A San Francisco-based team has just won the DARPA Shredder Challenge. DARPA, the government agency whose work led to the creation of the Internet, challenged the public to reconstruct five shredded documents. The winning team, called “All Your Shreds Are Belong to U.S.” completed the task in 33 days, spending nearly 600 man-hours building algorithms and piecing together more than 10,000 shreds.

9,000 teams registered to compete. The winning teams gets a $50,000 prize paid for by the U.S. Treasury.

Dan Kaufman, director, DARPA Information Innovation Office says “the most effective approaches were not purely computational or crowd-sourced, but used a combination blended with some clever detective work.”

DARPA Director Regina Dugan adds “The DARPA Shredder Challenge underscores the value of increasing the number and diversity of problem solvers. The varied methods used have potential implications for so-called ‘wicked problems,’ generally considered insolvable by conventional means, and offer the possibility of increased speed, agility and breadth in innovation.” I’ll say.

The shredder challenge also suggests just because you shred something, that doesn’t mean it can’t be put back together.

You can see the puzzle solutions and pictures of the winning submissions at www.shredderchallenge.com.

Update: Here’s a look at the winning teams solution to the puzzle above:

Remember when Google was hacked by Chinese spies about 18 months ago? Well, that just scratched the surface of some of the more serious and persistent hacking operations over the past few years. In a detailed blog post that is both eye-opening and a brilliant piece of marketing, McAfee’s VP of Threat Research Dmitri Alperovitch lays out the details of Operation Shady RAT (Remote Access Tool), an ongoing series of computer system intrusions that began as far back as 2006 and compromised 72 organizations, including the United Nations, the International Olympic Committee, the World Anti-Doping Agency, U.S. defense contractors, U.S. federal and state government agencies, a national security think tank, tech companies, and “even an unfortunate computer security firm” (presumably a McAfee competitor).

The scope of the attacks makes things like the recent Sony Playstation or News Corp hacks look like child’s play. The targets point to a “state actor,” possibly China (the McAfee post does not identify which state actor it suspects, but China does have a history here).

Alperovitch writes quite alarmingly:

I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact. In fact, I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.

. . . What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth — closely guarded national secrets (including from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, SCADA configurations, design schematics and much more has “fallen off the truck” of numerous, mostly Western companies and disappeared in the ever-growing electronic archives of dogged adversaries.

McAfee learned all of these details by gaining control of a “Command & Control” server directing the exploits. Operation Shady RAT resulted in the long-term harvesting of sensitive information from government agencies, companies, and international organizations. Alperovitch explains how it worked:

The compromises themselves were standard procedure for these types of targeted intrusions: a spear-phishing email containing an exploit is sent to an individual with the right level of access at the company, and the exploit when opened on an unpatched system will trigger a download of the implant malware. That malware will execute and initiate a backdoor communication channel to the Command & Control web server and interpret the instructions encoded in the hidden comments embedded in the webpage code. This will be quickly followed by live intruders jumping on to the infected machine and proceeding to quickly escalate privileges and move laterally within the organization to establish new persistent footholds via additional compromised machines running implant malware, as well as targeting for quick exfiltration the key data they came for.

Are you feeling scared and vulnerable yet? Well, I’m sure McAfee will sell your company a security monitoring service that will make you feel safer. But will you really be any safer if state-sponsored hackers want to gain access to your files? They could be climbing in your windows right now.

Since Sony’s PlayStation and music networks went down two days ago, there has been a fair amount of public speculation over the cause of the outage. (Largely due to Sony’s tight-lipped handling of public relations.) Many blamed vengeful gremlins loose in Sony’s server clusters and datacenters, while others immediately pointed the finger at Anonymous, the merry band of hackers that metastasized out of 4chan.

Thankfully, after 24+ hours of communication silence, Sony has updated its blog and ended the speculation. According to the electronics colossus, “an external intrusion” is responsible for the ongoing outages of the PlayStation Network and Qriocity. (It probably sounded like this at Sony headquarters. Or this.)

As to who these nefarious “intruders” are: It seems that Sony does not yet know who is responsible for the breach, or if it does, it is instead smartly spending its time sealing areas of vulnerability and trying to get the network back up and running. And though reports of PlayStation’s outage began heating up early Thursday morning, Sony reports that it in fact self-defensively shut down the Network sometime Wednesday evening.

