October 30, 2014 at 11:09 am
Steve Jones - SSC Editor (10/30/2014)
chrisn-585491 (10/30/2014)
However, even 'more secure' operating systems such as Linux have exploitable vulnerabilities. We are engaged in a constant evolutionary 'predator/prey' race, in which there is no finish line.
I disagree. And Linux isn't more secure than Windows. (OpenBSD might be...)
I don't think commercial software has tried. The current infrastructure is built on the sand of mutual trust/ease of use, not security. There's a ton of easy fruit for the black hat to pick up.
+1
And there's incentives to attack certain platforms more as they're used more.
It is no coincidence that as a lot more people are using Apple devices (including laptops) that their vulnerabilities are being exposed.
That's right, exposed. As in they existed already but were not found/exploited because those that are interested in it did not deem those platforms worthwhile before.
Gaz
-- Stop your grinnin' and drop your linen...they're everywhere!!!
October 30, 2014 at 11:10 am
Miles Neale (10/30/2014)
Begin Rant! I guess I have a different take on this. We appear to be operating under a broken understanding of crime and punishment. We look at it this way: "The hacker does the crime and the company and its IT staff get the punishment."
We have listened too long to the excuses. Stuff like "there are no international agreements in place to ..." "It is too hard to track who is doing this..." "We are able to track this only to an account in the Cayman Islands..." Well, instead of punishing the person in the company who is trying to do their job, or the company who has such a tight profit margin that if they buy much more IT Security they will go broke, or castigating businesses for not taking care of things we trust them with, why can't we go find the criminals and freeze or take their assets, put them out of business, and give them a very long all-expenses-paid vacation on the state?
We should be finding the criminals and punishing them, and not find the working IT person and end their life and career.
End Rant.
There are so many folks these days involved in hacking, identity theft, and other types of financial fraud; I'd hate to see them all locked up at taxpayer expense. No, instead I'd like to see them work off their sentences on highway construction "chain gangs". Imagine having 100 former "script kiddies" all tethered together along a stretch of highway in the New Mexico desert, digging ditches for fibre optic cable. Let them do that every day, from sun-up to sun-down, for five years. When they're finally released from that ordeal, you won't see them back at a hacker convention bragging about their exploits. Just take the "cool" out of stealing data and people will stop doing it.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
October 30, 2014 at 11:14 am
Americans have many positive qualities, but a sense of irony doesn't seem to be amongst them.
Can't afford irony, only the top .01 in 'Merica can and they have hidden most of it in off-shore accounts...
😀
October 30, 2014 at 11:15 am
Rudyx - the Doctor (10/30/2014)
...What about externally facing firewalls, SSL, secure web sites, Intrusion Detection systems and patching ? (yes, ZERO day things still exist). All of these items are way, way before a database gets hit...
They are not if the attack starts internally. Whilst I am sure that Rudyx did not mean to imply he thinks this way, that assumption creates a perception that there is plenty to get through before the database gets hit. Not necessarily true.
There are a huge number of surveys and papers highlighting that the majority of security breaches originate internally. Often with (technical) permissions that allow access to the data.
Are we back to Who Watches the Watchers?
Gaz
-- Stop your grinnin' and drop your linen...they're everywhere!!!
October 30, 2014 at 11:17 am
Imagine having 100 former "script kiddies" all tethered together along a stretch of highway in the New Mexico desert, digging ditches for fibre optic cable. Let them do that every day, from sun-up to sun-down, for five years. When they're finally released from that ordeal, you won't see them back at a hacker convention bragging about their exploits.
Another modest proposal might be to cut off their hands. It's more challenging to hack using a pencil set between one's teeth.
Sorry, I'm letting my sense of irony slip out again.
October 30, 2014 at 11:19 am
Eric M Russell (10/30/2014)
Miles Neale (10/30/2014)
Begin Rant! I guess I have a different take on this. We appear to be operating under a broken understanding of crime and punishment. We look at it this way: "The hacker does the crime and the company and its IT staff get the punishment."
We have listened too long to the excuses. Stuff like "there are no international agreements in place to ..." "It is too hard to track who is doing this..." "We are able to track this only to an account in the Cayman Islands..." Well, instead of punishing the person in the company who is trying to do their job, or the company who has such a tight profit margin that if they buy much more IT Security they will go broke, or castigating businesses for not taking care of things we trust them with, why can't we go find the criminals and freeze or take their assets, put them out of business, and give them a very long all-expenses-paid vacation on the state?
We should be finding the criminals and punishing them, and not find the working IT person and end their life and career.
End Rant.
There are so many folks these days involved in hacking, identity theft, and other types of financial fraud; I'd hate to see them all locked up at taxpayer expense. No, instead I'd like to see them work off their sentences on highway construction "chain gangs". Imagine having 100 former "script kiddies" all tethered together along a stretch of highway in the New Mexico desert, digging ditches for fibre optic cable. Let them do that every day, from sun-up to sun-down, for five years. When they're finally released from that ordeal, you won't see them back at a hacker convention bragging about their exploits. Just take the "cool" out of stealing data and people will stop doing it.
However it works is fine. I just really do not like punishing those who are trying to do a good job. Punish the crook!
Not all gray hairs are Dinosaurs!
October 30, 2014 at 11:21 am
Can't afford irony, only the top .01 in 'Merica can and they have hidden most of it in off-shore accounts...
'Sall right, mate, everyone outside of London is broke, too.
October 30, 2014 at 11:22 am
Miles Neale (10/30/2014)
Begin Rant! I guess I have a different take on this. We appear to be operating under a broken understanding of crime and punishment. We look at it this way: "The hacker does the crime and the company and its IT staff get the punishment."
We have listened too long to the excuses. Stuff like "there are no international agreements in place to ..." "It is too hard to track who is doing this..." "We are able to track this only to an account in the Cayman Islands..." Well, instead of punishing the person in the company who is trying to do their job, or the company who has such a tight profit margin that if they buy much more IT Security they will go broke, or castigating businesses for not taking care of things we trust them with, why can't we go find the criminals and freeze or take their assets, put them out of business, and give them a very long all-expenses-paid vacation on the state?
We should be finding the criminals and punishing them, and not find the working IT person and end their life and career.
End Rant.
Miles, I agree that the "hacker" should be located and punished for crimes committed, however, dereliction of duty is also a crime. The company officers (term may differ by legal/corporate system) are responsible to and report to the shareholders.
Think banks. If a bank branch is held up then the crime is committed by the bank robbers. If inadequate security was in place then the senior management have failed in their duties. These are separate. Punishing one action does not preclude punishing the other. Both are, or should be, crimes.
Gaz
-- Stop your grinnin' and drop your linen...they're everywhere!!!
October 30, 2014 at 11:30 am
Gary Varga (10/30/2014)
Miles, I agree that the "hacker" should be located and punished for crimes committed, however, dereliction of duty is also a crime. The company officers (term may differ by legal/corporate system) are responsible to and report to the shareholders.
I agree dereliction of duty is a crime, but most are making an honest good faith effort to secure that which is entrusted to them. But it seems as if we are spending all the time and focus on the company and little if any effort on catching and punishing the true criminal.
Not all gray hairs are Dinosaurs!
October 30, 2014 at 11:47 am
Miles Neale (10/30/2014)
Gary Varga (10/30/2014)
Miles, I agree that the "hacker" should be located and punished for crimes committed, however, dereliction of duty is also a crime. The company officers (term may differ by legal/corporate system) are responsible to and report to the shareholders.
I agree dereliction of duty is a crime, but most are making an honest good faith effort to secure that which is entrusted to them. But it seems as if we are spending all the time and focus on the company and little if any effort on catching and punishing the true criminal.
Then we agree. Appropriate amounts of effort need to be placed in both directions. (Appropriate to be defined ;-))
Gaz
-- Stop your grinnin' and drop your linen...they're everywhere!!!
October 30, 2014 at 11:55 am
GoofyGuy (10/30/2014)
Imagine having 100 former "script kiddies" all tethered together along a stretch of highway in the New Mexico desert, digging ditches for fibre optic cable. Let them do that every day, from sun-up to sun-down, for five years. When they're finally released from that ordeal, you won't see them back at a hacker convention bragging about their exploits.
Another modest proposal might be to cut off their hands. It's more challenging to hack using a pencil set between one's teeth.
Sorry, I'm letting my sense of irony slip out again.
No, cutting off their hands would be cruel and unnecessary. I consider myself a fair and practical person.
But I was serious when I suggested the idea of sentencing hackers to a forced labor program. Even if it were my own kid (just hypothetically speaking because she's only nine), and assuming the state could prove to my satisfaction that she was actually involved in stealing financial data, I'd consider a few years hard labor to be more rehabilitating than time spent in prison where she'd still be hanging out with the same crowd. It would give her time to think, and maybe even teach her some marketable skills besides hacking. I don't know if the idea would get broad support, because folks in the age of social media are so uptight, but I think it's a practical solution.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
October 30, 2014 at 12:51 pm
Have you been hacked? Why yes, yes I have. Got my new card from the bank a couple of weeks ago. I still get phishing phone calls from a bank hack over 5 years ago too. Winning!
Aigle de Guerre!
October 30, 2014 at 3:32 pm
Occasionally I expose the 1433 port on a SQL server instance to the outside world for testing purposes.
Every time, within ~12 minutes, I see failed sa login attempts and buffer overflow attempts coming from IP addresses of Chinese origin.
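The failed sa logins the poster describes land in the SQL Server ERRORLOG as error 18456, with the login name and client address on the following line. The script below is an added example (not code from the poster or from SQLServerCentral) that parses lines in that format, flags any client hammering a single login with five or more failures inside a one-minute window, and separately lists sa failures that come from outside the address space you consider internal. The sample log lines are constructed for this example, not captured from a real server, and the internal ranges, threshold and window are assumptions to tune for your own environment.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in SQL Server ERRORLOG style (not from a real server).
# Error 18456 is the generic "login failed" event; the second line of each pair
# carries the login name and the client address, which is what we key on.
SAMPLE_ERRORLOG = """\
2014-10-30 15:32:01.12 Logon       Error: 18456, Severity: 14, State: 8.
2014-10-30 15:32:01.12 Logon       Login failed for user 'sa'. Reason: Password did not match that provided for the login provided. [CLIENT: 203.0.113.5]
2014-10-30 15:32:01.40 Logon       Error: 18456, Severity: 14, State: 8.
2014-10-30 15:32:01.40 Logon       Login failed for user 'sa'. Reason: Password did not match that provided for the login provided. [CLIENT: 203.0.113.5]
2014-10-30 15:32:01.71 Logon       Error: 18456, Severity: 14, State: 8.
2014-10-30 15:32:01.71 Logon       Login failed for user 'sa'. Reason: Password did not match that provided for the login provided. [CLIENT: 203.0.113.5]
2014-10-30 15:32:02.05 Logon       Error: 18456, Severity: 14, State: 8.
2014-10-30 15:32:02.05 Logon       Login failed for user 'sa'. Reason: Password did not match that provided for the login provided. [CLIENT: 203.0.113.5]
2014-10-30 15:32:02.33 Logon       Error: 18456, Severity: 14, State: 8.
2014-10-30 15:32:02.33 Logon       Login failed for user 'sa'. Reason: Password did not match that provided for the login provided. [CLIENT: 203.0.113.5]
2014-10-30 15:33:10.00 Logon       Error: 18456, Severity: 14, State: 8.
2014-10-30 15:33:10.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that provided for the login provided. [CLIENT: 10.0.0.8]
2014-10-30 15:35:00.00 spid52      Starting up database 'tempdb'.
"""

# Assumed internal address space; replace with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LOGIN_FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d\d) Logon\s+"
    r"Login failed for user '(?P<user>[^']+)'\..*\[CLIENT: (?P<client>[^\]]+)\]$"
)


def parse_failed_logins(text):
    """Return (timestamp, login, client_ip) for every 'Login failed' line."""
    events = []
    for line in text.splitlines():
        m = LOGIN_FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m.group("user"), m.group("client")))
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Flag (client, login) pairs with >= threshold failures in any sliding window."""
    by_key = defaultdict(list)
    for ts, user, client in events:
        by_key[(client, user)].append(ts)
    alerts = []
    for (client, user), stamps in by_key.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until it spans at most `window`.
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"client": client, "user": user, "count": len(stamps)})
                break
    return alerts


def external_sa_attempts(events):
    """Clients outside INTERNAL_NETS that failed to log in as sa."""
    def is_internal(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in INTERNAL_NETS)
    return sorted({client for _, user, client in events
                   if user == "sa" and not is_internal(client)})


if __name__ == "__main__":
    evs = parse_failed_logins(SAMPLE_ERRORLOG)
    for alert in find_bruteforce(evs):
        print("brute force:", alert)
    print("external sa attempts from:", external_sa_attempts(evs))
```

Pointing `parse_failed_logins` at a real ERRORLOG turns the "within ~12 minutes" observation into a concrete list of sources and counts; the same output is a natural input to firewall block rules or to a ticket that argues for closing the port again.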
October 30, 2014 at 3:33 pm
Yes they are, or are browsing as part of their job. Like when I go into a Best Buy and tell them I can buy product X on Amazon for $100 cheaper, they will browse to the Amazon site to verify. And I am sure that with that capability, they are using it for other things.
October 30, 2014 at 3:40 pm
Occasionally I expose the 1433 port on a SQL server instance to the outside world for testing purposes.
Every time, within ~12 minutes, I see failed sa login attempts and buffer overflow attempts coming from IP addresses of Chinese origin.
I have heard rumours the PRC government has underwritten an enormous 24 x 7 hacking operation, which is attempting to discover, and possibly exploit, vulnerabilities in the governmental, military, and commercial circles of the PRC's potential adversaries.
Viewing 15 posts - 31 through 45 (of 62 total)