Security Vendor Applauds LulzSec Attacks

HardOCP News

The CTO and co-founder of SecurEnvoy is grabbing headlines today for applauding the LulzSec attacks. And why shouldn't he? Security companies are in huge demand now as everyone shores up their (electronic) defenses in the wake of the recent attacks.

“While many are claiming the attack is a bad thing what they’re forgetting is, at the end of the day, it comes down to a fundamental failing on the part of the organization that allows these criminals in. If they didn’t leave their networks unlocked there wouldn’t be a problem.”
 
More like: what it came down to at the end of the day was that thousands of people's personal information was compromised :(. I get the want to give companies a kick in the pants to secure their stuff, but at the same time it wasn't the companies' information that was compromised, it was the users', and either way it's the customers that lose because of these attacks.
 
The best way to solve this issue is to make companies liable financially for losing customers' data. As long as the companies don't pay the price (right now it's just ordinary people) nothing will change.
 
Those people are insane. Lulzsec has created years of misery for innocent consumers. If they agree with their methods, they should be shut down and sent to jail just like the Lulzsec people.

I bet their customer base shrinks after this BS.
 
The best way to solve this issue is to make companies liable financially for losing customers' data. As long as the companies don't pay the price (right now it's just ordinary people) nothing will change.

CIO and CEO jail time and huge fines. That will do it.
 
On the other hand, customers lose faith with security companies because all of these attacks show that everything we have today is useless.

How much do you guys want to bet that the FBI and NSA are secretly investigating all of the security software companies for Anonymous and LulzSec members who wreak havoc in order to create fear among the populace so they can buy their software?

A little too paranoid maybe?
 
That company is happy because they get more business. The worst statement ever to make is to prey on others' misery.
 
More like: what it came down to at the end of the day was that thousands of people's personal information was compromised :(. I get the want to give companies a kick in the pants to secure their stuff, but at the same time it wasn't the companies' information that was compromised, it was the users', and either way it's the customers that lose because of these attacks.

Agreed.


If Lulzsec found the vulnerabilities, and then pressured the organizations into fixing them, then I would agree, it would be for the greater good, but releasing personal information of users is indefensible, and makes them just as bad as the undescribed "bad guys" they purport to be defending us from by finding and forcing the companies to fix these vulnerabilities.
 
On the other hand, customers lose faith with security companies because all of these attacks show that everything we have today is useless.

No news here.

There is no such thing as an unhackable system. Even the Iranian nuclear research facility that wasn't even connected to the internet could be brought down by the skillfully programmed Stuxnet worm, taking advantage of the lack of user discipline in using USB devices to transfer data from outside machines.

The key is to make hacking a system difficult enough that it isn't worth it to the potential data thieves. Some hacking groups may take this as a challenge, but hopefully those will be the ones that are more likely to crack it to display its vulnerabilities so they can be fixed, and less likely to be the type to sneakily steal personal data for their own gain.

Now, personally I think one step that could help make hacking into systems a lot more difficult would be to force every socket on the internet to connect via SSL regardless of what it is. This would add an extra load to both clients and servers. Clients will likely not notice much unless on seriously obsolete hardware. Servers will incur some expense, but compared to the cost of lost user data and lawsuits, it may be small.
 
Zarathustra[H];1037447282 said:
Agreed.


If Lulzsec found the vulnerabilities, and then pressured the organizations into fixing them, then I would agree, it would be for the greater good, but releasing personal information of users is indefensible, and makes them just as bad as the undescribed "bad guys" they purport to be defending us from by finding and forcing the companies to fix these vulnerabilities.

Actually, come to think of it, since Lulzsec actually released personal information, rather than just demonstrating their hacks and pressuring companies to fix them, this guy's line of reasoning is pretty similar to saying:

"9/11 was pretty good for the world, as it made governments more conscious about terrorism and more active in preventing it." Yeah? But what about the 3,000 people who died?
 
Zarathustra[H];1037447282 said:
Agreed.


If Lulzsec found the vulnerabilities, and then pressured the organizations into fixing them, then I would agree, it would be for the greater good, but releasing personal information of users is indefensible, and makes them just as bad as the undescribed "bad guys" they purport to be defending us from by finding and forcing the companies to fix these vulnerabilities.

So let's use Sony as an example here. They were hacked the first time and whoever hacked them released the info to the web. Shame on the hackers.