According to the network’s blog, “An external intrusion on our system has affected our PlayStation Network and Qriocity services. In order to conduct a thorough investigation and to verify the smooth and secure operation of our network services going forward, we turned off PlayStation Network & Qriocity services on the evening of Wednesday, April 20th. Providing quality entertainment services to our customers and partners is our utmost priority. We are doing all we can to resolve this situation quickly, and we once again thank you for your patience. We will continue to update you promptly as we have additional information to share.”

So, when I said Sony has ended all speculation, I was really only half-correct. Sony is still not naming the party responsible for the breach, so the speculation will likely continue. (Can you hear the blogosphere cheering?) Anonymous has prior beef with Sony and has attacked the company before, so it’s not surprising many blamed them for the service disruption. (You can read more about Anon’s prior grievances with Sony in yesterday’s post.)

However, AnonOps (Anonymous Operations), the group’s mouthpiece and network through which members frequently communicate, has adamantly stated via its news wing that it was not responsible for the outage. Though, it seems that this particular announcement was made prior to Sony delivering the news that the problem was in fact due to hacking. So, Anonymous pointing to Sony’s incompetence as the cause of the outages is off base. Sort of.

More likely, as Anonymous makes mention of in the announcement, the hack was perpetrated by some offshoot of the group, which is either more angry at Sony than the majority, or is more eager to get its precious “lulz”. (While I have to admit that I sometimes find myself sympathetic to some of Anonymous’ philosophical stances, it’s hard not to use words like “fundamentalist” when referring to “factions” within the group, and draw structural comparisons between black hatters and terrorists. There are obviously important distinctions here, and line-blurring, but there it is.) Or, on the other hand, we might soon be learning of an as-yet-unknown hacker entity that is making a run at Anonymous for public notoriety. Gulp.

The PlayStation Network currently has over 70 million users and is Sony’s online medium for its PlayStation 3 and PlayStation Portable consoles. Both the Network, and Sony’s Qriocity music service were targeted. As stated previously, in its most recent blog post, Network spokespeople make no mention of how long the outage will continue, but it’s likely that it may take several more days to sort out. And this is after Sony posted yesterday saying that the outage may last for a “full day or two” — and after Amazon’s web and cloud services suffered from their own major outage.

At this point, the outage has lasted for over 48 hours and has become quite a disaster for Sony. (Or a “kerfuffle”, if you prefer a softer word.) Now, if this were in fact the result of denial-of-service attacks, it’s hard to place the blame entirely on Sony. Few networks can defend against large-scale DDoS attacks, which is, sadly, the point. That being said, the company has known since Wednesday night that there was an intrusion, so I find it odd that it would wait for two days to inform its users — and remove a post from its EU blog early Thursday saying that the outage is a result of “targeted behaviour by an outside party”.

All in all, the company’s public relations strategy is, at the least, very confusing. While it’s true that millions of gamers are being inconvenienced and are being forced offline, sure, it’s certainly not the end of the world. But, both for the sake of the company — and its users — a higher frequency of communication and level of transparency has to be achieved. In today’s world, a company can’t allow its official Twitter streams (@Playstation has nearly 800K followers) to go without an update for 24 hours. Especially when 70 million people are affected.

So, for everyone’s sake, I hope the Network can get up and running before this turns into the longest widespread network outage (due to hacking) in recent memory. If it isn’t already.

We will update this post over the weekend as we learn more. Stay tuned.

UPDATE: Sony said in a message posted at around 8pm Saturday that the network remains down due to the fact that company is “re-building our system to further strengthen our network infrastructure”. I imagine rebuilding its entire network is going to take some time, but in the long run, it’s probably best to do this all at once, even if it takes several more days.

UPDATE 2: As of 1pm Monday, the outage continues. Today’s update from the PlayStation blog offers a whole lotta nothin’. There is still no word about when the Network will be back up and running. Could be tomorrow, could be next week. From Sr. Director, Corporate Communications Patrick Seybold, “I know you are waiting for additional information on when PlayStation Network and Qriocity services will be online. Unfortunately, I don’t have an update or timeframe to share at this point in time”.

NetQin has denied the accusation and chalks up the nasty talk to an upset competitor.

All major Chinese carriers have blocked NetQin from selling their app on their app stores and they can no longer charge users ransom. The company recently filed for an IPO on the NYSE.

UPDATE – Here is NetQin’s response:

NetQin Mobile Inc. has strong ethical standards and abides by all applicable industry rules and regulations. The allegations waged against us are entirely false.

