Slashdot Mirror


US Army Website Hacked By Syrian Electronic Army

swinferno writes: On Monday afternoon, the Syrian Electronic Army claimed on Twitter to have successfully hacked the website of the United States Army, army.mil. Various screenshots that appeared on Twitter reportedly showed pro-Assad propaganda on the site before it crashed. "Today an element of the Army.mil service provider's content was compromised. After this came to our attention, the Army took appropriate preventive measures to ensure there was no breach of Army data by taking down the website temporarily," spokesman Brig. Gen. Malcom B. Frost said in a statement.


  1. Obligatory by darkain · · Score: 4, Insightful
    1. Re:Obligatory by Karmashock · · Score: 1

      Hmmm... they actually did get into the webserver... it wasn't just a DDOS attack or something. They actually got in.

      Now did they get anywhere near anything we care about? Probably not. But they did get in to something.

      Possibly read it this way:

      "vandals broke into a sign put up by the US military and changed the letters around to say POOP"... they did get in... just... to a place no one cares about.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    2. Re:Obligatory by Anubis+IV · · Score: 1

      Agreed. It's the Internet equivalent of graffiti. It's an embarrassment, to be sure, but breaking and entering, it is not.

    3. Re:Obligatory by Zaelath · · Score: 2

      Yeah, that's exactly what that XKCD is saying. They got at an externally hosted server that would have occasionally been accessed FROM a (more, but not highly) secure .mil network, but doesn't have any access TO any .mil network.

      It's about as significant as shitting through a recruiting office letterbox in a mall.

    4. Re:Obligatory by Karmashock · · Score: 2

      emmm... not really. just because there isn't secure information in there doesn't mean it is "okay" that it got busted.

      First there is a question of prestige here. You don't let shitstain hackers break into your webserver. You just don't.

      Second, I'm not sure there was nothing in there of value. It could have contained something that would point them at other systems or give them deeper knowledge of the infrastructure of another network. And they could leapfrog from one to the next.

      It definitely was a breach... a breach into a place with no secure information? Possibly... but still a breach. And you don't let a bunch of kids into mil space.

      All I'm saying... secure your webservers. Please.

      I was dealing with a company webserver that was getting breached every couple weeks. It was constant. Nothing was in it that mattered but people were getting into it and fucking it up.

      I talked to the guy responsible for it and he wasn't making any sense. He was saying it wasn't possible to keep people out of the fucking thing. Which just told me that he wasn't competent to do the job. Period. I talked to someone else and explained some of my ideas as to how to secure it, they said "those will all work"... I then put him on that, we secured the system the way I wanted to do it.

      It hasn't been breached since. What did I do? A lot of things. But the most extreme thing I did... because I'm a kitchen sink sort of guy that throws fucking everything at anything that gives me a problem... I write locked the server. You literally can't change anything on it. All the parts of the system that are fucking WordPress or other similar code that was getting screwed with is write locked at the file system level. It doesn't need to be changed on a regular basis. We move something around about every three or four months maybe. And all the web admin has to do is trigger a script that unlocks the files, then he can do what he wants, then he triggers the script again and it locks all the files behind him.

      This is an issue I have with stuff like WordPress. It's really nifty but it's got lots of ways to hack it or get into admin functions.

      And my attitude with that, is that you need to understand the portions of the system that change and the portions of the system that don't. Then you only permit the segments that need to change to change. And the portions that don't can remain locked.

      You do that, and most of the pure WordPress hacks and exploits don't work. They don't anticipate the configuration files being write locked.

      Again, not the only thing I did... but one of the most demonstrative of the core concept... which is to make hacking a system LITERALLY impossible.

      Here someone will say "well not literally they could get in and unlock the files at the file system level."... sure... if it is possible to do that... which long story short, it isn't.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    5. Re:Obligatory by Zaelath · · Score: 1

      You can still hack that, just need to go after the DNS server instead.

      And yes, Government rank reputation very highly when you do a risk review, but IFF there was anything on this server that wasn't UNCLASSIFIED:For Public Release, then there was *already* a breach.

      Experience with some corporate wanker does not reflect the way the military/government do security at all.

    6. Re:Obligatory by TubeSteak · · Score: 3, Insightful

      It's about as significant as shitting through a recruiting office letterbox in a mall.

      Unless they dropped some malware on the site and infected the people who unknowingly visited the page.

      --
      [Fuck Beta]
      o0t!
    7. Re:Obligatory by Karmashock · · Score: 1

      hacking a dns server doesn't touch the military webserver. That is bypassing it and hacking public systems to redirect you.

      Quite different.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    8. Re:Obligatory by Karmashock · · Score: 1

      I am... Perfect security is possible with computers. You can make things that are unhackable.

      It needs to be simple enough to debug, elements that don't change should be made literally static... ideally physically locked, and anything hyper secure should be either encrypted with perfect 1:1 encryption or airgapped. That's if you want PERFECT security. Which again... is possible.

      It's like anything that is perfect... either very simple or nearly impossible to do. Make it easy on yourself by making it simple.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    9. Re:Obligatory by Karmashock · · Score: 1

      To understand how to make something unhackable you have to understand how hacking works.

      The whole strategy is basically using the adaptability of the system against the owner. You reprogram the system to do what you want instead of what the owner wanted.

      That's hacking. Can you hack non-programmable systems? Nope. Can you hack something that might be programmable but which you cannot access because it literally doesn't communicate bidirectionally over exposed IP addresses? The ability to hack something like that is pretty limited... if possible at all. And that is with just one security change.

      If you compound a lot of really solid security concepts on top of each other that means the hacker has to break through each successive step to actually get to the meat.

      Now there is technically a way to get through each of these steps and the final probability is still non-zero. That said, there are some very extreme steps you can take that can move the probability from .0000000000000001 to 0.

      Some people don't like to use the terms like impossible or perfect because they feel that is arrogant and that it might just mean you haven't thought of something.

      I concede the possibility of godlike powers rewriting time and space to make what would appear to be physically impossible possible.

      However, excluding godlike redefinitions of basic physical law, there are security protocols that are unbeatable.

      It is important to note that the security being breached is not even good security. Fuck perfect... it isn't even good. The good security isn't getting breached. It's the shitty security that is getting breached. And the stuff I'm talking about is a damn sight better than "good"... it's fucking exceptional to perfect. No one is getting through that. The way you get through this kind of security is by throwing a black bag over the head of the admin and then attaching electrodes to his nuts. That's how you get through.

      Absent that... it isn't happening.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    10. Re:Obligatory by dcollins117 · · Score: 1

      First there is a question of prestige here.

      And authority. Who is going to take seriously the idea that backdoored encryption will be properly safeguarded by the government when just in the past week they just turned over 4 million federal personnel records and an army website over to "hackers"?

      One would have to be abysmally stupid to take information security advice from anyone with their track record. The next time you hear a government official claiming that making our systems less secure is a good idea the correct response is open ridicule and a slow, patronizing shake of the head.

    11. Re:Obligatory by Karmashock · · Score: 1

      As to the proper response to idiots in real situations... I've found it's best to just humor them and then quietly negate the damage they could possibly do when they're not paying attention.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    12. Re:Obligatory by gtall · · Score: 1

      You are assuming the underlying system is correctly and securely designed. That's a big assumption and one you have no way of ascertaining.

    13. Re:Obligatory by Karmashock · · Score: 1

      Depends... I'm not familiar with their system. I know lots of exploits and bugs. So maybe.

      I know I could secure it though.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    14. Re:Obligatory by Karmashock · · Score: 1

      Wrong.

      To be hackable it has to be reprogrammable through the web portal.

      If it isn't for any reason then it isn't hackable.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    15. Re:Obligatory by Jason+Levine · · Score: 1

      And authority. Who is going to take seriously the idea that backdoored encryption will be properly safeguarded by the government when just in the past week they just turned over 4 million federal personnel records and an army website over to "hackers"?

      Government response: "But, TERRORISM!"
      *too many people nod their heads in agreement while the rest of us shake ours in dismay*

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    16. Re:Obligatory by Coren22 · · Score: 1

      So because a system was hacked, you can't trust anyone working for the government on security? I heard that a corporate web server was hacked, I guess we can't trust anyone working security for corporations anymore, they couldn't know what they are talking about.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    17. Re:Obligatory by Karmashock · · Score: 1

      They were reprogrammed otherwise the worm would not have been able to imprint itself on them.

      My understanding further is that the Iranian worm situation was caused by spreading malware from unsecured systems to the centrifuges.

      Are you suggesting that it is impossible to keep a secure network isolated from the facebook and porn network?

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    18. Re:Obligatory by Karmashock · · Score: 1

      I do quite well actually... and if everything is locked down and I'm alerted when there is an issue... then what exactly do I have to do?

      A lot of bad administration is a lack of automation. It's why the security gets lax half the time. They say "well we'd need more IT people to handle that"... for security you really don't need that many. You just need the systems to be set up to call for help when something happens. And then have them be fool proof enough that only rarely does anything happen.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    19. Re:Obligatory by elusive_one · · Score: 1

      Well if it's not done possibly, it was obviously done impossibly. Simple logic.

    20. Re:Obligatory by Zaelath · · Score: 1

      How does the method change the effect?

    21. Re:Obligatory by mjwx · · Score: 1

      It's about as significant as shitting through a recruiting office letterbox in a mall.

      Unless they dropped some malware on the site and infected the people who unknowingly visited the page.

      Which is about the same as someone sending you tissue full of mucus and flu germs through the mail. You're only at threat if you don't throw it away and wash your hands.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    22. Re:Obligatory by Karmashock · · Score: 1

      The effect is not the issue here. What actually happened is the issue.

      Furthermore, the DNS affects only systems affected by the DNS hack.

      If you use a private DNS system... which you should if it is high security... then you would completely ignore the issue.

      What some jerkoff sees when he connects to your system is one thing. What actually happened to your systems is another.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    23. Re:Obligatory by Karmashock · · Score: 1

      I can't disagree... the thing fucking pissed me off with all its problems. The web admin told me that it couldn't be secured without completely rewriting the whole site and upgrading lots of crap in it along the way.

      And I thought to myself... "and how long will that work?"... and I concluded that I'd be having the same conversation with the guy in two years.

      So I tried to draw him into a discussion about securing the site without bothering with Wordpress's endless bullshit. And he basically had no idea what I was talking about.

      So I contacted someone else that I work with a lot and ran the situation by him and we both basically came to the same conclusion pretty fast. And so we basically treated the wordpress site like a black box of broken bullshit. Locked it down the only way you can lock down a black box. Security issue solved.

      Web admin has to VPN into the webserver, unlock the file system, and then he can mess with it. Beyond that, the site itself has all its configurations, scripts, passwords, etc locked. It can do things... it isn't entirely static. But it can't be reprogrammed without unlocking the configuration files which control how it works. "People" do still try to hack the thing. I can see the intrusion attempts in the logfiles. But there isn't anything they can do even if they do use an exploit. It's locked.

      What I like about little solutions like that is that they're very bruteforce, simple, and from what I've seen totally unexpected. No one sees that coming.

      Is there a way around it? I'm struggling to see how. The webserver doesn't have permissions to unlock files. So even if you took control of the web software the OS still wouldn't unlock the files.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
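
The write-lock toggle described in comments 4 and 23 above, sketched as an added example that is not code from any poster or from the site they describe. It assumes the tree is owned by a deploy account that the web server does not run as; the directory names in `MUTABLE_DIRS` and all function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): write-lock toggle for a web root.
# Assumptions: the tree is owned by a deploy account, the web server runs as
# a different account, and MUTABLE_DIRS lists the only parts that must change.

# Paths relative to the web root that stay writable (hypothetical names).
MUTABLE_DIRS="${MUTABLE_DIRS:-wp-content/uploads wp-content/cache}"

# Run find(1) over files and directories under $1, skipping MUTABLE_DIRS,
# with the remaining arguments as the find action. Symlinks are excluded so
# chmod never follows one out of the tree.
_walk() {
    root=${1%/}; shift
    n=$#                                  # number of action arguments
    for d in $MUTABLE_DIRS; do
        set -- "$@" -path "$root/$d" -prune -o
    done
    set -- "$@" "(" -type f -o -type d ")"
    while [ "$n" -gt 0 ]; do              # rotate the action to the end
        arg=$1; shift
        set -- "$@" "$arg"
        n=$((n - 1))
    done
    find "$root" "$@"
}

# Remove every write bit outside the mutable directories.
lock_tree() {
    _walk "$1" -exec chmod a-w {} +
}

# Give the owning (deploy) account its write bit back for maintenance.
unlock_tree() {
    _walk "$1" -exec chmod u+w {} +
}

# Print every path outside the mutable directories that still has a write bit.
writable_paths() {
    _walk "$1" "(" -perm -200 -o -perm -020 -o -perm -002 ")" -print
}

# Exit status 0 if the tree is fully locked, 1 (with the offending paths on
# stderr) otherwise. Suitable for a cron job that alerts on drift.
audit_tree() {
    leftover=$(writable_paths "$1")
    if [ -z "$leftover" ]; then
        return 0
    fi
    printf 'still writable:\n%s\n' "$leftover" >&2
    return 1
}

# Command-line use: lockweb.sh lock|unlock|audit /path/to/webroot
case "${1:-}" in
    lock)   lock_tree "$2" && audit_tree "$2" ;;
    unlock) unlock_tree "$2" ;;
    audit)  audit_tree "$2" ;;
esac
```

Mode bits only hold against an account that does not own the files, since an owner can chmod them back and root ignores them; the scheduled `audit` run is what catches a tree left unlocked after maintenance.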
    24. Re:Obligatory by Karmashock · · Score: 1

      Doxx myself? First, I don't own the systems so I have no right to do such a thing. Second, only an idiot would doxx themselves... just because some AC dared him to? Comical.

      I'd do it if I had permission and if I were getting paid... ideally by you... lots of money.

      Short of that... you're basically asking me to betray my employer, subject myself to real life harassment from internet trolls, and for... nothing?

      No thanks.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    25. Re:Obligatory by Zaelath · · Score: 1

      Nope, to all that.

      Effect is entirely the issue. The effort required to ensure this kind of thing *NEVER* happens is entirely disproportionate to the effort required to ensure that there is nothing of real value on an internet accessible server (or from it).

      Furthermore, a DNS attack that re-delegates the domain to different DNS servers would mean everyone (other than internal users that wouldn't be using public DNS servers) would see the affected page, which is what they want, "how" is entirely irrelevant to the attackers. It's still news, it would still be covered, and it would be harder to resolve as quickly as taking the server offline as soon as the monitoring detected the change.

      The "private DNS system" isn't accessible publicly either, or it's just another attack surface

      What some jerkoff sees when he connects to your system is one thing. What actually happened to your systems is another.

      Exactly, and when you're the Military "your systems" are those on the high security network, not a poster you hung up outside, which neatly takes us back to XKCD.

    26. Re:Obligatory by Karmashock · · Score: 1

      Hey bingo.

      I can only make 25 posts a day. How long do you think it takes me to make a post?

      The only thing that makes this site take a long time is that I have to wait awhile between posts.

      Otherwise, I'd burn my post quota out in about half an hour.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    27. Re:Obligatory by Karmashock · · Score: 1

      You'd know this if you ever logged in... the system cuts you off if you make more than 25 posts in a 24 hour period. You get an error and it prevents you from posting again for at least an hour. At which point you can only post until your post count in the last 24 hours reaches 25.

      Anyway, bingo... I don't know where you get off judging people that actually HAVE records. You don't. You don't get to judge, shithead. ;)

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    28. Re:Obligatory by Karmashock · · Score: 1

      So on top of being a troll, obsessed with me, a hypocrite, a coward, and a liar... you're also unable to count?

      That link you showed me doesn't show more than 25 posts. That's all it permits per page.

      So what is it like being such a failure of a human being?

      I mean... what are you good at?... besides failure of course. You're amazing at failure.

      I'm just going to give you a little golf clap for the unbroken track record of failure so far:
      https://www.youtube.com/watch?...

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    29. Re:Obligatory by Karmashock · · Score: 1

      I've never counted. I get an error every so often saying "you can't post more than 25 times in 24 hours"... so sue me... I thought the error warning was accurate.

      Whatever.

      ACs still have no ethical or moral right to judge people that log in. We have histories. You don't.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    30. Re:Obligatory by Karmashock · · Score: 1

      Taking a warning message from the slashdot site as being valid doesn't make me a liar... idiot.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    31. Re:Obligatory by Karmashock · · Score: 1

      Next time I get it, I'll screen cap it for you or something. I get it about twice a month. Often there will be some dog pile and I'll have to respond to about a dozen fucktwits and that just burns up my post count allotment.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    32. Re:Obligatory by Karmashock · · Score: 1

      Yes... and if I thought that was correct then I didn't lie.

      Being wrong doesn't mean you're a liar. Idiot.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    33. Re:Obligatory by Karmashock · · Score: 1

      Making an honest mistake given reasonable information is neither unethical nor immoral. Your presumption of judgment is comical.

      What is funnier is that you're trying to blow this up into something that damns me as a person.

      And what you possibly didn't realize is that I'm responding to you. Something which you should know by now bingo, I normally stop doing once I realize it is you.

      But I'm still responding to you.

      Do you know why? Because I'm going to hit that limit. And when I do, I'll screen cap it. And win.

      So keep whining, you deluded fucktwit. Every post you cause me to make in response gets me closer to my goal. And then I win. :)

      Your best bet for retaining any credibility is to stop posting right now. But you won't because you can't help yourself... and it doesn't really matter since you know I don't lie. We have had enough discussions in the past that you know I can back myself up if needed.

      And all you're doing is helping me rack up posts to prove you wrong. again.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    34. Re:Obligatory by Karmashock · · Score: 1

      Okay so you admit I wasn't a liar.

      k thanks.

      I win again, twit.

      You're so fucking stupid :D It's amazing.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    35. Re:Obligatory by Karmashock · · Score: 1

      There's no goal post being moved. That is what it means to lie and what it means to tell the truth.

      You're the one that is goal post moving. Your claim that I lied was so stupid that even you backed off it and rather than admit you went too far you're now trying to cover your mistake with abuse.

      You're pitiful.

      And that's another post for me. I can't wait until the stupid thing flags me. Then I shall screen cap it and win.

      Keep going. :D

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    36. Re:Obligatory by Karmashock · · Score: 1

      First, "you"... that implies I did something which I didn't do.

      Second, this is continued with you using the word "did" which states that I actually did something which I didn't do.

      Third, "exactly" means that something precisely something and you've already admitted that I didn't lie which means I didn't exactly lie.

      Fourth, there is that "you" again that suggests I did something.

      Fifth, "are" again suggests a state of being but your statement is contradictory with both your own statements and reality.

      Sixth, you used that word again "liar" which you already admitted I was not. ... that's the part that I have a problem with... all of it. Every single bit.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    37. Re:Obligatory by Karmashock · · Score: 1

      Nope. I didn't lie about anything. I relied upon what the site told me had happened. The next time it does, I'll screen cap the error message for you.

      There's no lie.

      A lie requires deliberate deception. An error based on putting too much faith in an error message is not a lie by definition unless I knowingly misrepresent my statement. I did no such thing so it was not a lie.

      You don't really understand what a "lie" is do you?

      See, this is my issue with ACs... you're astoundingly stupid. How can you not know what a lie is and yet be so fucking dumb that you'd accuse someone of doing it?

      This is why ACs need to not exist. Then we can know who the morons are and shame you into silence. The alternative is that so many of you idiots are running around sockpuppeting each other that no one knows exactly how many of you there are... at least of the really dumb ones.

      I suspect there are fewer of you than it would appear. But you're very active posters.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    38. Re:Obligatory by Karmashock · · Score: 1

      This thread? who cares. You're following me all over the forum. Who cares what thread we're talking about anymore.

      It doesn't matter to you. Why should it matter to me? You already admitted in one of these threads that you were in error on the whole lying thing... You know it. I know it... so who's the liar now?

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    39. Re:Obligatory by Karmashock · · Score: 1

      Cite a lie I told, fucktwit.

      You say I can't undo my record... but I don't need to. And unlike you, I'm not afraid of my record. You are afraid of your record. And yet you presume to threaten me with mine? You're a joke.

      I am quite happy to stand on my record. Unlike you, I'm not a coward. ;)

      *kiss kiss* shithead. :)

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    40. Re:Obligatory by Karmashock · · Score: 1

      Did too. :)

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    41. Re:Obligatory by Karmashock · · Score: 1

      Bingo, for me to have lied there, I would have had to have known it was not true. You already admitted you fucked up and I didn't lie. So why are you now lying by reversing course and saying I lied about something that you know I didn't lie about?

      I mean... who do you think you're fooling here?

      Not me obviously. No one else is reading this... so... it's you and me... and I'm not fooled... so what is the point?

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  2. Different goals by Bathroom+Humor · · Score: 4, Interesting

    I guess you can tell the ambition of an attack based on how obvious it is.
    When the Syrian Electronic Army hacks a website, they simply vandalize it and make a lot of noise. When someone else, say the Chinese government, hacks a web address, they ignore the front pages altogether and go straight for the data centers. Way more discreet, way more dangerous.

    I could make a fart analogy out of this. So I will.
    The silent ones are the ones you need to fear.

    1. Re:Different goals by l0n3s0m3phr34k · · Score: 1

      I had a theory the recent Chinese break in was to see how their already-placed agents scored on these background checks...plus it gives them intel on how their spies can overcome our checks in the future.

    2. Re:Different goals by Bathroom+Humor · · Score: 1

      That could very well be true. Think of the quietest, closest, most drawn out fart imaginable. Terrifying. Then trying to find out who exactly the culprit is... nobody wants to fess up to something that odorous.

      But it does make me wonder; How well is the U.S. set up in China? We HAVE to be snooping in on them, even if it isn't made public nearly as often. That tells me that either we aren't very good at getting sensitive data, or our farts are tremendously delayed and powerful. hmmm...

    3. Re:Different goals by rtb61 · · Score: 1

      The Chinese and Russians are both losing interest in the US government and are focusing on where the real power is, US corporations and their executives and board members. Why spy on the puppet, when it is much more effective to spy on the corruption at the actual real top.

      --
      Chaos - everything, everywhere, everywhen
  3. Manning's USB stick by l0n3s0m3phr34k · · Score: 1

    seems to be similar policy. Manning should have never been able to use a USB stick on an Army system. Snowden should have never been given so much access to various systems. These "failures" are the fault of the organization, not the individuals. The concept of "compartmentalization" exists for a reason. Personally I am glad both people were able to do what they did...but with proper security in place this would have never happened.

  4. Old hat by Whiteox · · Score: 2

    Really? Is hacking the US gov. still a thing?

    --
    Don't be apathetic. Procrastinate!
    1. Re:Old hat by sound+vision · · Score: 1

      Is the US gov. still a thing?

  5. Damage is exaggerated by Trachman · · Score: 1

    I think that the damage to USA is very much over-exaggerated. So, the article says, that the informational gate to one of the websites has been messed up for some time.

    So here is the perspective: if 50 years ago some village boys would have desecrated the entry of the US military base by peeing on the gates, or dropping a dead animal, nobody would care.

    Same with the desecration of US website. The readiness and combat abilities did not decrease at all.

  6. Captain Hindsight by gavron · · Score: 3, Funny

    Oh good job, Captain Hindsight! You are absolutely right! Manning should have never been able to use a USB stick [takes notes]. Also Snowden should have never been given so much access [takes notes].

    "...this would have never happened."

    Oh excelsior! Your powers of observation and hindsight deduction are without compare. Between that and your three split infinitives all I can say is BRAVO, SIR, BRAVO! You truly have your finger on the pulse of ... everything that's wrong.

    1. Re: Captain Hindsight by NoGuffCheck · · Score: 1

      i wish I had mod points, +5 for most sarcastic comment I've read ever.

      --
      serenity now!
    2. Re:Captain Hindsight by l0n3s0m3phr34k · · Score: 2

      Glad I can humor you, Grammer Nazi. The Dean of Canterbury who wrote "The Queen’s English" just called from 1864 and said they want their rule book back.

    3. Re:Captain Hindsight by gavron · · Score: 1

      It's grammar, not grammer, and you're welcome, illiterate swinehunt.

  7. failure on the social level by bzipitidoo · · Score: 1

    Forbidding portable media didn't work well in the days of the floppy disk, and doesn't work now. Much better to talk to people, make sure no one has a justifiable grievance against an immediate supervisor. If someone sees something to blow a whistle about, give them a way to do so that isn't so damaging and doesn't have a bunch of organization men conflating treason to the nation with refusal to look the other way when they lie and cheat. We should be grateful to whistleblowers, not treat them with suspicion.

    The first line of defense is not to make enemies in the first place. That goes for other nations as well as insiders.

    --
    Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
    1. Re:failure on the social level by l0n3s0m3phr34k · · Score: 1

      Quite true, but from an ITSEC standpoint the fact that the USB ports aren't physically disabled seems to be just asking for a leak.

  8. sadly, yes by Anonymous Coward · · Score: 1

    In the early days of the rebellion, there was hope that moderates would rise up, and turn Syria into a moderate Republic. However, the CIA could not find enough militant moderates. Branches of al Qaeda in Syria and Iraq have since taken over the rebellion. Al Qaeda in Iraq broke off, and became ISIS. Al Qaeda in Syria is still on good terms with al Qaeda HQ, and is now called Nusra Front. The moderates don't care if al Qaeda conquers Syria. They want Assad dead. So does the European media.

  9. Sure sure. I believe you. by REALMAN · · Score: 1

    I bet ten hard drives that the Army hacked its own site and blamed it on Syria for propaganda reasons. Any takers?

    --
    - A Frog in a pond utters an azure cry. -
    1. Re:Sure sure. I believe you. by vikingpower · · Score: 1

      Accepted. I bet one prostitute against your bet. Reason: too much loss of prestige involved in doing such a thing.

      --
      Religious speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
  10. Has anyone ever hacked /.? by jfdavis668 · · Score: 1

    You think with all the nonsense that happens here, someone would have taken offense and hacked into the /. servers.

  11. Sorry, but that's nonsense by Giant+Electronic+Bra · · Score: 1

    I've taught computer security and web application security at an undergraduate level, and I can tell you that this is just not true. Now, it's possible you can have foreclosed all the most obvious direct methods of breaking into your system. You've closed every possible content injection hole, you've configured the network such that even if someone started a rogue process on your machine it couldn't talk to anything outside your network, you've locked down every file using SELinux rules so no process exposed to any outside influence can write to any file whatsoever. Great, that's all wonderful!

    Now, are all the other systems on your network, even the appliances and your connectivity provider's routers all 100% secure? No? Gosh, now I've defeated the network origin based aspects of your setup. Now, is the IPMI properly secured on the physical server your instance is running on? Is the VMware hypervisor unhackable? Could I get into the management infrastructure (maybe through an insecure operator workstation, etc) and say create an instance of my own that I can use to leverage an attack on that hypervisor? Or maybe I can just poison the image you use and force VMware to restart your instance. Once I'm on your network, eventually I own you. I don't care what you do, I WILL own you. If it's worth my time and energy to own you then I will. And all of the suggestions above? Those are the HARD way to do it. As the Chinese have amply shown you can ALWAYS count on human weakness. You can spearphish someone, etc, own their machines, get their ssh keys, run APTs on their system that can spread through a network by means you don't even know exist.

    There are basically 2 things you do. First you do what you're doing, it's not valueless, it's just that all it does is keep out the riffraff. It makes you uninviting to the casual, inept, and poorly resourced threats. That allows you to concentrate on the REAL threats. Next you analyze your assets and determine which things are most valuable to protect. You can now determine what might be viable pathways for an attacker to get to those things. You can now use active defenses, monitoring and threat response systems to make attacks on those things so difficult and expensive that they're just not economically worth it. There still might be some insane guy that won't quit and he'll beat you perhaps, but that's life. No Russian mobster or Chinese corporate hack will bother, it's not cost-effective to them.

    And that is the key point, static defenses, as good as you may make them, are worthless. You wouldn't defend a ton of gold by just locking it in a safe. A safe is great, but if I can stand in front of that safe for a week it's GOING to fail. You must have active defenses, guard dogs around the safe, watchmen that can catch intruders, etc. Likewise, you need active defenses. Not only do they (hopefully) detect intrusions, but they at least allow you after the fact to narrow down what happened, find out which files the bad guys got, which machines they accessed, etc. They are both security AND mitigation methods, and they're the most important things. Even the simple ones, running some sort of file system integrity checker on each server and keeping track of the results, etc.

    There's a LOT more to security than write protecting all your files and such. You can NEVER lock down everything and the attack surface of your machine always extends beyond the reach of any single sysadmin.

    --
    "Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
    1. Re:Sorry, but that's nonsense by Karmashock · · Score: 1

      Are all the systems on the network secure? Yes. In so many ways. The workstations are locked down. You can't run un-authorized code on them.

      Are the appliances secure as well? Yep. This one is actually easier. The appliances are either non-programmable or they're firewalled.

      What is more, when I was talking about things being unhackable, I meant from the outside. If you're in the building then things become difficult because I have to start fighting the first law of computer security, which is physical security.

      I have to keep you from physically touching some systems. If I can keep your hands off them then even from within you can't get access without authorization or using someone else's authorization. I mean, if some user left their machine logged in... then you could have access to that.

      That would be about it.

      Could you get into the management infrastructure... I don't see how. You can't even open a command prompt unless you're logged in on an admin account much less run executable code. How are you going to hack my system if you can't run non-authorized code? Those machines can't even run scripts under the user account.

      As to you owning me if you're on the network, I'll point out again that any sort of activity like that is going to start creating a lot of security logs and the serious ones get immediately sent to me by text message. So... do you think you could do it before four people come up behind you with firearms and put a pistol to the back of your head?

      You underestimate the situation. You don't have the access or the time. You couldn't even stick an unknown machine into the network without getting flagged. The router would create a security log of an unknown system and I'd be notified immediately.

      As to active defenses... That's me. The system is full of traps and alarms. You're not going to avoid them. They all operate on the principle that if you don't do everything JUST so things either don't work or it doesn't work and it triggers a security log. If you're sitting there physically inside my network going through possible vulnerabilities one at a time... you're going to create a serious security log very quickly... and best case I'll check on you first. Worst case I'll come with "help" to deal with you. Depends on the type of alarm you set off. Set off something I see a lot that is sort of innocent and I'll eyeball you. Set off something that can't be innocent and I'll assume it isn't innocent.

      As to write protecting all files... that was just one stop gap on one system because I was tired of it getting fucked with. I was also annoyed that the guy responsible for it was telling me that he couldn't secure it because it was impossible. So I just did something brute force that made a point.

      As to the attack surface of a machine extending beyond the reach of the admin... depends on what you mean by "the machine"... a single machine is stupidly easy to secure... I can kick the power cord out of the wall... I mean you can't attack something if it isn't connected and if you can't find it.

      I have home court advantage which counts for everything in this game.

      Systems like mine are not breached electronically. You get into my system by physically infiltrating and getting physically too close to certain assets. Short of that, you can beat your brains in on it.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    2. Re:Sorry, but that's nonsense by Giant+Electronic+Bra · · Score: 1

      OK, dream on. I've worked with some damned fine security guys in my time. You really could learn a few things from them.

      --
      "Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
    3. Re:Sorry, but that's nonsense by Karmashock · · Score: 1

      And what would I learn?... Seems like the lesson you want to teach is despair.

      Why would I want to learn that lesson when I can just win? I'm fine thanks.

      Look, I'm not saying perfect security is practical in all cases. I'm just saying it is possible. And when you are dealing with high security environments you can secure them so that they do not get hacked.

      Saying you can't do it because how would we check our Facebook is itself naive, soft, and frankly irresponsible.

      You lock it down and you don't get touched.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    4. Re:Sorry, but that's nonsense by Karmashock · · Score: 1

      You were saying you would run an active hack from inside a high security network.

      If you don't think such facilities have men with guns then you know less about such networks than you think.

      Ever tried to walk into an investment bank? You wouldn't leave the lobby. You need an ID card at a minimum to get the elevator to go to the right floor. And that assumes there aren't four or five other security systems being used in correlation with that.

      I'm always amazed at what people think is "actual" security.

      Take something as rudimentary as a night club. They have a big guy standing out front that will twist your head off and shit down your neck if you decide to challenge him. And that's a fucking night club.

      The security situations you're familiar with apparently have LESS security than a night club... meant to keep drunks and people girls don't want to dance with out of the club.

      Doesn't that raise a red flag for you as to what you consider valid security?

      Believe me. You physically intrude into a secure network and spook the admin... Men with guns will be there. Whether they draw them and point them will be their discretion. But they'll have them.

      The movies? No... sadly there are no 20 something chicks that work in the building with huge tits, puffy lips, and runway makeup. However, high security environments are high security because the stakes are high. You cannot let people breach them.

      In the corporate environments, billions of dollars ride on the security. In national security you're talking about the fate of nations.

      If you think someone wouldn't raspberry jam your brains all over the walls with those stakes on the line you're kidding yourself.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.