
The Hacker Who Found the Secrets of the Next Xbox and PlayStation

Soulskill posted about a year and a half ago | from the uncovering-final-console-generation dept.

Microsoft 214

An anonymous reader writes "Stephen Totilo at Kotaku has a long article detailing the exploits of an Australian hacker who calls himself SuperDaE. He managed to break into networks at Microsoft, Sony, and Epic Games, from which he retrieved information about the PS4 and next-gen Xbox 'Durango' (which turned out to be correct), and he even secured developer hardware for Durango itself. He uncovered security holes at Epic, but notified the company rather than exploiting them. He claims to have done the same with Microsoft. He hasn't done any damage or facilitated piracy with the access he's had, but simply breaching the security of those companies was enough to get the U.S. FBI to convince Australian authorities to raid his house and confiscate his belongings. In an age where many tech-related 'sources' are just empty claims, a lot of this guy's information has checked out. The article describes both SuperDaE's activities and a journalist's efforts to verify his claims."


214 comments


Sort of interesting, but... (5, Insightful)

Frosty Piss (770223) | about a year and a half ago | (#42996287)

In an age where many tech-related 'sources' are just empty claims, a lot of this guy's information has checked out.

And he still broke into other people's networks without permission. But I suppose that's OK here since the private info that he released was of interest to Slashdotters and was "accurate"? It was OK because the victims were Microsoft and Sony? Or, shall we see another case of the famous Slashdot Double Standard?

Re:Sort of interesting, but... (0)

Anonymous Coward | about a year and a half ago | (#42996315)

There seems to be an implied whiny he's-a-hero-not-a-criminal, but it is not explicit. I choose to pretend that the OP is not a brainless moron, and that the implications were unintended.

Re:Sort of interesting, but... (5, Interesting)

Mitreya (579078) | about a year and a half ago | (#42996331)

And he still broke into other people's networks without permission. But I suppose that's OK here since the private info that he released was of interest to Slashdotters and was "accurate"?

It may be ok to a degree for the cases where he broke in and then notified the company of a breach (without doing any damage or requesting a payment).
Companies should be required by law not to pursue anyone who notified them of security holes in good faith. Instead they choose to harass such people, scaring them off and making MY data less secure.

Re:Sort of interesting, but... (-1)

Anonymous Coward | about a year and a half ago | (#42996387)

Sorry, but if anyone can simply claim they "didn't do any damage" in order to avoid civil and criminal liability your data is going to be much less secure.

Re:Sort of interesting, but... (4, Insightful)

Runaway1956 (1322357) | about a year and a half ago | (#42996687)

Less secure than what, exactly?

Let's use a real world analogy. I have my house locked up tight. My neighbor says that I have cruddy, worthless locks on my door. He proceeds to show me how easy it is to break into my own house. He suggests that I invest in the same type of locks that he uses.

So, what should I do? Call the law, and have the neighbor locked up for showing me that my security is shit?
Or, should I purchase and install the locks that he has shown me to be effective?

In actuality, the neighbor has helped me to be MORE secure, not less secure.

Derp, derp, derp.

Re:Sort of interesting, but... (5, Insightful)

Luckyo (1726890) | about a year and a half ago | (#42996731)

Depends. Did he ask for your permission beforehand? If he did and you gave him OK, that's fine.

If he didn't, he's committing a crime for obvious reasons. Else this would become a perfect excuse to burglars who didn't manage to steal YET. "But I was just showing the residents how weak their lock was!".

Re:Sort of interesting, but... (4, Insightful)

Ogive17 (691899) | about a year and a half ago | (#42996795)

He also told you ahead of time.

Let's say you came home and your neighbor was sitting on your couch watching tv while drinking one of your beers. Then he says "your locks suck, you should try the ones I use".

How would you like that?

Derp, derp, derp.

Re:Sort of interesting, but... (1)

Runaway1956 (1322357) | about a year and a half ago | (#42996983)

You're describing one of my shipmates, not my neighbors.

Re:Sort of interesting, but... (2)

Cassini2 (956052) | about a year and a half ago | (#42997071)

Actually, it is like having a house on a busy street with the door standing open, only you don't know it. Would you rather:
a) Your neighbour pop in, check if you are still alive, and remind you to close the door?
b) or just wander in and out like everyone else does on the street.

The problem isn't that people are breaking into your house. It's that people are breaking into your house, sleeping over, and you don't know it.

Physical property has definite levels of trespass. Walking through an open door is not trespassing in many jurisdictions. Things are way more nebulous on-line. If I can pull data from your webserver without a password, where was the closed door exactly? (People have been charged with pulling open-access data from a webserver, and it really shouldn't have been as easy as knowing which web page to call up.)

Re:Sort of interesting, but... (5, Insightful)

Frosty Piss (770223) | about a year and a half ago | (#42996399)

It may be ok to a degree for the cases where he broke in and then notified the company of a breach...

Hi, I broke into your house and ran may fingers through your dainty underthings and fondled your tooth brush.

