Stolen Pixels #260: The Dark Fortress

JDKJ

New member
Oct 23, 2010
2,065
0
0
Postal47 said:
JDKJ said:
If the White House server, with the resources of the entire federal government behind it, can be hacked multiple times, why should Sony be any different?
Because unlike the federal government, Sony has to keep its customers happy to make a profit and stay in business. Bradley Manning (who is not a hacker) was able to "steal" (allegedly steal) secrets from the DOD by simply going to a DOD computer and burning them onto a Lady Gaga CD. They (the DOD) didn't even have basic Windows permissions set up properly! My point is, don't use the government as your gold standard for information security.
I think Manning's ability to take the information had less to do with the way Windows was set up and more to do with the fact that he had top secret clearance.
 

Anti-Robot Man

New member
Apr 5, 2010
212
0
0
JDKJ said:
There's no proactive defense. If they want in, they'll get in and there ain't nothing anyone can do to stop them.
The same is true of your home, if an intruder wants in they will get in, doesn't mean you shouldn't bother locking your doors and using an alarm.

I don't think anyone expects Sony's servers to be unassailable, but they could have been more secure and better monitored. There are hackers who do things for the prestige, or an axe to grind, but the typical criminal hacker is doing things to make money - the easier the target the easier it is to make that money, if you make something sufficiently hard and the reward for success isn't that great they will be discouraged and look at juicier targets.
 

JDKJ

New member
Oct 23, 2010
2,065
0
0
Anti-Robot Man said:
JDKJ said:
There's no proactive defense. If they want in, they'll get in and there ain't nothing anyone can do to stop them.
The same is true of your home, if an intruder wants in they will get in, doesn't mean you shouldn't bother locking your doors and using an alarm.

I don't think anyone expects Sony's servers to be unassailable, but they could have been more secure and better monitored. There are hackers who do things for the prestige, or an axe to grind, but the typical criminal hacker is doing things to make money - the easier the target the easier it is to make that money, if you make something sufficiently hard and the reward for success isn't that great they will be discouraged and look at juicier targets.
But it doesn't appear in Sony's case that financial gain is the objective. That it could be is undermined by the fact that the data stolen from the San Diego server hasn't been used in any reported fraudulent activity and the data stolen from the Greece server was posted to the internet. If it is the case that financial gain isn't what motivates the hacks, then the hackers are unlikely to move on to easier pickings no matter how unattractive a target Sony tries to make itself. They're likely to continue their hactivities unabated. And, if they do, it'll only be a matter of time before another one of Sony's servers is hacked.

And if the motivation wasn't financial gain, then there's little Sony could have done in the first instance to prevent the San Diego hack. The hackers, not being calculating criminals, would have kept on attempting to intrude until they found a way to intrude. Regardless of how "secure" Sony's server was at the time.
 

Anti-Robot Man

New member
Apr 5, 2010
212
0
0
JDKJ said:
But it doesn't appear in Sony's case that financial gain is the objective. That it could be is undermined by the fact that the data stolen from the San Diego server hasn't been used in any reported fraudulent activity and the data stolen from the Greece server was posted to the internet. If it is the case that financial gain isn't what motivates the hacks, then the hackers are unlikely to move on to easier pickings no matter how unattractive a target Sony tries to make itself. They're likely to continue their hactivities unabated. And, if they do, it'll only be a matter of time before another one of Sony's servers is hacked.

And if the motivation wasn't financial gain, then there's little Sony could have done in the first instance to prevent the San Diego hack. The hackers, not being calculating criminals, would have kept on attempting to intrude until they found a way to intrude. Regardless of how "secure" Sony's server was at the time.
I agree in this particular case that the most prominent attacks were specifically to hurt Sony (and its userbase). But I find it highly improbable that the motive isn't financial gain for many hackers. If it wasn't, wouldn't they stick to DoS attacks, why go after userdata/accounts?
Even if the attacks were entirely ideological/vandalism, we could argue that Sony could have taken the preventative step of not antagonising the hacking community to the degree they did - particularly if they were aware that their system was as vulnerable as it proved to be. I'm not saying they could have anticipated the level of attacks they received, nor should they let piracy slide, but the combination of antagonising hackers with a network with a dubious level of security was a terrible miscalculation on their part. We're still seeing reports of relatively simple and easy attacks being viable.

