We're Hacked... But it's a secret....
Page 1 of 3 123 LastLast
Results 1 to 10 of 22

Thread: We're Hacked... But it's a secret....

  1. #1
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197

    We're Hacked... But it's a secret....

    Source

    As Advertised on AO's main page right now.....

    Let's think about this.... The product hides the fact that the content is compromised.... Why would you purchase such a system?

    1. You are incompetent and you know it?
    2. When you think you might have been compromised you check your site in your browser because that's the only way you know how - but you'll be lied to.... but it doesn't matter.... It looks good?
    3. You hold customer confidential infomation and you don't want to deal with the lawsuits?
    4. Etc. etc. etc.....

    C'mon.... IMO, this is crap... I'm unsure why a "security" site would even accept this kind of advert.... What are JupM saying about the quality of their own site? Don't worry about security - now you can hide your inadequate admin's work from the world. The most laughable thing is, and I quote from their site....

    Hackers have proven they can gain access to even the best protected corporate and government web servers. Conventional security solutions were designed to detect and prevent attacks from trespassing across the organization's network perimeter; but they do not offer a remedy in case the attack was originated from within the perimeter. Nor do they limit the public damage if and when hackers get in a highly probable event.

    In response, BreachGate Sitegrity offers a solution that fills in this dangerous gap by controlling and securing the data as it leaves the organizations' application and perimeter.
    They freely admit that they lie about the compromise to the users of their customers sites..... I'll be telling my bank that if they purchase this crap I want to know.....
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  2. #2
    Banned
    Join Date
    Apr 2003
    Posts
    1,146
    I don't think this would pass muster in California. It kinda boggles the mind that someone thinks it is better to set up a duplicate of the web content and install this filter system to check the authenticity of the data, in case you get hacked.

    Hey, Tiger, maybe this is the current version of the old Vietnam "plausible deniability" thing. Whaddaya think? Pay no attention to the man behind the curtain.

    If the system gets hacked or defaced, and data gets damaged, don't you think it could happen to the duplicate system, too? If your core system is potentially that vulnerable, what confidence is there in the duplicate data? Don't see the logic.

    As for Jupitermedia Corp., they are just in it for the bottom line. That was a paying advertiser.

  3. #3
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    I'll admit the advert sucks, but I think this is targeted at web based businesses who make a living off their traffic and content, but who are not entirely responsible the security of some of the content they recieve and distribute. How do you know if your content is being poisioned up the stream? The idea is to not pass on the polution to your clients (in a networking and business sense), which may not be such a bad idea since we are seeing more exploits using compromised servers to distribute malware to clients. This merely verifies content you are distributing based on a digital signature before passing it, otherwise replaces it with a 'known good' copy. This might have helped someone like the UK's The Regsiter in this recent attack on FALKs load balancers. Business is Business, how do make sure this doesnt happen?

    -Maestr0



    EDIT: Some of you may remember a similar attack on *gasp* SecurityFocus by Fluffi Bunni.
    http://www.securityfocus.com/news/4320
    \"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software.\" -Jaron Lanier

  4. #4
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    Kind of like a home security system that only checks the integrity of the people that LEAVE the house......interesting concept, duh.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  5. #5
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Yes, it's a bit like those online backup facilities in a way?

    But this bit is quite true:

    Hackers have proven they can gain access to even the best protected corporate and government web servers
    I most certainly have, and been paid for it.............I did need MoD, DoD and NATO security clearance though

  6. #6
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Posts
    1,164
    Interesting concept...especially considering that if your customer information is held inside a database and all the hacker's trying to do is STEAL the information, then it wouldn't matter about what's "shown". The best hacker leaves behind no definable trace that he was there, that nothing was blatantly deleted in a show of skiddy-ism, and that there's a few backdoors to ensure his return.

    If the hacker is to steal your information and use it at his whim, then there's nothing you can do about it and this product completely fails in that arena. I mean, based on their claim of signature-based authentication for HTML/GIF/JPG files, how're you going to validate PHP-driven content, especially if it's database-retrieved? Their product only works upon defaced website and the like, not when you're dealing with altered database schemas and the like, if I read it correctly. Good concept, but horribly executed and definitely not something I'd EVER support.
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.

  7. #7
    Senior Member
    Join Date
    Apr 2004
    Posts
    228
    Shouldn't it be runing along with all the other securtiy measures?
    Don\'t post if you\'ve got nothing constructive to say. Flooding is annoying

  8. #8
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    Bravo nightcat. The only person who can look at the usefulness of this kind of application. This is not the first company to push this type of product, and they won't be the last.. I think it is a great way to insure that the proper data is presented to the end user.

    Look at it this way.. Your main page is hacked and you get an alarm telling you it has been changed, and it will take about 30-45 minutes for the alarm to get generated, for you to login and switch it back.. Meanwhile the hole is still in your system and the attacker is still changing other sites.. But you know what? For your end users reading whatever you are publishing everything still looks the same and you have not incurred any downtime on your internet portal. This software combined with a good security plan and practices is a great way to insure high availability of content on a web site.

    It has nothing to do with not disclosing to the end user that you were hacked... You can always publish that somewhere else. No law in the world says you have to leave a hacked webpage up so that your users can see that the site was hacked. You just have to notify a user if there is reasonable belief that their private information was hacked. How does the main page or a news article apply to that law??? It doesn't. This is more for static content, not dynamic content such as user information. This is for places such as cnn.com or msn.com where they can make sure that the article people are reading is the article that they signed and approved.


    If the hacker is to steal your information and use it at his whim, then there's nothing you can do about it and this product completely fails in that arena. I mean, based on their claim of signature-based authentication for HTML/GIF/JPG files, how're you going to validate PHP-driven content, especially if it's database-retrieved? Their product only works upon defaced website and the like, not when you're dealing with altered database schemas and the like, if I read it correctly. Good concept, but horribly executed and definitely not something I'd EVER support.
    It's not intended to protect dynamic data such as that coming from a database or PHP scripts. It is for published static data that where there is a limited number of authorized publishers and the data does not change frequently. I can think of a ton of uses for this type of product. State government publishing laws and minutes from meetings, universities publishing scientific studies, authors publishing works of fiction/nonfiction, etc... You can't say that this product sucks because it won't secure dynamic data because it isn't intended to. That is like saying that MS Exchange sucks as a network management tool.

  9. #9
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    mohaughn:

    And what percentage of the installed base this company has do you think will use it in the utopian manner you describe?
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  10. #10
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    By the busload:

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •