When they're attacking Sony it's "righteous" and "good", when they're attacking companies we like they're "bad" and "immature". They've always stated their intention is to create "lulz" and just do whatever damage they can, apparently people overlooked this when they were attacking people everyone "hated". Luckily Minecraft wasn't down for too long, some of us are directly affected by this stuff, sigh.
These attacks are annoying and damaging but in the long run they make our internet stronger. If these didn't happen so often people would care a lot less about security and robustness.
Sure, and I can go around punching people in the face and tell 'em that I'm doing 'em a favour by reminding them to always wear a full-face helmet when out in public.
But if nobody except me is a big enough asshole to go round punching people in the face at random...
The difference is that one of those people could very well return the favor and give you a proper ass kicking, or determine your identity with relative ease and file a complaint with the police.
The disincentives that exist for your example and those that exist for actions similar to those taken by lulzsec are radically different.
The conclusion that people should walk around with full-face helmets is ridiculous because of the existing disincentives for assaulting someone. The conclusion that companies should secure their networks, not such an unreasonable expectation.
I don't think it's that easy to identify the hackers. Even if you could, which legal jurisdiction applies? What are the legal remedies?
Securing networks is indeed a noble goal, but are we prepared to pay for the infrastructure?
The end result does not justify the means, and we all know how the story goes. More legislation to "prevent" hacking, and everyone suffers under the yoke of over-reaction.
you are ignoring the fact that China (a powerful recent player in math and physics), Russia (long time math and physics powerhouse), or any number of criminal elements have known about these security problems and have possibly been taking full advantage of them for some time, just skipping the publicity bit. LulzSec is, among other things, shaming the companies into tightening up.
Red teaming is a good thing.
Edit: to be clear, I agree there's no red-team value in DDOS. Though some have ascribed a "sit-in" utility to DDOS in certain circumstances (eg: Anonymous vs MasterCard after Wikileaks broke CableGate).
Wearing a helmet in public would be considered over-the-top whilst LulzSec are generally taking advantage of simply holes (Not considered 'over-the-top') in the websites/servers of multi-million/billion dollar companies.
Silly comparison. There is no reason for people to wear a full-face helmet in public. There may be a reason for people to know self defense though, which is why some martial arts clubs go out on the town with the specific goal of beating someone up: to remind that person and everyone else sees it that they need to know how to defend themselves.
Sure, life would be grand if no one ever broke into computers. Security is expensive and not remotely fun. But there will always be someone out there motivated to break in. It's good that these guys are doing it publicly. The more common and nasty ones keep their mouths shut and use our machines to do bad things.
The attacks on the Minecraft and EVE servers were DDOS attacks. Nothing sophisticated, and the easy way to avoid them is to just get more servers, which really isn't a good solution for smaller developers.
EDIT: I suspect the only reason they didn't succeed getting to Blizzard is because WoW was down for Tuesday maintenance.
I suspect the reason is simply because they don't have the resources. EVE maxes out at about 35-40k simultaneous connections, WoW is probably closer to 400-500k per region.
They targeted the EVE login server however, and I doubt that is designed for 35-40k simultaneous connections, as to acomplish those conditions, all users on the server would need to log in at the same time. The same is probabaly true for WoW.
The login server for WoW easily and routinely handles an incredible number of simultaneous connections as huge percentages of the player base attempt to log in at the same time, particularly after a large patch. There used to be incredible issues with the login server, but these days Blizzard is an extremely tightly run ship. They know where their money comes from, and what it takes to protect the cash flow.
Maybe they'll raise awareness of security issues and get companies to take it more seriously. Or maybe we'll just see more security theater and companies will use their lobbying powers to put in place draconian laws against any form of "hacking".
I suppose a bit like firesheep has cause a lot of sites to start pushing SSL more aggressively and even looking into dealing with some of SSL's quirks that have kept it from gaining more popular usage
That's not what happened here, though. There wasn't any release of server info; from the tweets, this was just a string of DDoS attacks.
If my account information or personal details are vulnerable to theft somehow, I want to know about that. But if a server I play games on can be taken down by DDoS, I'd happily go the rest of my life not knowing or caring so long as it doesn't actually happen. It contributes about as much as showing me that that bridge I like to drive over is susceptible to bombing.
My credit card number was used from Turkey this week. I have absolutely no idea which website was compromised. And I am pretty sure that whoever was compromised has no idea either.
Might not be a website - my wife's and my debit cards were compromised last year within two weeks of one another. The only thing they had in common was that they're at the same bank; she has never even once used her card online.
