Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
The Internet

British Crackers Demand Millions in Inforansom 190

RuntimeError writes "The Times of UK report that a group of British Cr/Hackers have broken into the computer systems of atleast 12 multinational companies, stolen confidential files, and are holding the companies to ransom." One of the companies is Visa, as in credit cards. I believe this has far more hysteria potential than the recent CDuniverse inforansom scandal. Expect the usual pundits to be all over this story within the next few days.
This discussion has been archived. No new comments can be posted.

British Crackers Demand Millions in Inforansom

Comments Filter:
  • by Anonymous Coward

    Never ask for more than it would take to have you killed by a professional.

    Hope these kids really know what they're doing...

    Or not. :)

  • by Anonymous Coward
    They're about as technically competent as your average dead-for-three-weeks trout. This may seem like a wanton troll but if you check out these resources you will see that Mr. Ungoed-Thomas and his associates have something of a reputation for poor IT reporting:

    Displaying lack of technical knowledge [ntk.net]

    An example of shoddy reporting... [sunday-times.co.uk]

    ...and an analysis of the 'expert opinion' on which it was based [kumite.com]

    Trundling out the same ol' tired junk [ntk.net]

    This doesn't mean there isn't at least some truth to the reports of attack, but, it does suggest you should take what they say with more than a pinch of salt; in fact, I'd recommend sprinkling on a heavy layer of skepticism and critical thought.

  • by Anonymous Coward
    I have not heard a single thing about this on any other news sources, not saying its not true, but /. should do more indepth reporting than just cutting and pasting headlines.
  • by Anonymous Coward
    Unfortunately, as long as companies keep storing customer's/client's valuable information in insecure places with insecure software, there will always be some cr/hacker that will find a way to nab it.

    Since you seem to know what environment and software is being in use and how to improve things off with you, time to apply for a job.

    Could be though this was just one of those unqualified rants, rated insightful for some arcane reason.

  • by Anonymous Coward
    Thumbprint is less secure against merchant fraud/crackers than smartcards. It is more or less fixed data. It is only as secure as the POS system (not very). With smartcards and electronic wallet, it doesn't matter how compromised the POS terminal is.

    On the other hand, if your electronic wallet has a thumbprint scanner and sends that data (encrypted) along with the transaction information, it might provide extra security. In this case, in addition to physically stealing the card (and possibly also the wallet, depending on how the system works), the thief must aquire a fingerprint. This makes it far harder in situations where the thief doesn't know the victim's identity (say, he's broken into a gym locker).

    If thumbprint scanners can be made small and inexpensive enough, it might be a viable idea.

  • by Anonymous Coward
    I have read most of the articles on this list and I must say that there is one constant:
    Either people support cr/hackers in their attack or they defend corporations. I'd like to compare the views.

    But first of all consider the medium used to bring you the information: Media. I think it is fair to say that the media nowadays (at least those who are funded/run by corporations) behave in a corporate way and take sides with the corporations (because they cannot go against the grain; that would be suicide). So we have to assume that whatever is said in the medias about this subject IS slanted towards the general corporate view of the internet: "It is dangerous, we must gain complete control in order to make it secure for the ordinary citizen". This is made, as usual, with the most altruistic concerns (sarcasm).

    So on with the comparison...

    Pro-cr/hacker: It is important for the people who are subjected to corporative decisions to be able to defend themselves. Although breaking and entering IS against the law, much can be said about how corporations circumvent different laws to impose unwanted condition upon the ordinary citizen. Furthermore, consider the economic cage in which every citizen has been framed; there is ample cause for alienation and that alone is sufficient to excuse the hacking/cracking of the VISA database.

    Pro corporation/economy: The law has been broken. We need to apply the law. If we don't then these corporations that create jobs will be hurt and this in return will cause loss of revenue, loss of dividends and loss of jobs. These acts of vandalism are unnaceptable and should not be tolerated at all. The government must stand strong and help find the individuals that did this crime. Who cares how long it took for VISA to tell the world about the crack? It's a private company, it can do whatever it wishes.

    We can see that what is really a stake with this story is this world division we are seeing more and more. It has two sides that are self excluding (in most cases), either you're for economy, or you're against. Either you're for the people or you're a traitor. This is not very constructive.

    It is my personnal opinion that we need to understand inter-dependancies. Corporations need to work with ordinary people without alienating them. People need jobs and a source of revenue to survive.

    It is also my personnal opinion that big corporations have been pushing too hard lately, forcing states and countrys to let down social services, let down the population without significantly alleviating the tax burden. They have thus, created a breed of angry citizens that are unsatisfied with the current state of things. I should not be surprised, if the trend continues, to see more and more cr/hacking, more violence and more theft.

    How much are we willing to pay to keep driving with our eyes closed and only one hand on the steering wheel?
  • Personally I don't think that these people sould be let off or anything but I don't think they sould be killed. Damn if you start killing crackers, where does it stop? I sure as hell don't think that I sould be shot just because I smoke mirijuana. I'm sure that when these people are caught the prosecuting authorities will throw the book at these people, and make a example out of them. But kill them?

    I don't really thing this could be called terrorism either. Go look up the defenition and I think that you'll agree with me it's not. Usally terroism involves hurting/killing/maming innocent bystandards in order to get a Political View across to some organization that the people might be involved in. This is just a case of theft.
  • Ever seen "Demolition Man"? Personally I'd rather someone just stole my credit card.
  • ...is a well-known cretin and I would take any article with his name in the byline with a very large pinch of salt. His problem is that he doesn't actually understand what the internet is or how it works, and is firmly of the opinion that it is simply a haven for anarchists, animal rights activists, left-wingers and any other group that he despises. He could be dangerous if he wasn't so incompetent. One of his favourite tactics is to approach organisations via email using an assumed name (strangely he usually choses a female identity.) Unfortunately, his understanding of email is so limited that it doesn't occur to him to spoof the From: and Reply-to: headers. See NTKs [ntk.net] passim or do a google search on his name for a really good laugh.

    Nick

  • ... an encrypted ext2 file system which allows for plausable deniability, i.e. you can give them the password to a lower encryption level and they will have no way to prove higher encryption levels exist, thus there is nothing they can do to make you give up you encrypted data

    Not sure about this - as the legislation basically allows them to imprison you on an accusation, could they not simply accuse you of having two keys?

  • And the second question is, if these companies had been running Linux, would the crackers have been able to get in?

    Well, I don't know what computer OS they hacked into. I would assume all of the important information at Visa (credit card #'s, customer info) is sitting on some ancient main frame computer that fills a room.

  • Imagine a geek tabloid, that would rule. Instead of stories about aliens, we'd have stories about upcoming Star Wars plots. Instead of articles on celebrities, there would be articles on Linus, RMS, and ESR. :)

  • Did the crackers use Linux to break into these companies?

    And the second question is, if these companies had been running Linux, would the crackers have been able to get in? (edgy ducks and runs while the M$ and Linux zealots fight it out)

  • Ungoed-Thomas has had a few mentions in NTK [ntk.net], too. Try a search on his (or her) name.
  • Hit the Next Page link at the bottom. It's a story about a guy crashing his car into anti-terrorist gates at Downing Street and the police kicking in the window and dragging him out. Of course cops here in the states would probably have shot the guy...

    Anyway, it's more interesting than this tripe about contract cracker data thieves.
  • Secondly, it would apear that they suspect a competitor (or someone with an interest in seeing them lose money) is behind the hack. Interesting, don't you think ??

