Hacking Crime Victims to Remain Secret
outlier writes "The AP is reporting that federal law enforcement agencies are offering to keep the names of companies that have been victims of major cracking crimes secret. The goal is to encourage victims to come forward, so that the government can 'prosecute cases while at the same time achieving the kinds of protection and addressing the concern that the business community rightly has.'" My favorite part is how FBI agents will now "discretely" arrive at victims' offices.
We do have in Brazil a police force specialized in internet crimes but since the majority of the attack victims are off-shore, it's kind of difficult to track down the crackers.
Faith can move mountains. I prefer dynamite.
Companies that get hacked are, of course, only interested in recovering and getting back to their core competency. Nobody has time for forensics or any other bullshit, unless they've got an export control box hacked or we're talking classified data, in which case legislation dictates that more measures are required.
This is good because I believe then that a lot more companies will come forward with hacking tales, more development will be done to plug holes, more people will be able to talk about hacking, more people will be aware of the dangers, more people will become educated about hacking and viruses and the like, and we will have fewer "I can't find the any key" tech support calls and fewer viruses propagating like mad.
Help I'm a rock.
Alcohol and Calculus don't mix. Don't drink and derive.
You mean they used to arrive all lumped together? No wonder people got upset!
Learn to spell, guys...
> My favorite part is how FBI agents will now "discretely" arrive at victims' offices.
The guys in black trenchcoats? Uh, those are our network consultants. Yeah, network consultants.
Sheesh, evil *and* a jerk. -- Jade
Maybe the courts should just start calling the parties H4X0R and H4X0R3D...
I'm the Devil the Windows users warned you about.
Nothing beats security through denial.
"Uh, I wasn't hacked, nope. Must have been Corporation X."
And WTF is this?
Government efforts to tighten Internet security and investigate online attacks have long been hampered by reluctance from companies to admit they were victims, even in cases where executives quietly paid thousands of dollars in extortion to hackers.
Ok, someone needs to prove this, otherwise I highly suspect that it's some government propaganda. Honestly, who pays a script kiddie to remove the pr0n and racist/anti-gay shit from their site?
-- El Sacarino has a taste for pussy
them: "Someone has testified against you, we won't tell you who it is, and we can't tell you what they said either".
you: "Umh ok".
FRA: STFU GTFO
I agree that confidentiality is important in some crimes. For example a woman who has been raped shouldn't have to have her name splashed on the front page.
But... if my bank or credit card company has a habit of getting hacked (i.e. lax security) I figure I have a right to know about it.
Just my $.02.
People couldn't type. We realized: Death would eventually take care of this.
Hi. We're from the FBI. You're under arrest for hacking. We cannot disclose what you did or who you hacked. Just jump into our jail.
Isn't this sort of like the family whose teenage daughter gets pregnant and they don't want anyone to know because "what will the neighbors say?!?!"?
FLR
My favorite part is how FBI agents will now "discretely" arrive at victims' offices.
In my experience, the FBI can be extremely discreet when they want to be. I work for a company that provided some important information to the FBI after September 11 last year. There would on occasion be two or three agents in our office, who always showed up driving an unmarked car, and wore casual attire. Most of the people in our office had no idea the FBI was even present.
The article says this isn't an issue because most hacking computer-crime investigations end in a plea deal, but how willing will suspects be to plead if they know they have an out at trial?
However, in the case of companies that don't spend an appropriate amount on infosec, fear of public knowledge of their lack of security is often the only impetus to spend any money at all. Case in point: as the only "computer guy" (read: webmaster) at work, any problems with systems, be they internal or external, get blamed on me. I've fought tooth and nail for training (nope), a new network architecture (confidential documents, including employee data and customer financials, are stored on a Win2k box that has no firewall, no A/V, nothing), even just the ability to install freeware solutions (fuck spending an appropriate amount of money, just let me spend some time, please) have all gone by the wayside. The only time I can get approval for anything is when I lay out specific scenarios of stolen data being released publicly and the ensuing customer backlash over the lack of security. Without that hammer, I've got nothing. And since the only infosec experience I have is that which I can get for free, on my own time, I need all the hammers I can get.
The analogy in the article with a teller and a bank applies here. The idea is to encourage victims to step forward so law enforcement can catch the bad guys. The point here is that either way, as a stockholder you wouldn't know that security was compromised (at least the company isn't going to publish the info), but if ACME Co. can have some assurances that their name won't be in the headlines the next day, they may be more willing to come forward.
