Slashdot Mirror


The Lesson of Recent Hacktivism

itwbennett writes "LulzSec says they're retired, which may or may not be true. But one thing the world has learned from their 'frightening yet funny' escapades is that 'the state of online security stinks,' writes blogger Tom Henderson. LulzSec (and Anonymous) have 'demonstrated that an awful lot of people are either asleep at the switch or believed in arcane security methods like security through obscurity.'" A related story at the Guardian suggests that governmental attempts to control the internet are spurring these activities.

159 comments

  1. Re:Twitter: by Anonymous Coward · · Score: 3, Funny

    It's a site that allows celebrities and famous people to make twats of themselves by not speaking through agents, PR, or lawyers.

  2. Yikes. Coffee. Smell. Up. Getting. by Anonymous Coward · · Score: 5, Insightful

    They believed that money spent on security products == we are secure. They were not asleep. They did not believe in security through obscurity. They trusted the industry. They gave it money in return for products that were supposed to protect them. They lived in ignorant bliss. Unfortunately, the security industry (and the rhetoric it proclaims) is all about the end goal of the industry making money. Companies are lured into a false sense of security based on what they are being told, and what they spend money on, and it seems totally reasonable from their perspective. Unfortunately, the public (and the victim companies) are not aware of one tenth of one percent of what is actually going on. Any company that has anything of significant financial value is either compromised or is a target with a big bull's-eye on its gold stash. Guaranteed.

    1. Re:Yikes. Coffee. Smell. Up. Getting. by Anonymous Coward · · Score: 1, Interesting

      The problem is the opposite. Actual security is ridiculously expensive and there is not a willingness to put up with that level of expense, especially not since any security you have, no matter how well done, can still be breached by someone who is sufficiently determined. So when few are willing to pay for actual security, and put up with the inconvenience required by actual security, you get products that try to patch things up a little bit for a much reduced cost. The much reduced cost may still be significant, but it is nowhere near the cost of actual security.

    2. Re:Yikes. Coffee. Smell. Up. Getting. by rtfa-troll · · Score: 4, Interesting

      They believed that money spent on security products == we are secure. They were not asleep.

      Except that, according to the reports, Sony had servers for development which were fully protected with firewalls etc. and which were not hacked / hackable (by LulzSec) and other servers for customer data where they hadn't made any investment. So they hadn't spent that money. You may be right they weren't asleep. Someone made a conscious choice that customer data is not important, but it's not that they had made any of the investment they should have done.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    3. Re:Yikes. Coffee. Smell. Up. Getting. by phantomfive · · Score: 4, Insightful

      It's been my experience that most companies aren't even spending money on security. If they are even thinking about security, they are ahead of most. Many companies are leaving wide open, simple holes, like failing to escape their SQL, or parse out javascript. That is the lowest-hanging fruit. Really, it wouldn't surprise me if you could use Metasploit and nothing else to break into 20% of the major websites in the world.

      If you're a web developer, let it be a lesson to you: download some basic hacking tools and try them out on your own website. You'll definitely learn something.

      --
      "First they came for the slanderers and i said nothing."
    4. Re:Yikes. Coffee. Smell. Up. Getting. by jhoegl · · Score: 3, Interesting

      Or it could be that the person in charge of Development was smart enough to invest in it because they knew better and the person in charge of Customer Data was not.
      We could come up with many scenarios, the only ones that know what happened internally are not going to speak out about it willingly.
      One thing is for sure, what I have seen in the small business world is a mirror to big business. It IS ignorance at some level in the corporate model.
      Ironically, this same model helps bring down corporations and small businesses alike. All it takes is one bad stone at the right point in the pyramid to make it all come crumbling down.

    5. Re:Yikes. Coffee. Smell. Up. Getting. by CodeBuster · · Score: 5, Insightful

      They were not asleep. They did not believe in security through obscurity. They trusted the industry.

      It has often been said, by Bruce Schneier and others, that security is not a product that can be purchased, installed after the fact and forgotten, but rather an attitude and culture that must be cultivated and maintained. Knowledge and tools are important, but without the right attitudes and culture they will be of limited use. Remember that nobody cares more about your security than you do. If you don't care then nobody else will either, despite what they may tell you.

    6. Re:Yikes. Coffee. Smell. Up. Getting. by CodeBuster · · Score: 1

      Many companies are leaving wide open, simple holes, like failing to escape their SQL, or parse out javascript

      This is less the result of a conscious decision on their part to trade off security and more often the consequence of hiring out any IT or development work to the cheapest possible bidder. Companies, like people, must sometimes learn the hard way that one gets what one pays for. For what it's worth, I've noticed that offshore outsourcing shops are especially negligent when it comes to SQL injection, script entered into forms, careless query string handling and many other common attacks. It's too bad that LulzSec disbanded, they were bringing attention to problems that have long been ignored by corporate America.

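The two "simple holes" named in the comments above (SQL built by pasting user input into the query, and form or query-string input echoed back into a page unescaped) shown next to their fixes. This is an added example, not code from the thread or from any of the companies discussed; the user table and the inputs are constructed sample data and the example runs offline against an in-memory SQLite database.

```python
"""Added example: SQL injection and reflected XSS, vulnerable form beside the fix.
The table contents and the attacker inputs below are constructed for illustration."""
import html
import sqlite3
from urllib.parse import parse_qs


def make_db():
    """Constructed sample table: a tiny user store with one privileged account."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password_hash TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "h1", 0), ("bob", "h2", 0), ("root", "h3", 1)],
    )
    return conn


def lookup_user_vulnerable(conn, username):
    """Vulnerable: the caller's string is pasted into the SQL text, so a quote in
    it ends the literal and the rest is parsed as SQL syntax, not as data."""
    sql = "SELECT username, is_admin FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, username):
    """Fixed: a bound parameter. The driver ships the value separately from the
    statement, so nothing in it can ever become syntax."""
    sql = "SELECT username, is_admin FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def greeting_vulnerable(query_string):
    """Vulnerable reflected XSS: the 'name' query parameter is echoed verbatim
    into HTML, so a <script> tag in it runs in the victim's browser."""
    params = parse_qs(query_string)
    name = params.get("name", [""])[0]
    return "<p>Hello, " + name + "</p>"


def greeting_safe(query_string):
    """Fixed: HTML-encode untrusted text before it lands in markup. quote=True
    also encodes quotes, so the same helper is safe inside attribute values."""
    params = parse_qs(query_string)
    name = params.get("name", [""])[0]
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"  # classic tautology: WHERE username = 'x' OR '1'='1'
    print(lookup_user_vulnerable(conn, payload))  # every row, including root
    print(lookup_user_safe(conn, payload))        # [] : nobody is literally named that

    xss = "name=<script>alert(1)</script>"
    print(greeting_vulnerable(xss))  # script tag survives intact
    print(greeting_safe(xss))        # &lt;script&gt;... : rendered as text
```

The point the thread makes is that neither fix costs anything: bound parameters and an output encoder are already in the standard library of every mainstream web stack. Running the vulnerable functions against your own site's inputs, as suggested above, is the cheapest audit there is.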
    7. Re:Yikes. Coffee. Smell. Up. Getting. by c0lo · · Score: 3, Insightful

      Actual security is ridiculously expensive and there is not a willingness to put up with that level of expense

      The cost of risk prevention: if the cost of risk mitigation is lower (no matter if people are burnt), there you have it.
      Far easier for them to externalize the cost and lobby for DMCA and anti-hacking laws; it's the populace that pays for the jail time.

      --
      Questions raise, answers kill. Raise questions to stay alive.
    8. Re:Yikes. Coffee. Smell. Up. Getting. by hairyfeet · · Score: 5, Insightful

      This reminds me of an old story I was told by a teacher: A friend of his goes in to do some hired gun work for this company and gets told by the PHB he is NOT allowed under ANY circumstances to touch the NT 3.whatever server box. It has run great for years and he doesn't care if it is out of date; it works, so just clean the fans and go on. Now since he had worked with NT 3.whatever before, he didn't see how this machine had been doing its job all these years without a single fail. So he logs into it and what does he find? It is actually some version of Fedora. Apparently the guy before him got tired of the BS and just changed it out without telling the PHB.

      And it is THIS, this right here, that is often the problem. It isn't that the IT guys don't want to do a good job, it is that some PHB is cockblocking them at every turn. I myself ran into this doing some hired gun work for a law firm. I told them I didn't have time to support the place but I recommended a couple of different guys who could do the job well. They had experience, their prices were reasonable, so what happened?

      Somebody decided they cost too much and "he knew a guy" that was "a whiz at computers" and could do it for half the price. I get called back a year later when they catch this clown running a gaming server and downloading porn on company time and...wow. First of all he had taken ALL the nice neat Dell office boxes, which were standard MOR office machines, and chunked them because they were "too slow" and instead custom built a bunch of gamer rigs from kits, so of course nothing matched. Then, since he didn't know shit about corporate networking, he bought a bunch of D-Link home routers, you know, the shitty blue ones? Oh and that is not all: he had more than half a dozen ISPs, as his idea of "adding capacity" was just to add another ISP.

      So needless to say fixing that clusterfuck wasn't cheap, neither for me nor all the hardware I had to buy to replace his gamer shit. So did the guy that caused this mess get punished? Nope, he had already been promoted a couple of times for all the money he saved them on "IT costs" and was no longer in charge of anything IT and therefore didn't get the blame...ARGH!

      So if you want to know why networks are a mess, it often ain't the IT guy (except for gamer retard), it is the stupid ass, dumb shit, WTF are they thinking, Dilbert bullshit that goes on every single damned day in this country. The PHBs get rewarded for saving money even if that money was saved by sacking anyone who knew what the fuck was going on. They cause one clusterfuck after another, but ultimately they don't care because they either fail up or use their "success story" to move to another company.

      This is why I had to get out of corporate and open my little shop, as the stress of absolute insane stupidity was giving me chest pains. It was like a friend who ended up being threatened with losing his job and got dragged before the regional head. The PHB above him wanted him fired because, and I quote, "You have NO RIGHT to tell me who I can and can't talk to! I demand you give me my emails from Melissa right now!" He got lucky that the regional head actually watched the news, so he went "He isn't talking about the virus, is he?" and when he found out that yes, senior bigfool wanted Glenn to let Melissa loose on the network, the PHB got a dressing down and Glenn got an apology and a free steak dinner.

      But it is that kind of rampant herp derp that is the cause of this bullshit and frankly I don't see how some script kiddies are gonna undo decades of upward failure and PHBs. Oh and what you are talking about is what me and my friends called "black box thinking," which sadly I saw every time the salesmen came around. You wine and dine the PHB and give the "This (insert device) will make you (insert hacker, virus, fool) proof!" and sadly they'd bite 9 times out of 10. Needless to say the shit never worked like it was sold, but since the PHB never got dinged for it, who cares, right?

      --
      ACs don't waste your time replying, your posts are never seen by me.
    9. Re:Yikes. Coffee. Smell. Up. Getting. by Intrepid+imaginaut · · Score: 1

      The trick is finding the right balance between that and every other concern involved in running a business.

    10. Re:Yikes. Coffee. Smell. Up. Getting. by Dunbal · · Score: 1

      Actual security is ridiculously expensive

      If you don't take those costs into account when drawing up your business plan and prefer the "let's cross our fingers and hope it doesn't happen" security method, perhaps you deserve to fail. Also, actual security is not _that_ expensive, you just need to hire the right people, or design the software properly from the start if you are going to code it yourself.

      Somehow I'm reminded of a paragraph somewhere in the instruction manual to the game "Pirates!" - the original version in the late 80's, not the remake(s). Paraphrasing - "the goal of piracy is to redistribute wealth to the pirates from those that are too lazy to protect it". Your excuse about costs is as ludicrous as the captain of a galleon full of gold complaining that he couldn't afford cannons to protect himself. If you're not making money you probably don't have anything worth stealing. On the other hand if you have 50,000,000 credit card/billing information entries in your database, please don't tell me you couldn't afford to hire someone to handle security.

      --
      Seven puppies were harmed during the making of this post.
    11. Re:Yikes. Coffee. Smell. Up. Getting. by Anonymous Coward · · Score: 0

      security is not a product that can be purchased, installed after the fact and forgotten, but rather an attitude and culture that must be cultivated and maintained

      To Bruce Schneier and yourself for quoting it, Amen Brothers.

      This. This right here (or rather the lack of understanding of this) is exactly why we're in the mess we're in.

    12. Re:Yikes. Coffee. Smell. Up. Getting. by Dunbal · · Score: 4, Insightful

      I hate it when this excuse is used. And it's used often in business in many areas, not just security. It's the junior manager's way out - the way to duck and hide behind someone else. But while it's true a contractor, agency, or someone else will never do as good a job as you would if you did it yourself - at the end of the day it's the responsibility of the guy who approved and signed the cheque. If you don't even take the time to review the work you contracted, if you don't even bother to keep ONE person around who has any notion of how the work should be done and get him/her to go over it and approve it before it's accepted, then my friend, you deserve the good anal fucking that you are about to get.

      --
      Seven puppies were harmed during the making of this post.
    13. Re:Yikes. Coffee. Smell. Up. Getting. by Anonymous Coward · · Score: 0

      Actually that likely just means that the development servers were firewalled so that they were only accessible to the developers.

      The production servers by their very nature had to be accessible by the public to be used, so the firewalls let traffic through. That then meant it was possible for LulzSec to use an exploit they couldn't do on the unreachable development servers.

    14. Re:Yikes. Coffee. Smell. Up. Getting. by jellomizer · · Score: 1

      It could be. The development department manager probably will be more willing to order a firewall than the finance department manager.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    15. Re:Yikes. Coffee. Smell. Up. Getting. by Dunbal · · Score: 1

      That's ok, there's an entirely new generation coming that is going to fix everything. /BIG sarcasm

      --
      Seven puppies were harmed during the making of this post.
    16. Re:Yikes. Coffee. Smell. Up. Getting. by jellomizer · · Score: 3, Informative

      So why would you put less trust in a new hire employee than in a contractor? It isn't the contractor's fault, and choosing a contractor can sometimes get you really good quality work for less cost than hiring (no matter what the Union propaganda tells you). The problem falls back on management. If you hire a contractor to do the work, and especially if you have never worked with them before, you really cannot fully trust their code. You will need to audit it and check it. Just because they do it for a living doesn't mean they are any good at it. If the company doesn't care about security, neither will the contractor. If the company cares about security, so will the contractor.

      A lot of these outsourced companies are tailored towards low cost, as that is what the customer wanted; if they wanted higher quality, it would cost them.
      There is a Venn diagram for this. You have Cheap, Fast, and Good; you can only pick two.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    17. Re:Yikes. Coffee. Smell. Up. Getting. by DRBivens · · Score: 3, Insightful
      In my experience, the COST of security matters much less to people than does the INCONVENIENCE it entails. Many organizations are quite willing to spend money on security hardware, software, and services. Secure implementations can be defeated by authorized users who either perceive the security as inconvenient or unnecessarily harsh ("I'm not going to lock my screen before I get coffee; I'll only be gone for a couple of minutes.")

      One solution might consist of better user training coupled with better security design (protect truly secret data but don't worry about disclosure of information freely obtainable by outsiders via mechanisms like FOIA, stockholder inquiry, etc.)

      It's a challenge, regardless of what you have to protect--or how you choose to protect it.

      --
      You have the right to remain silent. If you don't, anything you say will be misquoted and used against you.
    18. Re:Yikes. Coffee. Smell. Up. Getting. by blueg3 · · Score: 1

      The DMCA is irrelevant here, and bringing up "anti-hacking laws" doesn't make any sense. Do you think anything that LulzSec was doing should actually be legal?

      Further, there are already anti-hacking laws. They don't really seem to prevent hacking. Apparently your idea of lobbying for anti-hacking laws to save money on security isn't really effective. I'd be surprised if any organization thought that was a viable alternative to actually having network security.

    19. Re:Yikes. Coffee. Smell. Up. Getting. by wintercolby · · Score: 1

      Actually, this is quite common. It's not that I agree with it, but here's how this happens. Development is less mission critical, so it gets security updates first. Firewall rules can be written willy nilly in development environments. Custom applications get security bugs worked out of them in development. The next place all of these changes go is a testing environment. The testing environment is far less wild-west as far as what can be done, in an enterprise environment. It's still easier to get the necessary changes approved, and work done. Once all of these items are rolled out, in the test environment, it's found that some critical or perceived critical piece of the system is broken by the security modifications. The company then goes back to the drawing board, and modifies the development environment until everything looks smooth. Rinse and repeat. If you have silos that don't communicate, you get developers, sys admins and net admins all testing changes at the same time. We mistake meetings for communication. People in change review meetings rarely listen in on the other 300 changes that need approval, and most people drop from teleconferences when their piece is done. I would argue that it's more of a mismanagement issue than an economic or cost issue.

      --
      Most ignorance is vincible ignorance. We don't know because we don't want to know. --Aldous Huxley
    20. Re:Yikes. Coffee. Smell. Up. Getting. by Reverand+Dave · · Score: 1

      More than expensive, actual security is inconvenient to most users, which makes it much less attractive to managers concerned only with keeping people happy over keeping your data safe. You can have a safe network environment, or you can have an easy to use network environment, but you can't have both. In a safe environment you may have to provide excessive logins and not be able to use your fancy iPhone on the company's network, but you don't have to worry about your data or your customers' data being compromised. Or you can surf wherever you want and connect whatever handheld device you own to the network, and have your company network down for weeks at a time because one manager thinks it may be nice or "politically advantageous" to open up Facebook use while at work.

      --
      I got here through a series of tubes
    21. Re:Yikes. Coffee. Smell. Up. Getting. by Anonymous Coward · · Score: 0

      Did you read the section after it titled "Schwartz paper" that says that the number of fatalities was exaggerated and that 27, at the time, was lower than average for a car of its size? That the fuel tank location (the apparent defect) was commonplace on American cars and that it was the media misreporting the facts that caused the hysteria?

      I'm not saying that the security industry is the same way, but your analogy is flawed.

    22. Re:Yikes. Coffee. Smell. Up. Getting. by hedwards · · Score: 1

      This is a large part of why I keep to computers as a hobby. I do a lot of the things that the professionals do, on a smaller scale and on hardware that I own, but I don't have to deal with the headaches of folks that are trying to save some bucks and are certain to blame me when their cut rate equipment goes tits up.

      Right now I couldn't hack it when it comes to hardware on that scale, but that comes largely from the decision not to waste my time or energy studying the things which are really enterprise only.

      And, I do wonder how many other people that could do a phenomenal job aren't even bothering to try because of how miserable the entry level jobs can be. And Pythonesque the policies which appear to be extremely common in the corporate world.

    23. Re:Yikes. Coffee. Smell. Up. Getting. by Anonymous Coward · · Score: 0

      And this is why I have grown to hate working in the IT industry. 10 years in and I am so fucking jaded with the idiocy of management I want to become one. I want to get wined and dined and make terrible decisions and get paid more money to do it. I am sick of being the guy who has to clean up for these idiots. I am sick of being cockblocked on everything useful I try to do. I am sick of being paid less to do more.

    24. Re:Yikes. Coffee. Smell. Up. Getting. by hitmark · · Score: 1

      Could be the age old "skimp on safety because one lawsuit in x years is less expensive than the added costs for the same period"...

      --
      comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
    25. Re:Yikes. Coffee. Smell. Up. Getting. by Anonymous Coward · · Score: 0

      Great. But wtf is a PHB?

    26. Re:Yikes. Coffee. Smell. Up. Getting. by gl4ss · · Score: 1

      It's not about investment or money, it's about who you let do the shit and whether you let them change things or just let them watch over it until something bad happens. And the more expensive the initial version, the less willing pencil pushers are to let anyone do it better for cheaper; that would make them liars, you see. Maybe they were even paranoid before about who they let in on how the customer system worked, so people didn't know how shitty it was. Happens all the time; it doesn't matter if it's shitty if it's in use by a hundred million people, because the user base makes the server piece have 'value' regardless of whether it would be better to switch to something else. Once something has value it's a prize for the office that runs it, no matter the size of the corporation, and actually the bigger the corporation the more important it is that your office has numerical value.

      Turns out the customer DB had been done in a fashion that had an enormous negative value, so the joke really is on the budget assholes who didn't check what they were budgeting for and didn't check what they were running live with people's CCs in it. The Sony CEO got taken for a ride, really. The credit card numbers should never have been stored on their systems, and it could be argued that the whole system should have been done so that Sony would have never, ever laid their eyes on the CC numbers (they should never have been stored in their DB, and they would have had an easier time negotiating CC processing too, though I'm thinking that they just simply lied to their CC processor and didn't bother to do repeat charges the right way). I hope he is happy about how much he paid for the fellas who designed their nice system.

      --
      world was created 5 seconds before this post as it is.
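The design gl4ss argues for above, a merchant system that never stores the card number and does repeat charges against a processor-issued token, as an added example. This is not code from the thread or from Sony; the processor vault is a constructed stand-in for whatever tokenizing API a real payment provider exposes, the brand lookup is a simplified assumption based on the first digit, and the card numbers are the standard published test numbers.

```python
"""Added example: keep the PAN out of the merchant's own database and logs.
FakeProcessorVault is a constructed stand-in for a payment processor's
tokenization service; the merchant side only ever persists the token and last4."""
import re
import secrets


def luhn_ok(pan):
    """Luhn check digit validation on a string of 12 to 19 digits."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class FakeProcessorVault:
    """Stand-in for the processor: the only component that holds a PAN."""

    def __init__(self):
        self._store = {}    # token -> PAN, never leaves the processor

    def tokenize(self, pan):
        token = "tok_" + secrets.token_urlsafe(18)   # opaque, unguessable handle
        self._store[token] = pan
        return token

    def charge(self, token, amount_cents):
        """Repeat charge by token; the merchant never resends the PAN."""
        return token in self._store and amount_cents > 0


def merchant_record(vault, raw_pan):
    """What the merchant is allowed to persist: token, last4, brand. No PAN."""
    pan = re.sub(r"\D", "", raw_pan)
    if not luhn_ok(pan):
        raise ValueError("not a valid card number")
    brand = {"4": "visa", "5": "mastercard"}.get(pan[0], "other")  # simplified assumption
    return {"token": vault.tokenize(pan), "last4": pan[-4:], "brand": brand}


_PAN_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def contains_pan(text):
    """Detector for a stored record or a log line: a 13-19 digit run that
    passes Luhn is almost certainly a card number that should not be there."""
    return any(luhn_ok(m.group(0)) for m in _PAN_RUN.finditer(text))


if __name__ == "__main__":
    vault = FakeProcessorVault()
    rec = merchant_record(vault, "4111 1111 1111 1111")   # published Visa test number
    print(rec)                                   # token, last4, brand; no PAN
    print(contains_pan(str(rec)))                # False: nothing to steal here
    print(vault.charge(rec["token"], 999))       # True: repeat billing by token
    print(contains_pan("card 4111111111111111 declined"))  # True: a log line to fix
```

`contains_pan` is the check worth wiring into a log pipeline or a pre-release scan of the database: if a full card number ever shows up in anything the merchant writes to disk, the architecture above has been bypassed somewhere.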
    27. Re:Yikes. Coffee. Smell. Up. Getting. by Darinbob · · Score: 1

      At the very least you need a good legal department to put a damages clause into contracts. Then if you offshore and they've got a lousy security set up that causes you to lose money or business you can recover damages. The company shouldn't be left holding the ball if the contractor screws up.

    28. Re:Yikes. Coffee. Smell. Up. Getting. by Dunbal · · Score: 1

      Then if you offshore and they've got a lousy security set up that causes you to lose money or business you can recover damages.

      Right. Done a lot of offshore dealings, have we? I recommend you investigate just how easy it is to enforce contracts, much less damage clauses in contracts, in other countries. Offshore = foreign courts which tend to perceive the "poor oppressed small local firm" as a victim of the large global company. These courts have a hard enough time putting murderers in prison. Even with a favorable verdict, you are never going to see your money again. Better to spend the time making sure you have someone to go over their work before they get paid instead of counting on lawyers. That might work in the US, but not outside.

      --
      Seven puppies were harmed during the making of this post.
    29. Re:Yikes. Coffee. Smell. Up. Getting. by hairyfeet · · Score: 1

      Don't know if Anons can see their posting history (as I have never posted as Anon, I stand by my comments) but if you do see this PHB is from Dilbert and stands for "Pointy Haired Boss" which is a completely clueless moron who knows just enough buzzwords to be a cockblock and doesn't know shit about how things actually work, which sadly I've found in corporate settings is pretty much 85%+ which is why I ran away from corporate before it drove me into an early grave. Now I ONLY deal with SOHOs and SMBs, where the people actually KNOW they don't understand the tech and are just happy to have someone knowledgeable and will defer to your judgement.

      As for the poster above you getting sick from working corp? Come join us in the wonderful world of PC building and repair. You'll never make 6 figures but you WILL have a hell of a lot less stress, get to meet nice folks that actually appreciate you (hell, I even met my current GF of 3 years this way) and won't have to deal with any more impossible problems with no budget thought up by total idiots. I don't know how many times in corporate I'd see everything turned into a clusterfuck and then be expected to fix said clusterfuck with NO money and no help. Yeah, and if I can't pull off a trick worthy of Criss Angel? Then I get bitched out for the problem I didn't cause in the first place!

      Well fuck that shit, working in a little shop you may never get rich but you won't have to worry about ulcers or a heart attack either. People actually listen to you (for the most part, and those that try for even a second to act like a PHB I show the door) and you are able to implement best practices without any cockblocking or bullshit. My customers all have backup drives, all make disc images, all have the AV I approved set up, everything runs nice and smooth and I don't have to deal with any more herp derp corporate bullshit. Well worth the lower pay, and you meet a hell of a lot nicer folks as a bonus.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  3. I disagree by Saint+Stephen · · Score: 0, Flamebait

    It seems to me to be not as reasonable to think that LulzSec represents a massive amount of laziness / carelessness on the part of those admin'ing the systems, as to think that we just didn't understand the situation sufficiently clearly yet. The LulzSec twerps merely pointed out the "chaos in the universe" aka the difficulty in getting anything done.

    To mangle a quote quoted in V for Vendetta (favorite subject of Anonymous): The falcon spins ever wider and soon cannot see the falconer. Mere chaos is unleashed upon the world.

    LulzSec, being children, merely pointed out the chaos. To that end it's a great lesson, just like Al Qaeda / IEDs and the Viet Cong before that: it teaches us real people how to deal with the situation properly.

    I still say fry the bastards though. Even children must be responsible. My generation could have just as easily done the kind of vandalism (and did), we just didn't want to be that big of pricks.

    I actually blame the parents (the Bush-haters) for breeding such a bunch of twats as LulzSec.

    Please don't mark this down as flamebait; it really is not an invalid opinion to hate LulzSec and what it stands for, no matter how much you teenagers reading this want to agree with them. Hating reality is part of teenager-hood. We understand how you feel; we all went through it.

    But calling all CEOs "sociopaths" ?? Come on man, please join us back on this planet. Sure there are the Enrons of the world, and you might hate George Bush and all that, but come on guys. You've crossed the line into stupidhood now.

    It ain't the security guys' fault for not anticipating all the chaos that is possible in the world; or rather it is their fault, but not due to lack of diligence. It's just damn hard to keep that falcon flying around you :)

    1. Re:I disagree by Saint+Stephen · · Score: 0

      Excuse me, "mere anarchy," not "mere chaos." Much better quote that way. Verwirrung, not Ordnung, for you geeks.

      Makes me laugh to see V for Vendetta be such a powerful cultural touchstone. Back in the 80s it was not so well known. I guess a metaphor for you young folks would be as if, I don't know, some Pokemon character was now driving people to destroy society or something. It was just a damn comic book written by a guy who used to sell LSD in high school guys :-) It ain't the damn sayings of Buddha or anything :)

    2. Re:I disagree by Triv · · Score: 5, Informative

      V for Vendetta? Seriously? That quote's from W.B. Yeats:

      Turning and turning in the widening gyre
      The falcon cannot hear the falconer;
      Things fall apart; the centre cannot hold;
      Mere anarchy is loosed upon the world,

      http://www.potw.org/archive/potw351.html Credit where it's due.

    3. Re:I disagree by Anonymous Coward · · Score: 0, Troll

      My generation could have just as easily done the kind of vandalism (and did), we just didn't want to be that big of pricks.

      don't mod me down, but your generation are pricks.

      no matter how much you teenagers reading this want to agree with them. Hating reality is part of teenager-hood. We understand how you feel; we all went through it.

      don't mod me down, i'm older and more mature and you'll see my point of view when you grow up and stop being childish.

      You've crossed the line into stupidhood now.

      don't mod me down, but you're stupid.

      Come on man, please join us back on this planet. Sure there are the Enrons of the world, and you might hate George Bush and all that, but come on guys.

      don't mod me down, but come on guys, come on.

      It ain't the security guys' fault for not anticipating all the chaos that is possible in the world; or rather it is their fault, but not due to lack of diligence.

      don't mod me down, but it's not the responsibility of the security guys to implement basic security.

    4. Re:I disagree by mug+funky · · Score: 0, Offtopic

      don't complain about your modding. none of the people you're arguing with modded you.

    5. Re:I disagree by Anonymous Coward · · Score: 1

      Dealing with the kids now modding the slashdot scene is beyond formulaic.

      don't mod me down, if you do you must be a kid.

      Say shit you like = Yay!

      don't mod me down, yay.

      Try to get somebody to fucking read something, maybe listen for a damn change = incur the wrath of the hordes!

      don't mod me down, my post shouldn't be modded down.

      Here's a tip: instead of coming to the baseless conclusion that this is a generational thing, maybe ask why certain people feel that way. You'll get a better response than your branding of a generation as 'stupid' and 'pricks'. You get modded down because your post has 'back in my day we were smarter and more considerate and your opinion is stupid' superiority complex overtones.

      FWIW i didn't mod you.

    6. Re:I disagree by Raenex · · Score: 3, Insightful

      I swear to fucking god - look at how my posts are modded on this thread.

      Don't bring up Bush and claim your post isn't flamebait. I mean, seriously, this is what you said:

      "I actually blame the parents (the Bush-haters) for breeding such a bunch of twats as LulzSec. Please don't mark this down as flamebait"

    7. Re:I disagree by Opportunist · · Score: 2

      CEO sociopaths? Well, maybe to a degree, but that isn't the underlying cause. Greed is rather the reason. Greed, but not (only) on the CEO's side.

      The CEO is under pressure, like everyone else in the company: He has to perform, and he has to perform well. He has to generate revenue, and lots of it. Else he's being replaced by one who does.

      The sociopath CEO now does it without remorse. The conscious CEO does it because he rationalizes that a lot of people have invested their money, probably all their life savings, into the stocks of that company and he has a responsibility to do his best to justify that trust. That's the beauty of the system, nobody is a sociopath, everyone can rationalize what he does. Your boss fires you, who's knee deep in debt, but he can rationalize it because he has to fire someone from the team or he has to fire everyone 'cause his budget doesn't allow him to continue the project otherwise. His boss in turn, who signed the budget, couldn't give him more because he, in turn, only had so much money to spend and he doesn't even know you, he only knows that if he distributes his money well, a lot of people will be able to keep their jobs. This chain goes up to the CEO, who in turn rationalizes his layoffs with the responsibility to the investors. Who, in turn, don't even know what they invest in because that's something their bank's investment manager does. Who in turn can rationalize that he has to do his best to invest that money in those companies that perform best because people trusted him with money to invest for them.

      You see, nobody has to be a sociopath anymore to be an asshole.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    8. Re:I disagree by DNS-and-BIND · · Score: 1

      Funny - a couple of years ago, bringing up Bush-hatred into totally unrelated conversations was considered obligatory, something normal people would do. It was serious and sane and anyone who modded flamebait was in league with Bu$hitler. People seriously used Bu$hitler, on this website, and were, in their tiny minds, not using flamebait. Look up "Bush Derangement Syndrome".

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    9. Re:I disagree by HeckRuler · · Score: 1

      Ah, yes, "stupidhood". I guess you'd be an expert on that, wouldn't you?
      You are, simply put, wrong. And on a number of levels and from a number of angles. Let me count:

      1) It is, in fact, the "security guys'" fault for not anticipating all the chaos that is possible in the world. That's their job. They are there to provide security, mitigate risks, and generally make people safe. And it is entirely due to their lack of diligence and their general incompetence. For the intrusions that I've gone over, LulzSec did not make use of zero-day vulnerabilities or unknown mystical powers. They used well known vectors that competent "security guys" could have protected against. The only other position you can share the blame with is their boss. And of course, LulzSec themselves.
      2) You hate LulzSec, that's apparent. It's going beyond that though. You are so biased that you are making presumptions about them by calling them children. Calling them pricks and twats is simply name-calling, but the point where your demonizing influences the facts you know about them is self-deluding.
      3) Pride. You elevate and praise yourself. It's good to speak well, and a little ego is good, but you're just kinda coming off as a douche.
      4) You generalize that all teenagers are full of hate.
      5) You also generalize that your entire generation is somehow above being this sort of "big prick", even after having just stated that your generation performed similar actions.
      6) Sociopaths really do make the most productive CEOs. You have to remove yourself to a certain degree to be able to crush a person's livelihood. Not everyone can be a hatchet-man. Anyway, there have been studies and the signs of a good CEO are similar to the signs for sociopaths. But everyone has a little bit in them and sociology is a ludicrously soft science.
      7) You drag politics into it for no apparent reason. Really, I just can't do this justice without looking at it again:

      I actually blame the parents (the Bush-haters) for breeding such a bunch of twats as LulzSec.

      My god. It's like the hate is palpable. If you think every ill of the world is all the Democrats' fault then really, I'd advise that you need to relax a little.
      8) The grammar in your first paragraph is atrocious.

      as to think that we just didn't understand the situation sufficiently clearly yet.

      Wut? But I guess at this point I'm merely being nitpicky. The wrongness of your post on other counts is more than sufficient to earn you negative karma. But seriously, you need to re-evaluate your life if these are your honest views. Or simply GTFO and leave us be.

  4. Regarding Lulzsec by Anonymous Coward · · Score: 5, Interesting

    LulzSec might have ended, but I can guarantee you the exact same stuff is happening underground, except this time you probably won't know all your information has been stolen. Other than exposing corrupt whitehats I don't really agree with their actions, but I'm not sure if the alternative of keeping it in the hands of underground blackhats and IRC scriptkiddies is any better (not that it wasn't going on during LulzSec as well, but still).

    Regardless, the AntiSec movement seems to be picking up some steam, at least within Brazil (protests are planned for July 2nd), and the first AntiSec release has just been posted to Pirate Bay: http://thepiratebay.org/torrent/6502765 with more promised tomorrow.

    Regardless of their "supposed" script kiddie status (they did break into a hacking contest website and turned down the 10k), I think it was smart for them to disband and take up a greater cause, and I guess time will tell if they are successful or just run out of water.

    1. Re:Regarding Lulzsec by Opportunist · · Score: 1

      Could you please quote someone else for a link like this?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Regarding Lulzsec by inglorion_on_the_net · · Score: 1

      Regardless, the AntiSec movement seems to be picking up some steam

      WTF? A group actually opposed to computer security, and they are picking up steam? What ... is the rationale behind this?

      --
      Please correct me if I got my facts wrong.
    3. Re:Regarding Lulzsec by Anonymous Coward · · Score: 0

      Read what the AntiSec movement is first and you'll realize they aren't opposed to security, they're opposed to the industry that exploits the vulns to blackmail/sucker companies into paying them money.

    4. Re:Regarding Lulzsec by Anonymous Coward · · Score: 0

      Yes it's picking up a bit of steam, just enough steam to inspire those who know just enough to be dangerous to create the Government's 'need' to substantiate taking more of our freedoms. That, alongside convincing the American't Public that there's a real need for more three letter agencies. My take on it: invest into social media outlets, and intelligence budgets.

      War is expensive! Teach our kids to be nationalistic, use social media to reinforce behavior, finally make the transition from lower/lower-middle class more seamless into military branches outside of high school. Last but not least, if they're going to be lazy, stupid, and complacent, why not take advantage? Hell, just think, you could eventually be higher echelon government someday too!

      Hail Aristocracy

    5. Re:Regarding Lulzsec by hedwards · · Score: 1

      AntiSec is against the industry as it is now, not security. It's sort of like the people under communism who were antigovernment, they weren't antigovernment in general, they were anti that particular government.

    6. Re:Regarding Lulzsec by inglorion_on_the_net · · Score: 1

      In the Wikipedia article on Antisec, it says:

      It attempts to censor the publication of information relating to but not limited to: software vulnerabilities, exploits, exploitation techniques, hacking tools, attacking public outlets and distribution points of that information. Movement followers have cited websites such as SecurityFocus, Securiteam, PacketStormSecurity, and milw0rm to be targets of their cause, as well as mailing lists like "full-disclosure", "vuln-dev", "vendor-sec" and Bugtraq, as well as public forums and IRC channels.

      As recently as 2009, attacks against security communities such as Astalavista[1] and milw0rm,[2] as well as the popular image-host ImageShack[3][4] have given the movement worldwide media attention.

      To me, that sounds like a group opposed to computer security. Not only do they seek to stop publication of vulnerability information (which will allow vendors to go back to pretending security is not an issue), they are actually attacking others' systems. Perhaps they claim to be improving computer security, but I don't think that's what they are actually accomplishing.

      --
      Please correct me if I got my facts wrong.
  5. "Arcane" by tylersoze · · Score: 1

    Arcane is not really the right word there. There's nothing "arcane" about security through obscurity. Perhaps they meant "archaic"?

    1. Re:"Arcane" by Anonymous Coward · · Score: 0

      I was thinking the same thing. The idea of "security through obscurity" is insane, not arcane.

    2. Re:"Arcane" by carpenoctem63141 · · Score: 2, Informative

      Actually, arcane means something is known to few/obscure. So an arcane security method could be interpreted as a security method that relies on obscurity.

    3. Re:"Arcane" by Anonymous Coward · · Score: 0

      Arcane is not really the right word there. There's nothing "arcane" about security through obscurity. Perhaps they meant "archaic"?

      They'd still be wrong. There is nothing either arcane or archaic about obscurity as a security technique. It's not wise to rely solely on it, but it is quite often a very useful layer in a larger security model.

    4. Re:"Arcane" by hedwards · · Score: 1

      You don't think that selling your sole to Satan requires arcane rituals?

    5. Re:"Arcane" by Anonymous Coward · · Score: 0

      Satan requires his sole be fresh and pan-fried with plenty of clarified butter and a squeeze of lemon.

    6. Re:"Arcane" by Duradin · · Score: 1

      Just a new pair of shoes.

  6. A little vandalism goes a long way by mykos · · Score: 1

    Lulzsec's resounding accomplishment is that it will wake organizations up about the state of their security, and maybe even get us a few anti-negligence laws for the companies who think of security as an afterthought.

    1. Re:A little vandalism goes a long way by Opportunist · · Score: 2, Funny

      Anti-negligence laws? I'd rather guess we'll be seeing some anti-hacker laws.

      Why legislate corporations when you can legislate people?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:A little vandalism goes a long way by mykos · · Score: 1

      This is, sadly, the way it will likely go. Rather than a reasonable response, like "we already have laws against hackers, so how about you get better security", we'll probably get something closer to "PATRIOT ACT 2: WARRANTLESS WIRETAPPING BOOGALOO"

    3. Re:A little vandalism goes a long way by Opportunist · · Score: 1

      The text of the law can easily be summed up: All your computers are belong to us.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  7. Good for the Industry by Anonymous Coward · · Score: 0

    Lulzsec will ultimately be used as a case study by IT managers to get proper funding and approval for security projects from the C-level executives. For the next year or so anyway... until the PHB types forget about it and stop caring.

  8. Hacktivism? Teenage scum! by davegravy · · Score: 0, Flamebait

    A related story at the Guardian suggests that governmental attempts to control the internet are spurring these activities.

    These hackers are to the internet as street thugs are to a dark alley! Catch 'em and Guantanamize 'em!

    These are acts of activism based on a desire for a better and free society, you say?

    Oh please! Next you'll be telling me that many of these hacking act thingies require education, intellect, and creativity beyond that of an average person...

    1. Re:Hacktivism? Teenage scum! by Anonymous Coward · · Score: 0

      Oh shut up.

  9. It's not even possible! by Anonymous Coward · · Score: 1

    Given that these "rogues" or "hackers" are well skilled with network technology, what do these governments think they can do if they are capable of setting up their own internet? They know how to make the hardware; they know how to make the software; they know how to send communications over different spectrums. The governments would have to have complete control and ability to scramble communications over all possible channels. And even then, a new communication channel can be found and used to transfer electronic signals.

    It's a futile, stupid effort. I can set up my own intranet... and then what? The government comes in and takes it away... ok, then build another. They'd have to make it so I couldn't buy certain pieces of hardware. Then the same corporations that profit from that hardware would cry foul for dipping into their revenue stream. Now you get the government fighting against the same corporations they protected, and well, let's face it, the government will back down.

    The scales of justice are weighed in both gold and greed.

    1. Re:It's not even possible! by SuricouRaven · · Score: 1

      1. Build receiver.
      2. Track signal.
      3. Send in police.
      4. Pound-me-in-the-ass-prison for unlicensed use of a radio transmitter.
      5. Publicise, to scare off any others who might try it.

    2. Re:It's not even possible! by hedwards · · Score: 1

      Except that you'll never find a radio receiver without doing door to door searches, and the government for the last decade or so has been more concerned with keeping secrets.

    3. Re:It's not even possible! by Anonymous Coward · · Score: 0

      What use is a receiver without a transmitter?

    4. Re:It's not even possible! by SuricouRaven · · Score: 1

      I was telling it from the government's perspective. Obviously, the first step is to build a receiver - they'd need the receiver in order to track where the transmitters are.

  10. IT knows, they just can't keep up by SuperKendall · · Score: 2

    I don't think people are asleep at the switch, at all.

    I also don't think they are relying on security through obscurity.

    In large companies I have worked for, there are a lot of very competent people that care a lot about security. But the thing is, security is a minor consideration to spend time and money on compared to making working systems.

    Obviously it would be better if that would change, but I don't think honestly it can until someone has had the lesson REALLY driven home to them by a major security issue.

    I would bet that within five years Sony security is actually pretty good. It is a good wake-up call to the industry, but remember that generally the alarm clock is only really heard by the owner of the house it rings in...

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:IT knows, they just can't keep up by Uhhhh+oh+ya! · · Score: 1

      True, but I don't think it's as simple as that. I work in IT and we are constantly looking for ways of improving security. One of the biggest problems is that the software or devices that would improve security the most tend to cost unreasonable amounts of money and require you to keep multi-thousand dollar contracts with the companies who make them. Not to mention a week before new security software is released the hackers are already hard at work finding the holes in it, so before you know it your system is unsecured again.

    2. Re:IT knows, they just can't keep up by SuperKendall · · Score: 1

      That's part of what I'm talking about though. You could probably build some of those expensive systems, but you don't have the time... and the business side will not authorize the money to buy instead of build.

      But I'll bet right now the coffers are open in terms of buying a LOT more online security products at Sony. They got hit, hard, and so now they will be willing to forgo a higher percentage of profits to protect things because they have seen the dark end of the tunnel and realized just how much loose security can cost.

      The price of security products may seem unreasonable but remember it takes a lot of effort and careful thought to get that stuff right.

      --
      "There is more worth loving than we have strength to love." - Brian Jay Stanley
  11. Simple reason: Nobody wants security by Opportunist · · Score: 5, Insightful

    Nobody wants security. Everyone wants compliance.

    From an auditor's point of view, it's very easy to explain the reason why the security in most companies is at a level that's not even laughable. No company is interested in it. What they want is certificates, they want their ISO27k and their PCI-DSS, but not because they want them to know for themselves that they're secure, they want them to display to others that they are, so they can get contracts or are compliant with legal requirements to be allowed to do something.

    Now, some might think security and compliance with security requirements are the same. Both mean that you "want" security. And that's the fallacy. Security is something you want yourself. You want security because you want to be secure. Security is in this case the primary interest and the focus by itself. Compliance is something that is forced onto you. You want security because someone else wants you to be secure. Security is in this case only the means to the goal, be it to conform with legal requirements to continue operations or be it to be allowed to process credit card payments.

    Within the last decade or so, the number of companies where I actually had the idea that they wanted security for themselves, even if only as a side effect to the compliance requirements, was very, very low. Most want to get done with it, preferably fast and without hassle. If the compliance requirement is that your door is locked and barred but doesn't say anything about your windows, they won't even listen to you if you tell them they have no windows but just big holes in the wall. Their door is sealed, that suffices to be compliant. The windows? Not part of the compliance requirement, we don't care.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Simple reason: Nobody wants security by greg1104 · · Score: 1

      I'm with you on the compliance vs. security angle. Recently I've started working with people who want me to certify I comply with HIPAA guidelines for touching private health care data. The emphasis on paperwork over real security practices there is mind-boggling. I've been put into an uncomfortable position because I can't morally agree to these policies unless I really mean it--which means I'm facing a huge security expense overhead added to my business--while my competitors do a shady job but mark all the checkboxes that they are compliant. Guess who wins the bids?

    2. Re:Simple reason: Nobody wants security by Tom · · Score: 5, Insightful

      Disclaimer: I've worked in compliance until recently, but my background is security.

      The problem you outline is real, but you are missing a point: Compliance got traction because companies don't invest in security. The risk/reward just doesn't work out. A million credit cards lost? The PR to fix that is a lot cheaper than the security investment to prevent it. And the real damage isn't for you, it's for the credit card holders and their companies.

      That's why compliance became so big, because too many people realized that unless you force them, companies won't do security. The same way that airbags in cars didn't become standard issue until some laws were passed. Human beings are horrible at risk management for everything that falls outside our daily experience.

      The quality of your compliance managers determines if you're just following the book, or actually bringing an advantage to the company. I pride myself on IT management being happy they had me (I wasn't part of IT, to them I was an outsider from the finance department, the compliance hand of the CFO). You can do compliance in a way that IT doesn't hate and that gives you actual benefits.

      Unfortunately, too few compliance managers are IT people, much less IT security experts. Which leads to them doing things "by the book". Or, as it's called in other contexts: Work-to-rule. As we all know, that's not work, that's sabotage.

      --
      Assorted stuff I do sometimes: Lemuria.org
    3. Re:Simple reason: Nobody wants security by pandrijeczko · · Score: 2

      It's very true.

      I actually work in security for a telecoms hardware vendor and many of my customers believe that if they state that they want PCI compliance, for example, then that is all they need to do and can hand off all the dirty work of achieving that compliance to the vendors.

      As a vendor, we provide servers in a "one size fits all" pre-hardened state because any additional hardening we can do usually depends on the customer's specific topology and environment - so the process we adopt is to let the customer drive the compliance standard, then we do our best to harden to it whilst ensuring the server operation is not affected.

      What many customers fail to understand is that hardened servers are only a small part of the compliance, you also have to look at controlled access to the physical hardware, how long and how encrypted you store customer data, etc. etc. It therefore makes no sense for the OEM to manage that compliance.

      Only yesterday I had an incident where a customer of mine applied an official update to a server and discovered some of the hardening we'd previously done 6 months ago had been put back to default settings. They were quite shocked when I told them that they should have had processes in place that state what activities should be carried out and in what order, and that we ourselves do not design the processes, just advise and work with the customer when they create those processes.

      I also have many situations where two days before new systems go into production, the customer's own security team appears from nowhere with vulnerability scans and refusals to let the systems go live until they are fixed - I have no problem with what they are doing but you'd expect these security guys to be involved in the overall implementation process and to build their security work into the overall project plan in order to avoid last minute panics.

      If customers *REALLY* understood compliance standards, rather than just wanting a certificate on a wall, none of the above scenarios could actually happen in the first place.

      --
      Gentoo Linux - another day, another USE flag.
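
      The scenario above (a vendor update silently putting hardened settings back to their defaults, with nobody noticing until the next audit) is exactly what a baseline-drift check is for. The script below is an added example, not code from the thread or from the vendor the poster works for: it records a hardening baseline as `key = value` lines, re-reads the live state after a change, and reports every setting that was reverted or removed. The two files are constructed sample data; on a real host the baseline would be whatever was recorded right after the hardening pass, and the "current" file would be the output of `sysctl -a` or the config file the update touched. Wiring it into the post-update step of the change process is the kind of control the poster says the customer was missing.

```shell
#!/bin/sh
# Hardening-drift check: added example, not code from the thread or the
# vendor it describes. Compares a hardening baseline against the live
# configuration and reports every setting an update reverted or removed.
# Both files below are constructed sample data; on a real host feed in the
# baseline recorded after hardening and the current `sysctl -a` output.

BASELINE="$(mktemp)"   # state recorded right after the hardening pass
cat > "$BASELINE" <<'EOF'
# constructed baseline
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_redirects = 0
kernel.randomize_va_space = 2
fs.protected_symlinks = 1
EOF

CURRENT="$(mktemp)"    # state found after the vendor update was applied
cat > "$CURRENT" <<'EOF'
# constructed post-update state: ip_forward reverted, protected_symlinks gone
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
kernel.randomize_va_space = 2
EOF
trap 'rm -f "$BASELINE" "$CURRENT"' EXIT

# lookup_value FILE KEY: print the (last) value of KEY in a "key = value"
# file, ignoring comments and whitespace; prints nothing if KEY is absent.
lookup_value() {
    awk -F= -v k="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { gsub(/[[:space:]]/, "", $1); gsub(/[[:space:]]/, "", $2) }
        $1 == k { v = $2; found = 1 }
        END { if (found) print v }' "$1"
}

# check_drift BASELINE CURRENT: prints one line per drifted key,
#   REVERTED <key> expected=<baseline> actual=<current>
#   MISSING <key> expected=<baseline>
# and returns 0 when the current state matches the baseline, 1 otherwise.
check_drift() {
    cd_drift=0
    while IFS= read -r cd_line; do
        # strip whitespace from key and value; skip blank and comment lines
        cd_key="$(printf '%s' "${cd_line%%=*}" | tr -d '[:space:]')"
        cd_want="$(printf '%s' "${cd_line#*=}" | tr -d '[:space:]')"
        case "$cd_key" in '#'*|'') continue ;; esac
        cd_have="$(lookup_value "$2" "$cd_key")"
        if [ -z "$cd_have" ]; then
            printf 'MISSING %s expected=%s\n' "$cd_key" "$cd_want"
            cd_drift=1
        elif [ "$cd_have" != "$cd_want" ]; then
            printf 'REVERTED %s expected=%s actual=%s\n' "$cd_key" "$cd_want" "$cd_have"
            cd_drift=1
        fi
    done < "$1"
    return "$cd_drift"
}

# Stand-alone run: print the drift report and a verdict.
if check_drift "$BASELINE" "$CURRENT"; then
    echo "OK: hardening baseline intact"
else
    echo "ALERT: hardening drift detected; re-apply and fix the update procedure"
fi
```

      Run against the constructed data it reports `net.ipv4.ip_forward` as reverted and `fs.protected_symlinks` as missing and exits non-zero, which is what you want from a check that gates the "update applied" step of a change ticket: a failed run blocks sign-off instead of being discovered six months later. Because it only compares recorded values, it needs no privileges beyond reading the two files.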
    4. Re:Simple reason: Nobody wants security by pandrijeczko · · Score: 1

      I do security hardening and auditing for a number of customers and I have been tempted to drop the odd profanity into the reports I produce for them, purely to see if anyone actually reads them or not.

      I've certainly been on a number of calls with my customers where questions are asked which are very clearly answered within the reports I send to them.

      As far as I can see, they just want something to wave at auditors as completed so that the auditors can put a tick in a box.

      --
      Gentoo Linux - another day, another USE flag.
    5. Re:Simple reason: Nobody wants security by ensignyu · · Score: 1

      I think maybe if some kind of financial liability was introduced, companies would take notice. Say, $50 for lost personal details (name, address), $100 per lost cc number, $5000 per lost SSN.

      Smaller companies would have to use payment processor companies with better security. Larger companies and payment processors would have an incentive to not just follow best practices and minimum compliance, but actively conduct audits to reduce risk. Insurance companies would also insist on good security, in theory.

      Of course, there's certainly downsides. Companies have shown time and time again that short-term profits overrule sensible decision making, even if the costs of risky behavior could bankrupt the company. On the other hand, I'm not a fan of government-mandated compliance if it's not kept to date with the latest technology and practices; time spent on compliance and paperwork could be better spent actually improving security instead of just talking about it.

      And insurance companies -- not sure if they're a necessary evil, or just plain evil, and it's also not unheard of for insurance companies to go bankrupt failing to consider the risks.

      But in principle, adding some kind of responsibility for losses would probably improve security overall.

    6. Re:Simple reason: Nobody wants security by ikirudennis · · Score: 1

      The problem is actually that the internet/http was never designed for security. We've just managed to hack some semblance of security on top of it, but ultimately, it's always going to be insecure to some degree. If we really want a secure internet it will likely have to be redesigned from the ground up.

    7. Re:Simple reason: Nobody wants security by Opportunist · · Score: 1

      Airbags, to pick up on your car analogy (he did it, not me! :), have gained traction, though. Try, just try, to sell a car without airbags today. Security in cars has become a selling point. After decades of it being a minor, if any, point in car design, mind you, but it finally is a topic for car designers and a selling point for salesmen. "This is a street cam filming someone driving our new model. As you can see, the driver fell asleep during the drive. Here you see him impact at 150mph. And here you see him crawl out unharmed from underneath the wreck".

      Security IS a selling point in cars today. Car ads don't honk features like top speed, sleek design or how many chicks you'll pick up. They show you accident statistics, show off that patented microsleep-prevention tool and how many of those new cars they trashed in crash tests, all for your safety! That is the sales angle for cars today.

      I guess it still needs a decade or two 'til people want the same in their computers, and done to their data in other people's computers.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    8. Re:Simple reason: Nobody wants security by Opportunist · · Score: 1

      If someone complains about his OEM for failing a security audit, it's time to pack your stuff and go.

      I don't expect a lot from my customers. I hold their hand from the moment they start wanting compliance, all through the process development and design phase up to the moment they get audited (of course, then by someone else, since I'm technically not their auditor but their counsel in such a scenario). But if he starts "Uh... that's our OEM/ISP/whoeverelse to blame", pack your stuff and go. You could, technically, sit down with him and explain to him what it means to be (and stay!) compliant with a regulation, but he'll soon find out that this will mean some cost EVEN AFTER he has the cert (or, in the words of a customer of mine, "What??? I have to work the way these processes show??? I thought that's just for the cert!").

      And most of all, he will not want to pay that price, show you the door (and you can start trying to get the money for the time spent from him since "you didn't do anything") and shop around for someone to do his Credit Card payment.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    9. Re:Simple reason: Nobody wants security by Opportunist · · Score: 1

      How deep into the OSI would you like to squeeze security? I agree that stacking security on top of the whole process isn't really securing a lot, but the deeper the layer for security, the more has to change.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    10. Re:Simple reason: Nobody wants security by Tom · · Score: 1

      I guess it still needs a decade or two 'til people want the same in their computers, and done to their data in other people's computers.

      My point exactly.

      I think we need to force security on people. Once they have to do it, they will come around to appreciating the benefits of doing it right.

      Because once the option "ignore it" is taken away, doing it right is often the next-best one, and a more effective use of budget than doing a half-assed job that may blow up in your face.

      --
      Assorted stuff I do sometimes: Lemuria.org
    11. Re:Simple reason: Nobody wants security by Tom · · Score: 1

      I think maybe if some kind of financial liability was introduced, companies would take notice.

      No, they wouldn't.

      That's what I was saying about humans being horrible at risk assessment.

      There's a reason we didn't make car manufacturers responsible for accident injuries, but instead forced them to build in airbags, no matter what their in-house crash statistics might have said.

      We need regulation like that for IT as well. Make it a (very costly) offense to store passwords unencrypted, no matter if there's a breach or not. Stuff like that. Go through the best practice lists - there are a number of well-done collections out there - pick out the stuff everyone agrees on, and make it mandatory by law. Make the IT director personally liable for following that set of minimal security requirements, with jail time for intentional and/or blatant violations.

      Oh yes, and make sure that you don't accept "it was too expensive" as a reason. I don't know about the US courts, but I very much enjoy the German courts' general approach to those excuses: "Geld hat man zu haben" is the saying - translates roughly as "you ought to have money". The legal version is that if you don't have money for a required expense, you would have had to file for bankruptcy (because you ran out of liquidity). Since you didn't at that time, you now can't claim in court that you didn't have the money. Simple, yet brilliant.

      --
      Assorted stuff I do sometimes: Lemuria.org
    12. Re:Simple reason: Nobody wants security by cusco · · Score: 1

      When HIPAA guidelines began to be enforced my company (access control, alarms, video, etc.) was going to hit up our healthcare customers to secure their paper records. Guess what? For all HIPAA cares they could store the paper patient charts in cardboard boxes in the middle of the parking garage. Physical records aren't covered at all, so most of them still lock up their paper records with brass keys, and every person who has ever worked there has a copy.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
  12. Re:Prediction: .XXX domain = plans for control of by Anonymous Coward · · Score: 0

    I will grant the paranoid out there one thing: it seems pretty clear that once XXX becomes "the place on the net for porn", regulatory agencies will try to push porn everywhere else off the net, and push hard. The argument will be it's OK because you can just go to XXX. But it will be a shoehorn to control things in a larger way. That much seems pretty clear.

    How is that even legal?

  13. Re:Hell, yeah! by Nursie · · Score: 1

    You're an idiot and should be fired.

    You don't post company info on third party sites, end of story. Oh, and there's no such thing as too small for source control.

    I have probably just been trolled.

  14. Screw vandalism, especially on "soft targets" by schnell · · Score: 5, Interesting

    Here's the thing: information security, just like any other type of security or insurance, is completely relative.

    My dinky little websites have adequate capacity to serve the few hundreds of people a day who visit them, but would not withstand a Slashdotting or DDoS. My house is secure enough to resist a burglar, but not secure enough to resist a Navy SEAL strike team. Does this mean I'm negligent? No, it means that I could spend thousands of dollars on additional infrastructure for security or capacity but I choose not to because it's highly unlikely I would need to.

    That's why the example of LulzSec is pathetic and not instructional. There are lots of "soft targets" on the Internet (in terms of security or capacity) that you could take down pretty easily if you wanted to, just because those sites can't justify full-time security teams or massively extensible infrastructures. I'm not talking about high-profile sites like Sony or the CIA, but stuff like EVE login servers or some county in Arizona. A bunch of douchebag script kiddies taking down some MMO server doesn't necessarily mean that anyone was truly "negligent," it just means that they picked easy targets. And there is not, nor will ever be, a shortage of easy targets on the Internet if you're willing to aim at those.

    --
    "95% of all Slashdot .sig quotes are incorrect or completely fabricated." -Benjamin Franklin
    1. Re:Screw vandalism, especially on "soft targets" by Anonymous Coward · · Score: 0

      I think that it makes people question these "small" websites and ask, is my information on this website? It isn't as much an eye opener for the operators but the users...

    2. Re:Screw vandalism, especially on "soft targets" by antifoidulus · · Score: 2

      Often times these sites are in fact "negligent" in how they operate. Many were using outdated software with known vulnerabilities or were very poorly configured etc. Your little site in your example almost certainly will not get hacked if you follow some very basic security guidelines. For example, a quick google search turns up this page on apache security. It took 5 seconds of searching, and would probably only take an hour or two to implement and test, and yet how many sites out there aren't following a lot of these guidelines? Apache is free and these guidelines cost very little to implement and test, so I doubt that someone can claim that they were too "expensive".

      Your analogy isn't apt, for most of these sites it was like they installed a security system in their house then neglected to arm it or lock the door. Pretty much anyone that is looking for something to hack can come right in.

    3. Re:Screw vandalism, especially on "soft targets" by Anonymous Coward · · Score: 0

      My dinky little websites have adequate capacity to serve the few hundreds of people a day who visit them, but would not withstand a Slashdotting or DDoS. My house is secure enough to resist a burglar, but not secure enough to resist a Navy SEAL strike team. Does this mean I'm negligent? No, it means that I could spend thousands of dollars on additional infrastructure for security or capacity but I choose not to because it's highly unlikely I would need to.

      The problem with this is that software can be mathematically proven to be secure or not, the real world can't. Creating a perfectly secure software system is entirely possible, there really isn't an excuse for collapsing in a broken pile when someone flicks a toothpick at you.

      You also fail massively for trying to conflate DDoS and data compromise as the same thing. DDoS is merely a flooding which eats out your capacity; if your pipe isn't wide enough then you're boned, sure. The thing about that is that although the site is offline which is inconvenient to users and may cost you money if you rely on site ads that no-one is actually seeing, no actual data is lost. Having your fortress drown under a broken dam is fine, having the contents of all the safes break out and float away is not.

    4. Re:Screw vandalism, especially on "soft targets" by wvmarle · · Score: 3, Interesting

      I don't agree with your analogy, as physical and digital security are too different. Not many houses can stand a SEAL attack, yet it is perfectly possible to connect a computer to the Internet with zero vulnerabilities (think OpenBSD).

      Secondly, after a few decades of research that is still ongoing, there are plenty of known practices that make it easy to quite thoroughly secure a server. These issues include (list from memory, mainly related to recent attacks where this was the exact vulnerability):

      • ssl set up to log in without password,
      • SQL injection prevention (just escaping the input prevents most if not all of them - many libraries do this out of the box for you),
      • set a session cookie after log-in, and use it,
      • not storing passwords as plaintext but as (salted) hash - a preventative measure for in case you do get hacked,
      • separate databases, and giving the web-facing script a separate user in the database with minimum permissions - so in case the server does get hacked the attacker still can not see much,
      • a port-forwarding firewall letting through only traffic to the ports you need.

      That's what I can think of, from the top of my hat. All of them are easy to implement - and when implemented will prevent most attacks from happening. Sure you won't be immune to zero-day attacks on your web server software, or other services. But it limits the attack vectors a lot already.

      Not following such "best practice" standards I would call negligence.

      Now I readily admit that my own server is also not configured perfectly, there is a bit of "security through obscurity" too of course. Yet I have a software-firewall blocking all but whitelisted ports, my SQL queries are sent to the database through a library that does the escaping and so for me, preventing SQL injection attacks automatically. No-one else has ssl access, so no way you can social engineer the password from me. Oh yeah and I don't need to store any personal details of visitors there, that also helps.

      Most of these attacks appear to be SQL injection related. And that is easy to prevent: the MySQLdb module for Python is doing that for you already. That only leaves tests like type checking ("I expect an integer value - let's see if this string can be converted to integer"), and value checking ("this string should be no more than 20 characters", "this should be a positive integer, not larger than 100").

      And indeed there will always be lots of soft targets - yet companies that take user's personal details must not be a soft target. High-profile web sites should also know that they will be a target of hackers (the higher the profile, the bigger the lulz for a successful attack after all), and as such have also no excuse to be a soft target. Yet it is several of those that have been proven to be pretty soft targets.
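The two points from the post above that a developer can act on directly are parameterized queries (the "library that does the escaping", as the MySQLdb module does with `%s` placeholders) and the type and range checks that escaping does not give you. The following is an added example, not code from the poster or from any of the sites discussed. It uses Python's built-in sqlite3 module so it runs offline; the `?` placeholder is sqlite3's paramstyle, MySQLdb uses `%s` with the same `(sql, params)` calling convention. The users table and its three rows are constructed for the demo.

```python
import sqlite3

# Constructed sample data (not from the original post): a tiny users table.
SAMPLE_USERS = [
    (1, "alice", "alice@example.invalid"),
    (2, "bob", "bob@example.invalid"),
    (3, "carol", "carol@example.invalid"),
]


def make_db():
    """Build an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The broken pattern: user input spliced straight into the SQL text.
    The input  ' OR '1'='1  turns the WHERE clause into a tautology."""
    sql = "SELECT id, name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """The fix: the driver binds the value, so it can never become SQL syntax.
    sqlite3 uses '?' placeholders; MySQLdb uses '%s' but the same
    execute(sql, params) call, never '%' string formatting."""
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def parse_bounded_int(raw, lo=1, hi=100):
    """Type and range check for a field that must be a positive integer <= hi.
    Returns the int, or None if the input does not qualify.  Escaping cannot
    make this decision for you; it has to be an explicit check."""
    try:
        value = int(raw)
    except (TypeError, ValueError):
        return None
    if not lo <= value <= hi:
        return None
    return value


def parse_bounded_str(raw, max_len=20):
    """Length check for a short text field; returns the string or None."""
    if not isinstance(raw, str) or len(raw) == 0 or len(raw) > max_len:
        return None
    return raw


def lookup_by_id(conn, raw_id):
    """Validate first, then query with a bound parameter."""
    user_id = parse_bounded_int(raw_id)
    if user_id is None:
        return []
    return conn.execute(
        "SELECT id, name, email FROM users WHERE id = ?", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    evil = "' OR '1'='1"
    print("vulnerable:   ", lookup_vulnerable(db, evil))    # every row
    print("parameterized:", lookup_parameterized(db, evil)) # []
    print("by id:", lookup_by_id(db, "2"), lookup_by_id(db, "2; DROP TABLE users"))
```

Run it and the vulnerable lookup returns all three users for the injected name, while the parameterized one returns nothing because the driver treats the whole string as a literal. The two `parse_bounded_*` helpers are the "I expect an integer, no larger than 100" and "no more than 20 characters" checks from the post, written so that a failed check rejects the request instead of reaching the database.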

    5. Re:Screw vandalism, especially on "soft targets" by drsmithy · · Score: 1

      Not many houses can stand a SEAL attack, yet it is perfectly possible to connect a computer to the Internet with zero vulnerabilities (think OpenBSD).

      Not many houses are built as a small, mostly buried concrete cube with no doors or windows, which is basically what the building equivalent of OpenBSD is.

      As soon as you make that OpenBSD system usable by adding functionality, the attack vectors start to open up dramatically.

    6. Re:Screw vandalism, especially on "soft targets" by SuricouRaven · · Score: 2

      Most users reuse passwords, anyway. Crack MothersKnittingForum's user list via a basic SQL injection attack, and it's almost guaranteed that some of those users will have the same password to access their email, facebook and paypal accounts.

    7. Re:Screw vandalism, especially on "soft targets" by Tom · · Score: 2

      I claim that a good part of that is a myth.

      Securing your house the same as a bank vault is unreasonable, because the physical changes required are massive, and costly, and require infrastructure.

      Removing telnet and moving to SSH is not even in the same category.

      Many of the "soft targets" are not soft because someone decided that a lock and a deadbolt are enough for their threat scenario, and the windows don't need to be reinforced - they are soft because nobody thought about threat scenarios at all.

      Also, because quite frankly, developers suck. We don't let people who know about beauty and composition, but not about structural analysis build houses. But we do let people who know nothing about writing secure software write our e-commerce applications. No surprise they're breaking down left, right and center. There is something to the old saying that if architects would build houses the way programmers write software, the first woodpecker to come along would destroy civilization.

      And that's why LulzSec is important. Exactly because they didn't hit the high-profile targets, but the second or third tier - the servers of some importance, not your personal blog, but not the White House, either. Because those are the people who commonly think the least about security. The bullshit mantra "we are not a target" is still strong in those circles. If that changes, that alone and nothing else, it would be a huge step forward.

      --
      Assorted stuff I do sometimes: Lemuria.org
    8. Re:Screw vandalism, especially on "soft targets" by pandrijeczko · · Score: 1

      It's actually a very good point.

      LulzSec made no mention of how long, prior to launching the attacks, they had spent actually *SELECTING* their targets - it could have been something they'd planned for months in advance, making lists of potential targets and choosing those which would not only get maximum publicity for themselves, but also because they were the easiest in the list to attack.

      Not that I condone anything hackers do anyway, but LulzSec actually made some big mistakes in the targets they chose - if a hacking group is seen to be "sticking it to the man" then they may get a degree of admiration and support from the general populace. But attacking sites like the Sony Network and Eve Online where that same general populace gets some of their entertainment from is not going to win them much in the way of support.

      It could be argued that better targets would have been banks because of the current bad feeling the general populace has against rich bankers - one therefore has to ask the question whether they did *TRY* to hack banking sites but simply could not get in to do any damage; are they therefore nothing more than a bunch of script kiddies with very limited hacking skills?

      --
      Gentoo Linux - another day, another USE flag.
    9. Re:Screw vandalism, especially on "soft targets" by thegarbz · · Score: 2

      I don't agree with your analogy, as physical and digital security are too different. Not many houses can stand a SEAL attack, yet it is perfectly possible to connect a computer to the Internet with zero vulnerabilities...

      No such thing, good sir. OpenBSD may stop Blaster or some Windows virus attaching itself to your system but does zero against attacks on the software that actually makes it usable. Rarely are online attacks directed at the operating system hosting the front end. SQL injection attacks make a database accessible regardless of the system, vulnerabilities in your HTTP server can give you access to the root of your system, a myriad of poorly coded PHP or other server-side code could give access to a system.

      If you think not using Windows is the solution to your security concerns then you are acting as negligently as all the people who got caught out in the recent attacks. Windows itself is also quite secure when well patched, put behind a firewall with no ports open, but just like your mythical bulletproof BSD box it would also be quite useless.

    10. Re:Screw vandalism, especially on "soft targets" by wvmarle · · Score: 1

      The difference with using an out-of-the-box secure system is that at least you know that only what you explicitly open, is open. Nothing else. And the next step is of course to make sure that you do not open anything any more than you intend to.

    11. Re:Screw vandalism, especially on "soft targets" by DrBoumBoum · · Score: 1

      my SQL queries are sent to the database through a library that does the escaping

      Just a question in passing, why do you need to send SQL text to the database in the first place? Why not use stored procedures? It seems simpler to me and also cleaner from an architecture perspective (i.e., separating database model from application logic). It also prevents any and all kind of attack against the database, making them impossible even if you for instance forget to escape your strings somewhere.

    12. Re:Screw vandalism, especially on "soft targets" by Flaming+Foobar · · Score: 1

      For example, a quick google search turns up this page on apache security.

      There isn't really much there that will significantly improve security, except the suggestions to keep Apache up-to-date and maybe installing mod_security. For instance, hiding the Apache version number might actually decrease security, since now you yourself might miss that you are out of date. It's not going to prevent any attack from happening.

      --
      while true;do echo -e -n "\033[s\n\033[u\134_\033[B";done
    13. Re:Screw vandalism, especially on "soft targets" by wvmarle · · Score: 1

      Well six, seven years ago when I built it up, stored procedures didn't exist in MySQL. I believe it's possible now but not sure whether Debian stable has that version included. That's already a major reason.

      Secondly most queries are done through a library call, not by sending the actual SQL command. Like db.query(db, fields, where, options, ...). There is nothing more fancy in it than reading information, no calculations or whatever - simply not needed. Really the most basic use of a db.

    14. Re:Screw vandalism, especially on "soft targets" by timftbf · · Score: 1

      not storing passwords as plaintext but as (salted) hash - a preventative measure for in case you do get hacked

      This. How anyone is still writing code that does this baffles me beyond all belief. I despair every time I click on a "forgot my password" link and get an email with a copy of my plain-text password...
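The "(salted) hash" item from the list further up, and the "forgot my password" complaint here, come down to one rule: the server stores something derived from the password and never the password itself, so a leaked table is not a list of credentials and a reset flow cannot mail the old password back. The block below is an added example, not code from either poster. It uses PBKDF2-HMAC-SHA256 from Python's standard library with a random 16-byte salt per user; the slow key-derivation function and the iteration count are this example's choice (the thread only says "salted hash"), and `UserStore` is a hypothetical minimal store written for the demo.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this added example (not from the thread):
# PBKDF2-HMAC-SHA256, a 16-byte random salt per record, and enough
# iterations that each guess against a leaked table costs real CPU time.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password):
    """Return a self-describing record 'pbkdf2_sha256$iters$salt$hash' (hex).
    A fresh random salt means two users with the same password get
    different records, so one precomputed table cannot crack both."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute with the salt and iteration count stored in the record and
    compare in constant time.  Malformed records simply fail to verify."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iters = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iters)
    return hmac.compare_digest(actual, expected)


def records_differ_for_same_password(password):
    """True when hashing the same password twice yields two distinct records,
    which is what the per-user salt is for."""
    return hash_password(password) != hash_password(password)


class UserStore:
    """Hypothetical minimal store that keeps only the hash record.  Because
    the plaintext is never stored, 'forgot my password' can only replace the
    password; there is nothing to email back."""

    def __init__(self):
        self._records = {}

    def register(self, username, password):
        self._records[username] = hash_password(password)

    def login(self, username, password):
        record = self._records.get(username)
        if record is None:
            # Burn a hash anyway so an unknown username is not visibly faster.
            hash_password(password)
            return False
        return verify_password(password, record)

    def reset_password(self, username, new_password):
        """The only thing a reset flow can do: store a new record."""
        if username not in self._records:
            return False
        self._records[username] = hash_password(new_password)
        return True

    def stored_record(self, username):
        return self._records.get(username)


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse battery staple")
    print(store.stored_record("alice"))                            # no plaintext in here
    print(store.login("alice", "correct horse battery staple"))    # True
    print(store.login("alice", "wrong"))                           # False
```

The stored record carries its own algorithm name, iteration count and salt, so the iteration count can be raised later and old records still verify; `hmac.compare_digest` avoids leaking how many leading bytes of the hash matched through response timing.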

    15. Re:Screw vandalism, especially on "soft targets" by Anonymous Coward · · Score: 0

      It seems simpler to me

      Until users want to construct queries of arbitrary complexity. Then you end up with five million permutations of search_items_by_size_color_brand_price_salestatus_etc_etc_etc.

    16. Re:Screw vandalism, especially on "soft targets" by hedwards · · Score: 1

      I'm guessing that they spent more time deciding who was the best source of lulz than who was the easiest target. There's just way too many sites that are basically completely unsecured.

    17. Re:Screw vandalism, especially on "soft targets" by DrBoumBoum · · Score: 1
      Or you could use something like

      -- Oracle PL/SQL: an optional-filter search as a single stored function.
      -- NULL for a parameter means "don't filter on it".
      CREATE OR REPLACE FUNCTION list_items(p_size IN varchar2, p_color IN varchar2, p_brand IN varchar2 /* , ... */)
      RETURN SYS_REFCURSOR
      AS
        l_cur SYS_REFCURSOR;
      BEGIN
        OPEN l_cur FOR
          SELECT it.*
          FROM item_table it
          WHERE (p_size IS NULL OR it.size = p_size)
          AND (p_color IS NULL OR it.color = p_color)
          AND (p_brand IS NULL OR it.brand = p_brand);
          -- etc...
        RETURN l_cur;
      END;
      /

      which has the advantage that you ever have only one SQL text in database memory, instead of having the database parse, compile and execute a gazillion different versions.

    18. Re:Screw vandalism, especially on "soft targets" by thegarbz · · Score: 1

      Ahhh so I suppose Win2k7 server is a perfectly secure system then. I mean out of the box it blocks all internet traffic except to the windows update site to get the current security fixes, and then queries you to setup your firewall and network.

      Good to see we're on the same page now.

  15. Re:Hell, yeah! by Anonymous Coward · · Score: 0

    You're an idiot and should be fired.

    You don't post company info on third party sites, end of story. Oh, and there's no such thing as too small for source control.

    IHPBT. IMHL. HAND.

    FTFY.

  16. 'Suggests'? by atari2600a · · Score: 1

    Don't you mean 'are known to'?

  17. warm and fuzzy. by villain222 · · Score: 1

    While I like the idea of security and keeping my stuff secure, I love the fact that this hacktivism shows one very good point. Corporations and the governments they've bought have all been chipping away at society in an attempt to go back to the good old days of serfdom, but when a few people in the masses who happen to know some shit get together, pissed off people get their message across.

  18. governmental attempts to control the internet by mark_elf · · Score: 2

    If we make internets illegal, only criminals will have internets.

  19. Classical deceit from The Guardian by Anonymous Coward · · Score: 0

    The world is a complex place. It's difficult to trace out exactly what leads to what when it comes to human interrelationships and behaviour. But we are still trained to try our best to do so, and to optimise our society by removing the causes of bad things.

    How can this be exploited by the evil?

    1. They observe that something bad happens
    2. They posit that this is caused directly by something they hate
    3. Suddenly they have turned what they hate from a special interest for them into a joint interest for everyone

    Is it newsworthy or realistic that The Guardian claims that 'three strikes'-laws caused the LulzSec hacks?

    Most countries don't have anything of the sort. What was the relative contribution between this, and e.g. newspapers that claimed three-strikes law are bad? Presumably if everyone had said between themselves that three-strikes are good laws then the hackers would have gone 'oh, well, I guess I am really in a minority and most people are OK with this'. So is the cause of radicalisation the three-strikes, or is the cause the people who egg on others to become radical in the face of three-strikes? Or is three-strikes caused by something else entirely?

    That said, LulzSec never referred to three-strikes to the best of my knowledge. So you are saying that, although they threw out a lot of random comments, they just never talked about the REAL underlying cause which concerned them? Doesn't seem very likely.

    When you are a newspaper that is so biased you feel you need to declare it openly, you should come with a warning label.

  20. AntiSec == security through obscurity? by boron+boy · · Score: 2

    LulzSec (and Anonymous) have 'demonstrated that an awful lot of people are either asleep at the switch or believed in arcane security methods like security through obscurity.

    Wait, what? LulzSec showed that security through obscurity is bad? I thought the whole point of their "AntiSec" cause was to stop security companies publicly announcing vulnerabilities. Isn't that the definition of security through obscurity?

    1. Re:AntiSec == security through obscurity? by Anonymous Coward · · Score: 0

      Wrong anti-sec. They used the term for a joint-op with Anonymous who just pick names out of a hat.

    2. Re:AntiSec == security through obscurity? by MimeticLie · · Score: 1
      According to your Wikipedia link:

      Graffiti reading "Antisec" began appearing in San Diego, California in June 2011 and was incorrectly associated with the original Antisec movement. According to CBS8, a local TV affiliate "People living in Mission Beach say the unusual graffiti first appeared last week on the boardwalk." They also reported "...it was quickly painted over, but the stenciled words were back Monday morning." It was later realized to be related to the new Anti-Sec movement started by LulzSec and Anonymous, some local news have seen and corrected this error.

      Same name, different movement, apparently.

  21. Guardian Article by brit74 · · Score: 2

    > "A related story at the Guardian suggests that governmental attempts to control the internet are spurring these activities."
    I have to admit, I read that sentence in the summary and I scoffed. Then I read the article, and I still scoffed.

    How about my interpretation of Loz Kaye's article: people who are deeply involved in some cause always find the reason "bad thing happened" to be because of "bad thing that they don't like and have been working against". It reminded me a lot of Pat Robertson's claim that 9/11 happened because of the gays and feminists and abortionists. Uh huh. Sure it did.

  22. Terminology by bonch · · Score: 1

    "Hacktivism." Ugh.

  23. Re:Prediction: .XXX domain = plans for control of by SuricouRaven · · Score: 1

    Technicalities. In theory ICANN could easily ban porn from .com, .net, .org, etc - and, as they are still heavily influenced by the US government, they may do so if the right (i.e., wrong) politicians come to power. The legal bit wouldn't even be hard - firstly, they could argue that they aren't really a branch of the government (which is technically true) and secondly, within the US, pornography - or more specifically, the legally obscene - is already illegal. It's just that very few police departments consider that law worth the effort of enforcing.

    The real problem such an effort would come up against would be the country-code TLDs. The US has no influence there, not even through its proxy ICANN. So the worst case scenario is that all the porn sites leave .com - the respectable ones set up in .xxx, and the less-respectable ones set up in the country-code TLDs so they can continue using their google-manipulating, email-spamming ways as before. Nothing is really changed, but the self-declared defenders of the family can pat themselves on the back for defending the country against the pernicious pornography.

    The obvious next step after that would be to filter the porn out from overseas, a Great Firewall of America, but I can't see that happening for a long time. Not because the anti-porn forces wouldn't want to, but because it takes years to push the envelope that far.

  24. The problem as I see it. by Reed+Solomon · · Score: 2

    The governments of the western world seem to have it in mind that criminalizing everything will protect them from some sort of boogeyman/men. Hackers, and in general people who steal what's "theirs". People who just want to share their free thought. What the people in power want is for you to second guess everything you say or do, and to live in fear of the consequences. They want to create a cyber police and regulate every aspect of our lives. For what? For profit. To maintain control. No other reason. We've seen thanks to the actions of Anonymous and wikileaks and others how deep the corruption is. We've seen first hand what happens when some group destroys an entire ecosystem (the gulf of mexico) compared to when someone attacks the state. Now all the cards are on the table. They want to shut it all down. They want three strikes laws. They want search and seizure laws. They want to do things without due process or warrants. They want to impose their twisted morality on the populace. They want to frame Anonymous/Wikileaks and the like and make them out to be pedophiles or terrorists or pirates or rapists. It's rather disgusting how obvious it is. And the most shocking thing of all is that they are actually SURPRISED by the retaliation they are receiving, as minimal as it is! The actions of what appear to be just a few people have terrified the companies who thought they had carte blanche to do as they pleased. However it hasn't pressed them to change their ways, but to hide behind a veneer of superiority and attempt to stop those selfish robin hoods of the internets.

    1. Re:The problem as I see it. by Intrepid+imaginaut · · Score: 1

      The governments of the western world seem to have it in mind that criminalizing everything will protect them from some sort of boogeyman/men.

      I think it's more that it's the easiest line to sell to the voters, at least that's what the politicians believe. Maybe if they had more respect for the intelligence of their citizens and less for Saturday night psychology the world might be a better place.

    2. Re:The problem as I see it. by Anonymous Coward · · Score: 0

      There is a fine line between control and anarchy. The bigger and more complex the system is the harder it becomes to maintain the necessary control needed to ensure a working society. People are up in arms about losing their rights but what they are really upset about is being told they can't just do anything they want anytime they want.

  25. Wrong line of thought by Errol+backfiring · · Score: 1

    The first law of security is that if anyone gets in, anyone can get in. If you make sensitive data available via the web, it is accessible via the web. By anyone. You can make it hard to access, even extremely hard to access, but not impossible. So the very first step in security is the question why the hell you would want to hand over your responsibilities to some automaton that can be accessed by anyone.

    --
    Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
  26. Not asleep - in a rut by cheros · · Score: 2

    [disclosure: I do this for a living]

    If you look over what happened over the last 5 years or so in security you'll see that nothing really new has happened. We get more sophisticated with defenses, stuff gets more expensive, but fundamentally it's deja vu all over again. 99% of what I come across suffers from a pure tactical focus - no long term thinking, no attempt at understanding the mindset of those seeking to cause harm or steal information, no strategy or root cause analysis of assaults.

    The result is that defense has simply turned into an arms race. Immensely profitable for providers, no added value for the customer.

    About 5 years ago we started to work on different approaches which normal risk assessment never touches. As a consequence of the insights gained we stamped out bank data theft for our clients without imposing new regimes or buying new equipment - all it took was a month worth of work. However, that requires people that can really think differently, whereas HR has moved towards cookie cutter tick box selections that seem to be aimed at filtering out exactly those people who can make a difference (the use of HR management seems to exacerbate this trend).

    Security management has become predictable, and with predictability comes failure. The message is clear: start thinking differently - or lose the battle.

    --
    Insert .sig here. Send no money now. Owner may sue, contents will settle. Batteries not included.
    1. Re:Not asleep - in a rut by Anonymous Coward · · Score: 0

      That is a hell of a comment. I agree with the first two paragraphs. Care to elaborate on your experience with reform?

    2. Re:Not asleep - in a rut by Anonymous Coward · · Score: 0

      "Care to elaborate on your experience with reform"

      Very hard work.

      First of all, as you are looking at strategy you are mentally about 4 years ahead of management - you see a picture they haven't even considered and as a consequence you always end up with an educational exercise before you can even sell, let alone fix their problems. At present we're usually called in to put out the fire, and there is little interest in really fixing the broken fundamentals. All they want is the noise to die down - until the next problem occurs. Personally, this is really not the kind of business I want, I hate ambulance chasing, but I reckon we have to suffer this for a year or so.

      Secondly, you hit the aforementioned problem with HR if you try to fix it internally. In general I get very disappointed with HR - there too a comfortable tickbox rut has developed instead of reading CVs and focusing on the person that exists between the lines. HR thus goes for the sellers: people that can sell themselves well, not for the stars who don't actually care about marketing themselves well - the guy in the 3 piece suit who talks management speak instead of the guy in jeans who wanders in late because he found a really interesting problem to fix which distracted him somewhat. In this context I find classification actually becoming a hindrance. In the UK there is a scheme called CLAS which is supposed to rate people for government work. In reality, it just checks if they are security cleared, are of British nationality (really funny because AFAIK their core infrastructure was built by foreigners) and can fill in a tickbox list. There is ZERO focus on character and attitude, so you end up with (a) total idiots which sell because they passed a rubbish test (and you continuously have to dig out of trouble they got themselves into) and (b) exclusion of the good guys who either can't be bothered to go through this process, do not want to be associated with idiots or who happen to be of another nationality. This is partly a result of flawed management styles: strong leaders seek a degree of friction, staff with their own opinion and insight that can debate, and pick from that interaction the best for business. Weak leaders seek people that say "yes", and thus fail to use the talent they have in their teams. As a matter of fact, some of them actively go out of their way to remove talent as it's "troublesome", and the results are easy to see.

      Thirdly, for this to work you need *really* good people, and they are hard to find. That's why I focus on VIP work - they can afford to pay the sort of tariffs you need to charge if you want to keep the good guys (although the fact that it's interesting work helps). Try to find people who have deep technical skills but are also socially capable, can explain complex matters in normal English (and other languages) to non-experts, understand media exposure and still also have a strategic view - so far I found three, two of whom I trained myself years earlier..

      The good news is that we're starting to get a reputation. Clients like us because we don't do BS - they can understand what we do, we tend to creatively solve problems at root level so they don't appear again and we're not consultants who always happen to absorb all available budget. We come, act, leave. Dry, military style, no BS, discreet, simple.

      As for my observations, I will eventually write a white paper about it when I have time. It's too important a deficiency not to draw attention to, and I've already been asked to support a new security related university course because of my observations - if I only had time..

    3. Re:Not asleep - in a rut by cheros · · Score: 1

      Sorry, the above is me - must have ticked "anon" out of habit :-)

      --
      Insert .sig here. Send no money now. Owner may sue, contents will settle. Batteries not included.
  27. Re:Prediction: .XXX domain = plans for control of by jpate · · Score: 1

    the legally obscene - is already illegal

    what are you talking about

  28. not everything is relative by sourcerror · · Score: 2

    DDoSing is very hard to counter and small sites can be DDoSed by legitimate requests as well (see Slashdotted). Also, you don't leak sensitive data while being down. However SQL injection is just fucking pathetic. There's no excuse for that. That's developer negligence. I'm not excusing LulzSec for it, they committed a crime etc., but it's like leaving your front door open, being robbed, and then lamenting about "what the world has come to".
    Also shared PHP hosting sites are vulnerable to other malicious users, but that's also more of a money problem, not direct negligence.

  29. False assertions allows by Anonymous Coward · · Score: 0

    a false set of derivative assertions.

    We can't/won't be hacked.
    Our data, including data we hold on behalf of our customers, won't be stolen.

    If someone says they are x, they are x.
    If someone knows an account number, a name, and a date of birth, they are x.
    If someone knows a secret question, they are x.

    Trusted servers can't be hacked.
    We always accept what a server says.
    If a server says something happened, then it did.

    People can't use attacks for an agenda.
    People won't place demands on us.
    If someone is attacked, it is because they don't have the security we have.

    The attack didn't happen because it can't.
    The attack didn't result in a significant breach of data.
    The attack happened 3 months ago.
    It wasn't our fault.

    We want to force people to do things we want.
    People won't force us to do things they want.

  30. Re:Prediction: .XXX domain = plans for control of by reasterling · · Score: 0

    regulatory agencies will try to push porn everywhere else off the net

    What is wrong with that? You seem to think that a change in name equals a change in location. So what if your favorite porn site now ends in xxx instead of com or whatever? This would be a tremendous help to all us parents who do not want porn in our house. And before you say that this is just another "think about the children" reaction you should know that it is already illegal for a minor to be exposed to porn. This would only help us stay within the law better. I for one welcome the day when I can set up my own bind server with all xxx tld sent to 127.0.0.1 or [::1]. Of course this would also be a tremendous help to most businesses who need to avoid sexual harassment lawsuits.

    This is not censorship. The government would simply be demonstrating good grouping skills. This seems very much like the unix way. User files are in the home dir, config files are in etc, constantly changing sys files are in var, and your porn is in the .xxx folder. I personally welcome a decently regulated much more expanded top level domain naming system. I think there should be a .home for our private home networks. Perhaps we could have .fire for the local fire department, or .police, .library, .postoffice etc... I think it would be far simpler to type cityname.service or even address.city.state to reach your house.

    --
    "For I desired mercy, and not sacrifice" -- God
  31. Not everyone cares by xnpu · · Score: 2

    When doing consultancy a lot of people told me flat out they didn't care about security. Quotes like "Anyone can walk in here during lunch and steal whatever they like; why would I (as the IT director) spend $$$ on computer security when management doesn't even care to lock the door." were very common. While the logic is obviously flawed it does illustrate that it simply wasn't a priority - which is not the same as living in ignorant bliss.

  32. Oh dear by SmallFurryCreature · · Score: 1

    Eh, this really ain't that hard. It is similar to how the Nazis showed us how hate is bad.

    This article ain't about the agenda of Lulzsec but on what the results of their actions have revealed about IT security.

    Yes, antisec is idiotic, it is however not relevant.

    The large number of successful hacks recently has shown IT security is in a bad state. The motivations for those hacks are not relevant, nor even that a single group did it.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

  33. Re:Prediction: .XXX domain = plans for control of by selven · · Score: 1

    you should know that it is already illegal for a minor to be exposed to porn. This would only help us stay in the law better.

    Of course this would also be a tremendous help to most businesses who need to avoid sexual harassment lawsuits.

    So you need a bad law to protect you from other bad laws. Got it.

  34. Re:Prediction: .XXX domain = plans for control of by SenseiLeNoir · · Score: 1

    he meant: what is defined in the "legal" world or in terms of law as obscene is already illegal.

    this is different from saying "the obscene is illegal" as different people have different views of what is obscene.

    That is what he meant; I thought it was obvious, I guess not.

    --
    Have a nice day!
  35. Security through Obscurity by Dan541 · · Score: 1

    Anyone who doesn't believe in Security through Obscurity should post their passwords and credit card numbers on /.

    --
    An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
  36. Nobody wants security, but exceptions occur by EnergyScholar · · Score: 1

    What Opportunist says is true in the great majority of cases. I have seen the truth of it myself. There are, however, notable exceptions:

    #1 For some years I was a senior secure-systems developer for Symantec's Norton Store. With personal details and financial information on 60+ million people, huge flows of money, plus the fact that we were a security company, we knew we had a huge glowing orange target reticle painted on us. Security was a huge aspect of corporate culture. While we were very careful to maintain COMPLIANCE with assorted standards, we were equally careful to always go above and beyond the requirements of compliance in order to achieve REAL security. The corporate culture for my (admittedly elite) team treated COMPLIANCE as the starting point for security: if we were not compliant with, e.g. PCI Standards, then we DEFINITELY had a security problem, but compliance was just the start point.

    #2 When lives, possibly your own and those of your family and friends, are truly at stake, security takes on a whole new meaning. Being compromised is then not about being embarrassed or losing money, it is much more serious. There is a different gut feeling. One thinks about ALL aspects of security, not just how well the network is secured. I was once involved in such an operation. My security skills were good enough to help protect the Norton Store, but were not adequate for this standard. Instead, a high military security standard was required. When the stakes are very high, different issues arise. In my case, I became a security risk to the project because my children could not be adequately protected, leaving me vulnerable to compromise by threats or actions against my children.

    1. Re: Nobody wants security, but exceptions occur by Opportunist · · Score: 1

      I have one (ONE, a single ONE) customer who actually wanted security. And I always love going back to him, working for him is actually a lot of fun.

      At first it didn't look too good. The CSO at first came across as paranoid in the worst tin-foil-hat way you could think of. Everyone's working against him, everyone's trying to bypass his security measures, everyone's just watching YouTube all day, they disable their Antivirus just to spite him and install cracked software (which the AV would disallow), you know the kind of guy. Worst was, it was true (hey, just 'cause you're paranoid doesn't mean they ain't out to get you). Despite rather reasonable locks in place (none of the usual "I'm the boss and I have to show you by imposing nonsensical limitations on what you can do while you're at work") with a fair lot of exceptions where sensible, people still couldn't accept, e.g., using a proxy to access webpages or abstain from using freemail accounts (despite agreements that management won't even monitor what you do on the internet or what mails you receive, all they did was check for malware, which is in my books not only very sensible but also VERY lenient).

      It was my first (almost) no bars red team audit. Ever had one of those? Fun if you do them. Horrible if you're subject to them. No, seriously, I would have done it for free, it was REALLY awesome and very rewarding. It's about as close as you can get to "legal hacking". You get a lot of information about the inner workings of a company, get (almost) free rein in the choice of your means (our first one included having one of us being hired as a new programmer for them, it gets harder with time when the people there start to get paranoid about every new guy ;)), only limit is deliberate damage or damage of third party (not in the possession of the company) property.

      You will never get something like that from someone who is just interested in a compliance certificate. He doesn't really want his security to be tested. He wants a piece of paper. If anything, this showed me that that CSO really had a keen interest in the security of his company. It also wasn't just to prove that he is right (and everyone who doesn't share his opinion about paranoid security is a dumb idiot), mind you, but it was his last chance to show to upper management that some restrictions have to apply, not because he wants to be an ass to the people or he wants to show that he's not utterly useless, but because he's responsible for their ability to do their job.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  37. Obscurity is a useful component by petes_PoV · · Score: 2
    The point of security is to increase the amount of time it will (would?) take a baddie to do bad things. We know that security can NEVER provide an absolute guarantee that the wrong people won't do the wrong thing - it can only reduce the possibility of that happening.

    So it is with obscurity. Provided it is not the ONLY security feature used, it has a place in reducing the visibility of a target - just as camouflage has been doing in the military for hundreds of years. It also adds to the overall difficulty of getting into a secure location (be that a website or building) and therefore has a deterrent effect: even if that's only to move the baddies along to try the next target on the list, rather than yourselves.

    Where does that leave obscurity? Right where it needs to be: as a valuable tool in preventing and delaying security breaches. The key thing about it (as with all security features) is to know when it is no longer effective and then to either revamp it or replace it. However, it obviously is still effective for the vast majority of institutions and therefore should not be dismissed.

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
  38. Call it what it is - Lulzsec is teh scaredz by xyourfacekillerx · · Score: 1

    They've seen the government is willing to track down hackers, and apparently have the resources and means to do so. If it's true they're backing off, it's because their sense of survival has kicked in and they realize they'd prefer not to be caught by giving the authorities even more avenues of evidence to pursue.

    Lulzsec was probably not one of those very professional hacker criminal organizations that utilized a hundred thousand zombie PCs to conduct its information stealing activities [we're talking mafia, foreign governments, or very sophisticated and probably personally acquainted hacker groups, etc. in that case]. So their tracks probably aren't that well covered.

    Otherwise, why quit? Their (apparent) manifesto doesn't suggest a time-frame. "We've done it, we've shown the world they're not secure". Uhh, no, we already all knew that.

    1. Re:Call it what it is - Lulzsec is teh scaredz by tqk · · Score: 1

      "We've done it, we've shown the world they're not secure". Uhh, no, we already all knew that.

      Uhh, no, not everyone did. Go back and read the comments related to the CitiBank hack. Damned near every one expressed astonishment that such a high profile banking site like that could be so complacent about securing its customers' accounts. Client-side session mgmt? Really?!?

      I'm astonished to see such massive corps cheaping out on hiring expertise, and I've seen it on more than a few really big outfits which could easily afford better (the cost to their operation would be a speck of dust in comparison to their revenues and profits), but couldn't be bothered to care. IT is a cost center, really?!? The cost center really is any and all within the org who don't see the value to the overall operation in doing it right.

      I wonder how many customers that's cost CitiBank so far. I wonder how much the class-action lawsuits for negligence are going to cost them in the very near future.

      --
      "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
  39. Devil's Advocate by SeeSp0tRun · · Score: 1

    I am going to play Devil's Advocate here...
    Instead of "the government is behind this to create new laws to lock down the interwebs," I would say it is entirely as plausible to say "the government is behind this to create new jobs and interest in information security to better arm the future with the tools needed to guard against such things, and also create more IS jobs."

    The tinfoil hat works both ways.

    --
    Something witty.
  40. Perfect security is a fairytale by Anonymous Coward · · Score: 0

    There is no such thing as perfect security; modern software and networks are so complex there will always be holes.

    It is easier for a determined attacker to break into a computer system than it is to defend one from a determined attacker.

    I would have loved to see Lulzsec set up a web server and try to defend it from other groups.

  41. A windows and a brick by Gyorg_Lavode · · Score: 1

    No-one accuses a store with a glass window of being "asleep at the wheel" with respect to security just because they don't have bars in the window. Cyber security's mentality that if you haven't implemented all security features you have somehow invited the attack is simply unfair and removes the mentality of malice from those who are breaking the law. Ultimately, a culture shift to seeing those breaking into websites as common criminals to be despised needs to happen. High-value targets will always need bars on the windows, but the rest of the internet should be able to get by without an IPS, web app security gateway, etc, etc, etc.

    --
    I do security
    1. Re:A windows and a brick by biodata · · Score: 1

      That would be OK, but the quid pro quo is that the rest of the web should not be putting the personal details of private individuals in their windows. If they go doing that they would be foolish not to expect people to break their windows in protest.

      --
      Korma: Good
  42. These corps and govs should be saying thank you... by __aasehi2499 · · Score: 1

    To these groups for getting them thinking about these matters before China starts bringing their full might to bear and busting down cyber doors all over the place.

  43. Hairyfeet (going to blow your mind): 110% with you by Anonymous Coward · · Score: 0

    The fools always get themselves in the end Hairyfeet: Mgt. today is of the ENRON BUILD so to speak. Like ideals, & it's ALL ABOUT YOUR BONUS, not doing a good thorough job man!

    Yes - I've seen the SAME SHIT, & got fired for it once @ a major insurer whom I was hired to do secured coding for data transfers of folks' medical & insurance claims data for... BLEW MY FUCKING MIND in fact!

    E.G. -> I pointed out that, yes, we can secure SQL Servers, IIS, as we have thus far, and our code too (using stored procs & bind variables, plus moving any business logic OUT of the "Front Ends" in apps of any kind (web or local) & by moving from VB6 to ASP.NET/VB.NET apps (more for the garbage cleanup abilities built in on the latter though))... but, they were NOT securing down endpoints (workstations/laptops/printers etc.) & only using "std. stuff" (here is the funny part, getting to it).

    I get chewed out & told "Your CIO & network managers get paid very well to do their job, and it's their job, not yours" & I said "They are making my job a lot less effective, & possible".

    About a month later?

    I turn up this funny executable running on my system (that I never set up in the first place & found out they just gave it to me from another user, not fresh reinstall either, but was pretty "blank" anyways, so I went with it & went to work coding secure FTP systems). I figure they were "shadowing me" @ first, so, I asked if they were. They said no. I pointed out the WEIRDLY named .exe in memory in taskmgr.exe (like aXpSIgaoi.exe for example)... guess what?

    Turns out said "well paid CIO (no computer know how at all & yet he's leading an IT dept & coders too?) & network manager (paper MCSE & little experience @ all, like less than 1 yr.)" had set up the Trend Micro AntiVirus wrong for network clients & it was 6 MONTHS OUT OF DATE & NOT WORKING RIGHT EITHER!

    So - What happens, even though I turned up right?

    I GET FIRED!

    And, after writing them 10 programs that ran perfectly per the points I use to secure app & server-side stuff too, bulletproof & bugfree + totally fully errtrapped too!

    I got fired... just for pointing out problems they were facing (told them to harden the endpoints too, because users are the weakness ala PEBKAC).

    In the end?

    I found out from running into a co-worker shopping for groceries that the then "well paid CIO & network manager" got fired, because they went to FREE AVG antivirus in a CORPORATE SETTING (a big no-no), & the same from another co-worker the same thing via email (great guy, one of the BEST .NET coders I've ever met in fact)...

    Gee, I wonder who "ratted out the rats", eh? NOT!

    APK

    P.S.=> It's the world today man... not you, so don't let it get you too badly (yea, I know - easier said than done) but rats ALWAYS screw themselves in the end (after taking a lot of money for doing piss poor work though first). I think YOU did the right thing & went out on your own man... smart move, I did the same & went 100% contractor!

    ... apk
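    Comment 28 calls SQL injection plain developer negligence, and comment 43 names stored procedures and bind variables as the fix. The following is an added example, not code from any commenter, using Python's sqlite3 and a constructed customer table to show the string-pasted lookup beside the bound-parameter lookup, including the legitimate-apostrophe case that breaks the unsafe version on its own:

```python
import sqlite3

# Constructed sample data (not from the original thread): a tiny customer table.
ROWS = [
    (1001, "alice", "1980-01-01"),
    (1002, "bob", "1975-06-15"),
    (1003, "carol", "1990-12-31"),
    (1004, "O'Brien", "1968-03-09"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (acct INTEGER, name TEXT, dob TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", ROWS)
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    """The negligent version: the caller's string is pasted into the SQL text,
    so any quoting inside the input becomes part of the statement itself."""
    sql = "SELECT acct, name FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """The 'bind variables' version: the value travels separately from the
    statement text, so the database only ever compares it as data."""
    sql = "SELECT acct, name FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups over the same inputs and report what each returns."""
    conn = make_db()
    # A value carrying SQL quoting, used only to contrast the two lookups.
    crafted = "nobody' OR '1'='1"
    # A perfectly ordinary name that happens to contain an apostrophe.
    try:
        lookup_unsafe(conn, "O'Brien")
        unsafe_handles_apostrophe = True
    except sqlite3.OperationalError:
        unsafe_handles_apostrophe = False
    return {
        "unsafe_rows": len(lookup_unsafe(conn, crafted)),   # every row leaks
        "safe_rows": len(lookup_safe(conn, crafted)),       # no such customer
        "unsafe_handles_apostrophe": unsafe_handles_apostrophe,
        "safe_apostrophe": lookup_safe(conn, "O'Brien"),
        "safe_normal": lookup_safe(conn, "bob"),
    }


if __name__ == "__main__":
    print(demo())
```

    The bound version also copes with the apostrophe in "O'Brien", which the string-pasted version turns into a syntax error, so parameterisation is a correctness fix as much as a security one.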

  44. Reminds me of Batman and Joker by Uhhhh+oh+ya! · · Score: 1

    Sorry for my being extra nerdy here but it's true how they both exist because of each other. The hacker groups claim to exist because governments are cracking down on freedom, and the governments claim they are cracking down because of the hackers. I don't think either side is to be praised because neither side seems to be making much progress and it is the middle users' freedom and privacy that suffers. However, sadly I see it more likely that if the government would back down the hackers would disband, whereas if the government had no friction against them they might start moving slower but still in the same direction.

  45. so this article is... by Anonymous Coward · · Score: 0

    yet another excuse to talk about lulzsec....

  46. Should have used Norton... by Anonymous Coward · · Score: 0

    Should have used Norton you chuckwadding farkburglar!