    Crackers. They don't take American Express. Visa - Your information is everywhere you don't want it to be!

  • Sure... uh... just send us your name, credit card #, and expiration date and we'll take care of the rest... really.

    OK, to be serious for a second, if someone charges stuff to your VISA card without your approval you will only be responsible for the first $50 of charges. (Disclaimer, this is true in the U.S., not sure about other countries.)

    Now, given that VISA itself is the one who screwed the pooch here, I'm willing to bet that you wouldn't have to pay a dime. Assuming, that is, that the misuse of your card could be traced back to this breakin. I've heard that often times the issuer of the card will not even charge you the $50 in cases of fraud. They'll just eat it.

    Reality-wise, you don't really need to worry. Since the breakin happened last July, any compromise to your account probably would have been exploited by now.

    #include the obligatory "credit cards are really, really a stupid way to exchange funds" rant.
  • Indeed, my first reaction is "hoax !" just like the "crackers hijack spy satellite" story from '99 ...

    search the archives of Need To Know [ntk.net] for more details (see also Sunday Times)

    Also interesting that none of the mainstream media have picked up this enormous scoop ...

    OTOH !!! there are attributed quotes in there -- so if theyr'e wrong, they'll get the arse sued off 'em. And then it really will be the end for the editor, can't remember his name now ...

    --

  • The time required to brute force a 128-bit key exceeds reasonable comprehension on any normal time scale.

    A brute force attack is the upper bound. More sophisticated attacks may be possible. A simple substitution cipher has approximately 88 bits of key.

  • I've heard it time after time, and I never stop to wonder. Why on earth do people think Linux equals cracking-tool ?

    Probably because they've bought ino the popular misonception that hacker = crackr, then hear someone refer to Linux as being "more a hacker's OS". (As opposed to being suitable for someone who thinks that they're using Windows 97, because that's the version of Office they've got installed :o) )

    Just a thought.

    Tim
  • well i think the last thing to happen is the govt has gone forward with requesting all "r rated" andover content to be removed off all australian sites, but there is still legal access to r rated content and over on overseas sites. Until they figure out how to firewall and filter the whole country i guess. Slowly but surely wins the race?
  • No! Security by filtering out dangerous ports does not work. Rather, one should filter unknown ports by default and specifically let "safe" ports through the firewall. Look at Hotmail/other webmail providers' problems with embedded javascript in email that are supposed to be escaped out or removed.

    I disagree. By "default deny" - you deny your own workers the freedom they should enjoy. Your workers will not like the fact that they cannot sit at their office 'after hours' and IRC (and DCC) all they want. If you by default deny UDP, then they cannot use ICQ all they want. And so forth.

    Of course, one doesn't want the workers to use IRC in the day -- but by denying them access to it - you make them "pissed". The employees won't like to be 'limited'. They feel untrusted then.

    I know that if I was at a workplace where the policy was "default deny" - then I would either try to crack the system, or I would find myself a new job - since they obviously didn't trust me.

    The filtering of default netbus/bo/other ports, is because the standard-scanners only scan for standard-open ports. Nobody would take the time to scan a large corporation on every port on every host. That would send the alarmclocks of the firewalls chiming all day and night. A single probe for one machine on one port - wouldn't trigger very much.

    No, block all ports known trojans reside on, and continue blocking new ports, when new trojans use new ports. But don't do a "default deny" - since that would block to much.


    --
    "Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet
  • In order to hire competent staff in this area, you have to already have staff in place that knows how to hire competent people. Can HR do this?

    What is HR ?
    But, as long as they have a server admin, they have someone that knows a BIT about security, not necessarily MUCH. But I would say that most server admins are competent to find the people who can secure the systems.

    When time to market is the most crucial factor, "Security? we can just add that on later".

    I know, the system I admin (kvinesdalsnett), was cracked 24.des'98 . It was the worst christmas of my life. Stupid me had overlooked the bufferoverflow in qpopper2.2. Boy, did I learn that I needed to read bugtraq everyday (Ohyes, I did.. :-)

    We didn't rush things to the market though. It was just (then) incompetent little me who forgot to check all daemons.

    Would you now buy from CD Universe with a credit card?

    Of course I want to. They're bound to have tighter security than fort knox about now. Their sysadmin is probably having nightmares about people breaking into their system, and using most of his spare time digging into more books about securing their sites, and so forth. I'll bet their site is one of the safer sites on the net about now. :)


    --
    "Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet
  • Did the crackers use Linux to break into these companies?

    Sorry to disappoint you, but linux isn't a tool to crack into other peoples machines, even though a lot of kids these days seem to think so.

    And the second question is, if these companies had been running Linux, would the crackers have been able to get in?

    That depends on the configuration, as does it with Windows NiceTray.


    I've heard it time after time, and I never stop to wonder. Why on earth do people think Linux equals cracking-tool ?


    --
    "Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet
  • >a) How reliable is this news source

    Not very, The Times is well known for printing rubbish regarding computers. It seems they have no tech editor, and often print press releases as stories (falling for every lie), and stories full of dubious facts.

    In fact they once printed an urban myth as a true story.

    Best not to believe any tech stories in The Times.

    F
  • Hmmm, ok, that's pretty much what I figured.

    >#include the obligatory "credit cards are really, really a stupid way to exchange funds" rant.

    What obligatory rant would that be? A "there's a better way which currently exists" or a "there's a better way that could be implemented"?
    Oh, and it's not really a credit card, but a debit card. Not that that's a huge improvement.
  • Ok, so, I have a Visa card.

    What should I do? Anything?
  • Ah. You seem to have read the National Socialist Dummy's Guide to Nietzche. Untermensch. :P
  • Referring to the previous story as the "CDuniverse inforansom scandal" fits in quite well. I really hope Slashdot can stand the temptation to become the geek tabloid.
  • Because you're a clueless wannabe script kiddie?

    Because you don't realize that you can't trust any compromized system, because you have no way of knowing if trojans and backdoors have been installed. That these systems must be repaired from backups, and the effort involved can take hours and cost thousands of dollars on large production systems.
  • But consider the pansies in the planters in front of the building. They don't put them in the vault overnight. A few things, banks and such, need to be rather secure. For most things, it seems better to depend on a rational and trustworthy populace.
  • I think the next thing we need a word for, after "benchcrafting", is "hacksationalism" (or maybe "cracksationalism" before people flame me) to cover all these media stories trying to spread panic about cracks amounting to nothing.

    I can't be bothered to look it up now, but I'm almost convinced that The Times has featured a number of stories like this before, all of which indeed did lead to end of civilisation as we knew it (or maybe not...)

    This particular journalist has a penchant for these type of stories. You get the general idea by searching for "ungoed" from NTK [ntk.net].
  • I have seen a half-dozen questionable or blatantly wrong stories from the Sunday Times in the past month. It's quite clear that they're a tabloid, not a newspaper. Slashdot should stop picking up stories from them...it's like if we were getting tech news from the Weekly World News!

    "Three Headed Baby Hacks Government Computer System! CIA Stunned!"
  • Interesting take on the whole situation. But if they have the ability to kill you they have the ability to grab you. After hundreds of years of experience in hurting people, traditional intelligence agents have developed techniques to break anybody. They don't have to kill you in the end, just hurt you bad enough that you can't even see mention of the company's name in the papers without breaking into a cold sweat knowing that the wrong actions on your part will return you to the intimate embraces of some sadistic bastard.

