Yakk wrote:The question the thought experiment I posted is aimed at answering: When falling in a black hole, do you see the entire universe's future history train-car into your ass, or not?
stevey_frac wrote:I have never said we can get perfectly secure software. I'm at a loss as to where you got that from... Unless you took my statement of 'There are finite bugs' and took it to mean 'We can plausibly find and patch them all'... ?
As for how lulzsec makes the software world more secure:
1) They use some known exploitable bug, and exploit stuff.
2) It goes on the news.
3) People get angry, investors get angry, IT directors get yelled at.
4) Stuff gets patched.
5) Systems are now more secure.
aoeu wrote:KnightExemplar wrote:1) Thief steals from a house using a known technique (ie: Attack the house without an alarm)
KnightExemplar wrote:aoeu wrote:KnightExemplar wrote:1) Thief steals from a house using a known technique (ie: Attack the house without an alarm)
Yes, my point was that 2 through 7 made no sense. Hence the sarcasm tag.
It's the human error that causes poor security practices. It's Sony failing to upgrade Apache, and failing to configure their Apache server to hide version information from the public. It's websites failing to use super-easy Google-Hacking to pen-test their web applications for SQL injection every revision. Spooking people into proper security just doesn't work...
1) Thief steals from a house using a known technique (ie: Attack the house without an alarm)
2) It goes on the news / people in the neighborhood find out
3) People get angry. They buy alarm systems
4) Stuff gets patched
5) Systems are now more secure
I suggest we all do our best to make the world a safer place. Rob your neighbors, and practice pickpocketing. Rob people on the streets. The more people we educate with "tough love", the safer the world gets. </sarcasm>
(Now if you robbed them, and then gave back their stuff... that'd be more of a Gray hat thing. You accomplish the same damn thing without any damages. Or... in the case of hackers, don't release private information and don't cause any long-term damage to the reputation or work-process of the businesses. Hell, it's easier for hackers, because it's easier to remain anonymous / hidden from the FBI if you don't release shit. If you release stuff online, you gotta proxy up that shit to hide yourself from the FBI. You honestly have to be sadistic to go through the trouble of proxying up to release damaging information for no good reason at all...)
You've already agreed with me that what they're doing is unethical and illegal. Why do you support them? You may prefer them over secret criminal hackers... but frankly, there is a difference between "support" and "preference". I can agree with you if you change your wording to "prefer" Lulzsec over hackers... but I will have to disagree with your "support" of Lulzsec.
After all, I prefer (and support) white-hat hackers (or even Gray-hats) who do their best to minimize public damage from their attacks. White-hats are awesome because they make tons of money doing it too...
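The post above mentions two concrete failures: leaving Apache unpatched and leaving it configured to advertise its version. As an added example (not code from the original thread or from any poster), here is a small Python checker that parses raw HTTP response headers and flags product/version disclosure in the `Server` and `X-Powered-By` headers. The sample responses are constructed for the example, not captured from any real host; the Apache directives quoted in the block (`ServerTokens Prod`, `ServerSignature Off`) are the standard ones for suppressing the banner.

```python
"""Flag product/version disclosure in HTTP response headers.

Added example. The SAMPLE_RESPONSES below are constructed for this
illustration; they are not captured from any real server.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample responses: one leaky server, one with the banner
# suppressed. In practice you would feed this the raw bytes of a real reply.
SAMPLE_RESPONSES = {
    "leaky": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2\r\n"
        "X-Powered-By: PHP/5.3.2\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html></html>"
    ),
    "hardened": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html></html>"
    ),
}

# Apache directives that suppress the banner (httpd.conf / apache2.conf).
# Apache does not allow trailing comments on a directive line, so the
# explanations sit on their own lines.
APACHE_HARDENING = """\
# Send "Server: Apache" instead of product/version/module list.
ServerTokens Prod
# Do not append the version footer to Apache-generated error pages.
ServerSignature Off
"""

# Matches "Product/1.2.3" tokens such as "Apache/2.2.14" or "PHP/5.3.2".
VERSION_RE = re.compile(r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)+)")


@dataclass
class DisclosureReport:
    products: List[Tuple[str, str]] = field(default_factory=list)
    powered_by: Optional[str] = None
    leaks: bool = False


def parse_headers(raw: str) -> Dict[str, str]:
    """Return response headers as a dict with lowercased names.

    Only the head section (before the first blank line) is parsed; the
    status line is skipped. Duplicate names keep the last value.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_response(raw: str) -> DisclosureReport:
    """Report every product/version pair the server volunteers.

    A bare product name ("Server: Apache") is not treated as a leak; a
    version string or any X-Powered-By header is.
    """
    headers = parse_headers(raw)
    products = VERSION_RE.findall(headers.get("server", ""))
    powered_by = headers.get("x-powered-by")
    return DisclosureReport(
        products=products,
        powered_by=powered_by,
        leaks=bool(products) or powered_by is not None,
    )


if __name__ == "__main__":
    for label, raw in SAMPLE_RESPONSES.items():
        report = audit_response(raw)
        print(f"{label}: leaks={report.leaks} products={report.products} "
              f"powered_by={report.powered_by}")
    print(APACHE_HARDENING)
```

Suppressing the banner only removes the free hint; an attacker fingerprinting the server by behaviour still finds an old Apache, so the patch level is what actually matters, as the post's first point says.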
stevey_frac wrote:This is totally a strawman. There is a big difference between the physical security of a common home, and web security of high value targets. The proper analogy is more like, someone is publicly storing the Mona Lisa behind an unlocked door off of a busy pedestrian thoroughfare. It's still illegal to steal it, but, you had better believe that after the Mona Lisa is recovered, that they will at the very least lock the door.
The point is, that Sony really should have known better. They had the tools. They had the people. They actively chose not to properly lock down the customer data of hundreds of thousands of people. Someone showed them the error of their ways, in a publicly humiliating manner. It got fixed. I like it when people fix things.
Now, hopefully, other firms, and not just Sony, review their security policies, bring in a couple of Pen testers, and get their ducks in a row.
You can't deny that in the end, Sony, at the very least, is more secure today than it was before Lulzsec.
Well they sure as hell aren't interested in doing minimal damage, I mean, hey, it's not like limited disclosure is a thing.
stevey_frac wrote:ahh, that's the thing. Lulzsec isn't the real threat. They aren't interested in doing the most damage. If they had, they wouldn't have published anything. They were in it for the lulz. The act of publishing the data minimizes the damage they can do, since companies can mine it, and quickly disable accounts and freeze credit cards.
stevey_frac wrote:Vaccines hurt a limited number of people. Even kill a few if they are allergic. But the net result is a positive.
The reason why disclosing the information isn't that big a deal is because, you cancel your credit card, you change your password, possibly in multiple places if you've reused it, and voila: You're good. There's your recovery of the Mona Lisa, in that overstretched analogy.
I am assuming someone else could have done it, and thus, security has improved. Not just at Sony, but at all the companies that saw what happened, rang up their IT staff and said: Here's $50k, make sure that that doesn't happen to us.
Shivahn wrote:I am a motherfucking sorceror.
PhoenixEnigma wrote:Bumping as we probably don't need a thread for every Anonymous/Lulzsec/etc story out there, but this one was rather interesting - Anonymous leaks conference call on Anonymous.
As mentioned in the comments, I think the interesting part of this story has less to do with Anonymous, and more with the FBI being compromised in such a way. Of all the scenarios I can come up with, this is one of the most innocuous for such incursions - a nation with dedicated resources could probably pull off something similar, and that's quite concerning, particularly as I'd expect this group to be more aware of 'cyber-threats'* than, say, a room full of economic policy makers.
EDIT: And this was in the "other news" thread. Ought to check the fora for my news before the actual news sites, I suppose.
*I hate cyber- with a passion. Can we get a better prefix?
Aikanaro wrote:Digital threats? Online threats? Data? Network? Islamohactivism?
Or, to be honest.....trolling?
The Mighty Thesaurus wrote:My moral system allows me to bitch slap you for typing that.
The Federal Bureau of Investigation says that they've identified and arrested all of the key members of the now defunct hacktivist group LulzSec thanks to the clandestine cooperation of the group's chief who told many of Anonymous's secrets. According to Fox News' sources, the hacker that goes by the handle Sabu -- a.k.a. Hector Xavier Monsegur, an unemployed father of two living in New York City -- has been feeding the Feds information since they unmasked him last summer. But those familiar with the hacker ways will know that doxing (that's hackerspeak for exposing one's true identity) can be a very complex game, and this is hardly the first time that someone's claimed to identify Sabu or other LulzSec leaders.
Sabu and his FBI handlers also disseminated false information to the public and hacker community—often through Twitter, sometimes through unsuspecting reporters who thought they’d landed an online interview with the notorious hacker. Their correspondence was sometimes directly with agents. More often it was with Sabu acting on strict guidance from the agents sitting with him, reading his every word.
“About 90 percent of what you see online is bulls---,” said one of Monsegur’s handlers, referring to the Twitter posts from Sabu’s account and “interviews” he’s given to the press on direction from the FBI as part of their disinformation campaign.
With Sabu’s help, the FBI learned the identities of other LulzSec members, gathered evidence and records from private chatrooms used by the elite hackers to plan and discuss their cyber attacks, and found out about planned hacks in time to minimize or prevent damage without blowing their star witness’ cover.
When the CIA found itself under siege from LulzSec hackers, Sabu stepped in. With his underlings launching so-called DDoS attacks -- denial of service cyberattacks that basically flood a website with traffic to overwhelm it -- the CIA’s public website was threatened.
“We told Sabu to tell them to stop,” an official said. “‘It’s embarrassing for the CIA,’ we told Sabu, ‘Make them stop, now.’”
Sabu sent out the order: “You’re knocking over a bee’s nest,” he warned his associates. “Stop.”
The example showed the power of the alienated young father who used his brilliant mind to wreak economic havoc around the world from the least likely computer command center until the feds unmasked him. Afforded cult-leader status by his fellow hackers, Monsegur evoked both respect and envy.
Bharrata wrote:The FBI seem to be taking the 1984 approach of using plants or compromised hackers to rein in other hackers.
This would probably be better posted in Computer Science but there was a debate about computer/web security itt, so it's relevant.
What are people's thoughts on this idea/lecture?
The Science of Insecurity
and their website if you want the idea without the hour lecture: http://www.cs.dartmouth.edu/~sergey/langsec/
Doable, even if not market practicable?
KnightExemplar wrote:Somewhat relevant: http://www.pcworld.com/article/229597/1 ... _says.html
It has been reported that 1/4 of hackers are FBI informants. Adrian Lamo (who snitched on Bradley Manning) and now Sabu have proven to be informants. I'm still surprised that all of Lulzsec was captured however. I would have thought that Lulzsec was smarter than this. With so many hackers being FBI informants (and plus, it's common knowledge that they are...), you're not really supposed to trust even your fellow hackers.