It puts me on edge that these idiots would pick such media-friendly targets to strafe with their clueless bandwidth wastage; not looking forward to the next round of "cyber security" laws one bit.
"Hey dad, tell me just one more time about how when you were a kid you used to be able to make TCP connections freely and without the connection first being authorized by the NSA." "Go to sleep, son."
More each day, I'm feeling like an old gun slinger watching the freedom of the wild west die, from my rocking chair in front of the cafe as one of those new-fangled automobiles goes smoking down the street.
It isn't, there's no point in doing that, not to mention how illegal that would be. The US govt doesn't need any more scandals of this nature (wiretapping is enough I think).
Also, whenever a government really wants to do something, they'll use any excuse that's available. For example; PATRIOT ACT, DMCA, Iraq Wars, etc. etc. For cyber-security, if none of this Anon or LulzSec stuff happened, it would be Russian or Chinese hackers that are infiltrating and by god we must protect Americans from those evil foreign hackers. Or they would rely on the terrorist excuse: the terrorists are losing in real life so they need to re-build support and attract younger people so why not hack some sites and gain new supporters that way? Beheadings and suicide bombings really fuck up the recruitment rate for terrorist organizations.
See how easy it is to come up with an excuse that the internet needs to be locked down?
"It isn't, there's no point in doing that, not to mention how illegal that would be. The US govt doesn't need any more scandals of this nature (wiretapping is enough I think)."
Just some random examples I pulled in 5 minutes. I don't believe the argument "...not to mention illegal that would be." or "The US govt doesn't need any more scandals..." has any bearing whatsoever on their decision making process at the level of authority needed to authorize something as a false flag operation for various reasons.
You're right of course, but my main point is they don't need to do much in order to come up with an excuse to do something. I'm sure there are easier ways to get consent for locking down the internet than to create a false flag operation; just use something that already exists (copyright infringement, terrorism, porn, war on drugs, etc.)
here's a thought: perhaps the fact that LulzSec is perpetrating this stuff rather than scarier alternatives like China or Russia will point out the absurdity of the situation rather than forcing heavy-handed legislation.
headlines like 'witty 19 year old college student breaks into CIA' is a lot less scary to the general public than 'Chinese hackers exploit CIA website'.
I hear this concern, but I'm not quite sure what the government can even do to "civilize". What would it mean exactly? Tighter regulation of domains, criminalization of encryption, tracking down and harshly sentencing crackers, forcing an "Internet ID", registering hardware? Any of these measures seems extraordinarily expensive. Maybe doable if the CIA drums up a War on Hacking, shifting attention away from the War on Terror, post-bin Laden.
In Vernor Vinge's novel Rainbows End governments have done pretty much what you describe - running any kind of computing device that isn't part of their "secured" infrastructure is illegal:
Is there any evidence at all, though, that it's a false flag operation? So far as I can tell, the argument is implicitly "It's impossible for anyone in the world to be anywhere near as stupid as LulzSec appears to be, so it has to be a government plant." Unfortunately, that runs afoul of the maxim to never underestimate the depths of human stupidity...
Or is this more said in jest, a way of just pointing out that the script kiddies behind LulzSec are really, really stupid and doing something that threatens to undermine a free and open Internet?
OK, why's this almost a 100% sure a false flag op? Because they're using a giant botnet ("Lulz Cannon"), and not something like LOIC (Low Orbit Ion Cannon, what Anonymous used). Who uses botnets? ScriptKiddies? Maybe if they've got access to rich Daddy's gold credit card to buy these botnet minutes from the web crime pros in Russia; but for sure they can't build a powerful botnet like this. The "good guys" Anonymous apparently had some very skilled people; the chance that the "idiot ScriptKiddies" LulzSec has even more of them is very small.
And on the other hand: What would a false flag op use? LOIC on their own PCs at home? Or in the agencies? LOL, for sure... No, they'd use a giant botnet; what else...
And lastly: Always ask the question "Cui bono?" (Latin for "who's gonna profit from it?"). In the Anon case it was clear; they were activists trying to express their support for WikiLeaks and their anger on organizations that ceased support for WikiLeaks. But who's profiting from what LulzSec does? They themselves? Think again!
Yeah, past couple years have not been good at making the case for a free internet. Rampant hacking, information leaks such as WikiLeaks and attacks on infrastructure like Stuxnet. The more we move towards network centric warfare the less the government will want to leave the internet free and open.
What happens when 11 year olds can Metasploit a predator drone and drop a Hellfire on their school?
depends on which corporations you ask, Comcast would love to be able to sell you just certain websites in a package deal. Starter package, including Fox, CNN and Comcast.com, for 30$/mo next step up is the premium package including Facebook and twitter for 60$/mo.. but if you want YouTube and Netflix you need the platinum package for 120$/mo.
I really hope that scenario never happens, but if we get more Lulzsec like things we will get laws making sure everything is regulated and monitored.
While I strongly dislike telecoms, what you're describing is pretty much the opposite of a highly regulated Internet.
