Shostack + Friends Blog Archive

 

Are Lulz our best practice?

Over at Risky.biz, Patrick Gray has an entertaining and thought-provoking article, “Why we secretly love LulzSec”:

LulzSec is running around pummelling some of the world’s most powerful organisations into the ground… for laughs! For lulz! For shits and giggles! Surely that tells you what you need to know about computer security: there isn’t any.

And I have to admit, I’m taking a certain amount of pleasure in watching LulzSec. Whoever’s doing it are actually entertaining, when they’re not breaking the law. And even sometimes when they are. But at those times, they’re hurting folks, so it’s a little harder to chortle along.

Now Patrick’s argument is in the close, and I don’t want to ruin it, but I will:

So why do we like LulzSec?

“I told you so.”

That’s why.

The essence of this argument is that we in security have been telling management for a long time that things are broken, and we’ve been ignored. We poor, selfless martyrs. If only we’d been given the budget, we would have implemented a COBIT ISO27001 best practices program of making users leap through flaming hoops before they got their job done, and none of this would ever have happened. We here in the business of defending our organizations would love to have been effective, except we weren’t, and now we’re mother-freaking cheering a bunch of kids who can’t even spell LOL? Really? I told you so? Is that the best that we as a community will do?

Apparently.

We’re being out-communicated by folks who can’t spell.

Why are we being out-communicated? Because we expect management to learn to understand us, rather than framing problems in terms that matter to them. We come in talking about 0days, whale pharts, cross-site request jacking and a whole alphabet soup of things whose impact on the business is so crystal-clear obvious that it goes without saying.

And why are we being out-communicated? Because every time there’s a breach, we cover it up. We claim it wasn’t so bad. Or maybe that the poor, hapless American citizen will get tired of hearing about the breaches. And so we’re left with the Lulz crowd breaking and entering for shits and giggles to demonstrate that there are challenges in making things secure.

I don’t mean to sound like a broken record, but maybe we should start talking openly about breaches instead. Maybe then, we’d get somewhere without needing to see Sony, PBS, and InfraGard attacked. Heck, maybe if we talked about breaches, one or more of those organizations would have learned from the pain of others.

Nah.

Let’s just wait for “the world’s leaders in high-quality entertainment at your expense” to let us say I told you so.

It sure is easier than admitting our communications were sub-par.

[Thanks for the many good comments! I’ve written a follow-up post on the topic of communication, “Communicating with Executives for more than Lulz.”]

67 comments on "Are Lulz our best practice?"

  • Joe Hall says:

    Great stuff, Adam. I definitely think there’s more to it than communication and sharing data (as I’m sure you do too). I mean how. many. goddamn. times. have you heard someone respond to security reasoning with, “That’s never happened/been a problem before?” or “The probability of that being an issue is how small?”

    I’ve long said that the area I mostly work in, government elections, could benefit greatly from actual adversaries trying to attack stuff (either they’re not doing it now, or we just don’t detect them). That is, it seems some background level of adversarial behavior can inject some darwinism, so to speak, into the security environment such that if you slack off too much, you will dramatically increase your pwnage probability. I share your mixed feelings and, as I sense, I also fall on the “net not impressed” side. I just hope no one tells LulzSec about internet voting efforts… yeah… yikes.

  • kurt wismer says:

    i see, so the reason infosec pros are so enamored with lulzsec is that lulzsec gives them hope that the higher-ups really can be reached and made to understand.

    i’m sorry but they’re out-communicating you because instead of saying to management “the sky might fall on our heads” they’re bringing the sky down on your heads.

    people don’t want to believe the dire warnings that infosec people give them, regardless of understanding. the only way to overcome that denial is with the cold hard reality of an actual incident (which would get you fired if you tried to use it yourself to communicate the point to management).

    and that denial is ultimately going to hold back lulzsec’s communications too. most people in management at orgs that aren’t hit, who don’t feel that sting, are going to continue believing it won’t/can’t happen to them. until it does.

