xkcd

[johnny_7713]

<snip>

I would now submit that those said entities, the necessary ones, are a 'more important' necessary than the necessity of the assumption that all data given to a third-party be insecure. Does that not then place the blame on the companies that require your pertinent information? If you must consider all information given toa third-party entity to be insecure, and if <aforementioned third-party entities> are a necessity, than placing the blame on the end-user is the very definition of victim-blaming.

Blaming the companies is just as much a form of vicitim-blaming. Its the hackers who decided to steal the information, and thus they are the ones who are morally responsible. The fact that better internet security practices would make it harder for hackers and are the best way of protecting yourself does not change that.
If I entrust a piece of jewellery to a bank and have them keep it in their vault and subsequently the bank is robbed and my jewels are stolen the responsibility lies neither with myself nor with the bank, but with the people who decided to rob the bank, which is why bank-robbery is a crime and 'failure to make your bank 100% unrobbable' is not.

[aoeu]

How do you balance the necessity of assuming that any data given to such a third-party account-holding entity can/will be breached with the necessity of using said entities? Once it is given to them, you've got little chance of being able to ensure that you have altered (or deleted) all records of your account details with that entity, and yet, with something like PayPal or Amazon or Sony or Sega or EVE or <insert any other applicable entity of the aforementioned type> how can you ignore the necessity of giving your account details?

If it's necessary then you have no choice but to ignore the risks, but it is wrong to assume these things are necessary. Just don't do it until you are satisfied with the risks and benefits. On the Internet it is often the case that even though people don't know exactly what they are getting the risks are limited.

[aoeu]

If I entrust a piece of jewellery to a bank and have them keep it in their vault and subsequently the bank is robbed and my jewels are stolen the responsibility lies neither with myself nor with the bank, but with the people who decided to rob the bank, which is why bank-robbery is a crime and 'failure to make your bank 100% unrobbable' is not.

Actually, it's because the law says so.

[gmalivuk]

it is wrong to assume these things are necessary.

Bullshit. How is it unnecessary to have a bank if you have more money than you can safely carry around in your wallet with you?

[aoeu]

it is wrong to assume these things are necessary.

Bullshit. How is it unnecessary to have a bank if you have more money than you can safely carry around in your wallet with you?

Nobody's been talking about banks (EDIT: I wasn't talking about banks). And banks do tend to arrange their stuff to be very secure, and give you back any money that was lost due to their error. Plus the most paranoid can still do banking offline.

[Ortus]

<snip>

I would now submit that those said entities, the necessary ones, are a 'more important' necessary than the necessity of the assumption that all data given to a third-party be insecure. Does that not then place the blame on the companies that require your pertinent information? If you must consider all information given toa third-party entity to be insecure, and if <aforementioned third-party entities> are a necessity, than placing the blame on the end-user is the very definition of victim-blaming.

Blaming the companies is just as much a form of vicitim-blaming. Its the hackers who decided to steal the information, and thus they are the ones who are morally responsible. The fact that better internet security practices would make it harder for hackers and are the best way of protecting yourself does not change that.
If I entrust a piece of jewellery to a bank and have them keep it in their vault and subsequently the bank is robbed and my jewels are stolen the responsibility lies neither with myself nor with the bank, but with the people who decided to rob the bank, which is why bank-robbery is a crime and 'failure to make your bank 100% unrobbable' is not.

Yeah, I agree with most of that. In fact, had the person I was responding to come back with proper refutations to my argument, I would have brought this up. Having said that, negligence does play a role: ignorance can be forgiven, but within the past few years have been many profiled breaches of online security tossed about on the news. While serious fault can (read: not must) be said to lie at the instigators feet, companies with lax security almost demand the be breached in the eyes of a hacker. That would shift blame nicely from instigator to third-party entity.

it is wrong to assume these things are necessary.

Bullshit. How is it unnecessary to have a bank if you have more money than you can safely carry around in your wallet with you?

Nobody's been talking about banks (EDIT: I wasn't talking about banks). And banks do tend to arrange their stuff to be very secure, and give you back any money that was lost due to their error. Plus the most paranoid can still do banking offline.

Banks? Nobody here was actually talking about banks; this is a discussion on internet security.

[gmalivuk]

Banks? Nobody here was actually talking about banks; this is a discussion on internet security.

Oh, I apologize. I didn't realize your bank didn't have a website or any other internet presence.

[Ortus]

Banks? Nobody here was actually talking about banks; this is a discussion on internet security.

Oh, I apologize. I didn't realize your bank didn't have a website or any other internet presence.

>.>

<.<

I was trying to point out that aoeu's response, "nobody has been talking about banks" was quite silly with the apparently too-veiled, "you're right, we've not been talking about banks, but we have been talking about the necessity of using certain online services [like what banks offer]". So uh... I take it I failed at pointing that out clearly enough?

[gmalivuk]

Well then I suppose my response didn't need to be directed at you, since you were agreeing with me.

So pretend it's directed at aoeu, who seems to think that going in person to order all of your transactions somehow makes your personal information immune to everything that happens online.

[Ortus]

Well then I suppose my response didn't need to be directed at you, since you were agreeing with me.

So pretend it's directed at aoeu, who seems to think that going in person to order all of your transactions somehow makes your personal information immune to everything that happens online.

Will do, I should have just typed all that out in the first place; I was trying to be sassy

[aoeu]

Banks? Nobody here was actually talking about banks; this is a discussion on internet security.

Oh, I apologize. I didn't realize your bank didn't have a website or any other internet presence.

>.>

<.<

I was trying to point out that aoeu's response, "nobody has been talking about banks" was quite silly with the apparently too-veiled, "you're right, we've not been talking about banks, but we have been talking about the necessity of using certain online services [like what banks offer]". So uh... I take it I failed at pointing that out clearly enough?

Quotations are supposed to be in context, especially if you go out to call them bullshit. My bank does have an online presence, and I don't see why it's relevant. And obviously if you don't have online banking then nothing can be done to your bank account through the Internet, making you shielded.

[Ortus]

Banks? Nobody here was actually talking about banks; this is a discussion on internet security.

Oh, I apologize. I didn't realize your bank didn't have a website or any other internet presence.

>.>

<.<

I was trying to point out that aoeu's response, "nobody has been talking about banks" was quite silly with the apparently too-veiled, "you're right, we've not been talking about banks, but we have been talking about the necessity of using certain online services [like what banks offer]". So uh... I take it I failed at pointing that out clearly enough?

Quotations are supposed to be in context, especially if you go out to call them bullshit. My bank does have an online presence, and I don't see why it's relevant. And obviously if you don't have online banking then nothing can be done to your bank account through the Internet, making you shielded.

Pretty sure I got the context correct on both accounts. Literal meaning =/= intended meaning; I fudged the sassy quip, and then had to clarify it later. The clarification was done in the context of the misunderstood quip's intended meaning, not its literal one. Good try, I guess?

So, to your argument: how can you deposit a check at one location of your bank and withdraw cash from that deposit in another location, be it from ATM's or another branch? Preemptive coup-de-grâce: the internet.

[Dark567]

So, to your argument: how can you deposit a check at one location of your bank and withdraw cash from that deposit in another location, be it from ATM's or another branch? Preemptive coup-de-grâce: the internet.

That's not true. Banks are on a separate network infrastructure that handles transaction like credit card transactions, ATM withdrawals, etc.

Remember all those things existed before the internet and the infrastructure has developed independently of the internet.
http://en.wikipedia.org/wiki/Interbank_network

[Ortus]

So, to your argument: how can you deposit a check at one location of your bank and withdraw cash from that deposit in another location, be it from ATM's or another branch? Preemptive coup-de-grâce: the internet.

That's not true. Banks are on a separate network infrastructure that handles transaction like credit card transactions, ATM withdrawals, etc.

Remember all those things existed before the internet.

