Oh boy, what do we make of this? We haven’t paid that much attention to the whole thing as of yet, but with a recent public statement on why they do what they do, I think it’s about time to address this thing. Yes, Lulz Security, the hacking group (or whatever they are) that’s been causing quite a bit of amok on the web lately.
These guy(s) and/or girl(s) have really been tearing it up lately. They’ve been hacking Sony, PBS, Fox, several porn websites, the servers for EVE Online (well, finally some action in that spreadsheet of a ‘game’), League Of Legends, and Minecraft, the FBI, the CIA – and that’s just the stuff we know. These guys even have a hotline where you can ask them to hack a specific target.
And now, they (or he, or she – whatever) have put out a statement explaining why they do what they do. The general gist? They just want to cause mayhem – or lulz. Yeah, I guess the name kind of gave them away there. There is some actual justification for their actions in there, but even that, they admit, is just a crock of nothing.
For what it’s worth, they argue that it doesn’t really matter if they hack and release a load of information about people – even without them, people are still hacking away at such information. At least Lulz Security, so they argue, goes public with it, so that you know you’re not safe. Most other groups and individuals keep such information for themselves for nefarious purposes.
And this is the bit where it gets interesting. The thing is – most of the mayhem attributed to Lulz Security isn’t actually perpetrated by them at all. You see, Lulz ‘only’ released 60000 email addresses and passwords out in the public – they didn’t actually use said information. Others did.
Other people have started using these 60000 email addresses and passwords to ‘hack’ other accounts associated with those email addresses, since people tend to use the same password on different websites and services. Facebook accounts, PayPal accounts, and so on – they’re being used maliciously by non-Lulz people… For the ‘lulz’. Ars has a few examples.
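The credential-reuse problem described above has a defensive counterpart that any site operator can run the moment such a dump circulates: take the leaked email/password pairs, check them against your own user table, and force a reset for every account where the leaked password also works here. The following is an added example (not code from the OSNews article or from any site involved); the user table, the leak lines, and the PBKDF2 parameters are all constructed for illustration.

```python
"""Added example, not part of the original article: checking a leaked
email:password list against a site's own (hashed) user table so the
affected accounts can be reset before someone else tries them.
Everything here (users, leak text, rounds) is constructed."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed parameter; real deployments tune this


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate password against a stored hash."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


# Constructed user table for "our" site: email -> (salt, digest).
# Passwords are only in plaintext here so the example can build the hashes.
USERS = {
    email: hash_password(pw)
    for email, pw in [
        ("alice@example.com", "hunter2"),
        ("bob@example.com", "correct horse battery staple"),
        ("carol@example.com", "letmein"),
    ]
}

# Constructed leak text in the "email:password" form such dumps usually take.
# dave/mallory are not our users; carol's leaked password differs from hers here.
LEAK = """alice@example.com:hunter2
dave@example.com:qwerty
carol@example.com:password1
mallory@example.com:letmein"""


def parse_leak(text):
    """Split dump lines into (email, password) pairs; skip malformed lines."""
    pairs = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        email, _, password = line.partition(":")
        pairs.append((email.strip().lower(), password))
    return pairs


def users_to_reset(users, leak_pairs):
    """Emails of our users whose leaked password also verifies against our hash.
    Only these accounts are exposed by this dump; the rest keep their passwords."""
    at_risk = set()
    for email, leaked_pw in leak_pairs:
        record = users.get(email)
        if record and verify_password(leaked_pw, *record):
            at_risk.add(email)
    return sorted(at_risk)


if __name__ == "__main__":
    print("force reset for:", users_to_reset(USERS, parse_leak(LEAK)))
```

The point of hashing the leaked candidate rather than comparing plaintext is that the site never needs to store or recover its users' passwords; it only needs the verify path it already has for logins. Note that carol is not flagged even though she appears in the dump, because the leaked password is not the one she uses here.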
Before you reach for the comment button to tell me I’m an idiot for defending Lulz – I’m not defending them. I think what they’re doing is wrong and they should be held accountable for it. However, isn’t it interesting to see how many people jump at the opportunity to abuse the power given to them by Lulz and the 60000 email address and passwords? It’s Milgramesque, baby.
Of course, the comparisons to Anonymous are easy to make, but they generally fall flat. Insofar as you can speak of Anonymous as a group, they at least had (in my opinion) very valid reasons to go after MasterCard, PayPal, and others who buckled under US government pressure to block WikiLeaks. Intention and reasoning are very much important to establish context; jumping in front of a tank near a military base in the US will rightfully get you in trouble, while doing the same thing on a certain square with a difficult name in a certain totalitarian country will get you praise. Context matters.
A concern is that the actions of Lulz will give governments the world over leverage to further regulate the web. This argument may make sense, but the fact of the matter is that governments want control over the web anyway – Lulz or no. It is in governments’ natures to control where it is not needed, to regulate what doesn’t need regulating, and to bureaucratise that which is efficient. The internet is a threat to the establishment, Lulz or no.
“Nobody is truly causing the Internet to slip one way or the other, it’s an inevitable outcome for us humans. We find, we nom nom nom, we move onto something else that’s yummier. We’ve been entertaining you 1000 times with 140 characters or less, and we’ll continue creating things that are exciting and new until we’re brought to justice, which we might well be,” Lulz states, “But you know, we just don’t give a living fuck at this point – you’ll forget about us in 3 months’ time when there’s a new scandal to gawk at, or a new shiny thing to click on via your 2D light-filled rectangle.”
As much as I think Lulz need to be brought to justice, I at least commend the group for their honesty. “This is the Internet, where we screw each other over for a jolt of satisfaction. There are peons and lulz lizards; trolls and victims. There’s losers that post shit they think matters, and other losers telling them their shit does not matter,” the group ends their statements, “In this situation, we are both of these parties, because we’re fully aware that every single person that reached this final sentence just wasted a few moments of their time.”
And… Well, it’s hard to argue with that.
They’re basically demonstrating that crime occurs every day, probably without anyone even realizing it…
They’re showing just how easily it occurs by publicizing the results from sites that others would have assumed were difficult to hack.
There are two sides to this criminal behavior, however – the despicable people who seek to obtain and abuse this information, and the corporations and IT industry that pretend that they’re building “secure” solutions, and convince their superiors and customers that they have done their job properly to begin with.
LuLz has no credo, and even Anonymous fears them because they represent Anarchy.
Anonymous is only feared by those who think they are above the law and immune to justice, which is just about every government on the planet.
-Hack
…and you know this how?
What a crock. “We do it for fun”. Right.
It’s all about the recognition baby.
http://www.ranum.com/security/computer_security/editorials/disclosu…
No, not really. Most people grew out of that phase after puberty.
I’m really happy I’m not part of the segment of that generation these guys represent.
Let’s call these guys what they are: immature assholes with zero ethics who are looking to make a name for themselves.
Edited 2011-06-17 19:06 UTC
But they can’t actually reveal who they really are, lest they end up in prison… so it’s kinda of pointless, no?
How do you make a name for yourself if nobody knows who you are?
They are indeed making a name for themselves. LulzSec is ringing across the internet, even in main stream news sites. Just because we don’t know their real names doesn’t mean squat. I don’t know the real names of people affiliated with lots of well known organizations, doesn’t mean jack.
Making a name for yourself does not necessarily mean people know who you really are.
Then there are these idiotic companies who think it’s a good idea to hire these kinds of guys as “security” experts. I mean, come on, a loser like Kevin Mitnick gets fame and fortune and well-paying consultancy jobs these days.
How much do you know about the Mitnick case? It had a lot more to do with excessive force of law and inflated charges than justice or what Mr Mitnick actually did wrong. Not to say he was innocent, but he was not nearly as guilty as made out to be. I mean, “could whistle into a phone and cause nuclear missile launches”.. and the court believed this claim. “caused millions of dollars in damages”.. never did show any evidence of that one.
The crimes he did commit appear to be for personal knowledge rather than for publicity and disregard of any third parties hurt in the process.
By contrast, lulzsec is showing blatant disregard for innocent third parties harmed in the process. They are indeed seeking publicity. They could expose passwords without usernames. They could expose partial names and partial passwords. They could expose vulnerability details without the trophy necklace of ears. They could even demonstrate responsible disclosure to the organization first as they have apparently done in a few of the cases (US dept of health?).
Since Mr Mitnick’s release, there is no evidence of illegal activity. Indeed, he started his own consulting company and helps organizations improve their information security. He’s even abstained from perfectly legal events to stay on the right side of the law.
What Mr Mitnick did and has done since is very different from what Lulzsec is doing currently.
If you’re open to hearing what actually happened:
http://www.thelasthope.org/media/audio/64kbps/Featured_Speaker_-_Ke…
True, LulzSec is much worse than Mitnick ever was.
It’s a bit silly to attribute intentions to people you know absolutely nothing about. In fact, it tells a lot more about you than about LulzSec.
Perhaps, but not nearly as silly (and childish) as ruining other peoples online experience and causing them pain just “for the fun of it”.
I’m sure LulzSec can use the same argument, pointing to RIAA/MPAA/the gubmint.
My point is, however, not that your judgement is morally wrong, just that it contains no insight.
I think he’s right though and I also think we do have an insight through reasonable deduction.
We might not know directly, but we understand how DDoS attacks work and what they’re normally used for (generally blackmailing – pay us or we’ll take your site down).
We further know that these sites were not attacked in protest (Sony being the only exception) nor for blackmail. So that actually doesn’t leave many motives.
We also know that LulzSec like to publicly advertise the fact that they were behind the attacks. If you were doing it just for a laugh, then you wouldn’t necessarily want to draw excessive attention to yourself.
In fact we know that LulzSec love actively flaunting themselves in the media. From posting stolen personal details on a public site through to having the audacity to set up a telephone hot line, this sort of behaviour is intentionally antagonistic. They are deliberately provoking a reaction from people.
So yes, you are right that we don’t /know/ their motives, but it’s more than a reasonable deduction that a major incentive is global recognition.
If I had to speculate, I’d also say they were all kids / young adults too – with no-one in the group over the age of 25 and the majority still in their teens. However that /is/ complete guess work based on next to no insight.
Edited 2011-06-18 01:20 UTC
Really now. Is the gubmint running around stealing data?
You want insight?
We need to stop idolizing this kind of behaviour. They’re not “tech wizards” or “security geniuses”. They’re petty criminals hiding behind the comfort of their computer screen, which conveniently prevents them from actually ever interacting with their victims. Think it’s hard to hack into a system and find a single flaw? That’s a walk in the park. Try building systems and defenses that can’t be broken into; THAT is hard, and no, it doesn’t require hacking skills. It does however require an understanding of good engineering and security practices, but the industry is more interested in the whizbang gadget of the week that will magically solve all your problems, or paying “hackers” to “pen test” their systems. Like Marcus Ranum, I too wish it was considered cool to properly design your systems and defenses, but as long as media is the way it is I doubt that’ll happen. Being the “whiz kid” of the week will always be more cool, even if the whiz doesn’t really know jack.
Edited 2011-06-18 05:18 UTC
Soulbender,
“We need to stop idolizing this kind of behaviour. They’re not ‘tech wizards’ or ‘security geniuses’.”
To be fair, they could be those things, even if we disagree with their judgment.
“Think it’s hard to hack into a system and find a single flaw? That’s a walk in the park. Try building systems and defenses that can’t be broken into, THAT is hard and no it doesn’t require hacking skills.”
Having hacking skills sure helps though. I’m not sure why someone would think otherwise?
“It does however require understanding of good engineering and security practices but the industry is more interested in the whizbang gadget of the week that will magically solve all your problems or paying ‘hackers’ to ‘pen test’ their systems.”
You’re trying to make a distinction between the skill sets being used for good and bad, but I’m not sure such a distinction can be made.
A university might have a course about computer vulnerabilities and network penetration, but effectively educating students about preventing attacks implies giving them insight into how attacks are executed. The same knowledge which helps foil attacks can be used to maliciously forge attacks.
Maybe they could only teach students to use the attack prevention tools without teaching them the theory behind attacks, however I’d have less confidence in these students being able to do the job of keeping the infrastructure secure – too much can slip by them.
Of course I’m not arguing the attacks are right, but it seems silly to understate their abilities.
If anything, these are skilled people who are probably under-appreciated when using their skills productively, and have turned to an underground culture where they can be appreciated.
I don’t have to agree with their choices in order to understand them.
True but unlikely.
Ranum explains this much better than I ever could:
http://ranum.com/security/computer_security/editorials/skillsets/in…
That’s a really lame excuse and it just confirms that these people are indeed assholes.
I agree that it’s far harder to build and manage secure systems than to find and exploit a single path into them. I might suggest though that if the person developing the system is not themselves a hacker or employing hackers, they are being negligent in their duties.
Hacking and hackers are not inherently criminal; it is a set of skills applied to any topic of interest and in the majority of cases, applied in a perfectly legal manner. In terms of security hackers who work within the law, they should be considered a natural resource. They should be employed to design and test systems. If you are not employing hackers on your own sys admin team and/or having third party pentests done by hackers how can you possibly claim that you’ve designed and hardened your systems in any kind of responsible manner?
Heck, if you’re federally employed, FISMA makes it a legal obligation to be responsible and prove your systems secure through proactive testing. (Which does bring into question these federal systems that are broken into so easily, let alone older cases of widespread use of default passwords and similar stupidity.)
Not contracting people who now have a criminal record; that’s fair. There are lots of law abiding hackers out there to hire or contract.
Proactive testing is just proactive testing, it doesn’t say anything about the security of a system.
It just says it isn’t vulnerable to the attacks it was tested against. However, a large part of that testing is done automatically with tooling in the production environment, so people are careful with how they test.
So even if the tool found a problem like a SQL-injection, the tool or user of the tool might not even have noticed it.
No, pentesting and so on is to find the most obvious problems.
Just look at a recent bank website security problem, when an id in the URL was changed people could get in the account of other people.
I’m very certain banks do those previously mentioned security checks.
If you want real security, there is only one solution to have a 3rd party look at the code. All the code.
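The bank flaw mentioned in this comment (change an id in the URL and see someone else’s account) is an authorization bug, not an authentication one: the site knows who you are, it just never checks that the record you asked for is yours. As an added illustration (not code from this thread or from any bank), here is the vulnerable lookup beside the fixed one, plus the kind of access-log check that turns the flaw into evidence. The account table, session users and log lines are all constructed.

```python
"""Added example, not from the original thread: the 'change the id in the
URL' bank bug as a missing authorization check, its fix, and a log check
that surfaces cross-account reads. All data here is constructed."""
from dataclasses import dataclass


@dataclass
class Account:
    account_id: int
    owner: str
    balance: int


# Constructed stand-in for the bank's account table.
ACCOUNTS = {
    1001: Account(1001, "alice", 2500),
    1002: Account(1002, "bob", 900),
    1003: Account(1003, "carol", 15000),
}


class Forbidden(Exception):
    """Raised when a caller asks for a record that is not theirs."""


def get_account_vulnerable(session_user, account_id):
    """The flawed handler: session_user is authenticated but never consulted.
    The id comes straight from the URL, so any logged-in user can read any
    account simply by editing it."""
    return ACCOUNTS[account_id]


def get_account_fixed(session_user, account_id):
    """Same lookup, but the record is returned only if it belongs to the
    caller. Unknown ids and other people's ids produce the same error so
    the id space cannot be mapped by telling the two cases apart."""
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct.owner != session_user:
        raise Forbidden(f"{session_user} may not access account {account_id}")
    return acct


def flag_cross_account_reads(log_lines):
    """Detection side: over constructed access-log lines 'user,account_id,status',
    return (user, account_id) pairs where a user successfully read an account
    they do not own. On a vulnerable site this list is the proof of exposure."""
    hits = []
    for line in log_lines:
        user, acct_id, status = line.strip().split(",")
        acct = ACCOUNTS.get(int(acct_id))
        if status == "200" and acct is not None and acct.owner != user:
            hits.append((user, int(acct_id)))
    return hits


# Constructed log: two legitimate reads and two reads of other people's accounts.
SAMPLE_LOG = [
    "alice,1001,200",
    "alice,1002,200",   # alice read bob's account
    "bob,1002,200",
    "bob,1003,200",     # bob read carol's account
]


if __name__ == "__main__":
    print("vulnerable:", get_account_vulnerable("alice", 1002))
    try:
        get_account_fixed("alice", 1002)
    except Forbidden as err:
        print("fixed:", err)
    print("cross-account reads:", flag_cross_account_reads(SAMPLE_LOG))
```

The fix is one ownership comparison, which is exactly why this class of bug survives automated scanning: the page renders, the query succeeds, nothing looks broken unless a tester (or a log reviewer) asks whether the returned record should have been visible to that user at all.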
You think it’s better to wait for a malicious third party to test your systems for you? Proactive testing can, at minimum, give you an indication of your system’s effective security posture. Properly done, it includes addressing discovered issues and retesting to discover new ones. That would be the “proactive” part of it. If proactive testing is not saying anything about your system’s security, you need to fix your testing methodology.
Automated testing is also very much a part of proactive testing. I’d say it’s like the relationship between signature and heuristics based AV; the signatures to catch the recognizable stuff and the heuristics to catch what is not recognizable. The automated vuln assessment tools for the signatures they recognize followed up by a skilled manual vuln assessment with the creativity and flexibility of a skilled human.
Bingo. “might not even have noticed it”. If your admin or auditor is a Hacker they will indeed notice it though. They will be looking for it. They are self directed learners who think in terms of “hm.. what can I do with this beyond it’s intended purpose?” by default.
Vulnerability assessment says “someone could possibly open that door if left unlocked.” Pentesting says “That door is indeed unlocked, here is what one is able to do in the room behind it if you don’t lock the door.” A vulnerability assessment is a list of potential problems one should address. A pentest provides that list along with confirmation that they are exploitable and evidence as to why you should fix them.
If all you tasked your internal team with or contracted a third party for is a single way into the system, then sure. You put that limitation on them in the first place though. You’re designing your test to fail. Limiting the scope of testing, ordering a pentest when what you wanted was a vulnerability assessment, or ordering a vulnerability assessment when what you wanted was a pentest are all great ways to ensure failure.
You could alternatively contract the third party to find all the ways in they can, what they can do once in and ways they are able to maintain access during time permitted.
With an internal pentest team, you can run a proper testing cycle: pentest, harden, verify; pentest, harden, verify. Now you’re not just finding a single vulnerability and calling it a day.
If your test is only to find the most obvious problems and you’re not repeating the test cycle to find your next most obvious problems, you’re doing it wrong.
And that’s exactly the problem. You are very certain your bank is doing the proactive testing; do you know for sure that they actually are though?
Everyone was certain Sony, a huge tech company, knew how to manage its servers and networks. How did that work out? Lack of network filtering, servers left without the latest updates (or even remotely recent updates), customer data stored unencrypted. These are things any competent pentest would have identified. Any responsible company, having those identified, would have addressed them promptly.
Everyone was certain that having over a hundred million PSN and SOE customers’ private information exposed would convince them to address discovered issues and check for similar issues across all other company systems. Everyone was certain that Sony’s PR claims that they have addressed security issues meant they had actually implemented changes. How did all that work out for Sony when the next week the same weaknesses were exposed in other systems?
Everyone was certain Facebook knew how to implement its software securely. Facebook must be testing its systems continually, right? So what of passing authentication tokens in URLs, which has left every Facebook user open to exploit since 2007? (That one was discovered around May of this year, 2011.)
And financial companies; banks and such. They must be doing the previously mentioned security checks; Heartland Payment Systems, 2009, 40 million accounts exposed.
Banks are in the business of making money. They are notorious for “minimizing expenses” any way they can get away with it. “we’ll spend the money to fix that if it proves to be a problem” is the mainstay. If it’s cheaper to live with the losses instead of fix the problem; they’re going to continue living with the losses.
I wish the market success of a company was an indication of it’s responsible management of secure systems; it’s not. More often, it’s the opposite.
Let’s toss out another example for fun. RSA; thee security company. When governments, military and billion dollar companies need security they go to RSA. RSA’s SecureID database has been compromised. Everyone who uses SecureID for authentication is screwed. RSA has actually said “uh.. make sure you are using strong passwords for your second of the two part authentication because the SecureID part of it isn’t stopping anyone.”
But how could this happen? We were all certain that RSA would be doing testing. It was a spear phishing email. How are automated vulnerability assessment tools and peer code review going to identify the need for staff training against social engineering attacks?
The string of successful company breaches resulting from the SecureID breach is ongoing and affecting such sensitive information as new weapon designs copied from government contractors.
That, like automated testing, is very much a part of it. Peer review can do a lot to remove bugs from software. It’s not the one magic cure solution on its own though.
Consider some of the vulnerabilities in Windows which exist because the code is correct. Intentional functions like DLL relative paths. Peer review and automated code audits were not going to find that problem because the code was implemented as intended. Discovering and demonstrating that vulnerability took human creativity thinking beyond the software design document. It took someone testing the system after source code was compiled to a running binary.
Automated code auditing to find recognizable bugs in your source code.
Peer review to find bugs the automated audit tool missed.
Automated vulnerability assessment to find recognized weak points in your system’s security.
Manual vulnerability assessment to find weaknesses missed by the automated tools.
OK, I agree on many points, but your post was so long. It is probably best to leave most of it as it is.
I was just trying to point out, 3rd party testing just won’t cut it. These too are businesses and just have a limited amount of time to spend per site. So I don’t think they’ll actually find almost all the problems as is the intention of such a test.
On the issue of banks:
There is a law in my country which says I can not do my own pentests on a website, they probably call it something else.
I’m sure as hell not gonna try that on the site of my bank, as that might get me into more trouble than any other site.
I actually did see problems and reported them to the bank before the law was in place. But I got no replies from the bank and nothing changed.
This shows you how good their policies and systems really are.
So I don’t trust them either; I just use pen and paper.
At least with pen and paper banking it isn’t as easy to do one thing and affect tens of thousands of customers at the same time.
Fair enough. It did get silly long in the end. What can I say, infosec and hacking are topics I could talk all day about. I hear normal people are into sports teams or some such thing.
I’d agree that third party testing on its own is not a cure-all. It really is something one should do themselves if running a public-facing network is a primary business function though. If you can hire a sysadmin who can also do a periodic vulnerability assessment and pentest, then do so. If you can afford to staff a full pentest team, even better. If you can afford third party contractors, then fantastic; they’ll have the specialized skills, experience and ten thousand dollar software tools (literally, Nessus is around ten grand). Doing no pentesting at all? That’s like ignoring QA testing in any other product category.
In your country, is that law referring to you being required to have a third party pentest your own website, or does it block you from pentesting websites you do not have authority over? Interesting, I’m actually re-reading relevant laws at the moment including USC 18 T 1029/1030.
Pentesting your bank’s website without permission; yeah, don’t do that. Some folks can simply spot vulnerabilities without active testing based on the type of passwords allowed, whether accounts get locked after so many tries, whether the site uses https and so on. Can they mess with the site using JavaScript (without sending anything back to the servers, of course)?
Reporting problems and hearing nothing back; sadly, not surprising. They may have addressed the issues, decided that fixing the problem was more expensive than paying out losses, or ignored the report altogether. Hopefully they did actually do something even if they didn’t respond. Full transparency would have been better though: “here’s the problem we had reported, it’s been fixed, so now we are making the problem public so others can find and fix it in their systems.”
There is a law against trying to break into other people’s websites without permission.
Which is kind of understandable, but the problem is obviously that even if you don’t break anything you can still be prosecuted or whatever it is called in English.
No they didn’t fix anything because I told them about it. I could spot the sloppiness a mile away just looking at the HTML source.
They just got a new website a year or 2 later.
I haven’t even looked at that site, what is the use I don’t use their online services and they don’t listen anyway.
I just took an other look, they are including 3 completely separate other not-bank-owned-domains/javascripts on their site.
Come on guys, this is a bank website !
So banks should be employing thieves when they design their bank vaults? Having a general idea about how hacking works is useful, yes, but specific knowledge is worthless for this purpose.
Unfortunately this makes your system “better” by trial and error, not by design.
Obviously I’m not referring to those and also not referring to hackers who hack on code rather than break into systems.
Let’s get the confusion out of the way first. The majority of Hackers are in fact law abiding folks. It’s a mental approach to solving problems; a skill set, creativity and curiosity. It is not an indication of ethics or morality. While some folks use hacking skills to break the law, the majority do not.
Hacking is not even inherently computer security or computer related. Law abiding hackers are seen in all areas of interest. Hams; radio hackers. Gearheads; car hackers. Audiophiles; stereo hackers. The US authors of the constitution; political hackers. Builders; physical hackers. Computer Case Modders; case hackers. Researchers who find and responsibly report software bugs; usually software and security hackers. The folks who wrote most of that FOSS software you use daily; software hackers. It’s simply a creative curiosity and need to learn applied to any topic of interest and usually resulting in finding ways to use a thing beyond how it was intended.
If what you mean is “someone who breaks the law” then the word you are looking for is “criminal” not “Hacker”. A criminal using methods previously discovered by hackers does not make the criminal a hacker any more than using the directions to assemble Ikea furniture makes one a master carpenter.
Now, on to your points.
Should a bank hire thieves to design bank vaults? I’d say it’s up to the business management to decide. There are a few ex-cons who now work as contractors testing bank security. I’ve seen interviews with at least one who specializes in vault security. There are also many physical security hackers (ie. penetration testers) who’ve never broken the law; the bank may consider hiring one of them instead.
Having a general idea about how a break in occurs helps but it’s really not the same as someone with the hacker mind and permission actually breaking in and going “here’s how I got in, here’s what I could do once in.”
It’s not done in a vacuum. You design a secure system and let the guys on your team with the Hacker mind think of ways the system could fail. You update your specs. Once you actually implement the test system you let the Hacker minds try to break it, then address how it fails. You repeat this in testing until satisfied that it’s reasonable for production use. You then regularly test the production system, or a lab duplicate of it, to see what new ways it fails, which you then address.
Why do you suggest that it’s one or the other? Why do you suggest that “design” is inherently superior and need never be tested?
Obviously the word you should be using then is “criminals”. And, if you did indeed recognize the difference, why did you open this last comment with asking if banks should be hiring criminals to design bank vaults? Was there something to be gained by sensationalizing your comments by referring to “teh 3vi1z hax0rz3z”?
If you did indeed recognize the difference then my first comment stands; how do you know your system is indeed secure if you’ve never let it be tested by hackers? If you haven’t any hackers on your admin or info sec teams then obviously you have room to improve simply by addressing your current lack of creative “outside the box” self motivated staff.
So, we’re pretty much in agreement. You should hire hackers, as in the words original meaning, and not morons like LulzSec and Anonymous. Unfortunately there seems to be quite a number of IT execs who think hiring those kind of morons is the right thing to do for improving security. That’s a problem
Computer Security is not black-magic arts that only whizkid geniuses understand, it’s an engineering practice.
It’s unfortunate that the word hacker has, in the mainstream media, come to mean the LulzSec kind of person and not the, say, Linus Torvalds or Theo de Raadt kind.
Edited 2011-06-19 21:23 UTC
(would have saved me a lot of typing if this post appeared before I finished my last near short essay of a post)
But, bingo. I meant hackers in the proper sense of the word. Not the media sensationalized criminals and crackers or kids who waste skills with the antics of lulzsec. In those terms, we do agree.
“[jabbotts] I might suggest though that if the person developing the system is not themselves a hacker or employing hackers they are being negligent in there duties.”
Soulbender,
“So banks should be employing thieves when they design their bank vaults? Having a generally idea about how hacking works is useful, yes, but specific knowledge is worthless for this purpose.”
Wait, how did you get from someone being a hacker to that person being a thief? Or any sort of criminal for that matter? Many hackers are in professional occupations and there is nothing unethical about it.
I think maybe there’s cross talking going on due to a difference in the definition of “hacker” – yours seems to imply a criminal element, but many hackers don’t consider themselves criminals (and nor does the law for that matter).
“True but unlikely.”
Can you elaborate?
“That’s a really lame excuse and it just confirms that these people are indeed assholes.”
Maybe they are assholes, but they’re still skilled ones.
“Is that like being a law abiding bank robber?”
No, not at all the same thing. Robbing banks implies a criminal element, hacking does not.
“Would probably help if the term ‘hacker’ wasn’t so ambiguous. Are we talking about hackers who write code or hackers who (try to) break into systems? Two different beasts, same term.”
Security hackers can break into their own systems, do you agree that it’s neither illegal nor immoral? They can hack into third party systems with permission, same deal there, right? It’s not the skill of hacking which is evil, it’s the intent.
Of course, it may be unwise to hire a hacker who’s previously demonstrated skill but has also shown malicious intent. However this doesn’t describe the majority of hackers, most of whom just hack their own systems to learn about security.
The only reason we hear about all these “evil hackers” is because they’re the ones which catch headlines, the good hackers don’t get any attention – it’s unfair but that’s the media for you.
Edit – I guess this is already the conclusion on this thread, so I didn’t need to post. Oh well.
Edited 2011-06-20 02:45 UTC
Yeah, that went a bit wrong but the kind of hacker we’re talking about in this thread isn’t the professional kind.
I wish we could go back to calling the bad guys crackers, like in the old days (the 80’s).
Edited 2011-06-20 17:23 UTC
Is that like being a law abiding bank robber?
Would probably help if the term “hacker” wasn’t so ambiguous. Are we talking about hackers who write code or hackers who (try to) break into systems? Two different beasts, same term.
I think my meaning in my original post was quite clear in referring to law abiding Hackers not crackers or criminals. Are you just trying to be cute by intentionally misreading what I wrote to mean criminals just because I talked about Hackers and system security?
And really, how can you claim your sys-admin or infosec team is at its best if you haven’t at least one member who can think outside the box, find creative solutions, try the unexpected and take a detail-oriented enthusiast’s interest in developing and implementing a solution?
My point stands; if you’re responsible for system management and security, you should be hiring Hackers, not nine-to-five folks looking only for a pay cheque with no real interest in the job topic outside of work hours. You want the type of person who will go home, duplicate wifi settings using their own router, break into it, then report back on how easy/hard it was and how your business system can be improved. You want people who spend all day managing and fixing your systems, then go home and play with their own systems for the pure joy of developing skills and learning down to the smallest details (aka Hackers).
Ok, so your definition of a hacker is someone who’s passionate about his job and thinks out of the box and is not a 9-5 paycheck person? Sure, then you should hire hackers, but I’m not so sure that’s the definition most have of “hacker”.
What we’re talking about here is the media-hyped “hacker” who breaks into other systems, and those are not the guys I need on my team. I need creative and skilled engineers, not hot-shot media darlings whose claim to fame is to deface websites.
How many Hackers do you know? How many hacker conferences have you attended and/or watched talks from? Have you been to HAR over in Europe? Been to Maker Faire? Been to your local Hacker Space? The definition of “a criminal who specializes in breaking into computers” does fit most Hackers.
With regard to LulzSec, yeah, we’re talking about a group of crackers who break into systems and expose private information. We can even drop the sensationalizing and simply call them by the more accurate term: criminals. The fact that they demonstrate hacking skills does not make them criminal; the fact that they break into systems without permission does. They’d be just as criminal if they demonstrated no hacking ability at all.
With regard to the admins who have to implement, maintain and defend information systems. Yeah, having real hackers on the staff would help a significant amount. I mean real hackers not kids who haven’t yet matured beyond throwing rocks through windows just because they are walking past.
Honestly, I was trying to keep it short and on topic. Defining hackers could easily be a several-page essay. Let’s try and keep it short though.
Consider http://www.lifehacker.com which provides a view of a broad cross-section of hackerdom.
Hackers are nearly obsessive self-directed learners who value hands-on experience. Don’t just read about programming; write a program. Don’t just read about a vulnerability; test it in your own lab systems. Don’t just look at knitting patterns; make a sweater.
Hackers focus on their topic of interest down to the lowest details. It’s not enough to press a key and see a letter appear on the screen; they want to know how the electric signal travels along the bus to end up on the monitor. Why and how does a thing happen, not just “wow.. a thing happens”. A normal user wants to open email and write a letter to a friend. A power user wants to customize the email program’s options and probably has solid reasons for preference of program. A Hacker wants to understand how all the settings affect the program, what addons are available, how the email is stored and managed, how the email is transmitted and probably how to encrypt the whole process. What is the minimum needed to send an email? (telnet or netcat..) What is the most one can do with email beyond its intended purpose?
Hackers take creative “out of the box” approaches to problems. Who cares if the manual says a thing can’t do this; let’s see if it can. Sometimes it’s an ugly MacGyver hack, sometimes it’s so elegant you won’t believe it’s not originally designed that way.
Hackers share what they learn. Information should be free if one has the authority to distribute it. Learn from each other and build on that. Keeping discoveries secret benefits no one. Your hacker on staff wants to come into work the next day and talk about what they learned the previous evening. They are very social people when not being pigeonholed by stereotypes based on ignorance.
Hackers find exploiting what they’ve learned for financial gain and/or harming others distasteful. Social engineering is not for committing fraud. System vulnerabilities are not for breaking into systems and exposing data. An open window spotted when walking past a house should not be used to commit robbery. Such things should be responsibly disclosed and fixed. Security hackers using their skills to help others protect their systems: very much so. Security hackers using their skills to steal stuff: this is the minority.
Hackers, by majority, are as ethical and law abiding as anyone else. We don’t call all doctors criminals because one is caught speeding through a red light. Why should we call all Hackers criminals because one is caught breaking into a system? Being a hacker does not make one a criminal any more than being a bus driver makes one a criminal.
Financial gain is not the most important motivation. They don’t hack a subject because it will bring them money; they do it because they love the subject. Security hackers work in security because they get to spend all day at their hobby; being paid is a bonus. Improving security systems is what brings the satisfaction. Computer hackers tend to work in IT because they get to spend all day at their hobby; being paid is a bonus. Improving and refining computer networks is the motivation. Someone’s not going to strike it rich making chess pieces on a 3D printer; whoop-de-do, they get to make stuff on a 3D printer, which is satisfaction in itself.
There are hackers that focus on pretty much every topic of interest one can think of. Political hackers, computer hackers, case hackers, food hackers, physical hackers, psychology hackers, body hackers, stereo hackers, radio hackers. It’s not simply “you’re a hacker so you must only be into programming or security.” It’s about the commonly found way of learning, thinking, solving and creating across all kinds of areas of interest.
Sure, lulzsec may be a group of crackers representing the media mis-representation of hackers. That doesn’t change the fact that those maintaining and defending systems can benefit from having hackers – in the real sense – on staff. Those attacking your systems think creatively beyond how things are supposed to be used. You need people who think just as creatively beyond how things are “supposed” to behave and well into how things can be made to behave. You need people who are skilled and self motivated beyond professional obligation to remain on top of technological advancements.
It’s about as silly as saying bankers care about money.
I’ve actually never wanted to do that, even _during_ the puberty. Other than that, I agree with you and I’ll be sure to cheer every time a LulzSec member gets caught.
Still, they remind Internet participants of what security is: it’s not a static state, it’s an active process. Why do they harm people (or at least support others doing that with the information they publish)? Because that’s the only way people actually learn, especially in relation to the Internet.
Because people love car analogies, here’s one: Imagine you’ve been driving too fast. A half year after that event you get a letter from a penalty court that states you have done something wrong, and should pay an (acceptably small) amount of money. But you may appeal to that decision. Lesson learned: none. Now imagine that right after driving too fast, the car gets confiscated and you are prohibited to drive another car. Lesson learned immediately: Driving too fast is bad.
(Apply the same scheme of cause and reaction for youth criminality, tax fraud or other kinds of crime and antisocial behaviour.)
LulzSec makes people aware about what actively maintaining security means. And they address all those who are involved in it, implicitly:
On one hand, there are the “big ones”: Governments, companies, industry, content providers, service providers and so on. This is the group that always says: “We do provide a secure <whatever>.” This statement is discovered to be a lie.
On the other hand, there are the “small ones”: The users. They don’t claim anything about how secure they use the Internet. In fact, they don’t even care for security on the Internet. One may assume that they don’t value their data. But that’s not true: They are just not aware of the facts – the facts that “villains” who gain access to their data can do harm to them.
Both “societies” are made aware that it’s worth paying attention to security and keep actively working on it. Anything else is just futile.
Just imagine the “big ones” would be truthful in stating that they are “secure”, and the “small ones” would protect their precious data. Would LulzSec have a chance “entering the stage” with what they’ve done? Surely not.
Although I do not appreciate what LulzSec did, I may mention that they are in fact aware of the importance of security. This is a state one should never grow out of, but sadly, many (even adult) individuals never actually entered that state.
Basically, it’s not that bad making people aware of the dangers present in relation to the Internet, even though the choice of means and the further results cannot be interpreted all positively (at least not by me). Still, the fact keeps standing: people only learn when they suffer. And learning is required for the necessary change of behaviour.
Hopefully you’re also not part of their “target audience”.
As I mentioned above, making people aware of present dangers that are traditionally denied or ignored… well, I would not call that “zero ethics”, although their means are definitely highly debatable.
Yeah, but that’s like saying thieves remind us about the importance of home security. I’m not going to go out and thank the guy for breaking in and stealing my stuff.
I don’t care if I am. Bring it on, bitches
Good comparison. Although the individual thieves do not deserve any positive statement about what they do, their pure existence reminds us to maintain home security properly. On the other hand… if they did not exist, there would be no need for such security efforts. But in general, people aren’t honest. Especially in regard to Internet relations, where big companies and small criminals want to profit from you and your data, one should be aware of the pure fact that the Internet is full of evildoers who just seek a chance to do harm to others, traditionally for profit. Doing it “for fun” doesn’t make the situation better, but it may be interpreted as a “less criminal motivation”, given that LulzSec’s goal is to wake up people, as they do not profit from their actions themselves (in contrast to the “real criminals”).
In the situation discussed, LulzSec isn’t the thief per se. They just provide keys for your home (as you are “hiding” them right in front of your door). Then others take those secondary keys and come to steal your things.
But that’s not their goal. It is, at best and if you believe them, to have fun. More likely the goal is to gain fame and recognition at the expense of others.
Not exactly gallant, that.
Maybe I did use the wrong word. It’s the effect, the possible result of their actions.
Users had a hard time learning to treat passwords like underwear, and they are constantly told to do so from one side, while the other side just says that “everything is 100 percent secure”, leading to the assumption that it’s not worth caring about anything. And this attitude has developed into the mainstream state of mind for many Internet users. And as I said, it’s not just the users, it’s also the media and service providers who feel safe in their imaginary world of “everything being secure”, exactly until this world is shaken, and as I also said, doing harm seems to be the only way to achieve that. Only if people lose money (as this is the means to identify who they are and what they are “worth” in many societies), followers of LulzSec use the results of the hacking, although primarily for their own benefit (instead of educating others).
I admit that I have a problem seeing the fun in that – if you want to understand fun as more than just pointing with a finger and saying “ha ha”.
Well, I basically think so too. But still it’s worth mentioning that many “famous names” have been gained on the expense of others, in widest context.
Why? Because you wrote about them, and because they can.
Thom: It is in governments’ natures to control where it is not needed, to regulate what doesn’t need regulating, and to bureaucratise that which is efficient.
Eh, this is the same Thom who was so in favour of giving the Dutch government powers to regulate ISPs? Making a few companies that provide essential services for users illegal along the way?
I.e. certain companies in The Netherlands provided filtering services for people who chose them as an ISP. But that’s now illegal.
But usually people who are against government legislation are for it when they like it. I.e. they are against certain government legislation which is inconvenient for them, but for it when it is convenient.
Thanks Thom for a totally consistent message. But perhaps you have seen the light. Welcome aboard in that case.
First, learn to spell my name.
Second, you might want to re-read the quoted statement. I’ll quote it for you with some clarifying emphasis.
“It is in governments’ natures to control where it is not needed, to regulate what doesn’t need regulating, and to bureaucratise that which is efficient.”
Sorry Thom, learning.
Ah, the right regulation is in the eye of the beholder!
I was afraid so.
Of course it is. Everything is. Unlike you, I don’t seem to have a one-minded attitude. You apply regulation where it makes sense. Your attitude seems to be that regulation is always bad, and you seem to possess some sort of eternal everlasting faith in the free market.
Which is just as silly as believing in communism. Both are ideals that do not take human nature into account. Since humans are by definition self-centred pricks, they will abuse both a free market as well as a communist system. That’s just the cold and harsh reality of this world.
And the reality I live in. Sometimes, regulation is necessary, as was clearly the case with net neutrality. Without it, the three telecommunications companies we have would unite, impose the same pricing system upon all of us (as was clearly hinted at by all three carriers), and erect even higher barriers to entry for newcomers (i.e., anti-interoperability measures), and we would’ve been in deep shit. Now, you might say – yeah well in a free market they shouldn’t be allowed to do such things! That should be illegal!
That should be – dare I say – regulated?
The free market is an idealist dreamworld. It doesn’t exist, and it will never exist. The sooner you realise that, the better.
Come on, Thom, your regulation just outlawed some private companies. I’m sure the big ISPs will thank you for that.
Even if you had to pay a few $$ more for your voip, would that have been the end of the world?
Now you have given the state the power to regulate the internet. This is simply the start.
And yes, I believe that free people in a free market will come up with mutually compatible solutions. Trusting politicians and regulations, which always have unintended consequences, to outperform the free market is believing Cuba is a paradise. If you can regulate perfectness, which is what you must believe to believe regulation will help, it would have been done in Cuba.
Okay then. Give me an example of an unregulated market.
Bitcoin?
I dunno actually, but it’s been in the news a lot, so I had to say it
The internet used to be unregulated Thom. You even didn’t have to pay sales tax on the internet. It’s still mostly unregulated. But it won’t be for long.
May I just point out that the most regulated markets, the financial markets, are in the deepest crisis?
May I point out that the financial crisis was caused by people who abused their freedom at the expense of us ordinary folk?
But that is partially because the government requested that banks provide housing loans to people who wouldn’t otherwise qualify for them… and also encouraged it.
As Lessig suggests, this is caused by both too much government and too little government.
That’s exactly my point: the world isn’t black and white .
That’s a really BS reply; the government never required or even asked them to give out interest-only loans, to require zero income verification, to abuse a risk pooling algorithm with absurdly wrong data. It’s like a kidnapper blaming his career of crime on his parents for asking him to make a living.
What were the two biggest banks that blew up? Ah, the two government banks: Fannie Mae and Freddie Mac, rescued for untold trillions.
The government banks had nothing to do with this?
The government backed up untold numbers of loans, essentially promising they could not fail. Banks got the rewards for successful loans, the government got the shaft for the failed ones. Please tell me how that wasn’t a golden parachute instituted by the government? With Fair Housing acts and other “projects”, they basically created the bubble in the first place.
There’s plenty of documentaries, articles, and essays on this topic out there – please don’t come telling me I’m full of shit without doing some research of your own first.
Edit: Oh, and in case you think I’m somehow bitter about it – I’m not. In fact, this economic crash has turned out to be an awesome situation for me
umccullough,
“Edit: Oh, and in case you think I’m somehow bitter about it – I’m not. In fact, this economic crash has turned out to be an awesome situation for me”
Well now I’m pretty bitter about it. Do you live in the US? What’s your angle?
Yes, I do.
Hint: This is a real estate investor’s dream right now!
Edit: Actually, I think I’ll just keep it simple – no need to reveal my private life too much on the internet.
umccullough,
Well, I guess it depends on your POV. On average, the US residential construction industry is in terrible shape. Some relatives of mine had to close up shop.
There are some bargain real estate prices for anyone who’s already got money, but the other side of that is when we consider that these houses come from families whose houses were repossessed through record numbers of foreclosures. The net effect is more wealth and property lost by the middle class to the upper classes.
There are many like me who simply cannot afford a home in the first place, even with prices back at 2000 levels. I’m still looking for a job suitable to my abilities.
We’ve gotten really off topic for this thread
I’d love to respond to this post – and I have a *lot* to say about it… but I think I’d rather keep some of that out of the public for now.
If you wish, feel free to email me (you shouldn’t have a hard time figuring out where), if you want to hear my further opinions on the matter.
Clearly all that existing regulation didn’t prevent that…
And I would say exacerbated the problem.
Caused by the private market? Why did it happen in the most regulated market? And why did the government not just let them fail, but bailed them out? Maybe their interests collided a bit too much?
Mr. Holwerda:
You said,
“May I point out that the financial crisis was caused by people who abused their freedom at the expense of us ordinary folk?”
Come, Sir, when have people NOT “abused their freedom at the expense of … ordinary folk?”
There must have been something else afoot in 2008 that wasn’t otherwise for the crash to happen.
When the Fed cut rates in 2002, people borrowed huge amounts of money that bid up housing prices. When general price inflation became a strong possibility in 2007, the Fed increased interest rates, which sucked money OUT of the housing market, causing prices to crash. Sadly, those still in–both borrowers and lenders–were left “holding the bag.”
People tend to be rational, and thus, they react to incentives. As I often told my econ students, “If you provide perverse incentives, never be surprised to see a bunch of perverts!”
I think it’s hypocritical to change people into perverts, “cutting them off at the knees,” then blaming those maimed people for becoming perverts.
Please forgive if I’m too huffy!
Getting back on topic, another example of an unregulated market is–at least in the USA (which DOESN’T have a monopoly of the airwaves!)–talk radio, where people all over the political spectrum–from right-wing nut jobs to moderate milquetoasts to left-wing loonies and those of good will throughout–flourish in a teeming environment.
Even unregulated markets, however, have limits and valid governmental functions. One such function is to protect people from predators–and LulzSec have all the hallmarks of predatory bullies. According to these “in-DUH-viduals” of LulzSec:
–Your baby got candy taken from her? Tough luck; she deserved it, because she was too weak to hold onto it.
–Your house was broken into, and all valuables taken? Tough; you deserved it. You should have made your house an impenetrable fortress.
–All of your computer accounts were hacked, and you lost everything? Too bad, so sad, sucks to be you! You were too stupid to secure your computer and Internet connexion. You only got what was coming to you!
–Your bank’s computers were hacked, and all of its money drained–including your life’s savings deposited therein. So what? You got your just desserts for being a moron in NOT doing business with a bank that was secure!
EXCEPT…
EVERYBODY is stupid, at least some of the time. Maybe in the next world, they will have to deal with demons who terrorise them for being too stupid to know their own limitations. That MIGHT be their just desserts for the bullying manner in which they destroy others!
You mean like the billions (or maybe trillions) in unregulated derivatives at the heart of the current economic crisis?
Somalia. No regulations there. A pirate’s paradise, I hear.
Governments have a monopoly on force. That’s the difference between anarchy and a country with the rule of law.
Maybe that clears things up?
Really, you think the free market should decide if you can kill someone????? That is what the free market is about?
The free market is about non-coercive interactions between free people. Government regulation adds coercion here, forbidding certain interactions, outlawing certain firms (which the Dutch government just did, they outlawed “Klicksafe”, probably Amazon’s Whispernet, and probably more), and creating monopolies (remember Telecom companies used to be government monopolies).
I was really just trying to be a smart a**. But you beg another deeper point to reflect on.
Is there such a thing as a non-coercive interaction between any two people? Money will coerce people into doing things they otherwise wouldn’t.
I think you’d have to define the free market to meet your definition. Something like : a free market is one in which two people interact without a non immediate threat of violence.
Even a transaction such as buying bread can involve implicit violence, as a purchaser may starve if he is unable to meet the asking price. If you have enough such purchasers, you end up breaking the government’s monopoly on force, French Revolution style.
The free market is a very nebulous term when you get down to it. Everyone has their own idea of what it really is, depending on their idea of what society should look like. By suggesting Somalia, I was trying to introduce a society that lacked all of the things that many people say prevent a true free market from arising, while not appearing like what you want an ideal society to look like. It may for the purposes of our discussion be easy for you to add a rejoinder that excludes violence, but if you were given God-like powers to set all the laws of their society, you would end up in arguments with others over the line between violence prevention and economic regulation. The line simply is far too grey in practice.
So you want the government to have a monopoly on force, but you demand that the government NEVER actually use that force?
Interesting.. I think you have found your way to a logical paradox; now you just need to draw the logical conclusion from reaching a paradox: that you are wrong!
Yeah, humans are by definition self-centered pricks…. except for the ones that run government. Those humans are all saints
Ah yes. They would never, never ever, send lewd pictures of themselves to young girls. They would never open up themselves for blackmail. They would never be beholden to lobbyists.
Great post, while I may disagree with you on net neutrality, your post summed up human nature perfectly. Your post reminded me of a video I saw on youtube a year ago.
http://www.youtube.com/watch?v=RWsx1X8PV_A
Hmm.. I would consider that to be a bit over-cynical.
I’d say a more accurate way of putting it would be that there is a proportion of humanity who are self-centred pricks and who will abuse whatever system is in place.
The trouble is that this proportion, while a minority, are the ones who end up in charge, and able to screw everyone else.
In fact, if everyone was a power hungry self-centred prick, systems like the free market which play on these attributes may actually work a lot better than they do.
spudley99,
“I’d say a more accurate way of putting it would be that there is a proportion of humanity who are self-centred pricks and who will abuse whatever system is in place.
The trouble is that this proportion, while a minority, are the ones who end up in charge, and able to screw everyone else.
In fact, if everyone was a power hungry self-centred prick, systems like the free market which play on these attributes may actually work a lot better than they do.”
Wow, this is extremely insightful.
I’ve always believed that humanity could do far better for itself if only we’d work together more and ceased using resources actively fighting each other over power/wealth.
At the extreme, we could theoretically automate most of the work humans do today, such that food/shelter/clothing could be provided without human workers. We might only need to work a day/week to pay for extra amenities, with the rest of the time used for leisure/arts/learning/whatever.
Theoretically, there’s nothing stopping us from achieving this type of civilization. However, this presupposes that humanity can overcome greed, which maybe it cannot.
“Which is just as silly as believing in communism. Both are ideals that do not take human nature into account. Since humans are by definition self-centred pricks, they will abuse both a free market as well as a communist system. That’s just the cold and harsh reality of this world.”
If you modify that statement to,
“Since a small handful of humans are self-centered pricks that will abuse any idealistic system, we have to recognise that there must be safeguards in place to protect the rest of us. That’s just the cold and harsh reality of this world.”
I would agree with you 100%.
Very nicely put, Thom. Human nature tends to destroy ideals.
Do you mean Solcon can not do filtering anymore? Even though the users want them to do so? That would be a mistake in the law.
That would also have been a mistake by Solcon, as they should have contacted their party or other parties’ representatives to put an exception in the law. It was very clear that such a law was gonna be created.
The solution to their problems is to start a separate filtering business.
The ISP can’t filter, but they can have a separate business that puts in filtering at the ISP level and whereby the ISP resells the filtering service to the users and bills them accordingly (they just need to make 2 items on their bill).
Assuming LulzSec isn’t in fact a false flag effort, which isn’t nearly as outlandish as I wish it were, I’m going to find it incredibly entertaining when the three letter agencies they’re bear baiting decide to swat them like the cockroaches they are.
LulzSec is a great reason for governments to push more wiretapping laws, which will in the end not change anything because most of these people are either overseas or connecting through proxies or owned machines overseas..
You are exactly right. Thom screamed when he had to pay $2 more for VOIP services.
A lot more voters will scream when their email addresses are released. A great excuse for more regulation.
Remember: if it moves tax it. If it keeps moving, regulate it, and if it stops moving subsidise it (we would call that bailout these days).
You’re starting to work on my nerves here.
It’s not about the money. It’s about letting private corporations control what I can access, and how I can access it. It’s about a private entity peeking into my traffic and looking at my data to find out what I’m doing. That is scary. I don’t give one flying fcuk about paying extra – I give a flying fcuk about private entities violating my constitution-given right to privacy.
And please, don’t start about your fictional free market again, and about how if the people want it a new carrier could come up. This is simply unrealistic. The barrier to entry is simply too high, and in your completely unregulated market the three carriers would band together even more than they already do to block out any possible newcomers, and to ensure that customers can’t easily switch to the new carrier (by blocking number transfer, for instance, or by simply not even allowing calls to and from the new carrier in the first place). That would all be allowed in your dreamworld!
At least I can actually vote on politicians if they screw up. In your free market dreamworld, the three carrier cartel would make it impossible for me to make any choice to vote with my wallet.
“EVE Online (well, finally some action in that spreadsheet of a ‘game’)”
Internet Spaceships is serious business(TM)!
PS. I play it too, against my better judgement…
By releasing personal information to the public, they already ruin that so-called “honesty”. Hence, by saying that the internet is such a harsh environment, they do their own harsh thing and contribute to the worst, and feed those robbers with other people’s personal information.
Thom, it is like lulz was giving someone the gun and lulz doesn’t care if that someone will point the gun to you, and the worst nightmare that it did. How can you commend the group for honesty?
I don’t see any contradiction. They are not hypocritical and are quite forthright about what they do and why. That the result is quite negative does not make them any less honest. There is no attempt to lie or deceive, merely an attempt to harm.
Here’s to the bad ones, the miscreants, and the honest thieves. It’s better to embrace and admit who you are than to deny it.
My suspicion is that these guys are the false flag operation to justify the crackdown aimed at Anonymous and Wikileaks. Seriously, I don’t know how anyone would truly think it in their interest to act like LulzSec.
Edited 2011-06-18 07:55 UTC
I doubt this is the case. From the language, targets and attitude I expect these folks are genuine.
This sort of thing proves more and more that we need something like openid. Most people can’t manage so many different passwords for so many different sites across so many different clients, so they turn to re-use of names and passwords. Telling people to not do that, to use separate passwords, is technically correct but infeasible (it doesn’t scale). The sad thing is that a viable solution exists but adoption from sites is too low, I think because demand is low. If somehow people could be taught the idea that painful experiences like this could be avoided by demanding openid login then we’d all be in better shape.
1. These guys are idiots. Most of them get caught, and they won’t be an exception. Anonymous is slowly getting whittled away, and lulz will eventually fall, too. Most criminals aren’t smart enough to keep their mouths shut.
2. Wikileaks did what they did for one reason; Wikileaks. I love the romanticisation of these a–holes (Ass-ange-holes?) What Wikileaks did wasn’t only wrong, it was non-productive. What did we learn – that the Saudis fear Iran? Wow, that really broke ground. I think from the whole Wikileaks caper what we really learned is that Julian Assange likes to have sex with women while they sleep (all of them, maybe?)
Please stop overromanticising a bunch of arrogant, egotistical know-it-alls who didn’t reveal anything really newsworthy.
Actually, the world got the smoking guns on what the US occupation looks like with its enforcement through helicopter gunships, that the US is going through back-room deals to push Monsanto’s genetically modified crops, that we were engaging in war in Yemen without the general knowledge of the American public, that our diplomats were acting as spies in contravention of international law and also involved in the extraordinary rendition of suspects to regimes that had no limits on the cruelty of torture they would apply.
The popular press coverage was all about outing private conversations and focused on trivial examples out of a larger context of exposing a system rife with crimes against humanity. I see by your message that they conveyed the intended impression.
This reminds me of my nearly-3-year-old. When we ask him why he did something bad, he often says ‘because I want it’.
I mean, really, when a large(ish) group of supposedly nearly grown up people decides to behave as a 3-year-old hive mind, run and hide, folks. Run and hide. Chaos is coming.
By the way, I didn’t know about the Minecraft DDoS attack, but how retarded can you be. If there’s one glorious example of how anyone with the right idea and a decent helping of skills can make it big time in today’s digital age, it’s Notch with Minecraft. What the f*** made him a target? He’s no ‘Big Bad Evil Guy’ however you slice it. Let them take on the CIA and every intelligence or government service in the world and I won’t give a damn, but it’s just plain stupid to turn onto the little man…
As much as I love Minecraft and think Notch is awesome, calling someone who sold over 2.5 million copies of a game ‘the little man’ is a bit… weird.
He’s the proverbial little man who made it big. With his own hands. The embodiment of the [strikethrough]American[/strikethrough] Internet Dream.
So is Facebook.
Notch is probably fine though.
But you see, that’s why he’s a target. As opposed to Lulz, he has made it by creating something all by himself. People will still be playing Minecraft long after Lulz’s 15 seconds of fame have run out.
This is also known as “jealousy”.
This is exactly the kind of behaviour that governments can use as an excuse to usher in draconian Internet control laws. Bad.
So are OSAlert passwords hashed and salted?
Even if it is, it would also be a good idea to choose the right hash.
Offline attacks have been getting really really fast these days:
http://blog.zorinaq.com/?e=43
I think http://en.wikipedia.org/wiki/Key_stretching should probably also be on that list.
I’ve started thinking I should improve my site to do that as well.
I wouldn’t commend them on anything at all. Despicable bunch of cowards and low lives that hurt people for their own amusement hidden behind the anonymity of the Internet.
Hey LulzSec, I dare you to hack OSAlert, I bet you can’t.
Ha ha! Good one!
Well, in all honesty – I did check with the team if our passwords (and yours) are all properly secured. I don’t want to dive into specifics, but suffice it to say they are all properly encrypted.
Thom Holwerda,
“Well, in all honesty – I did check with the team if our passwords (and yours) are all properly secured. I don’t want to dive into specifics,”
Ah, security by obscurity then. (just kidding Thom)
“but suffice it to say they are all properly encrypted.”
Well, not exactly since it’s over plain HTTP.
If hackers did get in, they could alter anything in the database. They could install keyloggers or modify the hashing function such that they are able to decrypt passwords easily.
Am I right in thinking it’s extremely unlikely that you’d notice?
Even a single XSS vulnerability would give an attacker the opportunity to steal your credentials if you follow a malicious link.
If you were a high profile target, it’d probably be worth hiring someone else to do penetration testing, which most companies fail to do.
Many companies around here don’t even want to pay to fix known vulnerabilities. Like Sony, a theoretical attack vector isn’t important until it has been actively exploited.
Thom Holwerda,
Another point to make is that by allowing third parties to execute code on your web pages, you’ve implicitly given them access to our credentials as well.
For example, your pages are running scripts from google adsense, google analytics and quantcast. Any one of these could target osnews users if they wanted to and capture credentials without even touching anything on the site.
I’m often a little surprised how little this bothers people.
Ohh really? I didn’t see them.
Sorry OSAlert crew, I would like to see them.
Really I do, although they can be a bit distracting at times.
But scripts loading from other sites and document.write just don’t cut it for me. They affect performance and security a tad too much for my liking.
I block every external file with a plugin right now, which is highly annoying with people adding more and more domains to their site and loading jQuery and its plugins and more of the same from Google, Microsoft and Yahoo.
Still, I do run those ads on my own site though.
They are at the bottom of the page, where they have the least impact on performance.
The site makes less money than the hosting would cost but that is currently free for us, so is the site for the users.
I wish SPDY/HTTPS/SNI were in widespread use; that would really help to speed up websites and make them secure, and we wouldn’t need to use plain HTTP like Alfman mentioned above.
While I’m talking things which could be really improved, the Certificate Authority system (as used by HTTPS and friends) could really be improved by the use of DNSSEC.
So now this comment is long enough.
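The two comments above raise the same practical question: which outside parties does a page hand script-execution rights to, and therefore implicit access to its users’ sessions? The following is an added example, not code from OSAlert or from any commenter, that answers it for a single HTML document: it collects every `<script src=…>`, keeps the ones whose host differs from the site’s own, and reports them. The sample page and all hostnames in it are constructed placeholders, and the site host `www.osalert.example` is assumed; counting inline scripts is included only so the output also shows what the page runs from itself.

```python
from html.parser import HTMLParser
from typing import List, Set
from urllib.parse import urlparse


class ScriptSourceCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self) -> None:
        super().__init__()
        self.sources: List[str] = []   # external script URLs, in page order
        self.inline_count = 0          # <script> tags with no src attribute

    def handle_starttag(self, tag, attrs) -> None:
        if tag.lower() != "script":
            return
        # attrs is a list of (name, value); value is None for bare attributes
        src = next((v for k, v in attrs if k.lower() == "src" and v), None)
        if src is None:
            self.inline_count += 1
        else:
            self.sources.append(src)


def third_party_script_hosts(html: str, site_host: str) -> List[str]:
    """Return the sorted hosts, other than our own, that the page loads scripts from.

    Each host listed can run code with the page's own origin privileges, so the
    result is the set of parties the site has implicitly trusted with user
    sessions. Relative and same-host sources are first-party and are skipped;
    scheme-relative URLs (//host/...) are handled by urlparse like any other.
    """
    collector = ScriptSourceCollector()
    collector.feed(html)
    hosts: Set[str] = set()
    for src in collector.sources:
        host = urlparse(src.strip()).netloc.lower()
        if host and host != site_host.lower():
            hosts.add(host)
    return sorted(hosts)


# Constructed sample page; hostnames are placeholders, not real ad or analytics servers.
SAMPLE_HTML = """
<html><head>
<script src="/js/site.js"></script>
<script src="https://www.osalert.example/js/comments.js"></script>
<script type="text/javascript" src="//stats.analytics-example.net/tracker.js"></script>
<script>var inline = 1;</script>
</head><body>
<p>content</p>
<script src="http://ads.adnetwork-example.com/show_ads.js"></script>
<script src="HTTPS://Stats.Analytics-Example.net/other.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for host in third_party_script_hosts(SAMPLE_HTML, "www.osalert.example"):
        print("third-party script host:", host)
```

Run against a real page (fetch the HTML, pass the site’s hostname), the list is the starting point for the decision each commenter is making by hand: which of these hosts the site actually needs, and whether each could be moved to the bottom of the page or dropped.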
I certainly hope you mean hashed, rather than encrypted.
I’ve got a feeling Thom doesn’t know the difference, so you are actually asking the wrong person.
I mean hashed.
Thanks.
Now that I look again at my previous comment, I intended to have a -smiley on the end.
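The earlier comment about choosing the right hash and adding key stretching, and the exchange just above about “hashed rather than encrypted”, point at the same storage scheme. The following is an added example, not OSAlert’s code and not something any commenter posted, that shows the difference in working Python: a password hash has no key and cannot be reversed, a per-user salt stops two users with the same password from sharing a digest, and PBKDF2 iterations make every offline guess cost the attacker as much as it costs the site. The iteration count and the sample passwords are assumed values for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Iteration count for the example; a real deployment tunes this to its own
# hardware and raises it over time (assumed value, not from the discussion).
ITERATIONS = 100_000


def weak_hash(password: str) -> str:
    """Unsalted, single-round MD5.

    Every user with the same password gets the same digest, and a leaked table
    can be attacked offline at the raw speed of the hash function.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_salted_hash(password: str, salt: Optional[bytes] = None,
                     iterations: int = ITERATIONS) -> str:
    """Salted, stretched hash using PBKDF2-HMAC-SHA256 from the standard library.

    There is no key anywhere: this is one-way, which is what distinguishes
    hashing from encryption. The stored string carries the algorithm, the
    iteration count and the salt, so verify() needs nothing else.
    """
    if salt is None:
        salt = os.urandom(16)   # random per-user salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify(password: str, stored: str) -> bool:
    """Recompute the stretched hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False            # malformed record, never a match
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # compare_digest avoids leaking the position of a mismatch through timing.
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_password_collides(password: str) -> dict:
    """Two users sharing a password: do their stored values come out equal?

    Under unsalted MD5 they do, so one cracked entry exposes both accounts.
    Under salted PBKDF2 they do not.
    """
    return {
        "unsalted_md5": weak_hash(password) == weak_hash(password),
        "salted_pbkdf2": make_salted_hash(password) == make_salted_hash(password),
    }


if __name__ == "__main__":
    # Constructed sample password; not from the discussion.
    stored = make_salted_hash("correct horse battery staple")
    print(stored)
    print(verify("correct horse battery staple", stored))   # True
    print(verify("wrong guess", stored))                    # False
    print(same_password_collides("hunter2"))
```

The stored format is self-describing on purpose: when the iteration count has to go up, new records simply carry the larger number and old ones are re-hashed at the user’s next successful login, without any change to `verify()`.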
Dude, he’s Dutch. He knows all about the hashish.. err, hashing.
LoL
A lack of objective morality leads to people doing whatever they please whenever it pleases them without regard to others.
Not morality, that’s just a convenient construct we use to keep ourselves in line so that society can more or less function. What the hackers is appropriate fear of what will happen to them once the game ends.
True, nowadays the egotistic way of thinking is the one most frequently seen.
But on the other hand, _why_so_serious_ ? Really.
These kids (LulzSec) need to grow up.
Lulzsec are anonymous.
If this seems wrong or surprising to you then you don’t really have a clear idea of what’s going on.