Boing Boing » hacking

Paper Man (1971) - early movie about hackers (complete on YouTube)

Mark Frauenfelder — Mon, 13 May 2013 21:56:03 +0000

Edgertor says: "No list of hacker movies i've found includes this one from 1971, it might also be the earliest!"

A prank that starts with a group of college students creating a fictitious person so they can get a credit card develops into a plot that leaves three of them dead.

With Dean Stockwell and Stephanie Powers! I can't wait to watch it as soon as I'm finished with my hard day of posting links here at the Boing Boing headquarters.

Hackers prepare for first "national holiday" in their honor

Andy Meek — Mon, 13 May 2013 14:02:38 +0000

Hackers often encounter public uncertainty at their craft’s virtue. With the forthcoming National Day of Civic Hacking, however, their celebration of creativity, collaboration and technical innovation sees its first “national holiday.”

Groups leading the June 1-2 event include Random Hacks of Kindness, Code for America and the investment firm Innovation Endeavors. They’re working with government agencies such as the U.S. Census Bureau, NASA and the U.S. Dept. of Labor to host activities which invite everyone to join the “civic hacker” community.

The weekend’s events will include block parties, meetups and hackathons, where participants will gather to prototype solutions to community-specific problems. “Challenges” will be identified, and made available to the public shortly before the event in each town, with invitations issued to so-called citizen hackers.

“We believe that government agencies must find groups of people, bring them together around an issue or problem that needs to be fixed, then step out of the way,” said Nicholas Skytland, program manager of NASA’s Open Innovation Program and one of the participants in the weekend’s events. “ ... let the collective energy of the people involved solve problems in creative and imaginative ways that we would never have done ourselves.”

At the start of the 2013 fiscal year, NASA tweaked the mission of its open government group to sharpen interest in “open innovation”. For the event, the space agency will offer a challenge and, potentially, an open data set to support it. NASA representatives also will attend the event to help developers as they develop their solutions.

That some of the participants are still wrestling with how much prominence to give the term “hacking” underscores why the event is being held in the first place: to put into the collective conscience the notion of the hacker as part of a digital bucket brigade—as worthwhile, even heroic, problem solvers.

“This is about recognizing the power of a new form of civic engagement,” said Dr. Michael Brennan of SecondMuse, a PR agency helping to organize the hacking weekend.

While some of the cities already signed up to host events remain skittish, others are planning to advertise their interest with banners on the side of public spaces like a City Hall, Brennan added.

The White House itself blogged about the hacking holiday, and will be hosting its second hackathon June 1. Invitees will be tasked with improving the popular We The People petition website, with the results released under an open-source licence.

“It’s a great cause and we’re excited to take part,” wrote White House online staffer Peter Welsch in his post.

At NASA, Skytland is responsible for leading the agency’s digital strategy and open government plan, with his goals including putting more high-value data sets online, promoting the use of open source software and creating more opportunities for the public to engage with NASA. He has experience planning hackathons, envisioning space exploration missions, designing next-gen space suits, training astronauts, developing open-source software and encouraging partnerships between government, industry, academia and other organizations.

Right now, he’s especially focused on how the government – and the space agency – can benefit from mass collaboration.

“We understand that the future of technology will be largely determined by citizens who will design, build, and hack their own technology together, and (the civic hacking event) is a way for us to really tap into that intelligence,” Skytland said. “Our goal is to inspire, incentivize and equip these communities to develop tomorrow’s technology and for NASA to be a part of the conversation.”

The agency has already let anyone who’s interested get a peek under the hood to see the mountain of information on countless subjects that NASA has collected. At data.nasa.gov, NASA lists more than 500 data sets that range from engineering data, charts and specifications to earth sciences data, atmospheric and environmental data and mission operations data relating to things like flight programs and mission control.

