The End Of LulzSec Is Not The End Of Hactivism
from the don't-be-misled dept
Lots of news over the weekend concerning the surprise announcement that LulzSec -- the group of "hactivists-for-the-lulz" who were able to generate so much attention -- had announced plans to disband just a day or so after promising many more hacks. The speculation, of course, was that they realized that law enforcement might be closing in on some of them. The group, not surprisingly, denies all this and insists it always planned to call it quits about now anyway. I doubt this is true, but I don't think it really matters. I think the thing that people are underestimating is that LulzSec wasn't so much an "organization," as it was a group who got together in an ad hoc manner and decided to go on this hacking rampage. The point is that pretty much any group of decently skilled hackers could decide to do the same thing. Hell, the same group could decide to do the same thing under a different name. Between LulzSec, Anonymous and others, people are beginning to recognize that they can have a pretty big impact with some pretty straightforward hacks. That realization isn't going to go away any time soon.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: hactivism, hactivists, lulzsec
Reader Comments
Subscribe: RSS
View by: Time | Thread
Anytime a small group gets attention, it's likely either an intelligence op,
[ link to this | view in chronology ]
Re: Anytime a small group gets attention, it's likely either an intelligence op,
[ link to this | view in chronology ]
Re: Re: Anytime a small group gets attention, it's likely either an intelligence op,
http://www.zerohedge.com/article/operation-intifada-hacker-group-anonymous-prepares-ddo s-attack-israel-parliament
[ link to this | view in chronology ]
Sony claiming it would take super hackers to get into their systems, and their systems fell like dominoes pushed over by a gust of wind.
The Government "response" was what we have come to accept, hearings that mean and accomplish nothing. They put on a pretty crappy dog and pony show, hell Sony felt it was such a joke they opted to not attend.
The media and many people want to focus on OMG THEY PUT MY PASSWORD OUT THERE!!!! Well there are a couple things that should make you more pissed.
1 - Your a moron using the same password for EVERYTHING. But our personal responsibility has been slashed to this being someone else's fault.
2 - While the technical details of how they got the information might sound like "Mission Impossible" tactics, to put it into more concrete terms - imagine your bank sold you a safety deposit box, promised you it was super safe, and then locked it with duct tape.
3 - As Sony pumped out more stories about this being an isolated super hacker attack, their network was being infiltrated left and right with tools that in real world terms would be a straighten paper clip.
4 - The US Government has taken the stance of if you launch a cyberattack on us, we will bomb you. Rather than question why super critical systems are plugged into a AOL account. And then you see the Senate hacked and a challenge of is this enough to get us bombed?
5 - People with .gov and .mil email accounts have time to use their official accounts to look at porn, seems like a failure of what should be safe security practices.
6 - WHY OH WHY RELEASE THIS INFORMATION!!!! Because if they had claimed they had it with no proof, it would have been blown off as boasting.
If Lulzsec made it in using the techniques they claimed, they were NOT the first ones to gain access.
By shining a huge fireball on all of this people became aware that the Corporations can not and will not protect their consumers unless you make that failure more expensive than basic security steps. And given the lack of anyone stepping up to inflict penalties, this is something we should accept.
The rest of the story wrote itself, the FBI seized servers completely uninvolved and their new powers mean they can keep a copy of that data for future use. The people who crippled the economy are barely looked at, while there is a world wide manhunt for a 19 yr old on the autism spectrum who ran an IRC server and MIGHT have DDOS's a website or 2.
One can only hope that the Government will not pat themselves on the back and declare all is well and continue on the same path. Things need to change, and while you can force the people into "Free Speech Zones" so far removed from the events no one else notices, your assumption that we punished a 19yr old and they will scare the rest off is a bad one to make.
With CCTVs, kettling, and infiltration of any group who dislikes how things are happening, sometimes the safest place is in cyberspace to make your voice heard. Given how quickly information spreads and often avoids the spin machines used by the media, it is a very fast way to get the word out that the King is naked.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
2 strong passwords might be hard, but when they use simple words, they aren't trying at all.
There are methods that can use used, each with its own upsides and downsides, but when you have someone consulting for the Government using a simple password for everything from his servers to his mail... there is a problem.
Not everything needs an RSA auth token... er wait that got fooked too, but when people think the dogs name is the best password ever for every site... we have issues.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re:
Steve Gibson has posted a tool that allows you to test how much time it might take to really randomly hit your password if they try every other permutation.
https://www.grc.com/haystack.htm
They upside is length and using all four character sets makes it harder to search for. Using uppercase letters, lowercase letters, numbers and symbols in a long enough password makes you a hard target. So you can use something like pA$$W0rd!!!!!!!!!!! and be more secure than someone who only used lower case letters and a password that is 40 characterless long. Just padding out shorter passwords with a repeating pattern will increase security.
Lastpass at https://lastpass.com/ generates a secure password for every website you visit after you log in with your one good secure password. It stores your passwords in a secure encoded file on your local machine and sends that file to their server. To access that file you use your strong password and login.