  • shrdlu says:

    Let’s not forget that these particular institutions are being deliberately targeted for political reasons, and to make an example of them. They’re not hitting Bob’s Online Linen Shoppe, or the American Cancer Association, or even Fandango.com. Executives can figure out that being targeted isn’t a random or even highly probable event unless you fit particular risk profiles, such as taking a side in the DRM wars. So they really aren’t going to believe the sky is falling unless they also believe that someone can and will choose to bring it down on their heads.

    • hrbrmstr says:

      Mostly agree with the “executives can figure out” part. I can’t tell you how much a certain security executive may have tried to communicate the real threat actor profile (including likelihood & frequency of threat action) and suggested pace of desired new control implementation since the Sony & Lockheed breaches to (almost) no avail.

      Granted, if you’re at -2 on the Security CMMI scale, perhaps knee jerking to the Sony debacle is warranted and even acceptable 🙂

  • Nameless says:

    You sir are a moron. It’s people like you, that will extend pain and suffering in this world for as long as possible.

    How can you write a serious article and your main point is they can’t spell? ARE YOU FUCKING KIDDING ME? THAT’S IT?
    That’s your strong point???

    You seriously believe that they can’t spell “lol”?

    Even if they can’t what does this have to do with your point?

    • JayAre says:

      His point was that these kids, while unable to spell even the simplest of acronyms, have us by the short and curlys. He wasn’t saying that literally, of course, but without misunderstanding, folks such as yourself would never get the opportunity to look like a douche. I, for one, am glad you never learned to read good. Context is a bitch, I know… now cunt the fuck off and stop shitting up my interwebs!

      • serp says:

        Read well. Not good.

        The people in security are misusing Lulzsec’s agenda to cover for their own shortcomings.

      • Blah says:

        So….. you experts are getting your asses handed to you by kids that are only semi-literate? That’s what you’re saying? Really? That’s lulzy. Be happy management doesn’t pay attention to you then……. if they did, they’d probably fire you.

    • wow says:

      Wow, you are a serious douche

  • VirtualBlackfox says:

    When you say “The sky might fall” management think mainly of the cost necessary to defend against it. When they see the sky falling on others they think of the disaster that it would have been if it happened to them.

    The best automobile security commercials are the ones showing the “Happy family where dad kills all his kids because he was driving back home drunk” not the ones with death statistics.

  • Rando says:

    L2Meme

    Lulz as in “I did it for the lulz” is not a substitute for lol

  • Hmmm. says:

    “Because we expect management to learn to understand us”

    No, we expect them to understand what’s important to their own business. Most of us are perfectly capable of explaining technical concepts in “business” terms but if management won’t make time in their calendar for it, or don’t think it’s a problem because “we’ve been OK so far”, whose fault is that?

    Was the financial crisis caused by people like Paul Moore http://www.telegraph.co.uk/finance/4582535/Senior-HBOS-executive-sacked-for-warning-of-banking-crisis.html being bad communicators, or by the greedy pricks that were above them?

  • Anonymous says:

    “Lulz” is a deliberate corruption of “LOL.” Their spelling isn’t an accident, and it’s off-putting to see their spelling used as a main point in an otherwise well thought out article.

  • Anonymous says:

    Embrace these events.

    Accept that these events will continue and increase in quantity and level of destruction.

    This is the new normal.

    You should thank them for the increase in business.

    You should thank them for showing people how terrible information security is.

    Respect your enemy.

  • Liveware Problem says:

    Wow. Management apologism and a blanket declaration that security pros are failures because they cannot communicate. That’s just fantastic.

    There are security, infrastructure and network pros that take infosec concerns to management, clearly presenting them in terms of business impact.

    And they still get their requests ignored/unfunded/backburnered.

    As for the breach as an instructive example… I’ve seen instances where a breach occurred, the cause was identified, a workable solution proposed and OK’d… and months or years later a simple configuration change to fix the issue is still not on the implementation schedule.

