Sophisticated, Targeted Breakins Uncovered

Ichabod writes "Sophisticated computer criminals stole data from Unisys, Booz Allen, L-3 Communications, Hewlett Packard, and Hughes Network Systems. It sounds like they used a combination of social hacking and undetected low-profile malware (reportedly NTOS.exe) to steal and encrypt sensitive data, and compromised Yahoo accounts to store and retrieve it. An international investigation appears imminent. And yes, unfortunately Reuters calls the criminals 'hackers,' further besmirching the once-revered title."

Another day another break-in

Security is only as good as it's implementation. These articles seem to get the same responses everytime. I would love to see /. act like a think-tank sometime and really come up with some solutions.

Re:Another day another break-in

[Red+Flayer]

by R00BYtheN00BY (1118945) Alter Relationship on Tuesday July 17, @02:51PM (#19891101)
god shut up

Telling Anonymous Coward to shut up seems like a rather futile exercise. He is, after all, the most prolific commenter of all Slashdot users.

Please, do us all a favor and get back under your bridge -- if I recall, it's the one known as Digg.

Re:Another day another break-in

[ringfinger]

According to the article, they used social engineering by "seducing employees with fake job-listings". This is interesting because it targets those employees that are most disgruntled. Offer them a chance at another job and they'll give you a username/password that probably is the same one they're using to access the corporate account system.

I agree, we should somehow pool our collective knowledge and accumulate it somewhere. There's an idea for /. to pull it back up on par with digg.

Re:Another day another break-in

Something else needs to be uncovered: Jessica Alba. She should be naked in all of her movies.

Re:Another day another break-in

[prelelat]

on par with Digg? I think Slashdot is still better than Digg. The articles aren't always some top ten games of all time, top ten country albums of all time. I think you can get allot more technical responses from Slashdot users on average, and you don't get as much "I'm l33tz ur 5ux0rz" I do see good comments at both places, and good stories at both, but if it's a slow news day at Digg you can expect to see allot more useless drivel then on Slashdot. At least if you filter out one particular editor...

Either way I think they could both use some work.

Re:Another day another break-in

[mehemiah]

I hope he ment back down on par with digg

Re:Another day another break-in

[djdavetrouble]

off topic but i agree. I get sick of the idiotic comments there and the low
quality of the copy on submissions. It is like being inside a teenaged male's brain,
not a good place to be.

Re:Another day another break-in

I am glad someone else noticed because I can never post more than a few times because the system makes me wait. That Anonymous Coward guy somehow has found a way to post all the time. Sometimes a bunch of posts in a row. Does anyone else know how he does that?

Re:Another day another break-in

"we should somehow pool our collective knowledge and accumulate it somewhere."

In soviet russia, knowledge accumulates YOU!

Re:Another day another break-in

[martin_henry]

It is like being inside a teenaged male's brain, not a good place to be.
More true words are rarely spoken (or typed) on /.

Re:Another day another break-in

Who, me?

Re:Another day another break-in

they'll give you a username/password that probably is the same one they're using to access the corporate account system Don't use passwords. Use two factor authentication with security certificates on USB thumbdrives/smartcards (and make sure they are removed before authentication is allowed, to help avoid people leaving them behind). This also helps avoid the problem of crackers coming along with fake token readers to steal private keys.

Solved?

Re:Another day another break-in

[tehcyder]

you can expect to see allot more useless drivel then on Slashdot. At least if you filter out one particular editor...

Why so coy?

Re:Another day another break-in

[vux984]

It is like being inside a teenaged male's -penis-, not a good place to be.

There fixed it for you.

Yes, I realize in the context the two words are synonymous. But this helps eliminate any confusion, and adds an extra dimension to the 'not a good place to be' . ;)

Re:Another day another break-in

[zoryn]

I know I'm gonna get modded down for this, but I was a usual reader at digg, and ever since I started spending more time on slashdot, I gotta tell you, it's a whole different level. Digg is filled with "Take that sony!", "A kid got killed doing something stupid, humanity wins." one-line-comments; slashdot on the other hand, always has insightful comments, sometimes very interesting debates (I know, I browse only at +3). To me, the most important part of slashdot is the comments section. A lot of useful information, specially on developers articles. Digg basically only shows us the articles.

The only thing I find strange..

[i8myh8]

..is that they'd use Yahoo! Mail to retrieve the data. Gmail offers more space. Hrm. Poorly researched.

Re:The only thing I find strange..

[jojoba_oil]

Actually, the so-called hackers thought that "Do No Evil" was a command to those using Google's services. As such they went elsewhere.

In all seriousness, I'd be willing to bet that they used compromised Yahoo! accounts for a few reasons: yahoo users are generally less computer-savvy (read: easier to compromise), they probably use gmail accounts themselves so they didn't want to draw attention there, and google has been rumored before to keep e-mails even after being deleted from the account.

Re:The only thing I find strange..

[Hoi+Polloi]

Plus gmail has mail content sensitive ads. So are they getting ads for credit card number websites and rootkits now?

Re:The only thing I find strange..

[TZapper]

Keyword: compromised.

Re:The only thing I find strange..

[jandrese]

I find it amazing that they feel the need to compromise someone else's yahoo account. Yahoo literally gives those things away for free, and it's not like you can't sign up from a compromised machine to mask your IP address. It just seems like extra effort to compromise those accounts and the only thing it buys you is a greater chance of detection when the real yahoo user logs back into his account and sees it full of credit card numbers or whatnot.

Re:The only thing I find strange..

Good point, except Yahoo just updated their storage to unlimited.

frequency

[HomelessInLaJolla]

The article is rather light on details. My first thought is to wonder how, after all this time, they finally managed to figure out that their systems were compromised.

My second thought is to wonder if it's even true or if this is just spin-hype for Trend.

My third thought is to objectively note that this is probably not an isolated incident. If this particular incident is this big then, in all likelihood, there are hundreds or even thousands of other compromised systems which haven't been diagnosed.

My fourth thought is "Haha!"

Re:frequency

in all likelihood, there are hundreds or even thousands of other compromised systems which haven't been diagnosed.

And you didn't figure THAT out until today? LOL.

Re:frequency

[pegr]

You want details? This trojan appears to be a variant of this nasty little bugger. (Warning: pdf). The link is to a detailed technical report on how it works, what it does, and how to decrypt data it encrypted. It was authored by Secure Science Corporation back in November of 2006.

Re:frequency

[HomelessInLaJolla]

There's no link to the advisories page from their front page, the advisories page doesn't actually list the .pdf, and the home page isn't the same as the first page.

Re:frequency

[spacerog]

Hewlett-Packard declined comment, while officials with other companies couldn't be reached for comment. A Department of Transportation spokeswoman said the agency couldn't find any indication of a security breach.

It was not clear whether the hackers used information stolen from the personal computers

Officials with Yahoo weren't available for comment.

An FBI spokesman declined comment, saying it is agency policy to neither confirm nor deny whether an investigation is ongoing.

Seems like a whole lot of nothing going on. You would think they would wait until they could get at least one external confirmation before press time. Shoddy reporting.

- SR

Re:frequency

heh

I'm betting that a lot of people didn't notice the problems with that link....

Re:frequency

there wasn't any problem with the link itself.

Re:frequency

[Nazlfrag]

You don't get it. If there was nothing going on they would have replied 'No, we are completely secure and always have been and always will' instead of 'No comment. Nothing to see here. Move along'.

This is news?

who has'nt hacked a big company yet? that shit is easy as pie..

Re:This is news?

[PitaBred]

So is proper capitalization and punctuation, yet, somehow, it doesn't happen very often...

Give it up

[IndustrialComplex]

I don't think you have to worry about the term 'hacker' being besmirched any more. It, like several other terms have entered the mainstream vernacular. If you really care about the terminology that much, invent a new term for what was the original 'hacking'. It is far too late to close the barn door on the hacker misconception.

Re:Give it up

Check out the Userfriendly dot org comic pages for the last few days.

Re:Give it up

[morari]

And while we're at it: I'm not a Trekkie, I'm a Trekker! Geeze.

Re:Give it up

[Jack+Pallance]

I guess you could say, this issue needs more than a "Band-Aid" for a solution.

Get it?

Band-Aid!!