The keyword being ' computer network', here. Whether or not the network is accessible from outside*, it can be accessed through a physical connection and then used like any other network not 'outside'. And I would submit that the same terminology of 'hacker' would apply to the person doing this, again regardless of whether or not he or she is actually using the internet at large.

*As in, not connected to the internet in any way. Perhaps I should have said 'network, thus prone to much the same security issues as the internet', in my coup-de-grâce comment.

[Dark567]

The keyword being ' computer network', here. Whether or not the network is accessible from outside*, it can be accessed through a physical connection and then used like any other network not 'outside'. And I would submit that the same terminology of 'hacker' would apply to the person doing this, again regardless of whether or not he or she is actually using the connected internet.

*As in, not connected to the internet in any way. Perhaps I should have said 'network, thus prone to much the same security as the internet', in my coup-de-grâce comment.

But the banks networks are very different from the internet, anyone who has knowledge of hacking things via TCP/IP is going to be lost. These networks run a completely different protocol, of which the expertise in is very limited, the devices to access it are expensive, and all the data is encrypted. These networks aren't just like any other network not 'outside', they work in a completely different manner.

[Ortus]

The keyword being ' computer network', here. Whether or not the network is accessible from outside*, it can be accessed through a physical connection and then used like any other network not 'outside'. And I would submit that the same terminology of 'hacker' would apply to the person doing this, again regardless of whether or not he or she is actually using the connected internet.

*As in, not connected to the internet in any way. Perhaps I should have said 'network, thus prone to much the same security as the internet', in my coup-de-grâce comment.

But the banks networks are very different from the internet, anyone who has knowledge of hacking things via TCP/IP is going to be lost. These networks run a completely different protocol, of which the expertise in is very limited, the devices to access it are expensive, and all the data is encrypted. These networks aren't just like any other network not 'outside', they work in a completely different manner.

Ignoring the encryption, because I don't know enough about that to counter-argue: aren't uh.. all those arguments arguments that could have been made about TCP/IP? Expertise being limited, devices to access it are expensive? I don't see how that changes my previous argument at all (which doesn't mean your argument is invalid, I just don't know how it changes my argument).

[Dark567]

Ignoring the encryption, because I don't know enough about that to counter-argue: aren't uh.. all those arguments arguments that could have been made about TCP/IP? Expertise being limited, devices to access it are expensive? I don't see how that changes my previous argument at all (which doesn't mean your argument is invalid, I just don't know how it changes my argument).

All it takes me to access a TCP/IP network is a computer, which is what a couple hundred dollars? Access to the interbank network is going to cost thousands, an ATM machine will run you a $2,000 and your not exactly going to be able to hack with just an ATM machine. There are a lot of people that have expertise in TCP/IP. Banknet protocols, not so much.

But really the killer is the encryption. Even if you got access to the info on the line, the data would be useless unless you can break 64-bit and 128-bit encryption. It doesn't make sense for a would be hacker to go after interbank networks when there is online banking they can go after that is much easier.

[KnightExemplar]

http://www.wired.com/threatlevel/2010/0 ... ackpotted/

To conduct the remote hack, an attacker would need to know an ATM’s IP address or phone number. Jack said he believes about 95 percent of retail ATMs are on dial-up; a hacker could war dial for ATMs connected to telephone modems, and identify them by the cash machine’s proprietary protocol.

Stop talking about "in theory". ATMs can be hacked. Some ATMs are apparently on the TCP/IP network, and others are on modem lines that you can dial into (and thus can be hacked old-school, with a modem card). Both modem cards and TCP/IP connections are cheaply avaliable to the public. So if you use ATMs, this discussion is completely relevant to you.

[Dark567]

Stop talking about "in theory". ATMs can be hacked. Some ATMs are apparently on the TCP/IP network, and others are on modem lines that you can dial into (and thus can be hacked old-school, with a modem card). Both modem cards and TCP/IP connections are cheaply avaliable to the public. So if you use ATMs, this discussion is completely relevant to you.

