Why LulzSec Was Un-Hackable, And Why That's A Good Thing
from the neutrality,-naturally dept
UPDATE: As several people have pointed out, the news broke that several LulzSec members were arrested this morning, and that the leader of the group had been working as an FBI informant. We'll have more commentary on this later.
The question of service provider neutrality is central to every debate about internet policy. From PayPal cutting off Wikileaks to Twitter pushing back against the feds to the new Righthaven's "spineful" hosting, the responsibility of companies to neutrally protect their customers is a contentious topic.
New Scientist has an interview with Matthew Prince, the CEO of CloudFlare, a network security/performance service for websites. One of their recent high-profile customers was LulzSec, the controversial hacker group that executed a string of takedowns and data breaches last year, but whose own website proved impervious to constant hacking attempts because of CloudFlare. Prince talks about their decision to treat LulzSec the same as any other client:
Internally, we had a debate about the right thing to do. It's important to note that because of the way CloudFlare works, no hacking activity was launched from our network – it was simply a matter of publishing information. So hacking happened in other places and then when they published the information about their exploits it would pass through the CloudFlare network.
So in that sense we're more akin to network provider than a hosting provider. If we were to terminate Lulz Security as a client that wouldn't make the content go away, it wouldn't take it off the internet, it would just make it slow and more vulnerable to attacks. Our goal is to power a better internet. There are a lot of things on the internet that I personally find quite troubling and the list of those things is maybe very different from yours, but our role as a company wasn't to play internet censor.
It's good to see companies standing firm on this point. Anyone who understands the internet knows that it runs on fundamental principles of neutrality. Similarly, anyone who understands innovation online knows how vital it is that companies are able to build off the services of others without fear of discrimination. Sometimes this puts service providers in a tough spot, because the pressure placed on them can be intense—but the ones who navigate the situation without betraying their customers send a powerful message about their commitment to internet ideals.
Interestingly, Prince also explains that because of the way CloudFlare security works, the aggression from the white-hat hacker community (Update: a commenter raised the question: is this really white-hat? That's a great point, and also a separate debate, so I'll just call them 'hackers' for now) against LulzSec actually helped improve security online:
... the attacks against their website just went through the roof. We were actually able to track what those attacks were and provide better and better security over time to help everyone who was on our network.
CloudFlare's core value comes from the fact that every website that is part of our system helps contribute data in order to better protect other websites. As one website gets attacked, the knowledge about that attack is immediately shared with the rest of the websites, so that the system gets smarter and smarter over time.
Stories like this also show that while net neutrality is an important concept, regulating it is ultimately less than ideal. When permitted to function without interference, the nature of the internet already encourages and rewards neutrality, with everyone benefiting the most when nobody discriminates.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: security, service
Companies: cloudflare, lulzsec
Reader Comments
Subscribe: RSS
View by: Time | Thread
White hats are supposed to be the good guys and black hats the bad guys. Problem being, when is an action "good"? A better and more clear definition is the black hats are the aggressors and the white hats are the ones trying to secure a network. The aggressors in this case are still most likely breaking the law, however good their intentions.
At best this makes them grey hats.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
Fascinating article,replys.
I know nothing of the universe under the surface of my comp.screen.i know my speakers howl frm the depths of somewhere beautifully when trying to stream,load a movie in my 280p!
Alas my life missed coding and the comprehension, the beauty of numbers.i went to a convent in the 1980S,where home economics and choir prevailed.URGHH.
My math teacher 9-10 grade was a sadly senile nun hence disengagment.
More rambling: disclaimer-i have flu delerium!
So anyway, i missed my calling somewhat,alot.
So
Respect to the Numbered Man.for coding,hacknsack, is an incredibly ordered business,imaginative logic rules does it not?intrinzic balance must be found.
.freedoms/abuse
Chaos/control.the great dualities.
cath.,melbourne
[ link to this | view in chronology ]
Re: Re:
Exactly. You also have red hat.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re:
"Evil" Blackhat LulzSec hacked poor innocent companies, and then posted material online. They made many people sad because they used the same password everywhere.
"Good" Whitehat Hackers attempted to take down LulzSec to end the fun and festivities. They were protecting peoples rights to be stupid, and ignore the corporations total lack of concern for their customers.
In the end a few very skilled people managed to make Cloudflare better by focusing tools, like any tool - neutral, on the defenses.
