Linked by Thom Holwerda on Fri 17th Jun 2011 18:49 UTC
Privacy, Security, Encryption Oh boy, what do we make of this? We haven't paid that much attention to the whole thing as of yet, but with a recent public statement on why they do what they do, I think it's about time to address this thing. Yes, Lulz Security, the hacking group (or whatever they are) that's been causing quite a bit of amok on the web lately.
High profile criminal behavior
by umccullough on Fri 17th Jun 2011 18:57 UTC
umccullough
Member since:
2006-01-26

They're basically demonstrating that crime occurs every day, probably without anyone even realizing it...

They're showing just how easily it occurs by publicizing the results from sites that others would have assumed were difficult to hack.

There are two sides to this criminal behavior, however - the despicable people who seek to obtain and abuse this information, and the corporations and IT industry that pretend that they're building "secure" solutions, and convince their superiors and customers that they have done their job properly to begin with.

Reply Score: 5

RE: High profile criminal behavior
by hackus on Sat 18th Jun 2011 02:07 UTC in reply to "High profile criminal behavior"
hackus Member since:
2006-06-28

LuLz has no credo, and even Anonymous fears them because they represent Anarchy.

Anonymous is only feared by those who think they are above the law and immune to justice, which is just about every government on the planet.

-Hack

Reply Score: 2

Laurence Member since:
2007-03-26

LuLz has no credo, and even Anonymous fears them because they represent Anarchy.

...and you know this how?

Reply Score: 4

Bah
by Soulbender on Fri 17th Jun 2011 19:00 UTC
Soulbender
Member since:
2005-08-18

What a crock. "We do it for fun". Right.
It's all about the recognition baby.
http://www.ranum.com/security/computer_security/editorials/disclosu...

Most of you reading this love the idea of wrecking someone else's online experience anonymously.


No, not really. Most people grew out of that phase after puberty.

And that's all there is to it, that's what appeals to our Internet generation.

I'm really happy I'm not part of the segment of that generation these guys represent.

Let's call these guys what they are, immature assholes with zero ethics who are looking to make a name for themselves.

Edited 2011-06-17 19:06 UTC

Reply Score: 6

RE: Bah
by umccullough on Fri 17th Jun 2011 19:10 UTC in reply to "Bah"
umccullough Member since:
2006-01-26

Let's call these guys what they are, immature assholes with zero ethics who are looking to make a name for themselves.


But they can't actually reveal who they really are, lest they end up in prison... so it's kind of pointless, no?

How do you make a name for yourself if nobody knows who you are? ;)

Reply Score: 2

RE[2]: Bah
by jptros on Fri 17th Jun 2011 19:21 UTC in reply to "RE: Bah"
jptros Member since:
2005-08-26

They are indeed making a name for themselves. LulzSec is ringing across the internet, even in main stream news sites. Just because we don't know their real names doesn't mean squat. I don't know the real names of people affiliated with lots of well known organizations, doesn't mean jack.

Reply Score: 3

RE[2]: Bah
by Soulbender on Fri 17th Jun 2011 19:22 UTC in reply to "RE: Bah"
Soulbender Member since:
2005-08-18

Making a name for yourself does not necessarily mean people know who you really are.
Then there's these idiotic companies who think it's a good idea to hire these kind of guys as "security" experts. I mean, come on, a loser like Kevin Mitnick gets fame and fortune and well paying consultancy jobs these days.

Reply Score: 3

RE[3]: Bah - mitnick
by jabbotts on Sat 18th Jun 2011 16:57 UTC in reply to "RE[2]: Bah"
jabbotts Member since:
2007-09-06

How much do you know about the Mitnick case? It had a lot more to do with excessive force of law and inflated charges than justice or what Mr Mitnick actually did wrong. Not to say he was innocent, but he was not nearly as guilty as made out to be. I mean, "could whistle into a phone and cause nuclear missile launches".. and the court believed this claim. "caused millions of dollars in damages".. never did show any evidence of that one.

The crimes he did commit appear to be for personal knowledge rather than for publicity and disregard of any third parties hurt in the process.

By contrast, lulzsec is showing blatant disregard for innocent third parties harmed in the process. They are indeed seeking publicity. They could expose passwords without usernames. They could expose partial names and partial passwords. They could expose vulnerability details without the trophy necklace of ears. They could even demonstrate responsible disclosure to the organization first as they have apparently done in a few of the cases (US dept of health?).

Since Mr Mitnick's release, there is no evidence of illegal activity. Indeed, he started his own consulting company and helps organizations improve their information security. He's even abstained from perfectly legal events to stay on the right side of the law.

What Mr Mitnick did and has done since is very different from what Lulzsec is doing currently.

If you're open to hearing what actually happened:

http://www.thelasthope.org/media/audio/64kbps/Featured_Speaker_-_Ke...

Reply Score: 2

RE[4]: Bah - mitnick
by Soulbender on Sun 19th Jun 2011 19:10 UTC in reply to "RE[3]: Bah - mitnick"
Soulbender Member since:
2005-08-18

True, LulzSec is much worse than Mitnick ever was.

Reply Score: 2

RE: Bah
by No it isnt on Fri 17th Jun 2011 19:59 UTC in reply to "Bah"
No it isnt Member since:
2005-11-14

It's a bit silly to attribute intentions to people you know absolutely nothing about. In fact, it tells a lot more about you than about LulzSec.

Reply Score: 3

RE[2]: Bah
by Soulbender on Fri 17th Jun 2011 20:01 UTC in reply to "RE: Bah"
Soulbender Member since:
2005-08-18

Perhaps, but not nearly as silly (and childish) as ruining other people's online experience and causing them pain just "for the fun of it".

Reply Score: 3

RE[3]: Bah
by No it isnt on Fri 17th Jun 2011 20:12 UTC in reply to "RE[2]: Bah"
No it isnt Member since:
2005-11-14

I'm sure LulzSec can use the same argument, pointing to RIAA/MPAA/the gubmint.

My point is, however, not that your judgement is morally wrong, just that it contains no insight.

Reply Score: 3

RE[4]: Bah
by Laurence on Sat 18th Jun 2011 01:10 UTC in reply to "RE[3]: Bah"
Laurence Member since:
2007-03-26


My point is, however, not that your judgement is morally wrong, just that it contains no insight.

I think he's right though and I also think we do have an insight through reasonable deduction.

We might not know directly, but we understand how DDoS attacks work and what they're normally used for (generally blackmailing - pay us or we'll take your site down).

We further know that these sites were not attacked in protest (Sony being the only exception) nor for blackmail. So that actually doesn't leave many motives.

We also know that LulzSec like to publicly advertise the fact that they were behind the attacks. If you were doing it just for a laugh, then you wouldn't necessarily want to draw excessive attention to yourself.

In fact we know that LulzSec love actively flaunting themselves in the media. From posting stolen personal details on a public site through to having the audacity to set up a telephone hot line, this sort of behaviour is intentionally antagonistic. They are deliberately provoking a reaction from people.

So yes, you are right that we don't /know/ their motives, but it's more than a reasonable deduction that a major incentive is global recognition.


If I had to speculate, I'd also say they were all kids / young adults too - with no-one in the group over the age of 25 and the majority still in their teens. However that /is/ complete guess work based on next to no insight.

Edited 2011-06-18 01:20 UTC

Reply Score: 3

RE[4]: Bah
by Soulbender on Sat 18th Jun 2011 05:15 UTC in reply to "RE[3]: Bah"
Soulbender Member since:
2005-08-18

I'm sure LulzSec can use the same argument, pointing to RIAA/MPAA/the gubmint.


Really now. Is the gubmint running around stealing data?

My point is, however, not that your judgement is morally wrong, just that it contains no insight.


You want insight?
We need to stop idolizing this kind of behaviour. They're not "tech wizards" or "security geniuses". They're petty criminals hiding behind the comfort of their computer screen, which conveniently prevents them from actually ever interacting with their victims. Think it's hard to hack into a system and find a single flaw? That's a walk in the park. Try building systems and defenses that can't be broken into, THAT is hard and no it doesn't require hacking skills. It does however require understanding of good engineering and security practices but the industry is more interested in the whizbang gadget of the week that will magically solve all your problems or paying "hackers" to "pen test" their systems. Like Marcus Ranum I too wish it was considered cool to properly design your systems and defenses but as long as media is the way it is I doubt that'll happen. Being the "whiz kid" of the week will always be more cool even if the whiz don't really know jack.

Edited 2011-06-18 05:18 UTC

Reply Score: 2

RE[5]: Bah
by Alfman on Sat 18th Jun 2011 06:07 UTC in reply to "RE[4]: Bah"
Alfman Member since:
2011-01-28

Soulbender,

"We need to stop idolizing this kind of behaviour. They're not 'tech wizards' or 'security geniuses'."

To be fair, they could be those things, even if we disagree with their judgment.

"Think it's hard to hack into a system and find a single flaw? That's a walk in the park. Try building systems and defenses that can't be broken into, THAT is hard and no it doesn't require hacking skills."

Having hacking skills sure helps though. I'm not sure why someone would think otherwise?


"It does however require understanding of good engineering and security practices but the industry is more interested in the whizbang gadget of the week that will magically solve all your problems or paying 'hackers' to 'pen test' their systems."

You're trying to make a distinction between the skill sets being used for good and bad, but I'm not sure such a distinction can be made.

A university might have a course about computer vulnerabilities and network penetration, but effectively educating students about preventing attacks implies giving them insight into how attacks are executed. The same knowledge which helps foil attacks can be used to maliciously forge attacks.

Maybe they could only teach students to use the attack prevention tools without teaching them the theory behind attacks, however I'd have less confidence in these students being able to do the job of keeping the infrastructure secure - too much can slip by them.

Of course I'm not arguing the attacks are right, but it seems silly to understate their abilities.

If anything, these are skilled people who are probably under-appreciated when using their skills productively, and have turned to an underground culture where they can be appreciated.


I don't have to agree with their choices in order to understand them.

Reply Score: 5

RE[6]: Bah
by Soulbender on Sun 19th Jun 2011 18:15 UTC in reply to "RE[5]: Bah"
Soulbender Member since:
2005-08-18

To be fair, they could be those things, even if we disagree with their judgment.


True but unlikely.

Having hacking skills sure helps though. I'm not sure why someone would think otherwise?


Ranum explains this much better than I ever could:
http://ranum.com/security/computer_security/editorials/skillsets/in...

If anything, these are skilled people who are probably under-appreciated when using their skills productively, and have turned to an underground culture where they can be appreciated.


That's a really lame excuse and it just confirms that these people are indeed assholes.

Reply Score: 2

RE[5]: Bah - hacking skills
by jabbotts on Sat 18th Jun 2011 17:13 UTC in reply to "RE[4]: Bah"
jabbotts Member since:
2007-09-06

I agree that it's far harder to build and manage secure systems than to find and exploit a single path into them. I might suggest though that if the person developing the system is not themselves a hacker or employing hackers they are being negligent in their duties.

Hacking and hackers are not inherently criminal; it is a set of skills applied to any topic of interest and in the majority of cases, applied in a perfectly legal manner. In terms of security hackers who work within the law, they should be considered a natural resource. They should be employed to design and test systems. If you are not employing hackers on your own sys admin team and/or having third party pentests done by hackers how can you possibly claim that you've designed and hardened your systems in any kind of responsible manner?

Heck, if you're federally employed, FISMA makes it a legal obligation to be responsible and prove your systems secure through proactive testing. (which does bring into question these federal systems that are broken into so easily, let alone older cases of widespread use of default passwords and similar stupidity.)

Not contracting people who now have a criminal record; that's fair. There are lots of law abiding hackers out there to hire or contract.

Reply Score: 2

Proactive testing
by Lennie on Sun 19th Jun 2011 09:09 UTC in reply to "RE[5]: Bah - hacking skills"
Lennie Member since:
2007-09-22

Proactive testing is just proactive testing, it doesn't say anything about the security of a system.

It just says it isn't vulnerable to the attacks it was tested against. However a large part of that testing is done automated with tooling in the production environment so people are careful with how they test.

So even if the tool found a problem like a SQL-injection, the tool or user of the tool might not even have noticed it.

No, pentesting and so on is to find the most obvious problems.

Just look at a recent bank website security problem: when an id in the URL was changed, people could get into the accounts of other people.

I'm very certain banks do those previously mentioned security checks.

If you want real security, there is only one solution: have a 3rd party look at the code. All the code.

Reply Score: 2
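The bank problem described in the post above is an insecure direct object reference: the lookup trusts the id in the URL and never checks who is asking. The following is an added example, not code from the thread or from any bank; the account table and user names are constructed. It shows the vulnerable lookup beside the hardened one, and a regression check of the kind a proactive test cycle would run so the flaw is noticed rather than silently passed over:

```python
"""Constructed example: an insecure direct object reference (IDOR) on an
account lookup, beside the hardened version that binds the lookup to the
authenticated user. All data here is made up."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Account:
    account_id: int
    owner: str
    balance_cents: int


# Constructed sample data standing in for a bank's account table.
ACCOUNTS = {
    1001: Account(1001, "alice", 250_00),
    1002: Account(1002, "bob", 9_999_00),
}


def get_account_vulnerable(session_user: str, account_id: int) -> Optional[Account]:
    """Returns whatever id the URL carries; the session user is ignored.
    Changing ?id=1001 to ?id=1002 hands back someone else's account."""
    return ACCOUNTS.get(account_id)


def get_account_hardened(session_user: str, account_id: int) -> Optional[Account]:
    """Authorization check: the record is returned only if the authenticated
    user owns it. Non-existent and not-owned ids both return None, so the
    response does not reveal which ids exist."""
    account = ACCOUNTS.get(account_id)
    if account is None or account.owner != session_user:
        return None
    return account


def idor_regression_check(handler: Callable[[str, int], Optional[Account]]) -> bool:
    """Proactive test: request every account as each user who does not own
    it and confirm nothing comes back. True means the handler passes."""
    users = {a.owner for a in ACCOUNTS.values()}
    for account in ACCOUNTS.values():
        for user in users - {account.owner}:
            if handler(user, account.account_id) is not None:
                return False
    return True


if __name__ == "__main__":
    print("vulnerable handler passes:", idor_regression_check(get_account_vulnerable))
    print("hardened handler passes:", idor_regression_check(get_account_hardened))
```

The regression check belongs in the test suite so that the fix is verified on every build rather than once; that is the "pentest, harden, verify" loop in miniature, and it is exactly the check an automated scanner cannot write for you because it needs to know which user is supposed to own which record.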

RE: Proactive testing - depends on the test
by jabbotts on Sun 19th Jun 2011 12:16 UTC in reply to "Proactive testing"
jabbotts Member since:
2007-09-06


Proactive testing is just proactive testing, it doesn't say anything about the security of a system.


You think it's better to wait for a malicious third party to test your systems for you? Proactive testing can, at minimum, give you an indication of your system's effective security posture. Properly done, it includes addressing discovered issues and retesting to discover new ones. That would be the "proactive" part of it. If proactive testing is not saying anything about your system's security, you need to fix your testing methodology.

Automated testing is also very much a part of proactive testing. I'd say it's like the relationship between signature and heuristics based AV; the signatures to catch the recognizable stuff and the heuristics to catch what is not recognizable. The automated vuln assessment tools for the signatures they recognize followed up by a skilled manual vuln assessment with the creativity and flexibility of a skilled human.


So even if the tool found a problem like a SQL-injection, the tool or user of the tool might not even have noticed it.


Bingo. "might not even have noticed it". If your admin or auditor is a Hacker they will indeed notice it though. They will be looking for it. They are self directed learners who think in terms of "hm.. what can I do with this beyond its intended purpose?" by default.


No, pentesting and so on is to find the most obvious problems.


Vulnerability assessment says "someone could possibly open that door if left unlocked." Pentesting says "That door is indeed unlocked, here is what one is able to do in the room behind it if you don't lock the door." A vulnerability assessment is a list of potential problems one should address. A pentest provides that list along with confirmation that they are exploitable and evidence as to why you should fix them.

If all you tasked your internal team with or contracted a third party for is a single way into the system then sure. You put that limitation on them in the first place though. You're designing your test to fail. Limiting scope of testing, ordering a pentest when what you wanted was a vulnerability assessment or ordering a vulnerability assessment when what you wanted was a pentest are all great ways to ensure failure.

You could alternatively contract the third party to find all the ways in they can, what they can do once in and ways they are able to maintain access during time permitted.

With an internal pentest team, you can run a proper testing cycle; pentest, harden, verify, pentest, harden, verify. Now you're not just finding a single vulnerability and calling it a day.

If your test is only to find the most obvious problems and you're not repeating the test cycle to find your next most obvious problems, you're doing it wrong.


I'm very certain banks do those previously mentioned security checks.


And, that's exactly the problem. You are very certain your bank is doing the proactive testing; do you know for sure that they actually are though?

Everyone was certain Sony, a huge tech company, knew how to manage its servers and networks. How did that work out? Lack of network filtering, servers left without latest updates (or even remotely recent updates), customer data stored unencrypted. These are things any competent pentest would have identified. Any responsible company, having those identified, would have addressed them promptly.

Everyone was certain that having over a hundred million PSN and SOE customers' private information exposed would convince them to address discovered issues and check for similar issues across all other company systems. Everyone was certain that Sony's PR claims that they have addressed security issues meant they had actually implemented changes. How did all that work out for Sony when the next week the same weaknesses were exposed in other systems?

Everyone was certain Facebook knew how to implement its software securely. Facebook must be testing its systems continually, right? So what of passing authentication tokens in URLs, which has left every facebook user open to exploit since 2007? (that one was discovered around May of this year, 2011).

And financial companies; banks and such. They must be doing the previously mentioned security checks; Heartland Payment Systems, 2009, 40 million accounts exposed.

Banks are in the business of making money. They are notorious for "minimizing expenses" any way they can get away with it. "we'll spend the money to fix that if it proves to be a problem" is the mainstay. If it's cheaper to live with the losses instead of fix the problem; they're going to continue living with the losses.

I wish the market success of a company was an indication of its responsible management of secure systems; it's not. More often, it's the opposite.

Let's toss out another example for fun. RSA; the security company. When governments, military and billion dollar companies need security they go to RSA. RSA's SecurID database has been compromised. Everyone who uses SecurID for authentication is screwed. RSA has actually said "uh.. make sure you are using strong passwords for your second of the two part authentication because the SecurID part of it isn't stopping anyone."

But how could this happen? We were all certain that RSA would be doing testing. It was a spear phishing email. How are automated vulnerability assessment tools and peer code review going to identify the need for staff training against social engineering attacks?

The string of successful company breaches resulting from the SecurID breach is ongoing and affecting such sensitive information as new weapon designs copied from government contractors.


If you want real security, there is only one solution: have a 3rd party look at the code. All the code.


That, like automated testing, is very much a part of it. Peer review can do a lot to remove bugs from software. It's not the one magic cure solution on its own though.

Consider some of the vulnerabilities in Windows which exist because the code is correct. Intentional functions like DLL relative paths. Peer review and automated code audits were not going to find that problem because the code was implemented as intended. Discovering and demonstrating that vulnerability took human creativity thinking beyond the software design document. It took someone testing the system after source code was compiled into a running binary.

Automated code auditing to find recognizable bugs in your source code.

Peer review to find bugs the automated audit tool missed.

Automated vulnerability assessment to find recognized weak points in your system's security.

Manual vulnerability assessment to find weaknesses missed by the automated tools.

Reply Score: 2
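The post above lists automated auditing as one layer and cites authentication tokens carried in URLs as a weakness that sat unnoticed for years. A token in a query string ends up in server access logs, proxy logs, browser history and Referer headers, so one cheap automated layer is a log scan that flags such requests. The scanner below is an added example, not code from the thread or from any of the companies named; the log lines are constructed and the parameter-name list is an assumption a real deployment would tune.

```python
"""Added example: scan web access logs for credential-like values carried in
the URL query string, and report them with the secret redacted so the report
itself does not become another copy of the token. Log lines are constructed."""
import re
from urllib.parse import parse_qsl, urlsplit

# Query parameter names that commonly carry bearer credentials (assumed list).
SENSITIVE_PARAMS = {
    "token", "access_token", "auth", "session", "sessionid",
    "sid", "api_key", "apikey", "password",
}

# Minimal matcher for the common/combined access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)


def redact(value: str) -> str:
    """Keep a short prefix for correlating findings, never the whole secret."""
    return value[:4] + "..." if len(value) > 4 else "..."


def scan_line(line: str):
    """Return a list of (ip, path, param, redacted_value) for every sensitive
    parameter with a non-empty value in the request URL; [] if none."""
    m = LOG_RE.match(line)
    if not m:
        return []  # not a request line we understand; skip rather than guess
    parts = urlsplit(m.group("url"))
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS and value:
            findings.append((m.group("ip"), parts.path, name, redact(value)))
    return findings


def scan_log(lines):
    """Run scan_line over an iterable of log lines and collect all findings."""
    out = []
    for line in lines:
        out.extend(scan_line(line))
    return out


# Constructed sample log: one benign request, one token in the query string,
# one POST with no query, and one request with a sid plus an empty token.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Jun/2011:10:00:01 +0000] "GET /profile?id=42 HTTP/1.1" 200 512',
    '203.0.113.5 - - [19/Jun/2011:10:00:02 +0000] '
    '"GET /api/photos?access_token=abcdef123456&album=7 HTTP/1.1" 200 2048',
    '198.51.100.9 - - [19/Jun/2011:10:00:03 +0000] "POST /login HTTP/1.1" 302 0',
    '198.51.100.9 - - [19/Jun/2011:10:00:04 +0000] "GET /share?sid=zz99&token= HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print("credential in URL:", finding)
```

A hit from this scan is a design defect to fix (move the credential to a header or cookie with appropriate flags), not a rule to add; the scan only confirms the class of bug the comment describes is present, which is the signature-style layer of the review, with the manual review still needed for the cases the list does not name.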

RE[6]: Bah - hacking skills
by Soulbender on Sun 19th Jun 2011 18:09 UTC in reply to "RE[5]: Bah - hacking skills"
Soulbender Member since:
2005-08-18

I might suggest though that if the person developing the system is not themselves a hacker or employing hackers they are being negligent in their duties.


So banks should be employing thieves when they design their bank vaults? Having a general idea about how hacking works is useful, yes, but specific knowledge is worthless for this purpose.

Heck, if you're federally employed, FISMA makes it a legal obligation to be responsible and prove your systems secure through proactive testing


Unfortunately this makes your system "better" by trial and error, not by design.

There are lots of law abiding hackers out there to hire or contract.


Obviously I'm not referring to those and also not referring to hackers who hack on code rather than break into systems.

Reply Score: 2

RE[7]: Bah - Hackers are not criminals
by jabbotts on Sun 19th Jun 2011 19:40 UTC in reply to "RE[6]: Bah - hacking skills"
jabbotts Member since:
2007-09-06


So banks should be employing thieves when they design their bank vaults? Having a general idea about how hacking works is useful, yes, but specific knowledge is worthless for this purpose.


Let's get the confusion out of the way first. The majority of Hackers are in fact law abiding folks. It's a mental approach to solving problems; a skill set, creativity and curiosity. It is not an indication of ethics or morality. While some folks use hacking skills to break the law, the majority do not.

Hacking is not even inherently computer security or computer related. Law abiding hackers are seen in all areas of interest. Hams; radio hackers. Gearheads; car hackers. Audiophiles; stereo hackers. The US authors of the constitution; political hackers. Builders; physical hackers. Computer Case Modders; case hackers. Researchers who find and responsibly report software bugs; usually software and security hackers. The folks who wrote most of that FOSS software you use daily; software hackers. It's simply a creative curiosity and need to learn applied to any topic of interest and usually resulting in finding ways to use a thing beyond how it was intended.

If what you mean is "someone who breaks the law" then the word you are looking for is "criminal" not "Hacker". A criminal using methods previously discovered by hackers does not make the criminal a hacker any more than using the directions to assemble Ikea furniture makes one a master carpenter.

Now, on to your points.

Should a bank hire thieves to design bank vaults? I'd say it's up to the business management to decide. There are a few ex-cons who now work as contractors testing bank security. I've seen interviews with at least one who specializes in vault security. There are also many physical security hackers (ie. penetration testers) who've never broken the law; the bank may consider hiring one of them instead.

Having a general idea about how a break in occurs helps but it's really not the same as someone with the hacker mind and permission actually breaking in and going "here's how I got in, here's what I could do once in."


Unfortunately this makes your system "better" by trial and error, not by design.


It's not done in a vacuum. You design a secure system and let the guys on your team with the Hacker mind think of ways the system could fail. You update your specs. Once you actually implement the test system you let the Hacker minds try to break it, then address how it fails. You repeat this in testing until satisfied that it's reasonable for production use. You then regularly test the production system or a lab duplicate of it to see what new ways it fails, which you then address.

Why do you suggest that it's one or the other? Why do you suggest that "design" is inherently superior and need never be tested?


Obviously I'm not referring to those and also not referring to hackers who hack on code rather than break into systems.


Obviously the word you should be using then is "criminals". And, if you did indeed recognize the difference, why did you open this last comment with asking if banks should be hiring criminals to design bank vaults? Was there something to be gained by sensationalizing your comments by referring to "teh 3vi1z hax0rz3z"?

If you did indeed recognize the difference then my first comment stands; how do you know your system is indeed secure if you've never let it be tested by hackers? If you haven't any hackers on your admin or info sec teams then obviously you have room to improve simply by addressing your current lack of creative "outside the box" self motivated staff.

Reply Score: 3

RE[7]: Bah - hacking skills
by Alfman on Mon 20th Jun 2011 02:30 UTC in reply to "RE[6]: Bah - hacking skills"
Alfman Member since:
2011-01-28

"[jabbotts] I might suggest though that if the person developing the system is not themselves a hacker or employing hackers they are being negligent in their duties."


Soulbender,

"So banks should be employing thieves when they design their bank vaults? Having a general idea about how hacking works is useful, yes, but specific knowledge is worthless for this purpose."

Wait, how did you get from someone being a hacker to that person being a thief? Or any sort of criminal for that matter? Many hackers are in professional occupations and there is nothing unethical about it.

I think maybe there's cross talking going on due to a difference in the definition of "hacker" - yours seems to imply a criminal element, but many hackers don't consider themselves criminals (and nor does the law for that matter).


"True but unlikely."

Can you elaborate?


"That's a really lame excuse and it just confirms that these people are indeed assholes."

Maybe they are assholes, but they're still skilled ones.

"Is that like being a law abiding bank robber?"

No, not at all the same thing. Robbing banks implies a criminal element, hacking does not.


"Would probably help if the term 'hacker' wasn't so ambiguous. Are we talking about hackers who write code or hackers who (try to) break into systems? Two different beasts, same term."


Security hackers can break into their own systems, do you agree that it's neither illegal nor immoral? They can hack into third party systems with permission, same deal there, right? It's not the skill of hacking which is evil, it's the intent.

Of course, it may be unwise to hire a hacker who's previously demonstrated skill but has also shown malicious intent. However this doesn't describe the majority of hackers, most of whom just hack their own systems to learn about security.

The only reason we hear about all these "evil hackers" is because they're the ones which catch headlines, the good hackers don't get any attention - it's unfair but that's the media for you.

Edit - I guess this is already the conclusion on this thread, so I didn't need to post. Oh well.

Edited 2011-06-20 02:45 UTC

Reply Score: 2

RE[6]: Bah - hacking skills
by Soulbender on Sun 19th Jun 2011 19:18 UTC in reply to "RE[5]: Bah - hacking skills"
Soulbender Member since:
2005-08-18

There are lots of law abiding hackers out there to hire or contract.


Is that like being a law abiding bank robber?

Would probably help if the term "hacker" wasn't so ambiguous. Are we talking about hackers who write code or hackers who (try to) break into systems? Two different beasts, same term.

Reply Score: 2

RE[7]: Bah - hacking skills
by jabbotts on Sun 19th Jun 2011 19:58 UTC in reply to "RE[6]: Bah - hacking skills"
jabbotts Member since:
2007-09-06

I think my meaning in my original post was quite clear in referring to law abiding Hackers not crackers or criminals. Are you just trying to be cute by intentionally misreading what I wrote to mean criminals just because I talked about Hackers and system security?

And really, how can you claim your sys-admin or infosec team is at its best if you haven't at least one member who can think outside the box, find creative solutions, try the unexpected and take a detail oriented enthusiast's interest in developing and implementing a solution?

My point stands; if you're responsible for system management and security, you should be hiring Hackers, not nine to five folks looking only for a pay cheque with no real interest in the job topic outside of work hours. You want the type of person who will go home, duplicate wifi settings using their own router, break into it, then report back on how easy/hard it was and how your business system can be improved. You want people who spend all day managing and fixing your systems then go home and play with their own systems for the pure joy of developing skills and learning down to the smallest details (aka. Hackers).

Reply Score: 3

RE[2]: Bah
by Bill Shooter of Bul on Fri 17th Jun 2011 21:11 UTC in reply to "RE: Bah"
Bill Shooter of Bul Member since:
2006-07-14

It's a bit silly to attribute intentions to people you know absolutely nothing about. In fact, it tells a lot more about you than about LulzSec.


It's about as silly as saying bankers care about money.

Reply Score: 2

RE: Bah
by WereCatf on Fri 17th Jun 2011 20:27 UTC in reply to "Bah"
WereCatf Member since:
2006-02-15

"Most of you reading this love the idea of wrecking someone else's online experience anonymously.


No, not really. Most people grew out of that phase after puberty.
"

I've actually never wanted to do that, even _during_ the puberty. Other than that, I agree with you and I'll be sure to cheer every time a LulzSec member gets caught.

Reply Score: 2

RE: Bah
by Doc Pain on Fri 17th Jun 2011 21:17 UTC in reply to "Bah"
Doc Pain Member since:
2006-10-08

What a crock. "We do it for fun". Right.


Still, they remind Internet participants of what security is: It's not a static state, it's an active process. Why do they harm people (or at least support others doing that with the information they publish)? Because that's the only way people actually learn, especially in relation to the Internet.

Because people love car analogies, here's one: Imagine you've been driving too fast. A half year after that event you get a letter from a penalty court that states you have done something wrong, and should pay an (acceptably small) amount of money. But you may appeal to that decision. Lesson learned: none. Now imagine that right after driving too fast, the car gets confiscated and you are prohibited to drive another car. Lesson learned immediately: Driving too fast is bad. :-)

(Apply the same scheme of cause and reaction for youth criminality, tax fraud or other kinds of crime and antisocial behaviour.)

LulzSec makes people aware of what actively maintaining security means. And they address all those who are involved in it, implicitly:

On one hand, there are the "big ones": Governments, companies, industry, content providers, service providers and so on. This is the group that always says: "We do provide a secure <whatever>." This statement is discovered to be a lie.

On the other hand, there are the "small ones": The users. They don't claim anything about how secure they use the Internet. In fact, they don't even care for security on the Internet. One may assume that they don't value their data. But that's not true: They are just not aware of the facts - the facts that "villains" who gain access to their data can do harm to them.

Both "societies" are made aware that it's worth paying attention to security and keep actively working on it. Anything else is just futile.

Just imagine the "big ones" were telling the truth when stating that they are "secure", and the "small ones" were protecting their precious data. Would LulzSec have a chance "entering the stage" with what they've done? Surely not.

Most people grew out of that phase after puberty.


Although I do not appreciate what LulzSec did, I may mention that they are in fact aware of the importance of security. This is a state one should never grow out of, but sadly, many (even adult) individuals never actually entered that state.

Basically, it's not that bad making people aware of the dangers present in relation to the Internet, even though the choice of means and the further results cannot be interpreted all positively (at least not by me). Still, the fact keeps standing: People only learn when they suffer. And learning is required for the necessary change of behaviour.

I'm really happy I'm not part of the segment of that generation these guys represent.


Hopefully you're also not part of their "target audience". :-)

Let's call these guys what they are: immature assholes with zero ethics who are looking to make a name for themselves.


As I mentioned above, making people aware of present dangers that are traditionally denied or ignored... well, I would not call that "zero ethics", although their means are definitely highly debatable.

Reply Score: 7

RE[2]: Bah
by Soulbender on Fri 17th Jun 2011 21:22 UTC in reply to "RE: Bah"
Soulbender Member since:
2005-08-18

Although I do not appreciate what LulzSec did, I may mention that they are in fact aware of the importance of security


Yeah, but that's like saying thieves remind us about the importance of home security. I'm not going to go out and thank the guy for breaking in and stealing my stuff.

Hopefully you're also not part of their "target audience". :-)


I don't care if I am. Bring it on, bitches ;)

Reply Score: 2

RE[3]: Bah
by Doc Pain on Fri 17th Jun 2011 21:44 UTC in reply to "RE[2]: Bah"
Doc Pain Member since:
2006-10-08

"Although I do not appreciate what LulzSec did, I may mention that they are in fact aware of the importance of security


Yeah, but that's like saying thieves remind us about the importance of home security. I'm not going to go out and thank the guy for breaking in and stealing my stuff.
"

Good comparison. Although the individual thieves do not deserve any positive statement about what they do, their pure existence reminds us to maintain home security properly. On the other hand... if they did not exist, there would be no need for such security efforts. But in general, people aren't honest. Especially in regard to Internet relations, where big companies and small criminals want to profit from you and your data, one should be aware of the pure fact that the Internet is full of evildoers who just seek a chance to do harm to others, traditionally for profit. Doing it "for fun" doesn't make the situation better, but it may be interpreted as a "less criminal motivation", given that LulzSec's goal is to wake up people, as they do not profit from their actions themselves (as opposed to the "real criminals").

In the situation discussed, LulzSec isn't the thief per se. They just provide keys for your home (as you are "hiding" them right in front of your door). Then others take those secondary keys and come to steal your things. :-)

Edited 2011-06-17 21:50 UTC

Reply Score: 3

RE[4]: Bah
by Soulbender on Fri 17th Jun 2011 21:47 UTC in reply to "RE[3]: Bah"
Soulbender Member since:
2005-08-18

given that LulzSec's goal is to wake up people, as they do not profit from their actions themselves (in opposite to the "real criminals").


But that's not their goal. It is, at best and if you believe them, to have fun. More likely the goal is to gain fame and recognition at the expense of others.
Not exactly gallant, that.

Reply Score: 2

RE[5]: Bah
by Doc Pain on Fri 17th Jun 2011 23:04 UTC in reply to "RE[4]: Bah"
Doc Pain Member since:
2006-10-08

"given that LulzSec's goal is to wake up people, as they do not profit from their actions themselves (in opposite to the "real criminals").


But that's not their goal.
"

Maybe I did use the wrong word. It's the effect, the possible result of their actions.

Users had a hard time learning to treat passwords like underwear, and they are constantly told to do so from one side, while the other side just says that "everything is 100 percent secure", leading to the assumption that it's not worth caring about anything. And this attitude has developed into the mainstream state of mind for many Internet users. And as I said, it's not just the users, it's also the media and service providers who feel safe in their imaginary world of "everything being secure", exactly until this world is shaken, and as I also said, doing harm seems to be the only way to achieve that. Only if people lose money (as this is the means to identify who they are and what they are "worth" in many societies), followers of LulzSec use the results of the hacking, although primarily for their own benefit (instead of educating others).

It is, at best and if you believe them, to have fun.


I admit that I have a problem seeing the fun in that - if you want to understand fun as more than just pointing with a finger and saying "ha ha".

More likely the goal is to gain fame and recognition at the expense of others.


Well, I basically think so too. But still it's worth mentioning that many "famous names" have been gained at the expense of others, in the widest context.

Reply Score: 3

Next Target: OSnews
by pantheraleo on Fri 17th Jun 2011 19:39 UTC
pantheraleo
Member since:
2007-03-07

Why? Because you wrote about them, and because they can.

Reply Score: 1

v The same Tom?
by Berend de Boer on Fri 17th Jun 2011 19:43 UTC
RE: The same Tom?
by Thom_Holwerda on Fri 17th Jun 2011 19:46 UTC in reply to "The same Tom?"
Thom_Holwerda Member since:
2005-06-29

First, learn to spell my name.

Second, you might want to re-read the quoted statement. I'll quote it for you with some clarifying emphasis.

"It is in governments' natures to control where it is not needed, to regulate what doesn't need regulating, and to bureaucratise that which is efficient."

Edited 2011-06-17 19:48 UTC

Reply Score: 2

RE[2]: The same Thom?
by Berend de Boer on Fri 17th Jun 2011 19:54 UTC in reply to "RE: The same Tom?"
Berend de Boer Member since:
2005-10-19

Sorry Thom, learning.

Ah, the right regulation is in the eye of the beholder!

I was afraid so.

Reply Score: 0

RE[3]: The same Thom?
by Thom_Holwerda on Fri 17th Jun 2011 20:07 UTC in reply to "RE[2]: The same Thom?"
Thom_Holwerda Member since:
2005-06-29

Ah, the right regulation is in the eye of the beholder!


Of course it is. Everything is. Unlike you, I don't seem to have a one-minded attitude. You apply regulation where it makes sense. Your attitude seems to be that regulation is always bad, and you seem to possess some sort of eternal everlasting faith in the free market.

Which is just as silly as believing in communism. Both are ideals that do not take human nature into account. Since humans are by definition self-centred pricks, they will abuse both a free market as well as a communist system. That's just the cold and harsh reality of this world.

And the reality I live in. Sometimes, regulation is necessary, as was clearly the case with net neutrality. Without it, the three telecommunications companies we have would unite, impose the same pricing system upon all of us (as was clearly hinted at by all three carriers), and erect even higher barriers to entry for newcomers (i.e., anti-interoperability measures), and we would've been in deep shit. Now, you might say - yeah well in a free market they shouldn't be allowed to do such things! That should be illegal!

That should be - dare I say - regulated?

The free market is an idealist dreamworld. It doesn't exist, and it will never exist. The sooner you realise that, the better.

Reply Score: 5

RE[4]: The same Thom?
by Berend de Boer on Fri 17th Jun 2011 20:24 UTC in reply to "RE[3]: The same Thom?"
Berend de Boer Member since:
2005-10-19

Come on Thom, your regulation just outlawed some private companies. I'm sure the big ISPs will thank you for that.

Even if you had to pay a few $$ more for your voip, would that have been the end of the world?

Now you have given the state the power to regulate the internet. This is simply the start.

And yes, I believe that free people in a free market will come up with mutually compatible solutions. Trusting politicians and regulations, which always have unintended consequences, to outperform the free market is believing Cuba is a paradise. If you can regulate perfectness, which is what you must believe to believe regulation will help, it would have been done in Cuba.

Reply Score: 0

RE[5]: The same Thom?
by Thom_Holwerda on Fri 17th Jun 2011 20:25 UTC in reply to "RE[4]: The same Thom?"
Thom_Holwerda Member since:
2005-06-29

Okay then. Give me an example of an unregulated market.

Reply Score: 1

RE[6]: The same Thom?
by umccullough on Fri 17th Jun 2011 20:34 UTC in reply to "RE[5]: The same Thom?"
umccullough Member since:
2006-01-26

Okay then. Give me an example of an unregulated market.


Bitcoin?

I dunno actually, but it's been in the news a lot, so I had to say it ;)

Reply Score: 2

RE[6]: The same Thom?
by Berend de Boer on Fri 17th Jun 2011 20:37 UTC in reply to "RE[5]: The same Thom?"
Berend de Boer Member since:
2005-10-19

The internet used to be unregulated Thom. You even didn't have to pay sales tax on the internet. It's still mostly unregulated. But it won't be for long.

May I just point out that the most regulated markets, the financial markets, are in the deepest crisis?

Reply Score: 1

RE[7]: The same Thom?
by Thom_Holwerda on Fri 17th Jun 2011 20:48 UTC in reply to "RE[6]: The same Thom?"
Thom_Holwerda Member since:
2005-06-29

May I just point out that the most regulated markets, the financial markets, are in the deepest crisis?


May I point out that the financial crisis was caused by people who abused their freedom at the expense of us ordinary folk?

Reply Score: 5

RE[7]: The same Thom?
by tylerdurden on Sat 18th Jun 2011 00:42 UTC in reply to "RE[6]: The same Thom?"
tylerdurden Member since:
2009-03-17


May I just point out that the most regulated markets, the financial markets, are in the deepest crisis?


You mean like the billions (or maybe trillions) in unregulated derivatives at the heart of the current economic crisis?

Edited 2011-06-18 00:43 UTC

Reply Score: 5

RE[6]: The same Thom?
by Bill Shooter of Bul on Fri 17th Jun 2011 21:14 UTC in reply to "RE[5]: The same Thom?"
Bill Shooter of Bul Member since:
2006-07-14

Somalia. No regulations there. A pirate's paradise, I hear.

Reply Score: 3

RE[7]: The same Thom?
by Berend de Boer on Fri 17th Jun 2011 21:22 UTC in reply to "RE[6]: The same Thom?"
Berend de Boer Member since:
2005-10-19

Governments have a monopoly on force. That's the difference between anarchy and a country with the rule of law.

Maybe that clears things up?

Really, you think the free market should decide if you can kill someone????? That is what the free market is about?

The free market is about non-coercive interactions between free people. Government regulation adds coercion here, forbidding certain interactions, outlawing certain firms (which the Dutch government just did, they outlawed "Klicksafe", probably Amazon's Whispernet, and probably more), and creating monopolies (remember Telecom companies used to be government monopolies).

Reply Score: 1

RE[4]: The same Thom?
by WorknMan on Fri 17th Jun 2011 21:18 UTC in reply to "RE[3]: The same Thom?"
WorknMan Member since:
2005-11-13

Of course it is. Everything is. Unlike you, I don't seem to have a one-minded attitude. You apply regulation where it makes sense. Your attitude seems to be that regulation is always bad, and you seem to possess some sort of eternal everlasting faith in the free market.

Which is just as silly as believing in communism. Both are ideals that do not take human nature into account. Since humans are by definition self-centred pricks, they will abuse both a free market as well as a communist system. That's just the cold and harsh reality of this world.


Yeah, humans are by definition self-centered pricks.... except for the ones that run government. Those humans are all saints ;)

Reply Score: 4

RE[5]: The same Thom?
by Berend de Boer on Fri 17th Jun 2011 21:26 UTC in reply to "RE[4]: The same Thom?"
Berend de Boer Member since:
2005-10-19

Ah yes. They would never, never ever, send lewd pictures of themselves to young girls. They would never open up themselves for blackmail. They would never be beholden to lobbyists.

Reply Score: 1

RE[4]: The same Thom?
by kedwards on Sat 18th Jun 2011 15:29 UTC in reply to "RE[3]: The same Thom?"
kedwards Member since:
2009-04-25


Of course it is. Everything is. Unlike you, I don't seem to have a one-minded attitude. You apply regulation where it makes sense. Your attitude seems to be that regulation is always bad, and you seem to possess some sort of eternal everlasting faith in the free market.

Which is just as silly as believing in communism. Both are ideals that do not take human nature into account. Since humans are by definition self-centred pricks, they will abuse both a free market as well as a communist system. That's just the cold and harsh reality of this world.

And the reality I live in. Sometimes, regulation is necessary, as was clearly the case with net neutrality. Without it, the three telecommunications companies we have would unite, impose the same pricing system upon all of us (as was clearly hinted at by all three carriers), and erect even higher barriers to entry for newcomers (i.e., anti-interoperability measures), and we would've been in deep shit. Now, you might say - yeah well in a free market they shouldn't be allowed to do such things! That should be illegal!

That should be - dare I say - regulated?

The free market is an idealist dreamworld. It doesn't exist, and it will never exist. The sooner you realise that, the better.


Great post, while I may disagree with you on net neutrality, your post summed up human nature perfectly. Your post reminded me of a video I saw on youtube a year ago.

http://www.youtube.com/watch?v=RWsx1X8PV_A

Reply Score: 1

RE[4]: The same Thom?
by spudley99 on Mon 20th Jun 2011 12:25 UTC in reply to "RE[3]: The same Thom?"
spudley99 Member since:
2009-03-25

...Since humans are by definition self-centred pricks, they will abuse both a free market as well as a communist system. That's just the cold and harsh reality of this world.


Hmm.. I would consider that to be a bit over-cynical.

I'd say a more accurate way of putting it would be that there is a proportion of humanity who are self-centred pricks and who will abuse whatever system is in place.

The trouble is that this proportion, while a minority, are the ones who end up in charge, and able to screw everyone else.

In fact, if everyone was a power hungry self-centred prick, systems like the free market which play on these attributes may actually work a lot better than they do.

Reply Score: 1

RE[5]: The same Thom?
by Alfman on Mon 20th Jun 2011 15:49 UTC in reply to "RE[4]: The same Thom?"
Alfman Member since:
2011-01-28

spudley99,


"I'd say a more accurate way of putting it would be that there is a proportion of humanity who are self-centred pricks and who will abuse whatever system is in place.

The trouble is that this proportion, while a minority, are the ones who end up in charge, and able to screw everyone else.

In fact, if everyone was a power hungry self-centred prick, systems like the free market which play on these attributes may actually work a lot better than they do."

Wow, this is extremely insightful.

I've always believed that humanity could do far better for itself if only we'd work together more and ceased using resources actively fighting each other over power/wealth.

At the extreme, we could theoretically automate most of the work humans do today, such that food/shelter/clothing could be provided without human workers. We might only need to work a day/week to pay for extra amenities, with the rest of the time used for leisure/arts/learning/whatever.

Theoretically, there's nothing stopping us from achieving this type of civilization. However, this presupposes that humanity can overcome greed, which maybe it cannot.

Reply Score: 2

RE[4]: The same Thom?
by sgtrock on Mon 20th Jun 2011 15:33 UTC in reply to "RE[3]: The same Thom?"
sgtrock Member since:
2011-05-13

"Which is just as silly as believing in communism. Both are ideals that do not take human nature into account. Since humans are by definition self-centred pricks, they will abuse both a free market as well as a communist system. That's just the cold and harsh reality of this world."

If you modify that statement to,

"Since a small handful of humans are self-centered pricks that will abuse any idealistic system, we have to recognise that there must be safeguards in place to protect the rest of us. That's just the cold and harsh reality of this world."

I would agree with you 100%. :-)

Reply Score: 1

RE[4]: The same Thom?
by redshift on Tue 21st Jun 2011 13:56 UTC in reply to "RE[3]: The same Thom?"
redshift Member since:
2006-05-06

Very nicely put, Thom. Human nature tends to destroy ideals.

Reply Score: 1

RE: The same Tom?
by Lennie on Sun 19th Jun 2011 09:11 UTC in reply to "The same Tom?"
Lennie Member since:
2007-09-22

Do you mean Solcon can not do filtering anymore? Even though the users want them to do so? That would be a mistake in the law.

That would also have been a mistake by Solcon as they should have contacted their party or other parties representatives to put an exception in the law. It was very clear that such a law was gonna be created.

The solution to their problems is to start a separate filtering business.

The ISP can't filter, but they can have a separate business that puts in filtering at the ISP level, whereby the ISP resells the filtering service to the users and bills them accordingly (they just need to make 2 items on their bill).

Edited 2011-06-19 09:24 UTC

Reply Score: 2

Comment by orestes
by orestes on Fri 17th Jun 2011 20:05 UTC
orestes
Member since:
2005-07-06

Assuming LulzSec isn't in fact a false flag effort, which isn't nearly as outlandish as I wish it were, I'm going to find it incredibly entertaining when the three letter agencies they're bear baiting decide to swat them like the cockroaches they are.

Reply Score: 4

governments will love lulzsec
by reduz on Fri 17th Jun 2011 21:10 UTC
reduz
Member since:
2006-02-25

lulzsec is a great reason for governments to push more wiretapping laws, which will in the end not change anything because most of these people are either overseas or connecting through proxies or owned machines overseas..

Reply Score: 2

Berend de Boer Member since:
2005-10-19

You are exactly right. Thom screamed when he had to pay $2 more for VOIP services.

A lot more voters will scream when their email addresses are released. A great excuse for more regulation.

Remember: if it moves tax it. If it keeps moving, regulate it, and if it stops moving subsidise it (we would call that bailout these days).

Reply Score: 0

Thom_Holwerda Member since:
2005-06-29

Thom screamed when he had to pay $2 more for VOIP services.


You're starting to work on my nerves here.

It's not about the money. It's about letting private corporations control what I can access, and how I can access it. It's about a private entity peeking into my traffic and looking at my data to find out what I'm doing. That is scary. I don't give one flying fcuk about paying extra - I give a flying fcuk about private entities violating my constitution-given right to privacy.

And please, don't start about your fictional free market again, and about how if the people want it a new carrier could come up. This is simply unrealistic. The barrier to entry is simply too high, and in your completely unregulated market the three carriers would band together even more than they already do to block out any possible newcomers, and to ensure that customers can't easily switch to the new carrier (by blocking number transfer, for instance, or by simply not even allowing calls to and from the new carrier in the first place). That would all be allowed in your dreamworld!

At least I can actually vote on politicians if they screw up. In your free market dreamworld, the three carrier cartel would make it impossible for me to make any choice to vote with my wallet.

Reply Score: 4

Come on
by Ultimatebadass on Fri 17th Jun 2011 22:36 UTC
Ultimatebadass
Member since:
2006-01-08

"EVE Online (well, finally some action in that spreadsheet of a 'game')"

Internet Spaceships is serious business(TM)! ;)

PS. I play it too, against my better judgement...

Reply Score: 2

Comment by allanregistos
by allanregistos on Sat 18th Jun 2011 01:28 UTC
allanregistos
Member since:
2011-02-10

As much as I think Lulz need to be brought to justice, I at least commend the group for their honesty. "This is the Internet, where we screw each other over for a jolt of satisfaction. There are peons and lulz lizards; trolls and victims. There's losers that post shit they think matters, and other losers telling them their shit does not matter," the group ends their statements, "In this situation, we are both of these parties, because we're fully aware that every single person that reached this final sentence just wasted a few moments of their time."

By releasing personal information to the public, they already ruin that so-called "honesty". Hence by saying that the internet is such a harsh environment, they do their own harsh thing and contribute even the worst and feed those robbers with other people's personal information.

Thom, it is like lulz was giving someone the gun and lulz doesn't care if that someone will point the gun to you, and the worst nightmare that it did. How can you commend the group for honesty?

Reply Score: 1

RE: Comment by allanregistos
by sorpigal on Mon 20th Jun 2011 15:01 UTC in reply to "Comment by allanregistos"
sorpigal Member since:
2005-11-02

I don't see any contradiction. They are not hypocritical and are quite forthright about what they do and why. That the result is quite negative does not make them any less honest. There is no attempt to lie or deceive, merely an attempt to harm.

Here's to the bad ones, the miscreants, and the honest thieves. It's better to embrace and admit who you are than to deny it.

Reply Score: 2

They just do it for the lulz!
by Nagilum on Sat 18th Jun 2011 06:31 UTC
Nagilum
Member since:
2009-07-01

My suspicion
by Dasher42 on Sat 18th Jun 2011 07:54 UTC
Dasher42
Member since:
2007-04-05

My suspicion is that these guys are the false flag operation to justify the crackdown aimed at Anonymous and Wikileaks. Seriously, I don't know how anyone would truly think it in their interest to act like LulzSec.

Edited 2011-06-18 07:55 UTC

Reply Score: 4

RE: My suspicion
by sorpigal on Mon 20th Jun 2011 16:16 UTC in reply to "My suspicion"
sorpigal Member since:
2005-11-02

My suspicion is that these guys are the false flag operation to justify the crackdown aimed at Anonymous and Wikileaks. Seriously, I don't know how anyone would truly think it in their interest to act like LulzSec.

I doubt this is the case. From the language, targets and attitude I expect these folks are genuine.

This sort of thing proves more and more that we need something like openid. Most people can't manage so many different passwords for so many different sites across so many different clients, so they turn to re-use of names and passwords. Telling people to not do that, to use separate passwords, is technically correct but infeasible (it doesn't scale). The sad thing is that a viable solution exists but adoption from sites is too low, I think because demand is low. If somehow people could be taught the idea that painful experiences like this could be avoided by demanding openid login then we'd all be in better shape.

Reply Score: 2

v I guess prosecutors will have the last Lulz
by tensigh on Sat 18th Jun 2011 09:32 UTC
Dasher42 Member since:
2007-04-05

Actually, the world got the smoking guns on what the US occupation looks like with its enforcement through helicopter gunships, that the US is going through back-room deals to push Monsanto's genetically modified crops, that we were engaging in war in Yemen without the general knowledge of the American public, that our diplomats were acting as spies in contravention of international law and also involved in the extraordinary rendition of suspects to regimes that had no limits on the cruelty of torture they would apply.

The popular press coverage was all about outing private conversations and focused on trivial examples out of a larger context of exposing a system rife with crimes against humanity. I see by your message that they conveyed the intended impression.

Reply Score: 1

This reminds me of...
by Dryhte on Sat 18th Jun 2011 10:38 UTC
Dryhte
Member since:
2008-02-05

This reminds me of my nearly-3-year-old. When we ask him why he did something bad, he often says 'because I want it'.

I mean, really, when a large(ish) group of supposedly nearly grown up people decides to behave as a 3-year-old hive mind, run and hide, folks. Run and hide. Chaos is coming.

By the way, I didn't know about the Minecraft DDoS attack, but how retarded can you be. If there's one glorious example of how anyone with the right idea and a decent helping of skills can make it big time in today's digital age, it's Notch with Minecraft. What the f*** made him a target? He's no 'Big Bad Evil Guy' however you slice it. Let them take on the CIA and every intelligence or government service in the world and I won't give a damn, but it's just plain stupid to turn onto the little man...

Reply Score: 1

RE: This reminds me of...
by Thom_Holwerda on Sat 18th Jun 2011 10:47 UTC in reply to "This reminds me of..."
Thom_Holwerda Member since:
2005-06-29

As much as I love Minecraft and think Notch is awesome, calling someone who sold over 2.5 million copies of a game 'the little man' is a bit... Weird ;) .

Reply Score: 1

RE[2]: This reminds me of...
by Dryhte on Sat 18th Jun 2011 10:55 UTC in reply to "RE: This reminds me of..."
Dryhte Member since:
2008-02-05

He's the proverbial little man who made it big. With his own hands. The embodiment of the [strikethrough]American[/strikethrough] Internet Dream.

Reply Score: 1

RE[3]: This reminds me of...
by Lennie on Sun 19th Jun 2011 09:38 UTC in reply to "RE[2]: This reminds me of..."
Lennie Member since:
2007-09-22

So is Facebook. ;-)

Notch is probably fine though.

Reply Score: 2

RE[3]: This reminds me of...
by Soulbender on Sun 19th Jun 2011 18:24 UTC in reply to "RE[2]: This reminds me of..."
Soulbender Member since:
2005-08-18

But you see, that's why he's a target. As opposed to Lulz, he has made it by creating something all by himself. People will still be playing minecraft long after Lulz 15 seconds of fame have run out.
This is also known as "jealousy".

Reply Score: 2

Draconian laws are coming.
by boyfarrell on Sat 18th Jun 2011 11:14 UTC
boyfarrell
Member since:
2008-12-11

This is exactly the kind of behaviour that governments can use as an excuse to usher in draconian Internet control laws. Bad.


Reply Score: 1

Hashed passwords.
by Timmmm on Sat 18th Jun 2011 11:45 UTC
Timmmm
Member since:
2006-07-25

So are OSnews passwords hashed and salted?

Reply Score: 3

RE: Hashed passwords.
by Lennie on Sun 19th Jun 2011 09:53 UTC in reply to "Hashed passwords."
Lennie Member since:
2007-09-22

Even if it is, it would also be a good idea to choose the right hash. :-)

Offline attacks have been getting really really fast these days:

http://blog.zorinaq.com/?e=43

I think http://en.wikipedia.org/wiki/Key_stretching should probably also be on that list.

I've started thinking I should improve my site to do that as well.

Reply Score: 3
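As an added example (not OSnews code, and not Lennie's), here is what "salted, key-stretched, with the right hash" looks like in practice: PBKDF2 with a per-user random salt, the iteration count stored alongside the hash so it can be raised later, a constant-time verify, and a `needs_rehash` check for migrating old entries. The algorithm name, iteration count and the stored-string format are constructed defaults for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed defaults for this example; tune the iteration count to your hardware
# so that one verification costs a noticeable fraction of a second.
ALGORITHM = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text.encode("ascii"))


def legacy_unsalted_hash(password: str) -> str:
    """The kind of scheme offline attacks chew through: one fast, unsalted digest.
    Two users with the same password get the same stored value, so one cracked
    hash (or one precomputed table) unlocks every account sharing it."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_<algo>$<iters>$<salt>$<dk>.
    The salt is random per user; the iteration count is the key-stretching
    work factor and is stored so that verify() knows what to recompute."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{ALGORITHM}${iterations}${_b64(salt)}${_b64(dk)}"


def _parse(stored: str):
    """Split a stored record into (algorithm, iterations, salt, digest); None if malformed."""
    parts = stored.split("$")
    if len(parts) != 4 or not parts[0].startswith("pbkdf2_"):
        return None
    try:
        return parts[0][len("pbkdf2_"):], int(parts[1]), _unb64(parts[2]), _unb64(parts[3])
    except ValueError:
        return None


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time
    so the comparison itself does not leak how many leading bytes matched."""
    parsed = _parse(stored)
    if parsed is None:
        return False
    algo, iterations, salt, expected = parsed
    candidate = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS,
                 algorithm: str = ALGORITHM) -> bool:
    """True when the record uses a weaker work factor or a different hash than the
    current policy; call this after a successful login and re-store the password
    with hash_password(), which is the only moment the plaintext is available."""
    parsed = _parse(stored)
    if parsed is None:
        return True
    algo, stored_iterations, _, _ = parsed
    return algo != algorithm or stored_iterations < iterations


if __name__ == "__main__":
    # Constructed sample: two users who chose the same password.
    pw = "correct horse battery staple"
    print("legacy, user A:", legacy_unsalted_hash(pw))
    print("legacy, user B:", legacy_unsalted_hash(pw))  # identical: salt missing
    rec_a, rec_b = hash_password(pw), hash_password(pw)
    print("salted, user A:", rec_a)
    print("salted, user B:", rec_b)                      # different: per-user salt
    print("verify ok:", verify_password(pw, rec_a), "wrong:", verify_password("x", rec_a))
    old = hash_password(pw, iterations=10_000)           # e.g. a record from years ago
    print("old record needs rehash:", needs_rehash(old))
```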

No better than anti-social street chavs
by lindkvis on Sat 18th Jun 2011 14:00 UTC
lindkvis
Member since:
2006-11-21

I wouldn't commend them on anything at all. Despicable bunch of cowards and low lives that hurt people for their own amusement hidden behind the anonymity of the Internet.

Reply Score: 1

...
by Hiev on Sat 18th Jun 2011 15:13 UTC
Hiev
Member since:
2005-09-27

Hey LulzSec, I dare you to hack OSNews, I bet you can't.

Reply Score: 2

RE: ...
by Tuishimi on Sat 18th Jun 2011 16:53 UTC in reply to "..."
Tuishimi Member since:
2005-07-06

Ha ha! Good one! ;)

Reply Score: 2

RE: ...
by Thom_Holwerda on Sat 18th Jun 2011 17:10 UTC in reply to "..."
Thom_Holwerda Member since:
2005-06-29

Hey LulzSec, I dare you to hack OSNews, I bet you can't.


Well, in all honesty - I did check with the team if our passwords (and yours) are all properly secured. I don't want to dive into specifics, but suffice it to say they are all properly encrypted ;) .

Edited 2011-06-18 17:12 UTC

Reply Score: 1

RE[2]: ...
by Alfman on Sat 18th Jun 2011 19:42 UTC in reply to "RE: ..."
Alfman Member since:
2011-01-28

Thom Holwerda,

"Well, in all honesty - I did check with the team if our passwords (and yours) are all properly secured. I don't want to dive into specifics,"

Ah, security by obscurity then. (just kidding Thom)

" but suffice it to say they are all properly encrypted ;) ."

Well, not exactly since it's over plain HTTP.

If hackers did get in, they could alter anything in the database. They could install keyloggers or modify the hashing function such that they are able to decrypt passwords easily.

Am I right in thinking it's extremely unlikely that you'd notice?

Even a single XSS vulnerability would give an attacker the opportunity to steal your credentials if you follow a malicious link.

If you were a high profile target, it'd probably be worth hiring someone else to do penetration testing, which most companies fail to do.

Many companies around here don't even want to pay to fix known vulnerabilities. Like sony, a theoretical attack vector isn't important until it has been actively exploited.

Reply Score: 3

RE[2]: ...
by Alfman on Sat 18th Jun 2011 20:31 UTC in reply to "RE: ..."
Alfman Member since:
2011-01-28

Thom Holwerda,

Another point to make is that by allowing third parties to execute code on your web pages, you've implicitly given them access to our credentials as well.


For example, your pages are running scripts from google adsense, google analytics and quantcast. Any one of these could target osnews users if they wanted to and capture credentials without even touching anything on the site.

I'm often a little surprised how little this bothers people.

Reply Score: 3

RE[3]: ...
by Lennie on Sun 19th Jun 2011 10:02 UTC in reply to "RE[2]: ..."
Lennie Member since:
2007-09-22

Oh really? I didn't see them. ;-)

Sorry OSnews crew, I would like to see them. :-(

Really I do, although they can be a bit distracting at times.

But scripts loading from other sites and document.write just don't cut it for me. They affect performance and security a tad too much for my liking.

I block every external file with a plugin right now, which is highly annoying with people adding more and more domains to their site and loading jQuery and its plugins and more of the same from Google, Microsoft and Yahoo.

Still, I do run those ads on my own site though. :-(

They are at the bottom of the page, where they have the least impact on performance.

The site makes less money than the hosting would cost but that is currently free for us, so is the site for the users.

I wish SPDY/HTTPS/SNI were in widespread use; that would really help to speed up websites and make them secure, and there would be no need to use plain HTTP, as Alfman mentioned above.

While I'm talking things which could be really improved, the Certificate Authority system (as used by HTTPS and friends) could really be improved by the use of DNSSEC.

So now this comment is long enough. :-)

Edited 2011-06-19 10:09 UTC

Reply Score: 2

RE[2]: ...
by Soulbender on Sun 19th Jun 2011 19:06 UTC in reply to "RE: ..."
Soulbender Member since:
2005-08-18

but suffice it to say they are all properly encrypted


I certainly hope you mean hashed, rather than encrypted.

Reply Score: 2

RE[3]: ...
by Lennie on Sun 19th Jun 2011 23:30 UTC in reply to "RE[2]: ..."
Lennie Member since:
2007-09-22

I've got a feeling Thom doesn't know the difference, so you are actually asking the wrong person.

Reply Score: 2

RE[4]: ...
by Thom_Holwerda on Sun 19th Jun 2011 23:36 UTC in reply to "RE[3]: ..."
Thom_Holwerda Member since:
2005-06-29

I mean hashed.

Reply Score: 1

RE[5]: ...
by Lennie on Mon 20th Jun 2011 08:41 UTC in reply to "RE[4]: ..."
Lennie Member since:
2007-09-22

Thanks.

Now that I look again at my previous comment, I intended to have a ;-) -smiley on the end.

Reply Score: 2

RE[4]: ...
by Soulbender on Mon 20th Jun 2011 17:28 UTC in reply to "RE[3]: ..."
Soulbender Member since:
2005-08-18

Dude, he's Dutch. He knows all about the hashish... err, hashing.

Reply Score: 2

RE[5]: ...
by Lennie on Mon 20th Jun 2011 21:15 UTC in reply to "RE[4]: ..."
Lennie Member since:
2007-09-22

LoL

Reply Score: 2

Objectivity
by Tuishimi on Sat 18th Jun 2011 16:52 UTC
Tuishimi
Member since:
2005-07-06

A lack of objective morality leads to people doing whatever they please whenever it pleases them without regard to others.

Reply Score: 3

RE: Objectivity
by orestes on Sat 18th Jun 2011 17:36 UTC in reply to "Objectivity"
orestes Member since:
2005-07-06

Not morality, that's just a convenient construct we use to keep ourselves in line so that society can more or less function. What the hackers need is appropriate fear of what will happen to them once the game ends.

Reply Score: 3

RE: Objectivity
by Nth_Man on Sun 19th Jun 2011 16:57 UTC in reply to "Objectivity"
Nth_Man Member since:
2010-05-16

True, nowadays the egotistic way of thinking is the one most frequently seen.

Reply Score: 2

Bastards!
by quarkvanlepton on Sun 19th Jun 2011 17:59 UTC
quarkvanlepton
Member since:
2008-03-08

But on the other hand, _why_so_serious_ ? Really.

Reply Score: 1

Comment by tuma324
by tuma324 on Sun 19th Jun 2011 22:21 UTC
tuma324
Member since:
2010-04-09

These kids (LulzSec) need to grow up.

Reply Score: 1

Pro tip
by sorpigal on Mon 20th Jun 2011 16:13 UTC
sorpigal
Member since:
2005-11-02

Lulzsec are anonymous.

If this seems wrong or surprising to you then you don't really have a clear idea of what's going on.

Reply Score: 2