(OK, It was a term that used to be used exclusively to mean a specific brand, but has now changed its meaning over time to mean something broader. I don't know why I even try with you people...)

Re:Give it up

hack/slash hacker/slasher

Re:Give it up

[elrous0]

You mind if I put a Xerox of this post up on my office bulletin board?

Re:Give it up

[elrous0]

The funny thing is when trekkies/trekkers/whatever are asked to explain the difference between the two terms, they always give either meaningless, nonsensical, or contradictory answers. It all boils down to a bunch of trekkies getting all pissed off back in the 70's/80's that the name had such a negative connotation and thinking that a few changed letters would hide the fact that they were still virgins wearing Starfleet uniforms.

Re:Give it up

[Fred_A]

I thought trekkers just went on long hikes...

Re:Give it up

au contraire:

1. if a journo fails to make the distinction, that doesn't (and still doesn't) make it right. witness: if i had a nickel for every time a journo wrote that someone was 'clinically dead' - meaning no pulse - before said corpse was revived. 'Clinically' means 'as declared by doctor' to be D-E-A-D, comprehende?

2. on the other hand, i'm not sure if the continued misnomer is such a bad thing. hackers who know, know, and really, who cares if dumb hacks and their equally brain-dead readership can't make the distinction? makes it all the sweeter when we observe 'hey, great hack' and those of our brethren that know, know.

Re:Give it up

[ashmon]

Only if you print it on a Kleenex and have a Coke afterwards.

Re:Give it up

[OzoneLad]

I thought trekkers just went on long hikes... And we're all thankful for that!

Re:Give it up

[treeves]

I think I need an aspirin.

Re:Give it up

[Aaron_Pike]

I have an idea! We could use a Wild West metaphor. Then we could call them "white-hat hackers" and "black-hat hackers." Oh, wait ...

DoT is on the list..

[dotpavan]

and "A Department of Transportation spokeswoman said the agency couldn't find any indication of a security breach." awesome!

"to steal and encrypt sensitive data"

[InvisblePinkUnicorn]

See, hackers get a bad rap. These folks were kind enough to encrypt the sensitive data they found, so that no outside parties could get a look at personal records.

No, it was never that way

[Henry+V+.009]

"further besmirching the once-revered title"

Revisionist history a little?

Re:No, it was never that way

[sconeu]

Yes. See the Jargon file. The term "hacker" has a long and distinguished history, before it was hijacked by the asshats who are "crackers".

Re:No, it was never that way

[u-bend]

Yes. See the Jargon file. The term "hacker" has a long and distinguished history, before it was hijacked by the asshats who are "crackers". Yes, but therein lies the problem I've always seen with the term that the tech community would prefer people use, i.e. that "cracker" already has a slang definition, and most people in the world will have reactions ranging from confusion to effrontery at the notion that their computer system was compromised by a bunch of rednecks.

Re:No, it was never that way

[wamatt]

Perhaps its irrelevant what it once was. A hacker now is a bad guy. Trying to re-educate the massive public mindset for the sake of some historical correctness, seems like a futile experience. Eventually 99% of the population won't know or care the origin.

It's like complaining about the word "gay" being used by teenagers and not referring to a homosexual or when people say "Mac O.S.X" instead of Mac OS Ten

Re:No, it was never that way

[fenodyree]

Asshats!

Now there is a title. Hackers gone, White Hat never made it. Enter Asshat.
Today I asshatted a Big Corp's main server, so I emailed their admin to fix the hole. I am such an Asshat.

Re:No, it was never that way

[Himring]

No, no. They meant "rappers."

Re:No, it was never that way

Crackers break software protections, Hackers defeat or bypass network/system security.

Re:No, it was never that way

[Frequency+Domain]

It's not revisionist. The term "hacker" has a history going back more than 50 years at MIT. Although its use has changed over the years, it definitely carried a connotation of using skill, imagination, and wits.

Re:No, it was never that way

You do know that OSX was programmed entirely in roman numerals, right?

Re:No, it was never that way

[It'sYerMam]

Or that their system was compromised by a thin, crispy biscuit.

Re:No, it was never that way

[Penguinshit]

I prefer the term "honky", thankyouverymuch...

Re:No, it was never that way

[trianglecat]

I like it! But wouldnt that be a$$h47?

Re:No, it was never that way

[WwWonka]

...and there you go again besmirching the once-revered title "asshat".

Re:No, it was never that way

[_Sprocket_]

Revisionist history a little?

I'm curious - did you first become aware of the term "hacker" after watching WarGames or Hackers?

Re:No, it was never that way

[WwWonka]

...which of course falls firmly in the hole that needs to be filled between a black hat and a brown hat.

Re:No, it was never that way

[Killjoy_NL]

That would be social engineering at its best :D

Re:No, it was never that way

[Stormie]

Yes. See the Jargon file. The term "hacker" has a long and distinguished history...

...and the Jargon File has a lot and distinguished history of passing off the vernacular of Eric S. Raymond and his circle of friends as some sort of universal language used by All True Computer Hackers everywhere.

If you have a problem with the term hacker

[pembo13]

contact the editors about it politely.

Re:If you have a problem with the term hacker

Get over it. Language evolves and so has the accepted meaning of the term hacker. It is like how the word gay used to mean happy.

Re:If you have a problem with the term hacker

[Waffle+Iron]

I would only have a problem with the term "hacker" if my mind were too feeble to grasp the concept of a homonym.

Re:If you have a problem with the term hacker

[Fulcrum+of+Evil]

What's that got to do with anything? You are aware that a word can have many meanings?

Re:If you have a problem with the term hacker

[Waffle+Iron]

You are aware that a word can have many meanings?

That's exactly what I was pointing out.

Re:If you have a problem with the term hacker

[Fulcrum+of+Evil]

No, a homonym is two words that sound the same. In English, when you spell the words the same, it's the same word.

Re:If you have a problem with the term hacker

[Waffle+Iron]

Nope. From dictionary.com:

hom-o-nym n.

1. One of two or more words that have the same sound and often the same spelling but differ in meaning, such as bank (embankment) and bank (place where money is kept).

2. a. A word used to designate several different things.
b. A namesake.

Re:If you have a problem with the term hacker

[Skrynesaver]

Pointless pedantry, but two words that sound the same are homophones

Social engineering

[athloi]

At least in the old days, we used to call it "social engineering" and hacking meant any kind of programming outside the obvious. That included getting machines to fork over security credentials, but that meaning was a subset of the broader term, which meant both a cheesy quick fix ("what a hack!") and a dancelike circumnavigation of inherent limitations to produce a semi-elegant but sturdy fix ("kernel hackers drink coffee black").

Re:Social engineering

[pipingguy]

Didn't "social engineering" mean something else before it got adopted by the computer crowd?

Better writeup at WaPo

[wiredog]

The Security Fix Blog

Re:Better writeup at WaPo

[BobMcD]

You'd think so, yeah, and I was going to mod you up for it, but some one here has their wires crossed...

Reuters story: Hackers steal data, moving it in encrypted form to their own servers.

A Department of Transportation spokeswoman said the agency couldn't find any indication of a security breach WaPo/Kaspersky story: Hackers sew up customer data in encryption, leaving behind a ransom note asking $300 for the key.

Those are similar, down even to the list of companies. But I wonder, if all the DoT's data is encrypted, and there's a ransom note, how they failed to detect that?

In seriousness, I wonder what the truth of the matter is... Did BOTH of these events occur? If so, there's likely to be some InfoSec jobs opening up real soon.

Linux, big guys ?

[deecha]

Why don't these folk seriously consider locked down implementations of Linux ? It's security model is so much better that Winbloz.

Re:Linux, big guys ?

Linux, except for RHEL is neither FIPS, nor Common Criteria certified. That means that should something happen, even though the OS may be more secure, SOMEONE is going to prison for not using software that has the certificates.

Windows has these certificates. If someone steals data from Windows systems, the company can blame it on MS, and show that they did due diligence, and none of the people will face prison sentences.

Re:Linux, big guys ?

[MrDoh1]

Add to that the fact that social engineering is platform independent.

Re:Linux, big guys ?

[evil_Tak]

Linux, except for RHEL is neither FIPS, nor Common Criteria certified.

So what you're saying is that RHEL is Common Criteria certified, so the OS is more secure, and SOMEONE doesn't have to worry about going to prison.

