Why we secretly love LulzSec

Patrick Gray

Although large sections of the security community will deny it if you ask them, they're secretly enjoying watching LulzSec's campaign of mayhem unfold.

So far the "hacker group" has penetrated systems owned by Sony, PBS, the "FBI affiliate site" Infragard, security company (hah) Unveillance and Nintendo, among others.

Anonymous

Is it that people like what they are doing, or don't want to be critical online so they don't make themselves a target like HBGARY, etc.? It seems if you make a statement against LULZ or ANON you'd better be willing to bet your network's security on it.

I have a hard time believing that people who make their money defending networks get enjoyment out of other people's pain, because if you do security for a living you know your network isn't 100% secure.

Anonymous

Can I get an Amen?

Anonymous
Meanspirited?

I don't think that the author is laughing at or enjoying the pain of his fellow security pros, I think he's enjoying the fact that the media is finally noticing what the pros have all been saying for so long. After years of the Internet largely skating by on the goodwill of decent people, someone has committed a spectacular enough cyber crime spree to make the world notice that cyber security is important and needs funding and support, because it's scary stuff when people run amok on the net.

Anonymous

Gray is 100% right. Thank you for the insight, sir.

For too long our infrastructure has lacked REAL protection, and lulzsec is the only group atm that will fuck things up just to laugh about it.

Everyone laughs along because it's pathetically easy to get this info, yet people will carry on with the same old bullshit 6-8 digit password they use for *everything*. I now have separate 15-digit pass-sentences (up from two or three 10-digit passwords) that I use until I get comfortable with my 24-digit pass-sentences.

THE REAL QUESTION IS WHETHER PEOPLE ARE LEARNING FROM THESE MISTAKES.

Patrick Gray

Yeah, I mean, even something as simple as non-recycled passwords would have stopped HBGary Federal and Unveillance from getting popped, and they're SECURITY COMPANIES.

Anonymous
and another bites

don't forget this from tonight: http://www.blackbergsecurity.us/

luvin the lulz

Anonymous
Natural Born Crackers

Lulzsec are the Mickey and Mallory of whatever they're labelling this time period.

Anonymous
Amen

One of the problems we (security professionals) face is we're not allowed to properly secure our own systems. Someone in management agrees that a Nessus or nCircle scan is "good enough" to prove we're secure, we can't enable BLOCK mode on the IPS because it might break something, we can't embarrass staff by running a password cracker, we can't slap senior management for letting their kids use their work laptops, we can't stand in the way of a new application release.

Far too often security is a rubber stamp, or is worked around, or just simply ignored.

I commend LulzSec for helping to raise the awareness of these issues; for once it would be nice to actually be allowed to do my job properly.

Anonymous

Lulzsec apparently enjoyed your article... they've linked it on the Lulzboat Twitter.

Anonymous
Wow

As a future IT Engineer, seeing things like this makes me ( lmao ) want to go even more in Security..
I just like the fact that you can ( for a while ) be completely anonymous and scare the sh*t out of people without being recognized.

On the other hand, it's ridiculous to see how easily those "experts in security" just got pwned.

http://www.blackbergsecurity.us - Been hacked for 5 hours now, no change...

Anonymous
Great read

Just wanted to say this was a great article.

Anonymous
In your face!!!!

+1

Told like a true gentleman

:) 4 the lulz

Anonymous
No Security...I wish someone would listen

Patrick's comments are dead on about there being NO SECURITY with today's computing. I started my career working with mainframe systems. The OS was not so easily modified. There was integrity. PCs in particular and desktop computing today have NO SECURITY except a false sense of security. IT departments want to think their AV will save them. AV is USELESS, especially against nation state hackers. These guys evaded all our defenses where I last worked for more than 10 years. What does that say about computer security? In the early days of the Internet there was a big push to get the corporate network interconnected. Knowing what I do today, there ought to be a push to pull the plug at all costs if you want to have any security! Oh, and let's go back to mainframe systems with pretty dumb terminals too. Seriously, this stealing is costing us our jobs. I know, I lost mine due to this crap. Today's computing model is seriously broken and no one is really doing anything about it. Let them keep stealing!!!

Brian Shields

Anonymous
LULSEC

IS MY HERO!

Anonymous
Why they fight

It's not simply because they wish to let people know about terrible security. They fight because our rights are slowly disappearing. Internet censorship, almost a necessity for fascist regimes, is quickly coming to the US. Do you know how our government is working? How our monetary system works? It's all a lie... money is more worthless than you know. Created from thin air, quite literally, they take nothing from their own assets to pay out loans. Since they put nothing up of their own assets, you don't need to pay a loan because they didn't give you anything in the first place.

Learn more:
http://www.youtube.com/watch?v=EewGMBOB4Gg

Anonymous
Wonderful

First, I think this article was wonderful.

Second, I think Lulz Security is wonderful.

We live in a world of non-security, but people would freak out if they realized how compromised they were constantly. LulzSec are my heroes because they've got the skill and balls to remind us all where we really stand.

