Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Hacker Business Models

CmdrTaco posted more than 3 years ago | from the doing-what-they-can dept.

Security 96

wiredmikey writes "The industrialized hackers are intent on one goal — making money. They also know the basic rules of the business of increasing revenues while cutting costs. As hackers started making money, the field became full of 'professionals' that inspired organized cyber crime. Similar to industrial corporations, hackers have developed their own business models in order to operate as a profitable organization. What do these business models look like? Data has become the hacker's currency. More data, more money. So the attack logic is simple: the more attacks, the more likely victim — so you automate ..."

cancel ×

96 comments

ITYM "cracker" (5, Insightful)

Kaz Kylheku (1484) | more than 3 years ago | (#33947558)

I'm a hacker and I break out of loops, not into computers.

Re:ITYM "cracker" (1)

eyenot (102141) | more than 3 years ago | (#33947696)

Slashdot needs to get with the times and have something similar to a like/digg/whatever button.

Re:ITYM "cracker" (1)

mehemiah (971799) | more than 3 years ago | (#33948092)

they do. see here [elamb.org]

Losing battle (4, Insightful)

Infonaut (96956) | more than 3 years ago | (#33947810)

The mainstream media has screwed this one up for years, but it's embarrassing to see hacker and cracker treated as equivalent terms in this, the last bastion of geekdom.

Re:Losing battle (4, Insightful)

Frosty Piss (770223) | more than 3 years ago | (#33947974)

The mainstream media has screwed this one up for years, but it's embarrassing to see hacker and cracker ...

The *only* people that differentiate between the two are the Slashdot crowd. To *everyone* else, an hacker is a hacker is a hacker.

Re:Losing battle (0)

Anonymous Coward | more than 3 years ago | (#33948330)

The slashdot crowd will give up on hacker around the same time the slashdot crowd gives up on begging the question i.e. never.

Re:Losing battle (1)

zeroshade (1801584) | more than 3 years ago | (#33948372)

Actually it's not just the Slashdot crowd. A lot of geeks differentiate between the two. Especially actual hackers.

Re:Losing battle (1)

OldHawk777 (19923) | more than 3 years ago | (#33950398)

Ditto - Even the old geeks...

Maybe an ad campaign will help..., Happy-Hackers, Criminal-Crackers, Phony-Phreaks, MILFs-Bleat with Meek-Geeks....

Re:Losing battle (1)

mjwalshe (1680392) | more than 3 years ago | (#33952328)

yep but unfortunately the hacker vs cracker train has left the station along time ago we aint going to get back to the 60's usage so let it go. Usage changes we have to live with it

Re:Losing battle (1)

Ephemeriis (315124) | more than 3 years ago | (#33948544)

The mainstream media has screwed this one up for years, but it's embarrassing to see hacker and cracker ...

The *only* people that differentiate between the two are the Slashdot crowd. To *everyone* else, an hacker is a hacker is a hacker.

It isn't just the Slashdot crowd. Lots of IT folks understand the difference and use the terms appropriately. Especially folks who would actually label themselves as hackers or crackers.

I suppose it wouldn't be quite so annoying if it was just the mainstream media screwing it up... But this is a publication on a website calling itself SecurityWeek. You'd think they might know something about IT.

Re:Losing battle (1)

mcgrew (92797) | more than 3 years ago | (#33951056)

Sometimes (like when they call crackers "hackers") I think "Security Week" is one of those spellcheck-friendly homophone typos, and it's supposed to be "Suck your I.T. weak".

Re:Losing battle (1)

Tarsir (1175373) | more than 3 years ago | (#33953018)

It isn't just the Slashdot crowd. Lots of IT folks understand the difference and use the terms appropriately. Especially folks who would actually label themselves as hackers or crackers

If IT folks aren't a part of the Slashdot crowd, who is?

I don't think I've ever heard someone say cracker without referring to something edible, except on Slashdot. And even on Slashdot, I mostly only see it used when people complain that it should have been used in place of cracker. It's dead Jim.

Re:Losing battle (1)

fuyu-no-neko (839858) | more than 3 years ago | (#33948728)

I find a car analogy comes in handy at times like these ;)
Something recently broke inside the latch on my glovebox recently. Nissan couldn't replace the part that broke, so I managed a fix by replacing the part with some appropriately bent wire and superglue.
This would be a hack using available resources.