NetQin stands behind the quality of all its products and we are diligent in our work to ensure that all NetQin mobile apps are safe and secure. In fact, we welcome any independent 3rd party to evaluate and audit our products, as we are confident they will be found to be safe, secure and of high quality.

via Cellular News

This is just the first part in Torrone’s long rant against the company. Here’s his opener, an inspiring jeremiad against Sony’s long-departed power and modern failures.

This week I’m going to switch gears a little and declare an enemy for all makers, hackers, and innovators — it’s in a very different space: the consumer electronics industry. And who is this slayer of progress? Sony.

If you’re over the age of 25 you likely have a long history with Sony. They were the company we all had something from. If you only had $20, Sony had the best $20 headphones. If you have $500, again, Sony usually had the best. From their world-changing Walkman to a Sony Trinitron monitor, Sony has been part of our lives in one way or another for decades.

In this article, we’ll explore Sony’s long history of going after legitimate innovation, hobbyists, and competition. Sony, we’ve been keeping score. We’re tired of you picking on people who want to program their robot dogs to dance. We’re tired of you suing people who want to run their own software on something they bought. Sony has made so many mistakes with technology choices (Memory Stick, Magic Gate, UMD!), perhaps they’ll end themselves soon enough, but we’d like to think there’s at least someone there would wants to avoid Sony spending its last days sending DMCAs to anyone who tweets “46DCEAD317FE45D80923EB97E4956410D4CDB2C2″.

I couldn’t find one location that documented Sony’s all-out war on makers, hackers, and innovators, so I started my own (and it isn’t pretty). The talented artists, designers, and engineers who work at Sony deserve better, and their customers deserve better. Don’t worry, I’m not just going to spank Sony. I’m going to give Sony some ideas to right this ship and also let them know it’s time to reconsider suing George “geohot” Hotz, the Playstation 3 hacker Sony is dragging to court for unlocking his PS3 to run his own software on it.

Read more…

Chinese hackers are at it again. This time they went after five multinational oil and gas companies and got some very sensitive information including bidding contracts, proprietary industrial processes and other financial documents. The attack is being called “Night Dragon” by Dmitri Alperovitch, McAfee’s vice president for threat research. Alperovitch said that, “It speaks to quite a sad state of our critical infrastructure security.” He also added, “These were not sophisticated attacks, yet they were very successful in achieving their goals.” McAfee was able to trace the origin on the attack to Beijing IP addresses and a server located in the Shandong Province. I don’t think anyone here is crying over this virtual kidnapping. “That information is tremendously sensitive and would be worth a huge amount of money to competitors,” said Alperovitch. If the companies were smart, they’d figure out a way to pay a ransom and get their stuff back. If the criminals were smart, they’d run and hide run and hide.

This, ladies and gentlemen, is good clean fun for everyone. It’s a video, yes, and one that shows what could be the world’s worst hacker attempting to create a little mischief. This is genuinely worth the click-through, trust me.

What’s going on is that someone, known only to the outside world as the world’s worst hacker, had tried to break into a honeypot, with hilarious results.

A honeypot, of course, is a computer that’s used to “detect, deflect, or in some manner counteract attempts at unauthorized use of information systems.” You connect a completely vulnerable computer to the Internet in order to study how “hackers” try to exploit security vulnerabilities. It goes back to the old days of spies and counter-spies, where honeypots or honeytraps were usually attractive women whose entire raison d’être was to catch unsuspecting agents and steal information from them while their defenses were down. A fine example can be found in the movie Munich.

Help Mozilla squash a bug, earn some money. Nothing wrong with that, right? The organization that brought us Firefox has expanded its program that pays people between $500 and $,300 for finding and reporting glitches in its software. The program originally only applied to Mozilla’s applications, like Firefox and Thunderbird, but now applies to its various online sites, like getpersonas.com and addons.mozilla.org.

The aim of the newly expanded program is to help secure the rest of the members of the Mozilla family.

Security researchers (who are the real hackers, by the way; push-button script kiddies are not hackers) are to be on the lookout for things like cross-site scripting (XSS) and injection that could cause the Mozilla Organization headaches down the road.

