
Is This the Golden Age of Hacking?

samzenpus posted more than 3 years ago | from the timing-is-everything dept.

Security 213

Barence writes "With a seemingly continuous wave of attacks hitting the public and commercial sectors, there has never been a more prodigious period for hackers, argues PC Pro. What has led to the sudden hacking boom? Ease of access to tools has also led to an explosion in the numbers of people actively looking for companies with weakened defenses, according to security experts. Meanwhile, the recession has left thousands of highly skilled IT staff out of work and desperate for money, while simultaneously crimping companies' IT security budgets. The pressure to get systems up and running as quickly as possible also means that networks aren't locked down as tightly as they should be, which can leave back doors open for hackers."


213 comments


Puhleeze (1)

Anonymous Coward | more than 3 years ago | (#36449952)

This is the Silver Age at best.

Re:Puhleeze (1)

Canazza (1428553) | more than 3 years ago | (#36451170)

With the wacky antics of Anonymous and Lulzsec it certainly feels silver age.
Just pray that it doesn't descend into a Dark age where even Batman is forced to murder kittens.

Methinks it be the script-kiddies (5, Insightful)

amalek (615708) | more than 3 years ago | (#36449962)

Meanwhile, the recession has left thousands of highly skilled IT staff out of work and desperate for money, while simultaneously crimping companies' IT security budgets... ?

Re:Methinks it be the script-kiddies (4, Insightful)

Anrego (830717) | more than 3 years ago | (#36450110)

crimping companies' IT security budgets

Most were already crippled, which is really what I blame for the problem.

For a _long_ time "this could get hacked" was a theory. Yes if someone dedicated resources at you and knew where to look they could get in.. but who is going to target _us_.

The availability of tools that can automagically find these vulnerabilities and exploit them is what I blame. All these little holes no one worried about because "no one will ever bother looking there" are becoming a big deal.

Hopefully companies getting hacked left right and center will put the fear of the great fire cactus to the suits, and they in-turn will invest in real security.

Re:Methinks it be the script-kiddies (3, Insightful)

JoeTalbott (2146840) | more than 3 years ago | (#36450370)

This reminds me of a plumber I once knew who bumped his head on a brick and a gold coin fell out. Ever since then he's been bumping his head on bricks looking for hidden coins. A sad tale indeed from which I learned that 'security through obscurity' depends largely on the obscure remaining so.

Re:Methinks it be the script-kiddies (1)

MickyTheIdiot (1032226) | more than 3 years ago | (#36450504)

Was his name "Mario"? I know a plumber named Mario who hits his head on bricks and gets coins...

Re:Methinks it be the script-kiddies (2)

Culture20 (968837) | more than 3 years ago | (#36450626)

The truly sad part of that story is that the giant dragon turtle who hid all those coins in the bricks lost all his money. He should have diversified.

Re:Methinks it be the script-kiddies (2)

Batmunk2000 (1878016) | more than 3 years ago | (#36450426)

I agree, except these "hackers" need to be labeled criminals and called out by our industry as such. Sure the companies could do better (and need to be called out when they are grossly negligent), but that can be like saying a home owner *could* or *should* have put up cameras, steel doors and bars on the windows to help deter the burglar. Sure we could make every house Fort Knox, but that isn't cost effective nor is it always the proper front of the battle. There is a reasonable amount of security that should be in place, depending on what is being protected, and a reasonable amount of vigilance from the law to go after these criminals.

Re:Methinks it be the script-kiddies (2)

djowatts (2269380) | more than 3 years ago | (#36450854)

I don't think you can draw a comparison between the safety of a private residence, and the security of a corporation's network. Put lightly, if a thief manages to break into your home, it is likely he will only get away with either one large item (such as your 40" TV) or maybe pockets full of jewellery and whatever cash they stumble upon. In comparison, if a hacker can break into the network of a corporation, that means customer data and other valuable information (possibly trade secrets etc.) could be compromised. Another comparison to draw is that items in your home are likely to be secured by insurance, but if this data gets out there then there is no insurance.

Re:Methinks it be the script-kiddies (1)

cgenman (325138) | more than 3 years ago | (#36450898)

Most of these houses lock the front door with a twist-tie and leave the windows open. I'm sorry, but if a simple directory traversal will get your web server to serve up your password file, we're not talking about breaking into Fort Knox here. Most of the security these companies had was security theater. Even more "advanced" tactics, like using holes in common software that was patched two years ago, should never happen.

Re:Methinks it be the script-kiddies (0)

Anonymous Coward | more than 3 years ago | (#36450432)

The suits are still happily living in la-la land, but at least it's harder for them to feign ignorance now, what with Sony, Citi, and such.

Re:Methinks it be the script-kiddies (0)

Anonymous Coward | more than 3 years ago | (#36450470)

For a long long time "this could get hacked" was a theory.

FTFY

Re:Methinks it be the script-kiddies (0)

Anonymous Coward | more than 3 years ago | (#36450536)

I hope the popularity of the word "Automagically" dies a quick death, I hate that word with a passion. Anyways, I do agree with your post though.

Re:Methinks it be the script-kiddies (1)

Anrego (830717) | more than 3 years ago | (#36450640)

Wow, feels different to be the one using one of these silly made up words that everyone (usually including myself) generally hate.

Either way, word's been around since perl (that's where I first heard it I think), so probably not going anywhere ;p

Re:Methinks it be the script-kiddies (3, Insightful)

cgenman (325138) | more than 3 years ago | (#36450832)

Citi got hacked because you could plug anybody's account numbers into a website once you had logged in, and it would spit out valid information. That's just a complete lack of basic security. That's just bad initial design that wouldn't have cost any extra to secure if it had been developed by anyone with a clue.

And automated tools have existed for years. I'd say that the big difference is that it used to be very few people knew how to move 200k freshly stolen credit card numbers. Sellers and buyers had to know specific IRC channels or dial-up BBS's to log into. Now, thanks to social networking and the explosion of 0-configuration bulletin boards, anyone with a use for a million credit card numbers can hop onto Google and find a place where sellers hang out. People can make a good living renting out botnets or selling identities in a way that had been very difficult.
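
The flaw as described in the comment above (any account number accepted once a user is logged in) is a missing per-object ownership check. The following is an added illustration, not code from the thread or from any real bank; the account data, `Session`, `Forbidden` and all function names are hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data: account numbers, owners and balances are made up.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 2500},
    "1002": {"owner": "bob", "balance": 90},
}


@dataclass(frozen=True)
class Session:
    user: str  # identity established at login (hypothetical session object)


class Forbidden(Exception):
    """Raised when a lookup is refused."""


def get_account_vulnerable(session, account_id):
    """Authentication only: any logged-in user can read any account."""
    if session is None:
        raise Forbidden("login required")
    # The account number comes straight from the request and is trusted.
    return ACCOUNTS.get(account_id)


def get_account_checked(session, account_id, audit_log):
    """Authentication plus a per-object ownership check."""
    if session is None:
        raise Forbidden("login required")
    record = ACCOUNTS.get(account_id)
    # "Does not exist" and "not yours" produce the same error, so the
    # response does not confirm which account numbers are valid.
    if record is None or record["owner"] != session.user:
        audit_log.append((session.user, account_id))
        raise Forbidden("no such account")
    return record


def flag_enumeration(audit_log, threshold=3):
    """Return users who were denied on `threshold` or more distinct accounts.

    A legitimate user mistyping one number shows up once; someone walking
    through account numbers accumulates many distinct denials.
    """
    denied = defaultdict(set)
    for user, account_id in audit_log:
        denied[user].add(account_id)
    return sorted(u for u, ids in denied.items() if len(ids) >= threshold)


if __name__ == "__main__":
    alice = Session("alice")
    log = []
    print("vulnerable:", get_account_vulnerable(alice, "1002"))
    for requested in ("1001", "1002", "1003", "1004"):
        try:
            print("checked:", requested, get_account_checked(alice, requested, log))
        except Forbidden as exc:
            print("checked:", requested, "refused:", exc)
    print("flagged users:", flag_enumeration(log))
```

The ownership check costs one comparison per request, and the denial log gives operations staff a signal when someone starts walking through account numbers.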

Re:Methinks it be the script-kiddies (0)

Anonymous Coward | more than 3 years ago | (#36450864)

I have a feeling it won't work that way. I think instead more laws will be passed and more government intervention will take hold across the interwebs, and things will become less and less open and free.

Re:Methinks it be the script-kiddies (3, Insightful)

AmiMoJo (196126) | more than 3 years ago | (#36450916)

From the board room's point of view security costs money with no tangible benefit. They find it hard to say to investors "we spent lots of money on securing our systems, it reduced our productivity and increased the size of our IT department but we were saved from all these hacking attempts, honest". On the other hand if they buy some cheap "network grade" anti-virus software they can claim to be both diligent and securing their systems and to be helpless victims of elite cyber criminal masterminds when things do go wrong.

No sympathy for them! (1)

Kamiza Ikioi (893310) | more than 3 years ago | (#36451000)

The availability of tools that can automagically find these vulnerabilities and exploit them is what I blame.

I have no such sympathy. Those tools which find holes are not just as easy for security staff to obtain, but those tools were made FOR the security staff. If someone works in IT Security and doesn't know how to run Metasploit on their own infrastructure, then they are utterly useless to the point of being the real point of blame. And if companies can't hire those individuals, they are as to blame as banks that don't take security measures to protect tellers from armed bank robbers.

The same trend to "open environment" that has removed the bullet proof glass from bank tellers is the same BS "open environment" pushed by company websites. Yeah, they opened it, alright. They flew so fast to become "social" that they exposed their knickers!

Re:Methinks it be the script-kiddies (1)

fermion (181285) | more than 3 years ago | (#36450746)

It is not the recession. 15 years ago, when every skilled person had a job, the script kiddies were hard at work.

What I think it is is that the tools have advanced so much, that one does not even have to rise to the level of script kiddie to call oneself a 'hacker'. Look at the iphone, all one needs to know how to do is run autoinstall and maybe hexedit.

There has always been ample opportunities for real hackers. Just think of the first time that someone hacked a stone into a knife. That must have been really cool. This is different from someone who simply applied the technology to make knives. For instance when I first built my radio from a kit, I was not a hacker, or a maker, but a kit builder. I did not understand what was going on. OTOH, when I hacked my print buffer to connect my printer to my computer, back in the 80's that was not always so easy, I felt like that was a pretty good thing. I was using my skills to void the warranty and make the product do something that it was not intended.

I am not saying that the new hackers are not as smart or capable as the old ones. Certainly the people who make the tools and crack the systems are as clever as any other hacker. What I mean is that I see kids hacking together solutions every day, and the solutions are really quite good, yet what people are proud of are not the original and innovative solutions, which is what hacking is all about, but the breaking of trivial passwords or the running of scripts so they can download and install stuff on their iPhone.

Re:Methinks it be the script-kiddies (1)

Requiem18th (742389) | more than 3 years ago | (#36450930)

Actually the singularity awoke a few months back and it's cutting its teeth on back networks.

Golden Lulz, not plain old gold (4, Insightful)

Beautyon (214567) | more than 3 years ago | (#36449964)

Umm no, it's the Lulz age of hacking.

Re:Golden Lulz, not plain old gold (4, Insightful)

Samantha Wright (1324923) | more than 3 years ago | (#36450290)

I'd give you a mod point, but instead I'm going to just try and highlight your point more clearly, since you seem to be accruing mod points anyway.

LulzSecurity is doing a bunch of high-profile, childish, silly things. That's all the weather there is to report. There's nothing else going on. There's no golden age, no silver age, no information age. Just one group being trollish, and otherwise, the attacks we're hearing about aren't that out of the norm. The exponential curve is right on schedule, as usual.

Hopefully, however, the LulzSec attitude—that you don't have to be important in order to be an interesting target for having your pants pulled down in front of the rest of the class—will drive organizations toward better security policies. TFA is obviously not interested in this aspect of things (and ends in a pessimistic note about people asking for help with test configurations) which is... not that surprising from PCPro.

Re:Golden Lulz, not plain old gold (1)

Culture20 (968837) | more than 3 years ago | (#36450750)

There are a lot of other hacking groups out there doing it for profit, first for stealing, then spamming, then encryption ransom for a bit, now it's botnets for hire. The lulz days of hacking were much earlier in the 80s and 90s when viruses and worms were made for fun and breaking into accounts was a kids' sport. Lulzsec is a throwback.

Re:Golden Lulz, not plain old gold (0)

Anonymous Coward | more than 3 years ago | (#36450318)

I'd call it the Eternal September of hacking. Seemingly endless waves of hackers, yet it's more noise than anything else.

1980s (2)

betterunixthanunix (980855) | more than 3 years ago | (#36450008)

I guess they have forgotten about the 80s?

Re:1980s (1)

Canazza (1428553) | more than 3 years ago | (#36451206)

I loved that film

recession has nothing to do with it (0)

bhcompy (1877290) | more than 3 years ago | (#36450046)

Most of these hackers are from foreign countries, and many of them are on government payrolls. Recession impact? Nah.

Re:recession has nothing to do with it (0)

Anonymous Coward | more than 3 years ago | (#36450602)

Yeah, right. You may also want to play the CP and Godwin cards, else you're not fearmongering properly. Scary foreign terrist people, omg omg everyone panic!eleven!

Perhaps not more common, just more visible (5, Interesting)

gman003 (1693318) | more than 3 years ago | (#36450052)

Haven't RTFA'd yet, but I would suspect that hacks aren't any more common now - just more visible and more reported. It's like when the news media has a "summer of the shark" - after a few notable incidents, the media realizes that these stories bring in viewers, and then any further incidents, no matter how insignificant, are publicized when they otherwise wouldn't be. Just look at the recent Bethesda hack - that kind of thing goes on all the time, and I was surprised anyone bothered paying attention to it. Sure, some of them were big - the first Sony attack was significant, and the US Senate hack is noteworthy - but a lot of these recent hacks have been relatively minor.

There's also the possibility that all this attention is actually causing more hacks - after the initial Sony hack, hackers realized that Sony was a big, vulnerable target. By extension, they realized that big companies actually aren't bulletproof - in fact, many of them have terrible security. I'm sure such knowledge was widespread in the black-hat world, but now the secret is public knowledge.

Re:Perhaps not more common, just more visible (1)

GameboyRMH (1153867) | more than 3 years ago | (#36450196)

This. The idea that there is some outbreak of intrusions is all because of the Anonymous "hacktivism" which opened the floodgates for attacks on Sony's poorly secured systems and the spinoff of LulzSec's random attacks which were both intentionally publicized.

Re:Perhaps not more common, just more visible (1)

betterunixthanunix (980855) | more than 3 years ago | (#36450466)

Frankly, I would think that there is less cracking activity these days than there was 20 years ago. The phone system is a lot more secure, which certainly killed off a lot of hacking. People have access to very powerful computers in their own homes, so there is less incentive to try to gain access to corporate or research computing systems. We have the Internet, which lets us communicate over unspecified distances at a fixed rate (say what you will about the behavior of ISPs, we are still better off than we were when people were dialing into BBSes over long distances).

Sure, there is still plenty of activity, but a lot of would-be crackers are able to put their creative abilities to other uses now, and they probably do. The only incentives crackers have today are lulz and money; those incentives were around 20 years ago, along with plenty of other incentives.

Now, if we use the more correct definition of "hacking," then I suspect that there is little change.

Re:Perhaps not more common, just more visible (0)

Anonymous Coward | more than 3 years ago | (#36451034)

True, and more corporate intervention to prevent hacking itself at all levels. Proprietary systems, eula's, patents, cease and desist letters. Well, at least it is a golden age for lawyers.

Re:Perhaps not more common, just more visible (1)

bigpet (1695756) | more than 3 years ago | (#36450726)

I wish they would stop their "look what we can do" campaign. If you are gonna do some cracking then keep it to yourself and your l33t crew-mates. The only thing that the publicity is going to give us is even more stupid internet regulations which won't affect the guys behind an array of proxies anyhow. It's like they are hellbent on annoying not only corporations but also provoking governments into more regulations.

Hacking vs Cracking (1)

trrichard (1774338) | more than 3 years ago | (#36450076)

You probably meant Cracking not Hacking. See http://www.catb.org/jargon/html/C/cracker.html [catb.org]

Re:Hacking vs Cracking (4, Insightful)

gman003 (1693318) | more than 3 years ago | (#36450168)

I think it's time we give up on this. Sure, most of us know about the technical distinction between "hacking" and "cracking". But the mass public hasn't picked up on that, and even many hackers (old sense) now use the term hacking (new sense) for cracking.

At this point, trying to push the term "cracking" is futile. We won't change anyone's mind. In fact, all we'll do is come across as semantics-arguing dweebs. It's probably best to just accept that "hacking" now means "gaining unauthorized access to a system". It'll be easier to make a new term for "person who messes with computer systems for fun".

Re:Hacking vs Cracking (2)

metlin (258108) | more than 3 years ago | (#36450366)

Indeed. And I think we can use black hat vs. white hat to distinguish the intent of the hacker.

That's something that the public can relate to a lot more easily, and in fact I've seen the terminology used in non-technical journalism as well.

Re:Hacking vs Cracking (1)

Darfeld (1147131) | more than 3 years ago | (#36450652)

Black hat and white hat only distinguish the intent of "crackers" (using this word for clarity purpose...)
We need a word for people messing with their computer on any level, not just on the security stuff. Hacker is a cool word, but it seems desperate to keep it for that.

Also I don't see a better word to give to people messing with their computer on whatever level... Stupid media! (Yeah I know, nothing new here.)

Re:Hacking vs Cracking (0)

Anonymous Coward | more than 3 years ago | (#36450696)

It'll be easier to make a new term for "person who messes with computer systems for fun".

Tinker.

It even works with the British connotation of "marginalized persons" because those poor tinkers have been lumped in with a bunch of lulz-loving, black-hat hackers.

Re:Hacking vs Cracking (0)

Anonymous Coward | more than 3 years ago | (#36450850)

I thought the word was "boffin".

Re:Hacking vs Cracking (1)

gman003 (1693318) | more than 3 years ago | (#36450856)

Hmm. I like how that is mostly a homophone for "thinker", but for some reason it just seems lame. Can't tell exactly why, but that doesn't seem right.

I would think that something related to "cyborg" might be better, since to most hackers the computer is an extension of the brain. "Borg" itself is obviously out, but "Cybe" might not be. Kinda close to the slang verb "cyber", ie. "to have cybersex", though, which might not be good either.

Maybe I should check some different languages. Once I get home, I'll crack open my Esperanto dictionary, see if there's anything good.

Re:Hacking vs Cracking (1)

Eulogistics (905277) | more than 3 years ago | (#36451094)

I've also seen "modder" used in a lot of hobbyist literature - this includes software modding like the original Counter-Strike and hardware modding like cutting blowholes into a standard aluminum case and adding water cooling.

Re:Hacking vs Cracking (1)

steelfood (895457) | more than 3 years ago | (#36450970)

a new term for "person who messes with computer systems for fun".

I believe we're called geeks now--computer geeks.

Re:Hacking vs Cracking (1)

TapeCutter (624760) | more than 3 years ago | (#36451088)

At best the general public just see computer Vandals as a sub tribe of vandals, much like graffiti is a form of vandalism. They care about the details as much as I, (a member of the general public), care about the details of graffiti tags.

Re:Hacking vs Cracking (1)

arielCo (995647) | more than 3 years ago | (#36451166)

I'm not sure about this. When I read the title I was updating CyanogenMod7 in my rooted smartphone and my background thoughts were about some nifty projects I'm going to post on Instructables.com [instructables.com]. Imagine my disillusion upon reading the summary.

Re:Hacking vs Cracking (1)

Anrego (830717) | more than 3 years ago | (#36450264)

Oh give it up already.

"Cracker" was a lame attempt to regain our beloved word. It failed. The battle is lost. Hacker as used to refer to someone who breaks into a system with criminal and/or malicious intent has been absorbed by the masses and it's not gonna change. Saying "don't you mean cracker" at this point is just silly.

Re:Hacking vs Cracking (1)

MickyTheIdiot (1032226) | more than 3 years ago | (#36450598)

One thing about English is so many words have different meanings and connotations depending on the context. I still hear people use "hacker" in a positive context, though not as much...

Re:Hacking vs Cracking (1)

Anrego (830717) | more than 3 years ago | (#36450740)

I actually think "hacker" as used in a positive context is gaining some traction in mainstream. As you say, words often have different meanings, and I think the two can generally co-exist.

I've definitely used "hack" used outside of the geek community to refer to something that works but is "not quite proper". "Yeah it's a hack, but it'll work".

At the very least, it's probably easier to come up with a new term for the positive meaning of "hacker" than try to get it back. Just don't let the guy who came up with the word "cracker" do it.

Seriously.. cracker.. how the hell did someone come up with that and think it would go. I can just see someone on the news: "yeah, a team of crackers broke in and stole some credit card info". Maybe we could have saved our word with a term like... cyber criminal (ew, but much more media friendly).

Re:Hacking vs Cracking (1)

ginbot462 (626023) | more than 3 years ago | (#36450932)

As others have said, proponents of this should give up convincing "the mainstream". The word will eventually swing somewhere else after this as well. Repeatedly performing the same action and expecting a different action is just gay. I think that's how the quote went ...

Yeah but I miss the Demos (1)

commodore64_love (1445365) | more than 3 years ago | (#36450080)

By "demos" I mean the programs you would download and run for no other purpose than to see how far your computer could be pushed in the sound & graphics department. It was a fun time (80s and early 90s). Like this: www.youtube.com/watch?v=c5kuYfTCGLg

That's what hackers used to create, in addition to cracking disks and sharing illegal music. Today's hackers rarely create this unique piece of art.

Re:Yeah but I miss the Demos (1)

Darfeld (1147131) | more than 3 years ago | (#36450722)

Indeed since hackers now refer exclusively to the people doing bad stuff on the Internet. Well maybe not exclusively on the Internet, but you get the idea.

Recession is important (1)

biodata (1981610) | more than 3 years ago | (#36450092)

not especially because of the number of engineers with time on their hands, but because of the number of people who watch their wealth being given to the wealthy by those they voted for, and decide they have had enough and why not burn it all down..

We need to take users out of the loop. (3, Insightful)

FyRE666 (263011) | more than 3 years ago | (#36450118)

The problem most websites have is one of users choosing insecure login details, either through ignorance, laziness or disinterest. Although this is not a huge problem if it's front-end users, the same problem exists with admins, and those with elevated privileges. The most secure fortress is little protection if the passcode to open the front door is "1234".

I don't think this problem can be fixed by "forcing" users to choose long passwords, or to have a different password on every site they use. As we've seen, they simply won't do it, and why should they? It's different if you have a technical, or security-related background, and understand the risks - the average Joe isn't interested in spending the effort to maintain and organise a secure list of passwords in an offline location.

I think the only way this can be fixed is by using SecureID style authentication - either with stand-alone units, mobile apps, or units built into laptops or keyboards (separate from the other components). Obviously it would need to be physically separated from the machine being used to login (or at least sandboxed, in the case of a mobile app). We just need a good cross-platform authentication API that's easy for developers to implement, and cheap hardware/free software for the client.

Wasn't 'Secure'ID one of the victims? (1)

biodata (1981610) | more than 3 years ago | (#36450236)

Centralising security creates a single weak point, as recently demonstrated when someone stole the keys from SecureID. If Facebook can recognise us from our friends' pictures now, perhaps all our systems should be doing the same through webcams. It's too creepy to contemplate but not too far fetched technically.

Cryptographic authentication (1)

betterunixthanunix (980855) | more than 3 years ago | (#36450338)

The way to fix the problem of bad passwords is to do away with passwords entirely, and start using cryptographic authentication methods. It may require us to issue a special dongle to users, but at the end of the day people should be able to use their public key to log in to online systems. Naturally, there would be some issues -- users would need to have a way to revoke keys, increase their key sizes to compensate for new algorithms and faster computers, etc., but it would still be an improvement over what we have been doing for the past few decades.

Re:We need to take users out of the loop. (2)

dkleinsc (563838) | more than 3 years ago | (#36450372)

If you are authenticating a user, the user will be involved. That's the reality of it.

Any of the pure hardware solutions you describe suffer from the fatal flaw that they aren't authenticating that the user is who they say they are, they're authenticating that the user has access to a particular piece of hardware. If, for instance, it's built into Alice's cell phone, and Mallory steals Alice's cell phone, then as far as Bob knows he's talking to Alice rather than Mallory, and if Alice tries to talk to Bob to correct the situation then Bob won't recognize Alice's new hardware.

There is no silver bullet in security.

Re:We need to take users out of the loop. (2)

Anrego (830717) | more than 3 years ago | (#36450888)

I've never seen a pure hardware solution. Enter multi-factor authentication, which while not a silver bullet, is a lot better than a password.

Mallory can guess Alice's password. He can also steal her cell phone. Doing both however is considerably more difficult. He needs the phone to even start guessing passwords, and once the phone is stolen there is only a short window for the guessing.

You can even throw in a biometric method, though personally I don't see much future for them. Most can be copied, and you can't just change your fingerprint when someone at the gas station makes a copy. As a third factor maybe they add some security, but I would never rely on them to replace either a token or a password.

Re:We need to take users out of the loop. (0)

Anonymous Coward | more than 3 years ago | (#36450894)

The hardware is still an improvement. Alice may notice that her physical key was stolen, but she may not notice that there are billions of people who might try to guess her password ("1234", of course) remotely.

That's part of the fact that good-old-fashioned keys (the ones used for opening mechanical locks) remain so successful, despite their obvious weaknesses. Yes, someone can pick the lock, but they have to be there, so you don't need to worry about someone picking your lock from China. Someone could steal or copy your key, but again that requires some physical contact, which entails some risk and precludes automated, parallel attacks. So while stealing the key or picking the lock work wonders in spy/heist movies, it's not something you need to worry about when logging into your email (as long as you are not a big enough target that someone would want to assume the risk and expense of sending a real "spy" after you).

Re:We need to take users out of the loop. (1)

Culture20 (968837) | more than 3 years ago | (#36450922)

I don't think this problem can be fixed by "forcing" users to choose long passwords

It can be fixed by forcing users to use long passwords: "Your new password is 'lately watching Seinfeld, I drink Pepsi'. Write it down, repeat it a hundred times, whatever. You can request a change, but you can't choose a password because we don't trust you." Bonus is that you can maybe get some ad money from Seinfeld or Pepsi for making people memorize the password.

Re:We need to take users out of the loop. (1)

Darfeld (1147131) | more than 3 years ago | (#36450962)

Yeah right!

Almost none of the recent mediated hacks involved password breaking. At this point I think password isn't the biggest issue with internet security today. Breaking a password isn't fast enough for profitable mass-hacking. And a good password won't be of any use against key-loggers (or any other method to get a password without force breaking it).

A bad password is an issue if you are a particular target, not if you are one of the crowd. (Except maybe an exceptionally bad password like "1234"... damn!)

The Negative Side of a Fight for Users' Rights (2, Interesting)

eldavojohn (898314) | more than 3 years ago | (#36450138)

What has led to the sudden hacking boom? Ease of access to tools has also led to an explosion in the numbers of people actively looking for companies with weakened defenses, according to security experts. Meanwhile, the recession has left thousands of highly skilled IT staff out of work and desperate for money, while simultaneously crimping companies' IT security budgets. The pressure to get systems up and running as quickly as possible also means that networks aren't locked down as tightly as they should be, which can leave back doors open for hackers.

But by that logic, we could have seen similar things when the dotcom bubble burst, right?

My view of this comes from a completely different place. I see an exceptionally large amount of users' rights being debated and discussed and we're seeing communities popping up devoted to this. Frankly, it seems like the users are just getting shit on. And, like any struggle for rights, there are negative things that happen. There are always going to be people that take it to an extreme level and there are going to be innocent bystanders turned into victims. While I still see this as a bad thing, some of these actions remind me of a sort of John Brown at Harpers Ferry incident. Similarly, there's the mindless looting during rights demonstrations and protest crowds at the G8 summit but it's not the overall message that's doing that. The opportunists come out of the woodwork.

Similarly the public and citizens of the internet are demanding more rights. While this fight is going on with Facebook, Sony, world governments, etc, the communities are going to pop up that take it to an extreme offensive. They will do bad things and I'm not going to be one condoning it but I see it as part of the growing pains of companies respecting people's rights.

It's a sort of vigilante justice that I don't agree with nor condone but I can somewhat sympathize when I feel like I've been unjustly wronged by some of the targets and have had no sense of justice in the matter. People who feel strongly about this and have that negative spark in them would have a motive to become a part of these new communities. And in my opinion that's a more plausible explanation as to why you're seeing an explosion -- not the recession or turnover in network employees.

Re:The Negative Side of a Fight for Users' Rights (1)

PenisLands (930247) | more than 3 years ago | (#36450248)

Hello eldavojohn. You're looking insightful today. Heh heh. PENIS. BIG PENIS.

Re:The Negative Side of a Fight for Users' Rights (1)

dintech (998802) | more than 3 years ago | (#36450348)

It's a sort of vigilante justice that I don't agree with nor condone but I can somewhat sympathize when I feel like I've been unjustly wronged by some of the targets and have had no sense of justice in the matter.

that's a more plausible explanation as to why you're seeing an explosion

Can anyone name the other fans of explosions that think this way?

This? (2)

rossdee (243626) | more than 3 years ago | (#36450226)

"Is This the Golden Age of Hacking?"

This what?

This century?
This decade?

How long is an 'Age'?

Re:This? (1)

artor3 (1344997) | more than 3 years ago | (#36450378)

Since I'm pretty sure they're talking about the PSN hack, it looks like an age is about two months.

These things just don't take the time they used to.

Re:This? (1)

haxwk (2268722) | more than 3 years ago | (#36450380)

And for that matter, what do they mean by "Golden"? Are hackers using gold computers now? Did they give up on those diamond computers they were developing?

I just don't get this figurative language stuff.

Re:This? (1)

Zephyn (415698) | more than 3 years ago | (#36450720)

They're probably drawing a parallel between this and the 'Golden Age of Piracy' in the 16-1700's. A surplus of people capable and willing to take from the system what they've been unable to legally earn, and a lot of poorly defended, inviting targets.

Re:This? (-1)

Anonymous Coward | more than 3 years ago | (#36451046)

"Golden" as in "golden showers."

You neckbeards are into that. amirite?

Re:This? (1)

ginbot462 (626023) | more than 3 years ago | (#36450948)

20 turns by default - Civ III. Hey, you asked :)

I'd argue the opposite (0)

Anonymous Coward | more than 3 years ago | (#36450246)

Of course, I didn't RTFA or even the RTFS, but I did RTFT, and based on that I'd argue that as time has moved on, we're moving further and further from whatever was the Golden Age of hacking.

Was it the 1990s that elevated Open Source to the mainstream's radar--whether or not it was able to achieve mainstream acceptance as an option. The creation of GNU/Linux, and eventually spawning what would become the Mozilla project.

Was it the 1970s-1980s with the Homebrew Computer Club and a culture that spawned several modern day behemoths (Apple, MicroSoft)?

Was it the 1940s where we split the atom, and rooms full of people were biological calculators working on solving nature's mysteries? Enigma and the intelligence/counter-intelligence measures in place around them.

Does it predate our modern idea of technology? The analytical engine? The mechanical turk was a social hack. Complex but memorable and human-only usable ciphers have been popular for centuries.

Given our modern view point, and view that more-recent history is always most important, I'd say the late 70s to mid 80s was the golden age. Never was so much technology readily available and hacking actually encouraged by the companies in place.

But is this? Where even the "open source" Android platform is usually provided via devices that require bypassing firmware crypto, and you can't even view without breaking the law, privately, on your personal computer, the contents of a medium you purchased in a reputable retail store?

Well, given the amount of effort spent hacking around CSS, encrypted firmware, and a mess of other attempts to keep people out of their toys, I guess you could make a case for it.

Re:I'd argue the opposite (0)

nomadic (141991) | more than 3 years ago | (#36450482)

Was it the 1990s that elevated Open Source to the mainstream's radar--whether or not it was able to achieve mainstream acceptance as an option. The creation of GNU/Linux, and eventually spawning what would become the Mozilla project.

Did the creators of GNU/Linux break into other people's computer systems? It's not hacking to write software that isn't intended to do so; unless you are going by the incorrect jargon file definition of hacking. By the way, Mozilla's significance is severely overrated; a better example of successful, brought-to-the-mainstream open source design is Apache.

Re:I'd argue the opposite (2)

Darfeld (1147131) | more than 3 years ago | (#36451168)

If you consider that "Hacker" now means "Evil Spawn who does something illegal with a computer", I would say TFT is right, by your own argumentation. More and more people feel the need to break the law on one level or another to do what they want with their devices. So effectively the number of hackers rises.

Me, I think that the more lucrative information will be hackable, the more hackers will be happy.

Dawn of the novice script-kiddie (1)

Anonymous Coward | more than 3 years ago | (#36450316)

The issue is that ANYONE can crack these days. People with non-existent computer skills can easily acquire tools with point-and-click interfaces for hacking. Combine this with epic-level apathy on the part of the targets and it is a little like the destruction of the buffalo population during the wild west. Only if the cowboys were 12 years old, rode tanks, and had auto-target.

Re:Dawn of the novice script-kiddie (1)

betterunixthanunix (980855) | more than 3 years ago | (#36450494)

That was true 20 years ago too. Script kiddies are not exactly a new phenomenon. The term "script kiddie" was developed a long time ago...

Re:Dawn of the novice script-kiddie (2)

Anrego (830717) | more than 3 years ago | (#36450498)

The issue is that ANYONE can crack these days.

In an ideal world, this wouldn't matter because with decent security these script-kiddie attacks shouldn't have any teeth. Things like "got in because they were using an unpatched version of..." just shouldn't happen.

The _real_ problem is that people said for years "well yes technically it's probably a vulnerability, but who is ever gonna target us and find it". For a long time this was true. People ran outdated software on public facing systems and left them fully connected to the internal network, fully aware it was a bad idea, because unless someone dedicated time and energy at them (and who is gonna do that to _us_), it wouldn't be a problem.

Now script-kiddies just run a (sometimes _graphical_) tool that scans an entire network for any of 10 bazillion vulnerabilities, and all these little holes suddenly get found.

Retroactive only. (1)

Chardansearavitriol (1946886) | more than 3 years ago | (#36450328)

A golden age can only exist by looking back on what was. Anyone declaring anything to be a golden age is therefore automatically wrong.

Re:Retroactive only. (1)

haxwk (2268722) | more than 3 years ago | (#36450402)

Luckily for journalists, that little thing called a question mark lets you make big claims without actually "declaring" anything ;)

Weak Security (3, Insightful)

wintercolby (1117427) | more than 3 years ago | (#36450342)

What do you expect to happen when you hire Systems Administrators for 6 month contracts to build your systems, and then let the contract expire after the servers are built? Servers don't usually patch themselves, nor do they remain compliant with your security standards once you give developers and DBAs root access.

Re:Weak Security (1)

magamiako1 (1026318) | more than 3 years ago | (#36450450)

I wish I could mod you up significantly.

Re:Weak Security - and COST (1)

gr8_phk (621180) | more than 3 years ago | (#36450724)

What do you expect to happen when you hire Systems Administrators for 6 month contracts to build your systems, and then let the contract expire after the servers are built? Servers don't usually patch themselves, nor do they remain compliant with your security standards once you give developers and DBAs root access.

I was going to say something about cost. As the hacking becomes more widespread, companies will notice it is a problem and start to DO something about it. Systems are more vulnerable now because the money has not been spent to secure them - because it hasn't been too much of a problem. We'll probably go through a phase of increased security breaches until people take it seriously and fix it. Now would be a good time for some data driven analysis comparing various OSes and their configurations from a security point of view. That's difficult, but we need to start looking at what works, doesn't work, and why.

Not exactly golden (1)

Anonymous Coward | more than 3 years ago | (#36450410)

If you look at some of the 'hacks' like getting into Citibank, there isn't any real 'l33t uber haxor' going on here. Those sites were remarkably insecure. No stateful inspection of ID/Password, unsalted passwords/ids, declaring what should be very private information in the clear for all the world to see, multiple access points to private data, likely an unencrypted (non-ssl) connection, it's also very likely that packet sequencing was non-random, so a border gateway protocol man in the middle attack using packet injection would work, as well as (much easier) ribbon tables to break poor passwords (brute force, but not that much force). The list goes on. Golden age? Not really. This is like when the kid taking his first introduction to scripting course came up with the ILUVYOU virus. If a newbie script kiddie can make off with the keys to the kingdom, then clearly the castle walls shouldn't be made of single ply wet tissue paper.

Software (2)

DaMattster (977781) | more than 3 years ago | (#36450442)

I think it is more bugs in software than the network infrastructure! Everyone is so quick to blame the infrastructure engineers when I have seen more poorly written applications with memory leaks and ones that run with root privileges than poor network designs.

Blame? (1)

Kingrames (858416) | more than 3 years ago | (#36450446)

It takes a special kind of person, who, when presented with lots of free time and the tools to do amazing things, says: "I think I'm going to horribly violate the entire online world today."

Perhaps I should be thankful that I'm turning my talents to more productive ends. But I doubt I'll be hired before these assclowns find work.

If you want to blame someone, we could blame Obama, whose administration has practically continued the war on hackers and then wondered "why are we so short on competent programmers?" or we could blame wall street and its "rape the economy and then blame those that tried to stop us" philosophy, or we could blame industries that engaged in military action against america, deliberately using their racketeering scheme to attack children and college students, knowingly and willfully attacking our country's supply of future skilled labor - something they did for over a decade prior to "the crash", or there's china and india who are or at least were doing so well in spite of our country's failures, or there's our own prior administration who spent countless times more money than we had or would ever have to wage war against iraq, an enemy of the terrorists that bombed us on 9/11, or there's the new fascists of america who are using the words "liberal" and "homosexual" instead of "undesirable" and "jew", or there's global climate change, or those that deny it, or sick and twisted people in power in every position they could be in...

Fuck it. When the world runs out of victims and points in my direction I'll be happily enjoying life on Mars, in my secret volcano lair at Olympus Mons, with my consciousness-infused computer "phylactery" keeping me immortal, enjoying the ability to do in the real world what we do online now.

Media attention (0)

Anonymous Coward | more than 3 years ago | (#36450474)

Is it that there are more incidents of hacking, or just higher publicized ones?

You know how our media works. Summer of shark attacks, and all that.

Most of what lulzsec has done, for instance, is really penny ante script kiddy bullshit that's been overhyped. Wow, you saw the httpd.conf -- but didn't and couldn't edit it. Just like any other untrusted user with access to the box.

Insecure designs (0)

Anonymous Coward | more than 3 years ago | (#36450510)

Javascript, Java, ActiveX in our browsers, trojans on phones!? Did I mention my neighbours have WEP wifi networks? Why are routers still being made that don't warn people when they turn WEP on that it is largely insecure... There is a systematic culture of choosing convenience over security in software design.

Golden opportunity, maybe (1)

zbrook (2266600) | more than 3 years ago | (#36450516)

Golden age implies that great (or, at least, impressive) things are accomplished. Nothing much impressive about (to paraphrase) shooting fish, in a barrel, twice in the head, with an elephant gun.

More online services each year = more targets each year. Inadequate investment in security = easier targets. I'm sure crackers are getting more sophisticated, but probably no more than in any other field. It's definitely easier to find victims.

One could imagine an age of some kind which grows from all this, but not quite there yet.

Cloud solutions (0)

Anonymous Coward | more than 3 years ago | (#36450530)

People rely more on the Web, putting more stuff up into clouds from different providers. Thus, the target interest shifted. Why hack one PC if you can hack one ps3 network and access millions of users' data?

The recent hacks show how the cloud computing world does not solve any problem, it creates them.

Perfect storm actually... (5, Informative)

mlts (1038732) | more than 3 years ago | (#36450552)

There are a lot of reasons for this to be an age of intrusions galore:

1: Corporate philosophy. I mention this often, but it is very true -- security is a cost center, so in a lot of firms, it gets hind teat in the budget.

2: Ease of getting away with intrusions. Got a botnet? Just create some PPTP/L2TP connections and you can manually try breaking into machines and one can either not be traced, or have the blame shifted to another party. Especially if the intrusions come from a country that is disliked.

3: Lack of international cooperation. All it takes is one proxy to be in a country that doesn't like another, and there is no way an intrusion can be traced, much less prosecuted.

4: Lack of meaningful security tools. A lot of the tools used in businesses are all sizzle, and not much steak. Take AV programs. They are great at catching last week's stuff. However, most attacks are polymorphic 0-days that just zing past AV program detections.

5: Ease of infecting via ad rotation services. Ad rotation services can sling malware without ever getting caught because people will blame the website, not the servers slapping the ads on it. The same ad servers that can target by demographic can target a company and just that company for malware.

6: Using the Internet for all traffic. In the past, there were backbones that were not accessible to anyone that transactions ran across. Now the same wire that gets pr0n to Joe Sixpack also carries bank data and transactions.

7: Failure to use basic security protocols in password storage. Hell, crypt(3) is better than most ways passwords are stored. The best thing is to look at known secure utilities like TrueCrypt and follow their example.

8: SQL injections and parametrized queries. Simple stuff, but because a lot of dev projects just want a code base regardless of bugs, this stuff gets ignored until the breaches start.

9: No real network security. A firewall doesn't cut it anymore. Instead, companies have to use VLANs and keep departments separated. This way, a compromise in receiving doesn't mean finance or HR is pwned too.

10: Legacy protocols. FTP (other than anonymous FTP), telnet (except for use for debugging), and other insecure protocols need to either be limited via packet filtering mechanisms and router ports, or eliminated altogether. Instead, if two machines need to share data, have them use a LUN presented to them and a filesystem that allows for this.

11: Lack of internal policies and procedures. Security isn't just clicking "secure mode" on an appliance and walking off. There needs to be a process if someone calls in from an internal line demanding info, or someone physically is picking a lock.

12: Separation of duties and data. This is expensive relatively, so it tends not to be done, and the same server with the source code build may have the HR payroll data. This makes for a field day for an attacker.

13: Chain of custody of data. Either the machine it sits on is properly secured, or the data is stored encrypted with proper key management. For example, some enterprise level backup programs have data encrypted at the client end, and only that end has the key. This way, if the enterprise backup server gets compromised, the data can be destroyed, not accessed or modified.

14: Morale. Morale is so easily forgotten, especially with companies that do the low bidding among the last 3-5 candidates. High morale means people are proactive on security. Low morale means people will ignore breaches assuming they won't be thrown under the bus.

15: Cloud computing. There is no benefit for a cloud provider to give anything but token gestures for security financially, so one is begging to be compromised unless there is solid encryption with good key management done before the data leaves the client. Even then, blackhats can have free and unfettered access to the encrypted data and can detect patterns over time. SLAs are meaningless; a cloud provider can change hands or go bankrupt and all the privately stored data can be made into a torrent or sold to anyone with cash.

Because most businesses pay lip service at best to security, it is no wonder why blackhats are having a field day.

No it's not (3, Insightful)

blahbooboo (839709) | more than 3 years ago | (#36450566)

The golden age of hacking was the late 1970s and 1980s. Things they pulled off back then were far more impressive and interesting to watch.

Oh they are talking about cracking... (1)

Lumpy (12016) | more than 3 years ago | (#36450568)

I did agree, more people are hacking now than ever before, Magazines like Make and Makerfaire as well as the rise of the Hackerspace has significantly made inroads on bringing hacking back to the masses...

But the article is written by an illiterate journalist that seems to not realize that the term "Hacker" has been retaken and what he is talking about is simply a cyber-criminal or cracker.

Re:Oh they are talking about cracking... (1)

Chardansearavitriol (1946886) | more than 3 years ago | (#36450880)

I don't get this definition of hacking. At all. It seems to share the definition of "Life" or "Doing stuff with stuff." It's among the most bizarre names for a very simple idea that I know of. You should check out my room. I've hacked my environment so that, instead of a lack of oxygen causing panic, my breath reflex works off rising CO2 levels! Or, hey, I hacked this piece of wood by hacking some metal and hacked myself a table which my hacked physics box hacks on. It seems completely redundant.

Re:Oh they are talking about cracking... (2)

elrous0 (869638) | more than 3 years ago | (#36450968)

Denial isn't just a river in Egypt. "Hacker" was decided back in the 80's. You can keep pretending if you like, though. Myself, I still like to delude myself that there's a chance "Firefly" may come back.

"continuous wave of attacks" (1)

mcmonkey (96054) | more than 3 years ago | (#36450582)

Are they talking about hacking or cracking?

For hacking, this could be a silver age. The days of HomeBrew and phone phreaks were the golden age.

For cracking, as others have noted, it's the lulz age.

Could it possibly be...all the crappy code (1)

AngryNick (891056) | more than 3 years ago | (#36450718)

I'm no longer writing code myself, but I'm constantly amazed at how utterly horrible the code being written by my successors appears and works. Where is the craftsmanship and pride in writing clean, fast code today?

Jealousy, or Stupidity? (2)

Subratik (1747672) | more than 3 years ago | (#36450788)

Now, I do not condone Lulz Security or Anonymous, but the fact of the matter is they're not just 'script-kiddies'. Every tech-savvy webpage I've gone to, the ones that are user-submitted have belittled the efforts of both hacking groups as if they could do the same things so easily. I'm not sure why there is such a pretentious atmosphere of 'pro' coders here... but to be real honest with everyone, they have spent a lot of time researching web security vulnerabilities, and the biggest joke of all is that a good portion of readers on slashdot are probably sysadmins who think their system is protected by a golden firewall, which they probably bought from some other software vendor.. Blah, blah, it's just SQL injections... lol, yeah... that's the greatest joke of all, they guessed your table names and you allowed escape characters... And these people certainly realize they don't even have to lie or fabricate their stories considering they get in with the simplest, MOST known vulnerabilities.. I think some of lulz's actions deserve merit, the fact that they haven't been caught yet is a sure sign that they're somewhat competent at what they do.... much better in fact than the security companies that supposedly get paid top-dollar to ensure data protection.. In essence, the biggest joke is not the simple attacks of the hacking groups, it's honestly the over-abundance of hypocrisy and finger pointing that essentially does nothing next to actually coming up with valid security solutions.. The best example of all this is simply Mitnick, he didn't even have to hack.. he just called someone up for a password.. you know why, because the smartest hacker doesn't waste 9 years trying to guess/crack a hash, especially when people are so much easier to manipulate than software.

Re:Jealousy, or Stupidity? (1)

Chardansearavitriol (1946886) | more than 3 years ago | (#36451024)

Bugs are inevitable. You can never be sure you don't have bugs. How's your head doing? Sure you didn't replace that period with a decimal? What, you're gonna run checking software? That's all well and good once you can know that it will always report correct values. Please see http://en.wikipedia.org/wiki/Trilemma [wikipedia.org] for the faults in your reasoning.

Have to leave this age first. (0)

Anonymous Coward | more than 3 years ago | (#36450818)

The "Golden Age of XXXX" can only be determined when it has been left.

Hackers 2 (2)

jimmerz28 (1928616) | more than 3 years ago | (#36450946)

Can we make another movie with Angelina and just throw in Brad Pitt so we can get 2x the eye candy in a techy movie? Keep Megan Fox out, she's way too dumb for a hacker-esque movie...

The golden age has passed... (1)

Anonymous Coward | more than 3 years ago | (#36451038)

Actually most would consider the "golden age of hacking" to be the mid-to-late 80's.

None of the large, corporate scale intrusions that have been in the news of late were born out of curiosity, or executed using self-derived skillsets or self-created tools.

On the other hand, it's probably a good time to be in security, as the expected overreaction from the corporates is sure to be the gravy train the various HBGary-esque security firms have been waiting for.

If hacking tools are outlawed (1)

amliebsch (724858) | more than 3 years ago | (#36451230)

Then only outlaws will have hacking tools

QED
