Is This the Golden Age of Hacking?
Barence writes "With a seemingly continuous wave of attacks hitting the public and commercial sectors, there has never been a more prodigious period for hackers, argues PC Pro. What has led to the sudden hacking boom? Ease of access to tools has also led to an explosion in the numbers of people actively looking for companies with weakened defenses, according to security experts. Meanwhile, the recession has left thousands of highly skilled IT staff out of work and desperate for money, while simultaneously crimping companies' IT security budgets. The pressure to get systems up and running as quickly as possible also means that networks aren't locked down as tightly as they should be, which can leave back doors open for hackers."
This is the Silver Age at best.
Meanwhile, the recession has left thousands of highly skilled IT staff out of work and desperate for money, while simultaneously crimping companies' IT security budgets... ?
Umm no, it's the Lulz age of hacking.
ATH0 Bitcoin: 1DnwFLXczVZV8kLJbMYoheUrpqHesjxrSi
I guess they have forgotten about the 80s?
Palm trees and 8
Most of these hackers are from foreign countries, and many of them are on government payrolls. Recession impact? Nah.
Haven't RTFA'd yet, but I would suspect that hacks aren't any more common now - just more visible and more reported. It's like when the news media has a "summer of the shark" - after a few notable incidents, the media realizes that these stories bring in viewers, and then any further incidents, no matter how insignificant, are publicized when they otherwise wouldn't be. Just look at the recent Bethesda hack - that kind of thing goes on all the time, and I was surprised anyone bothered paying attention to it. Sure, some of them were big - the first Sony attack was significant, and the US Senate hack is noteworthy - but a lot of these recent hacks have been relatively minor.
There's also the possibility that all this attention is actually causing more hacks - after the initial Sony hack, hackers realized that Sony was a big, vulnerable target. By extension, they realized that big companies actually aren't bulletproof - in fact, many of them have terrible security. I'm sure such knowledge was widespread in the black-hat world, but now the secret is public knowledge.
You probably meant Cracking not Hacking. See http://www.catb.org/jargon/html/C/cracker.html
not especially because of the number of engineers with time on their hands, but because of the number of people who watch their wealth being given to the wealthy by those they voted for, and decide they have had enough and why not burn it all down..
Korma: Good
The problem most websites have is one of users choosing insecure login details, either through ignorance, laziness or disinterest. Although this is not a huge problem if it's front-end users, the same problem exists with admins, and those with elevated privileges. The most secure fortress is little protection if the passcode to open the front door is "1234".
I don't think this problem can be fixed by "forcing" users to choose long passwords, or to have a different password on every site they use. As we've seen, they simply won't do it, and why should they? It's different if you have a technical, or security-related background, and understand the risks - the average Joe isn't interested in spending the effort to maintain and organise a secure list of passwords in an offline location.
I think the only way this can be fixed is by using SecureID style authentication - either with stand-alone units, mobile apps, or units built into laptops or keyboards (separate from the other components). Obviously it would need to be physically separated from the machine being used to login (or at least sandboxed, in the case of a mobile app). We just need a good cross-platform authentication API that's easy for developers to implement, and cheap hardware/free software for the client.
Code, Hardware, stuff like that.
What has led to the sudden hacking boom? Ease of access to tools has also led to an explosion in the numbers of people actively looking for companies with weakened defenses, according to security experts. Meanwhile, the recession has left thousands of highly skilled IT staff out of work and desperate for money, while simultaneously crimping companies' IT security budgets. The pressure to get systems up and running as quickly as possible also means that networks aren't locked down as tightly as they should be, which can leave back doors open for hackers.
But by that logic, we could have seen similar things when the dotcom bubble burst, right?
My view of this comes from a completely different place. I see an exceptionally large amount of users' rights being debated and discussed and we're seeing communities popping up devoted to this. Frankly, it seems like the users are just getting shit on. And, like any struggle for rights, there are negative things that happen. There are always going to be people that take it to an extreme level and there are going to be innocent bystanders turned into victims. While I still see this as a bad thing, some of these actions remind me of a sort of John Brown at Harpers Ferry incident. Similarly, there's the mindless looting during rights demonstrations and protest crowds at the G8 summit but it's not the overall message that's doing that. The opportunists come out of the woodwork.
Similarly the public and citizens of the internet are demanding more rights. While this fight is going on with Facebook, Sony, world governments, etc, the communities are going to pop up that take it to an extreme offensive. They will do bad things and I'm not going to be one condoning it but I see it as part of the growing pains of companies respecting peoples' rights.
It's a sort of vigilante justice that I don't agree with nor condone but I can somewhat sympathize when I feel like I've been unjustly wronged by some of the targets and have had no sense of justice in the matter. People who feel strongly about this and have that negative spark in them would have a motive to become a part of these new communities. And in my opinion that's a more plausible explanation as to why you're seeing an explosion -- not the recession or turnover in network employees.
My work here is dung.
"Is This the Golden Age of Hacking?"
This what?
This century?
This decade?
How long is an 'Age'
Centralising security creates a single weak point, as recently demonstrated when someone stole the keys from SecureID. If Facebook can recognise us from our friends' pictures now, perhaps all our systems should be doing the same through webcams. It's too creepy to contemplate but not too far fetched technically.
Korma: Good
Of course, I didn't RTFA or even the RTFS, but I did RTFT, and based on that I'd argue that as time has moved on, we're moving further and further from whatever was the Golden Age of hacking.
Was it the 1990s that elevated Open Source to the mainstream's radar--whether or not it was able to achieve mainstream acceptance as an option. The creation of GNU/Linux, and eventually spawning what would become the Mozilla project.
Was it the 1970s-1980s with the Homebrew Computer Club and a culture that spawned several modern day behemoths (Apple, Microsoft)?
Was it the 1940s where we split the atom, and rooms full of people were biological calculators working on solving nature's mysteries? Enigma and the intelligence/counter-intelligence measures in place around them.
Does it predate our modern idea of technology? The analytical engine? The mechanical turk was a social hack. Complex but memorable and human-only usable ciphers have been popular for centuries.
Given our modern view point, and view that more-recent history is always most important, I'd say the late 70s to mid 80s was the golden age. Never was so much technology readily available and hacking actually encouraged by the companies in place.
But is this? Where even the "open source" Android platform is usually provided via devices that require bypassing firmware crypto, and you can't even view without breaking the law, privately, on your personal computer, the contents of a medium you purchased in a reputable retail store?
Well, given the amount of effort spent hacking around CSS, encrypted firmware, and a mess of other attempts to keep people out of their toys, I guess you could make a case for it.
The issue is that ANYONE can crack these days. People with non-existent computer skills can easily acquire tools with point-and-click interfaces for hacking. Combine this with epic-level apathy on the part of the targets and it is a little like the destruction of the buffalo population during the wild west. Only if the cowboys were 12 years old, rode tanks, and had auto-target.
A golden age can only exist by looking back on what was. Anyone declaring anything to be a golden age is therefore automatically wrong.
The way to fix the problem of bad passwords is to do away with passwords entirely, and start using cryptographic authentication methods. It may require us to issue a special dongle to users, but at the end of the day people should be able to use their public key to log in to online systems. Naturally, there would be some issues -- users would need to have a way to revoke keys, increase their key sizes to compensate for new algorithms and faster computers, etc., but it would still be an improvement over what we have been doing for the past few decades.
Palm trees and 8
What do you expect to happen when you hire Systems Administrators for 6 month contracts to build your systems, and then let the contract expire after the servers are built? Servers don't usually patch themselves, nor do they remain compliant with your security standards once you give developers and DBAs root access.
Most ignorance is vincible ignorance. We don't know because we don't want to know. --Aldous Huxley
If you look at some of the 'hacks' like getting into CityBank, there isn't any real 'l33t uber haxor' going on here. Those sites were remarkably insecure. No stateful inspection of ID/Password, unsalted passwords/ids, declaring what should be very private information in the clear for all the world to see, multiple access points to private data, likely an unencrypted (non-ssl) connection, it's also very likely that packet sequencing was non-random, so a border gateway protocol man in the middle attack using packet injection would work, as well as (much easier) ribbon tables to break poor passwords (brute force, but not that much force). The list goes on. Golden age? Not really. This is like when the kid taking his first introduction to scripting course came up with the ILUVYOU virus. If a newbie script kiddie can make off with the keys to the kingdom, then clearly the castle walls shouldn't be made of single ply wet tissue paper.
I think it is more bugs in software than the network infrastructure! Everyone is so quick to blame the infrastructure engineers when I have seen more poorly written applications with memory leaks and ones that run with root privileges than poor network designs.
It takes a special kind of person, who, when presented with lots of free time and the tools to do amazing things, says: "I think I'm going to horribly violate the entire online world today."
Perhaps I should be thankful that I'm turning my talents to more productive ends. But I doubt I'll be hired before these assclowns find work.
If you want to blame someone, we could blame Obama, whose administration has practically continued the war on hackers and then wondered "why are we so short on competent programmers?" or we could blame wall street and its "rape the economy and then blame those that tried to stop us" philosophy, or we could blame industries that engaged in military action against america, deliberately using their racketeering scheme to attack children and college students, knowingly and willfully attacking our country's supply of future skilled labor - something they did for over a decade prior to "the crash", or there's china and india who are or at least were doing so well in spite of our country's failures, or there's our own prior administration who spent countless times more money than we had or would ever have to wage war against iraq, an enemy of the terrorists that bombed us on 9/11, or there's the new fascists of america who are using the words "liberal" and "homosexual" instead of "undesirable" and "jew", or there's global climate change, or those that deny it, or sick and twisted people in power in every position they could be in...
Fuck it. When the world runs out of victims and points in my direction I'll be happily enjoying life on Mars, in my secret volcano lair at Olympus Mons, with my consciousness-infused computer "phylactery" keeping me immortal, enjoying the ability to do in the real world what we do online now.
If you can read this, I forgot to post anonymously.
Is it that there are more incidents of hacking, or just higher publicized ones?
You know how our media works. Summer of shark attacks, and all that.
Most of what lulzsec has done, for instance, is really penny ante script kiddy bullshit that's been overhyped. Wow, you saw the httpd.conf -- but didn't and couldn't edit it. Just like any other untrusted user with access to the box.
Javascript, Java, ActiveX in our browsers, trojans on phones!? Did I mention my neighbours have WEP wifi networks? Why are routers still being made that don't warn people when they turn WEP on that it is largely insecure... There is a systematic culture of choosing convenience over security in software design.
Golden age implies that great (or, at least, impressive) things are accomplished. Nothing much impressive about (to paraphrase) shooting fish, in a barrel, twice in the head, with an elephant gun.
More online services each year = more targets each year. Inadequate investment in security = easier targets. I'm sure crackers are getting more sophisticated, but probably no more than in any other field. It's definitely easier to find victims.
One could imagine an age of some kind which grows from all this, but not quite there yet.
People rely more on the Web, putting more stuff up into clouds from different providers. Thus, the target interest shifted. Why hack one PC if you can hack one ps3 network and access millions of users' data?
The recent hacks show how the cloud computing world does not solve any problem, it creates them.
There are a lot of reasons for this to be an age of intrusions galore:
1: Corporate philosophy. I mention this often, but it is very true -- security is a cost center, so in a lot of firms, it gets hind teat in the budget.
2: Ease of getting away with intrusions. Got a botnet? Just create some PPTP/L2TP connections and you can manually try breaking into machines and one can either not be traced, or have the blame shifted to another party. Especially if the intrusions come from a country that is disliked.
3: Lack of international cooperation. All it takes is one proxy to be in a country that doesn't like another, and there is no way an intrusion can be traced, much less prosecuted.
4: Lack of meaningful security tools. A lot of the tools used in businesses are all sizzle, and not much steak. Take AV programs. They are great at catching last week's stuff. However, most attacks are polymorphic 0-days that just zing past AV program detections.
5: Ease of infecting via ad rotation services. Ad rotation services can sling malware without ever getting caught because people will blame the website, not the servers slapping the ads on it. The same ad servers that can target by demographic can target a company and just that company for malware.
6: Using the Internet for all traffic. In the past, there were backbones that were not accessible to anyone that transactions ran across. Now the same wire that gets pr0n to Joe Sixpack also carries bank data and transactions.
7: Failure to use basic security protocols in password storage. Hell, crypt(3) is better than most ways passwords are stored. The best thing is to look at known secure utilities like TrueCrypt and follow their example.
8: SQL injections and parametrized queries. Simple stuff, but because a lot of dev projects just want a code base regardless of bugs, this stuff gets ignored until the breaches start.
9: No real network security. A firewall doesn't cut it anymore. Instead, companies have to use VLANs and keep departments separated. This way, a compromise in receiving doesn't mean finance or HR is pwned too.
10: Legacy protocols. FTP (other than anonymous FTP), telnet (except for use for debugging), and other insecure protocols need to either be limited via packet filtering mechanisms and router ports, or eliminated altogether. Instead, if two machines need to share data, have them use a LUN presented to them and a filesystem that allows for this.
11: Lack of internal policies and procedures. Security isn't just clicking "secure mode" on an appliance and walking off. There needs to be a process if someone calls in from an internal line demanding info, or someone physically is picking a lock.
12: Separation of duties and data. This is expensive relatively, so it tends not to be done, and the same server with the source code build may have the HR payroll data. This makes for a field day for an attacker.
13: Chain of custody of data. Either the machine it sits on is properly secured, or the data is stored encrypted with proper key management. For example, some enterprise level backup programs have data encrypted at the client end, and only that end has the key. This way, if the enterprise backup server gets compromised, the data can be destroyed, not accessed or modified.
14: Morale. Morale is so easily forgotten, especially with companies that do the low bidding among the last 3-5 candidates. High morale means people are proactive on security. Low morale means people will ignore breaches assuming they won't be thrown under the bus.
15: Cloud computing. There is no benefit for a cloud provider to give anything but token gestures for security financially, so one is begging to be compromised unless there is solid encryption with good key management done before the data leaves the client. Even then, blackhats can have free and unfettered access to the encrypted data and can detect patterns over time. SLAs are meaningless; a cloud provider can change hands or go bankrupt and all the privately stored data can be made into a torrent or sold to anyone with cash.
Because most businesses pay lip service at best to security, it is no wonder why blackhats are having a field day.
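Points 7 and 8 of the list above, shown side by side as an added example (not part of the original comment): a lookup built by string concatenation next to its parameterized form, and password storage with a per-user salt and an iterated hash (PBKDF2 from the Python standard library). The table layout, user names, passwords and the crafted input are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000          # assumed work factor; tune to your hardware

# Constructed input of the kind a concatenated query cannot handle safely.
CRAFTED_NAME = "x' OR '1'='1"


def hash_password(password: str, salt: bytes = None):
    """Return (salt, digest). A fresh random salt per user defeats precomputed tables."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def make_db() -> sqlite3.Connection:
    """In-memory database with two constructed accounts; no plaintext is stored."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pwhash BLOB)")
    for name, password in (("alice", "correct horse"), ("bob", "hunter2")):
        salt, digest = hash_password(password)
        db.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, digest))
    return db


def lookup_concatenated(db, name: str):
    """The 'before': user input becomes part of the SQL text itself."""
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(query)]


def lookup_parameterized(db, name: str):
    """The 'after': input is bound as a value and never parsed as SQL."""
    cursor = db.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in cursor]


def check_login(db, name: str, password: str) -> bool:
    row = db.execute(
        "SELECT salt, pwhash FROM users WHERE name = ?", (name,)
    ).fetchone()
    if row is None:
        # Do the same amount of hashing for unknown users so response time
        # does not reveal which account names exist.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    db = make_db()
    print("concatenated :", lookup_concatenated(db, CRAFTED_NAME))   # every row
    print("parameterized:", lookup_parameterized(db, CRAFTED_NAME))  # no rows
    print("good login   :", check_login(db, "alice", "correct horse"))
    print("bad login    :", check_login(db, "alice", "wrong"))
```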
The golden age of hacking was the late 1970s and 1980s. Things they pulled off back then were far more impressive and interesting to watch.
I did agree, more people are hacking now than ever before, Magazines like Make and Makerfaire as well as the rise of the Hackerspace has significantly made inroads on bringing hacking back to the masses...
But the article is written by an illiterate journalist that seems to not realize that the term "Hacker" has been retaken and what he is talking about is simply a cyber-criminal or cracker.
Do not look at laser with remaining good eye.
Are they talking about hacking or cracking?
For hacking, this could be a silver age. The days of HomeBrew and phone phreaks were the golden age.
For cracking, as others have noted, it's the lulz age.
I'm no longer writing code myself, but I'm constantly amazed at how utterly horrible the code being written by my successors appears and works. Where is the craftsmanship and pride in writing clean, fast code today?
Indeed since hackers now refer exclusively to the people doing bad stuff on the Internet. Well maybe not exclusively on the Internet, but you get the idea.
(\__/) This is Lapinator
(='.'=) copy it in your sig
(")_(") so it can take over the world
I was going to say something about cost. As the hacking becomes more widespread, companies will notice it is a problem and start to DO something about it. Systems are more vulnerable now because the money has not been spent to secure them - because it hasn't been too much of a problem. We'll probably go through a phase of increased security breaches until people take it seriously and fix it. Now would be a good time for some data driven analysis comparing various OSes and their configurations from a security point of view. That's difficult, but we need to start looking at what works, doesn't work, and why.
Now, I do not condone Lulz Security or Anonymous, but the fact of the matter is they're not just 'script-kiddies'. Every tech-savvy webpage I've gone the ones that are user-submitted have belittled the efforts of both hacking groups as if they could do the same things so easily. I'm not sure why there is such a pretentious atmosphere of 'pro' coders here... but to be real honest with everyone, they have spent a lot of time researching web security vulnerabilities, and the biggest joke of all is that a good portion of readers on slashdot are probably sysadmins who think their system is protected by a golden firewall, which they probably bought from some other software vendor.. Blah, blah, it's just sql injections... lol, yeah... that's the greatest joke of all, they guessed your table names and you allowed escape characters... And these people certainly realize they don't even have to lie or fabricate their stories considering they get in with the simplest, MOST known vulnerabilities.. I think some of lulz's actions deserve merit, the fact that they haven't been caught yet is a sure sign that they're somewhat competent at what they do.... much better in-fact than the security companies that supposedly get paid top-dollar to ensure data protection.. In essence, the biggest joke is not the simple attacks of the hacking groups, it's honestly the over-abundance of hypocrisy and finger pointing that essentially does nothing next to actually coming up with valid security solutions.. The best example of all this is simply Mitnick, he didn't even have to hack.. he just called someone up for a password.. you know why, because the smartest hacker doesn't waste 9 years trying to guess/crack a hash, especially when people are so much easier to manipulate than software.
The "Golden Age of XXXX" can only be determined when it has been left.
Can we make another movie with Angelina and just throw in Brad Pitt so we can get the 2x the eye candy in a techy movie? Keep Megan Fox out she's way too dumb for a hacker-esque movie...
The availability of tools that can automagically find these vulnerabilities and exploit them is what I blame.
I have no such sympathy. Those tools which find holes are not just as easy for security staff to obtain, but those tools were made FOR the security staff. If someone works in IT Security and doesn't know how to run Metasploit on their own infrastructure, then they are utterly useless to the point of being the real point of blame. And if companies can't hire those individuals, they are as to blame as banks that don't take security measures to protect tellers from armed bank robbers.
The same trend to "open environment" that has removed the bullet proof glass from bank tellers is the same BS "open environment" pushed by company websites. Yeah, they opened it, alright. They flew so fast to become "social" that they exposed their knickers!
I8-D
Actually most would consider the "golden age of hacking" to be the mid-to-late 80's.
None of the large, corporate scale intrusions that have been in the news of late were born out of curiosity, or executed using self-derived skillsets or self-created tools.
On the other hand, it's probably a good time to be in security, as the expected overreaction from the corporates is sure to be the gravy train the various HBGary-esque security firms have been waiting for.
Then only outlaws will have hacking tools
QED
If you don't know where you are going, you will wind up somewhere else.
Porn stars.
Could it also be the right generation - there is now a generation of "politically motivated" people out there who will have grown up with a computer+internet environment from an early age....can this reasonably be said of any other generation? Is this the reason so many hackers have been "created"? Other generations used other tools, ours will use the internet.
So, like, the 1300s were the golden age of bacteria?
Nowadays it's easier than 10 years ago to explain why you don't want an openly writable share on a network drive. Nowadays it's easier to explain to people why they should choose their passwords well.
While I think anonymous-es script kiddies are stupid a-holes who should go to therapy, I have to say all these things have made the job of the security admin much easier, since you will get more attention than 10 years ago when "but my network is still working" was a usual response to a "hey, I think this is insecure".
So systems will get more secure, and at some point people may even learn about cryptographic certificates.
"Hack The Planet!"
This is totally random and about a month late, but just out of curiosity, does anyone on here have a ffffound invitation or know how one goes about obtaining one? They seem very elusive
Spielen
This is the golden age of hacking-for-publicity. I have seen a few people comment that the 80's were the golden age of hacking. I wasn't old enough then to agree or disagree, but I do think that hacking was just as big in the early to mid 90's, when I first came on the scene, as it is now. The only difference is that hackers get a lot more publicity now, and that has caused some to seek publicity.
Earlier today Obama talked about a lack of engineers in the US. The same goes for IT professionals. The problem is that those professions are often underappreciated and underpaid, so smart ambitious people go into business and law not tech.
I work for a Fortune 500 company whose IT department just sent down a command to uninstall Firefox 4 and replace it with 3.6. So they went out of their way to decrease the security of someone's workstation. Hacking is so prevalent because the best and brightest go into CS, and the dumbest drop out and go for IT. Those people make departments less secure, not more secure. The IT managers are usually just as bad or worse. And in my experience, the bigger the company the worse the IT department.
While anyone can put the spotlight on any code or binary, the problem is the difference in language used by lawyers and solicitors who are holding office vs that of the reverser in the field of creativity, one falsely freaks out and makes everything an expensive terror emergency; problem, solution, reaction, the other is calm or willing to test different results, and takes the attitude that your lack of preparation doesn't declare any emergency on my behalf. Both make new words and language up, but neither is on the same page. One holds 23 pages of the definition of the word "AS" and the other holds 23 pages of op codes
people stuck in the middle are going through life with no goals at all.
While someone reading this might have goals still, put yourself in the other shoe to see how unhealthy this is in the big timeline, could you go through life with no goals because these were crushed by some new law?
The uncertainty, and the lack of fixed reference is no mistake when the source only contains ever changing lies and fear scenarios. It also creates apathy at the expense of creativity. Why invest in the stock market, if I can't have my HFT flash crash computer cheating right next to their insider trading one? After all it's a rigged game, I'm only thinking big, how much did you say you can print a day again?
through language creating law everything is controlled by those making the new law.
there should be a ban on lawyers and retired lawyers from holding office or appointed for government. Or else a ban on their ability to make law, or use their inflammatory language. I don't know, but I do know I can hear an unhealthy spring has come loose in the box making these sick boing sounds, and smells like burned plastic and the guys doing the op codes can't concentrate with all the annoying noises and stench, with the guys doing the twenty three pages of the word "AS" hash out some new emergency directive limiting how much fresh air the op code guys might have left.
you know what the answer won't be Tunisia styled twitter-ing and facebook-ing across fios-spyOS splitters
you know what the answer is
Learn the language, that's the hack we need now. This way we can maybe disassemble the crap in an orderly way, as opposed to being forced to smash it later with the "oops we fucked up" hammer. when getting smashed by such a hammer would suck equally at a time we ought be re-thinking everything. It's like the snake that eats its tail now, a careful proper surgery can repair it since it hasn't been too long the head has bitten the tail, but much more and it's done, no matter how it's sliced. We need the language of that surgery in the hands of the people, or at least allowing people to do the surgery. Not the language of the surgery with twenty three pages of "AS" inserted. Think about it, you need a collector, emitter and base, coils, caps and resistors, not a mandated AS encrypted AS de-bounce circuit front end with a mandated AS destructive "off" kill switch. I mean who the fuck is soldering this shit together?
people must refuse to bite their own tails, and point out that tail biting is unproductive and killing jobs
I remember what it was like before the movie, "War Games" came out. *THAT* was the golden age.
>/
The reasons are plenty, but none of this is good for end consumers or citizens. This pesky open ground called "the Internet" is becoming quite a nuisance for IP owners/enforcers [RIAA/MPAA], governments [WikiLeaks], ISPs [taking note of cellular telecom providers], etc. Everyone wants their unfair share of the pie and keep the mass population in fear.
With Osama down, the US government needs a new public fear to play on. I won't be remotely surprised when all of this starts to be commonly coined as "cyber-terrorism" [blargh!].
That would have been when all services were exposed to the Internet, plaintext protocols were the norm, exploits were of the single-packet variety, etc.
I know it seems that governments are powerless against hackers, especially with many operating in countries that are not currently serious about stopping them, but this will eventually change. Eventually, all governments are going to impose harsh and swift penalties for any and all hacking activities. I'll use an old west analogy to explain...
Back in the old west, if you stole a horse, pretty much whoever caught you could hang you on the spot, or at least any semi-legitimate 'deputy' could do it. Why was horse stealing dealt with so harshly? We don't hang current car thieves.
It was because of two things. Stealing a horse was pretty damned easy in most cases, yet the old west economy depended on horses. As such, the importance of protecting the business structure allowed the punishment to grow out of whack to the crime.
Hacking is the same now... It's painfully easy to do, but the economy is becoming more and more dependent on electronic commerce, and more and more damage can be done. Eventually, this will drive any and all hacking to be targeted as a serious crime, not just hacking that really damages a company or government. Eventually, you will end up going to jail for 10 years for changing your friend's Facebook page without his permission, so there will no longer be an avenue for casual hackers to practice their skills, and fewer folks will graduate to serious hacking.
I'm not saying hacking will be eliminated, but that there won't be any casual hackers, just like there aren't any casual murderers, only hard core cyber criminals who need to start in and stay in obscurity. As such, this is the golden age of hacking.
Not really. In a capitalistic environment only the ones that have enough money to have proper security will flourish. So it's good with these security breaches because it will cull the cruft. I wouldn't be surprised if lulzsec already has complete ownage of everything relevant on the net. And with that I hope they'll ramp up the disclosure so the rest of us know how bad it really is. My estimate so far is that it is worse than we can imagine.
Way back in the 90s, when people could deface a website and get slapped on the wrist. Hack a dozen corporations and not be investigated.
Now you do any hacking at all, and you get investigated and locked up by the FBI. It's definitely not the golden age. It's the age where hacking is as stupid as selling drugs used to be in the 80s.
* Subsistence ("There are some lovely berries here")
* Gift ("This deer is too big to eat before it spoils, so let's share it, and others will share next time")
* Exchange ("You give me some meat, and I will give you fruit").
* Planned ("You over there will hunt the meat and you over there will gather the fruit and we will divide it up")
* Theft ("Give me your fruit and meat because I'm stronger or cleverer than you")
The balance shifts with technological and cultural changes.
Theft is, sadly, a form of self-employment, or even subsistence in a sense, for desperate people, even if it is illegal (although privatizing profits and socializing costs by big companies often is not, as what is theft and what is legal is relative to cultural norms).
Other options would be improved subsistence through 3D printing and solar panels and local gardening, a bigger gift economy like more of Freecycle and food banks, a basic income to soften the exchange economy, or better planning like to have quality local free-to-the-user public housing and cafeterias and workshops. Each state chooses what balance it is going to have based on culture and ideology and existing power centers.
More on this here:
http://peswiki.com/index.php/OS:Economic_Transformation
(But the "theft" part was insightfully suggested to be added by someone else on slashdot after I wrote that.)
See also:
"The Mythology of Wealth"
http://www.conceptualguerilla.com/?q=node/402
A 21st century issue: the irony of technologies of abundance in the hands of those still thinking in terms of scarcity.
Anyone can acquire tools. If that were all it took to pull off a successful hack then yes everybody would be doing it but it depends on the nature of the hack.
Hacking a website, DDOSing, anyone can do. Actually infiltrating the entire network, not anyone can do this. This requires a team of somewhat skilled hackers.
And not any programmer can be a hacker either. There are millions of programmers and anyone can learn to be a programmer, but you cannot learn to be a hacker, you need a talent for it.
Old school hacking required intimate knowledge of hardware, and because of limited resources OS implementations were done very carefully... and therefore harder to subvert.
Now: hardware is so powerful that the "good compromise" on software development management is to "save" on programmers' time using easy, unsafe, theoretically weak technologies. A couple of economic bubbles made some of these unsound engineering "options" full-range solution fads.
The hegemony of unsafe technologies results in an ecosystem requiring best practices for expected availability, but still perpetually in danger of the latest unknown exploit.
Old news: The same old race for the bottom quality accepted by the market, in search of maxing the profits for the top decision makers, bites the proverbial...
There is just a hacking news boom. Hacks were done before but not as many people cared. The reason they care now is because of the potential for easy and beneficial hacks such as anything from homebrew enablers and jailbreakers to social hacks like wikileaks. "Hack" has become a buzzword because common people are able to easily benefit from hacks, and that was not the case before. News jumps on the bandwagon for ad impressions, but you can say that about any trend.
that cheap hardware permits sub-optimal solutions to survive, and the present mentality of "learn something new today, flush it down the sink in the evening" leads to a mentality of newer is better without ever having the time to really understand what is happening. Eventually we will hit limits in processes and materials and computers will stop changing so much. Hopefully we'll be able to build permanent solutions to existing problems and work out all the bugs, or as close as is humanly possible.
1) Never before has there been so many things one could hack and in so many different ways. There is more online presence today than ever, thus more opportunity.
2) Many of those online do not take security seriously; just look at large recent examples. This culture will change eventually, however for now it's the wild west.
Take those two, add the fact that there are more people online with more computer knowledge than ever before (perhaps not as a ratio of the whole, but in sheer numbers yes), and all one has to do is pick off the low hanging fruit. Targeted hacking might be tough still if they actually have any security, however Citibank and Sony have shown that even large institutions show a blatant disregard for basic security. Even with great security, it can always be circumvented by insiders either intentionally for gain, or unintentionally through stupidity (bad practices or human engineering).
The golden age started around 1977. In 1977 the TRS-80, the Apple ][ and Commodore PET were all released. In 1978 the Hayes modem began being produced on a mass scale (followed soon by Novation's CAT). By 1980 there were BBSs like 8BBS which were open to the nascent hacker culture (it was raided by the FBI in 1982), and this culture could be seen on Modem Over Manhattan in 1981 and after. There were other hacker BBSs like OSUNY around in 1982. There were also overlooked hacker discussions on Micronet/Compuserve and The Source. Then in 1983, WarGames was released around the time news of the 414 busts were hitting major newspapers. You also had computers like the VIC-20 that could attach to a TV selling for less than $100, with a modem for less than $100, allowing many people to afford to buy these things. So you have an influx of kids onto BBSs, in a young culture which was full of discussions of WarGames and the 414's, with some older, semi-radical technicians who knew about mainframe systems thrown in the mix. You began to have magazines like 2600 in 1984, Phrack in 1985. TAP meetings in the early 1980s gave way to 2600 meetings. Summercon began in 1987.
What happened is what happens with many movements. It began to get more organized, into sophisticated groups (LoD, MoD, L0CK, Phonemasters, The Posse - not to mention European groups like 8lgm and the people around the CCC, Hack-tic etc.) who eventually gained effective remote control of core Internet pillars (Internic, major gateways like MAE-West, corporate computers of Cisco etc.), as well as x.25 (Tymnet, Sprintnet), Baby Bell computers (COSMOS to SWITCH/FOMS, SARTS, TIRKS etc.).
The consensus seems to be this ended in 1995, not with a bang but a whimper. The rise of the Internet killed it off. There are a few reasons for this. One is some hackers or hacker groupies started making a lot of money working for start-ups (a lot meaning hundreds of millions, to less than that). Another is the old BBS culture was killed off and replaced by the Internet. It used to be there were thousands of BBSs in kids' homes, and then other dialups, the mainframes, that the kids would go raid. It was Manichaeism - the hacker network of BBSs where hackers would talk and go raid mainframe (or x.25) dialups, and on the other side the corporate mainframes, totally closed off, with all of the data and so forth. The Internet blended this all together - our network of our own private BBSs disappeared, and suddenly corporations opened up their computers to a large extent via web pages. Changes in production affected relations of production.
Hacking did not completely stop in 1995, but you have nothing like what existed then now - a network of technologically sophisticated groups who shared information and techniques, who had the capability to get into virtually any system. It's possible things could get to that point again, but I haven't seen sign of it. And it is hard to have the network of people necessary to do something like that and keep it completely secret.
You're going to LIKE, & probably appreciate (if not empathize with) this:
"1: Corporate philosophy. I mention this often, but it is very true -- security is a cost center, so in a lot of firms, it gets hind teat in the budget." - by mlts (1038732) * on Wednesday June 15, @10:51AM (#36450552)
Agreed, & for pointing out problems in security once, in a company I was hired to do SFTP coding for data transfers + Stored Proc & bind variables usage alongside removing business logic from app front ends to DB's (all good security measures)?
Well, it GOT ME FIRED ONCE even... I couldn't BELIEVE IT!
Why?
Well - First, I pointed out that my systems mgr. had setup Trend Micro AntiVirus wrong! (I.E.-> It wasn't updating to all of the client nodes/workstations, & was 6++ months out of date... I didn't put the blame on him either, I just pointed it out! Turns out he WAS the one who set it up wrong though!)
How'd I discover this?
Well - I found that out when my system & others turned up infections multiplying over their network!
So, on the off chance?
I asked my mgt. if they were "shadowing me" via some app, they said no... so, I showed them the rogue .exe running in memory on my machine & others!
Mind you, & this happened AT A FAIRLY MAJOR INSURER, that has data on folks healthcare!
(E.G.-> Clients are WWF for example)
That company, which I was doing secure FTP data transfer development for, stored procs, bind vars, & business logic movement to DB out of the app itself (& moving apps from VB6 to VB.NET &/or ASP.NET back in 2006)?
You can secure apps & db's all to hell, but if you're NOT COVERING WORKSTATIONS vs. malware - you're screwed anyhow: It's like locking all your doors & leaving the windows WIDE OPEN!
Heh, kicks my ASS to this day: I pointed out a problem, & guess what? They fired me for it!
HOWEVER - Those same managers got fired later though: As they got caught using AVG freeware edition ILLEGALLY in place of Trend's erroneous setup!
(The company got fined large from what I understand too, & they made up for it by canning those 2 stooges (one was a "paper MCSE" & the other? NO COMPUTER SKILLS AT ALL beyond maybe that of a typical end-user (& yet, he was "mgt." - give me a break: How many of YOU have seen that BEFORE too??)))
Mgt. today (not all, but many) are MORE INTERESTED IN "BURNING BUDGET" so they can get the same next yr. or MORE, or, getting bonuses instead of doing their job - especially in security (especially nowadays).
---
"2: Ease of getting away with intrusions. Got a botnet? Just create some PPTP/L2TP connections and you can manually try breaking into machines and one can either not be traced, or have the blame shifted to another party. Especially if the intrusions come from a country that is disliked." - by mlts (1038732) * on Wednesday June 15, @10:51AM (#36450552)
Or, by using anonymous proxies... small addendum, but you overlooked it.
---
"3: Lack of international cooperation. All it takes is one proxy to be in a country that doesn't like another, and there is no way an intrusion can be traced, much less prosecuted.." - by mlts (1038732) * on Wednesday June 15, @10:51AM (#36450552)
Gov't.'ally & law enforcement wise? Yes, agreed... HOWEVER:
"GEEKS" all over put out data you can use to secure yourself!
Classic case of "the community takes care of itself/its own" but... you have to find, and USE, said data, yourself to your security advantage...
I.E.-> It's NOT really fully automated for you!
(E.G.-> I get data from all over the world, every 15 minutes, that populates a protective HOSTS file & firewall rules table here via Python scripts my nephew & I built in fact, that way! Pure "hands of
I used the same "train-of-thought" (literally) in my responses this week on LulzSec/Anonymous here http://yro.slashdot.org/comments.pl?sid=2231322&cid=36416026 by my LITERALLY calling today's internet "The Wild West" there... lol!
* Great minds DO think alike!
APK
P.S.=> It pretty much IS, and it's gotten "wilder" since around 2002-2004 period - I know it literally by numbers doing the talking for me, in fact!
How?
Well, here, in my populating a custom protective HOSTS file for "layered security" here!
E.G.-> From 1997 when I started it, to around oh, 2007 or so? I had MAYBE 400k-500k entries in a 10 yr. span!
However, from 2008 to present?
I am up to 1,444,000 entries of bad sites/servers/hosts-domains blocked in it (blackhole 0.0.0.0 blocked vs. loopback 127.0.0.1 slower & more ops type)!
That as of 15 minutes ago!
So - that tell anyone anything (think differential equations, & growth over a timeframe)? Does me!
I.E.-> I tripled the # of entries of KNOWN bad sites/servers/domains-hosts in it, in far less time than I spent the first decade on it, in the last 3 yrs. now... apk
The FBI is documented to have infiltrated the Black Panthers and pushed them towards more aggressive militancy in order to bring about their downfall. Is it possible the same thing is happening with hacker groups at the moment? The gubment, at least on the law enforcement side, would love a way to push through additional controls and restrictions on the Wild, Wild Web. What better way to win support for that than to show what is possible by active/aggressive Bad People?
After that it's all script kiddies and feds. Don't kid yourselves: real hackers are in the background doing little and keeping low profiles.
This is the age of rage against corporations. IT has just begun.
You'd like it... it points out a TRUE tale of a guy (Stoll himself) working in academic environs & finding that a backup logging system students wrote the year before wasn't "jiving" w/ std. NIX logging... he started checking into it, & voila:
He found that that academic institution's systems were being penetrated by German Hackers in the employ of the KGB (how he caught them was hilarious & inventive - a keyboard believe it or not, iirc!).
In fact, iirc (been years since I read it, around 2001 iirc)? It was the "Chaos Computer Club"... precursors really to today's "Anonymous" &/or "LulzSec"!
(Except they were TOTALLY in it "for the money" - I don't feel LulzSec + Anonymous are though (in fact, I think THEIR goals are a LOT more noble, if you could call it that (especially LulzSec, because of this http://uk.ibtimes.com/articles/160624/20110610/lulzsec-lulz-security-nhs-health-service-cyber-attack-weak-hack-hackers-hacked-sony-nintendo-network.htm where they actually DID DO "Good"... instead of abusing it for themselves... I have to give them that! )))
Great read too... even if "geekish" (normal folks could appreciate it too, reads like a mystery-detective novel - geeky/nerdy computer types would for sure, as they understand the material).
It was a "best seller" also iirc, even if based on "geek" materials as well... good stuff! Look into it IF you haven't read it...
APK
P.S.=> Weirdest part, even if it was YEARS-to-DECADES ago? He pointed it out to local law enforcement. They said "contact the feebs" (FBI)... or was it another agency like interpol?? Not sure anymore but... everyone kept "passing the buck", that is, UNTIL the man found that MILITARY INSTALLATIONS WERE BEING HIT (Ft. Stewart in Richmond Hill Ga. (reason I recall that is my brother was stationed there no less, he's a Major in the military now))... great read, you'd love it!
I think it should be "required reading" for ANY person in academia in a course-track for computer security in fact!
... apk
Scumbags then, scumbags now,
I think the more important question here is: are they (the companies) being attacked more or are they being more honest about being breached?
The average system plugged in today is way more secure than the average system from 5 years ago which was way more secure than the average system from 10 years ago which was way more secure than the one from ... yada yada yada.
Two simple reasons.
1 - Disclosure laws. Yes they're important but because of mandatory disclosures way more of these things make the news than they would have back in the 80s or 90s. So not only do we hear about it more often, but many groups/individuals are more motivated to go after the low hanging fruit because they can get bigger headlines out of it.
2 - There's gold in them there hills. Credit cards, SINs, online bank accounts, whatever. It's all the same thing: Money. And there's a heck of a lot more of it floating around on this Internets thing than there ever was back in the day.
Here's a list of things that I wish the major consumer OS's especially the desktop ones would do, and they'd be fairly easy to implement:
-push hardware vendors to use full disk encryption by default with a hardware managed key
-password manager built into the OS that logs in when the user logs in and "integrates" with the OS/browser well, and automates most of the bullshit picking new passwords and so on, so users actually use it and use it properly that is no longer use weak passwords, reuse passwords etc
-two factor authentication to log in
-update automatically in the background system that requires no user interaction to run updates, doesn't noticeably slow down the system, and doesn't require the software to be installed from the OS's "app store" to work, and doesn't require user interaction to add new programs to the list
-No list is complete without: not run admin by default (but this one has been repeated a thousand times)
Things I wish they'd do that would take a little more work:
-push software vendors to use ASLR (and to really take advantage of that, push them to make 64-bit versions of their programs)
-push software vendors to use DEP, with these two I am specifically talking about, the major web browsers, browser plugins like flash and financial software like quicken
Overall, I guess it's still a young industry and these things take time. I think that security will hugely improve once the hardware underneath stops evolving, at least quite so quickly. OTOH that won't happen for the foreseeable future so stuff like this could go a long way towards helping.
Also while I'm asking for diamond studded saddles for my herd of ponies, get the government to abolish the SSN system. Stupid friggin system. And they have the gall to investigate other entities for poor security practices, gimme a break.
Failure formatting five FAQs of financial facts.
Is this the golden age of shitty question headlines?
Utilizing the synergization of benchmark e-solutions to pre-workaround action items!
Making it illegal to develop a software product is a bad idea. Software security experts use some of the VERY same tools to test network security as those who 'test' it with the intention of breaking things or stealing data. The only exception is that the real, most dangerous crackers make their own tools (or mod existing ones), while the script kiddies are the ones who get prosecuted.
It's completely unenforceable. The only thing a law like this will do is make it more difficult for legit IT security experts to do their job.
No, it's the year web based business was forced to grow up.
The CORRECT spelling & phrase is not what you wrote:
http://slashdot.org/comments.pl?sid=2234578&cid=36429134
"Gotos have there place" - by JonySuede (1908576) on Monday June 13, @05:10PM (#36429134)
It's THEIR, indicating possessive, not THERE, you blatantly obvious illiterate dolt!
(LOL, If that's how you write English? I'd HATE to see your code you write (that is, IF you even do)).
APK
P.S.=> Payback's a BITCH, yea? See here, and I am waiting on your trolling behind to show up there:
http://tech.slashdot.org/comments.pl?sid=2248218&cid=36479278
Just so I can publicly make you look more stupid than you already have clearly evidenced yourself to be!
... apk