Slashdot Mirror
The Lesson of Recent Hacktivism
itwbennett writes "LulzSec says they're retired, which may or may not be true. But one thing the world has learned from their 'frightening yet funny escapades is that 'the state of online security stinks,' writes blogger Tom Henderson. LulzSec (and Anonymous) have 'demonstrated that an awful lot of people are either asleep at the switch or believed in arcane security methods like security through obscurity.'"
A related story at the Guardian suggests that governmental attempts to control the internet are spurring these activities.
Its a site that allows celebrities & famous people to make twats of themselves by not speaking through agents, PR or lawyers.
They believed that money spent on security products == we are secure. They were not asleep. They did not believe in security through obscurity. They trusted the industry. They gave it money in return for products that were supposed to protect them. They lived in ignorant bliss. Unfortunately, the security industry (and the rhetoric they proclaim) is all about the end goal of the industry making money. Companies are lured into a false sense of security based on what they are being told, and what they spend money on - and it seems totally reasonable from their perspective. Unfortunately, the public (and the victim companies) are not aware of one tenth of one percent of what is actually going on. Any company that has anything worth significant financial value is either compromised or is a target with a big bulls eye on their gold stash - guaranteed.
LulzSec might have ended, but I can guarantee you the exact same stuff is happening underground, except this time you probably won't know all your information has been stolen. Other than exposing corrupt whitehats I don't really agree with their actions, but I'm not sure if the alternative of keeping it in the hands of underground blackhats and IRC scriptkiddies is any better (not that is wasn't going on during LulzSec as well, but still).
Regardless, the AntiSec movement seems to be picking up some steam, at least within Brazil (protests are planned for July 2nd), and the first AntiSec release has just been posted to Pirate Bay: http://thepiratebay.org/torrent/6502765 with more promised tomorrow.
Regardless of their "supposed" script kiddie status (they did break into a hacking contest website and turned down the 10k), I think it was smart for them to disband and take up a greater cause, and I guess time will tell if they are successful or just run out of water.
Arcane is not really the right word there. There's nothing "arcane" about security through obscurity. Perhaps they meant "archaic"?
V for Vendetta? Seriously? That quote's from W.B. Yeats: Turning and turning in the widening gyre The falcon cannot hear the falconer; Things fall apart; the centre cannot hold; Mere anarchy is loosed upon the world, http://www.potw.org/archive/potw351.html Credit where it's due.
Lulzsec's resounding accomplishment is that it will wake organizations up about the state of their security, and maybe even get us a few anti-negligence laws for the companies who think of security as an afterthought.
Given that these "rogues" or "hackers" are well skilled with network technology, what do these governments think they can do if the are capable of setting up their own internet? They know how to make the hardware; they know how to make the software; they know how to send communications over different spectrums. The governments would have to have complete control and ability to scramble communications over all possible channels. And even then, a new communication channel can be found and used to transfer electronic signals.
It's a futile, stupid effort. I can set up my own intranet... and then what? The government comes in and takes it away... ok, then build another. They'd have to make it so I couldn't buy certain pieces of hardware. Then the same corporations that profit from that hardware would cry foul for dipping in to their revenue stream. Now you get the government fighting against the same corporations they protected, and well, let's face it, the government will back down.
The scales of justice are weighed in both gold and greed.
I don't think people are asleep at the switch, at all.
I also don't think they are relying on security through obscurity.
In large companies I have worked for, there are a lot of very competent people that care a lot about security. But the thing is, security is a minor consideration to spend time and money on compared to making working systems.
Obviously it would be better if that would change, but I don't think honestly it can until someone has had the lesson REALLY driven home to them by a major security issue.
I would bet that within five years Sony security is actually pretty good. It is a good wake-up call to the industry, but remember that generally the alarm clock is only really heard by the owner of the house it rings in...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Nobody wants security. Everyone wants compliance.
From an auditor's point of view, it's very easy to explain the reason why the security in most companies is at a level that's not even laughable. No company is interested in it. What they want is certificates, they want their ISO27k and their PCI-DSS, but not because they want them to know for themselves that they're secure, they want them to display to others that they are, so they can get contracts or are compliant with legal requirements to be allowed to do something.