    I'd bet that given a future of six months (or more) of daily torture any would-be cyber-protectionist will rat out his compatriots with rapid alacrity.
  • That was really not my point, and you really had to try very hard to take it out of context to get that slant on it. Great job, smartypants.

    I'm not saying that those people aren't guily of a pretty heinous crime, they ARE.

    What I'm saying is this (analogically): If you leave the front door of your house open, people will most certainly eventually come into your house, and due to some people's lack of morals (or whatever you wish to call it), things will get stolen. If you have a house full of Picassos and Rembrandts, instead of a couple of ripped posters on the walls, be prepared to have bare walls.

    This doesn't exonerate the thieves by any means, it simply exposes what is the darker underbelly of human nature. It is the online company's DUTY to make sure that their client's confidential information stays that way.

    I was not commenting on the thieves' guilt or innocence, in fact, you'd have to be pretty fucking confused to think that they are not guilty of malicious network intrusion, not to mention extortion. So do us all a favor, konstant, and get off your ethical high horse. No one said they were innocent.

    duh.

    dr_strang
  • You aren't a sysadmin are you? It doesn't matter *where* you put information or what software you use to protect it, it will still be insecure. It's just a matter of the degree of security. Certainly there are more or less secure systems than others, but it is very difficult to make a system extremely secure, and still usable. In these company's cases, I'm sure the crackers were very good, or had some kind of inside knowlege. It's too bad, but it happens to even the best companies.

    -----------

    "You can't shake the Devil's hand and say you're only kidding."

  • Hopefully all UK net users have already seen the following, but it's worth pointing out just the same:

    Gasp in awe [stand.org.uk] as you watch Jack Straw, Home Secretary of the UK (ie, important government chap), find himself liable for two years imprisonment (if this law was to pass) because someone sent him an encrypted message that he can't decrypt.

    This law is really so incredibly fscked, and demonstrates a completely lack of understanding, on par with the 'net filtering legislation that's just come in to effect in Australia (Oz /.'ers: what's happening down there?).

    ...j
    (an Australian living the UK)
  • If your clients can't have access to all ports outbound without opening up all ports inbound, you need better firewall software [anu.edu.au]. It's called "stateful packet filtering", "keeping state", or "shortcuts". It's common in NAT, where the translation host needs to keep track of the TCP/UDP/ICMP connections it supports.

    All machines except for those in a DMZ should be denied all incoming packets by default. Opening up all ports on all hosts (as default) is just plain stupid--why even have a firewall?

    --

  • If thumbprint scanners can be made small and inexpensive enough, it might be a viable idea.

    Under my proposal, the thief needs the card and the passphrase. I do like your thumbprint idea as an additional measure since people seem to have a habit of picking stupid passwords.

    With all of that, stolen credit cards would be completely useless. Add in digital cash (with similar security) and mugging becomes useless.

  • but scream that big brother is coming if they want a thumb print that is of little value other then for ID purposes.

    Thumbprint is less secure against merchant fraud/crackers than smartcards. It is more or less fixed data. It is only as secure as the POS system (not very). With smartcards and electronic wallet, it doesn't matter how compromised the POS terminal is.

  • but it is very difficult to make a system extremely secure,

    That is true, but many businesses don't even seem to try. The CDuniverse case is a perfect example, the card numbers were apparently stored as plaintext on the web server (NT running Microsoft-IIS/4.0).

    To be fair, various encryption export laws don't help matters any. If strong encryption could be freely exported, it would be used in a lot more software. That would go a long way (but not all the way) to preventing these problems.

  • Ever seen "Demolition Man"? Personally I'd rather someone just stole my credit card.

    Yes, good movie, and AGREED!

    I read specs on a thumbprint scanner once that included infrared scan as well. It claimed to be able to detect duress as well as dismemberment/death and refuse access under those conditions. I doubt the commercial scanners are that good though.

  • Nice idea but I can't see that this is much better suited to the Internet than standard cards. It's not what this is designed to do, either - this is a digital replacement for hard currency.

    Most people allready shell out for a wallet to hold cash, DL, and credit cards. They don't have to cost all that much more. Since they'd be no smarter than a 4 function calculator which can be had for $1.99.

    I am also aware that the Mondax system is for hard currency. What I propose is added functionality based on the same hardware. Since smart cards are smarter now than they were when Mondax was first proposed, I don't see any reason they can't serve both purposes.

    For people who won't buy a wallet, they can use the keypad at the POS terminal and take their chances. They're still more secure than the current system.

  • This is not true, based on a similar scam by an American company. (I was a victim, so I know this.)

    A US group was randomly generating card numbers, and then tried to charge around $20 to the card via standard means. They didn't have any expery data, but apparently, the one checker they used did NOT require this information. The result: the company got about $20 charged (one time only) to a number of accounts, and collected that cash for themselves. They are still in operation, as far as I can tell, and are rather 'small time' for both credit card companies (who tend to only chase after $100 or more PER CARD scams) and the US govt (who tends to need $100k or more to put down the smack). Yes, they're illegal, but considered small time by the 'authorities'. At least, if you are smart enough to watch your CC statement, you'll notice the odd $20 charge and can dispute it.

  • Huh, why did I get moderated as offtopic? I post regarding the credibility of the cited author and look what happens. Either the moderator didn't read the article so doesn't know who Ungoed-Thomas is or *gasp* Ungoed-Thomas has moderator access!!! :-)

    Enough whining for now...

    Nick

  • By "do not ask me to explain", I really meant that it was not anything to do with me and that I can see the stupidity of the situation. It arose from the sort of thing that I was writing about. The firewall was set up when the percieved threat of Jave (and there are ways of using Java to get data out) were known and ActiveX was not yet common. Since its installation the only work that has been done is to install the software updates. No changes have been made to the configuration.

    I think this type of security problem is common. Especially when consultants are used to install firewalls etc. Once the consultant has gone home and the budget is spent then the problem is forgotten. In our situation it is even more stupid as I work at a university and we have some great people working here but the computer services department is run by winders kiddies that do not understand the Sparcs (or anything much harder than installing Office) and therefore leave them to the consultants. Budget cuts mean that they can only offer 18,000 UKP for a sysadmin and therefore they can't get one.
  • I hope that these companies will take responsiblity for the flaws in their security and not, as most do, claim that it is all the fault of the evil cr/hackers. Visa should be so secure that no one could get in. Sensitive data should not be accessible from the outside.

    What often happens is that a supposedly secure system is put in and the opperators are so happy that they do not look at security again until, a few years down the road, someone breaches that security.

    Security is a developing science. What was secure last year is transparent this year. I work behind 2 firewalls, yet because they are too restrictive we pierce holes through them so that we can use things like UDP. They were not designed to stop activeX but they do stop all Java (do not ask me to explain).
  • If you want credit card numbers, go to the dumpster of any restaurant and start digging. Want good gold/platinum card numbers? Go to the good restaurants.

    These stories are so damned stupid. People get all up in arms about giving their credit card numbers to online merchants yet they give them to complete strangers at restaurants, bars, and retail stores everyday. I trust amazon.com more than I trust most of the restaurant workers around here to my credit card number.
  • This article is a typical tabloid boom. It starts with a "It has issued ransom demands of up to £10m and is also suspected of hiring out its services" and later talks about "Visa confirmed last week that it had received a ransom demand last month, believed to have been for £10m."