“We are interested in solving the toughest challenges, and we definitely don’t have all the answers,” Skytland said. “By tapping into a global community of expertise, partnering with researchers, scientists, technologists, academics and entrepreneurs as well as collaborating directly with citizens and innovative organizations, we can develop solutions that we would have never come up with on our own. Solutions that may have lasting impacts on both NASA and the world.”

Participants in the National Day of Civic Hacking will be encouraged to develop software, hardware, data visualization, and mobile/web applications. Challenges for the hacking event will be released about one month prior to the event, and there will be about 50 of them.

“Selfishly, for NASA, we want to develop a map of innovation around the nation,” Skytland said. “So this is a way for us to tap into talent in a way we haven’t considered before. NASA does space exploration really well, and we collect a lot of data, but we don’t always do those things in partnership with other agencies or the public.

“The idea of engaging a broad group of diverse people focused on pushing forward the development of a solution to a challenge – why this is so exciting is I personally feel the grand challenges of our time will require the talents of us all. Imagine what we could do if we focused on collaborating to improve something like the prosperity of our community over the course of a weekend. In general, this is not the kind of thing we do as a nation. This could be a movement focused on making the world a better place.”

The full list of participating cities is at the Hack for change website.

Build your own quantum entanglement experiment at home

Maggie Koerth-Baker — Fri, 08 Feb 2013 15:00:23 +0000

It may be a little late for folks on the East Coast to round up the necessary parts before the blizzard really hits, but this would be a fun trapped-in-the-house project. It's not cheap, but it does give you the opportunity to see how subatomic particles interact with one another in the privacy of your own home. In a post at Scientific American George Musser explains how he put his experiment together. A follow-up promises to show you how to use it, and what he found when he did.

Edward Tufte on Aaron Swartz and his own hacking career

Cory Doctorow — Mon, 21 Jan 2013 21:57:43 +0000

Designer and theorist Edward Tufte was a friend and mentor of Aaron Swartz's. At Saturday's memorial to Aaron at the Cooper Union in NYC, Tufte remembered both Aaron and his own hacking career, inventing "blue boxes" and using them to make illegal calls on AT&T's network, and wondered about what would have become of him had he run into the same prosecutorial zeal as Aaron faced. Here's a quote from Dan Nguyen's transcript of the Livestream video feed:

…[Bowen] then became president of the Mellon Foundation and he had retired from the Mellon foundation. But he was asked by he foundation to handle the problem of JSTOR and Aaron.
So I wrote Bill Bowen an email about it. And I said first that Aaron is a treasure. And then I told a personal story about how I had done some illegal hacking as a student and had been caught at it and what happened.
In 1962, my housemate and I invented the first blue box. That’s a device that allows for free, undetectable, unbillable long-distance telephone calls.
And we got this up. And played around with it and at the end of our research came when we completed was what we thought was the longest long distance phone call ever made, which was from Palo Alto to New York time of day, via Hawaii.

Edward Tufte’s defense of Aaron Swartz and the “marvelously different”

The LED dawn at 29c3, the 29th Chaos Communication Congress

Quinn Norton — Sun, 30 Dec 2012 15:28:37 +0000

Dawn is breaking over last day of the annual Chaos Communication Congress in Hamburg, Germany. CCC is the meeting of the Chaos Computer Club (also CCC), a group of German hackers hanging out together since 1981. Congress (as it is also known) is one of the great gatherings of tribes in the hacker world -- which, in the time it has existed, has gone from being a tiny, sometimes gothy and mathematically inclined subculture to being a big, elitist community whose work, values, and aesthetics touch the lives of billions of people. CCC has grown and flowered with the community.

The mad and beautiful landscape of the conference this year covers four floors of a Hamburg conference center like and electrical/human forest undergrowth. The topics range as wildly as technology itself. Sessions include the mathematics of factoring (cracking) RSA encryption, the state of the surveillance state in Russia, SCADA vulnerabilities, often in critical infrastructure, Romantic poets, and massively hacking tamagotchis. The halls and "assembly" areas for affinity groups all full of the interests of hacker culture: coding tables, hackerspaces, lockpicking, blinky lights, food hacking, etc. The undercurrents and background noise of the conference saturate in the hallway track. Legal crackdowns and the rising surveillance states crowd on in on us from outside, old fights over misogyny, sex and violence, and exclusion riddle the event from within. And through it, also the revitalization of friendships that are, in some cases, four days wide but decades deep. The starts and ends of countless projects, some of which will amuse us all, some fail, and others that will in time shape the world.

