xkcd

[Dark567]

I am not arguing with either the open source model, or the fact that we shouldn't work toward making software more secure. I am a huge proponent of open source as secure software(fuck, its literally part of my job) and I completely agree with doing everything possible to make software more secure.

What I am arguing against is the idea that we can make software perfectly invulnerable to attack, or that lulsec has helped make software more secure in a constructive way.

[stevey_frac]

I have never said we can get perfectly secure software. I'm at a loss as to where you got that from... Unless you took my statement of 'There are finite bugs' and took it to mean 'We can plausibly find and patch them all'... ?

As for how lulzsec makes the software world more secure:

1) They use some known exploitable bug, and exploit stuff.
2) It goes on the news.
3) People get angry, investors get angry, IT directors get yelled at.
4) Stuff gets patched.
5) Systems are now more secure.
6) ???
7) Repeat.

[KnightExemplar]

I have never said we can get perfectly secure software. I'm at a loss as to where you got that from... Unless you took my statement of 'There are finite bugs' and took it to mean 'We can plausibly find and patch them all'... ?

As for how lulzsec makes the software world more secure:

1) They use some known exploitable bug, and exploit stuff.
2) It goes on the news.
3) People get angry, investors get angry, IT directors get yelled at.
4) Stuff gets patched.
5) Systems are now more secure.
6) ???
7) Repeat.

1) Thief steals from a house using a known technique (ie: Attack the house without an alarm)
2. It goes on the news / people in the neighborhood find out
3. People get angry. They buy alarm systems
4. Stuff gets patched
5. Systems are now more scure
6. ???
7. Repeat

I suggest we all do our best to make the world a safer place. Rob your neighbors, and practice pickpocketing. Rob people on the streets. The more people we educate with "tough love", the safer the world gets. </sarcasm>

(Now if you robbed them, and then gave back their stuff... that'd be more of a Gray hat thing. You accomplish the same damn thing without any damages. Or... in the case of hackers, don't release private information and don't cause any long-term damage to the reputation or work-process of the businesses. Hell, its easier for hackers, cause its easier to remain anonymous / hidden from the FBI if you don't release shit. If you release stuff online, you gotta proxy up that shit to hide yourself from the FBI. You honestly have to be sadistic to go through the trouble of proxying up to release damaging information for no good reason at all...)

You've already agreed with me that what they're doing is unethical and illegal. Why do you support them? You may prefer them over secret criminal hackers... but frankly, there is a difference between "support" and "preference". I can agree with you if you change your wording to "prefer" Lulzsec over hackers... but I will have to disagree with your "support" of Lulzsec.

After all, I prefer (and support) white-hat hackers (or even Gray-hats) who do their best to minimize public damage from their attacks. White-hats are awesome cause they make tons of money doing it too...

[aoeu]

1) Thief steals from a house using a known technique (ie: Attack the house without an alarm)

FTFY

[KnightExemplar]

1) Thief steals from a house using a known technique (ie: Attack the house without an alarm)

FTFY

Yes, my point was that 2 through 7 made no sense. Hence the sarcasm tag.

Its the human error that causes poor security practices. Its Sony failing to upgrade Apache, and failing to configure their Apache server to hide version information from the public. Its websites failing to use super-easy Google-Hacking to pen-test their web-applications for SQL Injection every revision. Spooking people into proper security just doesn't work...

[aoeu]

1) Thief steals from a house using a known technique (ie: Attack the house without an alarm)

FTFY

Yes, my point was that 2 through 7 made no sense. Hence the sarcasm tag.

Its the human error that causes poor security practices. Its Sony failing to upgrade Apache, and failing to configure their Apache server to hide version information from the public. Its websites failing to use super-easy Google-Hacking to pen-test their web-applications for SQL Injection every revision. Spooking people into proper security just doesn't work...

It's about the only thing that does work. Burglary just isn't news.