    In general this thing looks much like a bad plot for another Hollywood blockbuster. There is only some lack of green color and antenas over the head of the baddies...
  • The media has always said: "Be very careful using your credit cards online." That's good advice, but it should have been mentioned that you should be equally careful using it in a resaurant, over the phone, etc.. In the last while in the news some people have gone so far as to say: "Don't use your credti card online." So, now Visa's security has been comprimised. Now what? "Destroy all you credit cards."? Sure, it's clear that now, just as always, we should all be careful with our credit cards. But c'mon, the situation is not THAT dire. I've never seen a newscaster mention to viewers that credit card holders are generally only liable for the first $50 of purchases made, should your card or number be stolen. Perhaps if this were mentioned, the hysteria would calm down somewhat.

    --

  • I'd say it's pretty transparently a reaction to Y2K.

    The "computers are going to destroy us" articles sell a fair amount of newspapers. That space was well-filled with Y2K articles over the last few months, but since that whole issue obviously went nowhere, the space needs to be filled with something else. IOW, we're back to the hacker/cracker stories, except we can expect to see the focus on "professional hacker groups" rather than kids in their bedrooms.
  • It wouldn't surprise me in the least if this were some part of a larger plan to get the backing of the less-computer savvy parts of British society for the proposed bill.

    Unless they can swing popular opinion behind it, there is little chance that it will be passed. Why? Those who don't understand it or care about it will do nothing, while those of us that do understand it, and oppose it, will do everything we can to ensure that it never comes into force.

    On the other hand, if there are enough high-profile, "your money is in danger, even your most personal details!" kind of stories, Jo Public is going to sit up and take notice, and call for the bill's introduction without ever knowing that there is anything bad about it. The majority will buy the party line that it is necessary for their protection, just like the cameras on our streets and public transoprt are. (Not that I'm totally opposed ot them, but there are an awful lot of them these days...)

    From the article:
    "The group is using very sophisticated techniques and has been exchanging information via e-mail and internet chat," said an investigator.

    Well, duh. I bet they've been using 'phones and even meeting face to face, too. Maybe I'm reading far too much into this, and letting my paranoia run away with me, but why was this comment even necessary? They've (allegedly) cracked the compuer systems of 12 multinational companies, of course they were using sophisticated techniques!! (To say otherwise would be to imply that it was easy.) Being computer savvy, and net connected, of course they've been communicating via email and "internet chat".

    If this isn't part of some conspiracy to get popular support for one of the most potentially dangerous bills that has ever come to my attention, then someone somewhere is probably unable to believe their luck that such a fine supporting story has been handed to them on a plate.


    Cheers,

    Tim
  • Well if past records are anything to go on, any second now someone will post here about how we should be thanking the crackers for forcing the companies to get their acts together. This will come despite the fact that the crackers are thieves, blackmailers, and dealers (of illegally obtained information).

    _These_ crackers are thieves, but not all crackers are. If some group hacks Hotmail and replaces the main page with a message saying "Your security sucks. Hacked by F00fc8C7" then I say more power to them. When someone defaces a web page, it, like you said, forces the company to get their act together. It is a PR loss to the company, but having a secure site is much more important than that. Everyone wins.

  • Its time for companies to start securing their systems. First off, *really* important information should not be on computers hooked up to the internet. But, a lot of computers need to be on the net - so here we go.

    First of, they all need a computer-staff, and their own "computer security officer". There should of course be password security - but more important - people should be educated about email attachments, trojan horses, and so forth.

    Servers should be under constant surveilance. The admins should always know every single program, which version it is, and so forth. They should keep their eyes open, reading bugtraq and other sources every single day.

    A firewall is also a very good idea, for these kind of companies. They do need to be configured correctly, and block out common "trojan-ports" (12345 (netbus), 31337 (bo), and so forth). This to ensure that no sloppy employee gets his computer backdoored -- and the rest of the net gets access to it. If anybody gains access on ANY of the hosts behind the firewall, the entire network is "compromised" (to a certain degree).

    They should also have a fully switched network, or preferably, implement encrypted protocolls for data transfers internally, so that even if ONE host got cracked, packetsniffing would do no good.

    Ohwell, the list goes on and on and on. The important things is -- every big company should tighten up their security REALLY good. They should have their own staff looking after it.

    Smalltime companies should do their very best too -- but they don't have that many computers to protect - and therefore don't need that big a staff.


    --
    "Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet
  • No. The sysadmins should know *as much as possible*, and in bigger companies, there should be *several* of them. There will always be the risk of an inside job - but the sysadmins SHOULD be trusted people. Only then can they do their job the way it should be done.

    The sysadmins should have full access to everything, and know as much as possible, so that they can squash a bug if they find one, without delay.

    If an article about a bug in program foo is published tomorrow, it should be fixed as soon as the first sysadmin reads about it. He should not need to call sysadmin 4, so that he can fix it. Especially not if sa.4 is on vacation..


    --
    "Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet
  • This is good in that hopefully companies will get serious about protecting their information systems.

    No it's not. Companies should be serious about protecting their information systems because it's the right thing to do, not because some criminals (albeit clever ones) have made it necessary.

    Analogy time! Would you be thankful for criminals who break into your house and steal valuable things? Even if they stole nothing, but merely left a note saying that they'd be back to steal your property later, if you don't pay them a big ransom? Hell no. You'd be angry, and rightly so. You might add better security, and that might be a Good Thing(tm) but it's still not good that some thugs threatened you or your property.

  • I've always thought that simple access to the card itself being protected is pretty unreasonable (ie if you have the number & epiration date, you have the keys to the store).

    Isn't it time now in this day of ease of access to information to add something smarter to credit cards for security?
  • This so called "reporter" is a menace and a proven liar. If you would like to read more about his so called journalistic coups, take a look at the very very good British newsletter Need To Know.

    They have been covering his misreporting and his bumbling attempts to infiltrate direct action groups in the UK by "fakemailing" them for some time now.

    Please, do not even consider believing a word that this buffoon says. How he still holds a post at the Times is quite beyond me.

    http://www.ntk.net/index.cgi?back=archive99/now0 827.txt&line=52#l

    http://www.ntk.net/index.cgi?back=archive99/now0 820.txt&line=48#l

  • In order to hire competent staff in this area, you have to already have staff in place that knows how to hire competent people. Can HR do this?

    When time to market is the most crucial factor, "Security? we can just add that on later".

    Such places aren't going to deploy enough security the first time around. They can only react to this matter after the crack happens.

    Security is always someone else's problem until it becomes their problem - on the front page of major news sites.

    Would you now buy from CD Universe with a credit card?
    probably not.
    Should you?
    I'll be that within a month, they'll have the most secure setup in their business market. They will have thrown tons of money at the security hole, and try to market their newly increased security as a strength, not a weakness.
    So I'll look for their "check out our new, improved site, now with 'Security' coupons" soon.

    If they're still around.

    Paul
  • ... and I'm the guy who moaned to the bank when 60ish pence (around $1 US) disappeard without permission :) For UK users, The Woolwich happily dealt with this and changed my card.

    Seriously, what security methods are there on credit/debit cards? Two. The signature on the back to stop you nicking someone else's card and using it due to your inability to convincingly duplicate the signature, and the hologram on the front to stop you making your own (fake) cards and using them illegally. Both rely on eyesight and retailer, card and user being together.

