
Hackers Hijack Critical Internet Sites

         

engine

9:16 am on Jun 28, 2008 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Hackers Hijack Critical Internet Sites [nytimes.com]
Turkish hackers Thursday defaced the official sites of the international organizations that oversee the Internet's critical routing infrastructure and regulate domain names, researchers said Friday. A group calling itself "NetDevilz" claimed responsibility for the hack, which Thursday morning temporarily redirected visitors to the sites for IANA (Internet Assigned Numbers Authority) and ICANN (Internet Corporation for Assigned Names and Numbers).

pageoneresults

9:32 am on Jun 28, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



That's a concern!

IANA, ironically, is the organization responsible for managing the DNS (domain name system) root zone and assigning the DNS operators for the Internet's top-level domains, such as .com and .org.

Makes you wonder how safe any of us are. Then it makes you wonder how much of this happens that is not reported, ya know what I mean?

jake66

9:35 am on Jun 28, 2008 (gmt 0)

10+ Year Member



One thing I never understand about these major hacks is why they always advertise the group/hacker's names. Isn't that what they're aiming for?

Wouldn't it be more of a slap in the face to these dirtbags if nobody knew who really did it?

zeus

10:04 am on Jun 28, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



That's also the reason why I would NEVER use any of Google's new "services". I will always try to keep my business on a private computer; that's why I'm also against all this data collecting hype everywhere.

pontifex

12:11 pm on Jun 28, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Defacing a site and causing no other harm is good for the industry in the long run. Ethical hackers do it for sports not for cash. The aim is to improve the overall security and point with a BIG RED FLAG to the security holes. Ethical hacking is rare enough these days and I hope they belong to that sort of guys: Young, bright and not afraid of technology without the greed for money... "Snow Crash" anyone?

tedster

1:34 pm on Jun 28, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> "Snow Crash" anyone?

Stephenson - yes!

I agree that I'm more comfortable with this kind of thing than with the nasty subterfuge that can be so hard to locate. I'd like to think that somewhere a think tank is working on tightening up DNS security for the Internet, but I'm not so sure.

wheel

2:49 pm on Jun 28, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



>>> Defacing a site and causing no other harm

Bull****. The last guy who defaced a site of mine cost me $1000+ in programming, never mind the loss when my clients saw it. You think that's not harm, send me the $1000. And don't give me crap about how that helped me. 'Ethical hackers' is an excuse. Lock them up in federal prison with everyone else.

I could care less about motivation when someone deliberately damages my business. It's a crime, end of story.

Receptional Andy

2:54 pm on Jun 28, 2008 (gmt 0)



Note that the attackers don't appear to have defaced the official sites - just other domains owned by ICANN and IANA which presumably redirected prior to the defacement. DNS for the domains was hijacked and requests routed to the attackers' own web servers. Of course, that's serious enough in the case of something like icann.com.

Commerce

6:47 pm on Jun 28, 2008 (gmt 0)

10+ Year Member



I find it more than strange that the recent ICANN announcement regarding .anytld came out followed so closely by this.

While I am not a fan of the decision, doing that kind of thing is certainly not the way to win friends and influence enemies.

I must also agree with Wheel's post re damage of business. I would extend it even further to "just hacking to poke around in the server" is entirely unacceptable.

Heck, if someone picks my pocket or picks my wallet off a table to just "look around" in my wallet, I'm going to react quite harshly to that behavior too - I really don't care about the intent.

Take a step up from that and depending upon the time of day, if someone breaks into my home (even if the door is unlocked) to "poke around", they could find themselves an unfortunate statistic with no trial needed for them at all.

-Commerce

BertieB

10:52 pm on Jun 28, 2008 (gmt 0)

10+ Year Member



Wheel, I'm curious - the $1000 in programming, was that to tighten up the code against the future hacks or to remove backdoors introduced with the defacement, or just to replace lost code?

I think the point pontifex was making was about awareness: better for a hack to be visible, so that you know you have to replace code. I would imagine that if a real black hat in $DISTANT_COUNTRY found a vulnerability it could be much worse. Serve up malware, steal login / cc info... once the bad guys are in, it's game over. And they don't tend to leave big signs saying 'j00 hav bin pwnt by t3h russian ma4ia'.

