Security Analyst Explains Why We Love Lulzsec

[-Samurai-]

While I don't support the theft of personal data, I do in fact support the cracking of websites to send a message that the bottom line of multi-million/billion dollar corporations should include the security of their customers data.

The problem is, everyone already knew that any website/security system can be cracked. We didn't need these jokers actually doing it to point it out to us.

You could throw a rock through my living room window to show me that it isn't secure, but I already knew it could be broken.

No security measure will ever be fully secure. We don't need an unending string of people showing us what we already know. And I know that people will eventually hit Sony again just to prove that they still aren't secure enough, but they can never be secure enough. No one can.

 

[Random Argument Man]

That guy seems to take the positive out of this too seriously. Yes, it showed that the security is weak. It doesn't excuse the fact that they hacked in the first place.

 

[Low Key]

Truth be told recent events have made me a little more cautious with my online dealings. Anyway, I'm using Chrome, so that isn't of much help to me, however I did found a similiar extension for Google Chrome - https://chrome.google.com/webstore/detail/flcpelgcagfhfoegekianiofphddckof . As far as I know it's not as refined as the Firefox one, but at least there is one for users of that browser.

It's better than using nothing at all, and the best thing is that it will only improve over time. Chrome is still in it's infancy, and its certainly much better than Internet Explorer. So many business use that for their browser internally and it just makes me cry.

 

[Jabberwock xeno]

Excuse me?

we don't "love" luzsec.

I appreciated Anonymous at times, since they generally had a good cause, but...

 

[Keava]

The problem is, everyone already knew that any website/security system can be cracked. We didn't need these jokers actually doing it to point it out to us.

You could throw a rock through my living room window to show me that it isn't secure, but I already knew it could be broken.

No security measure will ever be fully secure. We don't need an unending string of people showing us what we already know. And I know that people will eventually hit Sony again just to prove that they still aren't secure enough, but they can never be secure enough. No one can.

So why don't you just remove windows and locks from your door, after all someone could just blow a hole in your wall if they wanted to break in.
You use those basic measures to make sure not everyone walking by can get into your house however, and you can at least offer some level of security as company to your customers.

New exploits and holes are found pretty much every day in every iteration of any relevant software. Web browsers, server software, OS, firewalls - yeah it all can be potential gateway, but a good security team should actually follow the reports of all those exploits and make sure they react to them accordingly. Most 0day exploits are really well known plenty security blogs warn about them.

You know how RSA was hacked? By Flash 0day that Adobe warned about, despite those warning one of the workers of RSA opened an attachment from spam mail. It's like leaving your door wide open with big neon sign saying "HEY! FEEL FREE TO BREAK INTO MY HOUSE".

 

[Low Key]

While I don't support the theft of personal data, I do in fact support the cracking of websites to send a message that the bottom line of multi-million/billion dollar corporations should include the security of their customers data.

The problem is, everyone already knew that any website/security system can be cracked. We didn't need these jokers actually doing it to point it out to us.

You could throw a rock through my living room window to show me that it isn't secure, but I already knew it could be broken.

No security measure will ever be fully secure. We don't need an unending string of people showing us what we already know. And I know that people will eventually hit Sony again just to prove that they still aren't secure enough, but they can never be secure enough. No one can.

While a network may not be secure, personal data can be. If you are not a security professional or someone who is in college to be one, then your word on internet security means absolutely nothing.

Please, go read about 256-bit AES encryption. For a brief overview:

"For cryptographers, a cryptographic "break" is anything faster than a brute force attack - trying every possible key. Thus, an attack against a 256-bit-key AES requiring 2[sup]200[/sup] operations (compared to 2[sup]256[/sup] possible keys) would be considered a break, even though 2[sup]200[/sup] operations would still take far longer than the age of the universe to complete."
Source [http://www.zdnet.com/blog/ou/is-encryption-really-crackable/204]

The only known crack 256-bit AES has ever had is when hackers didn't actually go through the encryption, but found a side route into the system. And while you may initially be like "well that means it's not secure", regular security audits, properly maintained privileges, strong firewalls, and secure root passwords would keep the damage done by hackers to a minimum and they wouldn't be getting anywhere near personal data. That is what we call active security. Most companies, like Sony, practice passive security.

And in any case, my point still stands from my other posts that only YOU can fully protect YOU. If you don't take the proper steps to protect your personal data, what makes you think some random company will?

 

[ObsessiveSketch]

But I thought that there were some serious consequences of the hacks. Weren't credit cards stolen? For the lulz means that you have the ability to take the info, and you showcase that ability, but you don't ACTUALLY take the info! Lulzsec is still on my shit list, although it's nice that some people out there finally recognize this as a group independent of Anonymous.

 

[AngryFrenchCanadian]

"He noted that the popular response to the PSN attack has been to heap scorn upon Sony but claimed that such an attack could, and still can, happen to anyone."

Frigging finally! Moving from the PS3 to the Xbox 360 isn't going to make your information more secure, it's just moving it around even more. People saying "Oh, I'm selling my PS3 because PSN isn't secure" are really, really missing the point.