The hacker community that comes together at CCC is an extraordinary thing, physical and ethereal, a communion of wizards and fools, often trading roles through the day.

This year's theme is Not My Department, ominously lifted from Tom Lehrer's song about Wernher von Braun and the nuclear age. It's a self-conscious choice, a sign of growing awareness that this community is poised to sit in a position of strange power in the 21st century -- without yet knowing what kind of ethics should accompany that position. A nest of geeks whose real-world influence has grown out of all proportion in the last 30 years, these hackers, coders, and makers are struggling with the weird machine they have created in the heart of the world.

ONCE-THE.ROCKETS/ARE-UP..WHO>CARES-WHERE.THEY/COME-DOWN. THAT'S N.O-T/MY-D/E.PA/R.T-ME-N-T. 2.9-C/3

Nearly all the talks are available on Youtube within a day of being completed -- follow along at home, and on Twitter at the #29c3 hashtag. But for the hallway track, there is only here.

Andrew "Weev" Auernheimer, the Adrian Chen profile

Xeni Jardin — Wed, 28 Nov 2012 12:39:16 +0000

Weev. Photo: Gawker

Adrian Chen at Gawker has a must-read profile on Weev: so-called "iPad hacker," founder of the anti-blogging Internet-trolling organization "Gay Nigger Association of America," and born-again Mormon troll. Snip:

For Auernheimer, the AT&T breach was one of his finest works as a troll. He personally didn't hack anything—the program used to collect the email addresses was written by Spitler—except the media. He was the hype man for Goatse, and he claims blew the breach up far beyond its actual significance. "The bug that I'm indicted over isn't a big deal," he says. "What made it big is the way I presented it." He boils down his success at promoting the AT&T job to three bullet points: "Rhetoric, persuasion, and meme reference."
But was collecting the email addresses actually a crime? "If somebody mistakenly puts information out there on the web and somebody mistakenly gets that information, that's not illegal," says Jennifer Granick, a lawyer and the director of the Center for Internet and Society at Stanford. This is why Auernheimer decided to fight his charges instead of take a plea deal, as Spitler did last year.
"I contend there is no crime in telling the truth or using AT&T's, or anybody's, publicly accessible data, to cite it to talk about how they made people's data public," he told CNET.
Auernhemier's jury disagreed.

Read: The Internet's Best Terrible Person Goes to Jail: Can a Reviled Master Troll Become a Geek Hero?.

Ad-blocking box maker seeks funding

Rob Beschizza — Mon, 12 Nov 2012 13:36:22 +0000

AdTrap is a planned $150 firewall box for consumers. Plugged in between your internet connection and router, it strips the web of advertising without requiring a moment's configuration. Unlike browser-based plugins, it covers the whole pipe rather than a single app: every device in the house managed from a single setup screen.

It's open-source and hackable, too, but the moral hazard with these concepts is always the same: the more successful they are in becoming a de facto middle-man between readers and publishers, the greater will be their incentive to research their way to concluding that you like some advertising after all.

Report: SEC's computers were vulnerable to security breaches

Xeni Jardin — Fri, 09 Nov 2012 15:10:16 +0000

U.S. Securities and Exchange Commission employees did not encrypt some computers that contained "highly sensitive information from stock exchanges, leaving the data vulnerable to cyber attacks, according to people familiar with the matter." Reuters has the full story. The SEC spent $200K to confirm that "no hacking or spying on the SEC's computers took place," however, and there is no evidence that any data was actually breached.