Don't you think you should buy a better lock and maybe an alarm system?

Don't bother thanking me, it's what I do...

Re:Sort of interesting, but... (4, Funny)

daremonai (859175) | about a year and a half ago | (#42996463)

Hi, I broke into your house and ran [my] fingers through your dainty underthings

Then you've been punished enough already.

Re:Sort of interesting, but... (1)

Mashiki (184564) | about a year and a half ago | (#42996467)

If you broke into my house to stop someone from stealing my things and in turn ran your fingers through my dainty things while in the progress of stopping the commission of a crime, well we have something completely different right? In turn, someone who finds a security hole and not profiting, and disclosing privately that the issue exists should be lauded. Those that do disclose shouldn't be.

Re:Sort of interesting, but... (1)

Frosty Piss (770223) | about a year and a half ago | (#42996521)

Your scenario has little or nothing to do with the story. This guy broke into some networks and reviled business information to the public.

Re:Sort of interesting, but... (2)

Runaway1956 (1322357) | about a year and a half ago | (#42996703)

I also revile business information. Revilers Unite!

Re:Sort of interesting, but... (1)

tlambert (566799) | about a year and a half ago | (#42997027)

Your scenario has little or nothing to do with the story. This guy broke into some networks and reviled business information to the public.

Uh... where exactly did he criticize business information in an abusive or angrily insulting manner?

Re:Sort of interesting, but... (0)

Anonymous Coward | about a year and a half ago | (#42996543)

If a stranger broke into my house because he heard my wife screaming rape and he stopped the rapist, I'd be okay with him going into my house. He better be damn sure about what he heard, though.

If a stranger broke into my house because he saw someone stealing my television, I wouldn't be okay with it at all. It's just a television. Stay out of my house.

But those are really crappy analogies for what this guy did.

This guy checked all the doors and windows, found one open, went inside, and then let the owner know about it after the fact. The only crimes being committed were being committed by him.

Re:Sort of interesting, but... (-1, Troll)

Runaway1956 (1322357) | about a year and a half ago | (#42996715)

Windows. Why is it always WINDOWS? It wasn't Android, it wasn't Leopard, it wasn't Unix, or Linux, or BSD. He found the WINDOWS open, as usual.

FFS, get a real operating system!

Re:Sort of interesting, but... (0)

Anonymous Coward | about a year and a half ago | (#42996587)

So it's ok for anybody, private individuals, commercial organizations, government agencies, to spy on everybody looking for people who plan to commit crimes. And if they can prevent a single crime through their actions they should be lauded, right?

Re:Sort of interesting, but... (2)

Truekaiser (724672) | about a year and a half ago | (#42996895)

Actually you got it half right. Right now it's okay for Companies and the government to look into your life and control it in a way he did to them, getting all your private information to make sure you're not a 'terrorist'* or to sell that information to others. It's though a high crime to do it to companies, even if they had the digital equivalent of an in plain sight open and unlocked second story window.

*exact definition of the word will be determined by the political climate, but will always be scapegoats for real problems.

Re:Sort of interesting, but... (0)

sycodon (149926) | about a year and a half ago | (#42996665)

Why do people cling to the perception that committing a clearly illegal act is somehow/sometimes justified for some reason?

Re:Sort of interesting, but... (1)

Anonymous Coward | about a year and a half ago | (#42997421)

Because the world isn't black and white. Because laws are made by fallible humans. And because sometimes the ends justify the means.

Re:Sort of interesting, but... (1)

Mitreya (579078) | about a year and a half ago | (#42996509)

Hi, I broke into your house and ran may fingers through your dainty underthings and fondled your tooth brush.

Don't you think you should buy a better lock and maybe an alarm system?

While creepy (particularly the toothbrush fondling part :), it is still preferable to waiting for an even less scrupulous person to break into your house.

I see it more as "Hi, I was passing by the street and pushing on everyone's door (for fun, it is what I do). Your door had opened when I pushed it -- you may want to fix your lock".

This may be a tad creepy, but these people are not the problem. The ones who would quietly use this information are the problem.

Re:Sort of interesting, but... (1, Insightful)

xstonedogx (814876) | about a year and a half ago | (#42996591)

If you truly believe such behavior is merely "a tad creepy" and that it isn't a problem, seek professional help. I'm serious. What this guy did to these networks is way less of a problem than your disturbing analogy.

The last time I saw someone "helpfully" checking doors in my neighborhood I called the cops. There is never a good reason to test the security of a stranger's house, or even a friend's house, unless they want you to do so. If you really care, write a damn pamphlet about home security and hand it out or mail it.

Getting back to the network... You only have the word of someone unscrupulous that they didn't commit further unscrupulous activities.

Re:Sort of interesting, but... (1)

Cali Thalen (627449) | about a year and a half ago | (#42996737)

I suspect that any network admins worth their pay would be able to tell 1) if the exploit / entry method the guy was talking about was true, and 2) what he did when he got in there. If not, they have bigger problems.