Re:Losing battle (1)

SudoGhost (1779150) | more than 3 years ago | (#33948816)

And the only people who see the difference between Catholics and Protestants are the respective groups. To everyone else they're all Christians. Tell them they're the same thing.

Re:Losing battle (1)

KlaymenDK (713149) | more than 3 years ago | (#33951294)

Erm ... okay, although Ghandi said that "you christians are so unlike Christ" I'm still going to say "bad analogy" because I consider hackers and crackers are not merely variant of the same but very nearly *opposites* (which, mind you, is not the same thing as "opponents").

Re:Losing battle (1)

SudoGhost (1779150) | more than 3 years ago | (#33952248)

Hackers and Crackers interact with the same computer in different ways.

Catholics and Protestants interact with the same God in different ways.

How is this different?

Re:Losing battle (1)

matthiasvegh (1800634) | more than 3 years ago | (#33952474)

Because so does the secretary. And you wouldn't call him/her a hacker/cracker/phreak/etc. Nor would any member of the public.

Re:Losing battle (1)

SudoGhost (1779150) | more than 3 years ago | (#33952648)

You're missing the point. I would call I layman a priest either.

Re:Losing battle (1)

SudoGhost (1779150) | more than 3 years ago | (#33952808)

Thank you pointman, for stating the obvious. "The secretary interacts with the computer in a different way than a hacker." Wow. Only thing is, what does that have to do with these increasingly idiotic analogies? The initial point was Hacker:Cracker::Catholic:Protestant. Outsiders typically don't know and don't care the difference between the two. Anyone who spends five seconds looking at the two can tell the difference between a hacker and a secretary.

Re:Losing battle (1)

arthur01 (1368351) | more than 3 years ago | (#33956934)

The mainstream media has screwed this one up for years, but it's embarrassing to see hacker and cracker ...

The *only* people that differentiate between the two are the Slashdot crowd. To *everyone* else, an hacker is a hacker is a hacker.

So what would *you* call a person who works to dismantle a computer problem, bit by bit, until it is solved?

Re:Losing battle (1)

Reteo Varala (743) | more than 3 years ago | (#33957790)

The mainstream media has screwed this one up for years, but it's embarrassing to see hacker and cracker ...

The *only* people that differentiate between the two are the Slashdot crowd. To *everyone* else, an hacker is a hacker is a hacker.

First, keep in mind that the bulk of the Slashdot crowd happens to fit in the broader "hacker" category, and so would be much more aware of the distinction than the ones using the term as a blanket statement.

Second, keep in mind that times always change. To everyone else, once, geeks were geeks too. Now it tres chic to call oneself a geek when they know how to install and configure desktop applications in Windows.

Third, as times change, so do generations. I've seen enough evidence that the "hacker" label is starting to get positive connotations not to give up hope just yet... mostly because of the fact that the newer generations of people are growing up with these boxes, and are becoming familiar enough to self-apply the "hacker" label once they find out what it means; the primary "hacker is hacker" crowd are the older-school types who didn't get their first taste until the mid-90s, and the 1337 k1dd13z who refused to learn more than it took to pwnz0r a box.

Re:Losing battle (2, Insightful)

LordNimon (85072) | more than 3 years ago | (#33948116)

I'm sorry, but the word cracker is a perjorative for white people [wikipedia.org] , and has been for at least a hundred years. If geeks want to differentiate among "good" and "bad" hackers, they (we) must come up with a better term.

I don't know any geek who uses the word "cracker" to refer to bad hackers.

Re:Losing battle (1)

Noughmad (1044096) | more than 3 years ago | (#33948502)

From Wikipedia, the free encyclopedia:
A cracker is a baked good commonly made from unleavened grain flour dough and typically made in quantity in various hand-sized or smaller shapes.

We definitely need a better word.

Re:Losing battle (0)

Anonymous Coward | more than 3 years ago | (#33948520)

Darn I'm an Anon...
Cracker, from what I see it being is someone who "cracks" something, I usually think of a safe. http://en.wikipedia.org/wiki/Safe-cracking
(The link mentions hackers "breaking in". But, still)

Re:Losing battle (1)

drcheap (1897540) | more than 3 years ago | (#33948572)

Yes, better terms like, say, good hacker and bad hacker?

