this post was submitted on 09 Feb 2025
1069 points (97.1% liked)
Technology
62005 readers
4379 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Anything supposedly said by "Anonymous" as a hacker group should always be treated with immense skepticism.
There do exist somewhat legitimate sub-factions that actually take serious actions and do serious ops, and also semi-legitimate "outlets" for their statements... but there's also an overwhelming amount of smokescreen bullshit "anon news outlets" and little script kiddies running around. It's important/intentional that those continue existing as smoke screen for the more "serious" factions.
Beyond that, being an anonymous group with no real methods of confirming membership to outsiders (insiders can just check if you're in the private IRCs and etc) it means that just about anyone and everyone can make some big declaration like this. The proof will be in the results, not some announcement that could be made by a rando.
All that said, there's convincing and considerable evidence (collected by Krebs) that members of Elon's DOGE group have background in the actual hacking ops spaces.
No matter who is really making these threats/warnings, I think things are going to get pretty dire in the US government IT space. It's been well known for decades that most government orgs have absolutely abysmal cyber security, and now you have a bunch of young adult tech-bros with no true accountability running roughshod over all of it. Then there's the fact that more than one of them have "serious black hat hacker" backgrounds.
Going to be one wild ride.
Any examples or sources for me to learn more about these? The only Anonymous news I've heard of since the early days is updates on Kirtaner.
Yeah, they're running around the Treasury Dept right now.
Having worked with government agencies and a lot of large private organizations the thing that keeps them mostly secure is the amount of red tape involved with things. Patching a production system requires a teleconference with at least five different people and no one person knows everything.
The idiots without any security experience coming in to "streamline" things will just make the systems even more fragile and insecure.
Known and vetted systems are always the most secure. Until RSA is broken, and then they'll need to update to a quantum resilient standard. Which we've had in the wild for 6 years already and the NIST has officially approved for 2 years.
We're still at least a decade away from a machine with enough qbits to do it. So i feel like we should be fine.
It's the fucking Credit Bureaus, Telecoms, and Energy Companies I worry about. They keep fucking up.
https://www.nist.gov/news-events/news/2022/07/nist-announces-first-four-quantum-resistant-cryptographic-algorithms
Anyone who complies with the NIST standards is in a good place.
The problem is that a lot of places are not in compliance with NIST standards.
I know, I've helped patch them.
Yep, but we've got at least a decade to do it, and when new systems are stood up they "should" be in compliance.
Based on my experience if we say it needs done in a decade it will never be done.
See also: All the unemployment systems running on FORTRAN
FORTRAN could be said to be security through obscurity though /s
I don't know about government overall, but the military and HHS have has some of the most stringent security stances I've encountered. To the point where just working for them was a massive chore. (How effective they were I guess I don't know, but working for them sucked.)
That said, I'll take what you said on faith, because I think you're spot on with everything else.
Often, ridiculous and onerous procedural security is hiding massively incompetent actual software security or is used to constrain people from discovering security by obscurity holes. Everything I've done in government interfacing as a vendor would seem to confirm this, at least back when I was doing it a few years ago. You'd be hard pressed to convince me it's changed much since.
I once answered a phone call inside a com closet on base. Military IT was already escorting me. Security came because the cameras in the closet detected the camera on my phone. It's definitely physically tight security.
I mean, it's not a secret that governments everywhere run really outdated software (think things like Windows 7 and older) because "it works", so it really shouldn't be too surprising.
I had to help the SSA implement SAML authentication once and they weren't even allowed to share their screen so I could see what they were doing. Totally agree that it's a massive chore.
Yeah. I've only spent a few moments skimming through the linked article but if you were part of a legitimate hacktivism group planning a significant operation why would you publish this statement ?
It's really just spooky hyperbole - as though written by an adolescent that want's to sound scary and powerful.
I would absolutely love to see hacktivists cause some chaos, and maybe even some real financial harm.
The whole point is to being attention to the rise of fascism. Hacking without releasing a statement like this is just terrorism. Releasing a statement after hacking can make it easier for the govt to cover up, like "no we weren't hacked, someone in our server room just accidentally tripped over a power cable"
I guess its pointless to believe their words since there is no way to know if its them. Just look at what they actually do and judge based on that.
I've seen Muni and Regional gov and also dotcoms.
The Govs I've been at were crazy-tight about security. They were unionized and could decide based on conscience vs costs. Dotcoms, though, followed a different trending, one that really focused on costs.