While I found the article on your personal thoughts and opinions about the recent LulzSec activity interesting, I can’t quite entirely agree. Is it bad that people’s information got dumped? Sure. Did I find it funny? Somewhat (blame my upbringing on the Internet for that one). Did the attacks get us talking about security again? Yes. Should organizations be doing more to secure their infrastructure and applications in the first place? Absolutely. Was all of this LulzSec’s true intention? Who the hell knows.
All of that aside, the one comment from your posting which I believe is way off is:
“When you attack someone for fun, all you do is contribute to the picture some execs have of security pros as young punks who care more about notoriety than about helping them secure their infrastructure”.
Really? You sincerely believe an executive is sitting in their office right now going, “Hell, I better get down to IT and watch those young punk security folks we hired, they may be up to no good or hacking stuff for notoriety”? Or do you think it is more likely they are sitting there saying, “Damn, we aren’t paying enough attention to them when they bring up issues with our security. How do we make it better?” I’d like to think it is the latter; at least that is what the little practical guy inside my head and real-world experience are telling me.
Since the internet is “free” and I’m open to sharing, here are my thoughts:
1. The attacks shed light on the fact that we are, as a whole, fairly insecure even in 2011. We’d like to think that is not the case but the sad reality is that it is true.
2. We’d like to think we just learned about security and are behind because of our late entry into the game, but that is definitely not the case. We’ve been at this since NT4, and RACF before that.
3. Secure application development (oxymoron) has a long way to go. Does anyone else find it ironic that we can’t even say injection anymore and that it has to be shortened to SQLi because we say it so much?
4. These attacks have been going on without our knowledge for some time, by LulzSec or others who don’t have a Twitter account with witty sayings and posts. At least LulzSec released the files so everyone could see what was accessed, which saves a ton of time on the initial incident response from my perspective.
5. How many people does China have dedicated to infosec warfare again? Last time I checked I didn’t see any tweets from them telling me my data was available via torrents.
6. The media will report on anything as “fact”, true facts will be determined later. Must. publish. first.
So, we can write them off as “a bunch of punk kids”…or, we can take a lesson and move on. I pick option number 9000, I mean 2.