[stevey_frac]

1) Thief steals from a house using a known technique (ie: Attack the house without an alarm)
2. It goes on the news / people in the neighborhood find out
3. People get angry. They buy alarm systems
4. Stuff gets patched
5. Systems are now more scure
6. ???
7. Repeat

I suggest we all do our best to make the world a safer place. Rob your neighbors, and practice pickpocketing. Rob people on the streets. The more people we educate with "tough love", the safer the world gets. </sarcasm>

(Now if you robbed them, and then gave back their stuff... that'd be more of a Gray hat thing. You accomplish the same damn thing without any damages. Or... in the case of hackers, don't release private information and don't cause any long-term damage to the reputation or work-process of the businesses. Hell, its easier for hackers, cause its easier to remain anonymous / hidden from the FBI if you don't release shit. If you release stuff online, you gotta proxy up that shit to hide yourself from the FBI. You honestly have to be sadistic to go through the trouble of proxying up to release damaging information for no good reason at all...)

You've already agreed with me that what they're doing is unethical and illegal. Why do you support them? You may prefer them over secret criminal hackers... but frankly, there is a difference between "support" and "preference". I can agree with you if you change your wording to "prefer" Lulzsec over hackers... but I will have to disagree with your "support" of Lulzsec.

After all, I prefer (and support) white-hat hackers (or even Gray-hats) who do their best to minimize public damage from their attacks. White-hats are awesome cause they make tons of money doing it too...

This is totally a strawman. There is a big difference between the physical security of a common home, and web security of high value targets. The proper analogy is more like, someone is publicly storing the Mona Lisa behind an unlocked door off of a busy pedestrian thoroughfare. It's still illegal to steal it, but, you had better believe that after the Mona Lisa is recovered, that they will at the very least lock the door.

The point is, that Sony really should have known better. They had the tools. They had the people. They actively choose not properly lock down the customer data of hundreds of thousands of people. Someone showed them the error of their ways, in a publicly humiliating manner. It got fixed. I like it when people fix things.

Now, hopefully, other firms, and not just Sony, review their security policies, bring in a couple of Pen testers, and get their ducks in a row.

You can't deny that in the end, Sony, at the very least, is more secure today then it was before Lulzsec.

[Mordrorru]

Yeah. But how about just saying that the Mona Lisa is unsecure and genuinely trying to help them, rather than doing something that hurts and pisses off a lot of people that ultimately has the side-effect of making things more secure in the future?

[stevey_frac]

That's great in theory. So's communism. The problem comes when you tell them it's not secure, and they scoff, or just flat out ignore you. This is the case with many companies, who don't take security seriously until things get broken.

[Mordrorru]

Very true. But that's not something we should encourage or admire. I can admire Lulzsec for making companies up their security in the same that I can be glad that murdering people highlights the need for keeping yourself and your home secure. But there's no way I'm going to say, "I support murderers because at least they keep people from falling into carelessness. Otherwise people don't give a shit."

Yeah, it's true people genuinely don't give a shit unless there's an legitimate threat, but that's absolutely not a reason for us to actually support legitimate threats.

I'd rather live in a world where you don't need to lock your doors, than live in a world with the best locks. It's idealism, but that's what we should strive for, even if it's not obtainable. Rather than go the other way, and actively encourage and support conflict simply because we know we can't get rid of it.

[stevey_frac]

ahh, that's the thing. Lulzsec isn't the real threat. They aren't interested in doing the most damage. If they had, they wouldn't have published anything. They were in it for the lulz. The act of publishing the data minimizes the damage they can do, since companies can mine it, and quickly disable accounts and freeze credit cards.

The real that is when the chinese government does the same thing, and uses it yup find and execute dissidents, much like they have already tried with google. Lulzsec may have saved lives.

[KnightExemplar]

This is totally a strawman. There is a big difference between the physical security of a common home, and web security of high value targets. The proper analogy is more like, someone is publicly storing the Mona Lisa behind an unlocked door off of a busy pedestrian thoroughfare. It's still illegal to steal it, but, you had better believe that after the Mona Lisa is recovered, that they will at the very least lock the door.

The point is, that Sony really should have known better. They had the tools. They had the people. They actively choose not properly lock down the customer data of hundreds of thousands of people. Someone showed them the error of their ways, in a publicly humiliating manner. It got fixed. I like it when people fix things.

Now, hopefully, other firms, and not just Sony, review their security policies, bring in a couple of Pen testers, and get their ducks in a row.