We have the terms now (1)

catherder_finleyd (322974) | more than 3 years ago | (#33948776)

White Hack (http://en.wikipedia.org/wiki/White_hat) versus Black Hat (http://en.wikipedia.org/wiki/Black_hat).

Re:We have the terms now (0)

Anonymous Coward | more than 3 years ago | (#33950598)

wikipedia is so racist

History lesson (0)

Anonymous Coward | more than 3 years ago | (#33948968)

I'm uncertain as to what constitues a "hacker" vs. a "cracker" today.

I started out with computers before they were even programmable. Back then you had to "hack" the hardware to get it to perform other functions than the ones it was designed for (like you'd call it a hack today, if you can get your MP3 player to play FLAC files or whatever).

Later when OS'es became programmable, and interchangeable, games, and programs were sold on highstreet. Computers became a household item. When this happened, people stopped trying to "hack" the computer, and instead started to "crack" the software. The first pieces of software came with it's own OS, so you'd generally want to "crack the shell" or even crack the software to get to the shell, and remove copyprotections, change functions of the program or even add functions as you needed them, oftentimes the underlying OS contained some very useful tidbits. "Crackers" worked their voodoo on the software side only, and some did so brilliantly, carving the software into usable bits that you could play with as you saw fit to. The best could circumvent encryption and even emulate required hardware (like dongles).

This definition of "cracker", being the software exploiter/copier/bundler/whatever, is the one I'm familiar with. I'm unaware of any reason why some people would bother to call all the scanner slaves, or other people doing repetitious work collecting data (by phishing, IP scanning, etc) for crackers ?!? They're not cracking anything, they're just exploiting weaknesses in software or hardware that the actual crackers or hackers have found and shared long ago.

So please enlighten me. What is the definition of a "cracker" today ?!? And why call all the little exploiters for crackers, when they're not cracking anything ?

Re:Losing battle (1)

mcgrew (92797) | more than 3 years ago | (#33952254)

You don't have to know much about computers to crack them, all you need to know is where to find the software to do it for you. Hackers write code and modify hardware.

And I think "cracker" is apt. For one thing, they're in it for the money, which I'm told [slashdot.org] is more addictive than crack cocaine.

As to your hundred year old perjorative, I with my hazel eyes have been called "nigga" and "bro" by black friends; the walls are crumbling down. And you don't know that these crackers are white, I'm sure there are some Asians, Hispanics, and blacks cracking computers and infecting zombiebots. I'm fine with "cracker", if you want a different word than coin one yourself.

Re:Losing battle (0)

Anonymous Coward | more than 3 years ago | (#33952804)

Pleased to meet you, LordNimon.

Re:Losing battle (1)

tehcyder (746570) | more than 3 years ago | (#33961846)

I'm sorry, but the word cracker is a perjorative for white people, and has been for at least a hundred years

Only in the US, and even then only for a certain type of poor white person in the south.

In the UK, for example, the two most common uses for the word are: Jacobs crackers (biscuits for cheese) and safe-cracker (someone who breaks into safes). This latter usage is the one that springs to my mind when I see the word "cracker" and makes perfect sense, referring to someone who breaks into computers.

Re:Losing battle (2, Insightful)

KlaymenDK (713149) | more than 3 years ago | (#33951052)

Perhaps it is a losing battle. Then again, in the spirit of "you miss all the shots you *don't* make", please bear with us as we keep repeating this.

Re:Losing battle (1)

tehcyder (746570) | more than 3 years ago | (#33961912)

Perhaps it is a losing battle.

I believe it is customary to spell that word "loosing" on slashdot. It's an old tradition, or a charter, or something.

Re:Losing battle (0)

Anonymous Coward | more than 3 years ago | (#33954506)

I got into computer science hoping to meet hot geek chicks like Jolie in the movie "Hackers". I'm still quite disappointed; even on the rare occasion you meet a cute one she is hooked up or married already. Oh yeah, it was annoying trying to hack with a Mac too.

Re:ITYM "cracker" (2, Informative)

Lord Ender (156273) | more than 3 years ago | (#33948080)

News flash: in English, words can have multiple definitions. I'm a hacker and I break golf clubs in frustration.

Re:ITYM "cracker" (4, Funny)

Kozz (7764) | more than 3 years ago | (#33948176)

News flash: in English, words can have multiple definitions. I'm a hacker and I break golf clubs in frustration.

