A look at moments in infosec history that left us dumbfounded.
What were they thinking?
We asked readers to vote on the most notorious "what-were-they-thinking" moments in the history of information security -- those occasions where people in the industry defied all logic and left the rest of us dumbfounded. Here are 10 of your picks.
When Oracle launched its "Unbreakable" marketing campaign a decade ago, the idea was never to suggest its software could never fall victim to vulnerabilities and exploits. It was more a statement about being committed to the goal of making it unbreakable.
But when it used that word, expectations were raised to a level no software maker could meet.
In the years that followed, when tons of vulnerabilities were uncovered by the likes of researcher David Litchfield, Oracle suffered a reputational blow. To its credit, the database giant has worked feverishly to do better. Under the leadership of CSO Mary Ann Davidson, Oracle has put a rigorous security assurance program in place.
The hubris of Aaron Barr and HBGary
In an early 2011 article entitled, "Cyberactivists warned of arrest," Joseph Menn quoted HBGary researcher Aaron Barr as saying that, "he had collected information on the core leaders, including many of their real names, and that they could be arrested if law enforcement had the same data." Naturally, the hacktivists retaliated, breaking into HBGary's networks and posting archived executive emails on file-trading networks.
Nick Selby, police officer and CEO-Co-Founder of StreetCred Software, Inc., said this in a CSOonline guest column:
"I don't know much about law enforcement, but I do think that, if you're planning, say, to serve a felony warrant, it's a bad idea to phone ahead and let the guy know you'll be by in 15 minutes."
Obama's flat-footed response to Stuxnet leak
When Iranian nuke facilities were attacked by the infamous Stuxnet malware in 2010, many assumed it was the work of the U.S., Israel or both.
Last year, U.S. Attorney General Eric Holder announced a criminal probe shortly after a lengthy article by The New York Times' chief Washington correspondent David Sanger reported that anonymous, high-level sources in the Obama administration had told him that the U.S. and Israeli governments had indeed used the Stuxnet worm to attack centrifuges at Iran's Natanz nuclear plant.
This made the Obama Administration appear flat footed and not in control of classified information related to U.S. cybersecurity efforts. Critics also lashed the administration for trying to crush freedom of the press.
In the final months of the 20th Century, fear escalated that the world would be plunged into darkness at midnight Jan. 1, 2000, because most computers were not programmed to go past 1999. The idea was that internal computer clocks would roll over to 1900, rendering everything from ATM machines to personal computers useless. The New Year came and went without incident. To be fair, an argument could be made that nothing happened because all the FUD led to the necessary fixes before disaster could strike.
No email, no problem
Homeland Security Secretary Janet Napolitano left many in the industry dumbfounded when she suggested she could do the job without using email. At a breakfast for reporters in Washington hosted by the Christian Science Monitor recently, she said, "I think email just sucks up time ... in a job like mine [it's] inefficient." Why the shock? Many believe that in this day and age, without email, it's almost impossible to receive, analyze and understand all the intelligence necessary to ensure cybersecurity. In her job, some argue, email is pretty darn important.
BSidesSF's Violet Blue debacle
BSidesSF ended on an unsettled note in February 2013, after a complaint led to a canceled talk. A lot of people were upset that a talk would be canceled after criticism from just one person. The talk was to be delivered by Violet Blue, a writer and podcaster specializing in sex education.
At the time, we questioned why she was put on the agenda in the first place. But that's not why this incident made our list. Rather, it's because of the ham-handed way in which one of the event organizers handled the matter. The better approach would have been standing up for the talk after putting it on the roster.
World's number-one hacker
Gregory Evans calls himself the world's number-one hacker and that's been accepted by some major TV news networks that invited him over for interviews. This, despite reams and reams of court documents outlining his misadventures, including charges of fraud and plagiarism.
The folks at attrition.org have documented what they see as the Evans-LIGATT conspiracy to fool the world, and it's essential reading.
RSA's APT moment
Security company RSA's revelation that its network had been breached and information relating to its SecurID one-time password technology stolen left customers and industry experts dumbfounded in early 2011. Particularly shocking was that a security company of RSA's size and reputation could be compromised.
Spectators at the Macy's Thanksgiving Day parade in New York City got a surprise last November when they discovered that the confetti raining down on them included confidential information. CNN reported:
Saul Finkelstein, a Manhattan attorney, was watching the renowned parade with his 18-year-old son Ethan, as they do every year, when they noticed a piece of shredded paper that appeared to have a Social Security number on it.
"There were shredded papers all over the place, like snowball size, all over the ground," Finkelstein said. "There were whole sentences, license plate numbers and police reports."
As they looked closer at the confetti, they came to realize the shredded pieces of paper were documents from the Nassau County Police Department.
The perils of legislating security
Though some in infosec have criticized Congress for failing to produce a cybersecurity bill that can pass, others would prefer nothing reaches fruishion. The reason: Congress keeps pumping out legislation that does little to bolster security and much to give the government unlimited power to invade our privacy. For an example of the surreal, take a look at the current version of the Cyber Intelligence Sharing and Protection Act (CISPA).
As written, it would allow private companies to share a wide range of customer information they deem to be related to cyberthreats with U.S. agencies like the National Security Agency.
"It still allows massive amounts of private user data to be shared with secretive agencies," says Evan Greer, campaign manager at digital rights group Fight for the Future.