Don't use windows on Secure networks.

[LWATCDR]

I know the pro windows crowd will jump up and down but I hope they will hear me out.
1. Windows is the most popular OS on the planet. Just for shear number of systems it is most hacked.
2. Windows is harder to lock down than most other OSs. That is often because software expects to be running with admin rights.

I am trying to figure out how no one noticed these programs trying to make connections to the outside world. My guess is that they where not expecting a Trojan. Heck we got hit by a worm at my office. It didn't get through our firewall at all. Somebody brought a notebook in and connected it to our network.
It only infected three machines but it was a good cheap lesson for us.

Re:Don't use windows on Secure networks.

[BobMcD]

My guess is that they where not expecting a Trojan ...especially coming from their own, presumably patched and up-to-date, boxes.

Don't rule out the social engineering aspect here. They sought out security employees that wanted to leave the company.

Genius, really.

Re:Don't use windows on Secure networks.

[acherrington]

...Or you can use the NSA's Security Guide to provide a standard model of security. Sounds like you need to look at the configuration guides for router's switches and Operating Systems. http://www.nsa.gov/snac/downloads_all.cfm

Re:Don't use windows on Secure networks.

"I am trying to figure out how no one noticed these programs trying to make connections to the outside world."

The article said that the programs used web pages on Yahoo, so I would guess that the traffic got lost in all the other web traffic coming from the computer.

Re:Don't use windows on Secure networks.

[A+non-mouse+Coward]

I'm not denying that Windows has had a track record I wouldn't want, but that said, if the data is important enough to these "hackers", and the employees are using OSX/Linux/*BSD/AIX/ZOS it's really not going to matter. This was a social engineering attack against people. Yes, you have to trust people in this day and age if you want to get any work done. Yes, the more people you trust, the lower your organization's overall trustworthiness is. It's simple math. People are not perfectly trustworthy, therefore:

limit (N->infinity) T = t(a) * t(b) * t(c) ... * t(N) = 0
where t is less than 1

Sure, technically speaking the sysadmins could be running systems where installing malware in root land (for all users) is prevented (non-admin users), but look at the alternative OSes-- they all let users execute apps in their user profiles (OSX/BSD/Linux, etc.)! All the "hackers" really needed was to trick them into running code in their user profiles, because all the trojans needed to do was access data that the users already had access to-- not data that was stored in admin/root land-- userland!

--
Don't get into religious OS wars ... They all suck!

Evil FBI at it again.

[N8F8]

Using their evil databases to identify trends and patterns.

Interesting new avenue for social engineering...

[ringfinger]

Put job ads in front of disgruntled employees and ask them to create accounts to apply -- then watch as they merrily type in their favorite usernames/passwords into your cracker system. Easy as pie...

more data please

[scolbert]

Wouldn't it be nice if we could get more data on these security breeches? The articles are so lite weight. What technique? What data? I think the more we learn about these problems, the more bullet proof we can make our systems. We are at a disadvantage in that the criminal understands the vulnerability and can exploit it over and over again.

Sammy at IT/Personafile

Re:more data please

[GungaDan]

The security breech is my end of the security device. Pity those on the security muzzle side.

Shortening names...

[jojoba_oil]

Nowadays I do my banking at WaMu, get a daily paper from WaPo... What next, I'll be reading SlaDo?

Re:Shortening names...

[wiredog]

"Washington Post" instead of "WaPo" exceeds the subject line length. So blame /. for the shortening. Blame Stef for the butter.

Not Sophisticated At All

[neoshroom]

"What is most worrying is that this particular sample of malware wasn't recognized by existing antivirus software. It was able to slip through enterprise defenses," said Yankee Group security analyst Andrew Jaquith, who learned of the breach from Morris. "This is a serious threat. It shows how sophisticated hackers have become," Haro said.

This is not sophistication.

1. Take any virus/trojan that is recognized by antivirus software.
2. Put it through an executable compression package to make its code vary from what it used to be on the hard drive or in memory.
3. Viola! Your malware is now stealthed from any antivirus program.

Either that was rather simple or I am a seriously dangerous hacker.

Re:Not Sophisticated At All

[TClevenger]

At least in the olden (DOS) days, when McAfee came upon a pklite'd executable, it would unpack and scan the unpacked executable. I would hope that current antivirus programs would do the same.

Re:Not Sophisticated At All

[BobMcD]

I believe the sophistication is question is the combination of the targets, the undetectible malware, and the delivery method. Not the malware itself.

This was a concentrated attack "seducing employees with fake job-listings on ads and e-mail" and was only directed at specific targets, rather that the entire world at once.

Likewise they used a website that was unlikely to be blocked to warehouse the data, instead of somewhere in Russia, etc.

No, this seems a bit above the bar to me.

Re:Not Sophisticated At All

[scottwed]

There is a way to combat this, but it requires you to enable Window's Data Execution Prevention. At least two of the executable compression packages I played with tout their ability to obscure source code by extracting, and then running purely out of memory. Unfortunately, their compression payload then has to run out of memory marked for data storage. Turn on DEP, and the programs are doa

Re:Not Sophisticated At All

[icydog]

How did you get modded +5 Insightful? From the link you posted:

Also, some older virus scanners simply report all compressed executables as viruses because the decompressor stubs share some characteristics with those. Most modern virus scanners can unpack several different executable compression layers to check the actual executable inside.

Re:Not Sophisticated At All

Parent is an idiot if he think's modern day anti-virus' don't unpack packed files before scanning them. He's even dumber if he thinks the trojan/virus won't be detected in memory after it's unpacked during run-time. sorry, it doesn't stay packed in memory brah.

From Webster

[Shihar]

Main Entry: hacker
Pronunciation: 'ha-k&r
Function: noun
1 : one that hacks
2 : a person who is inexperienced or unskilled at a particular activity
3 : an expert at programming and solving problems with a computer
4 : a person who illegally gains access to and sometimes tampers with information in a computer system

I am pretty damn sure that the thieves in question meet both #3 and #4, hence they are 'hackers'. I probably would not waste time bothering Reuters to complaining that not all hackers are evil. They used the word correctly.

Not strange at all

[CrazyJim1]

Yahoo offers "unlimited" mail storage. Maybe not with new accounts, but several of mine do.

Re:Not strange at all

[i8myh8]

Ok, *that* is bizarre. My yahoo account I've had for a looong time says "You now have unlimited storage" when I login, whereas the newer ones I setup for email lists, spam and other such nonsense gives me a quota.

Everybody's happy!

[ingo23]

From the article:

A Department of Transportation spokeswoman said the agency couldn't find any indication of a security breach.

See, it's a win-win situation - the criminals did everything smoothly without leaving a trace, and at DoT it looks like nothing happened!

Use of "hacker"

[Matt+Perry]

Reuters calls the criminals 'hackers,' further besmirching the once-revered title.

Get over it. Seriously. This romanticism for some obscure meaning of a word being understood by the general public is really getting tiresome. Words can have multiple meanings depending on the context and hacker is no different. We just have to live with it. There's no way to change the meaning of the word in the public consciousness without some type of huge marketing campaign. Saying you are a Perl hacker is going to be interpreted the way you want by the audience you are targeting with that phrase. If someone thinks you are breaking the security of Perl then they probably don't know what Perl is and aren't the audience for your use of that word. Likewise, when I talk about forking and killing children I'm not talking about murdering babies (contrary to what the marketing woman thought, whose office was near my cube, when she reported me and my co-worker to HR 10 years ago).

Re:Use of "hacker"

[Delusion_]

This is something that Eric S. Raymond pushes with The Jargon File. He's the only source of this deliberate dodge, and the Jargon File doesn't suffer much because of this agenda, generally being an excellent resource.

There's this notion of 're-claiming' the word for geeks instead of the 'bad guys' that's ahistorical and revisionist at best. The word 'hacker' has long been used by people who are interested in doing interesting things with technology. It has also long been used by people who want to cause harm or find gain by their technological skills.

The English language is context-sensitive. The prescriptionist approach to language is about telling people how to use language 'correctly'. The descriptionist approach to language is about telling people how language is used in the real world. There is a role for both approaches, as they serve different uses, but prescriptive approaches can cause difficulty when the people involved aren't comfortable with where a new language trend is going. People who take it upon themselves to be knee-deep in issues of etymology really do themselves a disservice by not embracing a more descriptionist approach.