Retail ATM's. If you use you only use Bank ATMs this doesn't apply. I don't like paying fees so almost never touch retail ATM's. I suspect most other people don't use retail ATMs as often for the exact same reason.

[KnightExemplar]

Stop talking about "in theory". ATMs can be hacked. Some ATMs are apparently on the TCP/IP network, and others are on modem lines that you can dial into (and thus can be hacked old-school, with a modem card). Both modem cards and TCP/IP connections are cheaply avaliable to the public. So if you use ATMs, this discussion is completely relevant to you.

Retail ATM's. If you use you only use Bank ATMs this doesn't apply. I don't like paying fees so almost never touch retail ATM's. I suspect most other people don't use retail ATMs as often for the exact same reason.

Hmm, well, I don't know much about ATMs either, so I'll have to trust you on that. Assuming that the bank-based ATMs are secure, then sure, I guess you can avoid the issue by sticking with only bank ATMs. However, I doubt the general population cares about this, and I still say its a good example on how unavoidable it is to lose track of personal data. Going back to this quote:

Really now? When something happens as a consequence of your actions and was entirely foreseeable it's the definition of responsibility.

There are plenty of examples where hacks are unforeseeable. For more examples, the largest hacks of the past few years show how much you have to trust the security of the companies you deal with. The TJX Companies hack (owner of TJ Max and Marshalls), The Heartland Payment credit card system hack, and more recently, Citibank hack and PSN Hacks.

When you give your credit card to the server at a restaraunt, do you check the credit card system that she swipes it (Was it the Heartland Payment Credit Card system, which was hacked??). Do you check to see if the waitress double-swipes your card? (There were recent reports of Waiters who stole credit card numbers as they swiped them into the computer)

Anyway, I think I agree with the overall point. The personal information that companies request from us needs to be regulated. Companies need to share the responsibility of protecting our information, but hackers as well need to be punished. (True, the company may have been criminally negligent, but hacking cannot go unpunished.)

[johnny_7713]

Yeah, I agree with most of that. In fact, had the person I was responding to come back with proper refutations to my argument, I would have brought this up. Having said that, negligence does play a role: ignorance can be forgiven, but within the past few years have been many profiled breaches of online security tossed about on the news. While serious fault can (read: not must) be said to lie at the instigators feet, companies with lax security almost demand the be breached in the eyes of a hacker. That would shift blame nicely from instigator to third-party entity.

Of course serious fault must be laid at the instigators feet. They are the ones who without duress chose to commit an act that is both morally wrong and criminal. Whether I should have a right to compensation from a company with lax security on grounds of their negligence does not change where the moral blame should be laid.

[sje46]

Lulzsec has joined forces with Anonymous and declared war on...the System, I guess. They want people to hack into government and financial institutions and leak info, and leave the word "antisec" on the page.

I'm wondering if all this hacking of gaming sites/etc was simply a way for them to get 200,000+ followers.

http://twitter.com/#!/LulzSec/status/82667686647177216

[Hawknc]

I'm getting a Joker vibe from all of this. "Some people just want to watch the world burn" and all that.

[KnightExemplar]

I'm getting a Joker vibe from all of this. "Some people just want to watch the world burn" and all that.

Generally speaking, its more of a "V" vibe. "People should not fear their governments --- Governments should fear the people".

Illogical distrust of the government because a movie said so. Everything they do seems to be some corrupted form of that movie. Meh, its a good movie, but I dislike how people seem to have glorified its message.

[yoni45]

Blaming the companies is just as much a form of vicitim-blaming. Its the hackers who decided to steal the information, and thus they are the ones who are morally responsible. The fact that better internet security practices would make it harder for hackers and are the best way of protecting yourself does not change that.
If I entrust a piece of jewellery to a bank and have them keep it in their vault and subsequently the bank is robbed and my jewels are stolen the responsibility lies neither with myself nor with the bank, but with the people who decided to rob the bank, which is why bank-robbery is a crime and 'failure to make your bank 100% unrobbable' is not.

Something doesn't have to be a crime for one to be responsible for it -- there's always civil court.

