Done, that was easy. Keep your money, we do it for the lulz (blackbergsecurity.us)
217 points by kevinburke on June 9, 2011 | hide | past | favorite | 41 comments



A bit of background for HN: Most security folks consider Joe Black (of Black & Berg) to be a total joke and snake oil vendor.

See http://attrition.org/postal/asshats/joe_black/


IMO it's pretty obvious he is trolling everyone. 99% sure he set up this character then "hacked" his own website. Still funny though, job well done.


From the facebook and twitter posts, he seems like a troll or a literal crazy person. I don't get it.


I doubt it's a marketing campaign. Its dubious homepage looks too amateur-like.

And .us domains, really?


Not a marketing campaign, a joke. If you've never done it, you might not think it's worth the effort (and it isn't but it's addictive). When I was in high school, I used to get a thrill out of pretending to be the dumbest person alive and having tons of people make fun of me on the internet. Luckily I'm through that phase but I like to think I can spot a fellow troll. As long as they're not being racist, mean, or abusive it's all good fun. If he took money it's wrong, but I doubt his company has any clients.


It's the classic usenet definition of a troll, deadpanning the wrong side of an argument, forging headers and replying to yourself, stirring up non-existent controversy and getting the semi-clued in to waste time telling people "don't feed the trolls".

Done right and to extremes it's quite a schizophrenic art form. His commitment to the craft is impressive, I can't really recall ever having seen someone sell it so hard and so long without breaking character. The youtube videos [1] from last year especially, even when he throws in an obvious gimme like a letter from a fan that's over the top he does the whole thing without a crack of a smile.

He must work in the infosec world somewhere, it's funny that those that know him don't out him. Not many trolls are willing to go the extra mile and commit their real likeness, etc.

With all that said I'd give it a 50/50 shot the intrusion wasn't fake, I could see a website with an intentional vulnerability or two added to troll the skiddies. It certainly would fit with the rest of the commitment to the performance.

[1] https://www.youtube.com/watch?v=5ywUK2Jat5k


Or he could literally be insane [1]. When someone invests past a certain level, it no longer matters if they're trolling or not. They either really believe what they say, and are therefore insane, or they're dedicated to trolling to the point of insanity.

[1] http://www.happehtheory.com


Wow. He is truly an artist.


& I love how his letter from a student is in his notebook.


ITTFTW


Don't you really mean: You were on IRC all the time, and subjected everyone else bored enough to be on IRC to your lies? You enjoyed acting stupid on IRC, that's fine.

Admit it, you still do. Look at how you talk about it. You haven't moved on.


That page's background image is an almost-certainly unlicensed use of an image of SHODAN from System Shock 2 http://cyberpunk.asia/shodan.php?lng=fr

Not that that's super relevant; it's a hacker game, hacker website, SHODAN is something of a hacker icon, too, I'd wager, and I happened to notice it. Bleh.


Everyone here seems sure that "Black & Berg" is an actual security company that issued a challenge and actually intended to pay someone money. Does anyone have any independent sources on that?

Just from the look of the site, it seems so much like a farcical joke on HBGary-type companies, I wonder if it's not a viral marketing campaign.


No, it's probably real. They need a website, and someone tells them they can use Drupal and manage it all themselves, after a consultant/developer sets it all up and wraps it in a generic looking theme.

The site owner, with no sense of design or marketing, will then crap all over what little structure remains with each new addition, until the final result looks like a Geocities page.


If LulzSec had accepted the money, it's likely to become a money trail. "According to Richardson and Lyon, the NHTCU encouraged Richardson to wire two [DDoS] extortion payments of a few thousand dollars each to separate Western Union offices in Eastern Europe. The NHTCU wanted to nab anyone who showed up to take the cash. (NHTCU won't confirm this; the spokeswoman said the unit does not discuss investigative tactics.) [0]"

[0] http://www.csoonline.com/article/220336/how-a-bookmaker-and-...


I only accept bitcoins for my extortion payments.


Oh, hi.


Honestly they were asking for it. Kudos to whomever hacked them and took the high road.

Are there any security firms that actually know what they're doing? I'm beginning to think there isn't.


"Are there any security firms that actually know what they're doing?"

I think the takeaway is that knowing what you're doing is less than half the battle here.

Just as most people know how to lose weight (diet and exercise), actually making those lifestyle changes can be very difficult. Similarly businesses, even security companies, let their security lapse because it's hard to take the time, effort and focus away from products, sales, cash to set up proper standards and controls.


But aren't security companies supposed to be in the business of reducing the time, effort and focus away from products, sales and cash that's required to set up proper standards and controls?

Shouldn't they be able to prove their own concepts internally?


The shoemaker's children have no shoes. This happens all the time. How many programmers do you know that spend all day automating the processes of others and yet still manually copy files to the production server instead of automating their own processes?


I guess to some extent. I think the reality is somewhat murkier. It's possible a lot of these companies start up with niche skills and lack broad expertise, meaning they're going to have holes.

If you've got a handful of employees and your expertise is DDOS protection then are you going to use your next hire on a DDOS specialist to work on your DDOS protection product or bring in someone to make your website safer?


Yes, but they don't have marketing departments.


>Kudos to whomever hacked them and took the high road.

It was LulzSec. They've been attacking a number of security firms, lately.


Is this still up?! Now that's embarrassing.


It was still up for me.

Step 1) Don't use a CMS for your web site. Step 2) see step 1.


C'mon, seriously?

We've had HB Gary, Sony, and a couple of others get hacked by SQL injection or poorly configured web-facing CMS systems.

Is it really that hard to figure out that if you're a target that is a stupid way to do things?

Put your CMS inside your firewall and "publish" it by generating a copy of your website as write only output.

It's not up to me of course. Sure, put your open FTP server up there, maybe turn on anonymous access. It's like leaving the keys in your car in the long-term parking lot: sure, it's convenient when you get back from your trip, but are you really surprised when your car is stolen? Really?

In this day of drive-by malware injection by JPG or Flash zero-day vulnerabilities every single web site in the frickin' universe is fair game to get 0wned. Used to be if you ran some off the beaten path blog or enthusiast site it was pretty much too small to worry about. Not any more. Put up a machine with a web server and watch them come at you, Brazil, Argentina, the Ukraine. Blam, Blam, blam, test after test. IIS exploits? Apache Exploits? Got a CGI in there? Can you do local page execution? All your .htaccess files correct? Odd UIDs have logins?

I believe that there are better (and by that I mean less prone to being compromised) ways to manage the content on a web site of the OP's caliber than connecting it to a database.

Maybe I should sponsor a CMS version of the Pwn2Own contest.
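The "CMS inside the firewall, publish a static copy" setup from the comment above, as an added example that is not code from the thread or from any CMS. A local `http.server` serving a few constructed pages stands in for the internal CMS; `publish_static()` crawls it and writes plain files that a static web root can serve with no database behind it. In practice you would run `wget --mirror` or the CMS's own static export against the internal host; the crawl-and-write logic and the exclusion of the CMS's own login/admin paths are the point. The page contents, the `/user` and `/admin` exclusion pattern and the output layout are all assumptions for the demo.

```python
"""Added example (not from the thread or any CMS): publish an internal CMS
as static files. The http.server below is a stand-in for the real CMS."""
import http.server
import os
import re
import tempfile
import threading
import urllib.parse
import urllib.request
from html.parser import HTMLParser

# Constructed pages for the stand-in CMS. /user/login is the CMS's own
# admin surface and must never reach the public copy.
CMS_PAGES = {
    "/": "<html><body><h1>Home</h1><a href='/about.html'>About</a> "
         "<a href='/node/1'>Challenge</a></body></html>",
    "/about.html": "<html><body><a href='/'>Home</a> "
                   "<a href='http://example.com/x'>external</a></body></html>",
    "/node/1": "<html><body>Hacking challenge <a href='/user/login'>login</a></body></html>",
    "/user/login": "<html><body><form>login form</form></body></html>",
}


class CmsHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        body = CMS_PAGES.get(self.path)
        if body is None:
            self.send_error(404)
            return
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_cms():
    srv = http.server.HTTPServer(("127.0.0.1", 0), CmsHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


class LinkParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)


# Paths that belong to the CMS itself, not the content: never published (assumed pattern).
EXCLUDE = re.compile(r"^/(user|admin)(/|$)")
# Ignore proxy environment variables so the crawl stays on localhost.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def publish_static(base_url, out_dir):
    """Crawl same-site links from / and write each page under out_dir.
    Returns the sorted list of CMS paths that were published."""
    queue, seen = ["/"], set()
    while queue:
        path = queue.pop()
        if path in seen or EXCLUDE.match(path):
            continue
        seen.add(path)
        with OPENER.open(base_url + path) as resp:
            html = resp.read().decode()
        target = os.path.join(out_dir, path.lstrip("/") or "index.html")
        if not os.path.splitext(target)[1]:      # /node/1 -> node/1/index.html
            target = os.path.join(target, "index.html")
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "w") as f:
            f.write(html)
        parser = LinkParser()
        parser.feed(html)
        for href in parser.links:
            u = urllib.parse.urlparse(href)
            if not u.netloc and u.path.startswith("/"):   # same-site absolute paths only
                queue.append(u.path)
    return sorted(seen)


def run_demo():
    """Start the stand-in CMS, publish it to a temp dir, return (paths, files)."""
    srv, base = start_cms()
    out = tempfile.mkdtemp()
    try:
        published = publish_static(base, out)
    finally:
        srv.shutdown()
    files = sorted(os.path.relpath(os.path.join(d, f), out)
                   for d, _, fs in os.walk(out) for f in fs)
    return published, files


if __name__ == "__main__":
    print(run_demo())
```

The published tree contains only `index.html`, `about.html` and `node/1/index.html`; the login page is dropped by the exclusion list even though a content page links to it, and the external link is not followed. Whatever serves the output directory needs no PHP and no database credentials, which is the whole argument for this layout.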


Uh, yeah. Every time we want a new website we should absolutely hand-code every user login system, online calendar, forum, feed parser, 3rd party integration, content templating system.....

Contemplate all possible interpretations of "technical debt" until enlightenment is achieved.


Or if you do (in this case Drupal), maybe you should apply the security patches.


This is not even worth the time it takes to click and wait for the god awful page.

Attention is what this guy wants. Why are we even bothering about this on the first page?


That domain name is running an open FTP server. I'll bet a dictionary attack against the 'root' or 'admin' user was all that was necessary.


On the bottom of the page:

Warning: INSERT command denied to user 'dbo325141527'@'74.208.180.97' for table 'bs_watchdog' query: INSERT INTO bs_watchdog (uid, type, message, variables, severity, link, location, referer, hostname, timestamp) VALUES (0, 'php', '%message in %file on line %line.', 'a:4:{s:6:\"%error\";s:12:\"user warning\";s:8:\"%message\";s:636:\"INSERT command denied to user 'dbo325141527'@'74.208.180.97' for table 'bs_accesslog'\nquery: INSERT INTO bs_accesslog (title, path, url, hostname, uid, sid, timer, timestamp) values('Cybersecurity For The 21st Century, Hacking Challenge: Change this website's homepage picture and win $10K and a position working with Senior Cybersecurity Advisor, Joe Black. DONE, THAT WAS EASY. KEEP YOUR MONEY WE DO IT FOR THE LULZ', 'node/1', 'http://news.ycombinator.com/item?id=2639058' in /homepages/6/d325020610/htdocs/includes/database.mysql.inc on line 128


Weird, why is there a link to this post?


It's the referer.


Yep, it's clearly the access logger, but its database password got changed by the attacker.


The other day an editor at work was complaining that a link they added only worked when visited directly, not when clicked. It turned out the target site had an access logger that synchronously downloaded the referring page, got its title, and then attempted to insert the title into its DB - without escaping it of course. Our post linking to the target site had an apostrophe in its title...
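The access-logger pattern described in the comment above, as an added example that is not code from the thread or from Drupal: a logger fetches the referring page's `<title>` and inserts it into the database. `log_visit_unsafe()` splices the title into the SQL string, which is what breaks on an apostrophe and what lets a crafted title run as SQL; `log_visit_safe()` binds it as a parameter. An in-memory SQLite database stands in for MySQL, and the referring page is a constructed string, not fetched over the network. (Separately, the Drupal warning quoted earlier in the thread is itself an information leak: it prints the database user, the database host, the table prefix and the docroot path to anyone loading the page, so error display belongs off in production regardless of how the query is built.)

```python
"""Added example, not code from the thread or from Drupal: the referrer-title
access logger, unsafe and parameterized, against an in-memory SQLite database."""
import re
import sqlite3

# Constructed stand-in for the referring page; the apostrophes are the point.
REFERRING_PAGE = "<html><head><title>Joe Black's 'challenge' (HN)</title></head></html>"
# Constructed title that stays syntactically valid when spliced into the INSERT
# and makes the database write its own table name into the log instead.
INJECTED_TITLE = "' || (SELECT name FROM sqlite_master WHERE type='table') || '"


def extract_title(html):
    m = re.search(r"<title>(.*?)</title>", html, re.I | re.S)
    return m.group(1).strip() if m else ""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accesslog (id INTEGER PRIMARY KEY, title TEXT, "
                 "path TEXT, hostname TEXT)")
    return conn


def log_visit_unsafe(conn, title, path, hostname):
    # VULNERABLE: the attacker-controlled title goes straight into the SQL text.
    sql = "INSERT INTO accesslog (title, path, hostname) VALUES ('%s', '%s', '%s')" % (
        title, path, hostname)
    conn.execute(sql)


def log_visit_safe(conn, title, path, hostname):
    # Parameter binding: the driver sends the title as data, never as SQL.
    conn.execute("INSERT INTO accesslog (title, path, hostname) VALUES (?, ?, ?)",
                 (title, path, hostname))


def latest_title(conn):
    row = conn.execute("SELECT title FROM accesslog ORDER BY id DESC LIMIT 1").fetchone()
    return row[0] if row else None


def run_demo():
    """Log the same two titles through both paths; return what ended up stored."""
    conn = make_db()
    out = {}
    title = extract_title(REFERRING_PAGE)
    try:
        log_visit_unsafe(conn, title, "node/1", "203.0.113.5")
        out["apostrophe_unsafe"] = latest_title(conn)
    except sqlite3.OperationalError:
        out["apostrophe_unsafe"] = "sql error"   # the broken query from the thread
    log_visit_safe(conn, title, "node/1", "203.0.113.5")
    out["apostrophe_safe"] = latest_title(conn)
    log_visit_unsafe(conn, INJECTED_TITLE, "node/1", "203.0.113.5")
    out["injected_unsafe"] = latest_title(conn)   # "accesslog": leaked schema, not a title
    log_visit_safe(conn, INJECTED_TITLE, "node/1", "203.0.113.5")
    out["injected_safe"] = latest_title(conn)     # the literal string, harmless
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print("%-18s %r" % (k, v))
```

The apostrophe case reproduces the symptom the editor saw: the unsafe path throws a syntax error and the visit is never logged, while the parameterized path stores the title verbatim. The second title shows why the bug is more than a logging nuisance: through the unsafe path the database evaluates the attacker's subselect and records its own table name, and the same string through the safe path is just text. A logger that fetches the referrer synchronously on every hit also lets any visitor make the server issue outbound requests of their choosing, which is a separate reason not to build it this way.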


Oh... duh. Thanks. I didn't even try to parse the rest of it.


I think Joe Black is a parody http://www.youtube.com/watch?v=5ywUK2Jat5k



These LulzSec guys are GREAT


"Done. Hacked."