    What we need is for someone to recognise that cards are simply not suitable for the purposes they're being used for now - remote ordering - and setting up something stronger, like sending out encryption keys for use with online transactions.

    But this is relatively expensive and makes spending money harder, so isn't going to happen all that soon...

    Greg
  • These wallets, nice as they are, aren't free. Someone has to pay for them and I can't see the card companies and banks being all that keen to shell out until they absolutely have to. Plus, it makes them harder to use as you've go it to your computer, so I can't see the average user being all that keen, either.

    Nice idea but I can't see that this is much better suited to the Internet than standard cards. It's not what this is designed to do, either - this is a digital replacement for hard currency.

    Greg
  • Whoops...

    Forgot to preview it AND forgot to account for a slow communal computer overunning the text buffer as I typed while it was locked :(

    Plus, it makes them harder to use as you've go it to your computer, so I can't see the average user being all that keen, either.

    should have read:

    Plus, it makes them harder to use as you've got to connect it to your computer, so I can't see the average user being all that keen, either.

    Sorry :(

    Greg

  • They only want £10 million ransom? Are they crazy? If they get £10 million in ransom, they'll have to jump through some really insane hoops to get that money laundered so the Scotland Yard, FBI, and whoever else can't find them. In fact, if they take that £10 million, it's almost guaranteed they'll be caught.

    But they've (supposedly) got thousands of credit card numbers! They could squeeze far more money out of those credit cards than £10 million, and if they did it carefully, it would be very difficult to catch them at it. Silly crackers...learn how to play the game before you start.

    --

  • Seems to conjure up the right sort of negative connotations.
  • As a recent victim of credit card fraud(from a "legit" company), I gotta say that this scares me a little. However, it is the price I pay for convenience. The time that I spent working out my last credit card fraud problem is nothing compared to the time I save by not having to stop for cash, not having to write a check, etc. The convenience of being able to whip out my card is nice. In addition, it's nice to be able to order things online/over the phone without having to mail them a check of some sort.

    However, I must ask - why now? We've seen two stories like this in the last week, and they both seem to have been planned for a while. Is there some sort of reason this is suddenly more prevalent?
  • Unfortunately, as long as companies keep storing customer's/client's valuable information in insecure places with insecure software, there will always be some cr/hacker that will find a way to nab it.
    Even more unfortunately, the media will skew and distort this to the point where the spoonfed masses won't see the real point (which is that better security is needed at these online companies). Such is life.

  • One of the few things that large corporations listen to is public embarassment. When people privately tell microsoft of a security flaw they've discovered, MS just sits on its hands until it gets leaked publicly.

    Vandalism is petty crime, and far more people are hurt by incompetent companies that don't find they have reason enough to care about the security levels they inflict upon their patrons. A pointy reckoning to them all!
  • Ungoed-Thomas has moderator access!!! :-)

    Stop that! Just the thought that JU-T might ever read our precious slashdot and use it as a source for future works of fiction is going to lose me some sleep tonight. :-)

    I'm going to chant over and over again, the moderator didn't read the article, and didn't understand who double-plus-ungoed is, and why all the higher moderated posts in this thread are all about the Times, JU-T, and...

    the AC
  • Interestingly, the UK government has laws going through, as I'm sure everybody knows, that would allow law enforcement to demand encryption keys from anyone without the need for judicial oversight or reasonable grounds, and also to then require you not to tell anyone. I'm sure the promulgation of stories like this one is supported by the agencies that stand to benefit.

    Wow! That is just plain evil. This means someone should start a campaign to get Linux boxes in the UK to use StegFS [cam.ac.uk]. StegFS (Steganographic File System) is an encrypted ext2 file system which allows for plausable deniability, i.e. you can give them the password to a lower encryption level and they will have no way to prove higher encryption levels exist, thus there is nothing they can do to make you give up you encrypted data (it also wipes unused blocks so none of this taking the disk to find shit you deleted).

    Now, the requiring you not to tell anyone is a seperate issue. I donno what to do about this. I suppose you could just tell people anyway.. maybe someone could run a web page which publishes lists of incedents where they have used this power? Is anyone tring to fight this?

    Jeff
  • TWINKLE [counterpane.com] - The Weizmann INstitute's Key Locating Engine

    You people need to learn about smartcards. Start at Schlumberger [slb.com] and Litronic [litronic.com] (they have a good intro [litronic.com] to smartcards.) and go from there. The people at ZeitControl [zeitcontrol.de] have this cool programmable card [basiccard.com] that you should look into.

  • It never fails fry my brain when I hear the indignation expressed by the technically clueless in response to tabloid -esque puffery [zdnet.com] like this. These are the same people who, after thier meal at Olive Garden, think nothing of handing thier card to an unknown person who disappears with it for five minutes. The same people who think nothing of pulling out thier cards and receiving cash at an ATM in a dark, empty parking lot at night. The same people who never even perceive the strangers jammed into the supermarket checkout lane behind them as they whip out thier card and pay for groceries.

    These people seem think that the idea that some 'evil haxor' may come along seeking your card number successfully is somehow more repugnant than knowing that management at Best Buy has reports listing the zillion or so numbers thier checkout computers recorded over the holidays just sitting around on desks all day.

    Anybody know how many lost Mars probes ZDNet helped recover today...?

    ======
    "Rex unto my cleeb, and thou shalt have everlasting blort." - Zorp 3:16


  • Gasp in awe as you watch Jack Straw, Home Secretary of the UK (ie, important government chap), find himself liable for two years imprisonment (if this law was to pass) because someone sent him an encrypted message that he can't decrypt.

    [an american sighs] Why is all the really useful legislation overseas? There are more than a few politicians I would rather gleefully remove via such a practical ordinance!

    :-)

    ======
    "Rex unto my cleeb, and thou shalt have everlasting blort." - Zorp 3:16

  • Should I appreciate the message they sent my by spray painting my wall with, "Your locks SUCK DOOD!!!"?

    Defacing a web-page is a little different. It's closer to putting a post-it note on the inside of your door saying "eY3 0wN u!" or something. Scary but not necessarily all that much work to clean up.
  • And don't forget the risk of an inside job, by greedy or disgruntled [ex-] employees, contractors and anybody else that has access. This might be a good argument against any one sysadmin knowing too much about the system, actually; if one compartmentalizes, this restricts the damage that any one person can do.

    I'm idly curious to see whether the Gartner Group's predictions about a backdoor-enabled heist by "Y2K" consultants were ever borne out...
  • Aren't the good people of Britain proud to have such a principled politician as Jack Straw, Home Minister, in the New Labour government?

    Some of his recent accomplishments include:
    1) allowing Colonel Pinochet, the Chilean dictator and alleged perpetrator of crimes against humanity, to escape justice on the grounds that he is too frail to face the hardships of a court trial. This decision is further to a private medical report on Pinochet's condition, which by its nature seems pretty difficult to challenge.

    What exactly about his mind/body is unable to sit through a trial? What are the odds of his staging a "miraculous" recovery upon arrival back to Chile, where he has immunity from prosecution?

    2) then there's the case of his letting Mike Tyson, former heavyweight champion boxer, rapist of a teenager and ear gourmet into Britain. The UK law says that aliens convicted of a crime that would carry a prison sentence of 12 months in Britain are denied entry, unless on extreme compassionate grounds. Compassion towards Tyson not towards the British businesses who had invested in the fight!