I understand how fast any security tech becomes vulnerable, but the only viable option is to keep on the bleeding edge as much as possible, time & difficulty are the only deterrent - this incident has been and will continue to be extremely costly for Sony. I hope both they and other companies learn that network security and data protection have to be among their highest priorities.
 

Postal47

New member
Jul 20, 2009
18
0
0
JDKJ said:
Postal47 said:
JDKJ said:
If the White House server, with the resources of the entire federal government behind it, can be hacked multiple times, why should Sony be any different?
Because unlike the federal government, Sony has to keep its customers happy to make a profit and stay in business. Bradley Manning (who is not a hacker) was able to "steal" (allegedly steal) secrets from the DOD by simply going to a DOD computer and burning them onto a Lady Gaga CD. They (the DOD) didn't even have basic Windows permissions set up properly! My point is, don't use the government as your gold standard for information security.
I think Manning's ability to take the information had less to do with the way Windows was set up and more to do with the fact that he had top secret clearance.
I don't know for sure what level security clearance he had, but as he was not very high ranking or in a sensitive position, I wouldn't think it would be that high. Also, from everything I've read about the case, none of the info he leaked was classified top secret. The Windows permissions problem I referenced was related to the fact that they can't prove that Manning took the files because they didn't have secure, individual logins for each user on their PCs, which is very basic security stuff.
 

JDKJ

New member
Oct 23, 2010
2,065
0
0
Anti-Robot Man said:
JDKJ said:
But it doesn't appear in Sony's case that financial gain is the objective. That it could be is undermined by the fact that the data stolen from the San Diego server hasn't been used in any reported fraudulent activity and the data stolen from the Greece server was posted to the internet. If it is the case that financial gain isn't what motivates the hacks, then the hackers are unlikely to move on to easier pickings no matter how unattractive a target Sony tries to make itself. They're likely to continue their hactivities unabated. And, if they do, it'll only be a matter of time before another one of Sony's servers is hacked.

And if the motivation wasn't financial gain, then there's little Sony could have done in the first instance to prevent the San Diego hack. The hackers, not being calculating criminals, would have kept on attempting to intrude until they found a way to intrude. Regardless of how "secure" Sony's server was at the time.
I agree in this particular case that the most prominent attacks were specifically to hurt Sony (and its userbase). But I find it highly improbable that the motive isn't financial gain for many hackers. If it wasn't, wouldn't they stick to DoS attacks, why go after userdata/accounts?
Even if the attacks were entirely ideological/vandalism, we could argue that Sony could have taken the preventative step of not antagonising the hacking community to the degree they did - particularly if they were aware that their system was as vulnerable as it proved to be. I'm not saying they could have anticipated the level of attacks they received, nor should they let piracy slide, but the combination of antagonising hackers with a network with a dubious level of security was a terrible miscalculation on their part. We're still seeing reports of relatively simple and easy attacks being viable.

I understand how fast any security tech becomes vulnerable, but the only viable option is to keep on the bleeding edge as much as possible, time & difficulty are the only deterrent - this incident has been and will continue to be extremely costly for Sony. I hope both they and other companies learn that network security and data protection have to be among their highest priorities.
That's quite the dilemma, isn't it? The choice between making the pirates happy or making the hackers happy. Fucked if you do, fucked if you don't.

I don't think specifically hurting the userbase was intended. That's just a collateral consequence about which the hackers don't give a rat's ass.
 