It's a strange bit of work when the Jargon File, usually fairly descriptionist, starts pushing a prescriptionist agenda with regards to 'hacker' versus 'cracker'. Given that so-called 'crackers' almost universally use the work 'hacker' to describe themselves, and given that most outsiders use 'hacker' in both the postive and perjorative senses, English language use has embraced the contextual weight that the word 'hacker' requires. The holdouts pushing 'cracker' are insisting that people who do label themselves 'hackers' and have a different point of view on IT ethics be called 'crackers'. To restate - it's a pejorative word created to describe others, not oneself, and there are a lot of unpleasant words that share this quality. It's akin to some of the semantic debates usually reserved for religious topics.

'Hacker', 'cracker', 'white-hat', 'black-hat' - it's all an oversimplification that really underestimates peoples' ability to use language contextually, the ability of the press to convey information, and the ability of the audience to understand that information without someone carrying the 'cracker' banner writing strident editorials to anyone who believes differently. That's probably the worst aspect of this: otherwise knowledgeable people taking it upon themselves to turn every use of 'hacker' into a language war instead of offering a more nuanced view of the situation.

I wish 'cracker' proponents would quit wasting peoples' time by 'correcting' people who seem to understand the necessary context of language.

Re:Use of "hacker"

[Bill,+Shooter+of+Bul]

true enough. We should just come up with a new word that means the old thing. Hack is a type of saw, and I can see some 'hacks' that could be accomplished by it. However, much cooler 'hacks' could be made with a chain saw. So I now consider myself to be a chainer. Then there would be no confusion when talking about unorthodox modifications to subprocess prior to termination, or colloquially, After the children have been forked, you have to chain them before you kill them. Duh.

Re:Use of "hacker"

[_Sprocket_]

There's this notion of 're-claiming' the word for geeks instead of the 'bad guys' that's ahistorical and revisionist at best. The word 'hacker' has long been used by people who are interested in doing interesting things with technology. It has also long been used by people who want to cause harm or find gain by their technological skills. While you've got a really good point, I'd also add that there's another distinction in between the two. Some of the "doing interesting things with technology" often involved bypassing access controls. Part of that is simple understanding of a system to the point of being able to defeat it. Part of it is being able to do something you're not supposed to be able to do - very much part of the hacker ethos and what better way to exercise it than counter something specifically designed to stop you from doing what you're doing? All this has a history of practical application all the way back to the MIT days where some members of the Tech Model Railroad Club applied their locksmith knowledge to various obstructions to computer access.

What amount of hacking is done with malicious intent is somewhat debatable. There is certainly a rich lore of various practical jokes. But an outright intent towards destruction seems to be somewhat rare at first. It picks up when it becomes apparent that there is money to be made hacking for illicit gain. There's some indications of organized criminal interest early on... but the true "cyber punk" starts to gain traction somewhere in the mid-to-late 80s.

Re:Use of "hacker"

[justinlee37]

contrary to what the marketing woman thought, whose office was near my cube, when she reported me and my co-worker to HR 10 years ago

What was the outcome of that?

Re:Use of "hacker"

Everything ended out very well for all parties. His children were taken away from him and put into social service, and he is in the process of being thrown into "rape me in the ass" prison for 25 - life.

Sincerely,
The Co-Worker

Re:Use of "hacker"

[obi]

You wrote the comment I was going to write. I echo the feeling this "reclaiming" is revisionist. The only time I heard the term "cracker" really being used was wrt "software cracking" to bypass its (copy) protection of some sort. And the people that did it happily referred to themselves as crackers, too.

Like you say, the ESR "cracker" is really an ex post facto invention - and basically a pejorative term. Well, RMS used "cracker" in 1983 too, iirc - but there too it was a conscious and artificial attempt at changing the vocabulary to distinguish the "good" (ie. themselves), from the "bad" (ie. people with different morals/ideals or different/less (?) skills). I guess my problem with the word is that it's mainly used by people who like to feel they're better than other people.

I feel "hacker" is a neutral term completely orthogonal to the malevolent or benevolent intentions of the hacker. This is also why I like the terms white/gray/black hat, because these conversely are only about ethics/intentions and not about skill.

hacker: who cares?

This battle was lost ages ago, yes I actually used to care about it, too. Why? I have no idea. It's clear from context what the word means. Context includes who you are talking to, what you're talking about, etc. There are many examples of words with this issue in English, especially with words that relate to computing and technology. Who cares if the average guy thinks hacker means someone who breaks into computers? To him, that's what it means, and he can talk to other people and they'll understand him. Hell, I'd understand him. Look people, it's a word, a sequence of lines, a certain sound that vocal chords produce, whatever. Why do you care so much about these things?

Re:hacker: who cares?

[SL+Baur]

This battle was lost ages ago, yes I actually used to care about it, too. Why? I have no idea. It's clear from context what the word means. Context includes who you are talking to, what you're talking about, etc. True the battle was lost a long time ago, but context is cultural too. I've given up trying to explain the difference to my wife who is not a native English speaker. I do consider it a big deal though and I will make sure my kids know the difference.

Why do you care so much about these things? Because it was our word first. There was an idiot no-name blogger who had an article posted here a few months ago who was trying to coopt the term "superuser" as a synonym for virus writing criminal who should be shot, IMO.

Proven theory

[HomelessInLaJolla]

And you didn't figure THAT out until today? LOL. You must be new here.

revere?

And yes, unfortunately Reuters calls the criminals 'hackers,' further besmirching the once-revered title."

The only people who ever "revered" it are the only one's who care that there's a difference anyway. What William Gibson dreamworld are you living in where average people used to spend their off-hours talking about how much they revere "hackers"?

"Sophisticated, Targeted Breakins"

[Pluvius]

I didn't think it could get more sophisticated than the classic Breakin 2.0: Electric Boogaloo. Bravo, hackers!

What's with the whining about the word "hacker," anyway? Talk about beating a dead horse.

Rob

Booz Allen = privatized US government services

[schwaang]

Good one.

But from reading TFA, you might think "*yawn*, some big companies got hacked, who cares."

I don't know about DoT, but a lot of government services are being run by Booz Allen and other contractors. I called up some Federal agency hotline a while back and got a greeting like "Welcome to the US Dept. of XYZ hotline, run by Booz Allen. Please call back [during a time of day that is impossibly inconvenient in your time zone]." Think of them like Halliburton, only in Washington D.C. instead of Iraq.

If any outsourced Federal agencies handling citizen's personal information got hit, this problem *could* be more relevant to the average joe than they would think from reading TFA.

But it will be hard to find out, because those agencies' spokespersons will only be able to say something stupid, like: "the agency couldn't find any indication of a security breach".

Re:Booz Allen = privatized US government services

[moosesocks]

Welcome to America.

By the time the general public catches on to how terribly and horribly bad this is, it'll be too late to do anything about it.

There's been talk of selling or leasing our interstate highways to overseas investors as a source of tax money. I believe it's already been done in Illinois, and there are talks of doing the same for the NJ Turnpike.

The incident a year or so ago about port security being run by an overseas corporation also didn't sit well with me at all. I'm all for international trade, but there are some things that absolutely positively must stay domestic.

"Once Revered Title"

[_bug_]

Isn't it a bit like "spam"? Someone comes along and calls junk mail spam and the next thing you know everyone uses the word to denote junk e-mail rather than the meat product. And Hormel tried (and still does in some ways) to get people off the term? How many of you really care about your (non)use of the word "spam"?

And so it is with "hacker". Public doesn't give a shit. You say hacker and they know "bad computer guy". Just like "spam" is "bad e-mail".

And like I'd say to Hormel, just give it up. The fight is long since lost.

So it goes.

Re:"Once Revered Title"

[plague3106]

Hormel is amused with the term spam for junk mail. I guess you've never looked at their site huh?

Re:"Once Revered Title"

[Attila+Dimedici]

"Hormel is amused with the term spam for junk mail. I guess you've never looked at their site huh?" That may be now, but a few years ago they sued a number of people for violating thier trademark by using the term for junk email. They lost but the gist of their argument was that people were implying that Spam was undesirable thus damaging the value of the brand that they had built up.