Now, some might think security and compliance with security requirements is the same. Both mean that you "want" security. And that's the fallacy. Security is something you want yourself. You want security because you want to be secure. Security is in this case the primary interest and the focus by itself. Compliance is something that is forced onto you. You want security because someone else wants you to be secure. Security is in this case only the means to the goal, be it to conform with legal requirements to continue operations or be it to be allowed to process credit card payment.
Within the last decade or so, the number of companies where I actually had the idea that they wanted security for themselves, even if only as a side effect to the compliance requirements, was very, very low. Most want to get done with it, preferably fast and without hassle. If the compliance requirement is that your door is locked and barred but doesn't say anything about your windows, they won't even listen to you if you tell them they have no windows but just big holes in the wall. Their door is sealed, that suffices to be compliant. The windows? Not part of the compliance requirement, we don't care.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
You're an idiot and should be fired.
You don't post company info on third party sites, end of story. Oh, and there's no such thing as too small for source control.
I have probably just been trolled.
Here's the thing: information security, just like any other type of security or insurance, is completely relative.
My dinky little websites have adequate capacity to serve the few hundreds of people a day who visit them, but would not withstand a Slashdotting or DDoS. My house is secure enough to resist a burglar, but not secure enough to resist a Navy SEAL strike team. Does this mean I'm negligent? No, it means that I could spend thousands of dollars on additional infrastructure for security or capacity but I choose not to because it's highly unlikely I would need to.
That's why the example of LulzSec is pathethic and not instructional. There are lots of "soft targets" on the Internet (in terms of security or capacity) that you could take down pretty easily if you wanted to, just because those sites can't justify full-time security teams or massively extensible infrastructures. I'm not talking about high-profile sites like Sony or the CIA, but stuff like EVE login servers or some county in Arizona. A bunch of douchebag script kiddies taking down some MMO server doesn't necessarily mean that anyone was truly "negligent," it just means that they picked easy targets. And there is not, nor will ever be, a shortage of easy targets on the Internet if you're willing to aim at those.
"95% of all Slashdot
Dealing with the kids now modding the slashdot scene is beyond formulaic.
don't mod me down, if you do you must be a kid.
Say shit you like = Yay!
don't mod me down, yay.
Try to get somebody to fucking read something, maybe listen for a damn change = incur the wrath of the hordes!
don't mod me down, my post shouldn't be modded down.
here's a tip: instead of coming to the baseless conclusion that this is a generational thing maybe ask why certain people feel that way, you'll get a better response than your branding of a generation as 'stupid' and 'pricks'. you get modded down your post has 'back in my day we were smarter and more considerate and your opinion is stupid' superiority complex overtones.
FWIW i didn't mod you.
Don't you mean 'are known to'?
I swear to fucking god - look at how my posts are modded on this thread.
Don't bring up Bush and claim your post isn't flamebait. I mean, seriously, this is what you said:
"I actually blame the parents (the Bush-haters) for breeding such a bunch of twats as LulzSec. Please don't mark this down as flamebait"
while i like the idea of security and keeping my stuff secure, i love the fact that this hacktivism shows one very good point. Corporations and the governments they've bought have all been chipping away at society in an attempt to go back to the good old days of serfdom, but when a few people in the masses who happen to know some shit get together, pissed off people get their message across.
CEO sociopaths? Well, maybe to a degree, but that isn't the underlying cause. Greed is rather the reason. Greed, but not (only) on the CEO's side.
The CEO is under pressure, like everyone else in the company: He has to perform, and he has to perform well. He has to generate revenue, and lots of it. Else he's being replaced by one who does.
The sociopath CEO now does it without remorse. The conscious CEO does it because he rationalizes that a lot of people have invested their money, probably all their life savings, into the stocks of that company and he has a responsibility to do his best to justify that trust. That's the beauty of the system, nobody is a sociopath, everyone can rationalize what he does. Your boss fires you, who's knee deep in dept, but he can rationalize it because he has to fire someone from the team or he has to fire everyone 'cause his budget doesn't allow him to continue the project else. His boss in turn, who signed the budget, couldn't give him more because he, in turn, only had so much money to spend and he doesn't even know you, he only knows that if he distributes his money well, a lot of people will be able to keep their jobs. This chain goes up to the CEO, who in turn rationalizes his layoffs with the responsibility to the investors. Who, in turn, don't even know what they invest in because that's something their bank's investment manager does. Who in turn can rationalize that he has to do his best to invest that money in those companies that perform best because people trusted him with money to invest for them.