    Let’s stop, right now always pointing the finger at the technical person who can’t articulate concerns in a way the business can understand as the problem in every case.
    Let’s start to at least consider that management can be wilfully blind to the severity of an issue, even post-breach.

    Let’s seriously consider that this attitude just may be an equal contributor to the state of affairs that is being exposed through LulzSec’s spree.

    And also, it’s not a misspelling of LOL, it’s lulz. That’s intentional.

  • Rhonda says:

    Until businesses lose actual money, through theft or loss of their customer base, they simply have no incentive to change.

    Capitalism is a pure money calculation.

    • Dw33b0h says:

      spot on, you have hit that nail on the head! the only organ a businessman thinks with is his wallet….

  • Le Hiboux says:

    LULZ

  • cybr says:

    lulz is how you spell lulz, you dolt.

    It’s an onomatopoeia of ‘lol’s’.

    • ML says:

      I’m a dolt too, by the looks of things, but a grateful one, now that I know thanks to you what the heck that name signifies! I feel so much better, strangely!!

  • jeremi says:

    budget isn’t the problem. never was, and never has been. the problem is with people who think budget is the problem. try throwing engineering skills at security problems instead of money.

    • theonlyone says:

      I have a hard time imagining throwing engineers at money.

      • Phil Ward says:

        Whereas I can easily imagine money being thrown at engineers, but not so much the other way round :/

  • Andre Gironda says:

    “Whoever’s doing it are actually entertaining, when they’re not breaking the law. And even sometimes when they are. But at those times, they’re hurting folks, so it’s a little harder to chortle along”

    To be honest, I hate LulzSec. They are doing all of the work that I need to do for these companies for free. I charge 200 dollars per hour for this “awareness” work, so this is not cool. It’s like they are flushing future money down the toilet for some sort of immediate gratification.

    Maybe in a few years, they’ll be profiting from these breaches like normal, grown-up people do.

    “If only we’d been given the budget, we would have implemented a COBIT ISO27001 best practices program of making users leap through flaming hoops before they got their job done, and none of this would ever have happened”

    COBIT and ISO 27001 are very different. COBIT is closer to ISO 27002, where numerous controls are listed/mapped (ISO 27001 only lists 127 control categories, but also lists guiding principles). GAIT-R can be utilized for scoping, which is a key activity to decide which frameworks fit the target organization(s) best (ISACA would probably always say COBIT, but fortunately that’s not how GAIT-R works).

    I think modern information security management departments can get by on more simple solutions for the program (e.g. Visible Ops Security or the SANS Critical Controls), but need to develop a sidelined information security risk management program (e.g. NIST 800-30 to qualify the bulk of risks, and FAIR to dig deeper into critical or systemic risks).

    I highly recommend the new book, “Security Risk Management: Building an Information Security Risk Management Program from the Ground Up”. It goes into building these programs and I think they can be very enriching. Risk assessments are usually done using practices from the 1980s — we really need to improve our game here.

    “And why are we being out-communicated? Because every time there’s a breach, we cover it up. We claim it wasn’t so bad. Or maybe that the poor, hapless American citizen will get tired of hearing about the breaches”

    Most organizations handle incidents in 1 of 2 ways: 1) They staff based on incidents and have handlers deal with incidents as their primary job. The right incident handling specialist (e.g. NT/Unix systems, database, directory, messaging, network, application) is matched to the right job, and the others provide support/backup/verification. It’s a full time job and the responsibilities are not shared with other tasks. 2) A CISO/CSO/whoever asks the compromised machine(s) to be taken off the network and/or have its disks removed. The disks are placed in a safe and/or hidden from system administrators, security professionals, counsel, and auditors. Nobody is told about the incident and the people who discovered it or took part in the process of shutting off the network and removing the disks are asked to keep quiet (or forced to keep quiet). Two years later (after having done this a few times), the CISO/CSO quits.

    • jeremi says:

      “profiting off breaches”: amazing.

      • Scott says:

        I believe that was meant as “profiting by providing a service that identifies (and corrects) vulnerabilities that are presently leading to breaches”. Honorable and reasonable.