Our conclusion was that Chase Manhattan had been compromised. That's kind of scary, really. They have to be spending serious money on security.
To clarify, by "they have to", are you stating a fact or making a demand? One would have thought that Citigroup would have had some pretty tight security as well.
I think I'm accentuating an assumption - and when I saw the Citigroup story, I had precisely the reaction you just expressed here.
And yet you know that Chase and Citigroup are spending money on security in copious amounts. My heart breaks to think of all those guys getting paid not to know jack. (Or, just as probably, all those guys getting paid not to be able to shove jack through the corporate process.)
It could have been coincidence and an offline compromise for your wife. There are a lot of skimming operations out there. Plus when you give your card to a waiter at a restaurant, nothing stops the waiter from copying your information.
In my case the fact that the purchase was made from Turkey suggests that it was an online compromise.
You do understand that lulzsec is deliberately publicizing acts that would usually go untraced, right? Security is security: If you don't have any and you house information, you will eventually be burned.
Yes it's getting annoying, but they're doing it for the lulz. You can't say the same about all the other malicious hackers.
Should I rob every house that doesn't have an alarm or leaves the window open?
I agree with you it "helps" to care more about security and robustness. But I don't agree in the way. I have a dream that one day my website with minimum security won't be hacked for lulz and will be treated with respect. =)
Let's phrase this in another hyperbole, shall we? Should you rob every bank that doesn't have an alarm or leaves the vault open? No. But if a lot of banks had no policies in place to prevent those things from occurring, would you feel more secure that someone was walking into the bank, taking photos of their break-in, and not stealing the money?
I don't agree with their means (it's wrong, IMO, to mess with any machine you don't have permission to mess with) but their end goal aligns with mine: make the world more secure.
> I have a dream that one day my website with minimum security won't be hacked for lulz and will be treated with respect. =)
Would you rather have your site hacked for lulz, or would you rather someone go in and sell your customer's data on the black market?
But if these are just DDOSes, then (a) there's no way to steal sensitive information that way, and (b) there's no real defence against 'em anyway. So this particular argument is pointless, right?
There's an argument for whiteish-hat intrusions, but DDOSes must be intrinsically black-hat, right?
No. While I agree there's no red-team contribution in a DDOS, quite a few people regarded Anonymous DDOSes on Wikileaks detractors (MasterCard, et al) as the digital equivalent of a sit-in. That seems a bit of a stretch to me also, but certainly there's some application of DDOS that's not purely black-hat.
Should you? No. But I guarantee if you did, the publicity would educate people about locks.
A more apt analogy might be: opening a poorly locked door to a business, then walking behind the counter and grabbing full print-outs of all their customers' information that was left lying there.
I hope you don't take the same lax approach to security when it's more than your personal documents at stake.
Anyone want to go conspiracy theory with me and wonder if some government agency wants more power to go after groups like anonymous and wikileaks and so are doing this themselves to get both people and the rest of government on board to give them more broad and exciting new powers (at our expense) to go after the real groups?
I keep hearing this conspiracy theory pop up in almost every thread both here and on reddit about lulzsec's activities.
Can somebody give me a "worst case" scenario for a government crackdown on the internet?
What's to stop me from running tor? From VPNing out of the country myself? How would this alleged crackdown affect me?
And are you all new to the internet? Hacker groups like this have been around since...ever. I will admit that their publicity seems to have been waning in the last 5-6 years, but we're not really seeing anything new here. The only new thing about it is that this time it's happening on twitter.
This isn't a government cover-up. This isn't a conspiracy. It's one or several nerds doing what most nerds love to do: cause trouble. It's just that this time, it's happening on a much more public forum.
What's to stop you? the government making it illegal to run hacking tools like "tor" (see the silk road/bitcoin post on HN from earlier) etc illegal and forcing your ISP to record any use of such and block you off the internet (see france's 3 strikes, you as a person are not allowed on the internet law) and report you and then possibly criminally prosecute you as well.
>the government making it illegal to run hacking tools like "tor"
Do you think that there is nothing illegal that happens on the internet now? How long was it illegal to export encryption? How many people actually cared?
>forcing your ISP to record any use of such and block you off the internet
The encryption standards that we all use are the same encryption standards that are recommended by the NSA. Unless my ISP knows something that the rest of the world doesn't, it's functionally impossible for them to see what I'm doing if I'm either using tor, or tunneling out of the country on the back of a VPN.
Tor was invented by the NSA, by the way, for exactly this purpose.
Look at what Iran/Egypt/etc have done to try and crack down on internet usage. Or even China. Look at how successful that has been.
