LulzSec

OakTable

So, you might have heard of these guys recently when they hacked Bethesda forums. These hackers essentially believe that most companies have woefully bad net security, which is true, and thus decide to demonstrate this by DDoSing the site at the very least and phishing large amounts of passwords and stealing site data at the worst. They've attacked Sony, Riot Games, CCP Games, the public United States Senate page, Bethesda, Minecraft, NHS, and CIA.gov along with a few others, as well as releasing 62,000+ passwords to various sites. So, my question to you is what do you think of these people? What should be done about this?
 
They're criminals. So, y'know, punish them according to the law.
 
It's bewildering how they are still not being penetrated by the long dick of the law. They've fucked with the CIA, the FBI, US Senate, and I think a British agency and failed at hacking Lockheed-Martin. They have phonelines, a public site, and a twitter account. And yet so far there's only a few internet white hats trying (and failing) to dox them.

I think the most disgusting part of the whole thing was when they released all those passwords and spent the day retweeting posts in which dumbass jerks bragged about how they got people's Paypal accounts thanks to LulzSec. Like, fucking wow, way to kill any public sympathy and look like enormous fagots.
 
...and they'll be back on it, hacking shit up again in no time. They can go change their name and MO, but still destroy sites for the lulz.
 
I kinda got the impression that they didn't do it for the lulz? Okay, maybe releasing login information is for the lulz but the actual point of it seems relatively good-intentioned.
 
Yeah, it's good-intentioned in this way:"Here, we've completely infiltrated your networks and shut down your servers, and the only reason you've gotten wind is because WE TOLD YOU here, on Pastebin. Now, get your inferior boats off the seas of lulz or upgrade, because the LulzBoat is sailing these seas." They really like the pirate terminology. A lot of showboating to bring attention to it, but they could have easily not said anything and hacked more shit up. They're for lulz. Lulz they gave, lulz they got.
 
Yes, but they didn't do worse. I don't think throwing out login info is the right idea but it still does send a very strong fucking message that people need to get their shit together on the internet. They may not have done it in the nicest way, or even in a sensible way, but they send out a useful message, no?
 
I think they're interesting. Obviously, the things they're doing are criminal but they're also demonstrating something that people in the public were blissfully ignorant of before: A lot of the places you store your data online aren't that secure.

A lot of what they're doing, even by their own admission, isn't sophisticated or complicated attacks. They've been dumping user credentials with SQL injection vulnerabilities, the kind of thing that would have been prevented if whoever coded it had spent an extra 15 seconds sanitizing input strings. It also likely would have been caught early if some of these larger/more important companies had done an appropriate audit of the software.

People assume (and why shouldn't they?) that when they sign on with something like Sony that their information is secure. It's that "Hey, Sony makes millions... why wouldn't their site be bullet proof?" mentality. The other side of the problem is that many companies have little more than surface level desire for security. You can pay companies like Norton to do "penetration testing" but they won't perform true audits. They will however give you an attestation statement saying that it's "Good enough" and that is fine enough on paper for management.

You really have to think, the only reason we know about these attacks is because Lulzsec is in it for the 'lulz' and attention. If another group had done the same thing, people might never know their data has been compromised. Few companies would either publicize this information or even be aware of it (because many do not have any form of intrusion detection).

Watching the FBI/CIA hacks is particularly interesting, because it's "real hacking" (not like in the movies). Simplistic and effective. Finding the password of an employee (which they have used on every site/system they are a member of) and escalating your way into different areas via some mundane method. A couple of the people they hacked were actually security professionals, so there's a lot of egg on their face.
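The SQL injection pattern the post above describes, as an added example that is not part of the original thread or any of the sites it names: a login check built by string concatenation beside the same check with bound parameters, run against a constructed in-memory SQLite table whose rows (and the plaintext passwords in it) are made up for the demonstration. The injected inputs are the textbook ones; the point is that the concatenated version accepts them as SQL while the parameterized version treats them as inert data.

```python
import sqlite3

# Constructed sample data for the demo; the plaintext password column
# mirrors the kind of table that ends up in a credential dump.
SAMPLE_USERS = [
    ("alice", "hunter2"),
    ("bob", "correcthorse"),
    ("carol", "letmein"),
]


def make_db():
    """Build a throwaway in-memory database with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Concatenates user input into the SQL text.

    Anything the caller types is parsed as part of the statement, so a
    quote in the username ends the string literal early and the rest of
    the input becomes SQL.
    """
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn, username, password):
    """Same check, but the driver binds the values as data.

    The statement text is fixed; quotes, comment markers and UNION
    keywords in the input are compared against the column, never parsed.
    """
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


if __name__ == "__main__":
    db = make_db()
    # Authentication bypass: the comment marker discards the password clause.
    print(login_vulnerable(db, "alice' --", "wrong"))          # ['alice']
    # Tautology: the OR makes the WHERE clause true for every row.
    print(login_vulnerable(db, "x", "' OR '1'='1"))             # all three users
    # Credential dump: UNION pulls the password column into the result.
    print(login_vulnerable(db, "x' UNION SELECT password FROM users --", ""))
    # The parameterized version returns nothing for all three payloads.
    print(login_parameterized(db, "alice' --", "wrong"))        # []
```

The usual fix is the second function: the query text stays constant and the driver passes values out of band, so there is nothing to "sanitize". Escaping user input by hand is the approach that keeps producing this bug.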
 
Wintermind said:
Yes, but they didn't do worse. I don't think throwing out login info is the right idea but it still does send a very strong fucking message that people need to get their shit together on the internet. They may not have done it in the nicest way, or even in a sensible way, but they send out a useful message, no?
Quite useful. It just wasn't their main aim. It was a delightful side-effect.
 
Wintermind said:
Yes, but they didn't do worse. I don't think throwing out login info is the right idea but it still does send a very strong fucking message that people need to get their shit together on the internet. They may not have done it in the nicest way, or even in a sensible way, but they send out a useful message, no?
I don't think they are doing anything that can in any way be described as 'useful'. 'Get your shit together' is barely a message (and pretty fucking redundant at that, considering it's the Internet).

It's like a guy who robs customers right outside the supermarket, but somehow gets people's sympathies, because he does it 'for the lulz' and is really pointing out how bad the shop security is. I don't see anyone going, 'Yeah, but he's sort of sending out a useful message - it's not safe out there.' Yeah, it's not safe out there because of people like him!

The whole idea that hackers point out system weaknesses that can then be fixed for increased security is retarded.
 
Wintermind said:
I kinda got the impression that they didn't do it for the lulz? Okay, maybe releasing login information is for the lulz but the actual point of it seems relatively good-intentioned.
I'm sure releasing mountains of personal information and encouraging people to use that to take over paypal accounts is well-intentioned.

korindabar said:
I think they're interesting. Obviously, the things they're doing are criminal but they're also demonstrating something that people in the public were blissfully ignorant of before: A lot of the places you store your data online aren't that secure.
Yeah, that wasn't new.

Nology5890 said:
...and they'll be back on it, hacking shit up again in no time. They can go change their name and MO, but still destroy sites for the lulz.
Their members have been personally identified. They're going to be in jail. And rightfully so.
 
Wintermind said:
I kinda got the impression that they didn't do it for the lulz? Okay, maybe releasing login information is for the lulz but the actual point of it seems relatively good-intentioned.
Those people are hooligans. Good intentions? Which one? Showing us that the sites they hack have issues? Wow. Let's make them the Robin Hood of modern times!

Hey. Those people are not heroes. They are punks.
 
If you entrusted your money and personal information to a party which you believed to be "secure" and found out they were just leaving it all on a table in the food court of a local mall, you should be just as upset with the people who stole it as the people who left it there.

Yes, their activities are criminal. In a perfect world, one shouldn't have to expect that someone might try to steal what's yours. The best we should expect is that companies we shell out our data to at least have a lock on the door.
 
Okay, you guys seem to ultimately be missing my point? They've actually done a useful service by exposing websites that have shit terrible security. They've also done a bad thing by releasing tons of login data, which wouldn't be as bad if people weren't complete fucktards and USED DIFFERENT FUCKING PASSWORDS FOR THINGS THAT ARE IMPORTANT.

Perhaps it's because I have little sympathy for people who are that dumb who have the same password for everything.

I'm not saying they shouldn't be jailed and punished (after being found guilty by a jury of their peers, etc), it just seems that people are glossing over the fact that if people had their shit together and protected both their own data and the vital personal data of their customers/users, this never would've happened.

Besides, it's not like these people aren't going to be able to get their money after some phonecalls and paperwork and shit.
 
Wintermind said:
Okay, you guys seem to ultimately be missing my point? They've actually done a useful service by exposing websites that have shit terrible security. They've also done a bad thing by releasing tons of login data, which wouldn't be as bad if people weren't complete fucktards and USED DIFFERENT FUCKING PASSWORDS FOR THINGS THAT ARE IMPORTANT.

Point? Which point? That people are dumb? Like that is any excuse really.

You still go to jail if you drive away in someone's car because the owner forgot to close the door and take the keys with him. Was he dumb? Yes. Does it mean you are doing him a favour when you exploit his stupidity? No.

Hands down, those people are doing NO ONE a favour. Hackers like Lulziness have been doing such things for DECADES, not just since gaming has become so huge. And has it changed anything? You still have companies which care nothing about security (see Sony now).

There are better ways to address issues. Making it public, for example. Telling the companies and the consumers about the holes WITHOUT exploiting them. The German Chaos Computer Club is doing EXACTLY this: finding holes and telling the people/companies. They reported many issues about online banking, Microsoft and other companies and helped to fix those. THAT is doing people a favour. Now if the company is not fixing it and it gets exploited, people can sue them. You don't have to act like a criminal to do something "good".
-----------


korindabar said:
If you entrusted your money and personal information to a party which you believed to be "secure" and found out they were just leaving it all on a table in the food court of a local mall, you should be just as upset with the people who stole it as the people who left it there.

I read this quite often. And even a good friend of mine mentioned it. Just that this is not about Sony, EA or Biowhore being dicks. That is a different story.

It is about those punks who get into those companies, stealing information and starting mayhem with it, seeing themselves (and some others see them) as a cooler Internet version of V or Robin Hood. But they are not riding with Butch Cassidy as his Sundance Kid, nor have they learned their hacking from Billy the Kid.

Whether some company acts like idiots or not is no excuse for criminal actions against them just to "prove a point". The issue is that some actually romanticise and heroize their actions, knowing that what they do is still wrong but they are doing it for a "greater good". What bullshit.

By the way, there are many ways to show the consumer that they are unsafe. And honestly, how many times has it now been mentioned that all those "online databases" are insecure? Even Mark Zuckerberg agrees that Facebook is not using "privacy" as its most important aspect because he believes their users feel fine with sharing their information with others in public (and it is true that new generations care less about privacy and data integrity than before; if you ask me, a pretty bad evolution, but hey, I avoid Facebook and all that other crap like the plague).

What those Internet-hooligans do, either to Sony or other companies, feels to me like blowing up some oil platform in the ocean to prove that "they cause pollution". Makes sense. No.

----

To make one thing clear. I HATE what happens with games currently where you need thousands of accounts and "online registrations" just to play your FUCKING SINGLEPLAYER game. Sure. Not only a ton of security issues (like shown now) but also fucking annoying. But I blame the people behind this concept of this account-madness for a different reason and not because some Internet hooligans decided to blow those networks up.
 
Wintermind said:
No, that would still be horrible. What's the point, here? They could've just released, say, the usernames to make their point.

Perhaps it's because I have little sympathy for people who are that dumb who have the same password for everything.

I'm not saying they shouldn't be jailed and punished (after being found guilty by a jury of their peers, etc), it just seems that people are glossing over the fact that if people had their shit together and protected both their own data and the vital personal data of their customers/users, this never would've happened.

Besides, it's not like these people aren't going to be able to get their money after some phonecalls and paperwork and shit.
You confuse intelligence with ignorance, and you ignore the fact that the vast, vast majority of people on the internet know very little about anything to do with computers. They just plug it in and go to work. That's because most people are simply not educated about these things. Expecting them to be diligent about this sort of thing at this point in time is completely unrealistic.

Should people be more careful with their passwords? Sure. Does that mean that someone gets to go in and steal all their shit? Absolutely not, and I don't see how this excuses Lulzsec in any way.

korindabar said:
If you entrusted your money and personal information to a party which you believed to be "secure" and found out they were just leaving it all on a table in the food court of a local mall, you should be just as upset with the people who stole it as the people who left it there.

Yes, their activities are criminal. In a perfect world, one shouldn't have to expect that someone might try to steal what's yours. The best we should expect is that companies we shell out our data to at least have a lock on the door.
So? Sure, be pissed at those companies, but Lulzsec is the group that did the actual stealing. Worse yet, they made all this information public, available for anyone with an internet connection. That's malicious, evil, and should lead to a hefty punishment.

If they actually cared about educating the public and forcing companies to be more secure, they could've done all this shit without making any of that information public. But nooooo, they have to go out and fuck with thousands of lives.
 
here is my stance on the issue:

1)
this is nowhere near "ethical" hacking. they are not telling people about their vulnerabilities, they are exploiting said vulnerabilities and in a public way.

2)
people have known about buffer overflows and other injection methods for decades. any programmer who creates strings for input on a public facing system and does NOT sanitize/verify that string should be LIABLE. period, end of story. it's not the "company's" fault the programmer purposefully allowed an exploit of their system.

and from what i understand, they are using an exploit in the SUN OSes and hash usage.

3)
there are "ethical" hackers out there. they hack sites/domains/networks/etc all the time. and then they tell the makers of the product they hacked of the flaw without going public.

4)
there are only 2 people to blame when a software flaw is discovered.
a) the programmers of the software for creating that flaw in the first place without verifying how it would work with invalid input
b) management for not making sure their software was fully tested and for not hiring programmers who knew what the hell they were doing.

5)
true internet security is both a pipe dream that will never be realized, and is also something that can be accomplished with the right set of security hardware, software, design, and protocols.

the problem is that usually "management" does not want to spend the money to go the full distance. it can be quite expensive.

there is actually a formula that is used to determine if a given security feature is worthwhile, and it is based on $$$.
 
Don't confuse what I'm saying. I'm not saying they aren't criminals and I'm not saying they shouldn't be caught and brought to justice. Perhaps I have a more personal interest in their shenanigans because I've done a lot of work with web security in particular. I can point to their pastebin entries and say, "Look, that's what happens.".

Just within my own company I've reported serious vulnerabilities in our platform to management and engineering teams and it would take months for them to roll out a service release for it or consider it anything higher than low priority.
 
How is searching for flaws in security, exploiting them, then exposing both the flaws and the ''loot'' of your ''exploits'' in any way commendable? These guys are akin to burglars breaking into a house, stealing the jewelry and such, then going on TV bragging about it all (after selling the valuables, of course), all the while proclaiming it's to encourage people to get better home security. It's bullshit. I don't care how lenient the security was at those companies, nothing justifies what they did, and I also hope they end up in jail. Publishing so much private information can easily ruin lives, and for what? So that these idiots can pretend being on a crusade for Internet security? Sorry, not sold at all.
 