You can't deny that in the end, Sony, at the very least, is more secure today then it was before Lulzsec.

Please, tell me. How do you "recover" the personal information of thousands of customers after a hack attack?

Lulzsec has caused irreversible damage to the community. Its the equivalent of stealing the Mona Lisa and then destroying it in your analogy. Sure, it will improve the security of paintings in the future, but it was accomplished by irreversible damage. BTW: Neither Lulzsec nor Anonymous claimed responsibility over the Sony Hack. Customer Information was not published... and it took a few weeks for Sony to even admit that it lost the customer database. So no, LulzSec did NOT improve the security of Sony.

Anyway, "fixing" the problem is like Team America. When your "fixing the problem" causes just as much damages as the terrorists, you're no longer "fixing the problem". You are "causing the problem".
http://www.youtube.com/watch?v=bBlnN7qVn_M#t=4m

We stopped the Terrorists!!

[Xeio]

ahh, that's the thing. Lulzsec isn't the real threat. They aren't interested in doing the most damage. If they had, they wouldn't have published anything. They were in it for the lulz. The act of publishing the data minimizes the damage they can do, since companies can mine it, and quickly disable accounts and freeze credit cards.

Well they sure as hell aren't interested in doing minimal damage, I mean, hey, it's not like limited disclosure is a thing.

Also, publishing user info is directly damaging to the users, there are numerous ways they can cause a stink without resorting to that.

So yes, they are a real threat to user security. Are they the only threat, or the worst threat? Probably not.

[stevey_frac]

Vaccines hurt a limited number of people. Even kill a few if they are allergic. But the net result is a positive.

The reason why disclosing the information isn't that big a deal is because, you cancel your credit card, you change your password, possibly in multiple places if you've reused it, and voila: You're good. There's your recovery of the Mona Lisa, in that overstretched analogy.

[Xeio]

And you wouldn't have to do any of those things at all if they didn't just release all your personal data and just disclosed the vulnerability to be fixed.

Also, this is hurting every one of the users to "help" the users, you're making a big assumption that the data would have been compromised anyway, so instead you compromise the data... to stop it from being compromised potentially in the future... Because I'm sure every user heard about the sony break and changed their passwords/credit cards in time. Nobody was a victim of fraud, right?

[stevey_frac]

I am assuming someone else could have done it, and thus, security has improved. Not just at Sony, but at all the companies that saw what happened, rang up their IT staff and said: Here's $50k, make sure that that doesn't happen to us.

[KnightExemplar]

Vaccines hurt a limited number of people. Even kill a few if they are allergic. But the net result is a positive.

Viruses hurt a limited number of people. They even kill a few if they are young / old. But the net result is a positive. Dying people is very good motivation for the doctors, and without that motivation, doctors would never make vaccines in the first place.

We continue to argue by analogy, I hope that I've demonstrated an understanding of your argument. I however don't fully believe you understand mine. But... thats why arguments by analogies are bad.

The reason why disclosing the information isn't that big a deal is because, you cancel your credit card, you change your password, possibly in multiple places if you've reused it, and voila: You're good. There's your recovery of the Mona Lisa, in that overstretched analogy.

I think it would be more appropriate if we both focused on this fact instead of the "argument by analogy". You seem to think that people were not harmed in these attacks, because they had the ability to cancel their credit cards? As Xeio has pointed out, your argument is faulty. It is trivial to prove that people were harmed by these hack attacks.

I am assuming someone else could have done it, and thus, security has improved. Not just at Sony, but at all the companies that saw what happened, rang up their IT staff and said: Here's $50k, make sure that that doesn't happen to us.

I'm assuming that a white-hat could have done it, and thus, damages could have been minimized. Mind you, I am not doubting that security has "improved" from the situation... I'm saying it could have been improved without inflicting damages upon the population.

[stevey_frac]

In the end, I guess my argument is somewhat Machiavellian. The end justifies the means. I'm not denying that there was not damage done. I'm saying, in the end, it was worth it.

It wasn't just what was done, but the manner how it was done. They did it for the lulz. To watch the world burn. We got to watch as they beat some of the most powerful organizations in the world into the ground, with no ulterior motive, other than to show they could.