I'm a cracker, though I prefer the term "honky".

Re:ITYM "cracker" (0)

Anonymous Coward | more than 3 years ago | (#33948346)

See I would Digg this comment

Re:ITYM "cracker" (1)

Cwix (1671282) | more than 3 years ago | (#33948818)

Perhaps no one gives a damn what youd digg. You are an AC. The mods take care of that stuff for you.

Hunky! (1)

antdude (79039) | more than 3 years ago | (#33950128)

I knew a guy named "Webjunky". I kept teasing him as "Webhunky" so I will do the same for you "hunky". :P

Re:ITYM "cracker" (1)

flappinbooger (574405) | more than 3 years ago | (#33955862)

My kids are crackers, meaning they were born in Florida.

Re:ITYM "cracker" (1)

Trepidity (597) | more than 3 years ago | (#33948208)

Especially since if we're going to complain about "misuse" this way, then the proposed use of "cracker" here is incorrect: in computing, a cracker is a person who cracks copy-protection. A person who breaks into bank accounts or servers is not a "cracker" under the long-accepted definition. (Breaking encryption can also be called "cracking encryption", but those people aren't usually called "crackers", at least not without some other adjective, like "code crackers".)

Re:ITYM "cracker" (1)

nabsltd (1313397) | more than 3 years ago | (#33948698)

(Breaking encryption can also be called "cracking encryption", but those people aren't usually called "crackers", at least not without some other adjective, like "code crackers".)

So, if "Weird Al" can get it right [wikipedia.org] , why can't everyone else?

Wanna be hackers? Code crackers? Slackers
Wastin' time with all the chatroom yakkers?

Re:ITYM "cracker" (1)

slackbheep (1420367) | more than 3 years ago | (#33949810)

What about this guy doesn't strike you as gloriously geeky?

Re:ITYM "cracker" (1)

Eil (82413) | more than 3 years ago | (#33948516)

It's worse than that. Used to be, you could easily guess by context whether "hacker" meant someone who programs, tinkers with, or reverse engineers technology or someone who breaks into other people's systems through technological skill (your definition of "cracker"). And even then, the line was sometimes blurry. In the olden days, you had to be a hacker in order to be a cracker but the reverse was obviously never true.

Now, the media uses "hacker" to refer to anyone who is somehow linked to crime involving computers or technology, even when no technical skill whatsoever was required. Very sad.

Re:ITYM "cracker" (1)

arndawg (1468629) | more than 3 years ago | (#33950072)

It's GNU/Linux not linux. Get over it, will ya?

Re:ITYM "cracker" (1)

mcgrew (92797) | more than 3 years ago | (#33950364)

Agreed. Hackers don't have business models, we just hack our hardware and software. Let the goddamned suits worry about business models.

The crooks who plant viruses for cash aren't hackers, they're businessmen. Sad that these days "hacker" has become synonymous with "electronic burglar" in the common man's mind.

Finally a Job! (1)

eldavojohn (898314) | more than 3 years ago | (#33947580)

A job awaits me after I graduate from Cash Paradise University [krebsonsecurity.com] ! With classes like "Botnet or How to Get My Own Bank Accounts" I'll never need to learn math!

Let me summarize the entire article (0)

Anonymous Coward | more than 3 years ago | (#33947666)

Meh

Cracker != Hacker (1, Insightful)

Anonymous Coward | more than 3 years ago | (#33947672)

Can Slashdot please be the lone voice of reason that doesn't feed into the newsmedia's misuse of the word "hacker"?

Re:Cracker != Hacker (2, Insightful)

autocracy (192714) | more than 3 years ago | (#33948070)

I officially give up on the cracker vs. hacker distinction. Hacker is a word with two meanings related respectively to exploration and compromise of computer systems. Crackers are things that go in your soup.

Re:Cracker != Hacker (1)

tool462 (677306) | more than 3 years ago | (#33948658)

Crackers are things that go in your soup.

I thought those were called "busboys".

Re:Cracker != Hacker (1)

Cwix (1671282) | more than 3 years ago | (#33948852)

You put busboys in your soup? That cant taste good.

Man I certainly hope you tip well.