 

[Biodeamon]

I loved when they did this. it made me laugh so hard


They're like anymous except with a sense of humor and no rules

 

[Psycho Cat Industries]

Why not just store your data on an ethernet seperate from the web?

 

[ProjectTrinity]

I never looked at it that way. 0_o But I guess this makes sense.

*tries to resist*

*tries really hard*

*fails*

Looks like this wasn't a good day to... meet Joe Black.

http://mirrors.rit.edu/instantCSI/

 

[RThaiRThai]

Sure, anyone could get hacked, but in case nobody has pointed it out yet (and this time I only very lightly skimmed the other posts), Sony had *exceptionally* bad security. And it's not just whether you get hacked, it's how prepared you are for being hacked and how much damange it will do and other security stuff that I would have to be more of a security expert to actually comment on.

Sony was storing passwords unhashed (and I *do* know enough about security to know what that means), credit card numbers unencrypted, and apparently what people were most angry about is that their Apache servers were unpatched. On a non PS3 related site, they also fell victim to an SQL injection, which is kind of amusing seeing how that's a pretty basic security issue. It wouldn't be funny if it happened to me, and it's an easy mistake to make, but it's a really basic mistake too.

Well, security's hard. It's interesting stuff.

 

[Ice Car]

Who the fuck "loves" Lulzsec now? I sure don't, and anyone who does like the carnage they are causing for no real reason deserves a punch in the face.

Huh, I just realized how I always use "Deserves a punch in the face" a lot.

 

[smudgey]

Yes Yes Yes. So far Lulzsec has embodied true hacker ethos. They will wreck a company's shit but not to steal or hurt customers.

I think there's some PSN customers who'd disagree with you.

Didn't they also release PERSONAL details of customers when they hacked Sony Pictures?
Come to think about it, it wouldn't surprise me if lulzsec were actually IT security firms trying to drum up business....

 

[Frylock72]

Please be joking.

Anyways, I have zero respect for lulzsec despite all this "improving online security" talk, if they really were in it to improve security so less people have a chance of getting hacked, they wouldn't have released all that personal information during the PSN disaster.

Pretty much this. I'm not interested in Lulzsec or any brand of online hacker. Anyone who says that they're not stealing info should look at when they posted all of that personal information they took 'to prove a point'.

Lulzsec is bringing about security awareness in about the stupidest way imaginable, because they're internet culture kids who have no respect for anything.

Why not just store your data on an ethernet seperate from the web?

Because then what would be the point? They store it on live databases so you don't have to enter the information in every time you make a purchase. Sites like Amazon, Gamestop, the PSN, credit card companies, all of them store your information specifically for that purpose. And even if they did find a way to make it accessible from the site to the server, that's still a vulnerability (and a really roundabout way of doing it).

This from an armchair computer geek, but that's what I believe is the case. Don't quote me or anything.

 

[samsonguy920]

This is why I will never use a cloud data storage service. Putting family photos and such on a server that will be ripe to get hacked is just plain stupid. True a hacker could just decide to try to get on my pc itself, but why? That actually requires more effort with a lot less reward. Doing it "for the lulz" would mean making sure the largest number of people at a time are affected.
Lulzsec has no doubt increased awareness of internet security, that is no argument there. What they are doing is illegal. This is true, too. The best way that this all comes to a win is people demand for and also implement better security on their systems, both corporate and private, and everyone at Lulzsec gets incarcerated. If some of them strike a deal where they work for the government or such in exchange for suspended sentences, that will be fine with me. But there comes a time when there is building awareness and then just outright destroying things for laughs or such. I think the latter falls under the definition for terrorism.

 

[Duskflamer]

Correct me if I'm wrong, but if you prove yourself to be inferior to the hackers, why would anyone want to be your client?

because people are dumb panicky animals. Increase in awareness that cyber security is needed will mean increased business for any cyber security company that can stay afloat, regardless of how capable they actually are at stopping the hackers

 

[Twilight_guy]

So basically what your saying is that security people love them because they are showing that security people are impotent?

I'm no sure what this is supposed to tell us. No security is perfect, thanks for that, but its not like you can run something like the PSN without any information at all. Its not about not getting hacked its about stopping it as best as possible since its a necessity to have information. So your saying that it points out security is not good but all that means is throw more money at it. Its not like we've come to some big epiphany where were not going to use servers anymore or something.

 

[commodore96]

Security Analyst Explains Why We Love Lulzsec

He also pointed out that "state-sponsored hackers, likely Chinese," have even been able to break into networks belonging to major U.S. military-industrial corporations and make off with sensitive information.

Permalink

Wow that freaked me out a little more than this whole article. I thought the government would be pretty lock downed with internet security.

 

[Sinclair Solutions]

I guess this is sort of true. I am sort of glad that companies will learn from this. A huge fuck up now may mean better security in the future. But I don't respect these people. Doing heinous crimes "for the lulz" or whatever contrived reason makes me lose faith in humanity.