I sympathize with the views here, on both sides. Yes, this guy did something wrong, and at least in some cases seems to have been genuinely grey (if not white) hat about it. But if a system has a flaw big enough, how do you want the company to find out about it, this guy or Anonymous/Lulzsec?

Honestly, he's in a no-win situation, and he put himself there, so it's hard to feel too sorry. But I'd hope that there would be a way for people like this to constructively use their skills, since there seems to be no end of backdoors and holes that need to be fixed. Aside from companies understanding the situation, you're taking your freedom into your own hand when you poke around like this.

Re:Sort of interesting, but... (1)

Anonymous Coward | about a year and a half ago | (#42996899)

He wasn't just some gray-hat poking around people's networks and offering security consulting. He leaked proprietary info to the press, and fraudulently acquired an xbox dev kit in order to resell it on ebay.

default passwords + open IP is a big issue. (1)

Joe_Dragon (2206452) | about a year and a half ago | (#42997317)

default passwords + open IP is a big issue and you don't even need to be a good hack to pull that off.

Re:Sort of interesting, but... (1)

Mitreya (579078) | about a year and a half ago | (#42996773)

The last time I saw someone "helpfully" checking doors in my neighborhood I called the cops. There is never a good reason to test the security of a stranger's house, or even a friend's house, unless they want you to do so.

I am not saying that I would encourage such behavior. But once a problem is found, I'd prefer to be notified about it (and I want the companies in question to be notified about it). There has to be a mechanism to allow this.

Getting back to the network... You only have the word of someone unscrupulous that they didn't commit further unscrupulous activities.

If they are not requesting anything in exchange then they are not benefiting from notifying you about the breach. You, however, DO benefit from being notified of a security breach.

I also assume you do not take their word for it and perhaps verify that they haven't done anything untoward on your system.

Re:Sort of interesting, but... (2)

Ardyvee (2447206) | about a year and a half ago | (#42996985)

The real issue here is why we, as a society, couldn't put his skills to good, lawful use. (There is also unlawful good, but I won't go there, since what matters is the lawfulness.) He seems like somebody with the skills. Why isn't he working for a security firm? Why isn't he making software more secure through lawful methods?

To follow the physical lock analogy, instead of him going around your neighborhood checking locks/doors, why wasn't he a locksmith? A locksmith should be able to obtain access through any/most locks. He should also be able to tell the flaws of each lock and help build a more secure lock. Thus, why wasn't this guy working as a security specialist? It seems to me that not only did he fail in finding a good, lawful use to his skills, but we as a society failed to point him to those areas.

So yes, he's probably going to get a harsh sentence. According to law, he deserves it. Instead of simply saying "it's illegal, so he gets punished", let's go a bit further: how can we turn the next guy like him that seems like a grey hat into a full-fledged white hat? There is a reason ethics exist, and we use them.

Re:Sort of interesting, but... (1)

Maxx169 (920414) | about a year and a half ago | (#42997245)

I prefer chaotic neutral, personally.

Re:Sort of interesting, but... (1)

Joe_Dragon (2206452) | about a year and a half ago | (#42997449)

Why isn't he working for a security firm?

What he is doing is kind of in the trade school / hands-on area, and HR does not like them even when people who go to them know more than people in college.

Re:Sort of interesting, but... (1)

spire3661 (1038968) | about a year and a half ago | (#42996955)

You have a strange perspective. If some random person is going around pen-testing the neighborhood, I'm going to have him arrested. The problem is self-appointed idiots like this who think it's ok to pen-test shit that does not belong to them.

Re:Sort of interesting, but... (2, Insightful)

Anonymous Coward | about a year and a half ago | (#42996567)

If I'm in charge of millions of people's credit card information, THANKS! You're better than dealing with hackers who would rather take that credit card information, sell it on the black market and have to deal with legal charges for failure to properly secure financial information!

Re:Sort of interesting, but... (0)

Anonymous Coward | about a year and a half ago | (#42996413)

How do you prove good faith?
You can't. And because of that, it makes them a target, anyone trying to attack them, would say, we're not trying to break in and steal your data, we're just trying to improve your security.

You know the funny bit? If he had access to the financial side of those companies, they'd be paying through the nose and begging him to keep things quiet, keeping the authorities away themselves.

Re:Sort of interesting, but... (0)

craigminah (1885846) | about a year and a half ago | (#42996471)

That's kind of like me trying to rob a bank but I have a note in my pocket saying "I was just trying to verify your security was adequate" in case I get caught. WTF? Hacking is illegal no matter what the intent.

Re:Sort of interesting, but... (0)

Anonymous Coward | about a year and a half ago | (#42996621)

And he still broke into other people's networks without permission. But I suppose that's OK here since the private info that he released was of interest to Slashdotters and was "accurate"?

It may be ok to a degree for the cases where he broke in and then notified the company of a breach (without doing any damage or requesting a payment).
  Companies should be required by law not to pursue anyone who notified them of security holes in good faith. Instead they choose to harass such people, scaring them off and making MY data less secure.