Some people think LulzSec were the white hats, showing corporate greed winning over basic protection of customers.
Some people think LulzSex were the black hats, getting people's account infos and turning them over to people who would order dildos for the account owners on Amazon.
Some people think the Lousie Boat actually exists, but they tend to not be allowed sharp objects.
Unlike old westerns, the hat changes color based solely on the perception of the viewer.
But then this is about why the net is best left to repair and adapt itself on its own. Without someone trying to make it a civilized place, or give corporations buttons to make things they dislike go away.
Lessons learned -
Never expect a corporation to do anything to protect your info.
Never use the same password everywhere.
Your the first line of your own security, no one else cares enough about you to do it for you... do you care enough?
Oh and... Never get involved in a land war in Asia.
[ link to this | view in chronology ]
Re: Re:
...
...
I think I had a girlfriend that used to do that from time to time...
[ link to this | view in chronology ]
Re: Skillsets
The skills used by hackers of any hot color (mine is brown, for example) are largely the same. A "security expert" needs the same knowledge and skill of infiltration that an infiltrator would use against his facility.
[ link to this | view in chronology ]
Re:
This is a really good point. It was Prince who called them White Hat in the interview and I just sort of let that slip into the post - but now you've got me wondering.
I guess the one distinction that still stands is that The Jester and other "white hat" hackers *announced* that they would be trying to hack LulzSec, and presumably didn't plan on actually taking any data or doing any damage - that seems to be one of the biggest white hat / black hat factors.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
- black hat - hackers that use their hacks for their own gain (monetary? e.g. 0-day exploit sales)
- white hats - working with the company or at least asking for permission
- grey hats - same as white, but not asking for permission and sometimes ridiculing the company by exposing the hack (so, not working with the company but not selling or extorting with that exploit)
Lulsec are not selling 0-day exploits, are they? I see them as grey. Like Adrian Lamo, before FBI informant days.
Jester seems white. But he also could be viewed as grey.
[ link to this | view in chronology ]
Crap, it's the Borg...
[ link to this | view in chronology ]
Credibility
The irony is that this is an article about neutrality.
I'm starting to think that Techdirt cares less about informing and more about preaching to the choir.
Techdirt is an internet news source that I still respect, for now. Please, in the fight against internet ignorance continue to inform, not attack. We musn't become the finger pointing, one-sided lemmings that we fight so hard against.
[ link to this | view in chronology ]
Re: Credibility
I don't think it is practical for every post to explain the full context. It would be boring to read for regular readers and would also leave less time for analysis of the ongoing issues.
As long as there are links back to the earlier posts then I think that is reasonable. The reader has to take some responsibility for their own education on issues.
[ link to this | view in chronology ]
Re: Re: Credibility
I said: "Please, in the fight against internet ignorance continue to inform, not attack. We musn't become the finger pointing, one-sided lemmings that we fight so hard against."
I thought I made it pretty clear that I was questioning Techdirt's priority of attack over information, not assuming them a role as educators. I guess I wasn't. I will continue to work on my rhetoric.
If you'd like me to clarify further, or would like to help me improve my modes of discourse, shoot me a pm so we can stay out of the main comments thread.
[ link to this | view in chronology ]
HAHA
THAT'S the real story. END of story really.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
http://www.foxnews.com/scitech/2012/03/06/hacking-group-lulzsec-swept-up-by-law-e nforcement/
[ link to this | view in chronology ]
Re:
If I was one of the Anonymous leaders right now, I would be shitting my pants. One of your own is pointing you out to the cops right now.
[ link to this | view in chronology ]
LulzSec Down?
I won't believe it till I hear some details, beyond the FBI posturing...
[ link to this | view in chronology ]
Re: LulzSec Down?
[ link to this | view in chronology ]
So here is the question: How much of a discount or kick back does Techdirt get for writing happy and nice pieces about Cloudflare?
Also, why not address the issues that Cloudflare appears to have some outages anyway, and being that they take all the sites likely to get DDoS attacks and other nasty things happening, that the risk that an innocent site is taken down when their network gets attacked is higher.
It's a nice piece their Marcus, I bet Mike didn't have the gall to write it himself.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Transparency
As for CloudFlare having outages, can you name a service that doesn't? Yes, aggregative services like CloudFlare (and, in a different way, any ISPs) increase the likelihood of collateral damage for innocent sites being aggregated with DoS targets, however the risk/cost must be weighed against the benefits of somebody knowledgable actually watching your web infrastructure to make sure it performs well and security issues are addressed.