You see, nobody has to be a sociopath anymore to be an asshole.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
If we make internets illegal, only criminals will have internets.
Wait what? Lulzsec showed that security though obscurity is bad? I thought the whole point to their "AntiSec" cause was to stop security companies publicly announcing vulnerabilities. Isn't that the definition of security through obscurity?
Yet another blogger begging for an audience.
> "A related story at the Guardian suggests that governmental attempts to control the internet are spurring these activities."
I have to admit, I read that sentence in the summary and I scoffed. Then I read the article, and I still scoffed.
How about my interpretation of Loz Kaye's article: people who are deeply involved in some cause always find the reason "bad thing happened" to because of "bad thing that they don't like and have been working against". It reminded me a lot of Pat Robertson's claim that 9/11 happened because of the gays and feminists and abortionists. Uh huh. Sure it did.
"Hacktivism." Ugh.
Technicalities. In theory ICANN could easily ban porn from .com, .net, .org, etc - and, as they are still heavily influenced by the US government, they may do so if the right(ie, wrong) politicians come to power. The legal bit wouldn't even be hard - firstly, they could argue that they arn't really a branch of the government (Which is technically true) and secondly, within the US, pornography - or more specifically, the legally obscene - is already illegal. It's just that very few police departments consider that law worth the effort of enforcing.
.com - the respectable ones set up in .xxx, and the less-respectable ones set up in the country-code TLDs so they can continue using their google-manipulating, email-spamming ways as before. Nothing is really changed, but the self-declared defenders of the family can pat themselves on the back for defending the country against the pernicious pornography.
The real problem such an effort would come up against would be the country-code TLDs. The US has no influence there, not even through it's proxy ICANN. So the worst case scenario is that all the porn sites leave
The obvious next step after that would be to filter the porn out from overseas, a Great Firewall of America, but I can't see that happening for a long time. Not because the anti-porn forces wouldn't want to, but because it takes years to push the envelope that far.
The governments of the western world seem to have it in mind that criminalizing everything will protect them from some sort of boogeyman/men. Hackers, and in general people who steal whats "theirs". People who just want to share their free thought. What the people in power want is for you to second guess everything you say or do, and to live in fear of the consequences. They want to create a cyber police and regulate every aspect of our lives. For what? For profit. To maintain control. No other reason. We've seen thanks to the actions of Anonymous and wikileaks and others how deep the corruption is. We've seen first hand what happens when some group destroys an entire eco system (the gulf of mexico) compared to when someone attacks the state. Now all the cards are on the table. They want to shut it all down. They want three strikes laws. They want search and seizure laws. They want to do things without due process or warrents. They want to impose their twisted morality on the populace. They want to frame Anonymous/Wikileaks and the like and make them out to be pedophiles or terrorists or pirates or rapists. It's rather disgusting how obvious it is. And the most shocking thing of all is that they are actually SURPRISED by the retaliation they are receiving, as minimal as it is! The actions of what appear to be just a few people have terrified the companies who thought they had carte blanc to do as they pleased. However it hasn't pressed them to change their ways, but to hide behind a veneer of superiority and attempt to stop those selfish robin hoods of the internets.
The first law of security is that if anyone get in, anyone can get in. If you make sensitive data available via the web, it is accessible via the web. By anyone. You can make it hard to access, even extremely hard to access, but not impossible. So the very first step in security is the question why the hell you would want to hand over your responsibilities to some automaton that can be accessed by anyone.
Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
Funny - a couple of years ago, bringing up Bush-hatred into totally unrelated conversations was considered obligatory, something normal people would do. It was serious and sane and anyone who modded flamebait was in league with Bu$hitler. People seriously used Bu$hitler, on this website, and were, in their tiny minds, not using flamebait. Look up "Bush Derangement Syndrome".
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
[disclosure: I do this for a living]
If you look over what happened over the last 5 years or so in security you'll see that nothing really new has happened. We get more sophisticated with defenses, stuff gets more expensive, but fundamentally it's deja vu all over again. 99% of what I come across suffers from a pure tactical focus - no long term thinking, no attempt at understanding the mindset of those seeking to cause harm or steal information, no strategy or root cause analysis of assaults.
