Slashdot Mirror


HBO Hacker Leaks Message From HBO Offering $250,000 'Bounty Payment' (variety.com)

The HBO hacker has struck yet again. From a report: Variety has obtained a copy of another message released Thursday by the anonymous hacker to select journalists in which HBO is apparently responding to the initial video letter that was sent informing the Time Warner-owned company of the massive data breach. The message from HBO, dated July 27, features the network's offer to make a "bounty payment" of $250,000 as part of a program in which "white hat IT professionals" are rewarded for "bringing these types of things to our attention." While the message takes a curiously non-confrontational tone in response to a hacker out to damage HBO, a source close to the investigation who confirmed the veracity of the email explained it was worded that way to stall for time while the company attempted to assess the serious situation.

60 comments

  1. Hacker is Anarchist or Small Child by Anonymous Coward · · Score: 0

    Only someone who wanted to watch the world burn for the lulz or a rebellious 12-year-old would mock his victims in such a manner.
    Of course, these two are not mutually exclusive.

    1. Re:Hacker is Anarchist or Small Child by Opportunist · · Score: 1

      Hey, I'm a white hat by day, but I'm not averse to the idea of watching the world burn.

      There are things you pay me for. But there's also stuff I do for fun. Sometimes they overlap.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Hacker is Anarchist or Small Child by someone1234 · · Score: 1

      Still, the guy who did this isn't a white hat.

      --
      Patents Drive Free Software as Hurricanes Drive Construction Industry
    3. Re:Hacker is Anarchist or Small Child by Anonymous Coward · · Score: 0

      So a self-described "grey hat" who has to be paid to act in the interest of good -- and is out breaking laws for shits and giggles.
      So really, a black hat

    4. Re:Hacker is Anarchist or Small Child by Anonymous Coward · · Score: 0

      To me, everyone calling anybody a "hacker", especially an "ethical hacker", or "white hat", or any other colour of hat, is a small child playing with things they don't understand.

      The blackmailers are exactly that, blackmailers. Saying "anonymous hacker" is refusing to say "blackmailer" in favour of empty scarewords. The message still stands: Lots of noise from idiots who don't know squat. Thank you for wasting our time, may we have another?

    5. Re:Hacker is Anarchist or Small Child by Anonymous Coward · · Score: 0

      Until the law breaks them... Have you ever seen what happens to hackers in prison? After the merciless rape and brutalization, there is nothing left but human toilets.

    6. Re: Hacker is Anarchist or Small Child by oobayly · · Score: 2

      Well yes, hackers are people who like playing with things they don't understand in order to understand them. I don't understand why you feel it necessary to denigrate them by likening them to "small children".

      Some of us like taking things apart; whether that's with a screwdriver or a disassembler, it makes no difference.

    7. Re: Hacker is Anarchist or Small Child by Anonymous Coward · · Score: 0

      That's not how nor why I play(ed) the game.
      My mindset is usually: if the devs have been negligent, they may have made such or such logical/mathematical error (usually because most do not master integer or float arithmetic) and then I proceed to test my hypothesis. You would be surprised to know what one can do with a file size limit and a hollow file ;) As for higher level weaknesses, don't get me started with the amount of vulnerabilities in the web in general (it's not even funny anymore).

    8. Re: Hacker is Anarchist or Small Child by Opportunist · · Score: 3, Insightful

      I don't feel denigrated by being likened to a small child. Small children are at least curious and eager to learn (at least before this gets driven out of them when they get confronted by the school system).

      Most adults are lazy fucks that couldn't be bothered to learn something if their life depended on it.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    9. Re:Hacker is Anarchist or Small Child by Opportunist · · Score: 1

      Nope. Self-described white hat. But while we're at quotes from that particular Batman movie, there is one quote from Ledger's Joker that I do subscribe to.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    10. Re: Hacker is Anarchist or Small Child by Anonymous Coward · · Score: 0

      Well yes, hackers are people who like playing with things they don't understand in order to understand them. I don't understand why you feel it necessary to denigrate them by likening them to "small children".

      As a playful type, exploring, learning new things, making new things, it's not a slur.

      As a whole industry full of posers, finding breadcrumbs worth of "security problem" and selling each one like it's a four course dinner, calling them small children is a sure sign these people, in fact the entire "security" industry, needs to grow the fsck up.

      And then there's the media and the bandying around of scarewords but no factual discussion on any level whatsoever.

    11. Re:Hacker is Anarchist or Small Child by Anonymous Coward · · Score: 0

      Just rape and brutalization? I have seen people who had been in prison on counts of computer-related crime. Besides the extremely brutal sexual aggression and debasement, I have seen them disfigured in ways I did not think possible. Broken and destroyed inside. Forced to eat other inmates' feces... The list is long. Nerds do not last long in prison.

  2. That's not what WSJ/Fox News is saying... by __aaclcg7560 · · Score: 4, Informative

    I was going to submit the WSJ/Fox News article under my alias when the Variety story popped up, which has more insight on what HBO is doing.

    When the hackers came forward late last month, an HBO technology-department employee sent them a letter offering $250,000 to participate in the company's "bug bounty" program, in which technology professionals are compensated for finding vulnerabilities, according to a person familiar with the matter.

    HBO was buying time with that response and isn't in negotiations with the hackers, the person said. The hacker has demanded a ransom of around $6 million.

    The network has also been working with the Federal Bureau of Investigation and other law-enforcement agencies and cybersecurity firms to address the matter, people familiar with the matter say.

    WSJ (paywalled): https://www.wsj.com/articles/hbos-hack-hollywood-is-under-siege-1502443802
    Fox News: http://www.foxbusiness.com/features/2017/08/11/hbos-hack-hollywood-is-under-siege.html

    1. Re:That's not what WSJ/Fox News is saying... by msauve · · Score: 2

      Let me paraphrase:

      "We were going to pay him a relatively modest amount with plausible deniability, but won't now because he leaked that, which only gives incentive for others to hack us."

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
  3. You know what else has been leaked? by Anonymous Coward · · Score: 0

    MY BALLS!!! Suck 'em, nerds!

    1. Re:You know what else has been leaked? by Anonymous Coward · · Score: 0

      juicy succulent BALLS!

    2. Re:You know what else has been leaked? by Anonymous Coward · · Score: 0

      Oh that's a nice head lock Sir!

  4. Lesson for HBO: Pay for good IT people by ErichTheRed · · Score: 4, Interesting

    I've been working in IT for over 20 years, and the thing I've seen over and over again is that organizations that cheap out on IT get stung by things like these more frequently. I've been through multi-hour company-wide outages because someone said there was no reason to keep a core application in more than one data center. We constantly see companies where "IT is not our core competency" getting breached when their lowest-bidder contractors leave an open hole exposed, or when the entire company is run on a massive tower of outsourcers that don't communicate with each other. If I remember correctly, that's how the Target breach happened...a contractor running the HVAC for the stores had a security hole in the systems connected to the store networks, which attackers were able to use to get to the registers and credit card terminals.

    You will never convince companies to do this, but in my opinion the only way to prevent breaches from happening or to minimize their damage is to pay in-house IT staff who *actually* understand what's being deployed. Staff who are paid well and not worked to death are going to be a lot more interested in keeping your business alive than some disinterested offshore firm or body shop who cares only about fulfilling the minimum terms in the contract. (The other thing that has to happen is that everything has to be secure by default, but almost nowhere I've worked has been able to wrap their heads around this. Too many places assume that there's an "outside" and an "inside" and spend all their effort defending the perimeter.)

    What's interesting is that $250K is pretty low for a first offer. I haven't looked through the archive of data these hackers claim to have, but summaries say they were able to get access to sensitive corporate data as well as unreleased content. Some group of people at HBO must be going through all the access logs and figuring out what kind of damaging information they may have exposed. Given that they're an entertainment company, just a dump of the company's email should reveal some very interesting exchanges with various high-profile individuals. Worth way more than a quarter million in my opinion....

    1. Re:Lesson for HBO: Pay for good IT people by Anonymous Coward · · Score: 0

      So much this^

      You know it probably would've cost around that much (okay I don't really know for sure) to secure their infrastructure. But for some reason... businesses are still following the "nah security is too expensive" line of thinking and just leaving everything up to chance.

    2. Re:Lesson for HBO: Pay for good IT people by Baron_Yam · · Score: 4, Insightful

      >I've been working in IT for over 20 years, and the thing I've seen over and over again is

      Let's generalize a bit. You've seen that corporations collect knowledge but not wisdom, so they keep repeating the fundamental mistakes while avoiding repeating the exact circumstances of them.

      Outsourcing vs. in-house. Cubicle farms vs. offices. Part time vs. full time. Exploiting vs. 'partnering' with employees. It all goes in cycles of about half a career-span, as new people take over and experience is lost.

      Unfortunately, you do need to import new knowledge and youthful enthusiasm from time to time, and people do tend to calcify as they age and eventually they go and die on you.

      I simply find it very frustrating that I can see these loops and I'm not a genius, I'm simply in my 40s. Which leaves me wondering what kind of idiots are running the show, given that most of the people above me in the org structure are older.

    3. Re:Lesson for HBO: Pay for good IT people by NicknameUnavailable · · Score: 0

      Think of it like this: a good IT guy will spend 99.9% of their time sitting on their ass playing videogames because they've automated everything and only have to respond when it fails. That makes management think "well Hell, I could pay any moron off the street a lot less to sit around all day" and then the whole thing falls apart before anyone realizes it because the automation scripts weren't perfect or requirements for them changed or the load changed, or someone forgot to restore them after a backup, etc. It's easy to get the impression IT doesn't do anything but the truth of the matter is nobody goes into IT because they want to be debugging things all day, they do it because it has a very high learning curve followed by a very relaxed workload if they know the job well enough. What is often overlooked is that that relaxed workload took a decade or two of experience to get to, and work for the sake of work is a dumb concept; work for the sake of achieving an objective is what makes sense.

    4. Re:Lesson for HBO: Pay for good IT people by bravecanadian · · Score: 1

      It will never happen until regulations demand it, or at least there is real accountability and real penalties to the careers of the executives responsible.

      The fundamental problem is that people are horrible at assessing risk.

      Then add in that the people who end up being decision makers over IT often don't have a clue about the things they are making decisions about.. and of course it ends in disaster.

      IT decision-makers end up being finance guys rather than tech guys at most non-tech organizations. Their bonus comes from keeping the budget looking good so what do you expect?

      The reality is that IT and IT Security are simply not respected disciplines at most organizations (that are not directly tech related) and they never will be until there are some fundamental changes.

    5. Re:Lesson for HBO: Pay for good IT people by Anonymous Coward · · Score: 0

      "a good IT guy will spend 99.9% of their time sitting on their ass playing videogames"

      A good IT guy will be finding new things to work on, or at least be pretending to work. Playing videogames all day is going to get everyone but the CEO and his friends fired.

    6. Re:Lesson for HBO: Pay for good IT people by Pascoea · · Score: 3, Insightful

      $250k will buy you two mid-level security engineers for a year. (source) That doesn't seem like that would cut it for an organization as large as HBO.

    7. Re:Lesson for HBO: Pay for good IT people by nnull · · Score: 1

      Unfortunately, this situation is going to get worse. There are so many businesses with lousy IT and security, it's mind blowing. When I warned one company about their network being insecure and I could access all their PLCs, they just scoffed and laughed at it. Many businesses don't even have an IT department and contract with someone. This often results in servers not being kept up to date. I knew someone that had a CentOS server that wasn't updated for 10 years and no firewall protecting it, because the database developer said they needed access to it from the outside, EDI and ssh (This was their main company server, with all their clients, production scheduling, inventory, etc).

      The costs of setting up proper security procedures and a proper network is pretty negligible for many businesses. The costs of hiring a good IT guy to handle everything is also pretty negligible. But unfortunately, when many management types look at IT and also maintenance as a bunch of janitors, instead of firemen, this is the end result you get.

    8. Re:Lesson for HBO: Pay for good IT people by nnull · · Score: 1

      A lot of idiots. You should see the amount of vendors I have to drop because they can't follow simple procedures.

    9. Re:Lesson for HBO: Pay for good IT people by Baron_Yam · · Score: 1

      > a good IT guy will spend 99.9% of their time sitting on their ass playing videogames because they've automated everything and only have to respond when it fails.

      The problem is that's not a job, it's jobS.

      The first job is automating the system, the second is maintaining it, and the third is being ready for disaster recovery.

      You probably need vastly fewer bodies for the second job, and while you need more bodies, you don't need them for very long for the third.

      So it makes more sense to hire contract for the first, have an employee for the second, and a support contract for the third than to have one group of people for all three but idle most of the time.

    10. Re:Lesson for HBO: Pay for good IT people by CodeHog · · Score: 5, Insightful

      "Everything is running fine, why are we paying IT so much?" "Everything is broken, what are we paying IT for?"

      --
      Fat, drunk, and stupid is no way to go through life, son.
    11. Re:Lesson for HBO: Pay for good IT people by NicknameUnavailable · · Score: 0

      This is where that concept of "work for the sake of work is dumb" comes from. It takes a great deal of skill to make an organization operate with that little effort on the part of the guy maintaining it. How he maintains it is up to him, he's the expert, as long as it gets done. Inundating the IT guy with busy work is just going to increase the likelihood of a disaster because as long as he's in maintenance/planning mode it might take him an hour a week, but damn if he isn't going to be quadruple checking everything to ensure his cushy job is secure. On the other hand when the IT guy is flooded with work he will miss things. It takes months or longer to get a system to the state of low-maintenance most IT guys prefer, once there it's his unique blend of it which allows him to maintain it well, that doesn't translate to hot swapping the guy with someone who is paid lower nor should it. The entire notion of a marginally high business major treating a genius IT guy as a disposable cog is morally reprehensible on several levels.

    12. Re:Lesson for HBO: Pay for good IT people by NicknameUnavailable · · Score: 0

      IT isn't a utility, it's a force multiplier. It allows you to take whatever you could do without it and multiply that by some factor. How that happens is irrelevant, as is the case in most knowledge professions.

    13. Re:Lesson for HBO: Pay for good IT people by rogoshen1 · · Score: 2

      but at the same time, for a company the size of HBO; that's a paltry sum per year to prevent these kinds of shenanigans.

    14. Re:Lesson for HBO: Pay for good IT people by Solandri · · Score: 1

      Ego drives it. About 95% of people believe they're smarter than the average of their peers. So they tend to be dismissive of the collective wisdom built up from the company's past experiences. When they implement a new change which is the same as an old change, they think "this time it'll be different because I'm in charge."

      The best (actually only) solution I've been able to find is to compartmentalize the damage. Instead of implementing a change company-wide or product-wide, implement it in a small section first. Let them try out the change for a few months, and then having to deal with the problems it causes is usually enough to overcome their ego. Then they can objectively re-evaluate whether the change really was a good idea before you implement it company-wide or product-wide.

      This works well for changes which affect events that occur with moderate frequency (happens often in the few months trial). Unfortunately it doesn't work for changes which increase the likelihood of black swan events, like cutting IT and increasing your chances of being hacked.

    15. Re:Lesson for HBO: Pay for good IT people by edtice1559 · · Score: 1

      There's an assumption in here (one that I would probably dispute) that if Target had better security people, the breach wouldn't have happened. I'm not convinced that's the case at all. Yes this was a silly oversight, but the security team (no matter how large) would probably have been looking at things like updating the OS on PoS systems or whether or not the fact that attackers have physical access to the self checkout machines creates new attack vectors. The problem with being in the defensive team is that you can be almost perfect and the attackers still win. Sometimes it just takes one mistake. A mistake that is made because there is just so much attack surface.

    16. Re:Lesson for HBO: Pay for good IT people by Anonymous Coward · · Score: 0

      True, but if HBO's IT is anything like most non-IT companies, it's either staffed by a revolving door of contractors who leave every 6 months or completely outsourced to a body shop. In either case, no one has enough institutional knowledge to understand the impact of changes. Even with full documentation (and admins who don't intentionally hide details to provide the illusion of job security,) there's a difference between reading about a system and understanding the 34,000 other systems it depends on and connects to.

      And in the Target case, having multiple outsourced vendors stacking stuff up on the store networks might have had something to do with it. No one likes the grumpy network admin with the BOFH personality, but someone has to be asking questions like "What are you plugging into my network? What ports and protocols does it use? What does it need to talk to and why? How are you securing the endpoints?" Etc...

    17. Re:Lesson for HBO: Pay for good IT people by Anonymous Coward · · Score: 0

      Video games is a bad call.

      Smart ones will instead spend the time coding their own pet project. It gives them plausible deniability as code is often indistinguishable to non-programmers, and even if they do figure it out you can claim you're exploiting down time by training yourself on whatever framework/technology happens to be involved in order to keep your skills sharp or to evaluate it for possible future use. Managers call that last one "initiative" instead of "laziness" even though it's still just you screwing around on your own stuff while being paid.

      Fundamentally, however, the core point is that the value of an IT worker is tied to their laziness. Someone who looks at a task that needs to be done and thinks anything that isn't "man, I don't want to do that, I wonder if I can automate it instead of doing it myself" will simply not have the right skills and mindset to maintain computer systems long term.

    18. Re:Lesson for HBO: Pay for good IT people by Mattcelt · · Score: 1

      $250k is only the tip of the iceberg.

      The blackmailer is demanding $6 million.
      Nearly the entire IT organisation, much of senior management, and a fair number of people at Time Warner (their parent company) are now at least partially dedicated to resolving this problem. My guess is that they're spending roughly $20k per hour just in employees' time working on this. And that doesn't even account for the special contractors they've brought on, the delays in other projects, the reputation hit for the company, or the harm the blackmailer could do by releasing sensitive media.

      I think this will cost HBO around $20M by the time all is said and done. They could have hired a few more than two 'mid-level security engineers' for that.

      But for a company that profited $1.7 billion last year, that's hardly a drop in the bucket.

  5. HBO is "leaking" their own content to generate hype as a way to offset the lower quality content now that it's all HBO writers and 0% GRRM.

  6. Protect your family jewels by bobstreo · · Score: 1

    Or lose them.

    How any system, internal or external, has access to the systems where "valuable" information/data/media content exists without multiple levels of authentication, encryption and access controls seems to be something HBO shareholders should be seriously investigating.

  7. dont bullshit the hangman. by nimbius · · Score: 4, Informative

    When someone has proof they've penetrated your network security and is holding your bread and butter hostage you have two choices: 1. pay the bounty and reassess the network. 2. don't pay, eat the loss, and still reassess the network.

    There isn't a CISSP section on stalling for time by bullshitting people who are clearly far more intelligent than you. If anything, you've just hardened their resolve to leak more out of sheer animosity.

    --
    Good people go to bed earlier.
    1. Re:dont bullshit the hangman. by Anonymous Coward · · Score: 0

      "clearly far more intelligent than you"

      I think that bit is up for debate.
      Extortion isn't exactly a highly intellectual criminal enterprise.

    2. Re:dont bullshit the hangman. by Anonymous Coward · · Score: 0

      Perhaps you missed the part where they hacked HBO's network and stole their cookies?

    3. Re:dont bullshit the hangman. by tlhIngan · · Score: 2

      When someone has proof they've penetrated your network security and is holding your bread and butter hostage you have two choices: 1. pay the bounty and reassess the network. 2. don't pay, eat the loss, and still reassess the network.

      There isn't a CISSP section on stalling for time by bullshitting people who are clearly far more intelligent than you. If anything, you've just hardened their resolve to leak more out of sheer animosity.

      In other words, don't even bother to pay because they're going to leak anyways. If not them, someone else will mysteriously get passed the data and it will leak out. So it's not even worth bothering paying it off.

      Plus, the data is time-sensitive. It will go stale and worthless over time. If they claim to have full episodes, it likely will only be of the next couple of episodes (TV shows are barely finished editing when they air) so in the end after a while it's worthless. Oh yay, a bunch of people got to see next week's episode early.

      Scripts, plans and other things? Sure they're nice, for the small crowd of videophiles that care about having every single thing about their favorite movie, but the vast majority of people just do not care about it. (Plus, everyone knows just because you have the shooting script, doesn't mean you have what they shot - shooting scripts and on screen action has diverged before and last minute edits aren't uncommon.).

    4. Re:dont bullshit the hangman. by Anonymous Coward · · Score: 0

      Is someone smarter than me if they kick my door in?

    5. Re:dont bullshit the hangman. by GameboyRMH · · Score: 1

      No, but if you put a cheap lock on your door and it gets picked, and then they slowly steal everything in your house over a long period of time, I'd say they are.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    6. Re:dont bullshit the hangman. by Gilgaron · · Score: 1

      This sort of thing is more or less blackmail, though... get them to identify themselves for the bug bounty or have them pound sand because there's no point in paying the blackmail.

    7. Re:dont bullshit the hangman. by edtice1559 · · Score: 2

      In which case, what HBO did makes a lot of sense. Stall for time since the value of data is going down. Of course that assumes that the hole has been plugged.

  8. Get it in bitcoins by Anonymous Coward · · Score: 0

    Get payment in bitcoins.

    Or that 'voluntary $250k bounty reward for white hat IT professionals' will suddenly become an 'illegally extorted $250k blackmail payment for black hat hackers' as soon as they can trace your bank details :P

  9. original article link? by Anonymous Coward · · Score: 0

    Would the mods mind please "leaking" the original article link instead of just linking back to the slashdot page? I guess it is too much work for a company that is 169% focused on advertising.

  10. also pay for good infrastructure not well we can't by Joe_Dragon · · Score: 1

    also pay for good infrastructure, not "well, we can't do X to make it very secure as that will cost too much to have the infrastructure set up to be super secure"

  11. Self referring links by Anonymous Coward · · Score: 0

    why does the link in the story go back to the story

    1. Re:Self referring links by GameboyRMH · · Score: 1

      Yo dawg I heard you liked Slashdot discussions, so I linked the discussion to the discussion so you can not RTFA while you're not RTFAing!

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
  12. Don't kill the hangman. by Anonymous Coward · · Score: 0

    3-send out a hit squad.

  13. No tears for HBO by Anonymous Coward · · Score: 0

    They shall reap what they have sown.

  14. What giving IT PE powers with big fines that will by Joe_Dragon · · Score: 1

    What giving IT PE powers with big fines that will get PHB asses in line.

  15. Why do they care? by sunking2 · · Score: 1

    HBO is a subscription based service. Do they think people will stop signing up or quit because there is a chance some of their shows may be leaked early? Anything they show is pirated within an hour after first showing. While they certainly should make an effort to try to do better and stop this, I don't think there were a ton of 2am meetings discussing it.

    1. Re:Why do they care? by Anonymous Coward · · Score: 1

      HBO is a subscription based service. Do they think people will stop signing up or quit because there is a chance some of their shows may be leaked early? Anything they show is pirated within an hour after first showing. While they certainly should make an effort to try to do better and stop this, I don't think there were a ton of 2am meetings discussing it.

      Agreed. I'm currently a subscriber & would not cancel if pirated copies of their shows were available.

      The thing that'd make me cancel is when I'm no longer getting good value for money - so if they don't get greedy & don't stop producing good content they'll be fine.

  16. You have described the wave. by Anonymous Coward · · Score: 0

    You have described the wave.

    Now you ask why the successful surfers work with what it gives them and ride it, instead of fighting it.

  17. Paying isn't the hard part - finding them is. by ron_ivi · · Score: 1

    Pay for good IT people ... lowest-bidder contractors

    Unfortunately some companies pay incompetent people huge sums and promoting them to upper management, while ignoring their own good lower-level people that are aware about the problems but not empowered to fix them.

  18. im 47 and id do exact same thing by Anonymous Coward · · Score: 0

    in fact I even have motive..... Warner Brothers screwed me from starting a business; I had a local city willing to invest in me..... for 3D special effects and animations. Ya see, Warner was using slave labour in Canada at less than min wage and got caught, then subbed it out to their buddies on the other side of the nation, to Sony, where I never bothered to see what happened cause why bother, they are screwing us all

    they all deserve to go bankrupt

  19. Narrow down by adding details by Anonymous Coward · · Score: 0

    They should've sent out the bounty notice to all their employees and coded in slight variations in each. Like a word change, or a few extra spaces here and there, or something basically unnoticeable. Then they could narrow down their leak.
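One way to implement the per-recipient variation the comment above proposes, as an added example that is not part of the original thread: word-choice slots rather than extra spaces (whitespace is easily lost when a message is copied or reflowed), plus a parity bit so that a copy in which one slot was edited is reported as unreadable instead of being pinned on the wrong recipient. The message wording, slot pairs and recipient numbering are constructed for this example and are not HBO's text.

```python
import re
from typing import List, Optional, Tuple

# Constructed example: each slot is a pair of interchangeable phrasings.
# Which phrasing appears in a recipient's copy encodes one bit, so a
# leaked copy can be traced back to the recipient it was sent to. The
# wording loosely paraphrases the message described in the article; it
# is not HBO's actual text.
SLOTS: List[Tuple[str, str]] = [
    ("bounty payment", "bounty reward"),
    ("as part of a program", "under a program"),
    ("white hat IT professionals", "white-hat IT professionals"),
    ("bringing these types of things", "bringing these kinds of things"),
    ("to our attention", "to our notice"),
]

TEMPLATE = (
    "We are prepared to make a {0} of $250,000 {1} in which {2} "
    "are rewarded for {3} {4}."
)

DATA_BITS = len(SLOTS) - 1   # the last slot carries an even-parity bit
CAPACITY = 1 << DATA_BITS    # number of recipients that can be tagged


def _bits(recipient_id: int) -> List[int]:
    """Data bits (LSB first) followed by one even-parity bit."""
    if not 0 <= recipient_id < CAPACITY:
        raise ValueError(f"recipient_id must be in [0, {CAPACITY})")
    data = [(recipient_id >> i) & 1 for i in range(DATA_BITS)]
    return data + [sum(data) % 2]


def render(recipient_id: int) -> str:
    """Produce the copy of the message tagged for one recipient."""
    choices = [SLOTS[i][bit] for i, bit in enumerate(_bits(recipient_id))]
    return TEMPLATE.format(*choices)


def _normalize(text: str) -> str:
    # Collapse whitespace and case so that a reflowed or re-typed copy
    # still matches the slot phrasings.
    return re.sub(r"\s+", " ", text).strip().lower()


def identify(leaked: str) -> Optional[int]:
    """Recover the recipient id from a leaked copy, or None when the tag
    is unreadable (a slot is missing or duplicated) or fails parity."""
    text = _normalize(leaked)
    bits: List[int] = []
    for a, b in SLOTS:
        has_a, has_b = a.lower() in text, b.lower() in text
        if has_a == has_b:       # neither variant present, or both
            return None
        bits.append(0 if has_a else 1)
    data, parity = bits[:DATA_BITS], bits[DATA_BITS]
    if sum(data) % 2 != parity:
        return None              # a slot was edited; do not attribute
    return sum(bit << i for i, bit in enumerate(data))


def all_copies_distinct() -> bool:
    """Sanity check: every recipient gets a unique copy that maps back."""
    copies = [render(i) for i in range(CAPACITY)]
    return len(set(copies)) == CAPACITY and all(
        identify(c) == i for i, c in enumerate(copies))


if __name__ == "__main__":
    # Constructed leak: recipient 11's copy, re-cased and reflowed.
    leaked = "  " + render(11).upper() + "\n"
    print("leaked copy traces to recipient", identify(leaked))
```

With five slots the scheme tags 16 recipients and catches a single edited slot; more slots (or an error-correcting code in place of the parity bit) scale it to a larger staff list and tolerate heavier editing.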