National Institutes of Health and Cancer.gov sites hacked this week

Xeni Jardin — Sat, 03 Nov 2012 12:58:01 +0000

Man, come on, who hacks cancer.gov? Well, they did. And then a few days later, the National Institutes of Health Website was compromised. 5,000 user records were leaked. What's next, kittens.org? Cuddlybabies.tumblr.com? (via Chris Wysopal)

Data recovery firm gives man happy ending

Xeni Jardin — Thu, 23 Aug 2012 18:16:34 +0000

Technology writer Mat Honan was "epically hacked," in a widely-circulated cautionary tale that should have you changing your passwords and turning on secondary authentication measures. The Novato, California-based firm DriveSavers helped Mat get his data back, and he traveled to the clean room to see how they did it. (wired.com)

Ecuador's president denies granting asylum to Wikileaks' Assange

Xeni Jardin — Wed, 15 Aug 2012 16:45:30 +0000

Rumor de asilo a Assange es falso. Todavía no hay ninguna decisión al respecto. Espero informe de Cancillería.
— Rafael Correa (@MashiRafael) August 14, 2012

The Guardian reports that the Ecuadorean government will grant asylum to embattled Wikileaks founder Julian Assange. The New York Times notes that the president of Ecuador denies this.

Social engineer hacks Wal-Mart from Defcon

Xeni Jardin — Thu, 09 Aug 2012 02:22:01 +0000

In a contest at the hacker conference Defcon, security specialist Shane MacDougall successfully penetrated Wal-Mart. "Social engineering is the biggest threat to the enterprise, without a doubt," MacDougall said after his call. "I see all these [chief security officers] that spend all this money on firewalls and stuff, and they spend zero dollars on awareness." (via @kevinmitnick)

Dropbox: "We wuz hacked"

Xeni Jardin — Wed, 01 Aug 2012 18:05:06 +0000

A couple weeks ago, a few hundred Dropbox users noticed they were receiving loads of spam about online casinos and gambling websites, at email addresses those users had set up only for Dropbox-related actions. The online file storage service now admits that hackers snagged usernames and passwords from third party sites, and used this data to break into those Dropbox users' accounts. Dara Kerr, reporting for CNET:

"Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We've contacted these users and have helped them protect their accounts," the company wrote in a blog post today. "A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam."

Over at Ars Technica, Jon Brodkin has more. Evidently, the illicit access happened because a Dropbox employee’s account was hacked.

Dropbox noted that users should set up different passwords for different sites. The site is also increasing its own security measures. In a few weeks, Dropbox said it will start offering an optional two-factor authentication service. This could involve users logging in with a password as well as a temporary code sent to their phones.

Good to hear. Google is another popular service that offers such two-step authentication for its services, and I'm a big fan of that. And, of course, it's always smart not to use, say, the same easily-cracked password for Dropbox that you do for your onling banking.

Report: complexity of cyberspying botnets greater than previously known

Xeni Jardin — Mon, 30 Jul 2012 14:42:55 +0000

Brian Krebs interviews Joe Stewart, a security researcher "who’s spent 18 months cataloging and tracking malicious software that was developed and deployed specifically for spying on governments, activists and industry executives." Speaking at Defcon in Las Vegas, Stewart says the "complexity and scope of these cyberspy networks now rivals many large conventional cybercrime operations.

A first for Black Hat hacker con: Apple in the house

Xeni Jardin — Tue, 24 Jul 2012 19:40:59 +0000

Apple has never before participated in Defcon or Black Hat, but Bloomberg reports that this will change Thursday "when Dallas De Atley, manager of Apple’s platform security team, is scheduled to give a presentation on key security technologies within iOS, the operating system for iPhones and iPads" at Black Hat in Las Vegas, NV.

It’s significant because in recent years, Apple products have been stripped of their image of being hack-proof. The company’s rise has made it a bigger target, as hackers have been discovering bugs in the iPhone since it came out in 2007. Earlier this year, more than 600,000 Macs were infected, the first major malicious software attack targeting Apple computers.