The result is that defense has simply turned into an arms race. Immensely profitable for providers, no added value for the customer.
About 5 years ago we started to work on different approaches which normal risk assessment never touches. As a consequence of the insights gained we stamped out bank data theft for our clients without imposing new regimes or buying new equipment - all it took was a month worth of work. However, that requires people that can really think differently, whereas HR has moved towards cookie cutter tick box selections that seem to be aimed at filtering out exactly those people who can make a difference (the use of HR management seems to exacerbate this trend).
Security management has become predictable, and with predictability comes failure. The message is clear: start thinking differently - or lose the battle.
Insert
the legally obscene - is already illegal
what are you talking about
DDoSing is very hard to counter and small sites can be DDoSed by legitimate requests as well (see Slashdotted). Also, you don't leak sensitive data while being down. However SQL injection is just fucking pathetic. There's no excuse for that. That's developer negligence. I'm not excusing LulzSec for it, they comitted a crime etc., but it's like leaving your frontdoor open, being robbed, and then lamenting about "what the world has come to".
Also shared PHP hosting sites are vulnerable to other malicious user, but that's also more of a money problem not direct negligence.
When doing consultancy a lot of people told me flat out they didn't care about security. Quotes like "Anyone can walk in here during lunch and steal whatever they like; why would I (as the IT director) spend $$$ on computer security when management doesn't even care to lock the door." were very common. While the logic is obviously flawed it does illustrate that it simply wasn't a priority - which is not the same as living in ignorant bliss.
Eh, this really ain't that hard. It is similar to how the Nazi's showed us how hate is bad.
This article ain't about the agenda of Lulzsec but on what the results of their actions have revealed about IT security.
Yes, antisec is idiotic, it is however not relevant.
The large number of successful hacks recently have shown IT security is in a bad state. The motivations for those hacks are not relevant nor even that a single group did it.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
you should know that it is already illegal for a minor to be exposed to porn. This would only help us stay in the law better.
Of course this would also be a tremendous help to most businesses who need to avoid sexual harassment lawsuits.
So you need a bad law to protect you from other bad laws. Got it.
he meant: what is defined in the "legal" world or in terms of law as obscene is already illegal.
this is different from saying "the obscene is illegal" as different people have different views of what is obscene.
That is what he meant, thought it was obvious, i guess not.
Have a nice day!
Anyone who doesn't believe in Security through Obscurity should post their passwords and credit card numbers on /.
An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
What Opportunist says is true in the great majority of cases. I have seen the truth of it myself. There are, however, notable exceptions:
#1 For some years I was a senior secure-systems developer for Symantec's Norton Store. With personal details and financial information on 60+ million people, huge flows of money, plus the fact that we were a security company, we knew we had a huge glowing orange target reticle painted on us. Security was a huge aspect of corporate culture. While we were very careful to maintain COMPLIANCE with assorted standards, we were equally careful to always go above and beyond the requirements of compliance in order to achieve REAL security. The corporate culture for my (admittedly elite) team treated COMPLIANCE as the starting point for security: if we were not compliant with, e.g. PCI Standards, then we DEFINITELY had a security problem, but compliance was just the start point.
#2 When lives, possibly your own and those of your family and friends, are truly at stake, security takes on a whole new meaning. Being compromised is then not about being embarrassed or losing money, it is much more serious. There is a different gut feeling. One thinks about ALL aspects of security, not just how well the network is secured. I was once involved in such an operation. My security skills were good enough to help protect the Norton Store, but were not adequate for this standard. Instead, a high military security standard was required. When the stakes are very high, different issues arise. In my case, I became a security risk to the project because my children could not be adequately protected, leaving me vulnerable to compromise by threats or actions against my children.
So it is with obscurity. Provided it is not the ONLY security feature used, it has a place in reducing the visibility of a target - just as camoflage has been doing in the military for hundreds of years. It also adds to the overall difficulty of getting into a secure location (be that a website or building) and therefore has a deterrent effect: even if that's only to move the baddies along to try the next target on the list, rather than yourselves.