Then they were hacked again. More data released. OK, Sony was working on a fix, it will be done, it just wasn't in time, right?

Then Sony gets hacked a third time.

Then a fourth.

Then a fifth.

Then a sixth. And then half a dozen more.

How many times does a company need to leak personal customer data in order for it to share in some of the responsibility for the leaks? This is why "grey hat" security has such a following. If you find some vulnerability and the company, for whatever reason, refuses to do anything about it, then they are essentially saying "we don't care if our customers' data is leaked". It then becomes their responsibility for the breach.

Neither the hackers nor the customers are in a position to close those security holes.
 
I don't think I'd want to hire a security company that publicly supports a group that releases illegally obtained personal information to the public.
 
"911 was pretty good for world, as it made governments more conscious about terrorism and more active in preventing it." Yeah? But what about the 3,000 people who died?

Whoever said that quote? They should be shot.

9/11 not only saw 3,000 people murdered on that day, but then gave our government(s) a pretext to destroy their own private citizens' liberties, completely ignore the constitution with warrantless wiretaps, and engage in an unwinnable, now decade-long war against an unknown, faceless enemy halfway around the world that has cost us a trillion dollars and thousands of dead soldiers so far. We have tortured, in every literal and figurative sense of the word, hundreds or thousands of prisoners in the quest for intel on the enemy. All while allowing our own economy to collapse on itself, destabilizing the entire Middle East, and putting the US in 14 trillion dollars of debt.

I would say 'the terrorists' have succeeded in much more than just taking down a building in New York. I don't see how 9/11 could ever be viewed as a positive event. Except maybe to Raytheon, Halliburton and Dick Cheney.
 
So let's use Sony as an example here. They were hacked the first time and whoever hacked them released the info to the web. Shame on the hackers.

Then they were hacked again. More data released. OK, Sony was working on a fix, it will be done, it just wasn't in time, right?

Then Sony gets hacked a third time.

Then a fourth.

Then a fifth.

Then a sixth. And then half a dozen more.

How many times does a company need to leak personal customer data in order for it to share in some of the responsibility for the leaks? This is why "grey hat" security has such a following. If you find some vulnerability and the company, for whatever reason, refuses to do anything about it, then they are essentially saying "we don't care if our customers' data is leaked". It then becomes their responsibility for the breach.

Neither the hackers nor the customers are in a position to close those security holes.

True, but as a customer I would be more concerned with having my personal information released by a so called "grey hat" group than having it not released at all, even if that means continuing the poor security practices...

Which I think brings up a good point. The reason that Sony and other companies don't care is because there is not enough incentive for them to do so. When my then-fiancée's mortgage company was hacked, they sent everyone some lame premium credit monitoring package for a year, which probably cost them close to nothing and is likely not very effective at stopping any abuse of the hacked data.

For Sony the cost was some free game downloads they likely wouldn't have sold anyway, and since they are distributed online, the only cost was bandwidth, which they undoubtedly must have some pretty amazing contracts for already anyway. So this was almost zero cost to them as well...

You can bet that if the potential damages for losing customer data were in the billions of dollars, these companies would react to security holes a lot more quickly.

I think the FCC has to get involved. Fine companies that lose customer data $5000 per account, and you'll suddenly see a lot more attention to this issue.
 
Whoever said that quote? They should be shot.

9/11 not only saw 3,000 people murdered on that day, but then gave our government(s) a pretext to destroy their own private citizens' liberties, completely ignore the constitution with warrantless wiretaps, and engage in an unwinnable, now decade-long war against an unknown, faceless enemy halfway around the world that has cost us a trillion dollars and thousands of dead soldiers so far. We have tortured, in every literal and figurative sense of the word, hundreds or thousands of prisoners in the quest for intel on the enemy. All while allowing our own economy to collapse on itself, destabilizing the entire Middle East, and putting the US in 14 trillion dollars of debt.

I would say 'the terrorists' have succeeded in much more than just taking down a building in New York. I don't see how 9/11 could ever be viewed as a positive event. Except maybe to Raytheon, Halliburton and Dick Cheney.

I didn't say anyone actually said that. What I did say was that the security guy's statement in this article is similarly ridiculous to this fictitious statement.