Re:"Once Revered Title"

[the_greywolf]

As much as I hate what's become of the title "hacker," I still love it when I'm walking down the street wearing my "hacker." t-shirt from ThinkGeek.

On sidewalks, I'm given a wide berth.

In stores, I'm carefully watched, but all the clerks are extremely friendly and very helpful. (I can usually get retail shopping done quicker and more efficiently.)

Even restaurants and fast food places seem more concerned about my personal satisfaction.

These people are scared of hackers.

Re:"Once Revered Title"

[secolactico]

As much as I hate what's become of the title "hacker," I still love it when I'm walking down the street wearing my "hacker." t-shirt from ThinkGeek.
On sidewalks, I'm given a wide berth.

Are you sure it's not just B.O.?

Re:"Once Revered Title"

[Farmer+Tim]

These people are scared of hackers.

Whereas if you wore a T-shirt with "Cracker" written on it, all you'd get is derisive laughs from people of a certain ethnic extraction.

Re:"Once Revered Title"

Isn't it a bit like "spam"? Someone comes along and calls junk mail spam and the next thing you know everyone uses the word to denote junk e-mail rather than the meat product. And Hormel tried (and still does in some ways) to get people off the term? How many of you really care about your (non)use of the word "spam"?

No kidding. But you have to admit, Hormel gets there due from Spam...just think of all the targeted ads on gmail in the spam folder. Anytime I clear my spam folder it makes me hungry seeing another spam recipe in the sponsored link. But seriously, just goes to show you a 'secure' system isn't ever secure. Too bad they didn't kill the help desk, these tickets are getting out of control.

Re:"Once Revered Title"

[Fulcrum+of+Evil]

Nah, the official cracker uniform is a stained wifebeater and a meshback hat with a big 3 on it.

Re:"Once Revered Title"

[the_greywolf]

Are you sure it's not just B.O.?

Positive.

wow

[nomadic]

I know the pro windows crowd will jump up and down but I hope they will hear me out.

Uh....the huge pro windows crowd on slashdot?

Re:wow

[rbanffy]

Don't forget /. is getting increasingly digg-ish.

Expect a huge amount of Windows vict^H^H^H^Husers here.

Re:wow

[cecille]

Gah, not to get into a huge flame war here, but I seriously don't understand why there's this association of liking/using windows and being some kind of computer moron.

Let me put it right out in the open here - I like and use Windows. In fact, I'd wager that a large number of /. people do, and either downplay it or deny it. Now I'm not saying that unix type OS's don't have their place - I use solaris and linux at work for coding and my servers generally run openBSD. BUT I want my personal box to be as easy and hassle free as possible so I run windows and only windows. I don't consider myself to be a windows victim and it's not a choice I made just because that's what came with the box. Say what you want about bloatware, but it's nice to buy a piece of hardware and have it just work. It's nice to install a program without having to recompile the kernel. It's nice to have a box I can actually buy decent games for. And no...I haven't reinstalled every two weeks since I bought it and yes, it is still working and not overflowing with disease and spyware.

Look, I'm not trying to defend every aspect of the OS - clearly there are some issues. But as I get older and more impatient, I'm starting to see windows as the more attractive option simply because there are some things that they got very, very right. Namely the fact that they put so much emphasis on usability.

Anyway, my long winded point is that not all windows users are stupid or just stumbled upon windows by accident. I know it's fun to bash things senselessly, but let's grab a little perspective here. Windows is not the devil, it's just not perfect. Nothing is.

Re:wow

[poptones]

I seriously don't understand why there's this association of liking/using windows and being some kind of computer moron...

Ummm... maybe because so many posts like yours prove it so?

Yeah, its nice to install a piece of hardware and have it "just work" - that's one reason windows fails so often. If you've never had to deal with a modem, sound card, video card or network card that wouldn't install properly then you haven't been mucking with computers very long at all. The fact "everything" comes with windows drivers doesn't mean it will actually install properly, only that hardware makers know they have to appear to provide support for windows. The driver problem isn't because "windows is easier" or even more complete, it's just because vendors are lazy and secretive and largely don't want their own customers to be able to use the hardware they've purchased in any way except exactly how the vendor sees it.

And the number of user space programs that require you to "recompile the kernel" to complete an install are so few and far between as to be pretty much insignificant. Are you confusing the act of upgrading an existing installation with the initial act of installing software?

You use Solaris for coding... what? Java server applets?

Re:wow

[jlarocco]

Anyway, my long winded point is that not all windows users are stupid or just stumbled upon windows by accident. I know it's fun to bash things senselessly, but let's grab a little perspective here. Windows is not the devil, it's just not perfect. Nothing is.

The "problem" is that the vast majority of Windows users are stupid and they are using Windows simply because it came with their box.

Of the hundreds of millions of Windows users, maybe 0.5% are actually computer savvy and chose to use Windows. Of the few million people using Linux, Mac, or something else, it's closer to 99.5%.

So, to answer your question of why Windows users are portrayed as less computer literate, it's because on average, they are less computer literate.

Say what you want about bloatware, but it's nice to buy a piece of hardware and have it just work. It's nice to install a program without having to recompile the kernel. It's nice to have a box I can actually buy decent games for.

This is the other reason people tend to disregard the comments of Windows users: most of them haven't even tried the alternatives, and it shows.

Before you spout off, "But how often do Linux people use Windows?", remember that a lot of them get paid to use Windows every day.

Re:wow

[rbanffy]

"Gah, not to get into a huge flame war here, but I seriously don't understand why there's this association of liking/using windows and being some kind of computer moron."

Well... Let's examine what your computer non-moron-ness index is.

"Let me put it right out in the open here - I like and use Windows."

Started bad.

"In fact, I'd wager that a large number of /. people do, and either downplay it or deny it. Now I'm not saying that unix type OS's don't have their place - I use solaris and linux at work for coding and my servers generally run openBSD."

Using Solaris for coding... Unless you have some very exotic toolset, it makes little sense. Most tools also run or run better under some flavor of Linux or BSD. I did some development under Solaris/SPARC and liked the performance compared to my x86 box of the time. Currently I do most of my development under Eclipse, NetBeans or Eric (and I am trying to get around Emacs/Slime), all of them run on just about every modern OS and are more than happy on my Core Duo notebook. Linux also makes it far easier to keep the whole environment up to date than Solaris or BSD (or even IRIX, which had an outstanding software manager). There are also some very sweet tools for OSX, but they tend to be more useful if you develop for OSX, so, they are as useful for me as Visual Studio (which is also very good, if you happen to do Windows).

I won't dispute your use of BSD for servers. It's a matter of taste. It works very well, but won't give you any non-moron points.

"BUT I want my personal box to be as easy and hassle free as possible so I run windows and only windows."

That's exactly why I don't run Windows. I have hosed countless Windows boxes during my Visual Studio years. And it's not trivial to back up all your user configuration between disasters. It used to take me one full day to recover a Windows box to a workable state (unless I have a system image to restore) and it takes me less than two hours to do the same from a Ubuntu CD. Yes. Even if I don't have an install-list file ready.

"I don't consider myself to be a windows victim and it's not a choice I made just because that's what came with the box."

There is no shame in being a victim. I keep a Windows box for "going to the bank" and a couple Windows images under VMWare for when I have to check something under IE 7. And no, I would never install IE under Wine - it's just wrong.

"Say what you want about bloatware, but it's nice to buy a piece of hardware and have it just work."

My printer requires a driver disk. So does my camera. And my modem (never reinstalled it after the first Windows setup was ruined). And my video card. They all need driver CDs under XPSP2. Vista is nicer in that regard, but it is at least an order of magnitude more bloated, so, it may not need driver CDs, but needs another hard drive, a couple more megahertz and a couple more gigabytes of RAM.

On the other hand, everything but wireless in my notebook worked from the start with Ubuntu. It took a kernel package update to make the wireless (broadcom) work. It takes minutes to have a Linux box with a very capable install and very pleasing eye-candy.

"It's nice to install a program without having to recompile the kernel."

You just lost all your non-moron points. Nobody has to recompile a kernel just to run a userland program. And nobody ever should. The most I ever had is to tweak some limits to make Oracle happy or install a different stock kernel package to make some weird - really weird and non-cooperative manufacturer - hardware work. If you have to recompile the kernel, then the program is broken.