So you want to make loopholes for criminals, correct? Because that's what your short-sighted and incredibly dumb "idea" would do.

Besides. If someone kicked in your front door and rummaged through your home and when he got arrested he told you "Hey man the lock on your front door is substandard" you think the cops should just let him go free with no recourse because he tested your home security?

I really hope you aren't this damned stupid all the time.

Re:Sort of interesting, but... (1)

spire3661 (1038968) | about a year and a half ago | (#42996921)

NO. Simply put, don't break into other people's networks, regardless of intent. It is never ok to trespass in the name of self-righteousness. Also, it's not YOUR data, it is data about you.

at least have whistleblower protection and eula (1)

Joe_Dragon (2206452) | about a year and a half ago | (#42997395)

At least have whistleblower protection and other stuff, like companies who use EULAs to make you at fault for bugs or even website typos that let you get past security without even trying to hack.

Whistleblower protection is needed to cover stuff like what happened to Stephen Heller and others like him.

http://en.wikipedia.org/wiki/Premier_Election_Solutions [wikipedia.org]

Re:Sort of interesting, but... (0)

Anonymous Coward | about a year and a half ago | (#42996347)

He's acting moral in one sense and expecting that to shield him against his other immoral actions. He is in the wrong.

I'm no apologist for the police. I know they often have disproportional responses. But it's not clear to me that his home was "raided". Executing a search warrant is not a raid per se.

Re:Sort of interesting, but... (0)

Anonymous Coward | about a year and a half ago | (#42996369)

I am sorry if you cannot understand the fallible beliefs of slashdot, maybe you should venture to a place where LOGIC and VERIFICATION are the norm as we have no need for either here.

Re:Sort of interesting, but... (1)

K. S. Kyosuke (729550) | about a year and a half ago | (#42996447)

And he still broke into other people's networks without permission.

That's really scary. And that's just a rather neutral individual. Imagine what would happen if large institutions with agenda like FBI or CIA started doing the same thing! Oh, wait...

Re:Sort of interesting, but... (1)

Stan92057 (737634) | about a year and a half ago | (#42996627)

What agenda is that? Oh wait, they catch criminals, it's their job.

Re:Sort of interesting, but... (1)

Anonymous Coward | about a year and a half ago | (#42996497)

In an age where many tech-related 'sources' are just empty claims, a lot of this guy's information has checked out.

And he still broke into other people's networks without permission. But I suppose that's OK here since the private info that he released was of interest to Slashdotters and was "accurate"? It was OK because the victims were Microsoft and Sony? Or, shall we see another case of the famous Slashdot Double Standard?

Generally I'm in favour of being cautious about rewarding tossers who release malware on the net, hack and wreck systems, or in some other way wreak merry havoc and then expect fat job offers. They should not be rewarded but rather should be put in fuck-you-in-the-ass jail. But in this case I'd be willing to compromise. If that guy really did no damage, and if I was MS, I'd compensate him for the damages done by the FBI and the Aussie cops, make him a job offer and put him to work in my security department doing destructive security testing. The CIA used to hire safe-breakers, burglars, forgers and con artists to teach their agents trade-craft and probably still does, so why not do something similar as long as you are not rewarding people for being complete assholes?

You don't get it. (0)

excelsior_gr (969383) | about a year and a half ago | (#42996555)

I think that obtaining the info on the Xbox and the PS just served as a proof of his feat. He infiltrated the networks of two mega-corps that spend millions on security and employ hundreds of experts using his skills and knowledge. Maybe he didn't even care about the specs of the consoles. He just wanted the kind of information that would prove that he had actually gained access.

The one with the twisted perspective on the subject is you in this case. You completely ignore the black/gray/white-hat categorization and try to make us believe that this guy should be treated like a common criminal. Well, he should not. Depending on the way he gained access, MS and Sony should probably consider hiring him.

Re:You don't get it. (1, Redundant)

dreamchaser (49529) | about a year and a half ago | (#42996681)

He broke the law, if his story is true, plain and simple. You're the one with twisted perspective on it. He had no right to access their networks or proprietary information. I hope they don't go TOO hard on him as he did seem to have relatively benign intentions, but he hacked into systems without permission. The companies in question did not contract him to do penetration testing or an overall security assessment.

Re:You don't get it. (0)

Anonymous Coward | about a year and a half ago | (#42996721)

I think that obtaining the info on the Xbox and the PS just served as a proof of his feat. He infiltrated the networks of two mega-corps that spend millions on security and employ hundreds of experts using his skills and knowledge. Maybe he didn't even care about the specs of the consoles. He just wanted the kind of information that would prove that he had actually gained access.

The one with the twisted perspective on the subject is you in this case. You completely ignore the black/gray/white-hat categorization and try to make us believe that this guy should be treated like a common criminal. Well, he should not. Depending on the way he gained access, MS and Sony should probably consider hiring him.