I suspect telecoms would actually oppose most forms of regulation a government may be interested in, not out of any desire to protect their customers, but simply because it would decrease profits.
I think it reflects worse on the companies getting hacked than the need to fight hackers. Of course there will be hackers, but how many people now don't trust Sony or Citi?
that is very true, but the media seems to spin it purely against the big bad hackers. Trust me, I love that these companies are finally getting a reality check! I mean the Citi hack was URL modification. Please, that's like figuring out if there's http://something.com/2.jpg there is probably also 1.jpg and 3.jpg
Ahem, who has all the guns and tanks and helicopter gunships in your country? I'll bet it's not the phone company. A corporation has 1% of 1% of the real power of any government.
Could LulzSec actually be working for the Government to help create that "civilized" Internet Sarkozy was talking about. They've certainly created the "worst case scenarios" that politicians can point to now.
But the most surprising thing about them is how confident they are they won't be caught. Can they really be that sure that they will never be caught doing these attacks? Or are they just reckless?
But if they are for real, it might be understandable if they actually had a cause, and a good one. Doing it for the lulz, doesn't seem like a very good cause, and it's only going to give politicians more ammo to restrict the Internet because of "these crazy hackers" that prove the Internet is very "chaotic".
At least when Anonymous attacks they have a pretty good cause, that could actually be supported by most of the public. LulzSec attacks are getting less and less defensible, and maybe even suspicious.
"Recklessness", in particular due to youth, is a plausible scenario. ISTM that attack surfaces have been growing faster than our capability or willingness to secure them. LulzSec is scoring a lot of websites but has not uniformly gotten access to a lot of really valuable data, only sometimes.
Hacking websites isn't really that hard. Especially if you're just shopping around the net for vulnerabilities and then announcing what you hit post-facto (a "called shot" would be a bit more impressive). This is well within reach of invincible-feeling teens. It's a statement about the poor level of security we have; this stuff really is way easier than it should be.
The crazy thing is (I believe) large botnets are worth a lot of money on the black market. It makes no sense that they would waste their network to take down government websites "for the lulz". Something is missing about the situation.
I don't think something has to be missing here. My experience tells me otherwise, that many botnet ops go for fun and profit and it's not so strictly "just business".
But the politicians will make it seem like it is. These are the kind of people that thought "hacking the Internet" in The Core was a plausible scenario.
This has been mentioned frequently. Whether it is the case or not, we can do little more than donate a few bucks to the likes of Demand Progress and EFF.
I just wonder... would merely announcing that CIA.gov is hacked on LulzSec's highly-popular website be enough to cause such a spike of curious visitors that the servers collapse?
Kind of self-fulfilling prophecy, it'd be; also a neat hack. Truly anonymous DDoS, too ;-)
All these hacks are nothing but the modern version of kids going out at night and spraying graffiti on public buildings, or going in them to vandalize the hallways, then bragging to their friends at school, and then one day they attack a bigger target and get caught. Only this time they can do all this stuff from their own home so they feel invincible until they get a knock at their doors.
Hilariously, the massive media frenzy surrounding the site outage will send the site enough traffic to DDOS it, even if LulzSec never meaningfully impacted it in the first place.
My first thought too. I immediately tried to load CIA and then thought, "Maybe they didn't hack it at all but just put out their Twitter message to drive traffic at it?"
Or more interestingly, if they were in the process of hacking or something and wanted the cover of a torrent of strangers trying to reach their site.
I just happened to be looking at my Twitter feed the very moment they posted, and clicked the link immediately. No go.
Would this effect happen so quick? I guess they do have a lot of followers, but I'd hope that even if all of them did what I did they could survive that amount of hits?
The other thing to keep in mind is that cia.gov is probably not made to handle lots of traffic, since I can't imagine them having a massive day-to-day userbase... hence I assume it would be rather easy to get them choked up with traffic.
cia.gov does not appear to be behind akamai or similar.
Usually (always?), when a site is using akamai, a reverse DNS lookup for the site's IP yields some akamai domain name, rather than the original one. (This is the case for whitehouse.gov, for example.) This is /not/ the case for the CIA - they seem to do their own hosting. (root.ucia.gov and relay1.ucia.gov come up)
So, it's plausible that the site is in fact run by a very small collection of servers, and that they were sitting ducks for the next red-bull-drinking teen wanting to "hack the CIA".
I can load cia.gov just fine. It doesn't even appear to be slow. I opened up the CIA World Factbook then checked their press section & what's new on cia.gov and there was nothing about it going down.
Also, kudos to the CIA for flipping to HTTPS by default.
Hacking CIA.gov, if they're half as good as one would expect, should yield no more than the static web content hosted. If they're half as good as government contractors tend to be, I expect my tax return to be posted shortly.
Even if they don't care that the site is down they will probably care about the public opinion that a couple of script kiddies took down the site of a top US government agency.
True, it's probably little more than a coat of paint on its house. That being said, they're probably paying more attention to those that just threw eggs all over it, and if they chose, to act accordingly. Not like there would be much that would stop them.