"It's nice to have a box I can actually buy decent games for."

I have one of those too. It's called a Playstation and it's hooked to the biggest screen in the house, next to a very comfortable sofa. My son loves it and I can even do some writing while watching him play.

"And no...I haven't reinstalled every two weeks since I

Re:wow

[cecille]

Are you confusing the act of upgrading an existing installation with the initial act of installing software?

No I'm not, thanks. I've had programs before that did require a kernel recompile to work. Drivers too. Most notably the software and drivers that came with some video cameras that we were using on a project. After downloading and installing the tonnes of different packages required to get the software to work in the first place, and finally installing the thing (complete with a recompile), it barely even worked. Mediocre quality at best. Time wasted on this? Hours. Time to get it running on a windows box? 10 minutes. Better quality too. Now, this is likely because the software supplied and supported by camera company was for windows, and the linux software was not supplied by the company itself. But that's sort of my point - windows is easy and hassle free because people support it and write software for it and test the software and drivers with their products. Is this ideal? no. But that's the way it is. Could I have likely gotten the cameras working with reasonable quality on a linux box? Likely. Was it worth the time and hassle? Absolutely not. Especially considering the cameras were to be interfaced with control software for another piece of hardware working on...you guessed it...windows.

You use Solaris for coding... what? Java server applets?

I write firmware for DVD chips. But thanks for proving my point that people automatically treat Windows users like morons.

Re:wow

[cecille]

Just a few points. I use Solaris for coding because that is the infrastructure set up for work. They do use specialized tools because it's firmware coding. It's nice that you have a choice of tools and environments, but the majority of my coding is done for work, and there we have an IT department that gets to worry about stuff like keeping the boxes up to date.

I have had programs where I've had to recompile. And yes, I'm sure the program wasn't really good in the first place, but there's really not a lot I can do about that. I'm not talking basic user programs (I use windows for those types of things anyway =). The ones where I've had to perform the strange install and recompile dance are mostly programs and drivers for controlling strange hardware (ex video stuff). Yeah, probably bad coding, but you get what you get.

"not overflowing" was clearly a bad choice of words. I don't have any viruses on my windows box. It's just that the perception is that a windows box has to be this festering box of disease and that's not necessarily the case.

Security Answer

[Cytlid]

I have the solution to all of our security concerns.

  There are two types of people in the world:

  - those who care about computers
  - those who don't

Chances are the first group are experts (of varying degrees). The second group are most likely the "vulnerable" ones (in terms of social engineering).

My solution -- never let group #2 touch a computer again. Ever.

Re:Security Answer

[Chineseyes]

My solution -- never let group #2 touch a computer again. Ever.


Congratulations you just put group #1 out of work.

Gay still means happy...

[Etherwalk]

The word `Gay' still means happy. It just has another meaning, too.

Re:Gay still means happy...

[arashi+no+garou]

True, however I'd be willing to bet the average straight guy with a smile on his face would be confused for at least a few seconds if someone said to him "Wow, you sure look gay today!"

No Hope Allowed

[neoshroom]

At least in the olden (DOS) days, when McAfee came upon a pklite'd executable, it would unpack and scan the unpacked executable. I would hope that current antivirus programs would do the same.

Even if the virus scanner scans for pklite'd executables, you can always write your own unique executable compressor or modify an existing one until your executable is non-detectable.

Virus scanners are like front door locks. Any serious cat burglar is just going to grappling hook to the roof and cut a hole through strait into the attic bypassing the door lock entirely.

Re:No Hope Allowed

That would depend if they wanted to leave signs of entry.

Re:No Hope Allowed

[CastrTroy]

Virus scanners are like front door locks. Any serious cat burglar is just going to grappling hook to the roof and cut a hole through strait into the attic bypassing the door lock entirely.

That has to be the worst analogy I've ever heard. Cutting a hole in the roof is akin to having a virus that displays a giant message on the screen saying "I'm a virus, delete me". Do you think nobody is going to notice you throwing a grappling hook and climbing onto someone's roof? Or are the people in the house not going to hear you when you start to cut the hole?

So this is what phishing has become?

hahaahahahahahahahaha

hahahahahahahahaaa

I See

[neoshroom]

I believe the sophistication is question is the combination of the targets, the undetectible malware, and the delivery method. Not the malware itself.

So the sophistication was the delivery method -- email! Now my Grandma is a hacker too!

Already known. Just not implemented.

[khasim]

The solution is to establish a pattern of what account at what workstation accesses what information from what servers at what times.

Then any deviation from that pattern is flagged and investigated.

Why is Alice in Accounts Receivable searching the HR server?
Why is Alice logged into Bob's machine in HR?
Why is Alice logging in at 1am?

Re:Already known. Just not implemented.

[Kadin2048]

The problem is that this, like most other effective security schemes, is expensive.

Companies won't implement more security than is cost-effective. Their decision making process is going to be driven directly by the perceived odds of being broken-into, times the cost of a possible breakin. They're not going to spend more money than that.

I doubt there are really going to be any serious (multi-million or -billion dollar) consequences for any of the companies involved. Maybe a few people will get fired and some new procedures will get written into some document that nobody reads, but there's not going to be a major bloodletting. (These companies run the government, in the most literal sense.)

When you see a F500 company absolutely taken to the cleaners -- totally bankrupted -- due to an IT-security mishap, then you'll see real security implemented. But until then it's just going to be a lot of after-the-fact patching-up and good 'ol "security theater." And a lot of blaming the messenger. That's always cheap.

Re:Already known. Just not implemented.

[Meski]

Alice has no Life.

Re:Already known. Just not implemented.

[marafa]

why is alice in chains?

Re:Already known. Just not implemented.

[Knuckles]

Then any deviation from that pattern is flagged and investigated.

Sounds like this can only work in a company made up of drones. How do you implement this in a company that it is worth working for, that keeps an open information policy and treats the employees like sensible adults?

Why is Knuckles searching the HR server? Well, it interests me and they seem to have allowed me access.
Why is Knuckles logged into Bob's machine in HR? Bob's colleague called me up with a computer question and I walked over to help.
Why is Knuckles logging in at 1 am? I had a brilliant idea and couldn't sleep.

This isn't true

[TheReckoning]

I have watched both BitDefender and Kaspersky open those executable compression packages. I don't have BitDefender in front of me, but during scans it logs the quantity of "packed" files that it has unpacked. It seems reasonable to assume that most of the rest of the AV companies do the same.

It's arguable that the AV products are always able to open up every variation of these things, but it's incorrect to say that simply enclosing your malware inside one automatically makes it undetectable.

Re:This isn't true

[Fulcrum+of+Evil]

what happens if I send a 100k worth of gzipped zeros through your scanner? Will it open up the whole thing? Feel free to substitute an appropriate quantity of gzipped zeroes.

Re:This isn't true

[idontgno]

cat /dev/zero | gzip -c | mail -s "Unpack this, beeotch" fulcrum@evil.org

Re:This isn't true

[Fulcrum+of+Evil]

Joke's on you - that thing will never terminate.

Re:This isn't true

[idontgno]

The joke's on teh 133t h@x0r; I know it won't terminate.

But now you've blown the punchline...

puzzel

[Fuzzums]

hacker : criminal :: freedomfighter : __________

Re:puzzel

puzzel

hacker : criminal :: freedomfighter : English Teacher

Re:puzzel

yeah, i'd agree with that. english teachers = terrorists.

i'll take it a step further. teachers in general = terrorists. (although, they probably have the best intentions in mind.)

http://www.cantrip.org/gatto.html

Re:puzzel

[multipartmixed]

hippie!

Sorry - important correction -

[Delusion_]

> He's the only source of this deliberate dodge

was supposed to read:

> He's NOT the only source of this deliberate dodge

Clearly I'm having some language problems today, too.

complications

Oh sure, it sounds like a good idea... but I bet you'd get tired of people from group #2 asking you print out copies of facebook for them.

This is a lost cause, unfortunately.

I agree that one key aspect to Security is its implementation. Unfortunately, in the U.S. the normal education program either ignores or (at best) gives a rather limited education in the matter of Security. The reason for this is because our legal system actively (and strongly) discourages research into Security. In some cases, classes have been explicitly shut down by corporations (and they are purported to not only have audited such classes, but threatened not to employ any student which has an offending class on their transcript).