It isn't hard to break into anyone's security. All it takes is the will to do it. Breaking into a company's, no matter how big it is, isn't that difficult. It happens every single day. All it requires is the will to do so. Because nothing is foolproof, for every lock ever created, no matter how complex it is, there are a thousand guys that can open it.

And he is a common criminal. You justify his methods and acts simply because he didn't steal, but he still committed a criminal act. That's like if you say a guy broke into a bank vault that he shouldn't be considered a criminal simply because he didn't take the money and that the bank should praise him and thank him for breaking into their vault. You justify his acts because you're on his side. Even Robin Hood is still a common criminal; regardless of what he did with what he stole, he still broke the very basic and common laws. By your logic, if the guy broke your window in your home and came in and went through all of your stuff but didn't take anything, you would be happy because he proved your window was a weak entry point. You're a complete and utter moron.

And why should someone hire him? "Oh you broke into our security and made us look bad? Hell, work here please and have unfettered access to us from the inside". You want to reward criminals for criminal activity? And I hate to break it to you, but just because he broke in doesn't make him a good security person, because anything he can put in place can be defeated by a thousand other people because, like I said, nothing is secure.

Re:You don't get it. (1)

Sir_Sri (199544) | about a year and a half ago | (#42996801)

You realize there are firms that sell that sort of security right? And academic programs on how to do so etc.

There are legit ways to enter the business; he simply chose a different route.

Re:Sort of interesting, but... (1)

cultiv8 (1660093) | about a year and a half ago | (#42996565)

another case of the famous Slashdot Double Standard?

Citation please. ;)

Re:Sort of interesting, but... (0)

Anonymous Coward | about a year and a half ago | (#42996685)

still broke into other people's networks without permission. But I suppose that's OK here since the private info that he released was of interest to Slashdotters and was "accurate"?

I wouldn't exactly use the word "OK" here, but I will say I don't give a shit about someone who breaks into a company just for some joyriding. It's the digital equivalent of taking a car with the keys in it for a spin around the block and then returning it. Not really criminal behaviour, but also not something that's really legal or OK.

But then I wouldn't expect much of Slashdot to understand, since the culture around here is one of a binary right and wrong rather than any form of nuance. Bloody engineers and linear, categorical thinking. Especially when it comes to silly shit that doesn't matter, like "oh knows... someone hacked our server and didn't do anything with the data".

Re:Sort of interesting, but... (0)

Anonymous Coward | about a year and a half ago | (#42996751)

Information wants to be free!

Re:Sort of interesting, but... (0)

Anonymous Coward | about a year and a half ago | (#42997007)

In an age where many tech-related 'sources' are just empty claims, a lot of this guy's information has checked out.

And he still broke into other people's networks without permission. But I suppose that's OK here since the private info that he released was of interest to Slashdotters and was "accurate"? It was OK because the victims were Microsoft and Sony? Or, shall we see another case of the famous Slashdot Double Standard?

Slashdot Double Standard (colloq.), is when one visits a web site with thousands of different people all voicing their opinion, and expecting them to share one single opinion, yet at the same time expect them to be different individuals. Something like that.

Re:Sort of interesting, but... (0)

Anonymous Coward | about a year and a half ago | (#42997155)

It's entirely ok to break into Sony, what goes round, comes around.

Re:Sort of interesting, but... (0)

Anonymous Coward | about a year and a half ago | (#42997267)

SuperDaE doesn't give a shit.

Need to nip it in the bud (5, Funny)

Anonymous Coward | about a year and a half ago | (#42996305)

It starts out like this, a hacker looking for the latest games, then it leads to Global Thermonuclear War.

Re:Need to nip it in the bud (0)

Anonymous Coward | about a year and a half ago | (#42996673)

Greetings, Professor Falken.

Exploit (0)

Anonymous Coward | about a year and a half ago | (#42996313)

Man, if you're going to get fucked by the authorities anyway, you might as well exploit everything you can to make some money and GTFO.

Re:Exploit (0)

Anonymous Coward | about a year and a half ago | (#42996329)

Yeah, totally Bro! The government should, like, not prosecute anyone unless they murder like 5 people!

Re:Exploit (0)

Anonymous Coward | about a year and a half ago | (#42996341)

More like he should have known he was going to get prosecuted, so why hold out and white hat it?

No damage? (1, Informative)

l00sr (266426) | about a year and a half ago | (#42996339)

There seems to be this common misconception that a network can be broken into without causing any damage. Tell that to the IT department that has to re-flash and re-image every damn machine on the network to make sure no backdoors were left behind.

Re:No damage? (0)

Anonymous Coward | about a year and a half ago | (#42996439)

There seems to be this common misconception that a network can be broken into without causing any damage. Tell that to the IT department that has to re-flash and re-image every damn machine on the network to make sure no backdoors were left behind.

Outside of some 3-letter agency, find me an IT department who actually executes said scenario, and manages to convince every single employee (including all executives) that a complete wipe and re-image of their machine is necessary within the next 12 hours. Sure this is a proper response. It's also a ludicrous one.

