VIDEO: Boston Police hits back at Anonymous with sarcasm


Is it possible to fight Anonymous?

The movement is proud of saying that an idea can't be arrested or killed, but it seems like the Boston Police Department has thought of one way of fighting back: sarcasm.

A week ago, the BPDNews.com website, which provides news about the Boston police and crime in the area, was hacked by Anonymous. The hackers replaced the home page of the site with a message and a video of American rapper KRS-One performing his song "Sound of Da Police".

Hacked Boston police website

After almost a week of downtime, Boston Police have managed to bring their website back up - and have proven they have got a sense of humour by making a video about the hack.

With straight faces, police officers explain how they were in Dunkin' Donuts when they first heard about the hack, and how they are struggling to make sense of a world without access to BPDNews.com:

As one officer explains, "My reaction was, 'Why would anybody want to destroy a perfectly good KRS-One song?'"


35 Responses to VIDEO: Boston Police hits back at Anonymous with sarcasm

  1. JohnC says:

    Although I'm no fan of the U.S. Government's jaundiced view of the rest of the World, I have to ask:

    WHY... attack a community website that is there to help people?

    And the repairs to the BPDNews website, with KRS-One in the background, is just sublime.

    • hacktivate says:

      Help People? DID YOU NOT SEE THE BEATINGS AND PEPPER SPRAY? How do the police "help" people? Name one instance where calling police makes anything better. Usually, they arrive after the fact, despite what is portrayed on TV. The only tool they have is arrest. If all you have is a hammer, everything looks like a nail.

  2. Markus Stumpf says:

    Of course one can debate about hacking websites and defacing them.
    But then we should also debate about websites being hacked, integrated in bot nets, abused for malware spread and phishing for weeks, because without being defaced admins don't notice or don't care.

    Why would the police not take care of their website? Why would they hand it over to criminals and let them abuse it? Why do they run a website with staff that obviously cannot protect it and risk that others get harmed by it?

    Obligatory car comparison:
    If someone has a car with defective brakes and the police notice, he'll get a fine and is no longer allowed to drive that car until it is fixed, because he poses a risk to others. If someone else notices and slaps a sticker "defective brakes" on the windshield, for others to notice and to protect, everybody would applaud.

    If someone slaps such a sticker on a website they are criminals.

    The "sarcasm" of those police officers is just ignorant bigotry.

    • Lateral says:

      So I take it that I have your permission - should I ever see your front door unlocked, or if I can work out how to pick the lock, or if I can get in by breaking a window - to spray paint a message about how your house isn't secure enough all over the inside of your windows so your neighbours can see?

      Of course I started by saying "I take it I have your permission" but that was just me being nice. I can see from your response that you don't care if I have your permission and I should just do it anyway.

      That is what you meant right?

      L.

      • Markus Stumpf says:

        You don't get it.

        If I don't lock my home I am the only one that takes damage. My neighbors aren't harmed if *I* don't lock my door, neither are other people.

        If you don't lock your webserver/host and criminals break in, they can abuse it. They can make it the source of scanning other sites for vulnerabilities, the source of a DDoS attack against other sites, they can use it as a command server, they can host phishing pages and try to steal other people's banking information and money and they can modify the existing data to harm the website owner and the visitors/customers.

        With a public service website of the police they can even modify already present information to harm other people instead of helping them. It's from the police, it has to be correct, right?
        They did neither. They posted in big fat letters "this site is not secure, be careful".

        I have notified sysadmins for years about hacked servers that were not defaced. They give a shit in 90% of all cases. It takes days and weeks until they fix it.

        So they shouldn't have forced the police to shut down the server and give criminals more time to find and abuse the server as to their likes and rob people by stealing their bank account and credit card information or get the user database of the community or provide wrong information to those seeking help from the police?

        That is what you meant right?

        • A. Waggoner says:

          The ends don't really justify the means; I doubt it would be hard to notify the police/sysadmin about the weak security.

          They would get the point across in the same time too. Heck, probably less time.