  • Marcus says:

    I’m not a corporate web developer, so forgive my ignorance. What I’m not understanding is how it’s upper management’s fault that web coders aren’t keeping cross-site scripting and SQL injection vulns out of their code? Most of the vulnerabilities that are being exploited result from poorly filtered user input. Please tell me how the “evil corporate bean-counters” are saving money by keeping coders from writing a few extra lines of code?

    • Andre Gironda says:

      @ Marcus: You mean poorly chosen output encoding contexts, not poorly filtered user input, right?

      While the OWASP ESAPI Validator interface is excellent (returns both canonicalized and validated input), the Encoder interface is much more geared towards the prevention of XSS and SQLi.

      XSS and SQLi are often found in third-party components, which is why secure software acquisition is equally as important to appsec as secure application development.

      I have also noticed an over-reliance on WAF and DAM appliances and an under-reliance on CIS benchmarks for server and application hardening. A few tweaks to Linux, Apache, PHP, and MySQL (LAMP) configurations could go a long way to lowering appsec-related risks and attack surface (even if they don’t fix the underlying issues). Lack of standardization to CIS and OWASP resources is an upper-management governance issue.

      • Marcus says:

        In or out, it shouldn’t matter. It’s not hard to filter user input (or what comes out after it’s input). Shouldn’t it be the responsibility of professional coders to build this into their code? Sure, management exists partially to save money, but that doesn’t necessarily translate into requiring coders to *not* use best practices.

        Again, I’m not a professional coder, but I’m very careful about this on my personal stuff.

        • Andre Gironda says:

          @ Marcus: There is cost-effectiveness and benefit-effectiveness for secure application development and secure software acquisition.

          However, it’s people like you who don’t know how to maximize the cost and benefits of appsec controls. Managers and application development professionals do not know where to turn to because the industry is flooded with people making the wrong recommendations without the proper credentials.

          You need to be a professional coder, a professional business process expert, and a professional expert on information security management and risk management in order to advise anyone on the proper use of appsec controls. Prior experience and a proven track record are absolutely necessary criteria to achieving these needs, but familiarity with OWASP ESAPI, OWASP ASVS, SEI CMU initiatives such as OCTAVE Allegro and CERT-RMM, SAFEcode guidelines, NIST 800-30/37 and SAMATE analysis, NSA CSA analysis, FAIR, and Shared Assessments SIG v6 (from BITS FISAP) are a good start.

          I would guess that Sony and even the others have some sort of security team in place that knows about appsec. However, it is likely that they did not know who to hire, what they have, or what they need to fix. They probably knew that OWASP and/or NIST provide recommendations for appsec controls, but they didn’t know where to start or how to find that information. They may have tried to discuss these issues with the application developers and administrators of those systems/networks — but they also likely lacked the proper expertise as well. It’s hard to find this talent — and difficult to teach to it.

        • kurt wismer says:

          i am a professional coder. i have, in the past, literally been told to stop what i was doing (which wasn’t even security related but just quality related) because it was taking too much time and therefore costing too much money.

          whatever you think management ‘ought’ to be doing doesn’t necessarily translate into what they’re _actually_ doing.

    • jlc3 says:

      What comes to mind is:

      1. Time to Market pressures
      2. Lack of executive acceptance of policy

      What these mean are a product getting to market will get there regardless. As well, modifying production networks on your own as a non-exec is frowned on – it does not matter if it’s The Right Thing.

      Upper management are the Risk Owners. Without buy in from them (i.e., accepting policy changes), it cannot happen. beancounter though I think is an invalid reference – it’s management (or lack thereof)

    • theonlyone says:

      Management refuses to pay for the necessities:
      – decent architects
      – decent programmers
      – QA
      – threat assessment
      – reworking of old code

      They require it to be done cheap and quick. They get what they pay for.

      A friend once described it such (programming and IT in general): “You have to think of it as sitting on a rock and shooting rats in a swamp. You can’t think of the way the architecture should be or you will never be happy because mgmt will never let it happen.”

