HBO Hacker Leaks Message From HBO Offering $250,000 'Bounty Payment' (variety.com)
The HBO hacker has struck yet again. From a report: Variety has obtained a copy of another message released Thursday by the anonymous hacker to select journalists in which HBO is apparently responding to the initial video letter that was sent informing the Time Warner-owned company of the massive data breach. The message from HBO, dated July 27, features the network's offer to make a "bounty payment" of $250,000 as part of a program in which "white hat IT professionals" are rewarded for "bringing these types of things to our attention." While the message takes a curiously non-confrontational tone in response to a hacker out to damage HBO, a source close to the investigation who confirmed the veracity of the email explained it was worded that way to stall for time while the company attempted to assess the serious situation.
Hey, I'm a white hat by day, but I'm not averse to the idea of watching the world burn.
There are things you pay me for. But there's also stuff I do for fun. Sometimes they overlap.
Still, the guy who did this isn't a white hat.
Well yes, hackers are people who like playing with things they don't understand in order to understand them. I don't understand why you feel it necessary to denigrate them by likening them to "small children".
Some of us like taking things apart; whether that's with a screwdriver or a disassembler, it makes no difference.
I don't feel denigrated by being likened to a small child. Small children are at least curious and eager to learn (at least before this gets driven out of them when they get confronted by the school system).
Most adults are lazy fucks that couldn't be bothered to learn something if their life depended on it.
Nope. Self-described white hat. But while we're at quotes from that particular Batman movie, there is one quote [youtube.com] from Ledger's Joker that I do subscribe to.
I was going to submit the WSJ/Fox News article under my alias when the Variety story popped up, which has more insight on what HBO is doing.
When the hackers came forward late last month, an HBO technology-department employee sent them a letter offering $250,000 to participate in the company's "bug bounty" program, in which technology professionals are compensated for finding vulnerabilities, according to a person familiar with the matter.
HBO was buying time with that response and isn't in negotiations with the hackers, the person said. The hacker has demanded a ransom of around $6 million.
The network has also been working with the Federal Bureau of Investigation and other law-enforcement agencies and cybersecurity firms to address the matter, people familiar with the matter say.
WSJ (paywalled): https://www.wsj.com/articles/hbos-hack-hollywood-is-under-siege-1502443802 [wsj.com]
Fox News: http://www.foxbusiness.com/features/2017/08/11/hbos-hack-hollywood-is-under-siege.html [foxbusiness.com]
"We were going to pay him a relatively modest amount with plausible deniability, but won't now because he leaked that, which only gives incentive for others to hack us."
I've been working in IT for over 20 years, and the thing I've seen over and over again is that organizations that cheap out on IT get stung by things like these more frequently. I've been through multi-hour company-wide outages because someone said there was no reason to keep a core application in more than one data center. We constantly see companies where "IT is not our core competency" getting breached when their lowest-bidder contractors leave an open hole exposed, or when the entire company is run on a massive tower of outsourcers that don't communicate with each other. If I remember correctly, that's how the Target breach happened...a contractor running the HVAC for the stores had a security hole in the systems connected to the store networks, which attackers were able to use to get to the registers and credit card terminals.
You will never convince companies to do this, but in my opinion the only way to prevent breaches from happening or to minimize their damage is to pay in-house IT staff who *actually* understand what's being deployed. Staff who are paid well and not worked to death are going to be a lot more interested in keeping your business alive than some disinterested offshore firm or body shop who cares only about fulfilling the minimum terms in the contract. (The other thing that has to happen is that everything has to be secure by default, but almost nowhere I've worked has been able to wrap their heads around this. Too many places assume that there's an "outside" and an "inside" and spend all their effort defending the perimeter.)
What's interesting is that $250K is pretty low for a first offer. I haven't looked through the archive of data these hackers claim to have, but summaries say they were able to get access to sensitive corporate data as well as unreleased content. Some group of people at HBO must be going through all the access logs and figuring out what kind of damaging information they may have exposed. Given that they're an entertainment company, just a dump of the company's email should reveal some very interesting exchanges with various high-profile individuals. Worth way more than a quarter million in my opinion....
But at the same time, for a company the size of HBO, that's a paltry sum per year to prevent these kinds of shenanigans.
>I've been working in IT for over 20 years, and the thing I've seen over and over again is
Let's generalize a bit. You've seen that corporations collect knowledge but not wisdom, so they keep repeating the fundamental mistakes while avoiding repeating the exact circumstances of them.
Outsourcing vs. in-house. Cubical farms vs. offices. Part time vs. full time. Exploiting vs. 'partnering' with employees. It all goes in cycles of about half a career-span, as new people take over and experience is lost.
Unfortunately, you do need to import new knowledge and youthful enthusiasm from time to time, and people do tend to calcify as they age and eventually they go and die on you.
I simply find it very frustrating that I can see these loops and I'm not a genius, I'm simply in my 40s. Which leaves me wondering what kind of idiots are running the show, given that most of the people above me in the org structure are older.
> a good IT guy will spend 99.9% of their time sitting on their ass playing videogames because they've automated everything and only have to respond when it fails.
The problem is that's not a job, it's jobS.
The first job is automating the system, the second is maintaining it, and the third is being ready for disaster recovery.
You probably need vastly fewer bodies for the second job, and while you need more bodies, you don't need them for very long for the third.
It will never happen until regulations demand it, or at least there is real accountability and real penalties to the careers of the executives responsible.
The fundamental problem is that people are horrible at assessing risk.
Then add in that the people who end up being decision makers over IT often don't have a clue about the things they are making decisions about... and of course it ends in disaster.
What about giving IT PE powers, with big fines that will get PHB asses in line?
Also, pay for good infrastructure, not "well, we can't do X to make it very secure, as it will cost too much to have the infrastructure set up to be super secure."
Pay for good IT people
... lowest-bidder contractors
Unfortunately some companies pay incompetent people huge sums and promote them to upper management, while ignoring their own good lower-level people who are aware of the problems but not empowered to fix them.
Or lose them.
How any system, internal or external, has access to the systems where "valuable" information/data/media content exists without multiple levels of authentication, encryption and access controls seems to be something HBO shareholders should be seriously investigating.
There isn't a CISSP section on stalling for time by bullshitting people who are clearly far more intelligent than you. If anything, you've just hardened their resolve to leak more out of sheer animosity.
No, but if you put a cheap lock on your door and it gets picked, and then they slowly steal everything in your house over a long period of time, I'd say they are.
In other words, don't even bother to pay, because they're going to leak anyway.
Yo dawg I heard you liked Slashdot discussions, so I linked the discussion to the discussion so you can not RTFA while you're not RTFAing!
HBO is a subscription based service. Do they think people will stop signing up or quit because there is a chance some of their shows may be leaked early? Anything they show is pirated within an hour after first showing. While they certainly should make an effort to try to do better and stop this, I don't think there were a ton of 2am meetings discussing it.
Agreed. I'm currently a subscriber & would not cancel if pirated copies of their shows were available.
The thing that'd make me cancel is when I'm no longer getting good value for money - so if they don't get greedy & don't stop producing good content they'll be fine.