12 comments

[ 0.70 ms ] story [ 26.2 ms ] thread
This is not related to today's events but an older article.
This article highlights 2 things for me:

1) White text on black is really hard to read. I had to edit the style to read it comfortably.

2) I now get why I don't like Twitter. It's impossible to have a conversation or debate on it. This post was a direct result of that impossibility.

I now get why I don't like Twitter. It's impossible to have a conversation or debate on it. This post was a direct result of that impossibility.

Slightly OT, but the New Yorker recently profiled Jarod Lanier[1] where he critiques social networking sites as dehumanizing and designed to encourage shallow-interactions. There are also a lot more interesting viewpoints including calling Wikipedia a triumph of "intellectual mob rule". I would highly recommend the article as a "Devil's advocate" sorta reading, which is unfortunately behind a paywall[2].

[1] http://en.wikipedia.org/wiki/Jaron_Lanier

[2] http://www.newyorker.com/reporting/2011/07/11/110711fa_fact_...

Does anybody else think that the kitchen table analogy totally stands? I have things in my house that contain a significant number of other people's personal information in them. I don't lock them in an extra protected safe in my house because I consider my house to be (relatively) secure by both convention and practice. If somebody were to forcibly enter my house and steal that information and publish it on the internet it would be breaking and entering, regardless of any overarching political point that person was trying to make.

It would also be a huge invasion of my personal privacy which to me seems like something only a jerk would do.

I'm not trying to analogize these things to Anonymous or LulzSec, but I am saying I don't think these arguments for their motives pass any kind of logical test.

Depending on the personal information, you may be liable if someone breaks into your house and steals it. Patient records that should never have been taken home come to mind. Secret / confidential information left in a car. Etc.

That doesn't absolve the thief of any guilt, but it DOES mean you are responsible for how well you secure certain types of information.

It's an interesting point that you make, but I think the analogy is generally flawed for most people.

Most people don't carry around a significant amount of personal information of others (I have an electronic address book, but I don't have my friend's credit card/banking/social security numbers).

This rings rather personally to me, and I do consider it an absolutely jerk move. Of course, being irresponsible with other peoples' information is also a jerk move. In 1999, an HR rep copied into Excel the entire contents of the employee database (something he knew was not acceptable practice). A disgruntled support tech discovered this while rummaging through his computer and posted all of that data on a public, searchable web site. At the time (and this may still be the case) it was not illegal to post the information that he did, which included social security numbers, mother's maiden names, birthdays and a bunch of other details. It took a few years to get the site properly shut down, to catch the guy, and to prosecute him for the theft of the data. It's been a fun decade closely monitoring and correcting my credit reports.

I disagree, I have no expectation that my personal friends will be taking measures to ensure my privacy, I have not paid them money and signed off on a TOS that says they will take measures to protect my personal information. So if someone broke into their house and stole my information it would certainly be unfortunate, but I would not have expected them to be keeping this information encrypted or secured in any significant way.

However, those are not my expectations with a company. I paid Sony for a PS3 and by extension to use PSN and I signed their TOS with the understanding that they would protect my personal information. The same goes for the information that I give my bank, or any other business that I provide my personal information too.

The analogy doesn't break down because of the illegality of the act, there is little doubt that both breaking into your house and breaking into your server are both illegal. Instead the analogy breaks down because I have almost no expectation that my friends will take significant steps to protect my personal data, but I do have expect (and in most cases I have a written promise in the TOS) that the companies I provide my information to will protect it.

I see what you're saying here. The notion that this would be more analagous to a corporate office break-in makes more sense, but it still seems like a poor argument for why what LulzSec is doing, though seemingly negative, is actually beneficial.

I mean, if we were talking about LulzSec exploiting the locks on the corporate office doors or socially engineering their way past security to get at physical files, scanning them and then posting them on the internet, I don't think many people would say that what LulzSec is doing is for the good of humankind, you know?

To make the analogy more fair, let's say your house (filled with people's personal information) had an unlocked secret entrance way, even though many lock experts say that unlocked entrance ways are generally unsafe. People may or may not be going into your house everyday while you're gone, and using that personal information while everyone remains blissfully unaware. One day, someone comes in and takes all the personal information and publishes it to show how insecure it is.

Yes, the person breaking in may be a jerk, but maybe people will put locks on their doors now.

I don't think that physical locks are much more secure than a reasonably secured apache instance, which is definitely still exploitable, just like the locks on my door are, which I guess is part of why I think saying the analogy to papers on my kitchen table doesn't work rubs me the wrong way. It's _totally_ analagous.

There wouldn't be any rebuttal or arguing that LulzSec's work is actually good because it's going to increase security if we were talking about physical break ins to real buildings, even though there are many well known attack vectors on most modern locks.

The problem is that many of the recently published hacks are embarrassingly simple. These are hacks that are impossible if you have a decent security policy in place. The biggest issue, and the one that these hacks are highlighting, is that the software industry has a huge security problem. And this is mostly because the industry has a huge quality problem (security is an aspect of quality, it's not a feature).

It's not that it's that much more expensive to build high-quality secure software. The research indicates that high-quality software projects are actually cheaper than average software projects because the maintenance cost is much lower. The state of the art is far removed from the average practition of the art. Nobody has a solution for that. Lulzsec are just a symptom, they are not the problem.

What I find particularly striking in this is that attrition.org has been strongly tied to the antisec movement in the past. This leads me to think that the previous "doxing" or disclosure of lulzsec members identities were either staged or a rogue incident. Older antisec groups then appears to be more involved in this recent lulzsec surge