Plus, myself, and members of the security community grabbed some popcorn, and sat down to watch the show. We watched as stuff that should have been pinned down got horribly, horribly broken. Over and over again. And I'm willing to bet that at least for a couple of years... this will drive security audits, and pen testing to a new level, something that many have been advocating for a long time.

[KnightExemplar]

While I find your optimism commendable, I don't really think its a "useful" way of looking at things. Everything works towards the greater good eventually IMO, so I'd prefer to hold people up to a higher standard.

I can't say that you're "wrong" for holding that viewpoint, but its not a viewpoint that I can take on for myself.

[Velict]

The Neo sunglasses were a nice touch.

[plumcandy]

they want to start another hacking game. ah...

[PhoenixEnigma]

Bumping as we probably don't need a thread for every Anonymous/Lulzsec/etc story out there, but this one was rather interesting - Anonymous leaks conference call on Anonymous.

As mentioned in the comments, I think the interesting part of this story has less to do with Anonymous, and more with the FBI being compromised in such a way. Of all the scenarios I can come up with, this is one of the most innocuous for such incursions - a nation with dedicated resources could probably pull off something similar, and that's quite concerning, particularly as I'd expect this group to be more aware of 'cyber-threats'* than, say, a room full of economic policy makers.

EDIT: And this was in the "other news" thread. Ought to check the fora for my news before the actual news sites, I suppose

*I hate cyber- with a passion. Can we get a better prefix?

[Aikanaro]

Digital threats? Online threats? Data? Network? Islamohactivism?

Or, to be honest.....trolling?

[sje46]

Bumping as we probably don't need a thread for every Anonymous/Lulzsec/etc story out there, but this one was rather interesting - Anonymous leaks conference call on Anonymous.

As mentioned in the comments, I think the interesting part of this story has less to do with Anonymous, and more with the FBI being compromised in such a way. Of all the scenarios I can come up with, this is one of the most innocuous for such incursions - a nation with dedicated resources could probably pull off something similar, and that's quite concerning, particularly as I'd expect this group to be more aware of 'cyber-threats'* than, say, a room full of economic policy makers.

EDIT: And this was in the "other news" thread. Ought to check the fora for my news before the actual news sites, I suppose

*I hate cyber- with a passion. Can we get a better prefix?

Didn't Assange say that it's shocking just how poorly the FBI secures it's private communications? Apparently this leak happened because they just sent the audio as an attachment via email to the whole office.

[Triangle_Man]

Digital threats? Online threats? Data? Network? Islamohactivism?

Or, to be honest.....trolling?

Probably some twisted combination of everything you just listed...

[vodka.cobra]

UPDATE: Allegedly, the rest of the Lulzsec members have been arrested.

http://content.usatoday.com/communities/ondeadline/post/2012/03/top-members-of-hacking-group-lulzsec-arrested/1

[Bharrata]

It appears that it was never reported in this thread, but a little while back the FBI got the Lulzsec "head" to turn into an "informant".

http://news.yahoo.com/fbi-says-lulzsec-hacker-kingpin-informant-150748397.html

The Federal Bureau of Investigation says that they've identified and arrested all of the key members of the now defunct hacktivist group LulzSec thanks to the clandestine cooperation of the group's chief who told many of Anonymous's secrets. According to Fox News' sources, the hacker that goes by the handle Sabu -- a.k.a. Hector Xavier Monsegur, an unemployed father of two living in New York City -- has been feeding the Feds information since they unmasked him last summer. But those familiar with the hacker ways will know that doxing (that's hackerspeak for exposing one's true identity) can be a very complex game, and this is hardly the first time that someone's claimed to identify Sabu or other LulzSec leader.

However, it kind of throws into doubt the whole "elite hacker" thing and if Lulzsec was ever that smart to begin with when their supposed head was talking about it on his twitter and getting other member's personal info...while posting about this kind of thing on his twitter.

http://www.foxnews.com/scitech/2012/03/06/hacking-group-lulzsec-swept-up-by-law-enforcement/

Sabu and his FBI handlers also disseminated false information to the public and hacker community—often through Twitter, sometimes through unsuspecting reporters who thought they’d landed an online interview with the notorious hacker. Their correspondence was sometimes directly with agents. More often it was with Sabu acting on strict guidance from the agents sitting with him, reading his every word.