Come to think of it, even 3-letter agencies don't do this shit. If they actually did, then their security audits wouldn't be so fucking piss-poor.

Re:No damage? (1, Informative)

93 Escort Wagon (326346) | about a year and a half ago | (#42996609)

Having been through such a situation in the past - while the GP contained some hyperbole, I can tell you our guys spent a couple days checking and cleaning up after an intrusion. If you don't think there's a (necessary) significant investment of time that goes into dealing with an intrusion, you've likely never actually worked in IT.

Re:No damage? (0)

Anonymous Coward | about a year and a half ago | (#42997347)

If you were not an IT Whore, you would not comply with the demands to run Acrobat Reader and Flash Player. You would have no intrusions. You simply deserve what you get.

Re:No damage? (1)

spire3661 (1038968) | about a year and a half ago | (#42997013)

It's not ludicrous. We could and should be able to do it, but we don't design our networks to handle that kind of thing. IMHO, every machine in the building should have a hot spare HDD ready to go and a full user profile stored on the network/backups. We don't have this functionality because it's more important to slap a cheap vendor workstation on a desk than it is to build a proper machine with extra hardware.

Re:No damage? (1)

Em Adespoton (792954) | about a year and a half ago | (#42997197)

It's not ludicrous. We could and should be able to do it, but we don't design our networks to handle that kind of thing. IMHO, every machine in the building should have a hot spare HDD ready to go and a full user profile stored on the network/backups. We don't have this functionality because it's more important to slap a cheap vendor workstation on a desk than it is to build a proper machine with extra hardware.

The other problem is that you need to deal with when the intrusion was detected when dealing with cleanup and mitigation. If there was an undetected intrusion, followed by backups cycling, user profiles getting backed up to hot spares, etc. and THEN someone notices the intrusion... well, you have to first figure out when the intrusion took place and what systems were possibly touched -- after which you need to follow the cascade of tainted systems until you reach the end.

There's nothing worse than losing a week of work to restore to a tainted snapshot -- other than maybe being unable to audit and verify whether you've cleaned everything up in the first place.

Re:No damage? (1)

Xugumad (39311) | about a year and a half ago | (#42997405)

I do that for systems I maintain.

I've nuked systems just for looking suspicious, despite not being able to prove someone cracked them (half the binaries in /bin stopped working, I figure that's fairly damn suspicious).

Anyone who doesn't re-image a cracked system is unbelievably naive, and it will come back to bite them hard one day. Like hell am I going to take the word of someone who broke into my systems that they didn't leave a rootkit.

Re:No damage? (1)

Anonymous Coward | about a year and a half ago | (#42996443)

So, you're saying that IT shouldn't fix backdoors on their network as long as no one ever breaks in using them (that they know about)?

Re:No damage? (0)

Anonymous Coward | about a year and a half ago | (#42996779)

The backdoors are assumed to have been installed by the hacker, they never existed had the hacker not existed.

Re:No damage? (0)

Anonymous Coward | about a year and a half ago | (#42997365)

Shertainly. Flash, Acrobat Reader, MS Office would never have any flaws if there were no criminal hackers who exploited them. China would never fuck the west via the Internet if there were no hackers who told about it. If nobody tells about something, it does not exist !!

Re:No damage? (5, Insightful)

K. S. Kyosuke (729550) | about a year and a half ago | (#42996475)

> There seems to be this common misconception that a network can be broken into without causing any damage. Tell that to the IT department that has to re-flash and re-image every damn machine on the network to make sure no backdoors were left behind.

There seems to be this common misconception that having to fix a network to remove holes and backdoors is somehow worse than having lived with it for some time without knowing it. Not to mention the fact that your second sentence does not substantiate the first, also known as the non sequitur fallacy: not having caused any damage and being under suspicion for having caused some are two completely independent things.

Re:No damage? (1)

lkangaroo (2663383) | about a year and a half ago | (#42996569)

Guess there is a difference between your definition of "damage" and the GP's. In a business setting, any time, effort, or money that you spent, and would not have to spend if there were no breach is considered "damage".

Re:No damage? (1)

K. S. Kyosuke (729550) | about a year and a half ago | (#42996869)

> Guess there is a difference between your definition of "damage" and the GP's. In a business setting, any time, effort, or money that you spent, and would not have to spend if there were no breach is considered "damage".

And as long as you can make things up, any word can mean anything you want. So, to continue your line of reasoning: my dictionary tells me that "breach" can mean the same thing as "crack" or "fissure", and the hole was there before the guy got in there, so logically, they'd have to spend effort anyway.

Re:No damage? (2)

Namarrgon (105036) | about a year and a half ago | (#42996881)

Your front door lock is broken, but you didn't realise it. A passer-by tells you that is broken. Do you blame him for the "damage" to your wallet that comes from fixing it?

Or how about this: You're understandably unhappy that he pushed your door open and poked his head in. He claims he didn't take anything (and given how he volunteered the information about your door, there's no reason to disbelieve him), but are you angry at him that you now feel the need to double-check everything you own, just in case he (or someone else) took something?