Re:Cracker != Hacker (1)

jdgeorge (18767) | more than 3 years ago | (#33948076)

Traditionally, people who worked around computer security restrictions were referred to as "hackers" [wikipedia.org] . My understanding is that "cracking" [wikipedia.org] generally only refers to breaking the encryption that protects something, whereas "hacking" is a general term that refers to using a variety of methods to get elevated privileges on a system. Unfortunately, "hacking" also generally refers to any manipulation of the code on a system, which can muddy the distinction between "black hat hackers" and code developers who are commonly referred to as "hackers."

So, technically, the terminology in this case seems to be properly applied. The hackers in question aren't necessarily breaking encryption or other data security devices on the system, but may be using a other means of getting elevated privileges on a system including possibly social engineering. Note that social engineering is certainly NOT "cracking", but is likely to be part of the of "black hat hacker" tool set.

Re:Cracker != Hacker (0)

Anonymous Coward | more than 3 years ago | (#33948264)

You're wrong.

Re:Cracker != Hacker (1)

jdgeorge (18767) | more than 3 years ago | (#33948906)

You're wrong.

Heh... thanks, I got a chuckle from this. There's something poetic about that response. :-)

No. I have proof! (1)

AnonymousClown (1788472) | more than 3 years ago | (#33948204)

Can Slashdot please be the lone voice of reason that doesn't feed into the newsmedia's misuse of the word "hacker"?

No - Hackers == crackers.

Here's is my proof - a movie about hackers that break into things [imdb.com] .

It wasn't called Crackers but Hackers!

:-P

And...? (1)

iONiUM (530420) | more than 3 years ago | (#33947680)

This isn't exactly a crazy revelation. OMGZ "HACKERS" (that's not even the right term) WANT MONEY. There's so many things wrong with this article, especially the fact that it's not even bringing new information, that I don't understand why this is even on /.

Re:And...? (0)

Anonymous Coward | more than 3 years ago | (#33948000)

There's so many things wrong with your post.
"There's so"
>"There is so"
>>"There is so many things wrong with this article..."
>>>**There are so many things....

Grammar police, out.

Re:And...? (1)

Maarx (1794262) | more than 3 years ago | (#33948744)

I propose the use of there're as an abbreviation of there are.

Re:And...? (1)

Cwix (1671282) | more than 3 years ago | (#33948878)

How do you pronounce it?

Re:And...? (0)

Anonymous Coward | more than 3 years ago | (#33950492)

there-err...

They accually supply a pricelist (0)

Anonymous Coward | more than 3 years ago | (#33947772)

http://crackstation.net/bruteprice.php

Like picking candy at the store!

Basic rules of business don't necessarily apply (3, Insightful)

digitaldc (879047) | more than 3 years ago | (#33947808)

"They also know the basic rules of the business of increasing revenues while cutting costs."

True, but not all hackers/crackers/slackers do it to cut costs and increase revenue. Sometimes, it is just for notoriety.

There's some perfectly cromulent words for the... (2, Insightful)

Chris Tucker (302549) | more than 3 years ago | (#33947862)

...thieves and vandals that steal data, set up botnets or vandalize websites.

"Thieves and Vandals".

Thank you for your kind attention.

Re:There's some perfectly cromulent words for the. (1)

maxume (22995) | more than 3 years ago | (#33948250)

It's bizarre that you would highlight the malleability and flexibility of English while complaining about a word changing meaning.

Re:There's some perfectly cromulent words for the. (1)

Chris Tucker (302549) | more than 3 years ago | (#33948950)

Yeah, I know. Used to be, "nigger", "chink", "wop" were all socially acceptable words.

But not today.

Funny how that happened, isn't it?

Re:There's some perfectly cromulent words for the. (1)

maxume (22995) | more than 3 years ago | (#33949424)

I do not follow.

Re:There's some perfectly cromulent words for the. (1)

Chris Tucker (302549) | more than 3 years ago | (#33951792)

Yeah, that doesn't really surprise me.

Re:There's some perfectly cromulent words for the. (1)

maxume (22995) | more than 3 years ago | (#33952098)

No no, I get that you are making an argument about the people fighting for cracker choosing the wrong battle, I just don't get how your reply pertains to my post (unless you are complaining that the word 'hacker' is headed towards the same status as the ones you threw around).