The most troublesome thing I learned by talking with a who’s who of our nation’s security community was that our government doesn’t believe it has the ability to defend us from the rapidly evolving threats. Yes, the National Security Agency and some branches of government have brilliant computer scientists working for them and can defend their own systems; but the rest of us are on our own. The Government simply can’t innovate fast enough to keep pace with the pervasive threats and dynamics of the internet or Silicon Valley’s rapidly changing technologies. Indeed, as George Hoyem, a partner at the CIA-backed venture fund In-Q-Tel, noted, there has been a 571 percent growth in malware since 2006; today, 60 percent of all websites are infected.

The experts agreed that we need private industry to step in and help solve the world’s cyber-security problems.  But we can’t count on the big companies—they can’t innovate as fast as startups can.  So our entrepreneurs need to lead the charge. And many are doing just that.  Robert Ackerman, managing director at Allegiance Capital, said that in 1981 more than 70 percent of research and development in security technology was done by companies with 25,000 employees or more, and less than 5 percent was done by companies with fewer than 1000 employees. Today, the large companies perform 38% of the R&D, and companies with fewer than 1000 employees do about 25%.

But here’s the big obstacle: when it comes to Government—which is one of the biggest markets for security technologies, the deck is stacked against the entrepreneur. Nearly all big government contracts go to large contractors. These contracts run not in the millions of dollars, but in billions.  And we don’t get billions of dollars of value—if we’re lucky, we get some clunky old systems that entrepreneurs could have delivered much better versions of in a fraction of the time and a tiny fraction of the cost. Because these contracts are so big, they require many levels of approval—usually by Congress. It typically takes 3-4 years for government to award these.  Companies have to go through a grueling “certification” process to get approved to bid, and it costs millions of dollars to prepare proposals and to lobby government officials and political leaders. Startups can’t wait this long or afford the cost of bidding.

The chasm between government and entrepreneur couldn’t be wider. All of the government officials I talked to were open to change and seemed eager to embrace new technologies; yet they had no idea where to start or how to get around their own bureaucracy.

Silicon Valley and Washington, D.C., are located three thousand miles apart in space and light years apart in concept. Technology managers in government don’t know where to find the entrepreneurs who are ready and able to build innovative solutions.  And when they do come across them, they don’t have mechanisms to fund, support, or purchase technology from startups. So government managers are forced to deal only with the big contractors—who have a greater incentive to add staff (and so increase billing) than to cut costs through innovation. Not only are we wasting billions of dollars, but our nation’s defense industrial base is neglecting the vast majority of innovation from early stage and emerging growth companies.

What should the government do to remove the obstacles? There were some great ideas discussed, by people like Curtis Carlson, CEO of SRI International; Dean DeBiase, of Reboot Partners; Asheem Chandna of Greylock Partners; and SINET’s founder Robert Rodriguez:

1.      Overhaul the acquisition and procurement process to level the playing field for small companies: it must be made easier for startups to bid for government contracts and the selection criteria balanced to weigh equally the risk of technology obsolescence with the risk of a startup’s failing. Procurement times should be reduced to months rather than years; some projects should be done in smaller steps so that the big guys aren’t the only ones qualified to complete them.

2.      Increase awareness between technology buyers, builders, investors, and researchers. The SINET event was billed as the first of its kind. In Silicon Valley, such networking events—between entrepreneurs, investors, buyers, and academics—take place at least every week. Why not bring government technologists to Silicon Valley and other tech centers on a frequent basis? They will understand what is happening in the tech world, and entrepreneurs will get the chance to learn what problems need to be solved and to meet the people they can sell their solutions to.

3.      Provide tax incentives for security innovations—R&D tax breaks, similar to the high-efficiency-energy tax breaks for consumers.

4.      Provide seed funding for startups. One of the reasons for which Silicon Valley has so many Web 2.0-type startups, is that successful entrepreneurs, who have made their fortunes, are playing the role of Angel and VC. They provide funding and mentorship. Why not provide government technology managers with the ability to fund and mentor the startups that they believe can solve critical problems?

One more great idea (not from SINET, but reported by Rob Pegoraro, of The Washington Post) is from Internet pioneer Vint Cerf. Vint advocates the creation of a “cyber fire department”—a recognized, trusted, public entity that companies can call upon when they need help. This would function as Sandia National Laboratories did in battling the Conficker worm.

Bottom line: until changes begin to occur on a national scale, U.S. cyber-security will remain a global backwater in the continually innovating domain that is cyberspace.