Re:No damage? (0)

Anonymous Coward | about a year and a half ago | (#42997389)

Businessmen are spineless whores with lots of money and they keep themselves an obedient Zoo Of Spineless Half-Assed "IT" Whores. Do you really think whores have any consistent system of morals ?

Re:No damage? (1)

tlambert (566799) | about a year and a half ago | (#42997095)

> Guess there is a difference between your definition of "damage" and the GP's.
>
> In a business setting, any time, effort, or money that you spent, and would not have to spend if there were no breach is considered "damage".

Excuse me...

Why is it that you think that a breach that is committed by someone who reports it to you and potentially faces repercussions for their having a Bushido-style sense of honor about things causes less damage than a breach committed by someone who then proceeds to profit from said breach without disclosing it to you, up to and including selling the details of how to repeat it to third parties?

Do you somehow think that the people who open themselves up to the repercussions are smarter than the ones who keep quiet and face less risk?

From your "business perspective", I'd call the people who kept their mouth shut "smarter". Why is it you think a "smarter" person would be unable to get into your system -- or hasn't already -- than one you would, by your own lights, class as "less smart"?

Re:No damage? (0)

Anonymous Coward | about a year and a half ago | (#42996479)

by that logic, you would leave your doors unlocked because of the time it would take to ensure that each is closed and locked?

Re:No damage? (4, Insightful)

Jah-Wren Ryel (80510) | about a year and a half ago | (#42996501)

> There seems to be this common misconception that a network can be broken into without causing any damage. Tell that to the IT department that has to re-flash and re-image every damn machine on the network to make sure no backdoors were left behind.

Those actions and associated costs are not the result of having your network broken into. They are the result of being told your network is vulnerable - even if you have no knowledge that the network was actually broken into.

Re:No damage? (1)

bwcbwc (601780) | about a year and a half ago | (#42997133)

No, you're conflating two different types of security vulnerabilities:
1) The gap the guy originally used to get in, plus any other pre-existing vulns.
2) the gaps the guy may have introduced into the network while he had access, via new malware, etc.

The re-flashing and stuff mentioned on the GGP is primarily to mitigate #2.

#1 is definitely not the guy's fault, but any precautions required to mitigate #2 definitely are.

And whether you agree with the law or not, breaking into secured networks is still illegal regardless of the harm. Even if you throw out the remediation costs, the argument that "no damage was done" isn't necessarily true: from a business POV, breaking into their corporate network and leaking game console specs ahead of announcement qualifies as industrial espionage. What if the leaked XBox specs inspired Sony to upgrade the CPU or the graphics on the PS4 to improve their performance? The leak takes away a competitive advantage that MS had due to their trade secrets.

Re:No damage? (0)

Anonymous Coward | about a year and a half ago | (#42996557)

Or the IT department can live on ignorantly after having their network hacked with countless backdoors left behind and deal with the incalculable cost of corporate espionage/sabotage for months/years/decades.

I'll gladly take the hacker who humiliates me over the hacker that subversively drives my company into bankruptcy.

Re:No damage? (0)

houghi (78078) | about a year and a half ago | (#42996683)

If I am able to break into your system, you have a problem with your security.

In Belgium there was a 'hacker' that hacked into a banking system by using the password 'pswrd'. As he just did trial and error, many did not want to call him a hacker.
Some people thought that it was better that it was not a real hacker. For me it was worse.

Look at it in another way:
1) I hack your system and tell you what I have found. I might or might not have left backdoors behind.
2) I hack your system and do NOT tell anybody. I might or might not have left backdoors behind.

Re:No damage? (0)

Anonymous Coward | about a year and a half ago | (#42996935)

You are looking the wrong way.
The security guy will have to put in some hours after a security breach, that is true but that is because the security of that system was not good enough.
So being lazy or making bad decisions has a price tag to it.

Looking back, the job was not good enough, so it had to be done properly plus some extra checks for backdoors; looking forwards, that mistake will not happen again. Lucky they were told. Checking for backdoors still needs to be done, not because the guy who went public might have left one behind (very improbable) but because someone else could have got in and planted one.

If a guy figures out a way to break into my house, does it without stealing anything and tells me how he did it I will not complain I have to spend time and money replacing a lock.

Durango hasn't been revealed (1, Insightful)

Anonymous Coward | about a year and a half ago | (#42996363)

> he retrieved information about the PS4 and next-gen Xbox 'Durango' (which turned out to be correct)

"Durango" hasn't been revealed yet. How do we know his info is correct?

Re:Durango hasn't been revealed (1)

Sir_Sri (199544) | about a year and a half ago | (#42996835)

They might mean he had info on early development kits, a lot of that info has leaked out (there are after all lots of companies that have said kits).

Early development kits aren't final hardware though, so they don't mean much to consumers or people on the outside.