Taking Egypt as an example, their attempt was technically pretty successful. The problem that government had was political, and that was because it was a dictator enforcing it on his people without being able to convince the people that it was the right thing to do.
If the US Government were to bring it in as anti-terrorism laws, while some people wouldn't like it, it wouldn't cause riots on the streets and firefights between the army and the citizens.
Will the US try and do this? I doubt it. If they tried, would political opposition prevent them from getting it done? I think and hope so. But the point is that if it did happen, it wouldn't happen in the same way as Egypt, and so wouldn't face the same reaction. In Egypt, action preceded debate. In the US, if it ever happened, by that time the chance to prevent it would have been lost.
Depends on your definition of successful. But I consider it a failure for the people (in the case of China) when the government has a list of people they consider dissidents and when those middle eastern rebellions kicked off they just preemptively arrested them all. I don't know how that list was generated, but if tor usage was enough to get you on well then...
Yes tor was made to hide what you are doing, but if using tor alone is enough to cast suspicion or guilt on you then what?
Actually, Paul Syverson, Roger Dingledine, and Nick Mathewson orginated Tor, and Dr Syverson did the original onion routing work at the Naval Research Lab.
I don't recall seeing "NSA" anywhere on any their resumes, in their papers, etc.
Syverson has made it pretty clear Tor is not so good for serious security, eg, trying to evade nation-states. Evading nation-states is what PGP is for. Fundamentally, if you want a pizza, the pizza delivery guy has to know your address, no matter how many intermediate stops he makes. Also, have you used Tor? Speed is a major issue.
Actually, I'll admit that I can't either. I may be wrong about this, and it may have just been a rumor that sounded about right (NSA has made several contributions to the cryptography community)
Discuss secure coding techniques, perform security analysis on software (and closed-source services with bug bounty programs!), make sure your own projects/products are secure, and generally just keep security -- not just attacks -- in the limelight.
I think it's dismissive to jump to that conclusion - they're likely turning a healthy profit by dumping lists of emails, credit card numbers, and zero-day vulnerabilities on the black market.
If they wanted to do that, then I don' think they would announce it.
Offering someone a bunch of private data, 0 days, credit card info, but then making it useless in a few hours because you announce it to the world, hardly seems like a viable/profitable business.
Not that LulzSec has made sense up until now but why bother taking out online video games? I feel like that's alienating the population that would normally support or at least be indifferent about a group like LulzSec.
There's something that's just...well, for lack of a better word, special, about being the on the same playing field as everyone else, but working under a completely different set of rules and deciding for yourself how the game is scored.
The best example I can give is how my brother used to grief Counterstrike on TK-enabled servers - he didn't do this by killing his own teammates, or by cheating against the other team. Rather, he would lure his teammates into killing him often enough that they got auto-banned from the server; his rationale was that everyone was too freaking good at CS anyways, might as well make the game more interesting and difficult for himself, at least. :)
When you decide for yourself which game you're actually playing, sometimes the lulz are just too tasty to resist...
That said, DDoSing a bunch of game servers for games that are completely unrelated and haven't done anything in particular worthy of retaliation is moronic. There's no poetry there, just a bunch of children playing around with the 2011 equivalent of AOHell (and yes, I realize that most of them are probably to young to even know WTF I'm talking about).
Think of the Lulzsec activities as more of an art than an act of vandalism. (Most taggers/spray painters feel the same way, and are also known to deface their own stomping grounds)
edit to the downvoters: I'm not defending their actions, just putting myself in their frame of mind
Pseudo-anonymity brings out the worst in people, rather. (Or: If there is no risk of being punched in the face or otherwise given a strong physical disincentive, then behavior tends to deteriorate.)
Agreed. It looks very much like a front, or weird viral/marketing operation. Not sure it is by a government but that'd be possible. They piss off literally everybody, and don't even have the remote resemblance of anything like ethics. Smells like a caricature.
They hack company after company in such a short time, are very vocal and cocky about it, but still manage to not make mistakes and get caught. "Too good to be true" rings a bell?
Maybe they're trying to lure people in somehow? I couldn't even guess what the goal is, but it's weird.
> UPDATE: The group now claims to have taken down the League of Legends login servers as well as eight other sites requested by users phoning in.
Their claim is to have taken on phone-in DRM that pissed off users -- to the point the users wished the servers to crash and burn. Pretty much similar reasoning to Sony hacks, if you ask me...
Acting like defacers wasn't low brow enough, now they're just borrowing a ddos botnet? What's next in this high tech crime spree, supergluing all the lock tumblers at the local mall?
