathy for you (or your braindead lawyer... you did ask for an attorney, right?)
Ummmm, that isn't even constitutional. The accused has a right to confront their accuser. Do you really think the accuser is going to keep quiet about who the victim is? Doubt it, unless they give him some real incentive not to. Either way, with lawyers, relatives, friends etc, the true story is going to leak out somehow. If the FBI *REALLY* thinks this is going to remain secret, they have more than a few problems...
*Condense fact from the vapor of nuance*
So now not only is the electronic "proof" easily faked, now you don't even have to tell the hacker whom he supposedly hacked?
Great! The perfect infrastructure to put arbitrary people in jail. You can frame anyone!
And how can the hacker prove to the judge that the alleged victim had something to gain from framing him? And it makes it impossible that someone can read about the trial in the newspaper and help prove the hacker's innocence.
Obviously they want to get rid of Kevin Mitnick for good this time.
Criminalizing hacking is probably a mistake. It's a natural impulse to explore networks and work past barriers. It's no coincidence that the word "hacking" describes both creative programming and "malicious" network connections. They both stem from the impulse to explore systems.
The Government is now voicing concern about our "National Information Infrastructure" and its vulnerability. Passing tough laws and increasing enforcement is exactly the worst thing we could do for that cause. It will merely grow "hothouse flowers" - vulnerable networks that will not be probed by ordinary people (because they're scared) and will remain vulnerable for cyber-terrorists or organized crime.
Indulging the weakness of our corporate information security will be a never-ending spiral. Instead we should drag these hothouse flowers out into the real world and let natural selection take its course. In fact, the government could help most by offering bounties to people who hack into important facilities. Of course these bounties would be added to the tax bill of the corporation responsible for the security weakness. If most of the malicious hackers were reporting to the government, there'd be no way for "victims" to hide the incidents, and they could be publicized so customers and shareholders can react appropriately. That's how free markets are supposed to work - people buy and sell based on information.
Small scale hackers and script kiddies are like the constant barrage of viruses that keeps our immune systems on their toes. If we manage to scare them all away, we become the "boy in the bubble".
From the article:
"Companies that worry too much about public response underestimate the public's ability to assess the situation with some sophistication," [the FBI spokesman] said. "If a bank robber sticks a gun in a teller's face, the public is not confused about whose fault that is."
What about companies that provide little to no protection to their networks? Is that still the same as a robber sticking a gun in a teller's face, or would that be more akin to say, someone walking into the bank, into the unlocked vault, and walking out with everyone's valuables? And can the public still assess the difference with any level of sophistication?