Re: Anonymous takes credit for hacking Montreal police website

jaysona (Member, Montreal, QC, joined 2000-03-22) to Mashiki

said by Mashiki:

The problem is mainly basic network security and human stupidity.

Sadly, I wish it really were an issue of stupidity - that would be easy to address. It really comes down to money and it being someone else's problem.

1. It costs more money to write secure code vs code that's insecure but functions properly. So why spend money to make the code secure? There's no incentive to spend more months to write secure code, but every incentive to get the functioning code out the door, hook users to buy the software and maximize revenue. Problems with the code? They'll fix it later - if they have to.

2. Companies know there are security vulnerabilities. It costs money to mitigate and protect against those vulnerabilities. Some companies choose to roll the dice and see if they can get by without spending much on security and hope someone else gets hit. Most companies win at the dice roll, some don't.

Sucks to be the company that loses on the dice roll - but good for the likes of myself!

jaysona to vue666

said by vue666:

Teri Hatcher in that Superman cape was pretty popular too...

Oh yes, very popular! I remember the days when people trying to view those pics brought down more than a few ISDN links.
jaysona to lugnut

said by lugnut:

I call baloney on that argument. The reality is that even the most basic Windows or Linux or Mac install has over ten billion lines of code in it.

It is physically, chronologically and mentally IMPOSSIBLE for any single human being out there to know every potential weakness and implement an effective defense against it.

And you're talking about training armies of sysadmins who can secure any sensitive network against every zero day exploit?

That kind of thinking went out in the 90's.

Uh, no it didn't. This is still done today - by companies that either have a federally mandated requirement to do so, have been compromised previously or have determined that a compromise would financially be more costly than the cost of making sure a compromise does not happen. Think silly valley style of company or certain type of gov't contractor organization(s).

I know of several Linux machines sitting directly on the Internet - no f/w, no iptables and no compromise - yet. Their sole purpose is to gather attack vectors and to see what works and what does not. There are two Slackware 11 installs still uncompromised.

said by lugnut:

But if you think companies like Sony or Lockheed Martin or General Dynamics are cheap or lazy with their IT departments I want some of whatever you're smoking.

The Sony hack(s) shouldn't have happened; they were due to poor practices and corporate laziness, nothing more.

said by lugnut:

The reality is that modern software architecture is 100% impossible for any single person or team of humans to secure 100%.

This applies pretty much to everything; nothing related to technology is 100% certain.

said by lugnut:

My spin on it is that at the moment probably 99.999% of ALL corporate and government networks are hacked to at least some degree and the only ones we hear about are the ones stupid enough to get caught or announce themselves.

The five nines is more than a slight exaggeration, but I get your point. Some of what you need to consider also is that only certain parts of a corporate network may be compromised to some varying degree, and in many cases the execs are aware of this and have accepted the associated risks. In their (C-suite) view this low level of compromise (annoyance really) is no different from employees stealing office supplies or stealing company time by using the office phone to make personal phone calls or sending personal email using the company computer(s) and email system.

jaysona to lugnut

said by lugnut:

I agree that "air gap" isolation of the internal network is the ONLY way to keep your data secure.

Uh no, that is not the "ONLY" way to keep data secure - it may be the most extreme and have the highest probability level of ensuring data are secure, but far from the only way.

urbanriot (Premium Member, Canada, joined 2004-10-18) to lugnut

said by lugnut:

So that's your answer on security? Defend against the script kiddies and ignore the unknown military and professional criminal hackers?

No, that wasn't my answer... you obviously didn't read what I wrote as my answer was to engage competent security profiles.
said by lugnut:

Like I said, you'll never find these vulnerabilities in your RSS feeds simply because these people are not stupid enough to make them public.

Which vulnerability? You're treating this like it's regularly a case of magical brilliance in hacking when that's not the case at all. As was suggested, this is not Hollywood style movies... it's practical information systems security.

lugnut (Anon)


Heartbleed existed for over a year before it was "Discovered" by the white hat crowd.

How much damage do you think was perpetrated by those who knew of its existence much much sooner?

There's nothing "magical" about assuming there are more and more vulnerabilities out there.

Idiot admins who pronounce that everything is "secure because they follow procedure" accomplish nothing more than instill a false sense of security in users while coders continue to release sloppy, buggy code and patches which break ten things while fixing one.

Anyway this argument is circular. You will continue to believe what you want to believe until your firm is hit by the next big thing, Code Red, Melissa, Heartbleed, what have you and suddenly you're struggling with damage control.

I have no time to argue with people who refuse to acknowledge the obvious.

urbanriot (Premium Member)

said by lugnut:

I have no time to argue with people who refuse to acknowledge the obvious.

... but you seem to have plenty of time to argue with people who have more hands-on insight on a topic than you do.
said by lugnut:

Heartbleed existed for over a year before it was "Discovered" by the white hat crowd.

That's a great example of what I'm referring to - how many sites were still exploitable after Heartbleed was public knowledge?

From Wikipedia (not Genius Hacker Monthly):

"A fixed version of OpenSSL was released on April 7, 2014, on the same day Heartbleed was publicly disclosed."

"As of May 20, 2014, 1.5% of the 800,000 most popular TLS-enabled websites were still vulnerable to Heartbleed." That's more than a month of time to patch... and that was just the 'most popular' sites.

Quite frankly you don't have any credibility when you refer to 'idiot admins' as you exhibit sheer ignorance on the topic of security. People like you are grossly contributing to ineptitude in suggesting that it's not a preventable issue. This attitude gives cheap decision makers a pass for bad decisions, diminishes the wages of skilled technical people, and encourages the hiring of unskilled technical people.

You refer to 'the next big thing', but what you fail to realize is that sites and networks are regularly compromised because people in responsible positions fail to follow competent security practices.
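Both posters above lean on Heartbleed (CVE-2014-0160) as their example, one to argue that unknown bugs make security hopeless, the other to point out that a fix existed the day it was disclosed and sites still sat unpatched a month later. The following is an added example, written for this page and not taken from the thread or from OpenSSL's source: it shows the shape of that bug and of its one-line fix. A TLS heartbeat request carries a peer-supplied two-byte payload length; the vulnerable responder copied that many bytes back out of the receive buffer without checking that the record actually contained them, so adjacent process memory went over the wire. The "heap" here is a constructed static arena with a constructed secret placed right after the record, so the over-read is deterministic and stays within the arena; the record format and the `1 + 2 + payload + 16 > length` check mirror the real protocol and patch, everything else (`arena`, `secret`, `build_record`, `run_case`) is scaffolding invented for the demonstration.

```c
/* Added example (not from this thread or from OpenSSL): the shape of the
 * Heartbleed bug, CVE-2014-0160. A TLS heartbeat message is
 *   type(1) | payload_length(2, big-endian) | payload | padding(>=16)
 * and the peer must echo payload_length bytes of payload back. The vulnerable
 * responder trusted the peer-supplied length; the fix checks it against the
 * number of bytes that actually arrived. The "heap" below is a constructed
 * static arena so the over-read is deterministic and stays in bounds. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define ARENA_SIZE  256

/* Constructed process memory: the received record is placed at the start of
 * the arena and a secret that must never leave the process sits right after
 * it, as a neighbouring heap allocation would in the real bug. */
static uint8_t arena[ARENA_SIZE];
static const char secret[] = "session-cookie=constructed-secret-value";

/* Builds a heartbeat request whose declared payload length is `claimed`
 * while only `actual` payload bytes were really sent. Returns the number of
 * bytes actually received (the record length). Callers keep
 * 3 + claimed + HB_PADDING and 3 + actual + HB_PADDING + sizeof secret
 * within ARENA_SIZE. */
size_t build_record(uint16_t claimed, size_t actual) {
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed >> 8);
    arena[2] = (uint8_t)(claimed & 0xff);
    memset(arena + 3, 'A', actual);              /* payload bytes present */
    size_t rec_len = 3 + actual + HB_PADDING;    /* padding is already zero */
    memcpy(arena + rec_len, secret, sizeof secret);
    return rec_len;
}

/* Vulnerable responder: echoes `payload` bytes as declared by the peer and
 * never compares that against rec_len, so it reads past the record. */
int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap) {
    (void)rec_len;                               /* never consulted: the bug */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + payload + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);           /* over-read once 3 + payload > rec_len */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Fixed responder: same logic plus the bounds check the patch added, which
 * rejects any record whose declared payload does not fit in what arrived. */
int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                    uint8_t *out, size_t out_cap) {
    if (rec_len < 3) return -1;                  /* not even type + length */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return -1;   /* the fix */
    if ((size_t)3 + payload + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Plain substring search over raw bytes (memmem is not standard C). */
static int contains(const uint8_t *hay, size_t hay_len,
                    const uint8_t *needle, size_t needle_len) {
    for (size_t i = 0; i + needle_len <= hay_len; i++)
        if (memcmp(hay + i, needle, needle_len) == 0) return 1;
    return 0;
}

/* Runs one request through the chosen responder. Returns 1 if the reply
 * carries the secret, 0 if it does not, -1 if the record was rejected. */
int run_case(int use_fixed, uint16_t claimed, size_t actual) {
    uint8_t out[ARENA_SIZE];
    size_t rec_len = build_record(claimed, actual);
    int n = use_fixed ? heartbeat_fixed(arena, rec_len, out, sizeof out)
                      : heartbeat_vulnerable(arena, rec_len, out, sizeof out);
    if (n < 0) return -1;
    return contains(out, (size_t)n, (const uint8_t *)secret, sizeof secret - 1);
}

int main(void) {
    printf("vulnerable, claims 100 bytes but sent 4: leak=%d\n", run_case(0, 100, 4));
    printf("fixed, claims 100 bytes but sent 4: result=%d (rejected)\n", run_case(1, 100, 4));
    printf("fixed, honest 4-byte request: leak=%d\n", run_case(1, 4, 4));
    return 0;
}
```

The point for the thread's argument is in the fixed responder: the check is a single comparison of a peer-controlled length against the bytes actually received, which is exactly the kind of input validation that "following procedure" in code review and fuzzing is meant to catch, and which a patch, once published, makes available to every admin who chooses to apply it.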