The end result is what we have today. Nearly all of C.S. graduates are at best underprepared to properly understand Security, let alone implement secure solutions. I daresay 90% (at least) of todays students are what I would call "button-pushers" in this area. They take canned things, put them together, and call them "secure" without really understanding what they are doing, or how it works. Or what the attack vectors are or how to improve things.

Conversely, the people who are really exploring security are the ones who do it on their own, and so-called "hacking" is one key aspect of their education.

The bottom-line is that we have a system which generates better blackhats than whitehats.

This is unlikely to change in the near future, if at all. Be prepared to see more of these exploits. Corporate IT will be woefully unsuited to deal with it unless, and until, people are better educated in this matter.

on par with digg?

[xzvf]

Quality on par with digg? I don't even know how to respond. Maybe you wanted to Quantity on par with digg. The moderation and answers here are far more insightful and not nearly as biased as the ones on digg.

Because It Is Insightful!

[neoshroom]

What is not insightful is pointing out that modern virus scanners can unpack some forms of executable compression. I promise, there are easily made custom forms of compression they are not familiar with unpacking, which is the whole point -- only takes one hole to sink the ship and only takes a person with a blunt instrument to make a hole.

Not that expensive. Just requires planning.

[khasim]

You're right, there won't be any serious consequences. There usually aren't.

But the only problem with my proposal is that it takes THOUGHT and PLANNING. It cannot be retrofitted to an existing network. (unless you're really lucky)

The networks have to be constructed so that each point can be monitored. Instead, most networks grow "organically". As connections are needed, they're added. Without any plan. Just get the connections in now.

The same with servers. The last place I worked had a server in the DMZ cabled directly to another server behind the firewall. They did that because it was "easier" for them to handle that way.

Monitoring and security aren't considered when building a network. And until they are, social engineering attacks such as this will continue to happen. And continue to succeed.

Re:Besmirched, eh?

[chriscappuccio]

check out steven levy's 1984 book 'hackers'

Favorite (and most telling) quote:

[idontgno]

"Internet security firms began to release patches to fight the malicious software on Monday night."

"Hey, dammit, don't close that barn door now, we're trying to put the horses away!"

"further besmirching the once-revered title"

[falconwolf]

Revisionist history a little?

There is no revision of history when someone points out hackers ARE NOT criminals nor that they intentionally damage systems. The first tyme "hacker" was used derogatorily was in the 1980s, before then Hacker meant "simply referred to a person who was capable of creating hacks, or elegant, unusual, and unexpected uses of technology."

The concept of hacking entered the computer culture at the Massachusetts Institute of Technology in the 1960s...
But there are standards for success as a hacker, just as grades form a standard for success as a tool. The true hacker can't just sit around all night; he must pursue some hobby with dedication and flair. It can be telephones, or railroads (model, real, or both), or science fiction fandom, or ham radio, or broadcast radio. It can be more than one of these. Or it can be computers.

Steven Levy has written a good book on what and who hackers are, Hackers: Heroes of the Computer Revolution

Falcon

think tank

[bigredradio]

slashdot != think-tank

slashdot == drunk-tank

meanings

[falconwolf]

Yes, but therein lies the problem I've always seen with the term that the tech community would prefer people use, i.e. that "cracker" already has a slang definition, and most people in the world will have reactions ranging from confusion to effrontery at the notion that their computer system was compromised by a bunch of rednecks.

I don't think there's much of a chance people confuse someone who's proficient with something like a computer and a white Southerner or redneck. Hack also has another meaning, a hack used to also mean a journalist, reporter, or writer.

Falcon

OS security

[falconwolf]

1. Windows is the most popular OS on the planet. Just for shear number of systems it is most hacked.

Yea, I went into a Mac store, not an Apple store, and asked about antivirus and firewall programs and the worker I talked to said Macs don't get infected and don't get broken into. I tried to tell him the only reason is because the people who do such things target OSes with big market shares and that when Macs get big enough a share they will be targetted. He just kept saying OSX is immune.

While I like Macs and believe they are more secure than Windows for the average user, unlike what this guy was saying, Macs will be cracked

Falcon

Re:OS security

[Don_dumb]

The biggest danger to Macs right now as I see it is complacency. When the Mac gets hacked (a headline virus or something), it will be a PR disaster for Apple and its vendors as they have spent so much time saying "it is immune" rather than "it is more secure". Not using an anti-virus program is one thing (it is a kind of reassurance that you haven't been done), but no firewall? I would have stopped talking to that worker straight away.

Re:OS security

[falconwolf]

The biggest danger to Macs right now as I see it is complacency.

That's exactly what I saw in this saleman, complacency, that or a lack of knowledge.

Not using an anti-virus program is one thing (it is a kind of reassurance that you haven't been done), but no firewall?

RSN I plan on ordering a Macbook Pro, and when I do I'll also order av and firewall software. Get it with disk utilities, backup, diagnostic, and disaster recovery software, then I think I'll be pretty good to go. Now I need to find one or more good books on Mac admin, hacking, and security. I want to get as proficient with Macs as I can. The same goes with Linux.

Falcon

Re:OS security

[Don_dumb]

RSN I plan on ordering a Macbook Pro, and when I do I'll also order av and firewall software. Get it with disk utilities, backup, diagnostic, and disaster recovery software, then I think I'll be pretty good to go. Now I need to find one or more good books on Mac admin, hacking, and security. I want to get as proficient with Macs as I can. The same goes with Linux.

You have outlined (almost exactly) my plans, I am also planning on a MacBook Pro (albeit not RSN) and everything pretty much as you have detailed. I guess it is no coincident that we both see complacency in Mac sales.

Re:OS security

[falconwolf]

You have outlined (almost exactly) my plans, I am also planning on a MacBook Pro (albeit not RSN)

I added "RSN" because I've been planning it for a long tyme. I don't work and am on disability. However my sister owes me a few thousand dollars, so I'm waiting for her to pay me.

Falcon

I know what does happen often though

some stupid pussy complaining about speeeling

They told you all you need to know. M$ Again.

[twitter]

FTFA:

Hackers only targeted a limited group of personal computers, which kept traffic down and allowed them to stay under the radar of security police who tend to identify threats when activity reaches a certain level.

In this case, we are safe assuming "personal computers" == Windoze. Big dumb companies put that crap on people's deskstop.

The lesson learned again is that corporate security is only as strong as it's weakest link. If you let Windoze retrieve your data you have no secrets.

OSes

[falconwolf]

I want my personal box to be as easy and hassle free as possible so I run windows and only windows.

Sounds like you want a Mac.

Say what you want about bloatware, but it's nice to buy a piece of hardware and have it just work.

I've bought 4 new PCs for myself running some version of Windows, two were from Gateway, one from HP, and the other one is from Microway. The one from Microway is the only one of the four that I did not have trouble with either the hardware or the OS, which is NT4.0. One of the Gateways and the HP had to have their motherboards replaced before they were a year old as well the hdd for each. The LCD on the other Gateway cracked a few mnonths after getting it. Also with both the first Gateway and the HP I had to reinstall Windows a few tymes.

I have also bought two USED Macs. The first one was an SE30 I bought in 1992, it lasted until the floppy drive died in 2000. That was the first hardware problem I had with it, and I didn't have any trouble with the OS. The second is a PowerMac 7300/200 I got a few months later, in 2000. It lasted until January 2006 when it didn't power up. Again that was the first hardware problem and it didn't have software problems either.

It's nice to install a program without having to recompile the kernel.

You don't need to recompile the OS on Macs either.

It's nice to have a box I can actually buy decent games for.

Now that's one thing lacking on Macs, there are a lot of games for Macs but not nearly as many as for Windows.

Falcon

hax0rz

[Eil]

And yes, unfortunately Reuters calls the criminals 'hackers,' further besmirching the once-revered title."

You mean after they've been doing this for 20 years, there's still somebody left who cares about it?

He's a fake!

[pxc]

Everyone knows Windows users aren't that sensible!

hippie!

[falconwolf]

Yeap! A relatively long haired one. I even like The WELL.

Falcon

Why do you care so much about these things?