Honestly (ex-Riot Games, League of Legends contractor) I wondered how well the infrastructure choices for their login server would hold up. There was a huge amount of complexity involved in it, which is REALLY hard to get right.
I just hope it wasn't code that I actually wrote that let them in. :) If I was betting, though, I would bet that it was a vulnerability in Adobe LiveCycle Data Services.
I admit, I was at work for the entire downtime so it didn't bother me, but I am pleased with their response to the situation. Hitting the big red button may be a drastic step in response to DDOS, but at least they were willing to take security seriously.
I wonder if there's an ideological "faction" (not an actual group or organization) of Anon hackers, the ones behind the hacktivism (pro-Wikileaks, anti-dictators, anti-corruption in democracies), who feels like groups such as LulzSec are tarnishing the reforming image of Anonymous. Prior to this month, they were getting almost mainstream approval as supporters of liberation movements in the third world.
Isn't this exactly what we're seeing? A split of "anonymous" into folks who want to piss on things for (often misguided but still there) political reasons and folks who just want to piss on things for the, as it were, lulz?
meaning it is much easier to break something than to build it in the first place. And it holds so very true for virtually any networked app or service.
Agreed. I wasn't going to say anything about it, but then every other day I see a new story and I roll my eyes in disbelief that they have struck again - then I don't say anything thinking it will be the last and wake up 2 days later and the cycle repeats itself. So I had to say something this time.
The most ironic thing about all of this though is they are likely destroying the very feature (anonymity) that they are exploiting.
All this does is give ammo to the record companies that want tight restrictions on the internet. Once that happens, it's game over. They can't win that one.
Why is this article suggesting people change their login details? Is this anything more than a ddos, have the servers actually been compromised? Or is it a warning to change before they get compromised?
Better safe than sorry. After the DDoS, CCP took the entirety of EVE down to do a security audit. Minecraft seems sure that it was only a DDoS, but they don't personal details on their servers like CCP does.
'Hackers' used to have a special status, but soon enough they'll be considered like pirates were in the 17th century. It's just isn't cute anymore. Or harmless.
They have an twitter account, thus a quick phonecall to twitter from US gov for an IP and mac address should put an end to all of this. Also they have a site up, so simply check their dns and domain provider for a whois (most likely private - so might require pushing). They are also on The Pirate Bay, so they might have some IP data too. meh
No. Not that easy. They use VPNs offshore chained together not to mention the off shore vps' they have. Of course they would use protection when even just getting on Twitter, so a phone call from the government would do very little as the give would receive an IP from somewhere offshores that doesnt give a damn about US law, providing time and security to lulzsec.
I wonder how secure those VPN providers are. Regardless, my bet is that these guys will get taken down via a Kaczynski vulnerability. That is, someone that personally knows them will figure out that they are responsible and report them to the authorities.
"David Kaczynski had once admired and emulated his elder brother, but had later decided to leave the survivalist lifestyle behind.[74] He had received assurances from the FBI that he would remain anonymous and that his brother would not learn who had turned him in, but his identity was leaked to CBS News in early April 1996."
I doubt they use only "paid for" services in their chain. There are very likely normal user-boxes (like your moms) and "forgotten" servers involved as well.
It's not easy to back trace when you have to send in someone to do forensics on a computer.
Do you honestly think that they make such rookie mistakes?
It wont be that easy to track them down.
But im pretty sure the .com domain will be seized soon.
Does anyone else see this as an excuse to limit Net Neutrality by various world governments? I hope these actions which are carried out for the sheer 'lulz' don't lead to more concerns with the freedom of our wonderful worldwide web.
Notice that certain targets are avoided? What I mean by targets is that everything is low hanging fruit only..a sql injection here and sql injection there...nothing really highly skilled. Also targets missing from the list is
heavy duty military and gov sites. For example, a low level FBI contractor was attacked not FBI itself, not CIA, non DoD,etc.
The conclusion I come up with is that LulzSec was infiltrated to get anonymous by government agents. After they get anonymous they might figure that they than have info on how to get wikileaks.
I just hope that the league of american white old men doesn't meet and decide that the answer to Lulzsec is naturally the removal of more freedoms for the sake of security and much easier wiretapping by the FBI.
It has apparently become unfashionable to mention this fact. I hereby retract "league of american white old men" and substitute instead "league of american over-reacting nannystate citizen-leaders of indeterminate age, race, or sex".(1)
(1) They also may or may not have formerly said "Ni!" Hacker News, like Camelot, can sometimes be a very silly place.
The internet is a shitty place.