In the case of banks, if anything, the robber is responsible to the bank for having robbed it. The bank is responsible to the client for having security lax enough to allow it to be robbed.

If the bank didn't have any responsibility to the consumer regarding the safety of the money, we wouldn't need them -- we may as well all place our money into nice piles outside and expect no one to take it.

[Xeio]

I'm getting a Joker vibe from all of this. "Some people just want to watch the world burn" and all that.

Generally speaking, its more of a "V" vibe. "People should not fear their governments --- Governments should fear the people".

Illogical distrust of the government because a movie said so. Everything they do seems to be some corrupted form of that movie. Meh, its a good movie, but I dislike how people seem to have glorified its message.

Except they've targeted government as only a portion of their attacks. Unless Eve Online or The Escapist started oppressing people while I wasn't looking. Burn the world is much more accurate.

[johnny_7713]

Blaming the companies is just as much a form of vicitim-blaming. Its the hackers who decided to steal the information, and thus they are the ones who are morally responsible. The fact that better internet security practices would make it harder for hackers and are the best way of protecting yourself does not change that.
If I entrust a piece of jewellery to a bank and have them keep it in their vault and subsequently the bank is robbed and my jewels are stolen the responsibility lies neither with myself nor with the bank, but with the people who decided to rob the bank, which is why bank-robbery is a crime and 'failure to make your bank 100% unrobbable' is not.

Something doesn't have to be a crime for one to be responsible for it -- there's always civil court.

In the case of banks, if anything, the robber is responsible to the bank for having robbed it. The bank is responsible to the client for having security lax enough to allow it to be robbed.

If the bank didn't have any responsibility to the consumer regarding the safety of the money, we wouldn't need them -- we may as well all place our money into nice piles outside and expect no one to take it.

I agree that the bank has a responsibility to the consumer regarding it's safety procedures, however that doesn't change the fact that the moral blame for a hacking attack should be placed on the hackers, not on the company being hacked or the consumers, regardless of the (absence of) security measures.

I am arguing against that idea that has been voiced several times in this thread, that the hackers are not to blame in any way because the security measures taken by consumers and companies were insufficient*.

*Side note, when are security measures sufficient such that the blame shifts to the hacker?

[Rainsborough]

I'm getting a Joker vibe from all of this. "Some people just want to watch the world burn" and all that.

Generally speaking, its more of a "V" vibe. "People should not fear their governments --- Governments should fear the people".

Illogical distrust of the government because a movie said so. Everything they do seems to be some corrupted form of that movie. Meh, its a good movie, but I dislike how people seem to have glorified its message.

Except they've targeted government as only a portion of their attacks. Unless Eve Online or The Escapist started oppressing people while I wasn't looking. Burn the world is much more accurate.

I don't think either is really an accurate description as far as Lulzsec goes. Mistrust of those in power certainly pays a part in their mindset but I think they really are just in "for the lulz." I mean taking the EVE servers offline is just trolling on a massive scale, in fact most of their operations have been more cerebral versions of the Habbo Hotel raids, which I suppose fits in with them claiming to be the cream of /b/ circa 2005.

[Box Boy]

*Side note, when are security measures sufficient such that the blame shifts to the hacker?

The blame is always on the hacker, but the hackee also has their own separate blame for other things if they used crappy security measures. for example, sony isn't responsible for it being hacked, but it is responsible for not protecting sensitive user data sufficiently and the money lost by it's users as a result. (actually, has anyone so far actually lost money due to their psn account info being stolen? I'd like to see some numbers for that, if they exist)

Also, I always felt it pretty obvious lulzsec is claiming that the ones they hack are responsible as further trolling, and to get enough followers to start their antisec campaign properly.

[Internetmeme]

Ladies and gents, we are in the endgame here.
The gist of the above link is that it is a blog where a "team of web-ninjas" has dox'd every major member of LulzSec.
According to the blog, they reported that info to the FBI.

[Box Boy]

According to the blog, they reported that info to the FBI.

For once, I'm okay with this.