But officer, I just broke in! (0)

Anonymous Coward | about a year and a half ago | (#42996373)

"simply breaching the security of those companies was enough to get the U.S. FBI to convince Australian authorities to raid his house"

Simply? Yes, simply breaking the law will get you the attention of the police... This must be the first /. post by an 8yr old... (a stupid 8yr old)

Re:But officer, I just broke in! (1)

Osgeld (1900440) | about a year and a half ago | (#42996539)

yes, breaking in and taking information

people would oppose someone breaking into their house and stealing all their financial documents, but it's apparently harmless to break in and commit industrial espionage

Chinese Army (4, Insightful)

the eric conspiracy (20178) | about a year and a half ago | (#42996385)

Ugh.

If some surfer dude from Oz can do this imagine what the Chinese Army and the TLAs have gotten into.

I don't know if this is good or bad. Mutually Assured Destruction can be a good thing, as can the dissemination of information.

However it sure should give people pause when they put a server online. Or make their bank accounts available on the web.

It might be a case of not if but when.

Re:Chinese Army (0)

Anonymous Coward | about a year and a half ago | (#42996633)

Go China! At this point, they're our best hope of saving the world from the Americans.

Re:Chinese Army (1)

the eric conspiracy (20178) | about a year and a half ago | (#42997189)

> Go China! At this point, they're our best hope of saving the world from the Americans.

Be careful what you wish for. You might get it.

I think what you're looking for is... (0)

Anonymous Coward | about a year and a half ago | (#42997293)

"May your wishes come true, and may you live in interesting times."

Don't get caught (0)

Anonymous Coward | about a year and a half ago | (#42996395)

Kids. KIDS. Don't do stuff like this through an identifiable Internet connection.

who cares (2)

Vince6791 (2639183) | about a year and a half ago | (#42996595)

So, it's okay for the U.S. government and even corporations to spy on our communications (Facebook, phone calls, chats), emails, and whatever we upload to the cloud without a court warrant, but when somebody does it to a corporation or government it's time for the feudal U.S. system to go bat shit crazy on his/her ass. If U.S. does not follow the constitution why should we, remember by the people for the people. Hah, who cares it's a feudal system. People just stop hacking it's not worth losing your life over.

Re:who cares (1)

bwcbwc (601780) | about a year and a half ago | (#42997169)

No it's not OK for the government to do that. But just because the government screws you over doesn't mean you can go screwing over 3rd parties. The problem isn't that the law against cracking networks is necessarily bad (although I'll agree it's not perfect and overreaches), it's that the government and corporations aren't held to the same standard as individuals, which is a completely separate issue.

It's funny... (1)

Anonymous Coward | about a year and a half ago | (#42996659)

Because no one seems to be blaming the companies like usual, no one is blindly angry for no reason and no one seems pissed off. Why? Because he stole information that users here find interesting.

I mean he did the same thing that hackers have done to companies before and you people lined up to spout the same comments and blame the companies for being hacked many many many times, but now all of a sudden you change your tune simply because he wasn't trying to steal personal information about you. He committed the same crime. It's like saying someone who breaks in your home to steal your wallet is bad, but if he breaks in and steals nothing then you're perfectly fine with it.

It is called the Geohot effect (1)

argee (1327877) | about a year and a half ago | (#42996745)

You would think that after Geohot showed the way (not!), that people would leave Sony alone to wither on the vine.

Friends don't let friends buy Sony Products.

Re:It is called the Geohot effect (1)

spire3661 (1038968) | about a year and a half ago | (#42997053)

You mean the guy that completely capitulated, tucked his tail between his legs and ran? Yeah Geohot sure showed the way........

Really? (2, Insightful)

Anonymous Coward | about a year and a half ago | (#42996809)

Summary: Kid breaks in networks of corporate entities, accesses trade secrets, purchases development hardware using fraudulent information, brags about it on the internet and then cries about being "ruined".

There is nothing "ethical" about any of this kid's shenanigans. He cried about them taking his toys away, and doesn't even realize he's going to pound-me-in-the-ass prison yet.

Moral of the story: Common sense eludes hacker.

Shall we Play a Game? (1)

RiscIt (95258) | about a year and a half ago | (#42996841)

Haven't we seen this movie before?

Inevitable lesson (0)

Anonymous Coward | about a year and a half ago | (#42996849)

Be a pirate. Exploit every hole ye shall find. Gives nothing back!

Arrrr.

if you have to cheat... (1)

glitch23 (557124) | about a year and a half ago | (#42997065)

to gather information to 'one-up' your competition or to make yourself look good to your friends then you aren't very good. And in this case, breaking the law by breaking into companies is cheating.

banking fraud can get you time in a FPMITA (1)

Joe_Dragon (2206452) | about a year and a half ago | (#42997271)

banking fraud can get you time in a FPMITA and he did it on the International level.

Seriously? (1)

Seumas (6865) | about a year and a half ago | (#42997367)

Slashdot is linking to Kotaku content? Why not just link directly to blogspam (which, frankly, would be better quality than the link-bait drivel on Kotaku)?
