
posted by cmn32480 on Wednesday December 28 2016, @05:31PM
from the blatantly-obvious-is-hard-to-comprehend dept.

John Arquilla at ACM writes:

What a pity that senior leaders in the American government and intelligence community have decided to play political football with the alleged Russian hacks of John Podesta's and other Democrats' emails. By using these intrusions to gin up fears about the "integrity" of the electoral process—which is already befouled by the focus on finding and spreading dirt on the opposition—the real story is being neglected. And what is that real story? It is that, despite more than two decades of consistent public warnings that have reached the highest levels of government, cybersecurity throughout much of the world is in a shameful state of unpreparedness.

Take the United States, for example. Since the mid-1990s, there have been approximately 200 cybersecurity bills brought before Congress. Only one has passed, quite recently at that, and it only calls for voluntary information-sharing about cyber incidents. Legislation aside, there have also been several government-sponsored commissions and top-level exercises focused on understanding and illuminating the cyber threat. Each of these has signaled that "the red light is flashing;" that is, American cybersecurity is in very poor shape. Indeed, former cyber czar Richard Clarke and Robert Knake, in their book, Cyber War, list the U.S. as having the poorest cyber defenses among the leading developed countries.

TL;DR: The lesson(s) are: we must improve defenses, better use of strong encryption, and don't wait for government policy to protect you.

Previously:
Obama Orders Sweeping Review of International Hacking Tied to U.S. Elections
How Hackers Broke into John Podesta and Colin Powell's Gmail Accounts

  • (Score: 2) by VLM on Wednesday December 28 2016, @07:33PM

    by VLM (445) on Wednesday December 28 2016, @07:33PM (#446809)

    TL;DR: The lesson(s) are: we must improve defenses, better use of strong encryption, and don't wait for government policy to protect you.

    Kinda. The first is useless. If you make something idiot proof God will make a better idiot. It's one of the few things I truly believe on faith. Podesta got social engineered, or at least that's the current cover story. "Yo buddy I R the IT dept & could U gimme ur password to fix ur account" and the dumbass did it. Or it's the cover story for "I've had enough of Hillary's bullshit, let's flush this turd and blame the Russians and I'll tell everyone I dun clicked me this darn hacking link all accidental like." I mean look what they did to Seth Richard or whatever his name is; at least getting Russian hacked means Podesta hasn't washed up dead... yet. Speaking of that, when's the last time anyone saw him alive? The D party plays for keepsies you know.

    The second lesson is useless. I can F with server configs like /etc/ssh/sshd_config to only allow AES256 flavors and none of that 128 or 192 bit crap all day long, but as long as the world is full of idiots willing to mail or text ~/.ssh/id_rsa or git commit it and push it to github, or see lesson 1 above, it's all a waste of time. Remember a couple years ago when it was "fun" to search github for AWS keys and then mine bitcoin for "free" on those keys? Well I never did that, but I can assure you the solution isn't making AWS keys twice as long or using a sneakier algo, because you'll just have idiots git commit'ing longer commits.

    The third lesson is tolerably good but smacks of buying yourself your own gun instead of supporting gun control and hoping the cops save you. The R mindset people don't need to be told to be responsible for themselves; the D mindset people see being told to be responsible for themselves as extremely triggering and problematic and check your privilege shitlord because self responsibility is only for fucking white males now let me retreat to my safe place and knead playdough until I feel less triggered, so again it's mostly a waste of time.

    I guess a better set of lessons would be

    1) Don't be a two faced cheating hateful racist anti-white liar criminal scumbag crook; then if your private stuff is made public you might look like an idiot, we all look stupid once in a while, but at least you won't look like a wanna be criminal. Like, no one should have nud3z published without their permission, but the only thing that looks worse in public than ur sausage getting a suntan is trying to hide it from public view in, for example, a child's butt. The easiest way not to BE SEEN as a criminal piece of shit is to not BE a criminal piece of shit. Good luck Democratic party, you got a lot of cleaning up to do, just sayin.

    2) You don't own digital stuff, corporations and governments and other people do. Don't write creepypasta about how much you love "CheezePizza", if you know what they meant, and how you're gonna rig debates with the news media, and all the other criminal or questionable stuff they wrote, unless you don't mind the whole world reading it on the front page.

    3) Don't trust everything you see online, such as helpful IT personnel merely requiring your password. Just because the mafia would never do a criminal act against you because sharks have each other's backs doesn't mean a random script on a powned windows box in the 3rd world won't randomly target you. Jimmy the sledgehammer isn't gonna shake you down for protection money because you're friends with his boss's boss's boss, but some random skript kiddie in the Ukraine has no idea, nor does he care, nor does he have any control over his botnet's random attacks.

    Computers being a tool to amplify the actions of their owners, if you're an idiot criminal, all using a computer will do is help you flame out faster, more publicly, and more punishingly. Frankly I don't mind that very much and it's fun to watch and I hope more of it happens. That is the true lesson.

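The comment's second point, that cipher strength in sshd_config is wasted once ~/.ssh/id_rsa or an AWS key gets committed and pushed, is a detection problem on the defender's side. As an added example (not code from the thread, from SoylentNews, or from any project named here), the Python below is a small pre-commit style scanner that flags the two leak shapes described: AWS access key IDs with their adjacent secret, and PEM private-key headers. The staged-file contents are constructed for the demo; the AWS values are the placeholder pair from AWS's own documentation, not live credentials, and the "aws ... secret/key" hint requirement is a design choice made here to keep SHA-1 hashes from tripping the 40-character secret pattern.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# AWS access key IDs: 4-char prefix (AKIA long-term, ASIA temporary) plus
# 16 uppercase alphanumerics. Cheap to match and rarely a false alarm.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")

# AWS secret access keys are 40 base64-style characters. A bare 40-char
# pattern would also hit SHA-1 hex digests, so require an "aws ... secret/key"
# hint shortly before the value (assumption made for this example).
AWS_SECRET = re.compile(
    r"(?i)aws.{0,20}?(?:secret|key).{0,20}?[=:'\"\s]"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# PEM header used by OpenSSH, RSA, EC and PKCS#8 private keys
# (~/.ssh/id_rsa and friends); the "OPENSSH " / "RSA " label is optional.
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str


CHECKS = (
    ("aws-access-key-id", AWS_KEY_ID),
    ("aws-secret-access-key", AWS_SECRET),
    ("private-key", PEM_PRIVATE_KEY),
)


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per (line, pattern) hit in a file's contents."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in CHECKS:
            if pattern.search(line):
                findings.append(Finding(path, line_no, kind))
    return findings


def should_block_commit(staged: dict[str, str]) -> list[Finding]:
    """Scan every staged file; a non-empty result means refuse the commit."""
    findings: list[Finding] = []
    for path, text in staged.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed staged-file contents for the demo. The AWS values are the
# placeholder pair from AWS's documentation, not real credentials; the
# lock-file line shows a 40-char SHA-1 that must NOT be reported.
STAGED = {
    "deploy/config.py": (
        "REGION = 'us-east-1'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUA\n",
    "package-lock.json": '"integrity": "sha1-2fd4e1c67a2d28fced849ee1bb76e7391b93eb12"\n',
}

if __name__ == "__main__":
    hits = should_block_commit(STAGED)
    for hit in hits:
        print(f"{hit.path}:{hit.line_no}: {hit.kind}")
    # Non-zero exit is what a git pre-commit hook uses to reject the commit.
    raise SystemExit(1 if hits else 0)
```

Wired into `.git/hooks/pre-commit` with the staged file contents fed in from `git show :path`, the script rejects the commit before the key ever reaches a remote; it catches the careless push the comment complains about, while the sshd cipher list does nothing for that failure mode.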
  • (Score: 0) by Anonymous Coward on Wednesday December 28 2016, @08:15PM

    by Anonymous Coward on Wednesday December 28 2016, @08:15PM (#446836)

    I like cheese pizza. It's my favorite. :(

    Why does loli have to haet pizza? :(((

  • (Score: 1) by daver!west!fmc on Wednesday December 28 2016, @11:08PM

    by daver!west!fmc (1391) on Wednesday December 28 2016, @11:08PM (#446885)

    Either I'm too trusting of stuff I read online, or John Podesta was spearphished with a "change your password (but first enter your current password)" e-mail (made easier either because he was using a personal Gmail account for DNC work, or because the DNC had outsourced e-mail to Google, e.g. democrats.org), asked a DNC IT staffer to confirm whether it was legitimate, and the IT staffer (being at the end of his day and tired) correctly identified it as not legitimate but mistakenly replied that it was legitimate.

    Likewise, other DNC intrusions (administrator-level access to computers on their network) were made possible through other DNC staff being phished.

    Now, maybe this is the cover story, but is it good cover? What it says is that the humans were the weakest links, and they got socially engineered (phished) to give up their passwords. It certainly does not exceed my willing suspension of disbelief.

    And someone leaked a bunch of DNC e-mail. A friend of Wikileaks met with a cut-out to get that data, and the cut-out told him that it was an insider leak, and he has related that meeting to a news reporter.

    As I wrote, perhaps I am too trusting of what I read online. All of the above is my understanding from reading admittedly mainstream news media articles (e.g. the New York Times) for statements of fact. You will note I am not making the same leaps these articles often do to Russian action; my reading is that when these leaps are reported and I can trace them to a source that source is either CrowdStrike (who was brought in by the DNC) or one or another national security establishment, and they're based on some notion of what was done being like what a couple Russian organizations do.