
"Military Meltdown Monday": 90K military usernames, hashes released - evo_9
http://arstechnica.com/tech-policy/news/2011/07/military-meltdown-monday-90k-military-usernames-hashes-released.ars
======
lucasjung
Anonymous need to read some books on strategy, because this just doesn't make
any sense: what are they trying to accomplish? With their previous targets
like HBGary, at least you could say that they were taking down corrupt and/or
incompetent contractors, but this is different. Booz Allen is a much bigger
organization, not some fly-by-night that can easily be folded up. Furthermore,
while this does demonstrate that their security had serious problems, it does
not demonstrate the kind of gross malfeasance that could actually take a
company down.

As for the U.S. military, this is certainly going to cause the U.S. military
some inconvenience, but not any serious long-term harm. What _will_ happen as
a result of this is that federal law enforcement will now start going after
Anonymous in a way that they have not previously done: federal felonies have
been committed, and further such crimes are highly likely. Serious resources
are going to be devoted to tracking down the responsible parties. Anonymous
have developed a false sense of security because nobody has yet gone after
them with the full resources of the federal government, and because their
interactions have largely been limited to exceptionally inept contractors.
While there are plenty of incompetents working for the government, there are
also lots of people who are very talented and capable, and Anonymous is now
going to find themselves dealing with the latter category.

In summary, they have not done any lasting damage to the government, but they
have turned themselves into priority targets. I don't see the upside for them.

~~~
pavel_lishin
> what are they trying to accomplish?

They are Anonymous. They're doing it for the lulz, of course.

But seriously, what makes you think they aren't just the modern Loki, doing
this simply because it amuses them and creates chaos?

~~~
lucasjung
Even if that's their goal, most of my points still apply: this didn't cause
very much chaos, but they put themselves in a very dangerous situation. If
their goal is to create as much chaos as possible, their strategy should
incorporate considerations about their ability to continue sowing chaos in the
long-term. Instead, they have exposed themselves to a dramatically increased
chance of being caught and stopped. If their goal is to amuse themselves to
the greatest degree possible, the above applies just as much, plus they should
factor in the "non-amusing" nature of residence in a federal penitentiary.

~~~
pavel_lishin
That's a very good point - it also reminds me of this article about how true
guerrilla warfare works (or ought to work):
<http://exiledonline.com/wn-38-ira-vs-al-qaeda-i-was-wrong/>

------
DanHulton
Pretty sure this is a dupe.

Hm, yup: <http://news.ycombinator.com/item?id=2751782>

Then I shall dupe my comment from that article as well, or at least the
content of it.

Inspired by these recent break-ins, I have set up a service to monitor your
email account for break-ins by hackers: <http://www.emailambush.com>. I figure
that with hackers like Anonymous running wild, that extra level of security
and assurance has to be worthwhile to some.

------
olsonjeffery
FTA: _"Unlike the passwords taken from government contractor IRC Federal, the
passwords from the Booz Allen system have been hashed using SHA-1. This will
make breaking into further systems using the released account information
harder—but it's likely that at least some of the passwords will be crackable,
and so further damage could follow."_

<insert critique of prevailing orthodoxies re: password hashing, a horse
beaten to death on HN already>

~~~
matthavener
A lot of people will assume "hashed using SHA-1" means simply SHA1(salt +
password) but in practice many password hashing libraries use SHA-1 with a
work factor, similar to bcrypt. I think NIST currently requires at least
100,000 rounds of SHA-1.

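The distinction drawn in the comment above, a single-pass SHA1(salt + password) versus SHA-1 run with a work factor, shown as an added Python example (this is not code from the thread, the article or any library named in it). It uses PBKDF2-HMAC-SHA1 from Python's hashlib as the iterated construction; the salt bytes, the `hunter2` sample password and the iteration count are constructed values, and the stored record format (`pbkdf2_sha1$iterations$salt$digest`) is an assumption of this example. The timing helper lets a defender compare cost per guess under the two schemes on their own hardware.

```python
import hashlib
import hmac
import os
import time

# Constructed example values (not from the thread): a fixed salt so results
# are reproducible, and an iteration count standing in for the "work factor".
SALT = b"constructed-salt-0001"
ITERATIONS = 100_000


def naive_sha1(password: bytes, salt: bytes = SALT) -> str:
    """Single-pass SHA1(salt + password): one hash computation per guess."""
    return hashlib.sha1(salt + password).hexdigest()


def pbkdf2_sha1(password: bytes, salt: bytes, iterations: int) -> str:
    """Iterated SHA-1 via PBKDF2-HMAC-SHA1 (RFC 2898); cost grows with iterations."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations).hex()


def make_record(password: bytes, iterations: int = ITERATIONS) -> str:
    """Store everything a verifier needs: algorithm, iterations, random salt, digest.

    Record format is an assumption of this example: pbkdf2_sha1$iters$salt_hex$digest
    """
    salt = os.urandom(16)  # per-user salt: identical passwords hash differently
    digest = pbkdf2_sha1(password, salt, iterations)
    return f"pbkdf2_sha1${iterations}${salt.hex()}${digest}"


def verify(record: str, candidate: bytes) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    algo, iters, salt_hex, digest = record.split("$")
    if algo != "pbkdf2_sha1":
        raise ValueError("unsupported record format")
    computed = pbkdf2_sha1(candidate, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(computed, digest)


def seconds_per_guess(hash_fn, password: bytes, trials: int = 20) -> float:
    """Average wall-clock time of one hash computation, i.e. the cost of one
    guess for whoever is verifying (or guessing) against the stored value."""
    start = time.perf_counter()
    for _ in range(trials):
        hash_fn(password)
    return (time.perf_counter() - start) / trials


if __name__ == "__main__":
    pw = b"hunter2"  # constructed sample password
    record = make_record(pw)
    print("stored:", record)
    print("correct password verifies:", verify(record, pw))
    print("wrong password verifies:  ", verify(record, b"hunter3"))

    naive_cost = seconds_per_guess(naive_sha1, pw)
    slow_cost = seconds_per_guess(lambda p: pbkdf2_sha1(p, SALT, ITERATIONS), pw)
    print(f"single SHA-1:          {naive_cost * 1e6:9.1f} us per guess")
    print(f"PBKDF2-SHA1 x{ITERATIONS}: {slow_cost * 1e6:9.1f} us per guess")
    print(f"work factor multiplies guess cost by ~{slow_cost / naive_cost:,.0f}")
```

The two digests are both "SHA-1", which is the point of the comment: the record format, a per-user salt and an iteration count stored alongside the digest are what separate a dump that is cheap to guess against from one that is not. The `seconds_per_guess` ratio is the number to watch when picking an iteration count for your own systems; raise it until verification is as slow as your login path can tolerate.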
~~~
olsonjeffery
My read of the original announcement on piratebay (sorry, link not handy) was
that the group who made the release asserted that:

1) the passwords were unsalted
2) they had already recovered plaintext passwords

has anyone followed up on this?

~~~
trotsky
<http://news.ycombinator.com/item?id=2752711>