    3) there's the example of the alleged Nazi war criminal Konrad Kalejs who is accused of killing >30,000 civilians in Latvia during World War II. He was found living in a residential countryside home. Instead of prosecuting him, Straw allowed his deportation from the UK as he had *gasp* overstayed his 6 month visa.

    It makes me *so* proud to be a part of such an ethical government. *sob* I'm choking up here.

  • Well, acutally, VISA _DID_ inform those people whose accounts were affected. Or, at least, they informed their banks, and I happen to bank at a "good" bank (a credit union, actually), that in turn informed me. They cancelled my existing VISA card, and sent me a new one. They did say that the card number had been compromised at VISA, and that VISA had alerted them. At the time, I thought it odd that I had not heard of numbers being compromised at VISA, so I thought it must have been a small scale leak.

    SO, if you were not informed of the compromise either (1) your card was not affected or (2) your bank chose not to tell you. Door number 2 is a black eye for your bank, not VISA.

    Does VISA really have an obligation to tell the whole world that some of their numbers were compromised? IMHO, No. They do have an obligation to tell those people who were affected, and I think they did a good job there, at least in my case. Perhaps they chose not to tell the whole world because their investigation (along with whoever else) was on-going. Perhaps (more likely) they chose not to tell the whole world for fear of a mass canceling of VISA cards prior to Christmas. As long as the affected people were notified, which seems to have happend, I really don't think they screwed up here.

  • I don't believe anyone feels that the people taking the information are not guilty. Whats at issue here is the security the companies are using to prevent theft. If you leave your car alone, running out in a parking lot with the doors unlocked, someone will steal it. No one says the person doing it is not guilty, but it was also your fault for not providing good security.
  • Well, that 'trillions of dollars a year' is basically their throughput. Their gross income will be substantially less than that. (and their net income less than that, etc.)

    But the thing is, $10 million is big enough to be HUGE for the average band of thieves, but maybe small enough for Visa to consider paying instead of hunting for blood. If it was only $1 million, they almost definitely would have paid. If it were $100 million, then the crackers would be hunted to the ends of the earth.

    As it is, it sounds like they erred a bit too close to the $100 million mark. Too bad for them.

  • "The media has always said: "Be very careful using your credit cards online." That's good advice, but it should have been mentioned that you should be equally careful using it in a resaurant, over the phone, etc.."

    This is something I've been fighting with for a while. On the one hand, it's far easier to steal a credit card number in a restaurant or store than it is online. On the other hand, the persistence of information online makes it a more tempting target. You can dig and hack away at (for instance) the Visa site for ages, and if you're careful, not be noticed. If you're successful, you can get a lot more card numbers than in a month of working at a store, and less tracably.

    Given that, where are your numbers really safer? The answer is deep in your pocket, unused. Doesn't do a lot of good, does it? That's one of the reasons that the card companies put that $50 liability ceiling in place--to defray the (percieved) risks to the consumer, and encourage use of the cards. If you can prove that the number was stolen through no negligence on your part, then you can usually get that $50 waived.

    Media be damned. You are not directly at risk of the consequences of credit card theft. Security breaches and other expensive problems are reflected in the interest rates you pay on the cards. Use your cards in good conscience, keep tabs on your statements (to spot possible theft), and pay your bill off every month, and you'll be about as safe as possible.

  • Come on. QC will not be practical for at least a couple of decades; quantum decoherence and other interference effects will be very difficult to surmount as the number of qubits increases (search xxx.lanl.gov for the precise references). Normal computers, regardless of how small the process technology and architectural design, will never be able to brute force a 128-bit key. Period.

    Shamir's device is an advanced photoelectronic computer that performs the sieving phase of the NFS or MPQS factoring algorithms several orders of magnitude more cost-effective. However, the major obstacle is not the sieving phase, which is easily distributed, but rather the matrix reduction phase which must be done on a machine with immense ammounts of memory and low latency. Even with SGE and block Lancos methods, it's inconceivable that enough memory will ever be built to accomodate reducing the matrix from a 768-bit RSA key. The situation is even worse for discrete log systems by a couple orders of magnitude.
  • by sjames ( 1099 ) on Sunday January 16, 2000 @10:28AM (#1367682) Homepage Journal

    But this is relatively expensive and makes spending money harder, so isn't going to happen all that soon....

    It shouldn't be all that expensive when reduced fraud losses are considered. What is needed is a smart card and an electronic wallet more or less like the Mondex [mondex.com] wallet. The card would contain an encrypted signature key. The card owner enters password and total amount into the card through the wallet. Card then goes into slot in the POS terminal. The terminal gives the card a transaction record in plain text. The card compares the amount, and if it matches, signs the record and hands it back.

    When that signed record is submitted to the credit card company, there can be little doubt that the customer authorized the transaction. Since the secret key is itself passphrase encrypted, it is useless to anyone but the owner. Entering the passphrase on the wallet eliminates fraud at the POS terminal. A simple serial connection to the wallet (like that on a Palm) enables it to be used for internet transactions. Phone orders can be handled by the cardholder entering the merchant's info into the wallet and calling out the signature value OR by accoustic modem. Recurring charges could be set up by a customer using the card to sign an authorization which names the company, maximum charge/month and duration of the agreement. Early cancellation can be managed by the cardholder sending a cardsigned termination to the credit card company.

    Really, all of that is only slightly harder than calling out the credit card number (or handing it over to a clerk), and is many times more fraud proof. It would also aviod the annoyance of having to get a new card every few years.

    A side benefit of all of that is that semi-anonymous charges could be made. the cc company would still know all, but the retailer would not need to know anything about you at all.

    The system could be given even more value by making the same card/wallet capable of electronic cash and secure ATM transactions.

    The interim peroid could be handled by placing a standard magstrip and number on the new card so it can be used the old way. Hopefully, that period wouldn't last TOO long.

  • by jilles ( 20976 ) on Sunday January 16, 2000 @02:02PM (#1367683) Homepage
    As long as there is no standard we'll just have use our credit card. We have a standard for networking (TCP/IP), we have a few standards for mail (pop3, smtp, imap, etc.).

    While I agree that not every standard is as good as it could be, having a standard means that you've got something to work with. If a standard for exchanging money is not good enough the credit card companies have to pay for it. If their losing a lot of money they'll have to fix the standard or accept their loss. It isn't their customers problem.

    For that reason I'm not so afraid for bad standards. I can't stress this point enough: standardization is what made the industrial revolution happen. We'll need standardization on the internet too. Hell, the internet is all about standards. Bad standards are outcompeted (gopher) by other standards or fixed (IP).

    Right now there isn't any standard for something very obvious: exchanging money. The only thing you can do is exchange credit card numbers. It's not a technical problem it's standardization problem.

    Your post sounds very anarchistic. You're afraid of losing your freedom and you assume a central authority. I can't take away the first but the lack of the second thing is the whole problem. In a way the software community is way beyond the banking world in that they've recognized that it is more profitable to agree with your competitors than to compete with an incompatible 'standard' (recent example: internet messaging).
  • by jilles ( 20976 ) on Sunday January 16, 2000 @09:45AM (#1367684) Homepage
    I don't agree with you on this. Sure absolute security is difficult but it should at least be possible to get more or less the same level of security we had before the internet (which was adequate most of the time).