Editor’s note: Guest writer Vivek Wadhwa is an entrepreneur turned academic. He is a Visiting Scholar at UC-Berkeley, Senior Research Associate at Harvard Law School and Director of Research at the Center for Entrepreneurship and Research Commercialization at Duke University. You can follow him on Twitter at @vwadhwa and find his research at www.wadhwa.com.

Now here’s a delightful story. A gentleman in Austin, Texas was laid off from his job as a car mechanic. The thing is, he was “pretty good with computers.” So, in order to get petty revenge on his former employers, he used a system to remotely disable more than 100 cars. Fun!

The man, one Omar Ramos-Lopez, 20, didn’t take kindly to behind laid off. Hey, it’s tough out there, so I can understand that he’d be upset. The shop where he worked used a system that can be used to remotely disable the ignition system or cause the horn to honk uncontrollably. (It can’t be used to disable an already on car.) So, activate the system!

And he did, causing the cars to either not start or, more hilariously, honk until the battery was removed.

The system used a Web interface to remotely control the cars. Its original, non-prank intention was to kindly remind people to make their car payments.

Police were able to trace the “attacks” to Ramos-Lopez by examining the site’s logs. The logs pointed right to his IP address.

You’d think he’d at least run the attacks through a proxy server or whatever…

From now on, any story about “hackers” or “hacking” will be accompanied by a link to the song “Halcyon And On And On,” as made famous by the movie Hackers. With that in mind: who made more money last year, Wall Street fat-cats or hackers? The U.S. FDIC says that online scams cost businesses $25 million last year. These scams include phishing and other associated nonsense, which you really ought to be smart to nowadays.

The most common way for people to be bilked out of their money is that they’re tricked into giving away the bank account info. You get an e-mail from “Citybank” that says something is wrong with your account, or that it needs to be “verified” or whatever. So you put your info in, and now some punk kid in St. Peterberg or Kazan has your bank info. Have fun dealing with that!

I’ve said it at least 80 million times in the past year: do not go around giving your info to anybody. Nobody!

Here’s some troubling news for my fellow World of Warcraft players. It seems that hackers, account thieves, and other miscreants have now embraced man-in-the-middle (MITM) attacks to further their evil ways. Blizzard says it’s not a widespread issue, and it’s rather difficult to pull off, but it’s something y’all should be aware of.

The deal is that WoW hackers are able to infect your PC—this is a PC-only problem, mind you, so Mac players can more or less ignore all of this—with a bit of malware that’s then able to initiate the MITM attack. The purpose of this is to intercept your login name, password, and authenticator number so that they can log into your account. Once online, they can do whatever it is you’d be able to do inside the game world: sell items, mail gold to other players, etc. They cannot, it should be noted, delete your actual account or anything like that. Still, it’s potentially devastating, selling all your epics for fast gold, then turning around and selling that gold for real money to someone else.

MITM attacks aren’t new or anything. There’s plenty of programs out there can initiate them rather easily, letting people intercept passwords, instant messages, you name it. They work in that they sit in between your PC and the server you’re trying to connect to. So, if you’re playing WoW, instead of your username and password and authenticator number going directly to Blizzard’s servers, they first go to the hacker’s rogue server, which then passes the info onto your intended server, capturing the information in the process. It’s essentially invisible to you, the end-user, which is why the attacks are so dangerous.

Blizzard has already identified the piece of malware that initiates the MITM attack, so be on the lookout for emcor.dll. Be sure to keep your anti-virus software up to date.

One final bit: the odds of you being a victim of such an attack are quite low, if only because it requires so much work for the hacker to pull off; you’d have to be hacked a the very moment he wants to break into your account, and that’s something that simply doesn’t happen. Rather, your account will be compromised on, say, Monday, but it won’t be until the following Saturday that the hacker actually access your account. And again, the worst thing that could happen with this kind of attack would be for someone to sell off your character’s items and gold, then, for good measure, delete your character—your actual account cannot be tampered with. That may be a distinction without meaning, yes.

So yeah, just be sure to keep your anti-virus software up to date, and keep your wits about you. Stay away from the shady parts of the Internet!

via wow.com

More news from that China hacking deal. Investigators have tracked the attacks that befell Google and other victims to two schools in China, one of which has ties to the Chinese military. Whether or not this was an officially sanctioned series of attacks, or merely a couple of comp-sci students testing out their skills, clearly nobody knows. That’s the beauty of these hacks: there’s not a chance in hell there’s going to be a “smoking gun,” giving the hosts of The Today Show a three minute segment on Chinese hacking.