        • T.Anne says:

          But if you don't lock your doors and I break in I may go checking other houses to see if they're vulnerable too... or I may put yours on fire to make a point of how insecure it was which puts all the houses around yours in danger as well...

          My point is - It's how you address the vulnerability that matters.

          If a cop gives you a ticket because your brakes have an issue it's to protect you and others. If I break into your house because you've left the door open - leaving a note or locking the door for you with a reminder "please lock your doors" is also protecting you, your stuff, your family, and potentially others.

          If I hack a website - I should report it to the appropriate people so that action can be taken to correct it, making the site more vulnerable or putting its information and its customers'/clients' information for all to see online is NOT making ANYONE more secure. It's hurting innocent people.

        • T.Anne says:

          Yes, I know - not everyone/every business/every site takes as much care with other people's information as they should... but two wrongs DO NOT MAKE A RIGHT. If it's reported and nothing is done, keep reporting it higher up the food chain. There are people who care - it's their business... and if the fact that their brand may be in damage isn't enough - the impact to their wallets will be. But there are other ways to get people to listen without putting innocent people in the middle.

          I understand this particular hack didn't really put innocent people at harm - but I'm referring to your comments of how the insecure website could've.

        • Lateral says:

          So if I can think of any way that gaining illegal entry to anyone's house can be used to harm somebody other than that house's owner then I'm OK to vandalise your house and blame you. Cool.

          L.

        • Markus Stumpf says:

          @T.Anne
          So how about Google safe search included in Browsers like Firefox and Chrome.
          If there is a vulnerability detected they block access to that site telling the user that the site is dangerous.
          They are not however notifying the sysadmin (at least not that I have heard of).

          About the fire: websites are scanned automatically for common security flaws by black hats. Even my small private server alone is hit by scans like 50 times a day. It is not like those criminals choose one and try to hack it by hand. 10000s of webservers are compromised each day like that and are abused. Black hats like webservers as they have high speed internet connections and a fixed IP address (unlike most computers at home).

          My point was that the cops being "sarcastic" just shows that they have no idea what is going on beyond the surface of the Internet and how those criminals work.

          Even if people here think so, I am not defending Anonymous. But just blaming the hackers in that case is IMHO wrong.

          A hackable unsecure webserver isn't just an "ooops".

        • T.Anne says:

          Perhaps "just blaming the hackers" is wrong - it is a two way street, but that does not justify the hackers' behavior either...

          1. The hackers are at fault because they chose to commit the crime
          2. Whoever manages the site MAY be at fault IF they did not adhere to at least the basic / generally accepted standard of security. IF they were negligent - yes, there is also fault there. But IF they did at least the minimum they're required to do - legally they cannot be held responsible.

          Now yes, I believe many sites should be held to higher security standards than they are, and I do not believe just doing the bare minimum should be acceptable - but those standards were put in place and there is always going to be someone happy with just doing what is required and nothing more. And sadly - depending on the type of site, it may not have any requirements.

          Was the cops' response appropriate? That can be debated. Was the crime any less of a crime because of how they responded? No. You cannot negate the responsibility of the hackers regardless of if those responsible for the site failed in their responsibilities of security or met their internal and any legal requirements.

        • Markus Stumpf says:

          @Lateral
          Was it illegal? I don't know too much about US law with that regard.
          Did they vandalize? Did they delete all data? Did they steal anything? As far as I could see they just put a sign up. That's not exactly vandalized.

          And despite the direction you are trying to push me, I was not defending Anonymous. I was attacking the police for ridiculing the fact that a hackable insecure webserver is a threat to each and everyone on the net.

        • Unauthorised access to a computer system is a crime in the USA, and many other countries.

        • Markus Stumpf says:

          @Graham

          Thanks.

          Wasn't sure, as IMHO some countries only see this as a crime if you modify/delete/steal existing data and IIRC there was a case where a judge ruled a defacing not as a crime, as they had just moved the "normal" home page aside, keeping it unmodified. However they lost later in a civil lawsuit about the damages to the brand.