JDKJ

New member
Oct 23, 2010
2,065
0
0
Postal47 said:
JDKJ said:
Postal47 said:
JDKJ said:
If the White House server, with the resources of the entire federal government behind it, can be hacked multiple times, why should Sony be any different?
Because unlike the federal government, Sony has to keep its customers happy to make a profit and stay in business. Bradley Manning (who is not a hacker) was able to "steal" (allegedly steal) secrets from the DOD by simply going to a DOD computer and burning them onto a Lady Gaga CD. They (the DOD) didn't even have basic Windows permissions set up properly! My point is, don't use the government as your gold standard for information security.
I think Manning's ability to take the information had less to do with the way Windows was set up and more to do with the fact that he had top secret clearance.
I don't know for sure what level security clearance he had, but as he was not very high ranking or in a sensitive position, I wouldn't think it would be that high. Also, from everything I've read about the case, none of the info he leaked was classified top secret. The Windows permissions problem I referenced was related to the fact that they can't prove that Manning took the files because they didn't have secure, individual logins for each user on their PCs, which is very basic security stuff.
Instead of guessing and since you're sitting right in front of the internet, why don't you just do a quick Google search of "Bradley Manning" AND "clearance?" Then you'll know for a fact that he was an intelligence analyst with "top secret" clearance, the highest level of security clearance the Army can grant.

The computer from which he downloaded the information was contained in a guarded room to which only those with "top secret" clearance were admitted.
 

Postal47

New member
Jul 20, 2009
18
0
0
JDKJ said:
Postal47 said:
JDKJ said:
Postal47 said:
JDKJ said:
If the White House server, with the resources of the entire federal government behind it, can be hacked multiple times, why should Sony be any different?
Because unlike the federal government, Sony has to keep its customers happy to make a profit and stay in business. Bradley Manning (who is not a hacker) was able to "steal" (allegedly steal) secrets from the DOD by simply going to a DOD computer and burning them onto a Lady Gaga CD. They (the DOD) didn't even have basic Windows permissions set up properly! My point is, don't use the government as your gold standard for information security.
I think Manning's ability to take the information had less to do with the way Windows was set up and more to do with the fact that he had top secret clearance.
I don't know for sure what level security clearance he had, but as he was not very high ranking or in a sensitive position, I wouldn't think it would be that high. Also, from everything I've read about the case, none of the info he leaked was classified top secret. The Windows permissions problem I referenced was related to the fact that they can't prove that Manning took the files because they didn't have secure, individual logins for each user on their PCs, which is very basic security stuff.
Instead of guessing and since you're sitting right in front of the internet, why don't you just do a quick Google search of "Bradley Manning" AND "clearance?" Then you'll know for a fact that he was an intelligence analyst with "top secret" clearance, the highest level of security clearance the Army

The computer from which he downloaded the information was contained in a guarded room to which only those with "top secret" clearance were admitted.
 

JDKJ

New member
Oct 23, 2010
2,065
0
0
Postal47 said:
JDKJ said:
Postal47 said:
JDKJ said:
Postal47 said:
JDKJ said:
If the White House server, with the resources of the entire federal government behind it, can be hacked multiple times, why should Sony be any different?
Because unlike the federal government, Sony has to keep its customers happy to make a profit and stay in business. Bradley Manning (who is not a hacker) was able to "steal" (allegedly steal) secrets from the DOD by simply going to a DOD computer and burning them onto a Lady Gaga CD. They (the DOD) didn't even have basic Windows permissions set up properly! My point is, don't use the government as your gold standard for information security.
I think Manning's ability to take the information had less to do with the way Windows was set up and more to do with the fact that he had top secret clearance.
I don't know for sure what level security clearance he had, but as he was not very high ranking or in a sensitive position, I wouldn't think it would be that high. Also, from everything I've read about the case, none of the info he leaked was classified top secret. The Windows permissions problem I referenced was related to the fact that they can't prove that Manning took the files because they didn't have secure, individual logins for each user on their PCs, which is very basic security stuff.
Instead of guessing and since you're sitting right in front of the internet, why don't you just do a quick Google search of "Bradley Manning" AND "clearance?" Then you'll know for a fact that he was an intelligence analyst with "top secret" clearance, the highest level of security clearance the Army can grant.

Which does not in any way discount the two points I made.