The schools are the Shanghai Jiaotong University and Lanxiang Vocational School. It’s the latter that has ties to the Chinese military, initially set up to train future computer scientists.

Of course, people will see that connection and be all, “You see! The Chinese government knew all along about these hacks!”

I don’t know, I think it’d be silly to assume that all the big countries in the world don’t have dedicated teams who snoop around each other’s computers. Why wouldn’t they? There’s so little chance of these attacks being tracker to one, singular source.

I operate under the assumption that both the U.S. and China are actively going back and forth on the Interwebs. I’m cool with that.

There’s a guy named Kevin Mitnick who, once upon a time, was public enemy number one when it came to computer crime. Mitnick has turned over a new leaf and is now a computer crime consultant and, apparently, his disloyalty to the script-kiddie credo has made him a target for hackers.

These hackers are attacking Mitnick’s account with relative impunity and posting his account info almost daily. As a result, his webhost and AT&T have knocked him off their networks. As Kevin notes:

“They can’t seem to secure my account,” Mitnick told The Register. “And then instead of doing something about it, they try to kill the messenger and want to boot me off their network when all I want them to do is to secure my account so no one gets access to my phone records.”

One would assume that Mitnick has some fairly good protection put up around his private information and it’s clear that AT&T is the semi-truck-sized hole in his armor. If hackers can get Kevin Mitnick’s information while AT&T sits blithely by and eventually decides rather than fixing the problem they oust him, then I can only imagine that our information is probably in boxes in front of a AT&T store in Scranton with the words “PRIVATE CUSTOMER INFORMATION DO NOT DISPOSE” written on them.

UPDATE – AT&T responds:

We investigated Mr. Mitnick’s claims and determined they were without any foundation. We refused Mr. Mitnick’s demands for money, but did offer to let him out of his contractual obligations so that he could find a carrier that he would be comfortable with.

Here’s a fun story. Police in Australia thought they were being mighty clever when they took over an “underground hacking forum.” (The forum is r00t-y0u.org, though it seems to be down right now.) One of the hackers on the forum then retaliated by breaking into police computers using a simple SQL injection. Security fail.

The police computer that the hacker broke into was supposed to be a honeypot, something put there so police could “trick” the hackers into exposing themselves. Unfortunately for the police, the PC ran Windows, and the hacker was able to rock a SQL injection. The police “left the MYSQL password blank.” Smart.

Of course, the police say that no “real” data was compromised in the hack.

The lesson is, of course, not to mess with script kiddies and their message boards. Or, maybe, to at least set a password every once in a while.

One mule was dumbfounded at her luck. A job in this economy!

The first person I spoke with, a 34 year-old woman from Miami, had been editing texts e-mailed to her by Fairlove representatives for a couple of weeks. Shortly after she inquired about when she would be paid for her work, she received an e-mail asking if she’d be interested in a position as a “local agent,” for the company. The Fairlove representative who contacted her via e-mail said something about how the company often had trouble getting money to its clients overseas as quickly as they needed it, and desperately needed help speeding up that process (at least they were honest on that claim). A description of the local agent job position, as sent to this woman, is available here.

The hackers were essentially able to take over the police departments bank accounts simply by tunneling through their treasury PC to the bank’s website.

Listen, folks: this is a series of lucky breaks for these guys assisted by a treasury official who quite clearly trusted his or her bank more than they should have. The sheer fact that they were able to take complete control of the department’s computer as well as take over their bank account online is an indictment of the fools at the bank, not the prowess of the hackers.

The maturity of a certain segment of the pro-Pirate Bay brigade continues to impress. In the wake of last week’s guilty verdict, people had taken to the streets in Sweden. Fair enough, that’s not hurting anyone, and protest is a time-honored way to register one’s disgust with a government or institution or whatever. But now? Yeah, now hashmob-organized DDoS attacks are being orchestrated against the International Federation of the Phonographic Industry. Good idea, guys!

The attacks, thus far, have been organized by a group of hackers on the AnonNet IRC network. A channel admin told TorrentFreak:

They [the hackers] seem to be doing it to demonstrate to the record industry that the Internet is our domain and they can keep the fuck out of our business or face the consequences. They [the IFPI] represent most of the record companies, therefore attacking them represents an attack on all of the people who try to stop websites like The Pirate Bay without really understanding what they are really about.”