Weev: Not Amused.

Report: hackers targeting Iranian nuclear facilities "AC/DC-rolled" workstations after attack

Xeni Jardin — Tue, 24 Jul 2012 18:14:39 +0000

Mikko H. Hypponen of F-Secure publishes an email he claims is from a scientist with the Atomic Energy Organization of Iran (or AEOI), which details a new "cyber attack" wave against Iranian nuclear systems.

Snip: "There was also some music playing randomly on several of the workstations during the middle of the night with the volume maxed out. I believe it was playing 'Thunderstruck' by AC/DC."

Mikko can't validate the email or the tale therein, and neither can we, but if it's true? Heh.

* The 'shoop above is mine, not the hackers'.

Hackers take Yahoo: 453,000 login credentials nabbed

Rob Beschizza — Thu, 12 Jul 2012 04:54:55 +0000

Dan Goodin at Ars: "The dump, posted on a public website by a hacking collective known as D33Ds Company, said it penetrated the Yahoo subdomain using what's known as a union-based SQL injection. ... To support their claim, the hackers posted what they said were the plaintext credentials for 453,492 Yahoo accounts."

Cable hacker jailed

Rob Beschizza — Fri, 29 Jun 2012 12:26:59 +0000

A good old fashioned hardware hacker is off to jail for 3 years for selling rooted modems. The boxes gave cable users actual unlimited internet. P.S. His book, Hacking the Cable Modem: What Cable Companies Don't Want You to Know, is available at Amazon.

NSA Built Stuxnet, but Real Trick Is Building Crew of Hackers

Mark Frauenfelder — Tue, 12 Jun 2012 13:34:08 +0000

After decades of waging a scorched earth war against hackers, the US government is now complaining about a shortage of hackers it needs to conduct cyberwarfare.

Stuxnet, the worm that targeted Iran's nuclear facilities, was created by US and Israel

Xeni Jardin — Fri, 01 Jun 2012 16:00:33 +0000

Iranian President Mahmoud Ahmadinejad inspects centrifuges at a uranium enrichment plant.

Reporting for the New York Times, David Sanger confirms what internet security researchers suspected all along: Stuxnet, the worm that targeted computers in Iran's central nuclear enrichment facilities, was a US/Israeli project and part of an expanded effort at cyberweaponry by the Obama administration.

Mr. Obama decided to accelerate the attacks — begun in the Bush administration and code-named Olympic Games — even after an element of the program accidentally became public in the summer of 2010 because of a programming error that allowed it to escape Iran’s Natanz plant and sent it around the world on the Internet. Computer security experts who began studying the worm, which had been developed by the United States and Israel, gave it a name: Stuxnet.
At a tense meeting in the White House Situation Room within days of the worm’s “escape,” Mr. Obama, Vice President Joseph R. Biden Jr. and the director of the Central Intelligence Agency at the time, Leon E. Panetta, considered whether America’s most ambitious attempt to slow the progress of Iran’s nuclear efforts had been fatally compromised.
“Should we shut this thing down?” Mr. Obama asked, according to members of the president’s national security team who were in the room.
Told it was unclear how much the Iranians knew about the code, and offered evidence that it was still causing havoc, Mr. Obama decided that the cyberattacks should proceed. In the following weeks, the Natanz plant was hit by a newer version of the computer worm, and then another after that. The last of that series of attacks, a few weeks after Stuxnet was detected around the world, temporarily took out nearly 1,000 of the 5,000 centrifuges Iran had spinning at the time to purify uranium.

Read the full story here. Don't miss the related infographic that explains, in simple steps, how the secret cyberwar process operated.

Related reading: Why did antivirus firms fail to detect phenomena like Stuxnet, and the more recent Duqu and Flame, for so long? Writing for Wired's Threat Level blog, Mikko Hypponen explains. "The truth is, consumer-grade antivirus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets."