        • VFAC says:

          Most places that have Computer crime legislation have a particular clause that defines intentional unauthorized access as a criminal act. There have been a few cases in which the letter of the law was used to wriggle out of a charge such as where unauthorized access of a router wasn't prosecutable because the law defined a computer too narrowly.

          Most of that has been, or is being sorted out now.

          We have a good list of Cybercrime legislation if you want to read up :-)
          http://cybercrimeforum.org/LMS/home/subpage/Laws....

    • Melanie Reed says:

      Really, Markus?! Then you have some bad experiences with webmasters. Come hire me! Monitoring security is a part of proper web mastery.

  3. HugaCopToday says:

    I didn't really notice much sarcasm. Is "I was at Dunkin' Donuts" sarcastic? Ironic, maybe. Satire, possibly. The only DD still in business in my town is across the street from the public safety building. Just sayin'.

  4. Mike says:

    The video is hilarious. I only wish they had put a little more effort into it. Anonymous probably have primarily good intentions, albeit an idiotic and immature logic for the end justifying the means. Good for BPD in showing Anonymous the figurative finger.

    Not to be outdone, the comment above is hilarious as well. Comparing an insecure website to a car without brakes... The childish logic on the part of Anonymous pales in comparison to Markus' asinine comparison.

    • Markus Stumpf says:

      I'm really curious if you would still think it is asinine, if someone had modified the "sex offenders" page they have on BPDNews.com to list your name and address. Or just put some photo of you with your name on the "most wanted" list they have.

      Or how about they use it to just blow the webserver of your company out of the net for like a week with a DDoS?

      • A. Waggoner says:

        I don't think I'd be blaming the compromised server for anon blowing a "webserver out of the net for a week". Seems pretty clear who to blame then.

        • Markus Stumpf says:

          First read up on botnets please.
          Then read about Distributed Denial Of Service Attacks please.

          Here is a research paper on the spread of Asprox bots by attacking insecure webservers.

          Seems pretty clear who is helping the criminals spread viruses and spam and do credit card fraud by phishing credit card information with fraud websites.

        • A. Waggoner says:

          botnets aren't generally from willing participants.

          I'm quite aware of what both are.

          I also understand you're wanting to put the blame on people who have 'hackable webservers'.

          It's a fact of life that there will be insecure websites, through zero day vulnerabilities, bad practices, humans doing what they aren't supposed to for the sake of convenience, or some internal setup done from an employee.

          Some things that happen are genuine accidents, some aren't.
          Besides. You don't even know how it was attacked. What was their vulnerability? Were they phished? Do we solely put the blame on the person who gave out the password? Or the entire company for hiring the person?

        • Markus Stumpf says:

          It isn't about who is to blame.
          It is about the police ridiculing the fact that their website was hacked (even if they call it sarcasm).

          This is my entire point from the beginning (sorry if this wasn't clear).
          A hacked website is no funny thing.

          Btw. yesterday they hit on the website http://www.asmaalassad.com, the name of Asma al-Assad, the wife of the Syrian dictator. They put an ironic message on it about how she fully supports her man torturing and killing people written in first person form. Nobody seemed to think this is condemnable. Why?

      • Anonymous says:

        Do you even hear yourself? So you are saying that it's ok to break the law just for law's sake? Just because you left your door unlocked and were vandalized and robbed, that's ok because it was your fault and only you got hurt by it. But if you had a gun in the house and they stole it and killed someone with it, then you should be put in jail because it was your fault, right? and the person who robbed you and killed someone with your gun, should be able to even brag about it to the world, and tell everyone that they will continue to kill people with your gun, until you secure it, but that's right, you can't secure it because you're in jail. I suggest you put on your dunce cap, go sit in the corner and shut up, because you're disrupting the rest of the world with stupid nonsense.

        • Markus Stumpf says:

          Where exactly did I say it is ok to break the law? Who was vandalized and robbed?