AND THEY'RE DOING IT FOR THE LULZ! Who would have thought "renegade hackers" would provide an example of integrity frustratingly missing from most public figures?

Anonymous
24-digit pass-sentences?

Are you nuts?

You actually think Patty the receptionist, Joe the contracts manager or Hank the forklift truck driver - all of whom require access to sensitive corporate networks and systems - are going to remember a separate "24-digit pass-sentence" for each system? Or even one?

Patty has a hard time remembering any password that isn't "patty" and so she writes them down on a post-it note and sticks it on the inside drawer of her desk. Worse, the company enforces a rule saying she needs to change her password every six months and she can't use any of the previous {insert random number here} passwords.

Yeah, "24-digit pass-sentences" are really the answer. Not.

Passwords and people having to remember them and type them are a root insecurity in and of themselves. Making them "unmemorable" only makes the insecurity of them worse.

You, yourselves, as "masters of the security universe" are an inherent security weakness - any one of you could go rogue or get bought out by a remote interest and whole security infrastructures might crumble as a result.

The author is correct - ultimately there is *no guarantee of security* and there never will be. The very concept is illusory.

We can make best attempts and we should be doing better, but trying to force Barry in accounting to remember 3 x 24-digit pass-sentences isn't it.

Anonymous

While I support LulzSec when they try to expose vulnerabilities, and sensitize the average Joe to the importance of computer security, I wouldn't call them an "example of integrity".

They've been very partial to Sony (well, it seems very mainstream to hate on Sony these days), releasing private source code and, that's the problem, personal data found on Sony's server.
Those users, whose name/address/etc have been published over the internet, haven't done anything wrong.

It's funny when they hack a so-called security expert's website, when they give Nintendo friendly advice on how to secure their server.
It's not when innocent victims' privacy is broken, just because some hackers hate one company.

Anonymous

I'd like to personally shoot every member of Anonymous and LulzSec in the head. Love them? Sure, when I see their corpses paraded on cable TV news. They are zeros, not heroes.

jabled
Great article

I loved it - for anonymous above, go in search of Dead Protocol Society / ADM members. That would be a good starting point, I imagine. There are only a few groups in the world that are capable - that these individuals would have been trained in and come out of.

Anonymous
bruce loves you baby

looks like Pat has got the attention of Bruce Schneier......
http://www.schneier.com/blog/archives/2011/06/two_good_rants.html

Anonymous
Not so hard as you think.

It's apparent the OP doesn't have English as his native language. By "24 digit pass sentence" he probably means "24 character pass-phrase".

That's something like:
Johnson prepared 3 eels.
Can Patty remember a "password" like that? Well, yes, the many usability trials that have been done suggest that actually, she can. In fact she has no trouble recalling even 40-ish character phrases, like:
She thinks tuna is a type of chicken!
But if you make them too long, it becomes a pain to type them long before they become hard to recall.

"Worse, the company enforces a rule saying she needs to change her password every six months ..."

Once you've got her using a 24 character pass-phrase, that rule is pointless and can be abolished.

A more challenging issue is the evil of password reuse. Preventing that in a reasonably secure way is not only technically more difficult, but flies in the face of the move to SSO. (Some SSO solutions authenticate via a trusted central server, similarly to Kerberos, but many work by *forcing* all passwords to be the same!!)

Anonymous
my opinion

lulzsec is a security industry guerrilla marketing campaign.
well, it's probably not, but it might as well be :)

Anonymous
The Cuckoo's Egg

In 'The Cuckoo's Egg' the author tries to warn the US military that their systems have been compromised by an outside hacker.

Even if you haven't read the book - and you should - the results are predictable: he is ignored / threatened / etc - and the fact the [missile] installations have been compromised is completely ignored.

In short, those that point out the obvious - and by so doing rock the status quo - are not thanked, but are rather reviled.

It is only when the scale of the incident cannot be ignored - and Sony is still trying to downplay the 100 million plus hacked entries as insignificant - that Joe Public & the media become involved. Until then an insignificant starlet's latest sexual exploits are far more important.

Seems that nothing much has changed since the book was published in 1989 ...

So I am pretty much supportive of those hackers that prove just how open our systems actually are. Please note that this does not include destructive & malicious hacking.

Anonymous
Good security, weak users?

"Patty has a hard time remembering any password that isn't "patty" and so she writes them down on a post-it note and sticks it on the inside drawer of her desk. Worse, the company enforces a rule saying she needs to change her password every six months and she can't use any of the previous {insert random number here} passwords."

You know what? This is not an argument for weakening security. This is an argument for testing people's ability to follow basic security procedures at hiring time, and if you can't remember any password more complex than 'patty' without writing it on a Post-It note, you will not be permitted access to ANY SENSITIVE DATA WHATSOEVER. EVER. Even if you're the Director of Mumbling. Put a color-coded bar right there on the employee badge.

"Sorry, sir, per corporate policy I cannot give you access to this information, it is flagged Orange confidentiality and your badge security level is only green. ...Sorry, sir, I don't care if you're three levels of management above me, this policy comes directly from the CSO and he's two levels above you."

Anonymous

Keeping an open mind. My take on this is...

