> Or security on all of these websites really sucks
Ding ding ding, we have a winner. I know nothing about the specific cases here, but web security is generally a joke. Very, very few companies take it seriously and have a proper security methodology. Without this, it's like stealing candy from a baby... with no arms or legs.
> Or security on all of these websites really sucks
Yup. The status quo / baseline of security online is terrible.
Slashdot rumor has it they've got themselves an Apache 0-day, but other hypothesizes have then SQL injecting or otherwise exploiting the webapps themselves.
Either way, the rate of attacks in the world hasn't changed, just these guys have gone back to the old way of yelling about what they accomplish rather than remaining silent.
Their data-dump attacks have been by SQLi, I think; they generally publish the URL of the vulnerable input in their release.
They're using other means to root machines, though. My guess is that anybody that took the right classes in college could be doing exactly what they're doing now.
This incident is much less of a big deal than any of the others, since (having looked at the actual files they accessed) there's nothing even slightly sensitive or even interesting in there.
If it is, it would be the stupidest reason for going to war, ever.
Not that an assassination or bogus claims of WMD or the slicing of a captain's ear are any less stupider, but wouldn't it be funny if WW3 would start because of an April 1st joke done for the lulz?
What is Gmail doing on that list? The only news I've seen mentioning them has been a spear-headed phishing attack directed at a small subset of their users. People falling for scams is no fault of the software provider.
They're pointing out what many of us have observed for years in our work-a-day lives.
I used to try to point such problems out to responsible parties, when I'd come across them in my work or personal affairs. Most often, at best I received complete indifference. As often as not, I received hostility.
Mind you, I didn't hack anything. Just told a product owner or officer 'you have a problem here, with this (specifically this), that you might want to take look at'. For the sake of your customers. For the sake of the/your business's reputation, not to mention risk exposure.
I have very little sympathy for many of the people/agencies currently falling "victim". Especially not considering the budgets at their disposal. Where they are not outright incompetent, they've been practicing willful ignorance.
And then, we get yet more draconian laws as a lame, but destructive, attempt at a compensation mechanism.
Do your fucking jobs. Don't legislate (or "black ops") a "three monkeys" burden for the rest of us. The responsible parties (and not just "the techs") should be fired for nonfeasance, if not misfeasance or malfeasance.
The second comment there (and the people agreeing with it) are the real problem. They actually think things are more secure if nobody talks about them being insecure. They're more worried about troublesome security issues than the safety of their own information.
So I'm going to solve their problems: If it ever comes to a point that internet services are too hard to use because of the necessary security measures, I will happily create a low-security site of the same type. You can give me your info and money and I will happily hold it on my insecure site so that it's easy for you (and everyone else) to access.
17 comments
[ 1.9 ms ] story [ 46.4 ms ] threadSo the past couple of weeks I can remember the following sites getting pwned:
All Sony sites. GMail. The I.M.F. Citibank Pron.com Nintendo Epic Games Senate.gov
From all the high profile services hacked one can start making the following hypothesis:
> There's a major hole in the linux kernel or OS and they're just having so much fun with it.
> They have infiltrated all of these organizations and have people from within opening the doors
> They are the X-Men of hacking
> They're the Chinese government X-Men of hacking
> Or security on all of these websites really sucks
(Keep adding your hypothesis)
Most plausible hypothesis
Ding ding ding, we have a winner. I know nothing about the specific cases here, but web security is generally a joke. Very, very few companies take it seriously and have a proper security methodology. Without this, it's like stealing candy from a baby... with no arms or legs.
Yup. The status quo / baseline of security online is terrible.
Slashdot rumor has it they've got themselves an Apache 0-day, but other hypothesizes have then SQL injecting or otherwise exploiting the webapps themselves.
Either way, the rate of attacks in the world hasn't changed, just these guys have gone back to the old way of yelling about what they accomplish rather than remaining silent.
They're using other means to root machines, though. My guess is that anybody that took the right classes in college could be doing exactly what they're doing now.
Not that an assassination or bogus claims of WMD or the slicing of a captain's ear are any less stupider, but wouldn't it be funny if WW3 would start because of an April 1st joke done for the lulz?
I used to try to point such problems out to responsible parties, when I'd come across them in my work or personal affairs. Most often, at best I received complete indifference. As often as not, I received hostility.
Mind you, I didn't hack anything. Just told a product owner or officer 'you have a problem here, with this (specifically this), that you might want to take look at'. For the sake of your customers. For the sake of the/your business's reputation, not to mention risk exposure.
I have very little sympathy for many of the people/agencies currently falling "victim". Especially not considering the budgets at their disposal. Where they are not outright incompetent, they've been practicing willful ignorance.
And then, we get yet more draconian laws as a lame, but destructive, attempt at a compensation mechanism.
Do your fucking jobs. Don't legislate (or "black ops") a "three monkeys" burden for the rest of us. The responsible parties (and not just "the techs") should be fired for nonfeasance, if not misfeasance or malfeasance.
http://online.wsj.com/article/SB1000142405270230425930457637...
WW3 is fought on the internets.
So I'm going to solve their problems: If it ever comes to a point that internet services are too hard to use because of the necessary security measures, I will happily create a low-security site of the same type. You can give me your info and money and I will happily hold it on my insecure site so that it's easy for you (and everyone else) to access.
Problem solved.
That's the real lulz!