Re:There's some perfectly cromulent words for the. (1)

ergean (582285) | more than 3 years ago | (#33949386)

As a member of the former roaming tribes of barbarians that invaded and pillaged Europe I'm displeased by the use of "vandals" in this context.

Re:There's some perfectly cromulent words for the. (1)

Chris Tucker (302549) | more than 3 years ago | (#33951920)

As a descendant of the indigenous peoples your ancestors invaded and pillaged, I understand your concerns and I feel your pain

Obtain (1)

NoSig (1919688) | more than 3 years ago | (#33947876)

I think it's too complimentary to say that these people "make" money, though they may succeed in taking money.

Re:Obtain (1)

Crudely_Indecent (739699) | more than 3 years ago | (#33947980)

They steal data.
They sell data.

I'm sure a significant portion wouldn't be caught dead using stolen identities. It's far safer to sell them.

Re:Obtain (1)

Monkeedude1212 (1560403) | more than 3 years ago | (#33948284)

Well yeah -

You think the guys boosting cars are the ones who want to own them?

Hackers should hack for free (0)

Anonymous Coward | more than 3 years ago | (#33947914)

And make their money on touring.

Re:Hackers should hack for free (1)

sleeper0 (319432) | more than 3 years ago | (#33952732)

you are fucking awesome

Sources, or GTFO (2, Informative)

Rogerborg (306625) | more than 3 years ago | (#33947950)

Reads like a lot of obvious consultant-wank generalities to me.

I don't care who this broad claims to be, she needs to either cite case examples, or go bake me some cookies.

Oh, client confidentiality. Well, that's convenient, ain't it? On the internets, nobody can prove you're not a 1337 security ninja.

Re:Sources, or GTFO (1)

Moe1975 (885721) | more than 3 years ago | (#33956804)

Wish I had mod points for you Sir.

>I don't care who this broad claims to be, she needs to either cite case examples, or go bake >me some cookies.

No one could have said it better even if they tried!

I am going to remember that one "bake me some cookies"

ROFLMAO!

Thank you kindly for this post :)

Moe

Re:Sources, or GTFO (1)

Geminii (954348) | more than 3 years ago | (#33971272)

On the internets, nobody can prove you're not a 1337 security ninja.

Did you fail to turn up on my security payroll without me hiring you or noticing the addition? Then you're not a security ninja. :)

What's more dangerous? (3, Interesting)

Monkeedude1212 (1560403) | more than 3 years ago | (#33948112)

Industrialized hackers or non-industrialized hackers?

We recently had a run-in with a hacker, very recently, not this past Friday but the one before. Exploit because our Web Server wasn't patched up on Windows Updates (or so one expert tells us), we weren't more than a month behind. All that really seemed to occur is that the index.html file was overwritten by the hacker's web page. This has, of course, brought the spot light on IT and the CEO is now asking about our security practices.

This is the same CEO who insisted that we as IT staff dole out the passwords for users, make them simple enough to remember, and don't let them change. It is quite possibly the weakest password security I've ever seen and I have no doubts that this could have easily played a part in why there was a security breach. Reason being, sometimes a manager doesn't let us know of a person's dismissal till after they are gone - so their account is still fully active for a while. If they put in the request AFTER 5 on a Friday? Well lets hope we check our email when we get home and do it remotely. Just September we're dealing with the blow of someone leaving the company and taking contact information with them to their next job (I think that falls into trade secrets?), so theres a whole bunch of legal stuff around that, and of course people are asking if they were able to access this information after they left the company. Regardless, if someone puts in their 2 weeks - and they intend on taking it to their next job, they're going to grab what they can to take it off-site, and we have the worst policy regarding cell phones with data plans as well. Essentially if its not a blackberry, we set up the email forwarding, if it is a blackberry, we have an Enterprise server, and we can send the kill command to wipe all data from the blackberry including grandma's phone number... it's a pretty stupid policy, lets just leave it at that.

Basically, its going like this: The company went from small to medium pretty fast, and the plans are set to grow into a large company very quickly. All along the way, security was never that much of an issue, at least network wise. We had issues with people downloading movies and seemingly random attacks on the webserver, most of which have been dealt with by our firewall. All in all, the IT group is too small though, there's a team of 4 programmers to handle all the in-house applications we need, one of our critical systems is still on powerbuilder 5 or 6... Ontario just went from GST+PST to the Harmonized Sales Tax... Lets just say the Programmers are swamped. On the other side we've got 4 technicians and a manager. The manager contracts out our firewall setups to some guy who really doesn't seem any more competant than the rest of us, in fact he tries to keep us distracted while he does his work so we can't actually learn his job. I guess most contractors are probably like that though. But otherwise, its just 4 of us to handle ~800 PCs which is probably going to bump up to 1000 before December here, as we have roughly 5 new locations opening up.