But I don't want to do the "Got lemons? Make lemonade!" bit; your website[s] got hacked, it sucks big time and it cost you money. If it happened to me I'd be baying for blood too.

JS_Harris

2:34 am on Jun 29, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



It looks like they didn't discriminate; they apparently defaced at least one US-based article writing service.

webfoo

3:13 am on Jun 29, 2008 (gmt 0)

10+ Year Member



> Defacing a site and causing no other harm
Hate to break it to you, but defacing a site is causing harm! If they're defacing the site, why wouldn't they cause further harm?

> I find it more than strange that the recent ICANN announcement regarding .anytld came out followed so closely by this.
Yes, funny coincidence, eh? Commerce, your post is excellent. I don't want anyone "poking around" in my servers - or my wallet - or house. If these so-called "ethical hackers" want to "poke around", tell them to get their own servers!

> The aim is to improve the overall security and point with a BIG RED FLAG to the security holes.
The aim of who? Not these hackers.

vincevincevince

8:50 am on Jun 29, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



In the past, I have been the victim of hacking. It resulted in a great deal of trouble for myself and my clients. The attack revolved around sending spam email from the server through a bit of software that was installed there. Just as easily, it could have resulted in the theft of data and/or personal information.

It took a while to track down the problem as the footprint was well hidden. It was quite a few days before we'd worked out that it was a hacking problem and not a server malfunction.

I can honestly say that had the site been defaced, whilst it would have been an unwelcome shock at the time, at least I might have been able to deal with the problem (i.e. reimage and patch) before these harmful hackers came along to start sending email.

CainIV

11:53 pm on Jun 29, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You do not have to hack a website to prove a point. Almost all of us would listen intently to a person who contacted us directly telling us they *could* have hacked us via x,y and z but did not, and we should have the issue looked at.

Following through with it is the same as following through with stealing an unlocked car to prove a point.

HugeNerd

4:45 pm on Jul 3, 2008 (gmt 0)

10+ Year Member



While it is an oxymoron to have an "ethical hacker," I believe some hackers intend to do good. They minimize the harm they cause and point out significant flaws in an established system.

For example, my apartment was broken into this past New Year's whilst I was away revelling. My rent check was left on the counter along with about $80 in cash; they didn't even move them. No electronics were taken, no DVDs were missing, as far as I can tell nothing had been removed or even disturbed. They even locked the doors on their way out. The only sign anyone had been inside was that EVERY SINGLE WINDOW (including skylights) had been opened and my bathroom faucets were turned on.

My reaction? Of course I felt violated...and called the police. I then had new locks put in, security doors installed, and flood lights on timers put in the parking lot. I even bothered to activate my security system and pay the monthly fees. Was it cheap? No. But it IS cheaper and easier than replacing all of my possessions, even with renter's insurance.

The lesson? A problem was discovered and corrected. So the hackers may have done it for a thrill, the way my violators appeared to have done it, or for more nefarious reasons. My guess is that more good was done for me than harm...the next break-in could have had significantly more disastrous results.

I do not live in a "bad" neighborhood or have shady neighbors. The crime rate in my area is rather low for a larger city, so I had no reason to anticipate such troubles if I consistently locked and deadbolted my doors. No problems since then -- not a single break-in in my entire neighborhood. Maybe my attackers had some sort of ethics and helped me recognize my naivety.

P.S. Anyone seen the movie Sneakers? Give it a watch and think about ethical hackers.

SEOMike

7:21 pm on Jul 3, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> they could find themselves an unfortunate statistic with no trial needed for them at all.

Amen.

> Maybe my attackers had some sort of ethics and helped me recognize my naivety.

Did you discover all the hidden cameras they placed around your house? ;)

HugeNerd

3:19 pm on Jul 7, 2008 (gmt 0)

10+ Year Member



They wouldn't need cameras to see most things that happen in my apartment...if they wanted to see in my bedroom they would only need to visit a neighbor's roof deck as I am much too lazy to install blinds on my skylights. :o)

johnnie

12:20 pm on Jul 8, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



This stuff really should be decentralized a bit more...

BillyS

1:16 pm on Jul 8, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



My site has been hacked three times. Each time it occurred because I had not kept up with security releases on the CMS we use.

The experience cost me money and made me a bit more sensitive to upgrades so maybe that's a good thing. But the lesson was an expensive one.