[ link to this | view in chronology ]
Re: Re: Re:
Sure your Facebook password can be the dogs name if you want, but assume that will fall quickly. The damage that can be done on Facebook might seem horrible, but less concrete than the damage done when you loose your bank or amazon account because your password was banking+dogname or dogname+amazon.
And if they were practicing real security the passwords shouldn't have been in plaintext for the taking from the server.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
It doesn't use a sever on the net, but also can be run from a flash drive if you need to travel with it.
The portable version is packaged for the PortableApps platform, and they have many useful tools all designed to run from a flash drive and leave no traces behind on the host machine.
[ link to this | view in chronology ]
Re: Re: Re: Re:
I'd log in more but this site doesn't autofill and I'm too lazy to log in every time.
The good news is that if your password is complicated enough you won't be the low hanging fruit that gets easily hacked.
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
It absolutely doesn't matter. I find myself in the bizarre position of being a public scold to thousands of people who are trying to publicly scold a bunch of psuedononymous amoral pranksters.
They were in it for their own amusement, and for publicity. Even if you catch them (I drive past this place on my way to work every day, so if you say the FBI will catch LulzSec: lulz), that's not going to put the genie back in the bottle. The disease of our age is narcissism, and narcissists never think there are real consequences attached to their actions, so once LulzSec makes hacktivism cool (too late) it's going to breed a resurgence of the script-kiddie tomfoolery some of us might remember from the early/mid-90's.
The motivation for the retreat doesn't matter, the impression was made.
[ link to this | view in chronology ]
To be cool now you get to embarrass the government or you are just a little fishy.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re:
Bill Hicks
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
If mom finds out what they have been doing, they are going to get a serious spanking.
[ link to this | view in chronology ]
And the hacks are continuing.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Hacktivism?
I don't want any more groups to follow that example.
[ link to this | view in chronology ]
Re: Hacktivism?
Maybe you expect that company will fess up they were breached.
Maybe you expect that they will help clean up the mess they turned your life into.
[ link to this | view in chronology ]
Password keepers...
Even *if* I were dumb enough to use weak passwords across multiple sites, someone obtaining that password doesn't necessarily know on *what* sites that password will work.
If I have a single point of entry to ALL my passwords... Then they only have to get that one file. Even worse if that file is in "the cloud." Who says the keepers of these password services are any more secure?
[ link to this | view in chronology ]
Re: Password keepers...
Here is an example. You have to register with your email address, you decide to use the same password you use to access your email.
I can raid your email history to find out what sites you belong to, and even if your crappy password doesn't work well I have control over your email account and I can just use the handy "forgot password" button and have access in minutes.
There may not be a perfect solution yet, but anything is better than what we have seen that people are doing in real life.
[ link to this | view in chronology ]
Re: Password keepers...
All this talk of "good/strong passwords" - but what good is that if the password is stored in a database totally unencrypted when a hacker gets his/her hands on it? Four or forty characters, if it's there, it's there.
[ link to this | view in chronology ]
realization isn't going to go away any time soon - but the hackers are.
Just as they are beginning to realise that what they do is not appreciated by many other people, and many other hackers, who will happily attack them, and hack them and make public the identities of those responsible for those acts.
They also realise, that once this occures, they are DONE!
They have out outsmarted, out hacked, and outed.
they are also aware that when they are caught, they might do prison time, and would probably desire to leave their arse intanct.
There is a great deal of very stupid people in the world, so im sure there will be others following their lead, and achieving the same results for themselves.
Script kiddes trying to make a name for themselves and worked out that making a name as a low grade hacker who cannot even hack without being caught!
No wonder he is getting out, probably going back to flipping burgers...
[ link to this | view in chronology ]
What 'big impact' did they have ?
it's nice to use terms like "big impact" sounds good, but if you do not state what the 'big impact' actually is, then it is impossible for anyone to guage that impact.
If you were aware of any 'big impacts' that this group and achieved I am sure that you would have stated what that impact was.
At least for the vast numbers of people who see what they have done, and want to also make a 'big impact', but seeing that their actual impact appears to be minimal, and the fact that they LOST and QUIT, after being 'uncovered' I would say the only impact on that group is ON THAT GROUP,
Yes, they did have a big impact on their own futures and on the perception of everyone else, that being "these guys are not very good at what they claim to be very good at".
After all they got caught, and they gave up the fight, once they knew that they had been found out.
So I guess they just put up the "mission accomplished" flag, fly out to the nearest aircraft carrier and claim "we've done it"!!! Done what ?
[ link to this | view in chronology ]
Re: What 'big impact' did they have ?
The impact is largely that the general populace is more aware of how pathetically insecure some major systems are. That even data stored with seemingly safe organisations such as Sony is actually unsafe.
Time will tell if it has any real impact in the long term, but this is now being discussed in the mainstream media, and a lot of people are aware that even large scale organisations can be taken offline. Whether you consider this particular group to be "real" hackers or not, the issue is now on the table and, sadly, it taken the kinds of damage done to get peoples' attention nowadays.