So we're not equipped to handle hackers - and we've officially been hacked. What do we do? Turn to an industrialized hacker and hope we can pay more than our competitor's might pay? After all, it's a double edged sword. If we go looking for help on our security, it shows we have a weakness, and if we don't want to pay for his services he can go right next door and try and sell our goods with confidence. To me that sounds like a scenario where they can name just about any price they like. And with the current state of the company (growing) it would seem we have a lot of money to lose.

More devastating though, would be a hacker who ISN'T in it for the money. We get a lot of turn over here - and not just the summer student temps but in pretty much every division but IT and accounting. Someone who wants the company to fail and has a friend with expertise, or the expertise themselves, could easily bring this place down. I think we got lucky that we were hit by someone who seems to do nothing but self promotion of his abilities. Things aren't good right now, but they could be a lot worse.

Re:What's more dangerous? (1)

umberleigh (793964) | more than 3 years ago | (#33948664)

So, where do you work?

Re:What's more dangerous? (1)

Monkeedude1212 (1560403) | more than 3 years ago | (#33948718)

Haha, figured that'd be brought up.

I fear I've already given away enough already - that anyone with sufficient expertise might already figure it out.

Re:What's more dangerous? (1)

drcheap (1897540) | more than 3 years ago | (#33948670)

Exploit because our Web Server wasn't patched up on Windows Updates

Hacked web server, Windows, same sentence, tl;dr.

Sorry, had to ;)

Re:What's more dangerous? (1, Informative)

Anonymous Coward | more than 3 years ago | (#33949030)

Your server updates should be applied as soon as they come out. Being a month behind was unacceptable. Sometimes Microsoft releases them out of band (outside of Patch Tuesday). Those are really important and should be installed and the server rebooted that night. Web server should be in a DMZ. Should only have one or two local admin accounts that only the IT people know. Should not have any ports open to the internet except 80 and 443 if you need it. Any other server software on it should be fully updated (apache?).

What exploit was used to access your web server? What update was not installed that would have prevented it? Were you running IIS or some other web server?

I have a feeling that being one month behind on your Windows Updates was not actually the cause of this one. Did you check your security logs for any unusual activity? The stuff I wrote above is minimal, and there is no reason for it not to be setup that way. Web servers that get hacked like you described are on clusterfucked networks, in my experience. Your CEO is correct to question your security practices since you were a fucking month behind on your patches.

Re:What's more dangerous? (2, Informative)

savanik (1090193) | more than 3 years ago | (#33949150)

So we're not equipped to handle hackers - and we've officially been hacked. What do we do?

Hiring 'hackers' is a media fiction - you wouldn't hire someone who was convicted of armed robbery to guard your local bank just because he was really good at it, would you? Hire a security professional who actually takes what they do for a living seriously, has credentials to prove it, and has a reputation for honesty and integrity they're not afraid to defend with references from previous employers and clients. Or contract the same. Or hire a consulting firm that specializes in security. A CISSP should be a minimum bar to get over.

Security is all about setting appropriate levels of trust on personnel. If you don't trust your security professionals (and by the way, the guy who sets up your firewall there should be one of them) then you can't trust the security they're putting in place. Audit the work they do. Trust, but verify. And for your size of network, you should have at least one full-time IT security person on staff.

Re:What's more dangerous? (2, Informative)

BigSlowTarget (325940) | more than 3 years ago | (#33953728)

>Turn to an industrialized hacker and hope we can pay more than our competitor's might pay?
NO NO NO NO. If you hire a criminal they will steal from you. This is like hiring a wolf to guard the sheep except the sheep are chopped up into cutlets and served to him on fine china.

Turn to a decent computer consulting company and bring in an integrated security solution, practices and policies. Use the breach as a lever to get the CEO to cough up the money for it. Business case goes like this: Get good security = Spend big $. Don't have good security = delaying expansion plans, legal exposure, unknown potential economic impacts, cobbled together solutions that could fail at any moment. Conceptually describe security as entirely different from normal IT so you don't lose your job. Stay on top of your consultants so you don't lose your job or get screwed with scope change and billing creep.