  • Anonymous says:

    You don’t get it, do you? These guys are not some stupid kids. They are professionals.

    • Andre Gironda says:

      Cite your source(s)

        • Andre Gironda says:

          I see some stolen ASCII art and some links that involve an over-focus on gift-economies, including a link to ThePirateBay and a donation capability with BitCoin along with some PR/Marketing/Social-Media (if you can call it that).

          How is any of that professional? Looks like amateur-hour to me. If I put up this website, I’d be ashamed of myself, even if I took out all of the illegal activity and over-focus on gift-economies.

          I think that LulzSecurity members should leave LulzSec and go make 200 US dollars per hour for their hard work, but that they should get a signed contract with their targets (and visit techinsurance.com for quotes and pricing so that they buy this sort of insurance in their first year of business) before they begin their work. Is that so hard? Do they not like money?

          • svelte says:

            Andre, I’m curious. Is there any way for you to not sound like a complete prick? Or is that how you always talk?

            “Over-focus on gift-economies” – seriously? Is money your only motivator in life?

            You may be a professional, but only in the worst sense of the word. LulzSec seems to enjoy what they’re doing, and revel in what they’re reaping. You sound like a passionless security snob who knows a ton of buzzwords and is about to have a mid-life crisis.

          • Adam says:

            Hi Svelte,

            Since this is a rant (on my part) I’m being pretty open in letting all comments through, but saying that someone is “about to have a midlife crisis” is pushing past the bounds of civility we like to (and usually do) see here.

            Adam

          • Colin says:

            Maybe they got tired of their professional reports identifying vulnerabilities left, right and centre and having their work ignored. Maybe they thought the most vulnerable organisations are also those least likely to contract them. Maybe they are actually just genuinely concerned about the state of global infosec and thought this would be the best way to make a difference… As Svelte says, money is not the only motivator, in fact it should be the last.

          • Colin says:

            I’d like to add that their website is highly effective – simple, minimalist, clear, etc.

          • Cornerstone says:

            Or maybe they’re just a CIA front geared towards spreading fear so that the government can move to lock down the net with public consent and regain control of public discourse.

          • Hairy Giant Unicorn says:

            Andre – given you’re a massive feather-mucking hard-on & clearly think you’re riding Maverick’s tail pipe.

            Here’s a challenge:

            Name a site / corp / company you have charged $200 to make ‘safe’.

            Then we’ll all tweet http://twitter.com/#!/lulzsec and see how you fare.

            Otherwise, disappear, HB Gary wannabe.

          • Hairy Giant Unicorn says:

            P.S.

            Is your password “kibafo33”?

  • Jables says:

    From what I hear they are past Dead Protocol Society Members – agree with anonymous above.

  • Mark says:

    So many of the comments here are coming from people whose cheeks are so thin that they can not find the room to put a tongue into them. The “out-communicated by kids who can’t spell” is a sound bite. How about concentrating on the message?

    • Anonymous says:

      I agree, I think most people just need a recap on ethics and morals 101. Yes, most dull minded people would jump at your throat with things like “do you think destroying someone’s business is right?” and such.

      As you can see (hopefully) very short minded, they forget that there is a much bigger picture here. I’m not going to spoil it for you guys. But think about it long and hard you’ll get it.

      • Phil Ward says:

        Is that business destroying somebody else’s livelihood or environment? It’s not _quite_ 1.01 there…

  • Dan says:

    Well, I don’t know much about data security laws in other countries, but over here in Germany you’re breaking the law if you DON’T inform your customers of a breach, thus making it public!

    I really have no idea if there are similar laws elsewhere in the world, but that approach feels right to me. Anyone working in computer security who sweeps an attack and a breach under the rug should get hit by LulzSec and other hacker groups, because they’ve earned it for being so dishonest to their customers.

    That being said, I’m really not excited about the 16th or 17th Sony hack, but I can agree with Patrick Gray somewhat that we secretly like LulzSec and I’m also of the opinion that we need them, kind of.