    For that to happen we need two things:
    1 - a global standard on how to exchange money. Such a standard would need to include encryption + a protocol to establish a secure connection + a protocol to exchange the money over the connection + a secure way to allow both sides to identify each other

    2 - Adequate laws to warrant the rights of both parties involved in a transaction similar to what applies to conventional ways of exchanging money and a more relaxed encryption policy of for instance the US government.

    The technology to do all this has been around for a couple of years and things like this newsitem will make it more likely that banks and credit card companies will actually make this happen.
  • I suppose if Taco and Hemos had posted this under a humour heading we would understand we should all laugh at it. But they are just re-posting drivel in the hopes of getting their failing andover stock to go up in price :-)

    The article is by one of the most ridiculed "journalists" in Britian, which puts him out in front of a large pile of pathetic scandal-mongers. JU-T has been pointed out to the /. community several times before as a creator of the worst lies about computing we have seen. His job is to create shocking headlines to try and sell a few more papers in an overcrowded market. His dishonoured name makes a regular appearance on www.ntk.net [ntk.net], I would suggest you go on over there and do a search on double-plus-ungoed.

    Some of the "stories" which only he has uncovered lately include one whereby his "highly placed source at the FBI" confirms that drug lords all over the world are hiring thousands of programmers to write software drugs, and then they can download them to cyber-junkies and make trillions of $$$ untraceably over the evil internet. Another story regurgatated the claim by a far right wing US research group that 70% of all material on the internet was hard-core pr0n.

    The reason you don't see any other newspaper cover these stories or run more truthful versions is that these articles are completely works of fiction, and even the other scandalsheets in Britian won't stoop low enough to answer the Times garbage.

    This story first broke last summer, when some kids tried to extort money from VISA. They were stupid, they even made the phone call from their home phone. Scotland Yard closed that case out without blinking. Now the Times pulls it up along with a few hints of other cases, but offers no facts or details, to prove to their readership the internet is a big evil thing which needs strong government regulation.

    I can see there are a few other /.ers laying this one open as well. Its amusing how most /.ers are blaming VISA security, when the real story is in tearing apart this piece of "journalism" as the fiction it is.

    the AC
  • by fpepin ( 61704 ) <fpepinNO@SPAMaei.ca> on Sunday January 16, 2000 @09:13AM (#1367686)
    From their point of view there's no reasons to tell it, you avoid the panic and anyway, you're going to pay for whatever happens so the public doesn't loose anything by not knowing.

    They stole corporate secrets and things like that, they didn't steal credit cart numbers, so this is more of an internal matter and all it does is make them seem incompetent, which I'm really not sure if it's true or not.

    Companies have the right to have a little privacy too, maybe not much, but enough that they don't need to tell the public if it doesn't effect it (and Visa would need to loose a lot more than 10 millions of pounds before the customers see a difference).
  • by Money__ ( 87045 ) on Sunday January 16, 2000 @08:37AM (#1367687)
    They were not designed to stop activeX but they do stop all Java (do not ask me to explain).
    ummm ok I realize you've asked not to be asked to explain this novel aproach to security, but I would like to point out (for the benifit of other readers) how un-informed this decision is. Java has a wonderfull security model and stays in it's own sandbox.

    ActiveX, on the other hand, is like a drunken super-model on crack. Sure, it's sexy, but you never know what it's going to do next.

    I would favor blocking the later, and letting through the former.
    _________________________

  • by Money__ ( 87045 ) on Sunday January 16, 2000 @09:25AM (#1367688)
    After many posters voiced concern over the reliability of "The Times UK", I took it upon myself to investigate some of their other headlines. First of all, we have the one being discussed here today:

    Hacker gang blackmails firms with stolen files
    £10m ransom demands sent out

    Along with the story we're discussing here, we have this little jem:
    Pollution set to rip giant hole in ozone layer
    More than half the ozone is likely to disappear by March, climatologists warn

    Rip a hole? March is 2.5 months away!

    Along with that little story, we have more "all the news that's fit to spit":
    Call girl fights Vat man's bill for £500,000
    Flesh-coloured stockings not claimable - but lacy ones might be

    Is this hard news? I think not.

    And this little tidbit about Mr. big lips:
    Do not arise Sir Mick Jagger
    Downing Street blocks planned honour because of errant ways

    looks like a gossip rag to me, but then again, I'll let you be the judge. [the-times.co.uk]
    _________________________

  • by Money__ ( 87045 ) on Sunday January 16, 2000 @08:06AM (#1367689)
    . . Visa confirmed last week that it had received a ransom demand last month, believed to have been for £10m.

    "We were hacked into in mid-July last year," said Russ Yarrow, a company spokesman. "They gained access to some corporate material and we informed both Scotland Yard and the FBI."

    Also . . "These are professionals and there is some evidence that suggests some of the activity was contracted and paid for," said a computer expert involved in the investigation.

    First of all, the initial Hack was way back in July? Shouldn't there be better disclosure on these matters? Keeping their customers uninformed is by far the worst offence here. Months and months passed before this was finaly disclosed, and in that time billions of dollars were at risk.

    Secondly, it would apear that they suspect a competitor (or someone with an interest in seeing them loose money) is behind the hack. Interesting, don't you think ??
    _________________________

  • by Money__ ( 87045 ) on Sunday January 16, 2000 @08:21AM (#1367690)
    1 port scanner: $25.
    1 cable modem: $200.
    Knowing you're bringing down the worlds largest financial transaction institution?: Priceless.
    _________________________
  • by swordgeek ( 112599 ) on Sunday January 16, 2000 @12:02PM (#1367691) Journal
    "One of the few things that large corporations listen to is public embarassment. When people privately tell microsoft of a security flaw they've discovered, MS just sits on its hands until it gets leaked publicly."

    True 'nuff. OK, how about a week grace period after the private mail, and then public disclosure on Bugtraq or the like? There are perfectly acceptable ways of letting the victim and the community know about security breaches, other than defacement. Let's be honest; How many crackers are going to say to themselves (regardless of what they say to the media), "I feel morally required to deface this page to illustrate serious security bugs that took me three weeks of work to discover." Now how many are going to say, "C00l! I br0k3 it! I AM 31LEET D00DZ!!!" (As an aside, I suspect that they really talk like that, even internally :-)

    In other words, the end (better security) doesn't justify the means (cracking and vandalism), especially when other equally effective means exist.

  • by swordgeek ( 112599 ) on Sunday January 16, 2000 @04:59PM (#1367692) Journal
    Like I said, "bring on the defenders...."

    OK, so what if they copied the file?! How about if I change my analogy to use water soluble paint instead?

    What, on the other hand, if the crackers decided to rootkit the system, then cp index.html to index.html.bak, so it _appeared_ to be a harmless prank?

    If a site has been compromised, the usual (and proper) course of action is to rebuild from trusted tapes. None of this affects the original point, though, which is this:

    Vandalism, regardless of the financial consequences, is still vandalism. Similarly, theft is still theft. Both cause harm, both destroy trust, and both break down open and free dialog.

  • by swordgeek ( 112599 ) on Sunday January 16, 2000 @10:48AM (#1367693) Journal
    While not all crackers are thieves, most are criminals in some form. The hotmail crackers you mention are vandals. If they want to be known as something other than criminals, then they could privately email Hotmail with the details of their security flaw. Even this would be in a grey area.

    Honestly, my apartment security sucks compared to, say, Intel's fab plants. Does that mean that I should thank thieves and vandals for breaking in, stealing my stereo, and destroying my records? Should I appreciate the message they sent my by spray painting my wall with, "Your locks SUCK DOOD!!!"?

