While this is true on a theoretical level, in practice the people capable of breaking into a properly secured system are pretty rare, and most breaches occur because a site really screwed up on the security side of things. When you here about sites getting breached because of SQL injections, unpatched servers, re-used admin passwords, etc... it means somebody simply wasn't thinking about security.

Read the whole thing! :)

True. Unfortunately, the number of systems that are improperly secured because somebody who does not know what he is doing prepared the security policy, or did the security design and implementation, or monitors the network, is still very large.

I work with network managers who implement Windows networks regularly. I have yet to see one who did everything right: observes all best practices, keeps everything up to date, knows how to prevent spoofing and intrusions, and actively does so at all times.

I did. Still don't get it. Apparently SPL didn't get it either. Even if that's not what you meant it still comes across as divination.

Ah! Alot better, thanks.

more attack wonder why they would attack minecraft
LulzSec The Lulz Boat
Eve Online, Escapist Magazine and Minecraft are all down. We let Fin Fisher back up (30 minute temporary fire request completed!)

Sadly, this wouldn't be the first time Minecraft was brought down.

Talking about hacker credibility - none left.

And just to emphasize this point, I came across this today, which goes into some of the anatomy of the recent hacking of Citibank (an attack which captured the account details of a bit over 200,000 Citibank customers). It turns out the Citibank website simply used people's account numbers as part of the URL when accessing accounts, and changing the account number in the URL then allowed access to other people's accounts (with no additional authentication other than the account number in the URL). For those who don't immediately recognize how mindblowingly stupid this is, let me put it this way: there is no form of facepalm that can adequately capture the magnitude of this security failure. I used this exact same type of "hacking" technique on a few minor, poorly set up forums back when I was in high school (in the mid 90s) and barely knew anything about computers. For a major bank to have this kind of vulnerability is a WTF of unbelievable proportions, but this is unfortunately the state of security for many large companies and organizations.

The first thing I see that needs to be fixed as far as internet security is 128 bit encryption being the standard instead of the exceptional. Especially when the site involves transactions or is owned by a major corporation. It may not stop all attacks on the database, or any plain attempts to crash a server through ping of death/ping floods etc. But it would vastly limit the openings in security that involves interactions between the client/server.

It was probably Sony, taking revenge on them for showing such preference to Microsoft when it came to release dates in the past. If you can't beat 'em, join 'em.

Just saying that a particular key size should be used for encryption (whether it be encryption of the connections, encryption of the databases, or so on) is pretty meaningless without first having a much broader set of best practices specified and closely followed. For example, it doesn't do much good if a 256 or even 1024 bit key is used if the cipher being used is XOR. Alternatively, it doesn't matter if a database is encrypted with AES-256 if the server containing the decryption key can be trivially accessed due to running software that hasn't been updated in several years and has numerous known vulnerabilities. Simply trying to increase the encryption key size without first addressing issues with the rest of the security architecture is like trying to armor plate your door while the hinges can still be easily unscrewed from the outside.

Without a doubt. But I'm addressing the issue of a complete lack of encryption. I suppose using your metaphor, having hinges on the inside without any door. Websites that store any type of user information should be, IMO, required by law to use a secure connection.

I'm definitely not trying to downplay the importance of other methods of database security.

Do people still think Lulzsec are funny now they are targetting EVE and Minecraft? http://www.rockpapershotgun.com/2011/06/14/lulzsec-minecraft/