Slashdot Mirror


US Army Website Hacked By Syrian Electronic Army

swinferno writes: On Monday afternoon, the Syrian Electronic Army claimed on Twitter to have successfully hacked the website of the United States Army, army.mil. Various screenshots that appeared on Twitter reportedly showed pro-Assad propaganda on the site before it crashed. "Today an element of the Army.mil service provider's content was compromised. After this came to our attention, the Army took appropriate preventive measures to ensure there was no breach of Army data by taking down the website temporarily," spokesman Brig. Gen. Malcom B. Frost said in a statement.

116 comments

  1. Obligatory by darkain · · Score: 4, Insightful
    1. Re:Obligatory by Karmashock · · Score: 1

      Hmmm... they actually did get into the webserver... it wasn't just a DDOS attack or something. They actually got in.

      Now did they get anywhere near anything we care about? Probably not. But they did get in to something.

      Possibly read it this way:

      "vandals broke into a sign put up by the US military and changed the letters around to say POOP"... they did get in... just... to a place no one cares about.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    2. Re:Obligatory by Anubis+IV · · Score: 1

      Agreed. It's the Internet equivalent of graffiti. It's an embarrassment, to be sure, but breaking and entering, it is not.

    3. Re:Obligatory by Anonymous Coward · · Score: 0

      Yes the military has internet sites and intranet sites and air-gapped networks... etc. ... but they also have policies, procedures, and standards for applying security as well as what software vendors they use, etc.

      This breach might not leak sensitive data but it does demonstrate an inability to defend from an attack. I would suspect that if it wasn't for the air-gap more secure networks probably have the same vulnerabilities. We can call into question the policies, procedures, processes, and standards; and our government and military leaders should reevaluate their choices.

    4. Re:Obligatory by Zaelath · · Score: 2

      Yeah, that's exactly what that XKCD is saying. They got at an externally hosted server that would have occasionally been accessed FROM a (more, but not highly) secure .mil network, but doesn't have any access TO any .mil network.

      It's about as significant as shitting through a recruiting office letterbox in a mall.

    5. Re:Obligatory by Karmashock · · Score: 2

      emmm... not really. just because there isn't secure information in there doesn't mean it is "okay" that it got busted.

      First there is a question of prestige here. You don't let shitstain hackers break into your webserver. You just don't.

      Second, I'm not sure there was nothing in there of value. It could have contained something that would point them at other systems or give them deeper knowledge of the infrastructure of another network. And they could leapfrog from one to the next.

      It definitely was a breach... a breach into a place with no secure information? Possibly... but still a breach. And you don't let a bunch of kids into mil space.

      All I'm saying... secure your webservers. Please.

      I was dealing with a company webserver that was getting breached every couple weeks. It was constant. Nothing was in it that mattered but people were getting into it and fucking it up.

      I talked to the guy responsible for it and he wasn't making any sense. He was saying it wasn't possible to keep people out of the fucking thing. Which just told me that he wasn't competent to do the job. Period. I talked to someone else and explained some of my ideas as to how to secure it, they said "those will all work"... I then put him on that, we secured the system the way I wanted to do it.

      It hasn't been breached since. What did I do? A lot of things. But the most extreme thing I did... because I'm a kitchen sink sort of guy that throws fucking everything at anything that gives me a problem... I write locked the server. You literally can't change anything on it. All the parts of the system that are fucking word press or other similar code that was getting screwed with are write locked at the file system level. It doesn't need to be changed on a regular basis. We move something around about every three or four months maybe. And all the web admin has to do is trigger a script that unlocks the files, then he can do what he wants, then he triggers the script again and it locks all the files behind him.

      This is an issue I have with stuff like word press. It's really nifty but it's got lots of ways to hack it or get into admin functions.

      And my attitude with that, is that you need to understand the portions of the system that change and the portions of the system that don't. Then you only permit the segments that need to change to change. And the portions that don't can remain locked.

      You do that, and most of the pure word press hacks and exploits don't work. They don't anticipate the configuration files being write locked.

      Again, not the only thing I did... but one of the most demonstrative of the core concept... which is to make hacking a system LITERALLY impossible.

      Here someone will say "well not literally they could get in and unlock the files at the file system level."... sure... if it is possible to do that... which long story short, it isn't.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    6. Re:Obligatory by Anonymous Coward · · Score: 0

      Or, some fools wrote on your front fence with chalk, during a rainstorm.

    7. Re:Obligatory by Anonymous Coward · · Score: 0

      Be careful with that word - Impossible.

    8. Re:Obligatory by Zaelath · · Score: 1

      You can still hack that, just need to go after the DNS server instead.

      And yes, Government ranks reputation very highly when you do a risk review, but IFF there was anything on this server that wasn't UNCLASSIFIED:For Public Release, then there was *already* a breach.

      Experience with some corporate wanker does not reflect the way the military/government do security at all.

    9. Re:Obligatory by TubeSteak · · Score: 3, Insightful

      It's about as significant as shitting through a recruiting office letterbox in a mall.

      Unless they dropped some malware on the site and infected the people who unknowingly visited the page.

      --
      [Fuck Beta]
      o0t!
    10. Re:Obligatory by Karmashock · · Score: 1

      hacking a dns server doesn't touch the military webserver. That is bypassing it and hacking public systems to redirect you.

      Quite different.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    11. Re:Obligatory by Anonymous Coward · · Score: 0

      Well, that's the theory at least. In actuality, they may have any number of other security failures, some of which could lead an attacker to other targets from this poster website, including very indirectly. A breach is a breach. If you're serious about security, you should always assume the worst.

    12. Re:Obligatory by Karmashock · · Score: 1

      I am... Perfect security is possible with computers. You can make things that are unhackable.

      It needs to be simple enough to debug, elements that don't change should be made literally static... ideally physically locked, and anything hyper secure should be either encrypted with perfect 1:1 encryption or airgapped. That's if you want PERFECT security. Which again... is possible.

      It's like anything that is perfect... either very simple or nearly impossible to do. Make it easy on yourself by making it simple.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    13. Re:Obligatory by Anonymous Coward · · Score: 0

      Same anonymous coward. A few years ago I had a website hacked. Certain people came in and blasted it from Amazon EC2. Wiped everything on the server. No biggie because of on and offsite backups, just a nuisance. I locked all the files. I have not had a successful hack since. But my job is to be paranoid, and I do not kid myself about something being unhackable. Often the only thing that is impossible is the untried.

    14. Re:Obligatory by Karmashock · · Score: 1

      To understand how to make something unhackable you have to understand how hacking works.

      The whole strategy is basically using the adaptability of the system against the owner. You reprogram the system to do what you want instead of what the owner wanted.

      That's hacking. Can you hack non-programmable systems? Nope. Can you hack something that might be programmable but which you cannot access because it literally doesn't communicate bidirectionally over exposed IP addresses? The ability to hack something like that is pretty limited... if possible at all. And that is with just one security change.

      If you compound a lot of really solid security concepts on top of each other that means the hacker has to break through each successive step to actually get to the meat.

      Now there is technically a way to get through each of these steps and the final probability is still non-zero. That said, there are some very extreme steps you can take that can move the probability from .0000000000000001 to 0.

      Some people don't like to use the terms like impossible or perfect because they feel that is arrogant and that it might just mean you haven't thought of something.

      I concede the possibility of godlike powers rewriting time and space to make what would appear to be physically impossible possible.

      However, excluding godlike redefinitions of basic physical law, there are security protocols that are unbeatable.

      It is important to note that the security being breached is not even good security. Fuck perfect... it isn't even good. The good security isn't getting breached. It's the shitty security that is getting breached. And the stuff I'm talking about is a damn sight better than "good"... it's fucking exceptional to perfect. No one is getting through that. The way you get through this kind of security is by throwing a black bag over the head of the admin and then attaching electrodes to his nuts. That's how you get through.

      Absent that... it isn't happening.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    15. Re:Obligatory by dcollins117 · · Score: 1

      First there is a question of prestige here.

      And authority. Who is going to take seriously the idea that backdoored encryption will be properly safeguarded by the government when just in the past week they just turned over 4 million federal personnel records and an army website over to "hackers"?

      One would have to be abysmally stupid to take information security advice from anyone with their track record. The next time you hear a government official claiming that making our systems less secure is a good idea the correct response is open ridicule and a slow, patronizing shake of the head.

    16. Re:Obligatory by Karmashock · · Score: 1

      As to the proper response to idiots in real situations... I've found it's best to just humor them and then quietly negate the damage they could possibly do when they're not paying attention.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    17. Re:Obligatory by gtall · · Score: 1

      You are assuming the underlying system is correctly and securely designed. That's a big assumption and one you have no way of ascertaining.

    18. Re:Obligatory by Anonymous Coward · · Score: 0

      To understand how to make something unhackable you have to understand how hacking works.

      Nothing on the internet is unhackable, period. You can make it difficult enough to discourage all but the most determined of all hackers from going for it, but you can't make it 100% unhackable. Someone will have enough time, resources, and determination to get in if they want. The best you can do - on top of the best safeguards at your disposal - is to be ready to roll out a different setup if your system is compromised.

      You can claim that something you put on the internet has never been hacked, and you can even be accurate in that statement, but that doesn't mean it is unhackable. There are always nonstandard methods of hacking a system that a truly determined individual can exploit.

    19. Re:Obligatory by Anonymous Coward · · Score: 0

      You don't let shitstain hackers break into your webserver.

      That is a pretty bold statement about someone you know nothing about, there. Could you hack the system they hacked in to? These were likely not just some random script kiddies out for lulz.

    20. Re:Obligatory by Karmashock · · Score: 1

      Depends... I'm not familiar with their system. I know lots of exploits and bugs. So maybe.

      I know I could secure it though.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    21. Re:Obligatory by Karmashock · · Score: 1

      Wrong.

      To be hackable it has to be reprogrammable through the web portal.

      If it isn't for any reason then it isn't hackable.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    22. Re:Obligatory by Jason+Levine · · Score: 1

      And authority. Who is going to take seriously the idea that backdoored encryption will be properly safeguarded by the government when just in the past week they just turned over 4 million federal personnel records and an army website over to "hackers"?

      Government response: "But, TERRORISM!"
      *too many people nod their heads in agreement while the rest of us shake ours in dismay*

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    23. Re: Obligatory by Anonymous Coward · · Score: 0

      This was very irresponsible of the SEA with Assad asking for US assistance months ago.
      It possibly demonstrates a great deal of autonomy and lack of oversight.

      Put your dogs on a leash before someone uses this to declare outright war lol

    24. Re:Obligatory by Anonymous Coward · · Score: 0

      I know I could secure it though.

      Then why are you spending all day writing on slashdot, when you could be making six figures doing digital security for the army? If you're really better at their job than they are, you should already be working for them. Instead you are armchair quarterbacking with vague overstatements.

    25. Re:Obligatory by Anonymous Coward · · Score: 0

      To be hackable it has to be reprogrammable through the web portal.

      That is a very narrow - and narrow-minded - definition of "hackable". By that definition, the computers that controlled the Iranian centrifuges were not hacked by the Stuxnet worm. For that matter by your same notion Alan Turing was a total failure of a hacker.

      There are far more approaches to hacking than just brute force attempts through unsecured ports. Only by your strange and narrow definition could something be "unhackable". By definitions that are understood by the rest of the world nothing is truly unhackable, it just comes down to deincentivizing the hacker from getting in, and then having a backup plan ready to go for when they do.

    26. Re:Obligatory by Anonymous Coward · · Score: 0

      Yup. And what if the poster hackers sprayed the poster WITH ANTHRAX!

    27. Re:Obligatory by Coren22 · · Score: 1

      So because a system was hacked, you can't trust anyone working for the government on security? I heard that a corporate web server was hacked, I guess we can't trust anyone working security for corporations anymore, they couldn't know what they are talking about.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    28. Re:Obligatory by Karmashock · · Score: 1

      They were reprogrammed otherwise the worm would not have been able to imprint itself on them.

      My understanding further is that the Iranian worm situation was caused by spreading malware from unsecured systems to the centrifuges.

      Are you suggesting that it is impossible to keep a secure network isolated from the facebook and porn network?

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    29. Re:Obligatory by Karmashock · · Score: 1

      I do quite well actually... and if everything is locked down and I'm alerted when there is an issue... then what exactly do I have to do?

      A lot of bad administration is a lack of automation. It's why the security gets lax half the time. They say "well we'd need more IT people to handle that"... for security you really don't need that many. You just need the systems to be set up to call for help when something happens. And then have them be fool proof enough that only rarely does anything happen.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    30. Re:Obligatory by Anonymous Coward · · Score: 0

      Therefore you wouldn't mind posting a list of your highly secured servers so that we might bask in the glory of their unhackability.

    31. Re:Obligatory by Anonymous Coward · · Score: 0

      word press

      No wonder that server was getting owned every other day. Wordpress doesn't have exploits, it is an exploit as far as I'm concerned.

    32. Re:Obligatory by elusive_one · · Score: 1

      Well if it's not done possibly, it was obviously done impossibly. Simple logic.

    33. Re:Obligatory by Zaelath · · Score: 1

      How does the method change the effect?

    34. Re:Obligatory by mjwx · · Score: 1

      It's about as significant as shitting through a recruiting office letterbox in a mall.

      Unless they dropped some malware on the site and infected the people who unknowingly visited the page.

      Which is about the same as someone sending you tissue full of mucus and flu germs through the mail. You're only at threat if you don't throw it away and wash your hands.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    35. Re:Obligatory by Karmashock · · Score: 1

      The effect is not the issue here. What actually happened is the issue.

      Furthermore, the DNS affects only systems affected by the DNS hack.

      If you use a private DNS system... which you should if it is high security... then you would completely ignore the issue.

      What some jerkoff sees when he connects to your system is one thing. What actually happened to your systems is another.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    36. Re:Obligatory by Karmashock · · Score: 1

      I can't disagree... the thing fucking pissed me off with all its problems. The web admin told me that it couldn't be secured without completely rewriting the whole site and upgrading lots of crap in it along the way.

      And I thought to myself... "and how long will that work?"... and I concluded that I'd be having the same conversation with the guy in two years.

      So I tried to draw him into a discussion about securing the site without bothering with Wordpress's endless bullshit. And he basically had no idea what I was talking about.

      So I contacted someone else that I work with a lot and ran the situation by him and we both basically came to the same conclusion pretty fast. And so we basically treated the wordpress site like a black box of broken bullshit. Locked it down the only way you can lock down a black box. Security issue solved.

      Web admin has to VPN into the webserver, unlock the file system, and then he can mess with it. Beyond that, the site itself has all its configurations, scripts, passwords, etc locked. It can do things... it isn't entirely static. But it can't be reprogrammed without unlocking the configuration files which control how it works. "People" do still try to hack the thing. I can see the intrusion attempts in the logfiles. But there isn't anything they can do even if they do use an exploit. It's locked.

      What I like about little solutions like that is that they're very bruteforce, simple, and from what I've seen totally unexpected. No one sees that coming.

      Is there a way around it? I'm struggling to see how. The webserver doesn't have permissions to unlock files. So even if you took control of the web software the OS still wouldn't unlock the files.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
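
The lock/unlock toggle described in comments 5 and 36, as an added example that is not code from the thread or from any poster. It assumes the site files are owned by an admin account that is not the web server's account, and the site root and the mutable `wp-content/uploads` directory are illustrative choices.

```shell
#!/bin/sh
# Added example: write-lock a web root except the directories that must change.
# Uses plain mode bits (chmod) so it is portable. On Linux, root can add
# `chattr +i` on top for a lock that even the file owner cannot undo.

# _scope ACTION ROOT [MUTABLE_DIR...]
# One find(1) pass over ROOT that prunes each MUTABLE_DIR (relative to ROOT)
# and skips symlinks, because chmod would follow them out of the tree.
_scope() {
    action=$1; root=${2%/}; shift 2
    n=$#
    # Rewrite "$@" from directory names into "-path DIR -prune -o" clauses.
    while [ "$n" -gt 0 ]; do
        set -- "$@" -path "$root/$1" -prune -o
        shift
        n=$((n - 1))
    done
    case $action in
        lock)
            # Directories lose write too: otherwise a locked file could
            # simply be deleted and replaced.
            find "$root" "$@" ! -type l -exec chmod a-w {} + ;;
        writable)
            # Anything with a user, group or other write bit still set.
            find "$root" "$@" ! -type l \
                \( -perm -200 -o -perm -020 -o -perm -002 \) -print ;;
        owned)
            # Paths the given account owns: an owner can chmod them back,
            # so for the web server's account this list should be empty.
            find "$root" "$@" ! -type l -user "$SCOPE_USER" -print ;;
    esac
}

# lock_site ROOT [MUTABLE_DIR...]: remove every write bit outside MUTABLE_DIRs.
lock_site() { _scope lock "$@"; }

# unlock_site ROOT: give the owner write access back for a maintenance window.
unlock_site() { find "${1%/}" ! -type l -exec chmod u+w {} +; }

# audit_writable ROOT [MUTABLE_DIR...]: print locked-scope paths that are
# writable again (drift since the last lock). Empty output means locked.
audit_writable() { _scope writable "$@"; }

# audit_owner USER ROOT [MUTABLE_DIR...]: print locked-scope paths owned by
# USER, i.e. paths that USER could unlock on its own.
audit_owner() { SCOPE_USER=$1; shift; _scope owned "$@"; }

# Command-line use, e.g.:  sh wp-lock.sh lock /var/www/site wp-content/uploads
case "${1:-}" in
    lock)   shift; lock_site "$@" ;;
    unlock) shift; unlock_site "$@" ;;
    audit)  shift; audit_writable "$@" ;;
esac
```

Running `audit_writable` from cron and alerting on any output catches the case where an admin unlocked the tree and never re-locked it.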
    37. Re:Obligatory by Karmashock · · Score: 1

      Doxx myself? First, I don't own the systems so I have no right to do such a thing. Second, only an idiot would doxx themselves... just because some AC dared him to? Comical.

      I'd do it if I had permission and if I were getting paid... ideally by you... lots of money.

      Short of that... you're basically asking me to betray my employer, subject myself to real life harassment from internet trolls, and for... nothing?

      No thanks.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    38. Re:Obligatory by Zaelath · · Score: 1

      Nope, to all that.

      Effect is entirely the issue. The effort required to ensure this kind of thing *NEVER* happens is entirely disproportionate to the effort required to ensure that there is nothing of real value on an internet accessible server (or from it).

      Furthermore, a DNS attack that re-delegates the domain to different DNS servers would mean everyone (other than internal users that wouldn't be using public DNS servers) would see the affected page, which is what they want, "how" is entirely irrelevant to the attackers. It's still news, it would still be covered, and it would be harder to resolve as quickly as taking the server offline as soon as the monitoring detected the change.

      The "private DNS system" isn't accessible publicly either, or it's just another attack surface.

      What some jerkoff sees when he connects to your system is one thing. What actually happened to your systems is another.

      Exactly, and when you're the Military "your systems" are those on the high security network, not a poster you hung up outside, which neatly takes us back to XKCD.

    39. Re:Obligatory by Anonymous Coward · · Score: 0

      my employer

      Hah! Good one, there. You don't expect anyone on slashdot to believe that someone who posts all day and all night at your frequency has a job, do you? Add to that how many times you have fallen straight on your face in this discussion and it is clear you are unemployed - and likely have no education or experience to speak of.
       

    40. Re:Obligatory by Karmashock · · Score: 1

      Hey bingo.

      I can only make 25 posts a day. How long do you think it takes me to make a post?

      The only thing that makes this site take a long time is that I have to wait awhile between posts.

      Otherwise, I'd burn my post quota out in about half an hour.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    41. Re:Obligatory by Anonymous Coward · · Score: 0

      I can only make 25 posts a day

      Your comment history shows more than 25 today easily and another 20 yesterday. What do you gain by lying about this? Is it equally as useful as coming here and lying about your employment status?

    42. Re:Obligatory by Karmashock · · Score: 1

      You'd know this if you ever logged in... the system cuts you off if you make more than 25 posts in a 24 hour period. You get an error and it prevents you from posting again for at least an hour. At which point you can only post until your post count in the last 24 hours reaches 25.

      Anyway, bingo... I don't know where you get off judging people that actually HAVE records. You don't. You don't get to judge, shithead. ;)

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    43. Re:Obligatory by Anonymous Coward · · Score: 0

      the system cuts you off if you make more than 25 posts in a 24 hour period.

      Again, why are you lying? Your own comment history is counter to that. Go ahead, click the link and count your comments. You have written significantly more than 25 comments in the past 24 hours. You were not "cut off" in any meaningful way.

      What do you have to gain by lying about this? It is understandable that someone with as fragile of an ego as yours (as demonstrated by you so quickly resorting to profanities and insults instead of having discussions) would want to lie about their employment status in the hopes of appearing reputable. But why lie about how many comments you post in 24 hours when the data is right there for all to see?
       
       

      You don't get to judge

      This is not a judgment. This is a statement of fact. It is a fact that you are lying about how many comments you have posted here on slashdot in the past 24 hours.

    44. Re:Obligatory by Karmashock · · Score: 1

      So on top of being a troll, obsessed with me, a hypocrite, a coward, and a liar... you're also unable to count?

      That link you showed me doesn't show more than 25 posts. That's all it permits per page.

      So what is it like being such a failure of a human being?

      I mean... what are you good at?... besides failure of course. You're amazing at failure.

      I'm just going to give you a little golf clap for the unbroken track record of failure so far:
      https://www.youtube.com/watch?...

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    45. Re:Obligatory by Anonymous Coward · · Score: 0

      Not the same AC here, but your claim that

      ...the system cuts you off if you make more than 25 posts in a 24 hour period.

      seemed suspicious to me, so I decided to check for myself. You are objectively wrong.

      Here is an example. You made this comment on June 11 at 1:03 AM. Less than 24 hours prior, you made this comment, on June 10 at 2:07 AM. In between, you posted approximately 45 comments, by my quick count. Go through your comment history and you can count them for yourself.

      In another recent comment, you said if someone proved you wrong, you would "admit error and thank [them] for the correction." Does that apply here, too?

    46. Re:Obligatory by Anonymous Coward · · Score: 0

      That link you showed me doesn't show more than 25 posts. That's all it permits per page.

      That is why you go to the next page, which shows more comments from you. That next page shows that you went well over 25 in 24 hours. You can see it if you click on it. I can't make you do it, but you don't help yourself when you keep denying reality and demonstrating yourself to be a complete liar.

      Getting angry and slinging silly insults doesn't help your cause, either. No wonder you can't get a job, I wouldn't hire you with an attitude like that.

    47. Re:Obligatory by Karmashock · · Score: 1

      I've never counted. I get an error every so often saying "you can't post more than 25 times in 24 hours"... so sue me... I thought the error warning was accurate.

      Whatever.

      ACs still have no ethical or moral right to judge people that log in. We have histories. You don't.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    48. Re:Obligatory by Anonymous Coward · · Score: 0

      I've never counted.

      So then you admit that you were lying about posting 25 or fewer. Thank you for that clarification.
       
       

      We have histories

      A history of anger and lying, yes. One to be proud of, no.

    49. Re:Obligatory by Karmashock · · Score: 1

      Taking a warning message from the slashdot site as being valid doesn't make me a liar... idiot.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    50. Re:Obligatory by Anonymous Coward · · Score: 0

      Taking a warning message from the slashdot site as being valid doesn't make me a liar... idiot.

      Except that you are lying about receiving such message. This site isn't perfect, but it can count better than you can reason. Just admit you were lying, and move on. Insulting people won't help your cause either, you should just quit while you're behind.

    51. Re:Obligatory by Karmashock · · Score: 1

      Next time I get it, I'll screen cap it for you or something. I get it about twice a month. Often there will be some dog pile and I'll have to respond to about a dozen fucktwits and that just burns up my post count allotment.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    52. Re:Obligatory by Anonymous Coward · · Score: 0

      Wait, now you're going back to lying about having a limit on how many posts you can make? Someone already called you out on that lie, why try for it again? It won't stop being a lie just by repeating it. Hell you made that lie just a few posts ago in this very thread.

    53. Re:Obligatory by Anonymous Coward · · Score: 0

      Taking a warning message from the slashdot site as being valid doesn't make me a liar... idiot.

      Except that you stated, without qualification, that you "can only make 25 posts a day." Someone else pointed out that in the same 24-hour period in which you claimed you can only post 25 messages per day, you posted nearly 50 messages.

      So what does that say about you? You might have been outright lying. Or, at best, by stating something as fact when you obviously didn't have a clue, you were being very dishonest. This is something that is ridiculously easy for anyone to verify, but you didn't even bother. And now, not only do you lack the integrity to own up to your error and "thank us for the correction" (as another AC pointed out you recently promised to do in another post), you also haven't apologized for pointlessly berating people because of your failure.

      If you are so lacking in integrity on such an utterly trivial matter, what should we conclude about all of the claims you make in other posts that are not so easily verified by others?

    54. Re:Obligatory by Karmashock · · Score: 1

      Yes... and if I thought that was correct then I didn't lie.

      Being wrong doesn't mean you're a liar. Idiot.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    55. Re:Obligatory by Anonymous Coward · · Score: 0

      Yes... and if I thought that was correct then I didn't lie.

      Being wrong doesn't mean you're a liar. Idiot.

      Still waiting for an actual response, since you just ignored most of the post... I'll repost just in case you failed to read:

      So what does that say about you? You might have been outright lying. Or, at best, by stating something as fact when you obviously didn't have a clue, you were being very dishonest. This is something that is ridiculously easy for anyone to verify, but you didn't even bother. And now, not only do you lack the integrity to own up to your error and "thank us for the correction" (as another AC pointed out you recently promised to do in another post), you also haven't apologized for pointlessly berating people [slashdot.org] because of your failure.

      If you are so lacking in integrity on such an utterly trivial matter, what should we conclude about all of the claims you make in other posts that are not so easily verified by others?

    56. Re:Obligatory by Anonymous Coward · · Score: 0

      Being wrong doesn't mean you're a liar.

      No, but when you are confronted with demonstrated facts and you continue to claim the opposite of what the facts show, you are lying at that point. You did exactly that; you are a liar.

    57. Re:Obligatory by Karmashock · · Score: 1

      Making an honest mistake given reasonable information is neither unethical nor immoral. Your presumption of judgment is comical.

      What is funnier is that you're trying to blow this up into something that damns me as a person.

      And what you possibly didn't realize is that I'm responding to you. Something which you should know by now bingo, I normally stop doing once I realize it is you.

      But I'm still responding to you.

      Do you know why? Because I'm going to hit that limit. And when I do, I'll screen cap it. And win.

      So keep whining, you deluded fucktwit. Every post you cause me to make in response gets me closer to my goal. And then I win. :)

      Your best bet for retaining any credibility is to stop posting right now. But you won't because you can't help yourself... and it doesn't really matter since you know I don't lie. We have had enough discussions in the past that you know I can back myself up if needed.

      And all you're doing is helping me rack up posts to prove you wrong. again.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    58. Re:Obligatory by Karmashock · · Score: 1

      Okay so you admit I wasn't a liar.

      k thanks.

      I win again, twit.

      You're so fucking stupid :D It's amazing.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    59. Re:Obligatory by Anonymous Coward · · Score: 0

      Making an honest mistake given reasonable information is neither unethical nor immoral.

      Keep moving those goalposts, kid. You could have checked your own comment history at any time. Slashdot is configured such that any user can see as far back into their own comment history as they wish; if you had done that you would have known that you had posted more than 25 times in those 24 hours. The information was in front of you and as accessible to you as to anyone else; you willfully and intentionally ignored it. Then you lied to cover up your lack of use of said information, and lied more after that as well.
       
       

      What is funnier is that you're trying to blow this up into something that damns me as a person.

      You have anger issues, and trouble with reality. Those are well documented.
       
       

      But I'm still responding to you.

      To whom, exactly? You were previously trying to make an argument that the AC comments are not trackable. Hence you have no idea whom you are replying to, or to how many people.
       
       

      Do you know why?

      Because you are a hypocrite on top of an egomaniac and a liar.
       
       

      when I do, I'll screen cap it. And win.

      No, you won't. You've already demonstrated that you don't have a limit. But you'll pretend to somehow "win" anyways. Eventually you will move the goalposts far enough to feel justified in declaring yourself a "winner".
       
       

      Your best bet for retaining any credibility is to stop posting right now

      Excuse me? You really, really, don't know how logic works. And you really, really, really, don't know how slashdot works, either. Furthermore, didn't you claim before that the AC was just wasting your time? If that was the case then you should be the one to stop replying.
       
       

      you know I don't lie

      Except for when you were just plainly demonstrated to have lied, of course.
       
       

      We have had enough discussions in the past that you know I can back myself up if needed.

      You really need to look in to how the AC works here. It is a fundamental part of slashdot. I could look back at your earlier posts but based on the anger and profanity you displayed here I don't expect I'll see any case of you showing that you can "back [your]self up".

    60. Re:Obligatory by Karmashock · · Score: 1

      There's no goal post being moved. That is what it means to lie and what it means to tell the truth.

      You're the one that is goal post moving. Your claim that I lied was so stupid that even you backed off it and rather than admit you went too far you're now trying to cover your mistake with abuse.

      You're pitiful.

      And that's another post for me. I can't wait until the stupid thing flags me. Then I shall screen cap it and win.

      Keep going. :D

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    61. Re:Obligatory by Anonymous Coward · · Score: 0

      What part of

      You did exactly that; you are a liar

      Was unclear to you? You are a liar. You lied very plainly. You weren't just wrong, you were lying. Now you are lying about what was written about you obviously lying. Too bad these comments are all there for all to see that you were, indeed, lying - and are continuing to lie more.

      Why do you hate the truth so much?

    62. Re:Obligatory by Anonymous Coward · · Score: 0

      There's no goal post being moved

      Why are you lying about that?

      That is what it means to lie and what it means to tell the truth.

      Sorry kid, but you don't get to set those meanings. By the meanings of truth and lies, you are a liar. Lying about trying to move the goal posts doesn't change that - indeed it only shows you to be more of a liar.

      Your claim that I lied was so stupid that even you backed off it and rather than admit you went too far you're now trying to cover your mistake with abuse.

      I haven't seen anyone here back off of the claim of you lying. In fact, we have seen multiple posts plainly demonstrate you to be lying.

    63. Re:Obligatory by Karmashock · · Score: 1

      First, "you"... that implies I did something which I didn't do.

      Second, this is continued with you using the word "did" which states that I actually did something which I didn't do.

      Third, "exactly" means that something precisely something and you've already admitted that I didn't lie which means I didn't exactly lie.

      Fourth, there is that "you" again that suggests I did something.

      Fifth, "are" again suggests a state of being but your statement is contradictory with both your own statements and reality.

      Sixth, you used that word again "liar" which you already admitted I was not. ... that's the part that I have a problem with... all of it. Every single bit.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    64. Re:Obligatory by Karmashock · · Score: 1

      Nope. I didn't lie about anything. I relied upon what the site told me had happened. The next time it does, I'll screen cap the error message for you.

      There's no lie.

      A lie requires deliberate deception. An error based on putting too much faith in an error message is not a lie by definition unless I knowingly misrepresent my statement. I did no such thing so it was not a lie.

      You don't really understand what a "lie" is do you?

      See, this is my issue with ACs... you're astoundingly stupid. How can you not know what a lie is and yet be so fucking dumb that you'd accuse someone of doing it?

      This is why ACs need to not exist. Then we can know who the morons are and shame you into silence. The alternative is that so many of you idiots are running around sockpuppeting each other that no one knows exactly how many of you there are... at least of the really dumb ones.

      I suspect there are fewer of you than it would appear. But you're very active posters.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    65. Re:Obligatory by Anonymous Coward · · Score: 0

      you used that word again "liar" which you already admitted I was not

      No. Nobody ever "admitted" to that in this thread. Indeed you have been demonstrated by more than one person to be a liar in this thread. When you claim otherwise you are only lying again.

      And when you keep coming back, and continuing to reply when you claimed that the AC is wasting your time and not worthy of a reply, you are making yourself that much more of a liar. I would imagine that level of lying and hypocrisy to be painful, but it doesn't seem to bother you much.

    66. Re:Obligatory by Karmashock · · Score: 1

      This thread? who cares. You're following me all over the forum. Who cares what thread we're talking about anymore.

      It doesn't matter to you. Why should it matter to me? You already admitted in one of these threads that you were in error on the whole lying thing... You know it. I know it... so who's the liar now?

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    67. Re:Obligatory by Anonymous Coward · · Score: 0

      Kid, you cannot undo your lies. Maybe nobody told you this before you started diving headfirst into your lies, but you cannot go back and edit posted comments here; they stay around permanently. This means your lies will be forever associated with your account here - you should have thought about that before committing so whole-heartedly to them. You are now at - at least - 3 or 4 lies just in this one thread. Lying about them won't make them go away. You should really try to show some maturity and just own up to them.

      Your comment history shows that is highly unlikely to happen, however. Your next best choice would be to just stop lying about your lies. Walk away from your keyboard, go find a new hobby. You really, really, are truly awful at this one. You don't seem to be learning anything from your mistakes, and you aren't knowledgeable enough on anything to teach anyone anything here either.

    68. Re:Obligatory by Anonymous Coward · · Score: 0

      You already admitted in one of these threads that you were in error on the whole lying thing

      I admitted no such thing. I have not seen any other AC admit to any such thing either. Rather I have seen several ACs point out plainly where you have lied, and your list of lies in this thread just keeps growing.

      You know it. I know it... so who's the liar now?

      Still you, and that is another addition to your list of lies in this thread. In fact, it is really becoming quite hard to find any honest statements from you in this thread. You really should just quit now. You were never ahead, and hence never could have "quit while ahead", but you could quit right now, before lying any more. That would be an improvement.

    69. Re:Obligatory by Karmashock · · Score: 1

      Cite a lie I told, fucktwit.

      You say I can't undo my record... but I don't need to. And unlike you, I'm not afraid of my record. You are afraid of your record. And yet you presume to threaten me with mine? You're a joke.

      I am quite happy to stand on my record. Unlike you, I'm not a coward. ;)

      *kiss kiss* shithead. :)

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    70. Re:Obligatory by Karmashock · · Score: 1

      Did too. :)

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    71. Re:Obligatory by Anonymous Coward · · Score: 0

      Cite a lie I told

      At this point more comments you have written in this thread have lies than not. You have even tried lying about lying, which just digs you in even deeper. It all started with something that you could have gotten away with by just admitting "oops, karmashock has no idea what he's talking about!" but you dug in instead and were proven a liar. Then you lied about lying about it. Then you got mad and lied about being angry. Then you lied some more about everything else that was proven about you.

      So if you want a citation, start here and work through the rest of the thread. You laid down some real whoppers along the way.

      And unlike you, I'm not afraid of my record

      Considering how many lies are embedded into it, you probably should be.

      I am quite happy to stand on my record.

      Well, if you want to take pride in your lies and your anger, that is your own prerogative.

    72. Re:Obligatory by Anonymous Coward · · Score: 0

      As of this recent comment on 11:55 PM, June 12, it looks like Karmashock had posted about 35 comments in the previous 24 hours. We're all looking forward to that "screen cap" stating that he/she can only post 25 comments in 24 hours.

      Time to fire up Photoshop and get busy, huh?

    73. Re:Obligatory by Karmashock · · Score: 1

      Bingo, for me to have lied there, I would have had to have known it was not true. You already admitted you fucked up and I didn't lie. So why are you now lying by reversing course and saying I lied about something that you know I didn't lie about?

      I mean... who do you think you're fooling here?

      Not me obviously. No one else is reading this... so... it's you and me... and I'm not fooled... so what is the point?

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    74. Re:Obligatory by Anonymous Coward · · Score: 0

      You already admitted you fucked up and I didn't lie.

      You're delirious. Your lie was exposed, and the AC comments have consistently pointed that out in this thread. Since then you have taken up lying about that, as well. You can't make your lies go away by lying about them. Your best next move is to just admit that you have been lying consistently throughout this thread, and give up. You can't win, as all the facts are against you. Pretending that there exist any other facts is absurd.
       
       

      why are you now lying by reversing course and saying I lied about something that you know I didn't lie about?

      Nobody said that in this thread. You are making that up. Why are you lying about lying? Double negatives don't help you here, you are still just a liar.
       
       

      I'm not fooled

      The only lies in this thread are in the posts that you write. If you're not fooled, then that would imply you don't believe your own lies - so why are you continuing to lie? Nobody is lying in this thread but you.

  2. More problems caused by Bush incompetence by Anonymous Coward · · Score: 0

    His rule is going to continue to cause problems for decades.

    1. Re: More problems caused by Bush incompetence by Anonymous Coward · · Score: 0

      Ohhhh lookie here, folks! We got ourselves a Putin troll from Internet Research! These fuckers are paid by the Kremlin to troll blogs spouting random anti-western nonsense... Not paid well enough I suppose lol

  3. NSA by Anonymous Coward · · Score: 0

    Where were you on that one, dipshit?

    1. Re:NSA by Anonymous Coward · · Score: 0

      They like to collect but they don't like to share!

  4. Different goals by Bathroom+Humor · · Score: 4, Interesting

    I guess you can tell the ambition of an attack based on how obvious it is.
    When the Syrian Electronic Army hacks a website, they simply vandalize it and make a lot of noise. When someone else, say the Chinese government, hacks a web address, they ignore the front pages altogether and go straight for the data centers. Way more discreet, way more dangerous.

    I could make a fart analogy out of this. So I will.
    The silent ones are the ones you need to fear.

    1. Re:Different goals by l0n3s0m3phr34k · · Score: 1

      I had a theory the recent Chinese break in was to see how their already-placed agents scored on these background checks...plus it gives them intel on how their spies can overcome our checks in the future.

    2. Re:Different goals by Bathroom+Humor · · Score: 1

      That could very well be true. Think of the quietest, closest, most drawn out fart imaginable. Terrifying. Then trying to find out who exactly the culprit is... nobody wants to fess up to something that odorous.

      But it does make me wonder; How well is the U.S. set up in China? We HAVE to be snooping in on them, even if it isn't made public nearly as often. That tells me that either we aren't very good at getting sensitive data, or our farts are tremendously delayed and powerful. hmmm...

    3. Re:Different goals by Anonymous Coward · · Score: 0

      Uh.. have you seen the shit Edward Snowden released? It's naive to think CIA/NSA combined don't have a foothold in Chinese networks.

    4. Re:Different goals by rtb61 · · Score: 1

      The Chinese and Russians are both losing interest in the US government and are focusing on where the real power is, US corporations and their executives and board members. Why spy on the puppet, when it is much more effective to spy on the corruption at the actual real top.

      --
      Chaos - everything, everywhere, everywhen
  5. Manning's USB stick by l0n3s0m3phr34k · · Score: 1

    seems to be similar policy. Manning should have never been able to use a USB stick on an Army system. Snowden should have never been given so much access to various systems. These "failures" are the fault of the organization, not the individuals. The concept of "compartmentalization" exists for a reason. Personally I am glad both people were able to do what they did...but with proper security in place this would have never happened.

  6. Old hat by Whiteox · · Score: 2

    Really? Is hacking the US gov. still a thing?

    --
    Don't be apathetic. Procrastinate!
    1. Re:Old hat by sound+vision · · Score: 1

      Is the US gov. still a thing?

  7. Damage is exaggerated by Trachman · · Score: 1

    I think that the damage to USA is very much over-exaggerated. So, the article says, that the informational gate to one of the websites has been messed up for some time.

    So here is the perspective: if 50 years ago some village boys would have desecrated the entry of the US military base by peeing on the gates, or dropping a dead animal, nobody would care.

    Same with the desecration of US website. The readiness and combat abilities did not decrease at all.

    1. Re:Damage is exaggerated by Anonymous Coward · · Score: 0

      Ok, so it's not that big a deal.

      But, why does this happen at all? Bugs in the software? Poor passwords? Phishing?

      Websites have been around over two decades. Is it *that* *hard* for someone / some organization to sit down and write a reference webserver and backend once and for all "this is how it's done"? Throw the best fault-analysis tools there are at it. Pretend it's an avionics system and code accordingly. Yes it'll be hellishly expensive. But, once done, release it for all, and take care of a whole swath of problems all at once. Bet it would end up saving a lot more money than it costs, over the long haul.

      If it's poor passwords and phishing that did it in, then I don't know what to say. Perhaps intentionally send periodic "phishing" emails and find those who aren't as aware as they should be, and explain it to them?

  8. Reminds of early Judas Priest stuff by Anonymous Coward · · Score: 0

    Ah those were the days, when a gay metal guy could hide in plain sight. And then, no one cared anyway.

  9. Captain Hindsight by gavron · · Score: 3, Funny

    Oh good job, Captain Hindsight! You are absolutely right! Manning should have never been able to use a USB stick [takes notes]. Also Snowden should have never been given so much access [takes notes].

    "...this would have never happened."

    Oh excelsior! Your powers of observation and hindsight deduction are without compare. Between that and your three split infinitives all I can say is BRAVO, SIR, BRAVO! You truly have your finger on the pulse of ... everything that's wrong.

    1. Re: Captain Hindsight by NoGuffCheck · · Score: 1

      I wish I had mod points, +5 for most sarcastic comment I've read ever.

      --
      serenity now!
    2. Re:Captain Hindsight by l0n3s0m3phr34k · · Score: 2

      Glad I can humor you, Grammer Nazi. The Dean of Canterbury who wrote "The Queen’s English" just called from 1864 and said they want their rule book back.

    3. Re:Captain Hindsight by gavron · · Score: 1

      It's grammar, not grammer, and you're welcome, illiterate swinehunt.

    4. Re: Captain Hindsight by Anonymous Coward · · Score: 0

      Except these are policies that should have been in place. It doesn't take hindsight to realize that.

  10. Re:More problems caused by Bush incompetence by Anonymous Coward · · Score: 0

    Part-time atheist, muslim, homosexual, and full time elected-dictator anti-american president, many are starting to think that these conflicting traits are the result of a mental illness such as multiple personality disorder. Some are even questioning whether we should coast it for another 1.5 years and countless more trillions wasted or start the process to change now...

  11. failure on the social level by bzipitidoo · · Score: 1

    Forbidding portable media didn't work well in the days of the floppy disk, and doesn't work now. Much better to talk to people, make sure no one has a justifiable grievance against an immediate supervisor. If someone sees something to blow a whistle about, give them a way to do so that isn't so damaging and doesn't have a bunch of organization men conflating treason to the nation with refusal to look the other way when they lie and cheat. We should be grateful to whistleblowers, not treat them with suspicion.

    The first line of defense is not to make enemies in the first place. That goes for other nations as well as insiders.

    --
    Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
    1. Re:failure on the social level by l0n3s0m3phr34k · · Score: 1

      Quite true, but from an ITSEC standpoint the fact that the USB ports aren't physically disabled seems to be just asking for a leak.

  12. propaganda by Anonymous Coward · · Score: 0

    Pro-Assad propaganda? No, it was counter-propaganda, everything the western governments and media are telling you about Syria is false, just as it was about Gaddafi.

  13. sadly, yes by Anonymous Coward · · Score: 1

    In the early days of the rebellion, there was hope that moderates would rise up, and turn Syria into a moderate Republic. However, the CIA could not find enough militant moderates. Branches of al qaeda in Syria and Iraq have since taken over the rebellion. al qaeda in Iraq broke off, and became ISIS. al qaeda in Syria is still on good terms with al qaeda HQ, and is now called Nusra Front. The moderates don't care if al qaeda conquers Syria. They want Assad dead. So does the European media.

  14. Sure sure. I believe you. by REALMAN · · Score: 1

    I bet ten hard drives that the Army hacked its own site and blamed it on Syria for propaganda reasons. Any takers?

    --
    - A Frog in a pond utters an azure cry. -
    1. Re:Sure sure. I believe you. by vikingpower · · Score: 1

      Accepted. I bet one prostitute against your bet. Reason: too much loss of prestige involved in doing such a thing.

      --
      Religious speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
  15. deres haxx0rz in de army nao by Anonymous Coward · · Score: 0

    They were recruiting anyway, weren't they? Ain't no pleasin' some people.

  16. I think the U.S is in control by Anonymous Coward · · Score: 0

    of this Twitter account. They can force Twitter to hand it over and make them not say a word about it. And I don't believe for a second that some people from Syria, which the U.S has now helped reduce to rubble and sand, have the resources and expertise to hack into U.S servers like this. U.S propaganda.

  17. None of that is "hacking" by Anonymous Coward · · Score: 0

    It's like calling youths with cans of spray paint vandalizing the neighbourhood, "painters". Such artsy fellows.

  18. Has anyone ever hacked /.? by jfdavis668 · · Score: 1

    You think with all the nonsense that happens here, someone would have taken offense and hacked into the /. servers.

  19. DICE SUCKS - DICE SUCKS - DICE SUCKS - DICE SUCKS by Anonymous Coward · · Score: 0

    I just hacked this reply! It was a reference to the last time it happened, but I thought it better to give you a new example.

  20. Sorry, but that's nonsense by Giant+Electronic+Bra · · Score: 1

    I've taught computer security and web application security at an undergraduate level, and I can tell you that this is just not true. Now, it's possible you can have foreclosed all the most obvious direct methods of breaking into your system. You've closed every possible content injection hole, you've configured the network such that even if someone started a rogue process on your machine it couldn't talk to anything outside your network, you've locked down every file using SELinux rules so no process exposed to any outside influence can write to any file whatsoever. Great, that's all wonderful!

    Now, are all the other systems on your network, even the appliances and your connectivity provider's routers all 100% secure? No? Gosh, now I've defeated the network origin based aspects of your setup. Now, is the IPMI properly secured on the physical server your instance is running on? Is the VMWare hypervisor unhackable? Could I get into the management infrastructure (maybe through an insecure operator workstation, etc) and say create an instance of my own that I can use to leverage an attack on that hypervisor? Or maybe I can just poison the image you use and force VMWare to restart your instance. Once I'm on your network, eventually I own you. I don't care what you do, I WILL own you. If it's worth my time and energy to own you then I will. And all of the suggestions above? Those are the HARD way to do it. As the Chinese have amply shown you can ALWAYS count on human weakness. You can spearphish someone, etc, own their machines, get their ssh keys, run APTs on their system that can spread through a network by means you don't even know exist.

    There are basically 2 things you do. First you do what you're doing, it's not valueless, it's just that all it does is keep out the riffraff. It makes you uninviting to the casual, inept, and poorly resourced threats. That allows you to concentrate on the REAL threats. Next you analyze your assets and determine which things are most valuable to protect. You can now determine what might be viable pathways for an attacker to get to those things. You can now use active defenses, monitoring and threat response systems to make attacks on those things so difficult and expensive that they're just not economically worth it. There still might be some insane guy that won't quit and he'll beat you perhaps, but that's life. No Russian mobster or Chinese corporate hack will bother, it's not cost-effective to them.

    And that is the key point, static defenses, as good as you may make them, are worthless. You wouldn't defend a ton of gold by just locking it in a safe. A safe is great, but if I can stand in front of that safe for a week it's GOING to fail. You must have active defenses, guard dogs around the safe, watchmen that can catch intruders, etc. Likewise, you need active defenses. Not only do they (hopefully) detect intrusions, but they at least allow you after the fact to narrow down what happened, find out which files the bad guys got, which machines they accessed, etc. They are both security AND mitigation methods, and they're the most important things. Even the simple ones, running some sort of file system integrity checker on each server and keeping track of the results, etc.

    There's a LOT more to security than write protecting all your files and such. You can NEVER lock down everything and the attack surface of your machine always extends beyond the reach of any single sysadmin.

    --
    "Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
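An added example, not part of the original comment: the "file system integrity checker on each server" mentioned above, reduced to its core of recording a baseline, keeping it, and reporting what changed since. All function names and the sample tree are constructed for this illustration, and the baseline file is assumed to live somewhere the monitored host cannot overwrite.

```python
import hashlib
import json
import os
import stat
import tempfile


def _sha256(path):
    """Hash a file in chunks; an unreadable file is recorded, not skipped."""
    digest = hashlib.sha256()
    try:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
    except OSError:
        return "unreadable"
    return digest.hexdigest()


def snapshot(root):
    """Return {relative_path: record} for files and symlinks under root."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # Symlinks to directories show up in dirnames; record them, never follow.
        links = [d for d in dirnames if os.path.islink(os.path.join(dirpath, d))]
        for name in filenames + links:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            record = {"mode": stat.S_IMODE(st.st_mode), "size": st.st_size}
            if stat.S_ISLNK(st.st_mode):
                record["link"] = os.readlink(full)
            elif stat.S_ISREG(st.st_mode):
                record["sha256"] = _sha256(full)
            manifest[os.path.relpath(full, root)] = record
    return manifest


def save_manifest(manifest, path):
    with open(path, "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path) as fh:
        return json.load(fh)


def compare(baseline, current):
    """Classify every difference between two snapshots."""
    report = {"added": [], "removed": [], "content": [], "metadata": []}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            report["added"].append(path)
        elif new is None:
            report["removed"].append(path)
        elif (old.get("sha256"), old.get("link")) != (new.get("sha256"), new.get("link")):
            report["content"].append(path)
        elif old["mode"] != new["mode"]:
            report["metadata"].append(path)
    return report


def demo():
    """Constructed sample tree: baseline it, change it, report the changes."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(root, "conf"))
        sample = {"index.html": "<h1>ok</h1>", "conf/app.ini": "debug=0",
                  "run.sh": "#!/bin/sh\n", "old.txt": "x"}
        for rel, text in sample.items():
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(text)
        os.chmod(os.path.join(root, "run.sh"), 0o750)

        baseline_file = os.path.join(store, "baseline.json")
        save_manifest(snapshot(root), baseline_file)

        # Changes made after the baseline was taken.
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<h1>defaced</h1>")
        os.chmod(os.path.join(root, "run.sh"), 0o777)
        os.remove(os.path.join(root, "old.txt"))
        with open(os.path.join(root, "conf", "unexpected.txt"), "w") as fh:
            fh.write("not in baseline")

        return compare(load_manifest(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A non-empty report is the "keeping track of the results" part: it is the trail used after the fact to narrow down which files were touched.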
    1. Re:Sorry, but that's nonsense by Karmashock · · Score: 1

      Are all the systems on the network secure? Yes. In so many ways. The workstations are locked down. You can't run un-authorized code on them.

      Are the appliances secure as well? Yep. This one is actually easier. The appliances are either non-programmable or they're firewalled.

      What is more, when I was talking about things being unhackable, I meant from the outside. If you're in the building then things become difficult because I have to start fighting the first law of computer security, which is physical security.

      I have to keep you from physically touching some systems. If I can keep your hands off them then even from within you can't get access without authorization or using someone else's authorization. I mean, if some user left their machine logged in... then you could have access to that.

      that would be about it.

      Could you get into the management infrastructure... I don't see how. You can't even open a command prompt unless you're logged in on an admin account much less run executable code. How are you going to hack my system if you can't run non-authorized code? Those machines can't even run scripts under the user account.

      As to you owning me if you're on the network, I'll point out again that any sort of activity like that is going to start creating a lot of security logs and the serious ones get immediately sent to me by text message. So... do you think you could do it before four people come up behind you with firearms and put a pistol to the back of your head?

      You underestimate the situation. You don't have the access or the time. You couldn't even stick an unknown machine into the network without getting flagged. The router would create a security log of an unknown system and I'd be notified immediately.

      As to active defenses... That's me. The system is full of traps and alarms. You're not going to avoid them. They all operate on the principle that if you don't do everything JUST so things either don't work or it doesn't work and it triggers a security log. If you're sitting there physically inside my network going through possible vulnerabilities one at a time... you're going to create a serious security log very quickly... and best case I'll check on you first. Worst case I'll come with "help" to deal with you. Depends on the type of alarm you set off. Set off something I see a lot that is sort of innocent and I'll eyeball you. Set off something that can't be innocent and I'll assume it isn't innocent.

      As to write protecting all files... that was just one stopgap on one system because I was tired of it getting fucked with. I was also annoyed that the guy responsible for it was telling me that he couldn't secure it because it was impossible. So I just did something brute force that made a point.

      As to the attack surface of a machine extending beyond the reach of the admin... depends on what you mean by "the machine"... a single machine is stupidly easy to secure... I can kick the power cord out of the wall... I mean you can't attack something if it isn't connected and if you can't find it.

      I have home court advantage which counts for everything in this game.

      Systems like mine are not breached electronically. You get into my system by physically infiltrating and getting physically too close to certain assets. Short of that, you can beat your brains in on it.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    2. Re:Sorry, but that's nonsense by Giant+Electronic+Bra · · Score: 1

      OK, dream on. I've worked with some damned fine security guys in my time. You really could learn a few things from them.

      --
      "Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
    3. Re:Sorry, but that's nonsense by Anonymous Coward · · Score: 0

      All this talk about pistols and "dealing" with people... I think you are watching too many movies.

    4. Re:Sorry, but that's nonsense by Karmashock · · Score: 1

      And what would I learn?... Seems like the lesson you want to teach is despair.

      Why would I want to learn that lesson when I can just win? I'm fine thanks.

      Look, I'm not saying perfect security is practical in all cases. I'm just saying it is possible. And when you are dealing with high security environments you can secure them so that they do not get hacked.

      Saying you can't do it because how would we check our facebook is itself naive, soft, and frankly irresponsible.

      You lock it down and you don't get touched.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    5. Re:Sorry, but that's nonsense by Karmashock · · Score: 1

      You were saying you would run an active hack from inside a high security network.

      If you don't think such facilities have men with guns then you know less about such networks than you think.

      Ever tried to walk into an investment bank? You wouldn't leave the lobby. You need an ID card at a minimum to get the elevator to go to the right floor. And that assumes there aren't four or five other security systems being used in correlation with that.

      I'm always amazed at what people think is "actual" security.

      Take something as rudimentary as a night club. They have a big guy standing out front that will twist your head off and shit down your neck if you decide to challenge him. And that's a fucking night club.

      The security situations you're familiar with apparently have LESS security than a night club... meant to keep drunks and people girls don't want to dance with out of the club.

      Doesn't that raise a red flag for you as to what you consider valid security?

      Believe me. You physically intrude into a secure network and spook the admin... Men with guns will be there. Whether they draw them and point them will be their discretion. But they'll have them.

      The movies? No... sadly there are no 20 something chicks that work in the building with huge tits, puffy lips, and runway makeup. However, high security environments are high security because the stakes are high. You cannot let people breach them.

      In the corporate environments, billions of dollars ride on the security. In national security you're talking about the fate of nations.

      If you think someone wouldn't raspberry jam your brains all over the walls with those stakes on the line you're kidding yourself.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  21. yes by Anonymous Coward · · Score: 0

    Also the spy agencies have hijacked the website for their IP data mining.

  22. Except for the fact that . . . by Anonymous Coward · · Score: 0

    You can't blame the people for misunderstanding. People hear what poor journalism tells them.