I'm not holding my breath for lasting change, but at least it's being discussed... until the next group...
"I guess they just put up the "mission accomplished" flag, fly out to the nearest aircraft carrier and claim "we've done it"!!! "
Well, at least they be more truthful than Bush was when he did that...
[ link to this | view in chronology ]
benefits
The other beneficial effect was a real test of the effectiveness of the Tor onion routing network in preserving anonymity. Lulzsec not only used Tor for the actual hacks but for their IRC chats and twitter proclamations. The FBI has been trying really, really hard to catch them, but tracing them through their network activities was, apparently, a dead end. However, be wary of renewed US efforts to ban anonymity, from the government at least, on the internet.
[ link to this | view in chronology ]
Re: benefits
And they dont know because they dont care, you think this is making governments more aware of hacking ? you are freaking kidding right!
And they were FOUND OUT, he was named, so much for TOR security !!!
how was he found out? a "REAL" hacker decided to 'hack the hacker' end result, they quit...
yes, now that is something to strive for !!!
[ link to this | view in chronology ]
Re: Re: benefits
As for government organizations, I assure you the Arizona Department of Public Safety is correcting their ridiculously low level of computer security. The password of several members accounts were found out by either a password cracking program trying multiple passwords for each particular account over the internet, or by running a cracking program on the password hash file somehow copied off a server. They should have in place a small limit to login attempts before the account is locked out. In addition, the password hash file should be protected and accessible only to network administrators. At any rate, the base problem was weak passwords. They should have software in place to enforce strong passwords. Microsoft Windows can be configured to do this at varying strengths. A fix is fairly easy for this vulnerability and I'll bet all sorts of law enforcement agencies across the country are looking into this. Arizona's DPS surely didn't think they would be a hacking target. Other government organizations can look at that and say it could just as easily been them.
We don't know how Ryan Cleary was caught and the LEOs don't want us to know. If Tor was fully compromised all of the Lulzsec members would have been caught. I think it is very unlikely that enough Tor nodes were compromised that even one member would have, randomly, been caught. I think it much more likely he made a mistake along with someone who had contact with him deciding to snitch. My point about Tor was that Tor itself was not compromised. I wasn't saying they couldn't be caught even though they were using Tor.
I don't see any point in belittling the, supposed, lack of skills of the guy who was caught. The most experienced hacker will want to write, or use, tools that automate the hacking. Just because someone didn't write the tools they are using doesn't make them stupid, or less dangerous. The fact that these hackers are battling among themselves is something that law enforcement approves of or even enables (e.g Cointelpro).
I definitely have mixed feelings about Lulzsec. They should not have published home addresses of law enforcement agents. The DDOS attack on the CIA public website was pointless. Their choice of targets sometimes seemed to have juvenile motivations. A more dedicated hacktivist would argue that they wasted opportunities by not keeping their hacking successes secret and then monitoring government and corporate websites for useful information to leak.
[ link to this | view in chronology ]
Re: Re: Re: benefits
Or maybe they are... they got into many many places that did not get as much attention.
If they are to be believed, and I would not doubt them at this point, they have compiled several times more than what was released.
It is very possible that they are holding onto some trump cards to protect themselves, as well as keeping a very quiet finger on the pulse of those who wish them harm.
The penetration of the UK health system with nothing leaked but just enough to prove access was gained and explaining how they did it was not so juvenile. There were no lulz in leaking health records, and that system is now more secure for their efforts.
A little public bravado is sometimes needed to focus people on the issue.
[ link to this | view in chronology ]
Re: Re: benefits
and to suggest that nobody knows about the sony hack is inane. have you been living in a box on mars? it's been everywhere. this SHOULD BE a massive wake-up call...but it won't be, because of folks like you who just presume superiority to the "lesser" hackers you deride in your post.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
to which I ask: Who claimed otherwise?
[ link to this | view in chronology ]
Why jump ship now?
http://pastebin.com/iVujX4TR
gn0sis (nigg, eekdacat, uncommon, kayla, laurelai)
madclown, topiary, avunit, sabu, tflow, joepie91
Side note:
I have just been monitoring a twitter spat between teamp0ison and anonymouSabu (sabu). I am not sure if I am watching a sequel to hackers or a playground fight.
[ link to this | view in chronology ]
Re: Why jump ship now?
If you watch Hackers backwards it is a story about a bunch of kids who fix the gibson and then go back to their crappy lives.
I wonder if their Gibson was the state of system security.
[ link to this | view in chronology ]
Re: Why jump ship now?
[ link to this | view in chronology ]
Re: Why jump ship now?
Laurelai used to live in Fayetteville Arkansas, population 73,000. This is the same town where Andrew Auernheimer (AKA Weev) lived last year and was arrested for the AT&T/iPad email hacking incident.
[ link to this | view in chronology ]