The computer from which he downloaded the information was contained in a guarded room to which only those with "top secret" clearance were admitted.
Well, yes, it kinda does. Your points, as I understand them, are that the Army's computer set-up was lacking in security owing to a lack of a user log-in requirement which somehow made it easy for Manning to take the information. But the fact that the computer from which he took the information was in a room guarded by Military Police who don't allow access by anyone who doesn't have "top secret" clearance and Manning had the clearance required to access and use the computer does discount your points. The Army's mistake doesn't lie in not having some freakin' log-in requirement on a computer. It lies in giving a clearly mentally disturbed person "top secret" clearance.
 

Postal47

New member
Jul 20, 2009
18
0
0
So the computer was in a locked and guarded room, but they let him enter and leave the room with removable media? Physical security is a major part of network security. P.S. You'd be mentally disturbed too if you were put in solitary confinement for almost a year.
 

JDKJ

New member
Oct 23, 2010
2,065
0
0
Postal47 said:
So the computer was in a locked and guarded room, but they let him enter and leave the room with removable media? Physical security is a major part of network security. P.S. You'd be mentally disturbed too if you were put in solitary confinement for almost a year.
Can I ask why you chose the Manning case as an example of whatever when it seems to me that you don't know much about the facts of that case?

P.S.: Manning was manifesting odd behavior long before he was arrested by the military. In fact, he was about to be discharged from the Army for "adjustment disorder."
 

Spinwhiz

New member
Oct 8, 2007
2,871
0
0
Well done Shamus. Perhaps SONY should also add some liquid cooling that is red, which is fueled by hacker blood!
 

Postal47

New member
Jul 20, 2009
18
0
0
I didn't know his security clearance, so I automatically don't know anything else about the case? I've read extensively about this case, but I've read mainly about his detainment, not his alleged crime, because frankly I don't care much about the allegations. I have never claimed to be an expert on the case, and I've politely taken you at your word about every aspect of the case, because contrary to your prior statement I am not sitting in front of a computer, I am writing this from my phone on my breaks from work, and I don't have much time for fact checking. Yes, I have heard the claims that Manning had issues prior to his alleged crimes, but this only a) makes the nature of his detainment that much more despicable and b) makes the Army's network security policies look that much worse. My initial point about the Manning case was that the Army neglected basic physical security measures on their network, and nothing I have heard so far contradicts that point.
 

Agayek

Ravenous Gormandizer
Oct 23, 2008
5,178
0
0
JDKJ said:
If the White House server, with the resources of the entire federal government behind it, can be hacked multiple times, why should Sony be any different? Sony's situation just makes clear what everybody should have long ago figured out: once you've become an attractive target for hackers, there's not much you can do but respond retroactively to them. There's no proactive defense. If they want in, they'll get in and there ain't nothing anyone can do to stop them.
Except there really is. Disconnect your network and no one's getting in at all :p
 

thom_cat_

New member
Nov 30, 2008
1,286
0
0
http://www.gameinformer.com/b/news/archive/2011/05/24/report-sony-websites-in-three-countries-hacked.aspx is all I have to say.
 

noobartist1

New member
Apr 11, 2011
15
0
0
Agayek said:
JDKJ said:
If the White House server, with the resources of the entire federal government behind it, can be hacked multiple times, why should Sony be any different? Sony's situation just makes clear what everybody should have long ago figured out: once you've become an attractive target for hackers, there's not much you can do but respond retroactively to them. There's no proactive defense. If they want in, they'll get in and there ain't nothing anyone can do to stop them.
Except there really is. Disconnect your network and no one's getting in at all :p
Except the US government totally did. And they even put guards in front of the locked room. GUARDS!! WITH GUNS!!

No security is failsafe. There's bound to be some ***** in the firewall, some vulnerability in the operating system, some failure in the multiple interacting software, some wire tapped from outside the secure areas, some sniffer picking up data between computers, some gullible employee to con his/her password... etc... and even if you saved against all that, you'd still have a person who you would think you can trust with your life, walking in and emptying your database.
 

duchaked

New member
Dec 25, 2008
4,451
0
0
Playstation...it only does everything!

but that's some nice beefed up security. seems quite hardy
and scary