  • digitalvigil says:

    “we’re only as sick as our secrets”

  • GSH says:

    “the revolution will not be televised”

  • montrealdude says:

    These are not kids, they are security professionals that switched for fun. Look at the way they talk about security, they are experienced in corporate politics.

  • Brad says:

    “It sure is easier than admitting our communications were sub-par.”

    Well, /my/ communications are most definitely not sub-par. The listening and comprehension skills of non-technical managers are sub-par. I believe that was the point of Patrick’s rant – we can break out the crayons and draw big pretty pictures presented with as much documentation and as many verifiably damning statistics as your heart desires, but you can’t fix stupid. You can show people MATH. Show them MATH, and they will not fix the problems. Here is what /will/ happen if you don’t fix this. “Well, we just don’t have it in the budget this year.” So, with the understanding that your choices are between paying $100k and $1m, you’re consciously choosing $1m. Gotcha.

    I’m with Patrick on this one.

  • Chad says:

    It’s futile to argue who is at fault. It’s the “problem” that needs fixing, not the blame. It is always the job of the “speaker” to communicate their message, not the job of the listener to understand. One thing is for certain, the actions of “LulzSec”, “Anonymous”, and others like them will effect change. However, they have no control over what that change will be. Will “those in power” to effect the change simply constrict access of the internet across the board? Will we see a fragmented internet with each fragment physically separated such that no two fragments are connected? Will we see a contraction of the commercial services offered by businesses to the consumer public such that; businesses such as Amazon go away, online banking consists merely of a bank’s “webpage” with at most branch locators and hours, and “cloud computing” no longer has a public cloud in which to operate.

    Granted, those are extreme scenarios, but they do provide a picture as to what is at risk. It is one thing to “disrupt” when you have control over how the disruption is handled, it is another thing altogether to “disrupt” something over which you have no control over the response. Besides, you always catch more flies with honey, than with vinegar. LulzSec and Anonymous seem to prefer vinegar to honey.

    • Brad says:

      “It is always the job of the “speaker” to communicate their message, not the job of the listener to understand.”

      Bullshit. If I fly to Germany on vacation, there is an emergency situation and nobody speaks English… I guess it’s the Germans’ fault I’m dead because they didn’t learn their visitor’s language. Preposterous. There is an onus on both sides of any exchange of ideas. In IT, the responsibility is simply skewed a little.

      • Chad says:

        Your metaphor is illogical for the topic at hand. Aside from the disjointed nature of “vacation” and “paid/business communications”, another reason being your metaphor has a significant (though not insurmountable) barrier to communication. Namely, the difference in language. This ordinarily isn’t the case in a business environment. The communicator would almost always be able to speak the language of their target audience. Especially, if they are “in house counsel”. As a practical matter, most businesses hire employees that can speak, write, and understand the language common to their business.

        For argument sake, if you are in Germany on vacation and you have informed the local consulate, then you would be informed of the impending disaster by the local consulate. Your hotel would likely have English speakers, they would inform you. Most European countries learn to speak English as a second language (English has replaced Latin as the “lingua franca”), so I doubt you would have difficulty finding someone to warn you of your impending danger.

    • Hmmm. says:

      “It is always the job of the “speaker” to communicate their message, not the job of the listener to understand.”

      But it’s the job of the listener to listen. If they don’t get that bit right then it doesn’t matter what language the speaker is using.

      And don’t say that it’s the job of the speaker to get their attention. Gatecrashing their office and slapping the CEO about the face doesn’t usually end well.

      • Chad says:

        “But it’s the job of the listener to listen. If they don’t get that bit right then it doesn’t matter what language the speaker is using.”

        Yes but “listening” and “understanding” are two separate things. You could “listen” all day, and hear nothing. You could “hear” what I have to say and still not understand its meaning.