    There's no reason we should accept that security less than NSA levels is an acceptable invitation to invasion, either physically or cybernetically. Criminal Trespass is indefensible no matter where it takes place.

  • by aliebrah ( 135162 ) <ali @ e b r a him.org> on Sunday January 16, 2000 @08:04AM (#1367694) Homepage
    We need to ask ourselves the usual questions:

    a) How reliable is this news source?
    b) What is the potential for harm to Visa customers?
    c) Have the hacker group(s) actually stolen credit card numbers, or gained access to some other part of the system?
    d) What can Visa do about it in terms of guaranteeing that IF card numbers have been stolen, that customers will not be liable for any charges made illegally (or is this already provided for)?

    Before we start to create mass hysteria and hype over this, we need to assess the actual potential for damage so that we do not let this get blown out of proportion.

    I mean taking a realistic view, Visa is going to be damn well careful to keep their data secure, this hack is most certainly not due to negligence on their part. They're probably working their asses of right now to fix it. IF card numbers have been stolen, Visa has to pay for illegal purchases - and you can be sure that they're making every effort to avoid this.
  • by sjames ( 1099 ) on Sunday January 16, 2000 @10:50AM (#1367695) Homepage Journal

    The sysadmins should have full access to everything, and know as much as possible, so that they can squash a bug if they find one, without delay.

    Not necessarily. For example, the sysadmin only needs to know where and how credit card numbers are stored, not the passphrase needed to decrypt them. Or the threat could be reduced by using a capabilities based system where most admin duties are performed with only a subset of root capabilities. Full root could require a valid login from two sysadmins. That wouldn't preclude insider fraud, but it would be less likely and harder to get away with.

  • ... is the author. Jon Ungoed-Thomas has managed to embarrass himself several times in the past, once by e-mailing Earth First! pretending to be an anti-corporation activist called "Jo", trying to provoke them into letting him in on something illegal. He sent the e-mail from the address jonathan.ungoed-thomas@sunday-times.co.uk!

    More details at NTK [ntk.net] - search for "Ungoed".
    Gerv
  • by Hobbex ( 41473 ) on Sunday January 16, 2000 @08:53AM (#1367697)
    I think the next thing we need a word for, after "benchcrafting", is "hacksationalism" (or maybe "cracksationalism" before people flame me) to cover all these media stories trying to spread panic about cracks amounting to nothing.

    I can't be bothered to look it up now, but I'm almost convinced that The Times has featured a number of stories like this before, all of which indeed did lead to end of civilisation as we knew it (or maybe not...)

    So what about this one, well:

    "The group is using very sophisticated techniques and has been exchanging information via e-mail and internet chat," said an investigator.

    Wow, malicous hackers that can use email and IRC! They have got to be a dangerous threat!

    It is understood the hackers stole computer "source codes" that are critical to programming, and threatened to crash the entire system.

    Now that is good journalism! Don't bother explaining that "code" has two meanings in computers, and that the "source code" has nothing to do with accessing the site (unless it was broken to begin with, but...) But then we do know how expensive it is when a hacker gets your source code, look at poor Sun who had to recode Solaris from scratch after Mitnick looked at its source (what? Didn't they? They must have since they claimed the entire cost of it in damages.)

    Also, in both this and the CDUniverse case, the hackers are (apparently) trying extortion as a way of making money off their cracks. Extortion is a really, really, really, bad way of committing crimes without getting caught. Unless you happen to have serious underworld money laundering connections, you are going to get caught when you try to get your hands on the money - for sure. If these guys think they can walk a way with a suitcase of "100 thousand quid in unmarked twenties" they have watched too many movies.

    -
    We cannot reason ourselves out of our basic irrationality. All we can do is learn the art of being irrational in a reasonable way.
  • by konstant ( 63560 ) on Sunday January 16, 2000 @08:22AM (#1367698)
    Unfortunately, as long as companies keep storing customer's/client's valuable information in insecure places with insecure software, there will always be some cr/hacker that will find a way to nab it.
    Even more unfortunately, the media will skew and distort this to the point where the spoonfed masses won't see the real point (which is that better security is needed at these online companies). Such is life.


    DEFENDANT: Your honor, I only killed that man to demonstrate how extremely poor most people are at self defense! Consider it an act of charity to society at large.

    JUDGE: I never saw it that way! I will enroll in a Tai Jitsu Kata class immediately! Case dismissed!!!!

    ---

    ATTORNEY: And so you see ladies and gentlemen of the jury, my client did not rob the bank as an act of theft per se, but rather as valiant display of public zeal! How many of you slept easy last night entrusting your money to the poorly secured bank vaults of the neo-syndicalist dogs at First National Savings?!!?!

    JURY FOREMAN: This man is a hero! I am going to stuff my money into my mattress forthwith! Down with the WTO! Case dismissed!!!!

    ---

    JUDGE: For your crimes against society, I hereby sentence you to hang by the neck until dead!

    DEFENDANT: But your honor, by poisoning the water supply of the local KiddieCare Nuture Center, I indicated strikingly the need for higher quality water filtration. And by ransoming the life of 2 year old Phiddeas Quilch (whom I knew already to be dead) I displayed the ironic certainty that a society designed around monetary transactions is inherently debased with greed and treachery!

    JUDGE: You are a wonderful person!!! Thank you!!! Cased dismissed!!!

    -konstant
    Yes! We are all individuals! I'm not!
  • by kojak ( 84203 ) on Sunday January 16, 2000 @08:08AM (#1367699) Homepage
    The Times was, a very long time ago, the paper of the elite in the UK. Then Murdoch bought it and took it downmarket in the search for sales after its traditional userbase migrated to the Telegraph / FT / Independent / Guardian.

    Hence they're a bit clueless now. This story has been going for a few days in the UK, but no details are apparent, no arrests have been made, no evidence shown. I'm sure somebody has made some threats, but then there's always somebody out there who'll make threats.

    Interestingly, the UK government has laws going through, as I'm sure everybody knows, that would allow law enforcement to demand encryption keys from anyone without the need for judicial oversight or reasonable grounds, and also to then require you not to tell anyone. I'm sure the promulgation of stories like this one is supported by the agencies that stand to benefit.
  • by aphor ( 99965 ) on Sunday January 16, 2000 @09:18AM (#1367700) Journal
    You seem to be oblivious to the distributed dead-man switch of internet data release/publication.

    I die. I forget to log into any one of many "magic" accounts out there, or something. A script in several places on the net times out, and lets the cat out of the bag on Usenet.

    ask for *WAY* more than it would take to kill you professionally. *WE* of technologically endowed brain, beyond good and evil are the masters here.
  • by swordgeek ( 112599 ) on Sunday January 16, 2000 @08:17AM (#1367701) Journal
    Well if past records are anything to go on, any second now someone will post here about how we should be thanking the crackers for forcing the companies to get their acts together. This will come despite the fact that the crackers are thieves, blackmailers, and dealers (of illegally obtained information).

    I wonder how culpable Visa really is in this. I suspect that they had good solid security in place, and that the criminals broke in through some actual code bugs. (i.e. some new buffer overflow, rather than something like poor/no password selection)

    I'm not sure what to make of the fact that Visa didn't tell the public, though. That's a bit disturbing.

Ever notice that even the busiest people are never too busy to tell you just how busy they are?

Working...