The Washington Post reports on plans to further expand US cyberwarfare. And a response in Time: on this matter, the American public is being played by the Pentagon.

Cyber-weapon Flame, "most complex malware ever," identified by Kaspersky Lab

Xeni Jardin — Mon, 28 May 2012 17:28:16 +0000

The Moscow-based security firm credited with solving various mysteries around Stuxnet and Duqu today announced the discovery of Flame, a data-stealing virus said to have lurked on thousands of computers in the Mideast for as long as 5 years. A Kaspersky Lab spokesperson described it in a Reuters interview as "the most complex piece of malicious software discovered to date."

Adds Bruce Sterling, "Given that this has been out in the wild for a couple of years now, what’s five times bigger than 'Flame' and even less understood?"

Writing today at Wired News, Kim Zetter reports that Flame is believed to be "part of a well-coordinated, ongoing, state-run cyberespionage operation."

Kaspersky has a FAQ about Flame, here.

(Image: Kaspersky Labs)

New Skype malware threat reported: Poison Ivy

Xeni Jardin — Tue, 15 May 2012 23:02:42 +0000

Dancho Danchev reports an incident in which a friend pinged him at an odd hour on Skype "with a message pointing to what appeared to be a photo site with the message 'hahahahaha foto' and a link to hxxp://random_subdomain.photalbum.org." Yup, malware. The Poison Ivy trojan is spreading across Skype. [webroot via Joseph Menn]

Fooling facial recognition surveillance cameras with cunning and crocheting

Xeni Jardin — Wed, 21 Mar 2012 02:08:54 +0000

[Video Link]

Canadian yarn-lover and privacy-lover Howie Woo has developed an ingenious system for thwarting surveillance cameras that use face recognition technology. His solution involves crochet and LOLs. Here are more photos (via the Boing Boing Flickr Pool). More about Howie's playful creations here.

Anonymous rocked by revelation that top LulzSec hacker was FBI snitch

Xeni Jardin — Thu, 08 Mar 2012 16:48:37 +0000

Quinn Norton has an excellent piece over at Wired:Threat Level on the reactions within "Anonymous" to the news that LulzSec frontman "Sabu" (photo above) was collaborating with the FBI. Kim Zetter's take on the arrests and secret plea deals is here.

LulzSec frontman Sabu was FBI informant, fed Stratfor docs to Wikileaks from an FBI-owned computer

Xeni Jardin — Wed, 07 Mar 2012 17:06:15 +0000

The Guardian has more on the big hacking news which Fox News broke yesterday (as noted in a post by Rob). "Sabu," the trash-talking, self-appointed leader of LulzSec, has been working for the FBI for the last six months. The FBI says he helped the US and various European governments identify and arrest five alleged LulzSec members charged with participating in defacement, DDOSing, and "doxing" against high-profile government and corporate targets. Sabu (above) is, in now identified as Hector Xavier Monsegur, a 28-year-old unemployed Puerto Rican guy living in New York, and a father of two. He was charged with 12 criminal counts of conspiracy to engage in "computer hacking and other crimes" last year, pled guilty in August, 2011, then "snitched" on his LulzSec friends.

Here's the FBI news release, which notably omits the names of any prosecutors (perhaps for fear of Anonymous attack).

Snip from Guardian story:

His online "hacker" activity continued until very recently, with a tweet sent by him in the last 24 hours saying: "The feds at this moment are scouring our lives without warrants. Without judges approval. This needs to change. Asap."
In a US court document, the FBI's informant – there described as CW – "acting under the direction of the FBI" helped facilitate the publication of what was thought to be an embarrassing leak of conference call between the FBI and the UK's Serious and Organised Crime Agency in February. Officers from both sides of the Atlantic were heard discussing the progress of various hacking investigations in the call.
A second document shows that Monsegur – styled this time as CW-1 – provided an FBI-owned computer to facilitate the release of 5m emails taken from US security consultancy Stratfor and which are now being published by WikiLeaks. That suggests the FBI may have had an inside track on discussions between Julian Assange of WikiLeaks, and Anonymous, another hacking group, about the leaking of thousands of confidential emails and documents.
The indictments mark the most significant strike by law enforcement officials against the amateur hacker groups that have sprung out of Anonymous. These groups, which include LulzSec, have cost businesses millions of pounds and exposed the credit card details and passwords of nearly 1 million people.