        Besides, your argument presupposes that the listener might not want to listen. In which case, there can be no communication as no meeting would be allowed. In other words, it is a moot point. I’m specifically addressing the instance when an audience has been arranged. At that point, the delivery of the message and control over the content is the responsibility of the speaker (communicator). If you are communicating an important message, then you will undoubtedly make sure that your audience understands (this can be troublesome for large crowds). You will reiterate your message using metaphor. You will provide examples where appropriate. You will engage in a dialog, not a presentation. You will ask your audience to repeat back what you have told them, so that you can hear in their own words, their understanding of your message. If it is wrong, then you can correct.

        • Hmmm. says:

          Yes, I see what you’re saying. I was thinking of the cases where a CEO gives 10mins of their time to a security guy and they have to spend the first 9mins explaining who they are and what a computer is. Makes it difficult to get messages across without grabbing their attention with some FUD or other dangerous tactic.

  • Tim says:

    Management decide how much time developers spend training or designing a product, they pay for security tools which can identify some sorts of risks (e.g. uninitialised variables), they support the development teams scheduling time for documentation, code review and testing (including security issues). Coders can make a lot of difference (and they improve with experience) but I feel most applications are released based upon functionality rather than any other metric, which probably boils down to the invisible hand of economics at work.

    The successful attack and embarrassment of a victim is pretty much the only way you can “see” security. This is where real security works and theatre/bluster/snakeoil fails. Removing ineffective controls that waste effort to no avail and making managers more aware that security matters are two very important strategies which will make the Internet safer for us all in the long run.

  • Henry says:

    Call me different, but i think people are wrong in thinking that they deserve to have completely impenetrable software. Don’t get me wrong, it would be GREAT to never have to worry about hacking, but it does cost a lot of money to do so. All LulzSec are doing is going around punching people. We already know there are bad people out there who do it, so there’s no point in joining in. Imagine that there are people trying to figure out how to stop murders happening in a community. Their options would be to either arrest people if they decide to do it, or give everyone stab proof vests. Both options won’t fully stop the matter, but their results wouldn’t be too far apart and putting in the law would be far cheaper than buying lots of vests. I think we need to do the same with the internet. Here’s another analogy. If you went to a shop and bought a sandwich, but then someone stole your sandwich you wouldn’t complain to the store for making a sandwich that’s so easy to steal, you would complain to the police. Basically, i think that we need to make hacking a straight up law offence.

    Guy: ow, you stabbed me!
    lulzsec: it’s your fault for having such soft skin!

    • Brad says:

      I understand where you’re going with your example, but it’s a little off…

      It’s more along the lines of:

      Guy: OMG you stole my TV!
      lulzsec: …there is a “FREE TV” sign in the yard. The front door was locked so I came in thru the patio, which was wide open…

      • Kitch says:

        If you’re using this analogy to justify Lulz’ actions, you are way off base. Where or what was Sony’s “FREE TV” sign? The TV was located in a private dwelling. What law or lack thereof allows you to enter said private dwelling? (BTW, in some states, I’d be legally justified in shooting you in the head).

        Henry’s analogy stands.

  • Kaian says:

    “We poor, selfless martyrs. If only we’d been given the budget, we would have implemented a COBIT ISO27001 best practices program of making users leap through flaming hoops before they got their job done, and none of this would ever have happened.”

    Hardly. What about those of us forbidden to install patches because “the application vendor will terminate our support contract”? What about the bottom feeders who refuse to set root passwords because the agency’s policy doesn’t say anywhere that it has to be done? What about engineering teams who fail assessments miserably, take machines offline, and rebuild them without installing any patches? How about sysadmins who have something on their managers (like porn habits) who leverage that knowledge to get away without hardening boxen? Code reviews that magically never seem to happen? Remediation activities that slip so far down the priority list due to the next release that they never occur? How about organizations that enforce no punishment or motivation to secure anything and let their personnel get away with it?

    How about the spreadsheets that say that paying for cleanup after a compromise is cheaper than proactive security?

  • juniper says:

    I 100% agree not dead protocol society members they don’t do malicious hacks they are too elite for some petty b.s.
