Showing posts with label pentest. Show all posts

Monday, June 27, 2011

Take a bow everybody, the security industry really failed this time

I haven’t said anything about Lulzsec publicly yet, and I don’t really have a good reason for the lack of comment. I have been watching their activities with great amusement. On Saturday I saw they released a large list of routers' IP addresses along with their usernames and passwords. The passwords looked like they were still set to default values. This actually made me laugh out loud, and I had two thoughts. First and foremost, how was this allowed to happen if you are doing regular security checks? Second, who at the offending company will take the blame for this?


First off, I've heard a lot of people say that Lulzsec did security a favor by really showing the need for it. I disagree completely. I think Lulzsec has shown how ineffective the security community and marketplace really are. These were not mom-and-pop targets that got hit; they were several mega corporations that spend more money on security than most people will make in a lifetime. That spending did not stop the compromise and posting of their sensitive data, so what good is it?

Friday, December 04, 2009

Shodan scares me

One of the problems of being a white-hat hacker is that we scare ourselves. Such is the case with the "Shodan" engine that was released last month. It's a simple idea, one that has been discussed before: it scans the Internet for likely web server ports and indexes the HTTP headers that come back. Now that somebody has actually done it, and we can play with it, we find it's a lot scarier than we had imagined.

What this means is that instead of finding an exploit that works on a target system, you can grab any exploit then find a system vulnerable to it.