[sje46]

Ladies and gents, we are in the endgame here.
The gist of the above link is that it is a blog where a "team of web-ninjas" has dox'd every major member of LulzSec.
According to the blog, they reported that info to the FBI.

Lulzsec said that most of those people aren't part of lulzsec, but were simply active in the IRC channel (which I was, as well, in most of the time).

http://techland.time.com/2011/06/19/cyb ... c-members/

It may or not be end-game...I don't know how good Th3_J35t3R's information is (yeah, that blog-spot is owned by The Jester, the jingoistic pro-American hacker that DDoSed Wikileaks a few months back and took it down. A major douche.) It may be end-game. This may be lulzsec going out in a blaze of glory as it were.

A part of my mind is expecting all of this to be a false-flag attack...a cyber version of 9/11 as an excuse to regulate the Internet more. I'm worried...I don't know what will become of this.

[netcrusher88]

The Jester's a douchebag but LulzSec makes him look like a saint.

[Cheezwhiz Jenkins]

I don't understand their latest blog post, unless they're just being ridiculous. "U Jelly?" is...ummm...not a distinctive phrase. But if calling it one is meant sardonically, I don't understand the humor...

[Sizik]

"U jelly?" is short for "Are you jealous?".

[Cheezwhiz Jenkins]

I understand that. What I don't understand is the assertion that this meme is a unique phrase or that separate instances of its usage imply that the same person/entity is behind both.

[Rainsborough]

I understand that. What I don't understand is the assertion that this meme is a unique phrase or that separate instances of its usage imply that the same person/entity is behind both.

I think it ties in with their claim that they are the original /b/. The "cream of the crop." So they claim ownership over those memes that originated from 4chan around that mid noughties time.

[Babam]

I understand that. What I don't understand is the assertion that this meme is a unique phrase or that separate instances of its usage imply that the same person/entity is behind both.

I think it ties in with their claim that they are the original /b/. The "cream of the crop." So they claim ownership over those memes that originated from 4chan around that mid noughties time.

U jelly is from /sp/ 2009


They're just using memes.

[netcrusher88]

I understand that. What I don't understand is the assertion that this meme is a unique phrase or that separate instances of its usage imply that the same person/entity is behind both.

I think it ties in with their claim that they are the original /b/. The "cream of the crop." So they claim ownership over those memes that originated from 4chan around that mid noughties time.

U jelly is from /sp/ 2009


They're just using memes.

Rocketboom says c. 2010 even, and they're pretty good with that site.

If they were the original /b/ they'd be talking about teh rei and such. get off my lawn stupid little volunteer botnet zombies

[Ortus]

Yeah, I agree with most of that. In fact, had the person I was responding to come back with proper refutations to my argument, I would have brought this up. Having said that, negligence does play a role: ignorance can be forgiven, but within the past few years have been many profiled breaches of online security tossed about on the news. While serious fault can (read: not must) be said to lie at the instigators feet, companies with lax security almost demand the be breached in the eyes of a hacker. That would shift blame nicely from instigator to third-party entity.

Of course serious fault must be laid at the instigators feet. They are the ones who without duress chose to commit an act that is both morally wrong and criminal. Whether I should have a right to compensation from a company with lax security on grounds of their negligence does not change where the moral blame should be laid.

That wasn't my point; there is no must about any of it, morality is like that. When you see a man on the street shouting to high hell about the gays or the coloreds or <insert popular groupist target here>, demeaning a group of human beings with every word and not a hint of shame on that person's face, are you not almost bound to do something about it? If not speak up, then judge? I'm willing to lay stakes that poor website/server security is like that to a particular kind of hacker - the kind of hackers that LulzSec claims to be comprised of. They see and, for all intents and purposes, cannot resist making an example of it.

So in that, you're right: it is the instigating party here that the fault ultimately lie; but the instigating party would not be the hacker, in these terms, it would be the company whose server or website is being hacked - because they let something so fantastically simple to breach house important information that paying customers entrusted to be safe kept.