Again, on what planet is this the rational course of action? Who sits their at their desk and thinks, “Damn, this trial is years away from being concluded, but let’s go ahead and tear apart the server of the other side. That’ll win people to our cause!”? It’s ludicrous.

I understand that these guys are upset, but they’re only doing themselves a disservice by acting out like this. What’s to stop the IFPI or whatever other organization from saying, “See, this is what happens. We received a legal judgement in our favor (one that will be appealed till we’re all tired of the story), and then these guys attack us. What are we supposed to do?”

Well? What are they supposed to do? At the very least let the legal proceedings play out before freaking out, guys.

Or, to put it in dumb message board lingo, you’re doing it wrong.

via Foreign Policy’s Net Effect

Internet security experts, and the people who pretend to be them, often only track hacks and the like when there’s money or personal information involved. You know, stolen credit card numbers, eBay phishing scams, etc. That’s all well and good—“I just want to make sure my money is safe!”—but a study detailing a sample of last year’s Internet hacks, and found that 24 percent of them had nothing at all to do with stealing money or personal information, but were rather carried out for no reason other than to deface and disrupt . Or, as Ars Technica so artfully put it, sometimes hackers just hate you. Or, as Nicholas Deleon will put it, sometimes hackers are just big stupid heads.

This shocking revelation comes to us by way of the Web Hacking Incident Database’s annual report, 2008 edition. Yes, there are incidents where “hackers” are looking to steal your personal information, but there are plenty of incidents where no money or personal information is at risk. Rather, there are times when people are just looking to be jerks: defacing Web sites for the “fun” of it, or to advance a political point (see: Russia/Georgia from last year; when that CNN guy called the Chinese government a bunch of thugs, etc.). People with the wherewithal and time to wreak havoc, just because they can.

As far as the research goes, all these silly acts of Web vandalism, or even “hacktivism,” give IT folk another opportunity to secure their servers and so forth, so it’s not a total wash.

What a day! While Apple was busy announcing, relatively speaking, nothing at MacWorld, 4Chan, the bad boys of the Internet, went ahead and hacked MacRumors’ live coverage of the show; Twitter freaked out, which is to be expected. Hardly confusing wrechedness.

It is, however, another high profile “hack,” following Facebook’s and Twitter’s own problems with phishing in recent days. (How people still fall for phishing, I don’t know.) That said, I can’t help but think that many of my fellow Apple watchers went overboard with their reaction to the hack.

Shortly after the keynote began, vandalism started to appear in MacRumors’ commentary. It was mainly childish nonsense—I can understand how people might think the Steve Jobs lines were insensitive, though—that, while annoying, isn’t worth losing any sleep over. (This comment on MacRumor’s message board made me laugh: “The folks who hacked in are straight up losers who have nothing better to do with their pathetic lives.” Casting stones, I see! What is so noble, then, about reading a live stream of a series of product announcements?)

The only people that should be upset is the MacRumors crew, primarily because MacWorld, one would think, is their biggest day of the year; Lord knows their advertisers won’t be too thrilled to learn that the site was so terribly insecure, and have subsequently been associated with this tomfoolery. But for everyone else, the people who reacted as if the sun suddenly ran out of helium hydrogen, chill out. (Edit: I should be tarred and feathered; maybe we’ll make a contest out of it.) You were briefly, marginally inconvenienced; you had to wait a few more minutes, or visit another site, to learn that iWork now lets you share documents, for a fee.

In summary: calm down, friends.

Dear school administrators,

What’s the best way to ensure that your computer network remains riddled with security vulnerabilities that leave you, your personnel and [someone think of the] schoolchildren in danger? Why, to demonize the student who discovered the vulnerability and alerted you to it, of course. Have him charged with a felony while you’re at it.

A student in a Saratoga County (New York) school alerted his principal to a computer security vulnerability that could expose the names, social security numbers and addresses of school employees. While the student tried to do it anonymously, he was eventually tracked down. Then the school threw the book at him.

The student is now being charged with three felonies for his unauthorized use of the computer network. The best is this quote from a state trooper:

The kid committed an intentional criminal act. He deceitfully used someone else’s name and password so he would not get caught and was looking to profit from his criminal act.

The only thing we can take away from this is, even if you discover a security vulnerability, it’s completely in your best interest to keep it to yourself, otherwise you’ll be branded a criminal terrorist when you were merely trying to do a good deed. Or, if you insist on doing the right then, use Wikileaks.