..Software developers are not learning from their mistakes - why should they? Get the product to market asap, right?

..Companies keep producing software that's full of security holes because there is no financial incentive to prevent them from doing so. What are the incentives for opensource developers to produce secure products?

..The patching culture - get it to market, then fix it later. Most of us just put up with this culture and get patching without a second thought.

... no clear measurement of software assurance. To me a lot of software is NOT doing what it's designed to do. What is Flash Player, for example? It provides a rich media experience and helps you get your system owned in so many ways too :)

.. I think, like financial auditing, the software (opensource and proprietary) should be independently tested for basic security assurance and given a rating. After this, let the user decide whether they install or not.

...Security of a product is just assumed to be OK by most. Also, most users don't care about "security" - I drive 100mph - I take the risk etc., I install Flash - I take the risk. The word security is the biggest turn off for most :) and that's why people have crap passwords. They don't care.

...I think the security industry should focus more on protecting user privacy rather than security. Most care, however, if their "privacy" is compromised. Make users aware of how their privacy is being affected, then talk about changing that password.

finally, does that box really have to be on the internet? Take the shodan website... yikes!

Anonymous
Spot on

good article.

Anonymous
Geez, you guys still don't get it

The very existence of a pass-word/phrase/egg is the threat. Be it 24 characters or 2.

If Patty chooses as her 24-character pass-phrase "Frank Burns Eat$ Worms!" you somehow think that is more secure than "BozoClown00"? Just because it has more characters to avoid brute force?

Patty can be compromised 1000-different-ways-from-Sunday without breaking a sweat. She can (as most people do) talk her way out of it, she can be videoed typing it in, she can be keylogged, and I'll bet you some ingenious soul out there can capture her passegg acoustically as she clatters it on the keyboard.

Passwords in and of themselves are a security hole. Making them "complicated" adds no security except for brute force cracking attacks.

You want something approaching real security on your corporate machines?

You have a well-paid and motivated security staff in your building lobby that verify everyone's access, and then those people can only get onto machines and access systems via a (let's say) 4K-encrypted token on a stick. Plug it in and you're authenticated. You can lock things down further from there.

Even that is still weak because any person in the loop can still become malicious, but it's better than passwords which leech information every single time they are typed.

Anonymous
Great Article, Great Podcast

Just downloaded the whole queue and am now working on getting through them. Keep up the good work!

Anonymous
Right on the money

You are exactly right, and as long as companies have insecure systems, they're going to be hacked and (innocent) users' data will be compromised. People that want to rip on Lulz for being n00bs or whatever completely miss the point and don't make the insecurity go away. I made a similar comment here, and am happy to see people understanding what this really means.

http://www.csmonitor.com/Innovation/Horizons/2011/0614/What-is-LulzSec#c...

Anonymous

Yeah.. I don't know, I'm not amused by lulz and it frankly gives the government more of a reason to choke the internet. And as far as security goes, people are at a hands-tied moment about securing networks due to management and higher up authorities that don't stick to what should be done. Network security is done to keep those mediocre people out. In reality the only real true safe network is one that is not networked.

Anonymous
Sad, Pathetic, Little Losers (Skiddies)...

LulzSec - Losers United Lacking Zyprexa - Sadly Erectile Challenged

Get a job, move out of mommy's basement and contribute something useful to society. If the only way you can feel good about yourself (or have a LULZ) is to tear down something that someone else has built then you have serious issues. The good news is... they make medication for that. Try some!!!

:(

Anonymous
Humans rights abuser with US designed military tech?

Haha. There were already human rights abusers with US designed military tech before they got pwned by the Chinese. They're called the US military. Maybe that's why we love LulzSec?

Patrick Gray

It's funny, but I absolutely agree -- the yanks hardly have a sterling record on stuff like human rights abuses themselves.

But the Chinese *are* worse...

You know, I'd rather live in the USA than in China where you get thrown in the clink for exhibiting "subversive artworks"...

But I definitely take your point.

Anonymous
Word ;-)

Love the show, and couldn't agree more with you on this topic. I'm a CEH; like others here I have stuff to protect for my employer's customers in the public sector. But the lack of will to spend from above places us right here, right now - a bizarre mix of apathetic policy, interspersed with ill-conceived, knee-jerk legislating.

Not hard to spot which of the total losers posting here are part of the problem either, eh?

"Get a life, move out of...." nah, in fact I'm not bothering with the rest, not worth repeating.

I mean, I'd try to see it from your point of view, Anon, since you're so insightful, but sadly I couldn't fit my head up your arsehole there too. Talk about pot calling kettle black?

And the guy making death threats? Suggest you're fitted for a nice new jacket with wrap-round sleeves and a padlock; generally speaking mass murder is more frowned upon than, say, heap-spraying, DoS or even info disclosure.

Respect to you Patrick for salient, considered and - when appropriate- blunt commentary over the episodes. "The Revolution Will Not Be Televised" - but podcasts are available :-D

Shim-Te Master

Anonymous
Wow, angry much????

Dude, you have got some major anger/aggression issues.

Please, seek help.