To me it doesn't matter who does the damage. If my personal information is leaked by so called "grey-hats" who post it online for the world to abuse, or by "black-hats" (is this the correct term?) my data is still out there, and someone may be trying to use it to steal my money/identity/etc.

If the result is just as bad, it doesn't matter to me what their objective is.
 
I have to agree. I've been watching companies lay off IT people all over, and some of the first to go are the "security" people, because they have a hard time proving to non-tech CEOs that they really are doing their job. If someone from IT security gives them a presentation they all sit there staring blankly and think it's a load of crap. All they see is a computer nerd making 70k+ a year sitting at his desk who never talks to anyone, and is normally pissed off at all the dumbasses he works with!! :D
 
Guys I think there is a difference between the Stuxnet worm and a bunch of trans-gender script kiddies getting into poorly secured or unsecured networks.

Just sayin.
 
The best way to solve this issue is to make companies liable financially for losing customers' data. As long as the companies don't pay the price (right now it's just ordinary people) nothing will change.

If they were found to be negligent, sure. Good luck proving it, though. I'm guessing a lot of CIOs blindly purchase a security suite from whatever vendor is the cheapest just so they can say "look at all the security measures we have in place". Unfortunately, it's not so much about information security as it is risk aversion.
 
If they were found to be negligent, sure. Good luck proving it, though. I'm guessing a lot of CIOs blindly purchase a security suite from whatever vendor is the cheapest just so they can say "look at all the security measures we have in place". Unfortunately, it's not so much about information security as it is risk aversion.

Data lost = automatic presumption of negligence.

Sort of how if you rent a car, they don't care how that scratch got there, you (or your insurance company) are still responsible for it.

(unless you got the extra coverage that is)
 
Whoever said that quote? They should be shot.

9/11 not only saw 3,000 people murdered on that day, but then gave our government(s) a pretext to destroy their own private citizens' liberties, completely ignore the constitution with warrantless wiretaps, and engage in an unwinnable, now decade-long war against an unknown, faceless enemy halfway around the world that has cost us a trillion dollars and thousands of dead soldiers so far. We have tortured, in every literal and figurative sense of the word, hundreds or thousands of prisoners in the quest for intel on the enemy. All while allowing our own economy to collapse on itself, destabilizing the entire Middle East, and putting the US in 14 trillion dollars of debt.

I would say 'the terrorists' have succeeded in much more than just taking down a building in New York. I don't see how 9/11 could ever be viewed as a positive event. Except maybe to Raytheon, Halliburton and Dick Cheney.

I've got to remind you that that "hundreds or thousands of prisoners" is actually three people total before the practice was discontinued. I know it's tempting to preach your point, but without evidence, even the Democrats who attacked Bush all those years did not say more than that number. The action of deporting someone back to their country of origin is not something to foresee after that point, and the UN Conventions mandate returning people to their country of origin unless they legitimately claim political asylum somehow. Including the warrantless wiretapping, the scope of which was very limited as to who they were targeting; nonetheless there was still judicial review in the end. Sensitive issue, but you're kind of exaggerating it.
 
While the guy has a point, he sounds like the auto body shop owner after an ice storm. Congrats, you get to benefit from others' misfortune. Here's your gold star.

Did the lulz expose extremely lax online security all over the place? Undoubtedly yes. Did they go about doing it in a proper manner? Hellz no. They get none of my thanks, and they shouldn't get any from security firms either.
 
Fine, we get it, companies suck at security, but releasing users' personal info to the public is right? I'm guessing if your personal info was on that table you would have a different overview of it as well.
 
"While many are claiming the attack is a bad thing what they’re forgetting is, at the end of the day, it comes down to a fundamental failing on the part of the organization that allows these criminals in. If they didn’t leave their networks unlocked there wouldn’t be a problem. "

How long until Lulzsec hacks this security company because they think that their network is secure?
 
Zarathustra[H];1037447501 said:
Data lost = automatic presumption of negligence.

Sort of how if you rent a car, they don't care how that scratch got there, you (or your insurance company) are still responsible for it.

(unless you got the extra coverage that is)

The thing is, there is some real James Bond-type stuff out there. Take the Stuxnet infection, for example. Who would have thought someone could create a worm that destroys centrifuges in Iran used for making nuclear materials? Would you consider Iran negligent in that case? It's damn near impossible to keep everything 100% secure.
 
I think companies shouldn't store personal information in the first place.
 