

Done, that was easy. Keep your money, we do it for the lulz - kevinburke
http://www.blackbergsecurity.us/Home

======
dsl
A bit of background for HN: Most security folks consider Joe Black (of Black &
Berg) to be a total joke and snake oil vendor.

See <http://attrition.org/postal/asshats/joe_black/>

~~~
mousa
IMO it's pretty obvious he is trolling everyone. 99% sure he set up this
character then "hacked" his own website. Still funny though, job well done.

~~~
est
I doubt it's a marketing campaign. Its dubious homepage looks too amateur-like.

And .us domains, really?

~~~
mousa
Not a marketing campaign, a joke. If you've never done it, you might not think
it's worth the effort (and it isn't but it's addictive). When I was in high
school, I used to get a thrill out of pretending to be the dumbest person
alive and having tons of people make fun of me on the internet. Luckily I'm
through that phase but I like to think I can spot a fellow troll. As long as
they're not being racist, mean, or abusive it's all good fun. If he took money
it's wrong, but I doubt his company has any clients.

~~~
trotsky
It's the classic usenet definition of a troll, deadpanning the wrong side of
an argument, forging headers and replying to yourself, stirring up non-existent
controversy and getting the semi-clued in to waste time telling people
"don't feed the trolls".

Done right and to extremes it's quite a schizophrenic art form. His commitment
to the craft is impressive; I can't really recall ever having seen someone
sell it so hard and so long without breaking character. The youtube videos [1]
from last year especially: even when he throws in an obvious gimme like a
letter from a fan that's over the top, he does the whole thing without a crack
of a smile.

He must work in the infosec world somewhere, it's funny that those that know
him don't out him. Not many trolls are willing to go the extra mile and commit
their real likeness, etc.

With all that said I'd give it a 50/50 shot the intrusion wasn't fake, I could
see a website with an intentional vulnerability or two added to troll the
skiddies. It certainly would fit with the rest of the commitment to the
performance.

[1] <https://www.youtube.com/watch?v=5ywUK2Jat5k>

~~~
danssig
Or he could literally be insane [1]. When someone invests past a certain
level, it no longer matters if they're trolling or not. They either really
believe what they say, and are therefore insane, or they're dedicated to
trolling to the point of insanity.

[1] <http://www.happehtheory.com>

------
eck
Everyone here seems sure that "Black & Berg" is an actual security company
that issued a challenge and actually intended to pay someone money. Does
anyone have any independent sources on that?

Just from the look of the site, it seems so much like a farcical joke on
HBGary-type companies, I wonder if it's not a viral marketing campaign.

~~~
unconed
No, it's probably real. They need a website, and someone tells them they can
use Drupal and manage it all themselves, after a consultant/developer sets it
all up and wraps it in a generic looking theme.

The site owner, with no sense of design or marketing, will then crap all over
what little structure remains with each new addition, until the final result
looks like a Geocities page.

------
Joakal
If LulzSec had accepted the money, it's likely to become a money trail.
"According to Richardson and Lyon, the NHTCU encouraged Richardson to wire two
[DDoS] extortion payments of a few thousand dollars each to separate Western
Union offices in Eastern Europe. The NHTCU wanted to nab anyone who showed up
to take the cash. (NHTCU won't confirm this; the spokeswoman said the unit
does not discuss investigative tactics.) [0]"

[0] <http://www.csoonline.com/article/220336/how-a-bookmaker-and-a-whiz-kid-took-on-a-ddos-based-online-extortion-attack>

~~~
Aloisius
I only accept bitcoins for my extortion payments.

~~~
eloisius
Oh, hi.

------
rdoherty
Honestly they were asking for it. Kudos to whoever hacked them and took the
high road.

Are there _any_ security firms that actually know what they're doing? I'm
beginning to think there isn't.

~~~
Steko
"Are there any security firms that actually know what they're doing?"

I think the takeaway is that knowing what you're doing is less than half the
battle here.

Just as most people know how to lose weight (diet and exercise), actually
making those lifestyle changes can be very difficult. Similarly businesses,
even security companies, let their security lapse because it's hard to take
the time, effort and focus away from products, sales, cash to set up proper
standards and controls.

~~~
djcapelis
But aren't security companies supposed to be in the business of reducing the
time, effort and focus away from products, sales and cash that's required to
set up proper standards and controls?

Shouldn't they be able to prove their own concepts internally?

~~~
bphogan
The shoemaker's children have no shoes. This happens all the time. How many
programmers do you know that spend all day automating the processes of others
and yet still manually copy files to the production server instead of
automating their own processes?

------
arkitaip
Is this still up?! Now that's embarrassing.

~~~
ChuckMcM
It was still up for me.

Step 1) Don't use a CMS for your web site. Step 2) see step 1.

~~~
butterfi
Or if you do (in this case Drupal), maybe you should apply the security
patches.

------
prayag
This is not even worth the time it takes to click and wait for the god awful
page.

Attention is what this guy wants. Why are we even bothering about this on the
first page?

------
JackDanger
That domain name is running an open FTP server. I'll bet a dictionary attack
against the 'root' or 'admin' user was all that was necessary.

~~~
presty
on the bottom of the page:

Warning: INSERT command denied to user 'dbo325141527'@'74.208.180.97' for
table 'bs_watchdog' query: INSERT INTO bs_watchdog (uid, type, message,
variables, severity, link, location, referer, hostname, timestamp) VALUES (0,
'php', '%message in %file on line %line.', 'a:4:{s:6:\"%error\";s:12:\"user
warning\";s:8:\"%message\";s:636:\"INSERT command denied to user
&#039;dbo325141527&#039;@&#039;74.208.180.97&#039; for table
&#039;bs_accesslog&#039;\nquery: INSERT INTO bs_accesslog (title, path, url,
hostname, uid, sid, timer, timestamp) values(&#039;Cybersecurity For The 21st
Century, Hacking Challenge: Change this website&amp;#039;s homepage picture
and win $10K and a position working with Senior Cybersecurity Advisor, Joe
Black. DONE, THAT WAS EASY. KEEP YOUR MONEY WE DO IT FOR THE LULZ&#039;,
&#039;node/1&#039;,
&#039;http://news.ycombinator.com/item?id=2639058&#039;
in /homepages/6/d325020610/htdocs/includes/database.mysql.inc on line 128

~~~
catshirt
Weird, why is there a link to this post?

~~~
ahupp
It's the referer.

~~~
verroq
Yep, it's clearly the access logger, but its database password got changed by
the attacker.

~~~
benregenspan
The other day an editor at work was complaining that a link they added only
worked when visited directly, not when clicked. It turned out the target site
had an access logger that synchronously downloaded the referring page, got its
title, and then attempted to insert the title into its DB - without escaping
it of course. Our post linking to the target site had an apostrophe in its
title...
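The failure benregenspan describes, as an added example that is not code from the thread, from Drupal, or from the site in question: a tiny access logger that stores the referring page's title. The string-formatted INSERT breaks as soon as the title contains an apostrophe, exactly like the "website's" title in the watchdog dump above; the parameterized version stores the same title unchanged. The table name `accesslog`, the function names, and the sample title are all constructed for this demonstration.

```python
"""Added example (not from the thread, Drupal, or the site discussed): a
minimal referrer-title logger showing why an unescaped INSERT fails on an
apostrophe, and the parameterized form that does not.  The table layout,
function names and sample values are constructed for the demonstration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # In-memory database with a table shaped like a Drupal-style accesslog.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accesslog (title TEXT, path TEXT, referer TEXT, hostname TEXT)"
    )
    return conn


def log_visit_unsafe(conn, title, path, referer, hostname):
    """Vulnerable: the statement is built by string formatting, so an
    apostrophe in the title closes the literal early and the rest of the
    title is parsed as SQL (here it is simply a syntax error)."""
    sql = (
        "INSERT INTO accesslog (title, path, referer, hostname) "
        f"VALUES ('{title}', '{path}', '{referer}', '{hostname}')"
    )
    conn.execute(sql)


def log_visit_safe(conn, title, path, referer, hostname):
    """Fixed: the driver binds the values, so the title is always data,
    never part of the statement text."""
    conn.execute(
        "INSERT INTO accesslog (title, path, referer, hostname) VALUES (?, ?, ?, ?)",
        (title, path, referer, hostname),
    )


def record(logger, title):
    """Run one logger against a fresh database.

    Returns (True, stored_title) on success or (False, None) when the
    INSERT failed with a SQL error."""
    conn = make_db()
    try:
        logger(conn, title, "node/1", "http://example.invalid/post", "203.0.113.5")
    except sqlite3.OperationalError:
        return False, None
    row = conn.execute("SELECT title FROM accesslog").fetchone()
    return True, row[0]


# Constructed sample title with an apostrophe, like the one in the thread.
TITLE = "Hacking Challenge: Change this website's homepage picture"

if __name__ == "__main__":
    print(record(log_visit_unsafe, TITLE))  # the apostrophe breaks the query
    print(record(log_visit_safe, TITLE))    # stored verbatim
```

The apostrophe case is the benign symptom; the same missing escaping is what lets a crafted title change the statement's meaning, which is why the fix is parameter binding rather than stripping one character.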

------
clark-kent
I think Joe Black is a parody <http://www.youtube.com/watch?v=5ywUK2Jat5k>

------
cromulent
Also see <http://news.ycombinator.com/item?id=2632290> .

------
tribeofone
These LulzSec guys are _GREAT_

------
bitwize
"Done. Hacked."