[falconwolf]

Because it was our word first

If you mean first for technolgy and computers, yes, but "hack" had been used for a long tyme to mean someone else. In the 1920s, I believe, "hack" meant someone who was a journalist, reporter, or writer. I'm not sure but I think "hack" was used in the 1941 movie "Citizen Kane" , meaning reporter.

Falcon

Re:Why do you care so much about these things?

[SL+Baur]

Merriam Webster http://mw1.merriam-webster.com/dictionary says that variant of hack dates from the 1600s and comes from the British word `hackney', or taxi driver.

Language abuse is a serious matter. Example: `Rugby' in my wife's culture is the brand of glue of choice for those who would abuse such things, hence `doing rugby' means sniffing glue not playing a team sport with a ball.

Hackers; besmirched titles; sheesh

[bartwol]

Reuters calls the criminals 'hackers,' further besmirching the once-revered title.

I don't understand why Reuters didn't call them Muslims. It seems better to further besmirch an even more besmirched title.

<bart

Intel inside, idiot outside?

The problem with all form of security is that user will want it to very secure at first but after few times either locked out or something they will let down their guard and allow their system to be open for the sake of convenience or other reasons. Only near draconian measures or absolute control of all systems and network activities will stop this. Bad employees or even management will exist everywhere, look at the FBI with Robert Hansen, so trying stopping "evil" employee at lesser organization will be hard.
My worst offenders are the clueless users that, against your written rules and recommendations, uses simple passwords or open files in emails that infect their system and I get to see it as junk on my network.

HACKERS == Bad Guys

[sciop101]

Black Hats, even Script Kiddies, own Hacker now!

When the obfuscation occurred in the '80s, nobody fought or argued against it hard enough.

Then the movie! Blame it all on Angeline Jolie!

Bad guys victorious by default!

Dale Drew is the head of security at L-3

I know a bit about Dale Drew, if you google him you will see he is an ex law-enforcement snitch with very little real security or technical expertise. From my experience with Dale he is at best incompetent. I hope he loses his job for his shoddy security work (incidentally L-3 is also a spam sewer as well.)

3 headlines combined

[SaberTaylor]

from today:

1.) IT: Sophisticated, Targeted Breakins Uncovered
2.) Bionic Hand Makes it to Market
3.) First Robotic Drone Squadron Deployed

Poor skilled crhackers will pwn a bionic hand. Then the bionic hand will hack them into getting root on the UAV squadron. Then $300 will be demanded for returning control of the AGM-114 and Paveway II loaded UAVs.

I am zealot, hear me roar

n/t

Re:They told you all you need to know. M$ Again.

In this case, we are safe assuming...

And you know what they say when you assume...

WRONG, L3 Communication wasn't listed

Read the article more carefully next time.

Quick defense slippage quiz

I feel a quiz coming on.

Q. Is it *game over* when the bad guy can execute code on your computer?

A. Duh
B. No because I have a virus checker and its supposed to keep me safe from everything.

Q. Do virus scanners provide a false sense of security?

A. Duh
B. No, they provide a real service and keep my computer safe from getting viruses... How I let that virus on to my computer in the first place doesn't matter because I have a virus scanner.

Q. Once a computer has been rooted can anyone with a straight face make any reasonable determination of what has been accessed or stolen?

A. Ah....no!
B. Of course, anythings possible.

State Sponsored Hacking

[Alchemist253]

Given the targets and, more importantly, the specificity of the described attacks, I would almost bet money that - if ever caught - it will be found that the break-ins were funded by and/or committed by the foreign intelligence branch of another government.

Especially notable is that L-3 Communications (note: NOT Level3 Networks, an entirely unrelated company with an unfortunately similar name) was attacked. L-3 is a major, major contractor for highly classified work with the Department of Defense. Other organizations on the list are less prominent but nonetheless important players in U.S. defense electronics.

It has been long recognized that virtually all opposing foreign governments (except, interestingly, North Korea) have active electronic and communications espionage programs against both the U.S. government and leaders in scientific and engineering fields. This is in fact the main reason that the rather silly-named U.S. Cyber Command (http://www.af.mil/news/story.asp?storyID=12303050 5) was created.

Booz Allen HA HA!!!!

[bryan1945]

Fuckers laid me off when they completely flubbed a huge contract. It was a multi-team effort, with my team as the lead. But the big wig in charge led one of the other teams. He kept picking the other team's suggestions over my team. Well, the company lost the contract (some $900 mil).

And better yet, the branch office I worked at is going to be shut down because the fort they support is being shut down! (Partly due to the poor implementation of their plan)

cue Nelson, bitches!

Nah, I'm not bitter or anything. My whole team was trashed due to a few idiots; the winning company had basically 80% of our ideas. And now I've been doing manual jobs for years.

Fuck Booz Allen. Guess it's time to move out of the west coast. I hear that there is something called snow in the northeast.

Who in their sane mind does that?

[Opportunist]

When you're asked in a job interview to hand over your user/pass or trade secrets, would you do it?

I was actually asked in a job interview if I'd mind "taking some work from the old plant with me". I refused, called the interview over and went out. 2 days later I got the call that I was hired. Not despite refusing, but because. Actually I was one of the few that did, and the most qualified of those that did.

It's amazing how few people actually think ahead. When a prospective employer asks you to bring along some info, what they do is test your integrity. Because they know, if you don't mind bringing information to them, you certainly won't mind taking it with you again when you leave. And usually you move up the ladder, not down, when you're switching jobs, so the info you bring is by no means as valuable as the info you'll take when you leave.

Honestly, I was surprised that there were appearantly quite a few who didn't have any problem stealing IP from their former company...

Re:Who in their sane mind does that?

[Peeteriz]

I believe that you've misunderstood - the 'attack' is simply to provide known employees (for whom, presumably, the attacker can deduce the internal usernames) a web-form to register for something (in this case, it was a job opportunity); and then bet on the fact that the password they'll use for this other thing would be the same password that they use in day to day operations. And it worked. It doesn't need a great accuracy to be useful - 10% chance of a match is easily good enough.

Re:They told you all you need to know. M$ Again.

twitter, please read this carefully. Following this advice will make Slashdot a better place for everyone, including yourself.

• As a representative of the Linux community, participate in mailing list and newsgroup discussions in a professional manner. Refrain from name-calling and use of vulgar language. Consider yourself a member of a virtual corporation with Mr. Torvalds as your Chief Executive Officer. Your words will either enhance or degrade the image the reader has of the Linux community.
• Avoid hyperbole and unsubstantiated claims at all costs. It's unprofessional and will result in unproductive discussions.
• A thoughtful, well-reasoned response to a posting will not only provide insight for your readers, but will also increase their respect for your knowledge and abilities.
• Always remember that if you insult or are disrespectful to someone, their negative experience may be shared with many others. If you do offend someone, please try to make amends.
• Focus on what Linux has to offer. There is no need to bash the competition. Linux is a good, solid product that stands on its own.
• Respect the use of other operating systems. While Linux is a wonderful platform, it does not meet everyone's needs.
• Refer to another product by its proper name. There's nothing to be gained by attempting to ridicule a company or its products by using "creative spelling". If we expect respect for Linux, we must respect other products.
• Give credit where credit is due. Linux is just the kernel. Without the efforts of people involved with the GNU project , MIT, Berkeley and others too numerous to mention, the Linux kernel would not be very useful to most people.
• Don't insist that Linux is the only answer for a particular application. Just as the Linux community cherishes the freedom that Linux provides them, Linux only solutions would deprive others of their freedom.
• There will be cases where Linux is not the answer. Be the first to recognize this and offer another solution.

From http://www.ibiblio.org/pub/linux/docs/HOWTO/Advoca cy

definitions

[falconwolf]

Merriam Webster mw1.merriam-webster.com/dictionary says that variant of hack dates from the 1600s and comes from the British word `hackney', or taxi driver.

OneLook Dictionary Search, as a quick reference, lists 8 definitions of hack as a noun, 8 as a verb, and 1 as a surname. A surname? Depending on a person's disposition I imagine someone with a last name of "Hack" could have a lot of fun, or a lot of grief. Looking at all the results; there's catagories for Art, Computing, Medicine, and seven other catagories; I'm kind of surprized there's so many. I haven't clicked on all the links but I'm thinking they probably share the same basic meanings.

Falcon

Social engineering

Social engineering, not "social hacking", you gormless fool. Sheesh.