Wait a minute, I'm confused here. The government is doing everything it can to protect the names of companies that have deployed inadequate network security practices from getting out but they're also making it their mission to expose companies that have employed deceptive accounting practices like Enron and MCI. The bottom line is that they both point to problems with the running of the company and if the company is publicly held then this information should be exposed and the incompetence dealt with.
don't tell them that!
What, the bit about an agency or a government?
any of it!
Right. You're under arrest for hacking.
don't tell them what they're under arrest for!
We can't just arrest them, can we?
we do it all the time!
But that's what morally corrupt dictatorships do and we're not one of those, we're from a democracy, right?
oh, great, next you'll give the whole thing about where we are from away, just why don't you wave the flag, show 'em a picture of your mom and ask if they'd like some apple pie! fer chrissake!
Ok, we cannot disclose who you are, what you did or who you did it to, who we are, what we are here for, what you may or may not be charged with, where we are taking you or anything else. We're not even sure if we are at the right address, but just come with us.
quietly.
A feeling of having made the same mistake before: Deja Foobar
My favorite part is how FBI agents will now "discretely" arrive at victims' offices.
- Yes. I've been looking for you, Neo. I don't know if you're ready to see what I want to show you, but unfortunately you and I have run out of time. They're coming for you, Neo, and I don't know what they're going to do.
- Who's coming for me?
- Stand up and see for yourself.
- What, right now?
- Yes, now. Do it slowly. The elevator.
This is of marginal value because while it may keep things under wraps while the hack is occurring, if the hacker is caught (the goal, after all), then they have the right (in the U.S. at least) to face their accusers. Barring a rather broad-sweeping gag order, the press will get wind of it. And given that the bait here is for the company to remain anonymous permanently so users of that company do not lose trust in that company, this is of dubious value.
Plus, IF the hacker (remember a lot of jobs are done from the inside) catches wind that the FBI has been contacted and is being asked to be discreet, this is a new weapon. They now know that they have a brand new button to push that the company would, for whatever reason, really not want pushed.
Just a thought.
My
Limekiller
So is this saying that hacking is even more humiliating, more personally damaging, more vicious than rape or murder (or any number of other violent and cruel acts) -- so much so that we have to shield its victims from any public knowledge of their being victims? Or maybe are we saying that corporations get whatever they want from our justice system? (*cough* Microsoft penalty judgement *cough*)
Ummmm, that isn't even constitutional. The accused has a right to confront their accuser. Do you really think the accuser is going to keep quiet about who the victim is? Doubt it, unless they give him some real incentive not to. Either way, with lawyers, relatives, friends etc, the true story is going to leak out somehow. If the FBI *REALLY* thinks this is going to remain secret, they have more than a few problems...
*Condense fact from the vapor of nuance*
Criminalizing hacking is probably a mistake. It's a natural impulse to explore networks and work past barriers. It's no coincidence that the word "hacking" describes both creative programming and "malicious" network connections. They both stem from the impulse to explore systems.
The Government is now voicing concern about our "National Information Infrastructure" and its vulnerability. Passing tough laws and increasing enforcement is exactly the worst thing we could do for that cause. It will merely grow "hothouse flowers" - vulnerable networks that will not be probed by ordinary people (because they're scared) and will remain vulnerable for cyber-terrorists or organized crime.
Indulging the weakness of our corporate information security will be a never-ending spiral. Instead we should drag these hothouse flowers out into the real world and let natural selection take its course. In fact, the government could help most by offering bounties to people who hack into important facilities. Of course these bounties would be added to the tax bill of the corporation responsible for the security weakness. If most of the malicious hackers were reporting to the government, there'd be no way for "victims" to hide the incidents, and they could be publicized so customers and shareholders can react appropriately. That's how free markets are supposed to work - people buy and sell based on information.
Small scale hackers and script kiddies are like the constant barrage of viruses that keeps our immune systems on their toes. If we manage to scare them all away, we become the "boy in the bubble".
at the cost of consumers of course.
>along with any sensitive corporate disclosures that could prove embarrassing.
Embarrassing? I'm sorry, but if my bank has an incompetent IT department, uses crappy software, has a poor security policy, etc., then I should find out about it in the paper alongside the police blotter which lists every drunk, domestic fight, and pot possession in the county.
The meat packing industry is the same way. They can recall tons of dangerous product without telling the press who the meat was sent out to. For instance it was all sent to McDonalds or Subway then those companies have the choice to tell you. Your safety, and life in some cases, is second to their PR.
Government is supposed to protect all interests without giving in to one side. Sadly, those with the resources get what they want and there isn't even a popular opposition party to call BS on laws like this.