I agree with the coat of paint comment but if we have learned anything about government agencies or large corporations being hacked in the past it is that their Internet security practices can sometimes be painfully bad.
@Below and HBGary was an IT security firm after all...
The CIA should be relatively secure: they are an intelligence agency, after all. Breaching an intelligence agency's website will cause the agency to lose more face than a Senator does after his or her website is hacked.
Can someone explain to this newbie why mine disappeared so quickly, but this stayed? I don't have a problem at all, I just wish to understand the system thanks.
> A broken link gets it immediately marked down? Makes sense.
If we can't open the site, we scratch our heads and move on. On the other hand, if we can open the site, we scratch our heads and say: "Yeah right! The site isn't down! No upvote for you!"
I've seen a lot of the sites they have compromised before; can't disclose where. I wrote f-secure back in 2007 about it. Never a response. A few to watch for in the future: North Korea's main site; Adam Sandler's home page. I'll have to dig through my logs to find more. Again, nobody's listening, http://news.ycombinator.com/item?id=2651275.
Maybe a good start-up idea, Internet 911. Grey/White hats find vulns => report => issue gets the attention it deserves. Made me laugh, but something like cyber-police :D
Many Fox News opinion sites (Glenn Beck, Hannity, etc.) are vulnerable to multiple attacks - read LFI (getfile.php), XSS (search), etc. I would try to contact them; however, the LFI leaves their mail servers vulnerable to eavesdropping. As a well-established security research company, I feel disclosure of this should be left to you (the pros); plus it would make a good blog post.
LulzSec feels (to me) like just a group of bored teenagers messing around, randomly attacking whatever websites they can. I suspect if the gov't wanted to scare people, they wouldn't just sponsor/create a group doing things "for the lulz" - they'd make it out to be something larger and scarier.
Wow, without civilians being able to access www.cia.gov for a short period of time due to a ddos I'm sure the military industrial complex will crumble.
Why bother running stories about random DDOS's and defacings? It's even less interesting or important news than mainstream media's celebrity gossip.
This is actually a damn good point. The best way to fight DDOSes is to stop making a big deal out of them. We need to show some restraint, and also to educate the media -- folks being unable to access cia.gov has (to a reasonable approximation) zero effect on the CIA.
yes, i can see no downside to this. i would never expect that there would be an irrational, overblown response that causes lots of people to be arrested and made examples of.
The Jester, greyhat patriot who hacked Talibans' websites and forced Wikileaks to change their hosting, is now going after LulzSec. This is a lot more entertaining than TV: https://twitter.com/#!/th3j35t3r
I bet The Jester is as middle-class as the LulzSec people
Well, almost certainly. I doubt he'd claim to be anything else (isn't everybody middle-class nowadays? [1]) so I'm not sure the point of this comment.
[1] OK, not everybody is middle-class. The people who aren't are either too uneducated to use a computer, or too busy snorting coke off hookers asses on their private jets to be interested in this crap.
My point is that the upper-class is fighting a different war and being divided from others by nationalism and protecting a war-mongering police state from other middle-class folks is retarded.
There's a bigger game that's being played: making the internet safe for commerce. The Jester is not playing that game, he's going to be playing the "middle-class squabbles" game that distracts people from the bigger game.
uh there's no conspiracy theory, what I say is in plain sight. Who benefits from the DMCA, PATRIOT ACT, TSA patdowns, wars in Iraq and Afghanistan? Surely not us who are in the middle class.
Seriously, at what point can we start attributing things to malice? Attributing such large things to incompetence is kinda scary; we're hiring or voting for morons. That doesn't frighten you?
I love the fact that LulzSec actually calls him out constantly, calling him a "schizo retard" and threatening to reveal the exploit he's using to take down sites. It's immature, of course, but entertaining as an observer.
Don't believe me, just search through Twitter convos[1] between them. It's pretty funny actually. Lulzsec does something. th3j35t3r gets terrimad and says they are all that is wrong in the world. Lulzsec chortles `u mad bro`? GOTO 10.
He's actually laid another ultimatum (for the umpteenth time in the last 3 months) promising revenge. His first act seems to be that irc.lulzco.org is down. We shall see if anything else comes from his indignation.
No, I don't actually want an answer to that. Calling him a "greyhat patriot" is sufficiently descriptive to mark him out as some kind of Lulzsec mirror image.
If we're gonna have a Lulzsec, we might as well have an anti-Lulzsec as well. Makes life slightly more entertaining.
It's pretty embarrassing that none of these big corporations (PBS, Sony) can even take some time to test for security flaws considering that SQL injection like you mentioned is easy to test for.
This doesn't have to do with security updates. This is most likely a simple ddos/flooding attack and there are not many things you can do against them.
Do I need to remind people that these laws are voted on by your elected representatives?
The patriot act is a result of democracy. Don't want cyber security laws? Start by educating people and voting for people who don't want cyber security laws.
Where is the evidence of this false-flag operation? There is none. Why would congress need to conduct such a false-flag operation when they wouldn't have much trouble passing such a law regardless?