I think Lulzsec is a pretty cool guy. eh hacks US Senate and doesn't afraid of anything.
June 13, 2011 3:32 PM

LulzSec (twitter account) have hacked senate.gov. The group has previously hacked Bethesda, Pron.com, FBI affiliates amongst others. Although some argue that LulzSec represent the catalyst to improve IT security, this message to the Senate seems likely to provoke a more direct investigation:

Greetings friends,

We don't like the US government very much. Their boats are
weak, their lulz are low, and their sites aren't very secure.
In an attempt to help them fix their issues, we've decided
to donate additional lulz in the form of owning them some more!

This is a small, just-for-kicks release of some internal data
from Senate.gov - is this an act of war, gentlemen? Problem?

- Lulz Security
posted by jaduncan (141 comments total) 18 users marked this as a favorite
 
Time to go to Costco and stock up on popcorn.
posted by entropicamericana at 3:35 PM on June 13, 2011 [1 favorite]


lulzsec is like your dad after seeing how impressed you were watching a dude skateboard. "I'M JUST LIKE -- shit -- THAT SKATER -- whoa -- TERRY -- jesus -- HAWK, BIG GUY! CHECK THIS OUT!" All sql injections and shit. c'mon. that's not lulz.
posted by boo_radley at 3:37 PM on June 13, 2011 [3 favorites]


Ooh, look, at wasps' nest! I wonder how lulzy it will be if I poke it with stick?
posted by unSane at 3:37 PM on June 13, 2011 [2 favorites]


Not to worry: Ceiling Cat is launching a full investigation.
posted by not_on_display at 3:38 PM on June 13, 2011 [15 favorites]


All sql injections and shit. c'mon.

Don't look down on LulzSec for using lame attacks, look down on their victims for being vulnerable to lame attacks.
posted by tylermoody at 3:40 PM on June 13, 2011 [59 favorites]


They should have at least thrown nyan cat up on some random places on all the senate.gov virtual hosts. This is like, whatevs, back to playing Space Junk.
posted by Ad hominem at 3:40 PM on June 13, 2011 [2 favorites]


As for bethesda:
After mapping their internal network and thoroughly pillaging all of
their servers, we grabbed all their source code and database passwords,

That's not good.
posted by Ad hominem at 3:45 PM on June 13, 2011


When observations along the lines of "we're living in a William Gibson novel" begin to look trite and obvious, that's when you know you're really living in a William Gibson novel.
posted by nasreddin at 3:47 PM on June 13, 2011 [58 favorites]


They said they got the source code from Bethesda, does that mean the source code to the actual games? If so, that's not going to speed up the development of Skyrim, like at all. Like they might have to re-write the whole thing, like with Valve's theft of code in 2004. They have a torrent but I hesitate to look into it...because FBI.
posted by hellojed at 3:47 PM on June 13, 2011 [2 favorites]


All sql injections and shit. c'mon.

Why continue pounding on an open door?
posted by jaduncan at 3:48 PM on June 13, 2011 [5 favorites]


Like they might have to re-write the whole thing, like with Valve's theft of code in 2004.

Heh, yeah right. That was the best Valve Time excuse ever, more like. Gabe Newell lives the Douglas Adams credo: "I love deadlines. I especially like the whooshing sound they make as they go flying by."
posted by jaduncan at 3:49 PM on June 13, 2011 [8 favorites]


They said they got the source code from Bethesda, does that mean the source code to the actual games?

That's what I am wondering. I wish the pastebin contained something other than a 1000 line output from netstat.
posted by Ad hominem at 3:51 PM on June 13, 2011


Like they might have to re-write the whole thing, like with Valve's theft of code in 2004.

AHA! Lulzsec is actually Wheatley!
posted by Mister Fabulous at 3:52 PM on June 13, 2011


I think hackers would get a lot more mileage out of making subtle changes to websites. Next time you hack someone, just add a bunch of old fake matter-of-fake articles about Atlantis, or confirm Batman's cooperation with the FBI, or add Reptilians as the de facto 4th branch of government, some of whom successfully transitioned from the Senate. Stuff like that.
posted by 2bucksplus at 3:55 PM on June 13, 2011 [44 favorites]


See now, call me a pedant, but I don't think we are living in a William Gibson novel at all, especially when it comes to Anonymous and Lulzsec.

This is straight out of Tad Williams's Otherland series.


Possibly volume 3.
posted by titus-g at 3:56 PM on June 13, 2011 [5 favorites]


bigballz727@hotmail.com | smalldickclub

All ball, no shaft.
posted by wcfields at 3:56 PM on June 13, 2011


When you have lame security you get pwned by lame hackers.
posted by GuyZero at 3:58 PM on June 13, 2011 [3 favorites]


The problem with this is that the government will use this as an excuse to wildly overreach in its reaction, to try to grab even more power that they shouldn't have. Not a good move, Lulzsec; the consequences will likely be unpleasant for [i]everyone[/i], including you guys/gals.

If there's one thing the US government is very, very bad at doing, it's admitting fault. "Oops, our mistake" is not in their vocabulary.
posted by Malor at 4:04 PM on June 13, 2011 [12 favorites]


When you have lame security you get pwned by lame hackers.

Groups like LulzSec aren't a very serious risk. They are compelled to brag on the internet, you know, for the lulz, and they would probably give up and move on to the next target if it wasn't easy. Far riskier are serious criminals looking to steal and sell data, they don't brag on the internet, and they pick specific targets. I am convinced half the malware spam corporate users get are targeted attacks. Even riskier still are foreign intelligence agencies, they might have complete control of your shit and you may never know.
posted by Ad hominem at 4:10 PM on June 13, 2011 [2 favorites]


The problem with this is that the government will use this as an excuse to wildly overreach in its reaction, to try to grab even more power that they shouldn't have. Not a good move, Lulzsec; the consequences will likely be unpleasant for everyone, including you guys/gals.

They only hit us because we make 'em mad and because they love us so much.
posted by curious nu at 4:10 PM on June 13, 2011 [5 favorites]


Why has Bethesda not said anything about this yet?
posted by Justinian at 4:11 PM on June 13, 2011


the consequences will likely be unpleasant for [i]everyone[/i], including you guys/gals. never be the same.
posted by Threeway Handshake at 4:11 PM on June 13, 2011 [4 favorites]


Not to worry; I'm sure the feds will dream up legislation that's draconian and ineffective in equal measure.
posted by ZenMasterThis at 4:11 PM on June 13, 2011 [7 favorites]


Why has Bethesda not said anything about this yet?

Bethesda might not know if the data is really compromised. No proof for the user data claim has been shown as yet, after all.
posted by jaduncan at 4:17 PM on June 13, 2011


This is like when the green card lawyers ruined usenet isn't it?
posted by humanfont at 4:17 PM on June 13, 2011 [4 favorites]


C'mon... the narrative worked with the PS network (scorned and all), but this Anonymous Lulz Sect 'cyber-terrorist cell' bullshit is as transparent as a greased wall in Homer Simpson land.

LEAVE OUR INTERNETS ALONE.
posted by panaceanot at 4:18 PM on June 13, 2011


Justinian: "Why has Bethesda not said anything about this yet"

They have.
posted by boo_radley at 4:20 PM on June 13, 2011


This is like when the green card lawyers ruined usenet isn't it?

No.
posted by jaduncan at 4:21 PM on June 13, 2011


Something something pig wrestling
posted by fido~depravo at 4:22 PM on June 13, 2011


I think hackers would get a lot more mileage out of making subtle changes to websites. Next time you hack someone, just add a bunch of old fake matter-of-fake articles about Atlantis, or confirm Batman's cooperation with the FBI, or add Reptilians as the de facto 4th branch of government, some of whom successfully transitioned from the Senate. Stuff like that.

You mean like posting an article stating that Tupac Shakur is alive and living in New Zealand?
posted by indubitable at 4:23 PM on June 13, 2011 [4 favorites]


Far riskier are serious criminals looking to steal and sell data, they don't brag on the internet, and they pick specific targets.

Bingo. Third-class hacks you hear about months or years later. Second-class hacks you never hear about because they're too big or embarrassing to admit. First-class hacks you never hear about because no one ever realizes they happened.

What LulzSec does is on the level of hooliganism and graffiti. Mildly amusing, though.
posted by dephlogisticated at 4:24 PM on June 13, 2011 [1 favorite]


They have.

Oh, they put up a blog post on a blog no doubt read by dozens and dozens of people! Super!
posted by Justinian at 4:26 PM on June 13, 2011


What LulzSec does is on the level of hooliganism and graffiti. Mildly amusing, though.

Unless, y'know, the hooliganism is the misdirection from the actual hack.
posted by Thorzdad at 4:28 PM on June 13, 2011 [2 favorites]


Not to worry; I'm sure the feds will dream up legislation that's draconian and ineffective in equal measure.

We've had it for almost 25 years! The Computer Fraud and Abuse Act of 1986 (18 U.S.C. § 1030) has its 25th anniversary on October 16th.

You hear that LulzSec? October 16th, 2011 is the 25th Anniversary of the Computer Fraud and Abuse Act of 1986. Maybe you should... celebrate?
posted by Mister Fabulous at 4:32 PM on June 13, 2011


First-class hacks you never hear about because no one ever realizes they happened.

So the RSA compromise and other related attacks are third-rate?
posted by Threeway Handshake at 4:32 PM on June 13, 2011 [2 favorites]


They will get prosecuted. This is where the Bureau gets involved. Had they actually wanted to help the Senate, they could have explained their method to the Sergeant at Arms who handles these things and discussed the vulnerabilities that might exist.
posted by Ironmouth at 4:34 PM on June 13, 2011


"While no personal financial information or credit card data was obtained, the hackers may have gained access to some user names, email addresses, and/or passwords."

Yeah, Bethesda have no clue what has or has not been done.
posted by Hosni Mubarak at 4:35 PM on June 13, 2011


Had they actually wanted to help the Senate

LOL. This is superb deadpan, Ironmouth.
posted by Hosni Mubarak at 4:35 PM on June 13, 2011 [10 favorites]


Justinian: "Oh, they put up a blog post on a blog no doubt read by dozens and dozens of people! Super!"

There are also three (3) different places on their home page where it's mentioned, plus it's on literally every gaming news site everywhere. Soooo, y'know.
posted by boo_radley at 4:39 PM on June 13, 2011


oh, and it's on all of their forums as well.
posted by boo_radley at 4:40 PM on June 13, 2011


They said they got the source code from Bethesda, does that mean the source code to the actual games?

I've had a look at the contents of the Bethesda release torrent, and it appears they got access to public-facing content management servers and the database servers supporting them. No game source code in what was released that I can see.
posted by killdevil at 4:46 PM on June 13, 2011


They said they got the source code from Bethesda, does that mean the source code to the actual games? If so, that's not going to speed up the development of Skyrim, like at all. Like they might have to re-write the whole thing, like with Valve's theft of code in 2004. They have a torrent but I hesitate to look into it...because FBI.

Why would they need to rewrite the game? It's not like they physically stole the source code and Bethesda don't have any source code left.

Also, the Valve delay had nothing to do with the leak, it had to do with the game being far from ready. Valve even admitted so themselves.

The only way a game could theoretically be delayed is if it exposes exploitable bugs. Seeing as Skyrim is a single-player game, the only ones in the position to exploit any part of the game is the players themselves.
posted by ymgve at 4:49 PM on June 13, 2011


From the Pron.com textfile:
Hi! We like porn (sometimes), so these are email/password
combinations from pron.com which we plundered for the lulz

Check out these government and military email
addresses that signed up to the porn site...

They are too busy fapping to defend their country:

....
flag@whitehouse.gov
...
Since that one seemed like an odd email address, I wanted to see where it would be listed publicly. It gets amusing/weird -- Facts are Stubborn Things:
Opponents of health insurance reform may find the truth a little inconvenient, but as our second president famously said, "facts are stubborn things."

...

There is a lot of disinformation about health insurance reform out there, spanning from control of personal finances to end of life care. These rumors often travel just below the surface via chain emails or through casual conversation. Since we can’t keep track of all of them here at the White House, we’re asking for your help. If you get an email or see something on the web about health insurance reform that seems fishy, send it to flag@whitehouse.gov.
Curiouser and curiouser. (Or someone is misusing their nameless company email address; or Pron.com doesn't actually require valid email addresses, and someone was being funny, in a weird sort of way).
posted by filthy light thief at 4:51 PM on June 13, 2011 [2 favorites]


Does anything on the senate text file refer to something that was not already public?
posted by Anything at 5:02 PM on June 13, 2011


The Senate will be unable to act on this incident due to an anonymous hold.
posted by humanfont at 5:03 PM on June 13, 2011 [5 favorites]


Does anything on the senate text file refer to something that was not already public?

It's not sekrit stuff; it's the Web "source code" underlying the publicly-accessible bits of www.senate.gov. So no Earth-shattering revelations about little green men at Area 51, but nonetheless not something that was intended to be made public in this form.
posted by killdevil at 5:05 PM on June 13, 2011


The Senate will be unable to act on this incident due to an anonymous hold.

Anonymous hold: fapping in your mother's basement.
posted by jaduncan at 5:06 PM on June 13, 2011 [1 favorite]


I expect the government will revive the punishment of crucifixion, if only for these guys.
posted by crunchland at 5:19 PM on June 13, 2011


Their only crime is curiosity... and being annoying shitty timewasters.
posted by Artw at 5:21 PM on June 13, 2011 [1 favorite]


l33tness is not required for pwnage.
posted by effugas at 5:21 PM on June 13, 2011


This isn't really that big a story on its own... it's the equivalent of, say, hitting Bill Gates in the face with a pie. What interests me is how the aftermath will play out: if the government goes after LulzSec, will the hackers have any real response, or is it all ultimately just for Lulz, as it's been since the days of the phone phreakers?
posted by StrikeTheViol at 5:32 PM on June 13, 2011


> Ooh, look, at wasps' nest! I wonder how lulzy it will be if I poke it with stick?

> The problem with this is that the government will use this as an excuse to wildly overreach in its reaction

Exactly. Gauging by some of the reactions posted today, it seems that at least a few people are trying to ignore the fact that we're all standing right next to that now-poked wasps' nest.
posted by darth_tedious at 5:35 PM on June 13, 2011 [1 favorite]


If you fap in your mom's basement too often you will end up with a hairy reed.
posted by humanfont at 5:44 PM on June 13, 2011


"Mister Speaker, The Lulz boat"
*fapping
posted by clavdivs at 5:45 PM on June 13, 2011


Personally, I think the LulzSec stuff rates more along the "annoying graffiti" end of the spectrum. They seem to be doing it for laughs and because they can, not for really nefarious reasons - back to "old school" hacking really. Their actions are likely to spur companies to invest in more hardening and better security, which will actually be good in the long run. (Unless Congress overreacts, I guess, which could be bad.) I'm much more concerned about the RSA ->Lockheed/IMF hacking. The extent of the RSA issue has yet to be determined, and the stuff likely being targeted for exfiltration from the IMF and defense contractors has the potential to affect global financial markets and compromise U.S. military operations.

Seems like some of the white hats are getting under the skin of some hacker groups, though. A fake story was planted over the weekend, saying that two security researchers had been indicted for credit card fraud (and implying a homosexual relationship). I guess you must be doing something right** if you are being personally slandered, but it would be quite scary still.

**(Brian Krebs has been running a series on ATM skimmers that should be required reading for anyone who ever uses an ATM, for example.)
posted by gemmy at 5:55 PM on June 13, 2011 [4 favorites]


> When you have lame security you get pwned by lame hackers.

Funny. My first thought was: When you have lame security you get pwned by showboaters who piss off all the other guys who had been silently reading and exploiting the data for years before some assholes crashed their party.
posted by ardgedee at 5:58 PM on June 13, 2011 [10 favorites]


Soooo...

When is the torrent with all these files coming out?

Kind of interested in a whole boatload of the more obscure files, like the only one with 'Bradley' anywhere in its name, or the trade securities files, or...
posted by Slackermagee at 6:02 PM on June 13, 2011


My first thought was: When you have lame security you get pwned by showboaters who piss off all the other guys who had been silently reading and exploiting the data for years before some assholes crashed their party.

*ding ding ding* we have a winner!
posted by killdevil at 6:04 PM on June 13, 2011 [2 favorites]


I'm waiting for the day when all the .gov sites get hacked and replaced with this (fucking) image or some parody thereof.
posted by The Winsome Parker Lewis at 6:11 PM on June 13, 2011 [2 favorites]


(Link SFW, I should probably mention in a lulzy thread like this. One never knows these days...)
posted by The Winsome Parker Lewis at 6:18 PM on June 13, 2011


The best attacks are the ones no one discovers.
posted by tommasz at 6:24 PM on June 13, 2011


It's getting so I've got that Panther Modern quote hotkeyed these days.
posted by Sebmojo at 6:33 PM on June 13, 2011 [1 favorite]


There are also three (3) different places on their home page where it's mentioned, plus it's on literally every gaming news site everywhere. Soooo, y'know.

Lets not play the blame game about who's comments were misinformed. We should work together to make a better future.
posted by Justinian at 6:38 PM on June 13, 2011


WHOSE. Not who's. I'm so ashamed. More ashamed, I mean.
posted by Justinian at 6:39 PM on June 13, 2011


"All this has happened before, and all this will happen again." This is nothing new & it's nothing extraordinary. These sites have been compromised before; sometimes it was noticed, sometimes not. LulzSec are clever, they're a novel distraction. But they're children playing with fire; sooner rather than later the fire's gonna burn them. I hope it was worth it for them.
posted by scalefree at 7:40 PM on June 13, 2011


Surely this opportunity will be taken to improve security rather than wasting even more time and resources trying to hunt down the attackers or trying to pass legislation that further threatens the Internet and/or civil liberties. I don't know why that rarely seems to be the response.
posted by howlingmonkey at 7:43 PM on June 13, 2011


Lulz attacks: US orders review as Senate site hacked

Well, that didn't take long. It's not the security that's their concern, I'd imagine. It's the fact they were publicly kicked in the nuts.
posted by jaduncan at 8:00 PM on June 13, 2011


> Had they actually wanted to help the Senate, they could have explained their method to the Sergeant at Arms who handles these things and discussed the vulnerabilities that might exist.

In all likelihood you'll be ignored. Next most likely possibility, you'll be accused of hacking yourself. Most webmasters just don't want to know.
posted by lupus_yonderboy at 8:46 PM on June 13, 2011


Don't look down on LulzSec for using lame attacks, look down on their victims for being vulnerable to lame attacks.

If there's one thing the US government is very, very bad at doing, it's admitting fault. "Oops, our mistake" is not in their vocabulary.


I don't get this sentiment. I'm no friend of the US gov't or anything, but I fail to see why this is their fault. It's like blaming a guy whose wall was graffitied because he failed to put up enough razor wire and armed sentries to keep the vandals away. I believe we call this "victim blaming" around here. I understand this kind of exploit is part of the hacker mentality, but it's of that childish part of the hacker mentality.
posted by Kraftmatic Adjustable Cheese at 10:02 PM on June 13, 2011 [1 favorite]


Disc wars! Disc wars! Disc wars!
posted by IvoShandor at 10:02 PM on June 13, 2011


> I fail to see why this is their fault.

Because they didn't protect their site and even unsophisticated attackers were able to compromise it.

Let's put it in terms of break-ins. It's one thing if you're a private citizen and someone uses a car jack to open your door - there it's not funny and there wasn't much you could do about it.

It's quite another thing if you're the government and are collecting a paycheck entirely to protect that front door - and you secure it with a twist tie...
posted by lupus_yonderboy at 10:19 PM on June 13, 2011


I fail to see why this is their fault.

I am the bank. I leave the content of your savings account in unmarked bills on a streetcorner. It goes away. I fail to see why this is my fault.
posted by mek at 10:22 PM on June 13, 2011 [1 favorite]


If you fap in your mom's basement too often you will end up with a hairy reed.

It's true. I was bald once.
posted by NoraReed at 10:41 PM on June 13, 2011 [4 favorites]


I don't get this sentiment. I'm no friend of the US gov't or anything, but I fail to see why this is their fault. It's like blaming a guy whose wall was graffitied because he failed to put up enough razor wire and armed sentries to keep the vandals away.

I support this reasoning, and I'm glad that foreign intelligence services would also never attempt to breach governmental sites. Sleep on sysadmins, sleep on.
posted by jaduncan at 10:42 PM on June 13, 2011


While Bethesda being hacked is small beans compared to government websites... it hits a bit close to home for me (a game developer). This newest attack against Bethesda has a lot of people stressed out because it's not just usernames/passwords/emails. Sounds like nothing sensitive to development got released despite their claims of having 'source code', but any intrusion into internal networks has the potential to cost developers a lot of money. There's a whole ton of stuff I can think of at my last few jobs that, if released, would be fairly disastrous (canceled games, changing game content, tipping off competitors, more crunch time, etc).

By the way, for those interested, here's the rest of the list of game companies that have been hacked recently (by various copycats): Square Enix/Eidos, Codemasters, Epic Games, Nintendo, and of course Sony's PSN, which has led to some arrests, and in turn spurred another hack - this time against Spain's national police website.

In other news, it seems there's a William Gibson novel I need to read.
posted by subject_verb_remainder at 10:45 PM on June 13, 2011 [1 favorite]


Even riskier still are foreign intelligence agencies, they might have complete control of your shit and you may never know.

Why the disclaimer "foreign"? You trust your intelligence agencies not to do this stuff?
posted by Jimbob at 1:57 AM on June 14, 2011 [1 favorite]


Lulzsec got into an NHS Primary Care Trust's website last week, and were rather sweet about it.
posted by Acheman at 4:27 AM on June 14, 2011


Not a good move, Lulzsec; the consequences will likely be unpleasant for [i]everyone[/i], including you guys/gals.

They will get prosecuted. This is where the Bureau gets involved.

That really, really depends on how the individuals responsible choose to connect to the Internet in the first place.

Consider:
I go to Best Buy, I buy a $10 USB 802.11G adapter for cash and then wait a few days. I put on a nondescript baseball cap, make sure my laptop's built-in Wifi adapter is disabled, and take the bus downtown (cash, duh), I find a place to sit near a bunch of coffee shops where there aren't any obvious cameras and wait around for 20 minutes or so. I plug in my $10 adapter and boot the laptop off of a bootable Linux CD.

Over the course of the next hour I conduct my attack through some open foreign proxy servers, then power down my laptop, wait a half hour and then take the bus home. I yank the $10 adapter, hit it with a hammer a few times/stick it in a blender, toss the scraps.

How in the hell would the Bureau track that? The attack doesn't come from any IP associated with me, and the foreign proxies are going to make the forensics fairly brutal. Using a $10 NIC that I dispose of immediately after means there's no MAC address on any coffeeshop's wireless router that can be connected to me. Even if they did review all local security camera footage the waits make it difficult to link me to the attack timing and there's no usable shots of my face.

This is just what I can come up with off the top of my head in 2 minutes, and I'm sure anybody capable of hacking senate.gov could improve on it. Effective Internet anonymity is, frankly, extremely cheap and straightforward - whether or not anybody gets caught is entirely a function of how lazy they were or weren't.
posted by Ryvar at 5:18 AM on June 14, 2011 [5 favorites]


Or you could, you know, go after the guy who registered the domain or paid for the hosting. Assistant US attorneys are very good at indicting you for nothing (or rather, getting an indictment because the grand jury has been stuck in those uncomfortable chairs for five hours and is hungry and wants its ham sandwich) and flipping you up the chain 'til they find someone they want.
posted by Vetinari at 7:56 AM on June 14, 2011


Over the course of the next hour I conduct my attack through some open foreign proxy servers, then power down my laptop, wait a half hour and then take the bus home. I yank the $10 adapter, hit it with a hammer a few times/stick it in a blender, toss the scraps.

And then you get home, hop on IRC & get into a fight with that girl who was going to come out & visit you on spring break, but only after you got done bragging about what you just did on that anonymous park bench. She goes out to get wasted with some friends to forget her big fight with you & they all get caught by the cops they didn't see pulling into the parking lot of the Wendy's they'd been vandalizing for 20 minutes. In a desperate attempt to escape being sent to Juvie she rolls on you, giving them your real name, phone number & address along with some incriminating IRC logs for good measure. It's 5AM by the time a dozen FBI agents serve the no-knock warrant on your parents' house & find you passed out & drooling on the keyboard. You wake up to find an army of men in ski masks holding automatic weapons pointed at your head. No white rabbits for you, Neo.
posted by scalefree at 8:29 AM on June 14, 2011 [2 favorites]


yeah, or that. That's good, too.
posted by Vetinari at 8:38 AM on June 14, 2011


In a desperate attempt to escape being sent to Juvie she rolls on you, giving them your real name, phone number & address along with some incriminating IRC logs for good measure

.....I'm guessing you either watch way too many police procedurals or you've never actually interacted with the kind of cops who are responsible for busting teenagers for vandalism.
posted by nasreddin at 8:39 AM on June 14, 2011


And then you get home, hop on IRC & get into a fight with that girl who was going to come out & visit you on spring break, but only after you got done bragging about what you just did on that anonymous park bench...You wake up to find an army of men in ski masks holding automatic weapons pointed at your head.

Have it your way: whether or not anybody gets caught is entirely a function of how lazy they were or weren't and whether they're a fucking idiot.

Personal insecurity is just another vulnerability.
posted by Ryvar at 8:40 AM on June 14, 2011


In the future, everyone will be publicly pwned for 15 minutes.
posted by Eideteker at 10:45 AM on June 14, 2011 [1 favorite]


Unless you own a PS3, and then you'll be publicly pwned every 15 minutes.
posted by crunchland at 10:46 AM on June 14, 2011 [1 favorite]


That's what I meant to type, crunchland, but I was hacked.
posted by Eideteker at 11:34 AM on June 14, 2011


HA HA HA DISREGARD THAT, I SUCK COCKS
posted by Eideteker at 11:34 AM on June 14, 2011 [6 favorites]


Seems like they unintentionally ddosed the minecraft login servers. Notch is on it.
posted by Ad hominem at 11:43 AM on June 14, 2011


As of about an hour ago, they've taken down EVE as well.
posted by 256 at 11:57 AM on June 14, 2011


How clever they are, how charming.

You know what? if they get Mitnicked then fuck 'em.
posted by Artw at 11:59 AM on June 14, 2011


lulz hackers take down EVE online.

It's nerd-on-nerd violence, people. Why do we have to kill ourselves from within???
posted by GuyZero at 12:35 PM on June 14, 2011


In a desperate attempt to escape being sent to Juvie she rolls on you, giving them your real name, phone number & address along with some incriminating IRC logs for good measure.

Yeah, I'd love to try that the next time a cop tried to arrest me for drunk & disorderly: "Let me go and I can give you the name of a guy who told me he hacked the senate or the government or something...it was Bethesda! Washington D.C.'s in Bethesda, right?"
posted by straight at 1:01 PM on June 14, 2011 [1 favorite]








The activism aspect is not in the slightest bit convincing - they are a disaster to any cause they align themselves with.
posted by Artw at 2:34 PM on June 14, 2011


LulzSec aren't activists. That's the whole point. It's about the lulz.
posted by nasreddin at 2:39 PM on June 14, 2011


So what exactly is their strategy here? To incite nerdrage? Because seriously, I don't have much time to game, and they've done a great job of making the little time I have not fun...
posted by This Guy at 3:29 PM on June 14, 2011


8 Phone requests? They're the Casey Kasem of script kiddies.
posted by boo_radley at 3:37 PM on June 14, 2011


8 Phone requests? They're the Casey Kasem of script kiddies.

Um, I know waving your 1337 dick around is de rigeur around here, but it seems to me that if there ever was a group of people who doesn't deserve to be called "script kiddies," it's these guys. (the DDOS thing aside.)
posted by nasreddin at 3:54 PM on June 14, 2011


(er, "rigueur")
posted by nasreddin at 3:59 PM on June 14, 2011


In the last couple of hours LulzSec has been taunting /b/ thoroughly. It makes me wonder if his tweet:

/b/, most of you are probably infected right now and don't realize. You know those times your Internet freaks out? Yeah, that's us firing.

means he's infected /b/.
posted by Mister Fabulous at 4:28 PM on June 14, 2011


I assume it's a he. I hope the leader of LulzSec is a she.
posted by Mister Fabulous at 4:38 PM on June 14, 2011


So what exactly is their strategy here? To incite nerdrage?

Exactly. This is classic style Anonymous. I have to say, in recent times, the banner of Anonymous has been taken up by a lot of hacktivist style protests, but you have to remember, these are the people who once hacked epilepsy forums and added flashing gifs and flash files. They are chaotic neutral. They are kicking dogs to hear them howl. And gaming web sites are easy to bring down, and easy to cause many people to complain.

In some ways Anonymous have been hijacked by the rah rah revolution crowd, which thinks of Anonymous as the second coming of the Situationist International, which explains a bit of Lulzsec's animosity towards 4chan, and their mention of being from the 2005 crowd.

Um, I know waving your 1337 dick around is de rigeur around here, but it seems to me that if there ever was a group of people who doesn't deserve to be called "script kiddies," it's these guys.

I dunno, they seem to be mostly using canned attacks on people who didn't have their shit together. I'd like to see them trying to attack something that would actually put up a fight, like Google, Blizzard, Facebook, Microsoft, something.
posted by zabuni at 4:45 PM on June 14, 2011 [1 favorite]


I remember a conversation I had with some Anons a couple years ago, who were unhappy about all the energy & attention the activist wing was getting. They were looking to reclaim the anarchist/nihilist spirit Anonymous started out with. Looks like they've found it.
posted by scalefree at 5:32 PM on June 14, 2011




The Washington Post reports

The vulnerability was traced to a part of the Senate site that is maintained by an individual Senate office, which Bradford did not name. Each senator and committee maintains its own presence on Senate.gov and may not adequately protect the site, she said


This information and the config posted by the hackers indicates a server that is a tangled mess of shell accounts and unsecure cgi scripts and redirects. Bradford's statement is not confidence inspiring.
posted by humanfont at 6:16 PM on June 14, 2011


A perfect intersection of keen technical knowledge and profound lack of imagination. All this learning, analyzing, time, effort, resources... and at the end of it, what you have made is a bunch of broken websites. It's just so lame.
posted by vanar sena at 1:24 AM on June 15, 2011


boo are you waving your dick around?


How in the hell would the Bureau track that? The attack doesn't come from any IP associated with me, and the foreign proxies are going to make the forensics fairly brutal.

A name on a list and two guys part-time. Good question and scenario, quite effective in an operational sense. What you describe, it is fair to say, is akin to espionage. The problem is physical surveillance. The problem that law enforcement has is catching large amounts of people for something like a misdemeanor. Unrelated but most saw this Spanish bust. 3 people? How much resources to catch them? An authorization regime has lots of physical resources. This is not a new situation. What is new is that resources are being spent at an alarming rate to catch a few and protect the IT industry/GRID from further penetration.

And then you get home, hop on IRC & get into a fight

then there is that.
posted by clavdivs at 1:58 AM on June 15, 2011


What the last few years have shown to the people now doing these attacks is that you can get a lot of attention from 'morbidly fascinated' people from all around the internet by harassing people who would just want to be left in peace. Onlookers who should have had nothing to do with this crap have been half-grinningly propagating various bits of this b-tard culture and the message these assholes have taken from it is "we're looking at you and we want more".
posted by Anything at 5:12 AM on June 15, 2011


Lulz just took down cia.gov.
posted by notmydesk at 2:54 PM on June 15, 2011


... and 4chan (lol)
posted by 2bucksplus at 3:24 PM on June 15, 2011


...and are reportedly directing a phone DDoS at random targets, including the FBI division in Detroit.
posted by dephlogisticated at 3:39 PM on June 15, 2011


> Lulz just took down cia.gov.

If they did it wasn't for long. I wouldn't be surprised if they hadn't bothered cracking www.cia.gov, and just claimed they did, knowing the rumor would be sufficient to incite a rush of traffic and effectively DDOS the site for an hour or two.
posted by ardgedee at 4:15 PM on June 15, 2011


Lulz just took down cia.gov.

DDoS against an unclassified Public Affairs site. Very impressive. Wake me up when they touch NIPRnet.
posted by scalefree at 4:29 PM on June 15, 2011 [1 favorite]


Ryvar, this is just speculation, but what if your WiFi adapter "phoned home" as soon as it got a connection and sent along its unique identifier and IP address?
posted by Crabby Appleton at 8:02 AM on June 17, 2011


Crabby Appleton: I think you are either confused or I am not understanding your question.

All network devices have MAC addresses that can, for the purposes of this conversation, be considered a "fingerprint" - if you enable access control lists on your home WiFi like you should, the MAC address is what is used to perform the filtering. A MAC address can be intentionally misreported to the network by the operating system (i.e. "sudo ifconfig en0 lladdr 00:01:02:03:04:05" in OSX Terminal), but it seems safer not to rely on that and instead just use physically different hardware from the viewpoint of the wireless router you're connecting to. It costs less than $10, so why not?

For a WiFi adapter to "phone home" it would have to be programmed to do so, and there are several reasons why nobody would hardcode this behavior in either the hardware or software stack. Since in the example I cite we're booting off a Linux Live DVD (Knoppix, for instance), the code for every layer of the network stack has been vetted by many, many large companies like Google as well as paranoid anti-authoritarian basement dwellers (and thank God for them). It's worth pointing out that sysadmins everywhere would flip the fuck out and actively discriminate against Windows and/or the makers of any closed-source network adapter drivers that engaged in explicit phone home behavior, as it's a huge security weakness if your hardware broadcasts its existence to the outside world (the equivalent of shouting HEY KIDS, LOOK FOR VULNERABILITIES IN THIS TYPE OF HARDWARE IF YOU WANT TO HACK US to unknown parties). On the hardware side this would involve a huge amount of effort to produce a product that would be boycotted immediately for the same reason, particularly and especially by the people buying USB WiFi adapters for illegal ends.

Finally, even if somehow your WiFi adapter did do this, all it really does is short-circuit the foreign proxy step. In the scenario I posited, if the FBI/NSA/whoever gets their hands on the foreign proxy server or traffic logs to/from it, they'll have the IP address of the coffee shop and, a polite knock on the shop's door later, the MAC address of the USB adapter you used to connect to their router. They'll know you were within reception range of the shop's router during a certain period of time, which any arrival/departure security camera footage from nearby shops would at best loosely sync up with due to your waiting and departing from a different bus stop than the one you arrived on.

If, however, the WiFi adapter you bought for some reason broadcast directly back to the NSA "HI I AM THIS MAC ADDRESS AND HERE IS MY IP ADDRESS" then all that does is cut out the foreign proxy as a buffer - they'll get the IP of the coffee shop router you're connecting with, and the MAC address of the USB adapter. It removes a painful first step for them, but doesn't solve their basic inability to link you to the activity sufficiently to determine your identity.

Does that answer your question?
posted by Ryvar at 7:20 PM on June 17, 2011


"LulzSec Exposed". If this is true, I assume there's going to be lawyer lulz.
posted by vanar sena at 7:48 AM on June 18, 2011


Set sail for jail!
posted by Anything at 7:54 AM on June 18, 2011


And set sail for mom & dad & sis discovering you've been bullying strangers for entertainment.
posted by Anything at 8:24 AM on June 18, 2011


One of the other interesting side-stories to the LulSux saga has been the feud that's developing between them and "patriotic hacktivist" th3j35t3r (links to Twitter account).
posted by gemmy at 8:51 AM on June 18, 2011


Yes. What really got weird was the business between th3j35t3r and anonakomis.

Here and here.

Is Gardiner nakomis, and jester caught him, after which Gardiner/nakomis tried to feed bullshit that instead..

Gardiner is some poor random individual whom nakomis thought was jester, and whose id nakomis stole only to get caught by jester who thought Gardiner was nakomis?

Go figure.
posted by Anything at 9:07 AM on June 18, 2011


Does that answer your question?

Yes, Ryvar, it does, very well, in fact. Thanks.

I should have mentioned that the MAC address is a unique identifier for network interface hardware. More importantly, I should have thought it through before I posted. As you say, if they want your MAC address, they can get it in the manner you described.

Not having completely learned my lesson, I guess, I'll engage in a little more speculation here. It would be possible to track the MAC address from the manufacturer to the point of sale. I don't know whether this is actually done, and my guess would be that it's not, but it could be done. Then the MAC address could be associated with the record of sale, which would also include date, time, and the point-of-sale terminal identifier. Then they could go to Best Buy and ask for the video camera footage for that checkout aisle for that date and time—assuming, of course that there is a video camera and that the video is stored that long. So, if you're really paranoid, at least be careful where you buy the adapter.
posted by Crabby Appleton at 9:26 AM on June 18, 2011


MAC addresses are unique identifiers, sure. Each manufacturer is assigned one or more 3 byte Organizationally Unique Identifier (OUI); the other 3 (or 5 for IPv6) bytes are required to be unique within that OUI.

But they are easily spoofed, depending on the device & OS in question. There's tools for it for most modern OSes that let you change your MAC address to whatever you want; in some cases for UNIX you can do it with the built in ifconfig command. It's not something you should rely on in dealing with a skilled opponent.
posted by scalefree at 9:54 AM on June 18, 2011
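
The layout described in the comment above, as an added example that is not part of the original thread: it splits a 48-bit MAC into its OUI and device part and reads the two flag bits in the first octet, which is what a defender reviewing access-point or DHCP logs can actually check. The `OBSERVED` values are constructed samples (the first is the address quoted earlier in the thread) and the function names are hypothetical.

```python
import re

def parse_mac(text):
    """Return the 6 raw bytes of a 48-bit MAC written with ':', '-' or '.' separators."""
    digits = re.sub(r"[:\-.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)

def describe(text):
    mac = parse_mac(text)
    first = mac[0]
    return {
        "oui": ":".join(f"{b:02X}" for b in mac[:3]),   # assigned to the manufacturer
        "nic": ":".join(f"{b:02X}" for b in mac[3:]),   # unique within that OUI
        "multicast": bool(first & 0x01),                # I/G bit: group address
        "locally_administered": bool(first & 0x02),     # U/L bit: set by software
    }

def review(observed):
    """Classify source addresses seen in a log (hypothetical helper)."""
    findings = []
    for text in observed:
        try:
            info = describe(text)
        except ValueError:
            findings.append((text, "malformed"))
            continue
        if info["multicast"]:
            verdict = "invalid-source"      # a group address is never a real sender
        elif info["locally_administered"]:
            verdict = "software-assigned"   # not a burned-in vendor address
        else:
            # Only the format is vendor-like: a host can still send any value,
            # so this verdict identifies nothing by itself.
            verdict = "vendor-format"
        findings.append((text, verdict))
    return findings

# Constructed sample input, not taken from any real capture.
OBSERVED = ["00:01:02:03:04:05", "02-1A-2B-3C-4D-5E", "0123.4567.89ab", "not-a-mac"]

if __name__ == "__main__":
    for mac, verdict in review(OBSERVED):
        print(f"{mac:20} {verdict}")
```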


As an attacker what I would worry about much more than my MAC address is my web browser profile. It's been shown that by combining a number of browser metadata elements such as OS, browser type & version, installed plugins & versions, you can create a fairly unique profile of the web browser that can be used to track its usage across multiple sites. A skilled forensic investigator with unrestricted access to web server logs of many sites (say the FBI or DHS) could correlate the logs of your hacking activity that you've taken care to hide behind an assortment of proxies with logs of your usage of legitimate sites like Amazon, Facebook, etc. It might not be enough evidence to justify an arrest but it'd certainly give enough to warrant a closer look at you. Of course this technique would be negated by use of a bootable CD as you'd look exactly like every other user of that CD.
posted by scalefree at 10:29 AM on June 18, 2011
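
The log correlation described in the comment above, as an added example that is not part of the original thread: browser attributes are hashed into a profile key that ignores the source IP, and a profile is reported only when it appears on several sites from several addresses and is rare in the data set. The records, field names and the `min_bits` threshold are all constructed assumptions.

```python
import hashlib, json, math
from collections import defaultdict

FIELDS = ("user_agent", "accept_language", "plugins", "screen")

def profile_key(rec):
    """Hash the browser attributes only; the source IP is deliberately excluded."""
    attrs = {f: rec[f] for f in FIELDS}
    attrs["plugins"] = sorted(attrs["plugins"])  # reporting order varies per request
    blob = json.dumps(attrs, sort_keys=True).encode()
    return hashlib.sha256(blob).hexdigest()[:16]

def correlate(records, min_bits=1.5):
    """Return profiles seen on >=2 sites from >=2 IPs that are rare in this data."""
    groups = defaultdict(list)
    for rec in records:
        groups[profile_key(rec)].append(rec)
    findings = []
    for key, recs in groups.items():
        sites = sorted({r["site"] for r in recs})
        ips = sorted({r["ip"] for r in recs})
        # Surprisal: the smaller the share of traffic, the more identifying.
        bits = -math.log2(len(recs) / len(records))
        if len(sites) >= 2 and len(ips) >= 2 and bits >= min_bits:
            findings.append({"profile": key, "sites": sites, "ips": ips, "bits": bits})
    return findings

def _rec(site, ip, profile):
    ua, lang, plugins, screen = profile
    return {"site": site, "ip": ip, "user_agent": ua,
            "accept_language": lang, "plugins": plugins, "screen": screen}

# Constructed sample data: one customised browser, one stock live-image browser.
RARE = ("Mozilla/5.0 (X11; Linux x86_64; rv:2.0) Gecko/20100101 Firefox/4.0",
        "en-GB,cy;q=0.7", ["Flash 10.3", "Java 6u24", "VLC 1.1.9"], "1680x1050")
RARE_REORDERED = RARE[:2] + (["VLC 1.1.9", "Flash 10.3", "Java 6u24"],) + RARE[3:]
STOCK = ("Mozilla/5.0 (X11; Linux i686; rv:2.0) Gecko/20100101 Firefox/4.0",
         "en-US", [], "1024x768")
OTHER = ("Opera/9.80 (Windows NT 6.1; U; en) Presto/2.8.131 Version/11.11",
         "en-US", ["Flash 10.3"], "1280x800")

RECORDS = [
    _rec("shop.example", "198.51.100.7", RARE),             # direct connection
    _rec("forum.example", "203.0.113.50", RARE_REORDERED),  # same browser via a proxy
    _rec("forum.example", "192.0.2.11", STOCK),
    _rec("shop.example", "192.0.2.12", STOCK),
    _rec("news.example", "192.0.2.13", STOCK),
    _rec("forum.example", "192.0.2.14", STOCK),
    _rec("news.example", "192.0.2.15", STOCK),
    _rec("news.example", "192.0.2.99", OTHER),
]

if __name__ == "__main__":
    for f in correlate(RECORDS):
        print(f["profile"], f["sites"], f["ips"], round(f["bits"], 2))
```

The stock profile appears on three sites from five addresses but is dropped because it accounts for most of the traffic, which is the effect the comment attributes to a shared bootable CD.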


I think the smash the USB wifi device would work well in a techno-thriller. I don't think it is a realistic plan. In the movie Keanu will have a girl with him and explain the MAC address concept with a 30 second animation taking us through the NET, then he could drop it into a blender to destroy it before trashing it saying, "will it blend."
posted by humanfont at 10:51 AM on June 18, 2011 [1 favorite]


Regarding 'LulzSec Exposed': them having already produced one false positive (kayla) doesn't exactly raise confidence.
posted by Anything at 5:46 PM on June 19, 2011


scalefree: the web-browser profile bit is why I suggested a bootable Linux distro that you shred the disk for afterward: they might be able to tie together the facts that hacks A and B were done by the same person, but the user agent string, TCP sequence number randomization, ACK response times... blah blah blah all the usual fingerprinting tricks ...will be for an OS your home connection never sees and, should the worst happen, there's no forensic evidence of you having ever used.

Crabby Appleton:
It would be possible to track the MAC address from the manufacturer to the point of sale. I don't know whether this is actually done, and my guess would be that it's not, but it could be done.

Under current large retail chain logistics, it's not possible - Best Buy and most major computer retailers will log shipments of X number of USB Wifi Adapters of a certain product number leaving their warehouses, and any purchases of that product at specific registers in specific stores at a specific date and time. Actual individual units do not have a specific ID number assigned to them within retailers' systems nor logged as part of the sale, so there can be no database for mapping specific retail boxes to MAC addresses. Additionally, there are a lot of stores similar to Best Buy as far as "sells that $10 USB wifi adapter" goes.

In order to get footage of you buying one of these, the FBI would have to match the MAC address (assuming you didn't spoof it, which you DID, right? RIGHT??) to a specific product #, which is extremely straightforward. Once they have that, they would have to figure out every store within reasonable driving distance of the hack that might sell that product to confirm that they do, and then request sales records for every purchase of that product in, say, the two weeks prior to the hack. After doing that, they'd have to get every store who sold one of those adapters in those two weeks inside a major metropolitan area to provide video footage of the sale, and deal with the lack of standardization between the various shops' arcane systems. All for grainy footage of you in a baseball cap paying with cash. Maybe.

Even then there's no guarantee, whatsoever, that this is going to snare you. Because you were smart and spoofed the MAC address your adapter was using in the first place, right?

Point is: it's moot, even if they could do what you're talking about, which they can't.
posted by Ryvar at 7:46 PM on June 19, 2011


Lulzsec Outs "Snitches" After UK Arrest
The age-old adage that there's "no honor among thieves" appears to be playing out in the world of hacking, as well, as members of the online hacking group Lulzsec published information identifying two associates they accuse of informing on them to authorities.

The outing followed the arrest on Monday of a 19 year old UK man, identified as Brian Cleary, who is alleged to be an active member of the anarchic online group LulzSec. The two individuals who were identified by Lulzsec on Tuesday, both U.S. residents, are accused of leaking logs on LulzSec "associates," according to a message posted online by the group.

The leak is just the latest public release to identify, or "dox" members of Anonymous and the closely related LulzSec. In recent months, a large number of chat logs and other documents that claim to identify the leadership of Anonymous and Lulzsec have been leaked to publicly accessible Web sites like Pastebin.com.

In March, a splinter group known as Backtrace Security published what it claims was a list of full- and partial identities of Anonymous's leadership. Also in recent days, Internet Relay Chat (IRC) logs claiming to be from a restricted administrative channel used by top Lulzsec members was published online. The chat depicts members discussing hacks against Sony, sharing information on vulnerable Web sites and discussing future actions.

Also on Wednesday, a blog called LulzSec exposed posted personal contact information for an individual it claims is a top IRC administrator in the group who goes by the name Power2All.
So, I think that counts as at least partial credit for me, yes?
posted by scalefree at 11:04 AM on June 22, 2011


Lulzsec suspected in Bitcoin attack from The Guardian.
posted by humanfont at 6:19 PM on June 22, 2011






And now they've decided to stop. Methinks someone got closer to their real identities than they'd imagined.
posted by ymgve at 4:20 PM on June 25, 2011


Methinks someone got closer to their real identities than they'd imagined.

Yeah, about that...
posted by scalefree at 8:52 AM on June 26, 2011


Yikes, there's some pretty vile transphobic vitriol directed at several specific named individuals in that article scalefree linked.
posted by Acheman at 9:56 AM on June 26, 2011




Yikes, there's some pretty vile transphobic vitriol directed at several specific named individuals in that article scalefree linked.

If it weren't for the high profile computer intrusions this whole saga would be better suited for LiveJournal or some backwater Chan site. They're all a pack of emotionally stunted teenagers acting out with power far beyond their ability to use wisely, abetted by a lazy media looking to feed our appetite for sensationalism and a security community whose failure to improve the overall security of the Internet is frankly embarrassing.
posted by scalefree at 11:11 AM on June 27, 2011


The hackers who released the Tony Blair contact info now claim to be releasing proof of lulzsec identities some time in the future. Link and link.
posted by Anything at 1:26 PM on June 27, 2011


Well, I guess there really is no honor among thieves.
posted by crunchland at 3:32 PM on June 27, 2011


Sure there is, there has to be a common interest that coincides with self-interest. It is akin to anarchy in the notion of protecting the group before all others. The question of morals is settled, thievery is wrong in any culture. The only thing left is ethics. In this world ethics are re-enforced with actions that go beyond the law in most cases.

everyone knows you don't rat.
and violent coercion is not ratting, ratting is giving up what you value to protect your freedom from a place you know you should or could be in the first place.
posted by clavdivs at 3:42 PM on June 27, 2011






This thread has been archived and is closed to new comments