
I'd be blaming the company more than those releasing it. If these guys can how are you to know if someone hasn't come across the db silently? At least this way there is some warning.


You're kidding, right? The people releasing it are presumably the ones who stole it in the first place. In a bank robbery, do you blame the manufacturer of the safe that was cracked? Or home invasions on the alarm system that failed to catch the thieves? No, the perpetrators of the crime are at fault.

Even if I agreed with you on who was at fault here (which I clearly don't), do you think any significant number of victims of this leak will honestly blame Stratfor more than they blame the hackers behind the attack? If not, the point I made above still stands: Anonymous has alienated anyone who has ever paid for a Stratfor membership. Which is quite a diverse, and likely intelligent, group of people.


To continue using your metaphor of a real world safe:

I also blame the manufacturer of the safe because the safe was not as secure as they claimed and because it's not like securing things correctly is an unsolved problem or even just np-hard.

information can be stolen more than once, and if it can be stolen by these people, then you can damn well bet that it can be stolen by people who might not want to let you know that they took the information. how long has that data been sitting there unsecured? how many times has that data been stolen through unauthorized access? is it even reasonable to ask to be able to run a pen test against anyone who wants my information, so that i can actually know my data is secure?


Let's try to find some common ground here:

First: If you use a Master Lock (heh or an old pen-hackable Kryptonite lock) on your Bank Vault, obviously you are at fault. Doesn't matter what kind of world you want to live in, you need to secure your wares adequately.

Second: It's a dick move of these guys to release all this info. They are hacktivists, or so they claim. (If they wanted to profit off this they'd sell the hacked db to Russians and not release the data) People like MLK and Gandhi also pissed off a lot of people. For example by sitting at white lunch counters, getting spit on, etc. Sorry, that's the idea behind civil disobedience / hacktivism / etc.

Third: this has been stated before, but how do you not know that this database wasn't already cracked 2 years ago by malevolent forces who've been using it for evil, but not telling you about it?

I think it's safe to say Stratfor probably wasn't using a Master Lock, but clearly they didn't do enough pen testing or whatever it would've taken for them to more securely lock down their shit.

(Thought experiment: if a YC company got owned, do you think pg would blame the thieves, for their smash & grab kind of job? Or the coders who left a gaping security hole / social engineering attack vector open?)


common ground found.

not sure what pg would say, but for me (if i were in his shoes) it would depend entirely upon what/how the company was owned. there's a big difference between, say, a hacker exploiting a hole in a well-vetted, well-known encryption api and a hacker exploiting a hole in an encryption api that you rolled yourself.


This is ludicrous. That's like blaming the rape victim for wearing alluring clothing going to a club, but not carrying a gun and learning martial arts to defend themselves.

Yes, Stratfor is guilty of having lax security (I've been affected by this), but the bottom line is that these hackers are the ones that committed the crime and released this credit card information.


if you want to switch analogies to rape, fine, but i think that's a much worse analogy to use.

blame isn't a zero-sum game. if a hypothetical human walks down the street in provocative or revealing clothing in a bad part of town without any way to defend themselves, then you can argue that, at the very least, he (or 'it' if you don't believe in the genderless 'he') should not be surprised that someone attempted to rape him (it). That in no way excuses the rapist for what he (it) did, or lessens the blame apportioned to the rapist.

relating your analogy back to the stratfor situation, the blame stratfor gets should in no way lessen the blame that the hackers get, but stratfor should be held accountable for the fact that they essentially walked into an area known to be infested by opportunistic rapists wearing provocative clothing with no means of protection. regardless of how wrong it was that stratfor got metaphorically raped, one still needs to look at stratfor and ask, why in the world would you do that? how could you even expect anything different to happen?


not like securing things correctly is an unsolved problem or even just np-hard.

Given that Google, RSA and Intel have all been penetrated (that we know about), and all have a passing knowledge of security I think this has turned out to be harder than you seem to think it is.


I didn't say it was easy; it's usually pretty hard/expensive to do it right.

But there are known best practices, and it looks like those weren't followed (at the very least, have a good password policy and salt the goddammed passwords before hashing).

here are two examples of companies doing security right:

[1] http://blog.lastpass.com/2011/05/lastpass-security-notificat...

[2] http://arstechnica.com/gaming/news/2011/11/valve-confirms-st...
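To make the "salt the passwords before hashing" point concrete, here is an added example (not code from the thread or from any of the companies discussed). It builds a constructed user table three ways: the weak scheme the comments complain about (a fast, unsalted hash), and a per-user random salt fed through a slow key-derivation function (PBKDF2-HMAC-SHA256 from the standard library). The user names, passwords and the function names `unsalted_md5`, `salted_hash`, `verify` and `duplicate_digest_count` are all assumptions for the demo. The observable difference a defender cares about: with no salt, two users who picked the same password store the same hash, so one leaked table reveals shared passwords at a glance and can be attacked as a whole; with per-user salts every stored digest is distinct and each must be attacked separately.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample data: two users happen to choose the same password.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
    "carol": "hunter2",
}

# Work factor for PBKDF2-HMAC-SHA256; higher is slower for everyone,
# which is the point. Kept as a parameter so the demo stays adjustable.
DEFAULT_ITERATIONS = 600_000


def unsalted_md5(password: str) -> str:
    """The weak scheme: one fast hash, no salt, identical for identical passwords."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_hash(password: str,
                salt: Optional[bytes] = None,
                iterations: int = DEFAULT_ITERATIONS) -> Tuple[bytes, bytes]:
    """Per-user random 16-byte salt plus a deliberately slow KDF.

    Returns (salt, digest); both are stored, the salt is not secret.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify(password: str, salt: bytes, expected_digest: bytes,
           iterations: int = DEFAULT_ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_hash(password, salt, iterations)
    return hmac.compare_digest(digest, expected_digest)


def build_tables() -> Tuple[Dict[str, str], Dict[str, Tuple[bytes, bytes]]]:
    """Hash the sample users both ways so the two schemes can be compared."""
    unsalted = {user: unsalted_md5(pw) for user, pw in SAMPLE_USERS.items()}
    salted = {user: salted_hash(pw) for user, pw in SAMPLE_USERS.items()}
    return unsalted, salted


def duplicate_digest_count(digests: List) -> int:
    """How many stored hashes collide with another user's stored hash.

    Any value above zero means the table leaks which users share a password.
    """
    counts: Dict = {}
    for d in digests:
        counts[d] = counts.get(d, 0) + 1
    return sum(c for c in counts.values() if c > 1)


if __name__ == "__main__":
    unsalted, salted = build_tables()
    print("unsalted duplicates:", duplicate_digest_count(list(unsalted.values())))
    print("salted duplicates:  ", duplicate_digest_count([d for _, d in salted.values()]))
    salt, digest = salted["alice"]
    print("alice login ok:", verify("correct horse battery staple", salt, digest))
    print("alice wrong pw:", verify("wrong password", salt, digest))
```

Running it shows two colliding entries in the unsalted table (alice and bob) and none in the salted one, while `verify` still accepts the right password and rejects a wrong one. The slow KDF is the second half of the fix: even with a salt, a fast hash like MD5 lets a leaked table be guessed against far too quickly.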


In what way is this any different than someone picking the lock to the front door of your house, smashing things up with a baseball bat, carrying your valuables out to the street and then leaving you a note saying "you should have bought a better lock"?

I'd far rather live in a world where we didn't need the lock in the first place.


it's not.

the issue (for me) is how valuable the valuables are and how much security is protecting the valuables. There's a good reason why there's a major difference between the security protecting the mona lisa and the security protecting my car, even though both are secured and both are valuable.

when people under-secure assets that they claim to be securing, especially when those assets aren't theirs, I think they're partially to blame when the assets are eventually stolen. I'm blaming stratfor because i think they did a shitty job securing their customers' info, especially since the info belonged to paying customers.


I don't think the leak of the password hashes is that serious. Sh*t happens.

What I find inexcusable is 1) the hashes being weak and not salted (I couldn't confirm that - and yes, I downloaded the data) and 2) the leak of credit card data, billing addresses and other personal info. That information should never, ever, under any circumstances, be accessible.


My information was released without warning. They dumped everything days ago. They could have informed Stratfor about the vulnerability, or even waited to give people a chance to cancel their cards.

Stratfor probably is to blame for lax security. But the hackers are as much to blame for violating my privacy.

I think Dan's point about alienating the wrong people by picking the wrong battles is the most important. Treating innocent people as 'collateral damage' is dehumanizing.

Edit for zobzu: They posted everything days ago.

My post contains none of the implied strawmen you assume. I believe we're on the same side, so I'm not sure why you are flaming me. You didn't address anything I said in my post.

Please review the guidelines so we can keep the discussion civil and useful: http://ycombinator.com/newsguidelines.html


Yeah I agree they haven't taken the best form of action, which would be to email everyone in the dataset and give them a chance to change their credit card without giving out the whole set. At the same time though this is a better outcome than the information being silently sold.


Actually they warned people a few days ago.

But yeah, I agree with you, you're much better off when people hack those accounts, steal the money and don't tell anybody, so they can keep stealing from it from time to time, and since you don't know about it, you're secure!

Plus I guess it's only ok to see collateral damage when it's poor people getting killed by the army in other countries, on TV. Cause yeah it's TV. Feel sad for 2 min and go grab a coffee. Heck in this war all you have to do is switch credit card. Not switch a leg for a plastic one.

Oh I know this is not going to be popular.


Nice troll.


If the person/people who did this just wanted to expose security flaws, releasing a DB filled with innocent people's personal information is really over the top.