“About 90 percent of what you see online is bulls---,” said one of Monsegur’s handlers, referring to the Twitter posts from Sabu’s account and “interviews” he’s given to the press on direction from the FBI as part of their disinformation campaign.

With Sabu’s help, the FBI learned the identities of other LulzSec members, gathered evidence and records from private chatrooms used by the elite hackers to plan and discuss their cyber attacks, and found out about planned hacks in time to minimize or prevent damage without blowing their star witness’ cover.

When the CIA found itself under siege from LulzSec hackers, Sabu stepped in. With his underlings launching so-called DDoS attacks -- denial of service cyberattacks that basically flood a website with traffic to overwhelm it -- the CIA’s public website was threatened.

“We told Sabu to tell them to stop,” an official said. “‘It’s embarrassing for the CIA,’ we told Sabu, ‘Make them stop, now.’”

Sabu sent out the order: “You’re knocking over a bee’s nest,” he warned his associates. “Stop.”

They did.

The example showed the power of the alienated young father who used his brilliant mind to wreak economic havoc around the world from the least likely computer command center until the feds unmasked him. Afforded cult-leader status by his fellow hackers, Monsegur evoked both respect and envy.

Someone pinch me so I can wake up from this mid-tier noir flick.

[KnightExemplar]

Somewhat relevant: http://www.pcworld.com/article/229597/1 ... _says.html

It has been reported that 1/4 of hackers are FBI informants. Adrian Lamo (who snitched on Bradley Manning) and now Sabu have proven to be informants. I'm still surprised that all of Lulzsec was captured however. I would have thought that Lulzsec was smarter than this. With so many hackers being FBI informants (and plus, its common knowledge that they are...), you're not really supposed to trust even your fellow hackers.

[Bharrata]

The FBI seem to be taking the 1984 approach of using plants or compromised hackers to rein in other hackers.

This would probably be better posted in Computer Science but there was a debate about computer/web security itt, so it's relevant.


What are people's thoughts on this idea/lecture?

The Science of Insecurity

and their website if you want the idea without the hour lecture: http://www.cs.dartmouth.edu/~sergey/langsec/

Doable, even if not market practicable?

[KnightExemplar]

The FBI seem to be taking the 1984 approach of using plants or compromised hackers to rein in other hackers.

This would probably be better posted in Computer Science but there was a debate about computer/web security itt, so it's relevant.


What are people's thoughts on this idea/lecture?

The Science of Insecurity

and their website if you want the idea without the hour lecture: http://www.cs.dartmouth.edu/~sergey/langsec/

Doable, even if not market practicable?

This lecture attacks only a small subset of bugs / exploits. As she coughs "ASN.1"... she has a point. A lot of exploits are aimed at protocols and languages. Especially excessively complicated languages like ASN.1, or HTML (aka: XSS attacks)

On the other hand, it doesn't cover all exploits. A directory traversal for instance happens on a language that is defined to be a regular language. (the simplest and easiest language to parse and recognize). So even restricting inputs to simple languages isn't going to help you... unless you fully understand the size and scope of your language.

I think its a good lecture to understand these sorts of things... however, it doesn't really present a real solution to the problem.

[vodka.cobra]

Somewhat relevant: http://www.pcworld.com/article/229597/1 ... _says.html

It has been reported that 1/4 of hackers are FBI informants. Adrian Lamo (who snitched on Bradley Manning) and now Sabu have proven to be informants. I'm still surprised that all of Lulzsec was captured however. I would have thought that Lulzsec was smarter than this. With so many hackers being FBI informants (and plus, its common knowledge that they are...), you're not really supposed to trust even your fellow hackers.

LulzSec was not started by old school hackers. (Their age alone proves this!) They weren't there when the LoD was raided by the FBI, for instance. You can't say "I would have thought that Lulzsec was smarter than this," when intelligence wasn't the issue, experience was.

Someone isn't stupid for not having experienced the hardship necessary to know. Someone is stupid for having experienced it and still not known.