          Ah now we have the gun topic. In most countries, if you have a gun you have to take additional precautions to protect the gun from abuse/theft because a gun imposes a large security risk (aka their life) for others.

          A hackable, insecure webserver is a massive threat and security risk for others. And I repeat myself even once more: it will be integrated in botnets, it will be used for sending out spam and viruses, it will be used to set up rogue web servers to phish credit card information (and thus rob people) and it can be used in DDoS (distributed denial of service attacks) to blow other sites from the Internet (and thus used with blackmail for not doing it).
          This happens on the Internet every day a few thousands of times.

          See Cost of Cyber Crime
          The damage of cybercrime in 2010 is estimated about $1 trillion globally.

          Most of the hacked webservers are hackable because the admin don't do software and security upgrades on a regular basis.
          Do you think they are guiltless?
          Don't you think sysadmins should have to take special precautions to prevent their web servers being abused just like gun owners have to?

          Do you think it is ok for the police to try to make fun of the fact that they (or their admins) - potentially - contributed by *not* securing their web server?

        • A. Waggoner says:

          Where's your stats on:
          "Most of the hacked webservers are hackable because the admin don't do software and security upgrades on a regular basis."

          I don't like your gun argument. Say you put your gun in a lockbox and secure it. That's good right? So now suppose a family friend is in the house who knows how to pick your tumbler lock on the box. He/She steals the gun and commits a robbery; are you at fault?

        • Markus Stumpf says:

          http://www.cisco.com/warp/public/778/security/vul...
          Citing: 21.8% of the vulnerabilities identified were associated with Web service (TCP port 80). Today, nearly all companies require a Web presence. However, securely managing a Web server requires some diligence. Most of the vulnerabilities we identified were associated with older, outdated Web server configurations or applications that had been added to the Web server with inherent vulnerabilities. Most of these vulnerabilities can be resolved with a little research and some diligence on the part of administrative staff.

          Why do you allow the family friend access to the lockbox that contains your weapon? I guess we both agree that there is no such thing as "total security". But you can have reasonable precautions. Putting a gun in a lockbox is one, doing security updates to a web server is another.

          And if your friend stole your gun and committed a crime, would you be "sarcastic" about how meaningless this is to you? Or would you rather be shocked and apologize?

  5. The_J says:

    Win for the police :D *lol*.
    Not epic, but quite good.

  6. Amused Observer says:

    Markus Stumpf, So by your logic, when a man beats his wife, it's her fault because she's not sufficiently capable of defending herself. Speaking of ignorant bigotry.........

    • Markus Stumpf says:

      This may be your "logic" but it is not mine and it is in no way related to what I have written.

      Go trolling somewhere else.

    • Matt says:

      That made no sense. Websites aren't people, defacing them might annoy people but it isn't doing harm to anyone.

      Dude's point is that the hackers pointed out serious security flaws in a way hard to miss, when instead they could have been sneaky and done far more damage.

  7. Emjay says:

    LOL

    Luv the Fuzz.

  8. Lex says:

    rolmao..I cannot believe people in America still believe that the Police services are doing their work? They deliberately let crime and criminals run amok, so they can introduce new laws and legal acts of congress, to take away the rights of the ordinary citizen.
    BPDNews ? that is a name for police services indoctrination of the moronic.
    As has been seen on Internet feeds from all over the world, the modern Police service in any country, is run by corporate masters, and the police are there foremost to shut down dissenters, secondly enforce what is now called legal authority, and thirdly and most importantly, to raise revenue for their corporate Masters.
    For anyone to try and disrupt their official police indoctrination is a damned hero.

  9. Akshay says:

    They are using IE8???

  10. JustMe says:

    Who's the first people you call if there's a crime against you or your family home etc etc?

    The Police.

    :)


About the author

Graham Cluley has worked in the computer security industry for more than 20 years, developing anti-virus software and doing quite a lot of talking about internet threats. He's won awards for his blogging, but is proudest of the text adventure games he wrote when he was still wearing short trousers. You can learn more about those (the games, not the trousers) at grahamcluley.com. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.