Linked by Thom Holwerda on Fri 17th Jun 2011 18:49 UTC
Privacy, Security, Encryption Oh boy, what do we make of this? We haven't paid that much attention to the whole thing as of yet, but with a recent public statement on why they do what they do, I think it's about time to address this thing. Yes, Lulz Security, the hacking group (or whatever they are) that's been causing quite a bit of amok on the web lately.
Thread beginning with comment 477664
RE[4]: Bah
by Soulbender on Sat 18th Jun 2011 05:15 UTC in reply to "RE[3]: Bah"
Soulbender
Member since:
2005-08-18

I'm sure LulzSec can use the same argument, pointing to RIAA/MPAA/the gubmint.


Really now. Is the gubmint running around stealing data?

My point is, however, not that your judgement is morally wrong, just that it contains no insight.


You want insight?
We need to stop idolizing this kind of behaviour. They're not "tech wizards" or "security geniuses". They're petty criminals hiding behind the comfort of their computer screen, which conveniently prevents them from ever actually interacting with their victims. Think it's hard to hack into a system and find a single flaw? That's a walk in the park. Try building systems and defenses that can't be broken into; THAT is hard, and no, it doesn't require hacking skills. It does, however, require an understanding of good engineering and security practices, but the industry is more interested in the whizbang gadget of the week that will magically solve all your problems, or in paying "hackers" to "pen test" their systems. Like Marcus Ranum, I too wish it were considered cool to properly design your systems and defenses, but as long as the media is the way it is I doubt that'll happen. Being the "whiz kid" of the week will always be cooler, even if the whiz doesn't really know jack.

Edited 2011-06-18 05:18 UTC

Reply Parent Score: 2

RE[5]: Bah
by Alfman on Sat 18th Jun 2011 06:07 in reply to "RE[4]: Bah"
Alfman Member since:
2011-01-28

Soulbender,

"We need to stop idolizing this kind of behaviour. They're not 'tech wizards' or 'security geniuses'."

To be fair, they could be those things, even if we disagree with their judgment.

"Think it's hard to hack into a system and find a single flaw? That's a walk in the park. Try building systems and defenses that can't be broken into, THAT is hard and no it doesn't require hacking skills."

Having hacking skills sure helps though. I'm not sure why someone would think otherwise?


"It does however require understanding of good engineering and security practices but the industry is more interested in the whizbang gadget of the week that will magically solve all your problems or paying 'hackers' to 'pen test' their systems."

You're trying to make a distinction between the skill sets being used for good and bad, but I'm not sure such a distinction can be made.

A university might have a course about computer vulnerabilities and network penetration, but effectively educating students about preventing attacks implies giving them insight into how attacks are executed. The same knowledge which helps foil attacks can be used to maliciously forge attacks.

Maybe they could only teach students to use the attack prevention tools without teaching them the theory behind attacks; however, I'd have less confidence in these students being able to do the job of keeping the infrastructure secure. Too much can slip by them.

Of course I'm not arguing the attacks are right, but it seems silly to understate their abilities.

If anything, these are skilled people who are probably under-appreciated when using their skills productively, and have turned to an underground culture where they can be appreciated.


I don't have to agree with their choices in order to understand them.

Reply Parent Score: 5

RE[6]: Bah
by Soulbender on Sun 19th Jun 2011 18:15 in reply to "RE[5]: Bah"
Soulbender Member since:
2005-08-18

To be fair, they could be those things, even if we disagree with their judgment.


True but unlikely.

Having hacking skills sure helps though. I'm not sure why someone would think otherwise?


Ranum explains this much better than I ever could:
http://ranum.com/security/computer_security/editorials/skillsets/in...

If anything, these are skilled people who are probably under-appreciated when using their skills productively, and have turned to an underground culture where they can be appreciated.


That's a really lame excuse, and it just confirms that these people are indeed assholes.

Reply Parent Score: 2

RE[5]: Bah - hacking skills
by jabbotts on Sat 18th Jun 2011 17:13 in reply to "RE[4]: Bah"
jabbotts Member since:
2007-09-06

I agree that it's far harder to build and manage secure systems than to find and exploit a single path into them. I might suggest, though, that if the person developing the system is not themselves a hacker or employing hackers, they are being negligent in their duties.

Hacking and hackers are not inherently criminal; it is a set of skills applied to any topic of interest and, in the majority of cases, applied in a perfectly legal manner. Security hackers who work within the law should be considered a natural resource. They should be employed to design and test systems. If you are not employing hackers on your own sysadmin team and/or having third-party pentests done by hackers, how can you possibly claim that you've designed and hardened your systems in any kind of responsible manner?

Heck, if you're federally employed, FISMA makes it a legal obligation to be responsible and prove your systems secure through proactive testing. (Which does bring into question these federal systems that are broken into so easily, let alone older cases of widespread use of default passwords and similar stupidity.)

Not contracting people who now have a criminal record; that's fair. There are lots of law abiding hackers out there to hire or contract.

Reply Parent Score: 2

Proactive testing
by Lennie on Sun 19th Jun 2011 09:09 in reply to "RE[5]: Bah - hacking skills"
Lennie Member since:
2007-09-22

Proactive testing is just proactive testing, it doesn't say anything about the security of a system.

It just says it isn't vulnerable to the attacks it was tested against. However, a large part of that testing is done automatically with tooling in the production environment, so people are careful with how they test.

So even if the tool found a problem like a SQL-injection, the tool or user of the tool might not even have noticed it.

No, pentesting and so on is to find the most obvious problems.

Just look at a recent bank website security problem, when an id in the URL was changed people could get in the account of other people.

I'm very certain banks do those previously mentioned security checks.

If you want real security, there is only one solution: have a 3rd party look at the code. All the code.

Reply Parent Score: 2
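The bank bug Lennie describes above, as an added illustration that is not part of the thread: a minimal account-lookup handler that trusts the id from the URL, beside the version with the ownership check a code reviewer would look for. The handler names and the account data are constructed for the example.

```python
# Added illustration (not from the thread): the lookup-by-URL-id bug Lennie
# describes, beside the fixed handler. Names and data are constructed.

ACCOUNTS = {  # constructed sample data: account id -> owner and balance
    101: {"owner": "alice", "balance": 2500},
    102: {"owner": "bob", "balance": 40},
}

class Forbidden(Exception):
    """Raised when the requester does not own the requested account."""

def get_account_vulnerable(session_user: str, account_id: int) -> dict:
    # Looks the record up by the id taken from the URL and never asks whether
    # session_user owns it: any authenticated user can read any account.
    # A scanner that only looks for error signatures sees a normal 200 here.
    return ACCOUNTS[account_id]

def get_account_fixed(session_user: str, account_id: int) -> dict:
    # Same lookup, but the record is returned only if it belongs to the
    # authenticated user. This is the one-line check that code review
    # catches and black-box tooling usually cannot.
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != session_user:
        # Same outcome for "missing" and "not yours", so the two cases
        # cannot be told apart from the response.
        raise Forbidden(f"account {account_id} not accessible to {session_user}")
    return record

def leaks_other_account(handler, session_user: str, other_id: int) -> bool:
    # Review helper: True if handler hands session_user an account they do not own.
    try:
        return handler(session_user, other_id)["owner"] != session_user
    except (Forbidden, KeyError):
        return False
```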

RE[6]: Bah - hacking skills
by Soulbender on Sun 19th Jun 2011 18:09 in reply to "RE[5]: Bah - hacking skills"
Soulbender Member since:
2005-08-18

I might suggest though that if the person developing the system is not themselves a hacker or employing hackers they are being negligent in their duties.


So banks should be employing thieves when they design their bank vaults? Having a general idea about how hacking works is useful, yes, but specific knowledge is worthless for this purpose.

Heck, if you're federally employed, FISMA makes it a legal obligation to be responsible and prove your systems secure through proactive testing


Unfortunately this makes your system "better" by trial and error, not by design.

There are lots of law abiding hackers out there to hire or contract.


Obviously I'm not referring to those and also not referring to hackers who hack on code rather than break into systems.

Reply Parent Score: 2

RE[6]: Bah - hacking skills
by Soulbender on Sun 19th Jun 2011 19:18 in reply to "RE[5]: Bah - hacking skills"
Soulbender Member since:
2005-08-18

There are lots of law abiding hackers out there to hire or contract.


Is that like being a law abiding bank robber?

Would probably help if the term "hacker" wasn't so ambiguous. Are we talking about hackers who write code or hackers who (try to) break into systems? Two different beasts, same term.

Reply Parent Score: 2