FBI targets companies that hire hackers to protect them against hackers


#1

[Permalink]


#2

Another example of three-letter agency meta-fuckery :angry:


#3

The jargon for this is called, “Active Response” , and I doubt a general counsel in any financial org hasn’t had this conversation. The most common is basically doxxing a suspect, but different ways of DoSing have floated around (that’s a nice bgp peering table you have, be a shame if anything were to happen to it…)


#4

I don’t get what Valerie Plame has to do with all of this.


#5

BTW, protip here: if you ever need to defend your network against an individual, send them an official Cease and Desist letter (preferably through the mail). This knocks off the activity 99% of the time, even with l33t haxors. It proves you know who they are, where they are, and are willing to escalate. But it only costs you a less than a dollar.


#6

Yup, place an envelope in the mail and wait several days for it to be delivered. Meanwhile, you are being attacked… More of a just the tip than a pro tip.


#7

Don’t knock it till you try it. As a root-cause fix it is waay more effective than more sandvine/Cisco/RSA gear.


#8

There’s little indication, though, that military and intelligence agencies have used their most powerful tools to shut down attacks on businesses…

That’s what we used to call a foreign policy failure.


#9

Works as intended. Won’t fix.

Vigilanteism is just as illegal online as it is offline.


#10

A lot of the core problem is that we have a widespread delusion about the actual nature of security and defense and how to achieve them.

I blame the NSA. But then, I also blame the NSA for the 3rd Hobbit movie…

IT Security is infatuated by attack. It seems we all secretly want to be attackers. Almost all training focuses on learning attack as a prelude to learning how to defend. But then, for most, the training stops. We are left to assume there is a way we can attack our way out of our problems.

Attack focuses on short term objectives. When immersed in the dance of attack and react, you lose sight of your long term objectives. Focusing on Attack gives all initiative to the attacker. Being driven by attack causes you to accept the attackers agenda and forget about your own. If you base your defense on attack, you doom yourself to a lonely battle against insurmountable odds. I love anime. But, almost all of it teaches that any problem can be solved with a big enough punch. It is like that bit in Pacific Rim where they decide to eliminate Giant Monsters by building Giant Monsters and punching Giant Monsters. There HAS to be a better way.

Our biggest problem is we are not taught the real meaning of security. We are taught attack. But attack is not security. We are taught checklists, but checklists are not security.

And, the skills required to effectively defend are very different from the skills learned by attack. Attack can inform defense, but that is the limit of it’s contribution. You have to refine new skills to maintain an effective defense.

The beginning of security and defense is to create community. Attack can be sharp and pointy. Defense must be deep and broad. The more people involved in Defense, the better. They must agree on purpose. They must be a community.

  • The first and most important layer of defense is to engage and motivate the community.
  • The second critical layer of defense is to create, prioritize and maintain clearly articulated and agreed on community goals.
  • The third critical layer of defense is to defend the goals against substitution, dilution or distraction. Only here at the 3rd layer do you begin to consider the lessons learned from attack.
Security is most commonly attacked when somebody convinces you to adopt goals that are not in your best interests. Being able to break security on demand is the holy grail of modern marketing.

#11

Sure, because people who know they are engaging in activity of dubious legality are likely to be impressed by what a court thinks of it.


#12

Hey, I am not talking theoretical here. And the success rate surprised me as well.

–edit–

My hypothesis is the emotional impact of receiving a physical object acknowledging their identity and location causes the attacker to deprioritize the entity that sent the letter. But that is only a guess as to why the strategy works as well as it does.

Phone calls are also surprisingly effective. And the positive sides of these techniques (as opposed to calling your local FBI field office) is you give the attacker the chance to back off without ruining their chance at a career.


#13

That, and there’s always the option of a tearoom chat and swapping war stories with “an enemy”.

Like in so many wars, enemies are usually just potential friends whom the fate assigned to wrong sides. (Edit: keep this in mind whenever somebody peddles that us-vs-them crap.)


#14

This topic was automatically closed after 5 days. New replies are no longer allowed.