If you're worried about gouging get your purchasing people involved but ride herd on them too. Get bids from multiple companies, fixed price lists of services where possible, case examples as available and recommendations.

Re:What's more dangerous? (1)

severn2j (209810) | more than 3 years ago | (#33958572)

You don't need to hire a '{cr|h}acker' for this, as others have said, wolf -> hen house.. Firstly tho, don't let your CEO dictate your IT security policy. Seriously. That's your IT managers job, he should've pushed back on that one, so he should be getting flak for not doing that. If you want to improve security, I would hire a sysadmin with a decent background in security, and get him to manage that side of things (patching, hardening, etc) and also to spread the knowledge and a more security focused attitude around the rest of the IT department, which he will more than likely have an incentive to, purely so that he isn't constantly patching up holes left by the rest of the team.. In my experience contracting stuff out to a third party costs more and you end up with less..

help needed! (2, Insightful)

Kvasio (127200) | more than 3 years ago | (#33948912)

Seems that kdawson has "hacked" into CmdrTaco's /. account

Re:help needed! (0)

Anonymous Coward | more than 3 years ago | (#33950184)

kdawson is still around?

Re:help needed! (0)

Anonymous Coward | more than 3 years ago | (#33957658)

In Soviet Russia CmdrTaco's /. account "hacked" into kdawson

Alternative hacker business model (1)

Target Practice (79470) | more than 3 years ago | (#33949276)

Never heard of Security Week beyond a CIO/CEO's reading table, but that's probably just me showing my ignorance. I guess I still get offended by people messing with the word "hacker", but it especially hits home with something as greasy and vile as this. Here's an alternative Hacker Business Model:

0) Grow up infatuated with all things mechanical and electronic
1) Spend countless hours playing with Linux and Perl while the other kids smash heads together on the football field
2) Convert that time into "years of experience with Linux and Perl" on a resume
3) Get a job where they actually pay you to do what you like, albeit with some weird social obligations
4) Back to the basement, ad nauseum.

I don't necessarily see money as the direct result, though the money from your job certainly helps to buy more gadgets that run Linux, or even a mini trebuchet for your desk. Your personal Hacker Business Model may vary, but this one worked for me and many of my coworkers.

Re:Alternative hacker business model (1)

dave562 (969951) | more than 3 years ago | (#33950998)

It worked for me as well, but do you think it is still valid? I started working in IT back in 1996 when I was 18 years old. At that point the knowledge I had gained from tinkering on my own, and going to 2600 meetings and Defcon was enough to get me a job doing IT. When I look back at it, I think that I was able to do what I did and embark on the career path that I was on because I was in the right place at the right time. People with the skills to configure networking gear and servers and firewalls were in short supply. Because of that, my boss gave me a shot and I happened to flourish.

Here we are almost fifteen years later. Things have changed. There are colleges that are turning out IT employees with technical skills. The market is saturated with IT people. How many companies are going to take a chance on someone who has tinkered their whole life, versus someone who has tinkered their whole life and also gone to school for it?

replace word 'hacker' by 'cracker' (2, Informative)

Device666 (901563) | more than 3 years ago | (#33954124)

Come on the editors of Slashdot should know about the difference between the word hacker and cracker. A hacker has only a negative sound to those who don't know the history about the word or know what they are talking about, you know the way Hollywood uses the word for example. Crackers are the criminal oness. Or at least say something like "black hats" instead of hacker, when it's the criminals you are writing about.

More and more articles seems to suffer from the same lack of geekyness in multiple different ways..

Re:replace word 'hacker' by 'cracker' (1)

neminem (561346) | more than 3 years ago | (#33964322)

Important consideration: words often have multiple meanings that are made distinct only through context. Yes, the MIT-type hacker is totally different from the average black hat hacker. But it's obvious which the article meant, in the same way that you can tell that the piracy off Somalia doesn't involve copyright infringement, and the piracy of Windows in Russia doesn't involve boats or guns.

Heck, if you start going around talking about crackers being evil, won't people think you're being racist against Caucasians? (No. Because words have context.)
Check for New Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...