
My $.02 on the spike in hacking - gapanalysis
http://securityskeptic.typepad.com/the-security-skeptic/2011/07/my-02-on-the-spike-in-hacking.html
======
m0nastic
I work in the security industry, so my point of view about both the incidence
and importance of security vulnerabilities (and subsequent hacking
disclosures) is probably unrealistically skewed. I offer my bias as a caveat.

That said, I don't see a rise in hacking incidents. What I do see is that
hacking is currently part of the zeitgeist, so much like when someone tells
you about a red car and you start to notice red cars all over the place, the
collective focus on security is just bringing more incidents to light.

Quantifying hacker activity is akin to quantifying IP piracy, in that there's
really no good way to accurately capture the real numbers. For many years,
publicizing breaches was anathema, so the general public were left unaware
just how commonplace attacks were. If you want to see remnants of this
mindset, just ask a security consultancy for references of other clients
they've worked with (It's like asking for a list of someone's sexual
partners). We're now at a point where there is more pressure to go public when
an incident occurs (as well as things being more difficult to hide).

Even if I remove my cynical security consultant fez (which would make me
salivate on the benefits to my livelihood based on the public perception of
the state of internet security), I think it's probably a good thing for this
stuff to be in the public sphere.

~~~
gapanalysis
We've long speculated that incidents are under-reported. Social and other
media are catalysts for transparency. They may also force organizations to be
responsible or accountable. I agree this is a good thing. We may not be able
to find a good way to capture real numbers, but I suspect that we have a more
accurate picture than we did 10 years ago.

RE: benefits to livelihood. My security consulting didn't suffer while
organizations chose not to disclose. The only difference between then and now
was a clause in the contract regarding disclosure :-O

------
wccrawford
FTA: "Bruce Schneier says, "It’s not that things are getting worse; it’s that
things were always this bad.""

Exactly. Everyone in the know has been saying this for a while now.

~~~
misuse-permit
Reporting a DoS attack to the CIA website on the front page of a newspaper is
like reporting the egging of a bank as armed robbery.

------
espeed
It appears that they may be trying to raise the profile of "hackers" to pave the
way for public support of new "cyber terrorism" policies:

      "States have an inherent right to self-defense that may be
      triggered by certain aggressive acts in cyberspace," says
      the policy. Indeed, such aggressive acts might compel a
      country like the US to act even when the hacking is
      targeted at an allied country.

      "Certain hostile acts conducted through cyberspace could
      compel actions under the commitments we have with our
      military treaty partners," says the document. "When
      warranted, the United States will respond to hostile acts
      in cyberspace as we would any other threat to our
      country."

_United States International Strategy for Cyberspace_ (PDF) -
[http://www.whitehouse.gov/sites/default/files/rss_viewer/int...](http://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf)

------
p4bl0
Not directly related to the article, but I think it is also worth remarking
that this spike in attention that the "hacking" scene got recently (whatever
the reasons are, even if I think espeed[1] might have a point on this) is of
course very welcome by those who perpetrate these acts, but also —and that's
what I want to emphasize— very well used by them. The communication of Anonymous
and LulzSec is exemplary at many levels (the language used in the writings,
the use of memes and media...).

I continue to want to compare this movement with the Yippie movement[2], at
least on the handling of media and communications. Having read "Do It!" by
Jerry Rubin several times during high school, I really feel similarities
between the two movements on this subject. I don't have the book with me but
it would really be worth reading it again and trying to make some comparisons on
actual examples rather than vague ideas (usage of the media, "for teh lulz"
as part of the motivations, relation with the authorities...) like I'm doing
here.

[1] <http://news.ycombinator.com/item?id=2804347>

[2] <http://en.wikipedia.org/wiki/Yippies>

------
dromidas
While Bruce and company are correct in that it has always been this bad...
what they are failing to notice, or at least point out, is that this is the
first time it has been so publicized and in such a spearheaded manner. LulzSec
or AntiSec is the first hacker movement that other people are rallying to and
nobody could possibly predict what is going to come of it.