Report: LulzSec members arrested

Rob Beschizza — Tue, 06 Mar 2012 14:33:38 +0000

Fox News' Jana Winter reports that LulzSec's Sabu was caught and turned by the authorities last June and has been working with them since. Other members of the group were arrested today as a result, she writes; details will be unsealed today in district court. The name given, Hector Xavier Monsegur, would confirm earlier outings and doxings from the same period. Last June saw the group publicly suspend operations, if you'll recall, and suffer its earliest arrests.

Spain, South America arrest 25 in Anonymous crackdown, with Interpol assist

Xeni Jardin — Tue, 28 Feb 2012 23:09:59 +0000

With help from the international police organization Interpol, Spain and three South American countries today arrested 25 people who are suspected of being Anonymous activist/hacktivist/hackers. They are accused of defacing government and corporate websites. Reuters:

Spanish police also accused one of four suspects picked up in the cities of Madrid and Malaga of releasing personal data about police officers and bodyguards protecting Spain's royal family and the prime minister.
Other arrests were in Argentina, Chile and Colombia, and 250 items of computer equipment and mobile phones were seized across 15 cities, Interpol said. Colombia's Ministry of Defence and presidential websites as well as Chile's Endesa electricity company were among the targets of the hackers, it said.

And not coincidentally, the Interpol website has been intermittently offline today.

Shit programmers say

Cory Doctorow — Tue, 31 Jan 2012 21:31:41 +0000

"Shit Programmers Say" -- a worthy addition to the series and a trenchant comment on the inherent interiority of programming.

Shit Programmers Say (via Waxy!)

Newt threatens Russia, China with cyberwar

Xeni Jardin — Wed, 25 Jan 2012 21:27:19 +0000

“I think that we have to treat state-based covert activities as the equivalent of acts of war. And I think that we have to respond to that and create a level of pain which teaches people not to do it.” US presidential candidate Newt Gingrich, responding to a question about countries that target U.S. corporate and government information systems.

Stratfor hacked; clients and credit card numbers exposed

Rob Beschizza — Mon, 26 Dec 2011 03:47:38 +0000

Intelligence and security research group Stratfor was hacked Saturday, and a a list of clients, personal information and credit card numbers purloined from its servers.

Having exposed the group's customers, the hackers apparently used the card numbers to make donations to the Red Cross and other charities.

The New York Times' Nicole Perlroth writes that the attack was also likely intended to embarrass Stratfor. She ends with a curious quote from Jerry Irvine, a member of the Department of Homeland Security's cybersecurity task force:

“The scary thing is that no matter what you do, every system has some level of vulnerability,” says Jerry Irvine, a member of the National Cyber Security Task Force. “The more you do from an advanced technical standpoint, the more common things go unnoticed. Getting into a system is really not that difficult.”

Sure, if it's a web server, exposed to the public by design.

But Stratfor didn't just expose a website to the public. It also, apparently, put all this other stuff online, in the clear, for the taking.

It's true that websites are like storefronts, and that it's more or less impossible to stop determined people from blocking or defacing them now and again.

Here, however, it looks like Stratfor left private files in the window display, waiting to be grabbed by the first guy to put a brick through the glass.

Now, I'm not a member of the national IT security planning task force. But I'm pretty sure that putting unencrypted lists of credit card numbers and client details on public-exposed servers isn't quite explained by "no matter what you do, every system has some level of vulnerability."

UPDATE: One Anon claims that the hack was not the work of Anonymous. However, the usual caveats apply: no structure, no official channels, no formal leaders or spokespersons.