Where does that leave obscurity? Right where it needs to be: as a valuable tool in preventing and delaying security breaches. The key thing about it (as with all security features) is to know when it is no longer effective and then to either revamp it or replace it. However, it obviously is still effective for the vast majority of institutions and therefore should not be dismissed.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
They've seen the government is willing to track down hackers, and apparently have the resources and means to do so. If it's true they're backing off, it's because their sense of survival has kicked in and they realize they'd prefer not to be caught by giving the authorities even more avenues of evidence to pursue.
Lulzsec was probably not one of those very professional hacker criminal organizations that utilized a hundred thousand zombie pc's to conduct its information stealing activities [we're talking mafia, foreign governments, or very sophisticated and probably personally acquainted hacker groups, etc in that case]. So their tracks probably aren't that well covered.
Otherwise, why quit? Their (apparent) manifesto doesn't suggest a time-frame. "We've done it, we've shown the world they're not secure". Uhh, no, we already all knew that.
I am going to play Devil's Advocate here...
Instead of "the government is behind this to create new laws to lock down the interwebs," I would say it is entirely as plausible to say "the government is behind this to create new jobs and interest in information security to better arm the future with the tools needed to guard against such things, and also create more IS jobs."
The tinfoil hat works both ways.
Something witty.
No-one accuses a store with a glass window of being "asleep at the wheel' with respect to security just because they don't have bars in the window. Cyber security's mentality that if you haven't implemented all security features you have somehow invited the attack is simply unfair and removes the mentality of malice from those who are breaking the law. Ultimately, a culture shift to seeing those breaking into websites as common criminals to be dispised needs to happen. High-value targets will always need bars on the windows, but the rest of the internet should be able to get by without an IPS, web app security gateway, etc, etc, etc.
I do security
To these groups for getting them thinking about these matters before China starts bringing their full might to bear and busting down cyber doors all over the place.
You are, simply put, wrong. And on a number of levels and from a number of angles. Let me count:
1) It is, in fact, the "security guys" fault for not anticipating all the chaos that is possible in the world. That's their job. They are there to provide security, mitigate risks, and generally make people safe. And it is entirely due to their lack of diligence and their general incompetence. For the intrusions that I've gone over, LulSec did not make use of zero-day vulnerabilities or unknown mystical powers. They used well known vectors that competent "security guys" could have protected against. The only other positions you can share the blame with is their boss. And of course, LulSec themselves.
2) You hate lulsec, that's apparent. It's going beyond that though. You are so biased that you are making presumptions about them by calling them children. Calling them pricks and twats is simply name-calling, but the point where your demonizing influences the facts you know about them is self-deluding.
3) Pride. You elevate and praise yourself. It's good to speak well, and a little ego is good, but you're just kinda coming off as a douche.
4) You generalize that all teenagers are full of hate.
5) You also generalize that your entire generation is somehow above being this sort of "big prick", even after having just stated that your generation performed similar actions.
6) Sociopaths really do make the most productive CEOs. You have to remove yourself to a certain degree to be able to crush a persons livelihood. Not everyone can be a hatchet-man. Anyway, there have been studies and the signs of a good CEO are similar to the signs for sociopaths. But everyone has a little bit in them and sociology is a ludicrously soft science.
7) You drag politics into it for no apparent reason. Really, I just can't do this justice without looking at it again:
I actually blame the parents (the Bush-haters) for breeding such a bunch of twats as LulzSec.
My god. It's like the hate is palpitate. If you think every ill of the world is all the democrats fault then really, I'd advise that you need to relax a little.
8) The grammar in your first paragraph is atrocious.
as to think that we just didn't understand the situation sufficiently clearly yet.
Wut? But I guess at this point I'm merely being nitpicky. The wrongness of your post on other counts is more than sufficient to earn you for negative karma. But seriously, you need to re-evaluate your life if these are your honest views. Or simply GTFO and leave us be.
Sorry for my being extra nerdy here but its true how they both exist because of each other. The hacker groups claim to exist because governments are cracking down on freedom, and the governments claim they are cracking down because of the hackers. I don't think either side is to be praised because neither side seems to be making much progress and it is the middle users freedom and privacy that suffers. However, sadly i see it more likely that if the government would back down the hackers would disband, where as if the government had no friction against them they might start moving slower but still in the same direction.