[ link to this | view in chronology ]
Re: Re: Transparency
You won't be aware of it from reading the piece. It just seems like a nice happy, happy, look how good a service they have thing. It's dishonest for there not be a clear disclaimer about the business arrangements between Techdirt and Cloudflare.
This is the sort of thing the FTC talked about in the past, blogs that don't disclose.
[ link to this | view in chronology ]
Re:
Techdirt does not use CloudFlare.
[ link to this | view in chronology ]
Re: Re:
Got it.
[ link to this | view in chronology ]
Re: Re: Re:
TechDirt briefly tried out CloudFlare - and decided not to continue using it. If you don't believe me, you can go look up the DNS records.
[ link to this | view in chronology ]
Re: Re:
"Domain Name:
8 Characters Length:
#12,551 Alexa Traffic Rank:
Nameservers:
jim.ns.cloudflare.com
kate.ns.cloudflare.com"
http://webcache.googleusercon tent.com/search?q=cache:ROGzClif89kJ:webipaddress.net/www.techdirt.com+&cd=8&hl=en&ct=cl nk&gl=ca
You can apologize now, or look like an asshole. Your choice!
[ link to this | view in chronology ]
Re: Re: Re:
Those records are two weeks and four days expired. As I said - they tried it, then stopped. The updated records point to dnsbox:
http://dns.l4x.org/techdirt.com
[ link to this | view in chronology ]
Re: Re: Re: Re:
Nah, didn't think so either...
[ link to this | view in chronology ]
Re: Re: Re:
Tell me, hoe retarded are you, really?
[ link to this | view in chronology ]
Re:
We are not. Nice try, though.
We did test Cloudflare briefly a couple weeks ago.
So here is the question: How much of a discount or kick back does Techdirt get for writing happy and nice pieces about Cloudflare?
Considering we're not using them and that we don't do kickbacks/discounts in exchange for posts no matter what, the answer is absolutely none.
You might want to just admit you were wrong and move on.
[ link to this | view in chronology ]
Re: Re:
I have shown you DNS records that indicate you were on Cloudflare.
I have shown that you have (on more than on occassion now) written nice pieces about them.
We even had a discussion a few weeks ago about your whois information being hidden (private), and how you had moved to this service.
Are you denying it?
Holy crap. You guys won't give up, will you? Trying to discredit someone who points out what is really going on, using the same sort of things you use to try to discredit everyone else. Come on Mike admit it - Marcus should have mentioned something. The FTC wouldn't be impressed!
[ link to this | view in chronology ]
Re: Re: Re:
Wow... how much time do you have?
[ link to this | view in chronology ]
Re: Re: Re:
Why don't you go and tell them all about it. Will you post a copy of their response to you when they laugh at your mixture of desperation, paranoia and incompetence? I doubt it... Never mind, we're all having a laugh at you anyway.
[ link to this | view in chronology ]
Re: Re: Re:
You falsely claimed that we are on Cloudflare and that we have a relationship with them. You falsely suggested that there was some sort of quid pro quo for writing about a company where there was no such deal and we have no relationship with (in fact, a firm whose service we tested, but chose not to use -- so, if anything, there's a negative relationship in that we chose not to use them).
And when caught, you're too clueless to stop digging. Okay, you weren't "wrong" about that. You just look silly.
Holy crap. You guys won't give up, will you?
I believe you're referring to yourself.
Trying to discredit someone who points out what is really going on
No we're pointing out that you're wrong because you are wrong. "What is really going on" is that you're wrong.
using the same sort of things you use to try to discredit everyone else
This makes no sense.
Come on Mike admit it - Marcus should have mentioned something.
Hahah. What should he have mentioned? Really. What should he have mentioned?
The FTC wouldn't be impressed!
Please, tell them. And send me a copy of the complaint and their reply. This ought to be fun.
[ link to this | view in chronology ]
Re: Re: Re: Re:
"You are aware that Techdirt is now using the service, right?"
When was the last time you were on cloudflare? A couple of weeks ago? I don't check your network status every day. Last I saw, you were on Cloudflare (and floundering badly). Since I didn't see any public post about changing hosting since our last discussion, it is a fair assumption that you are still with them. Congrats on changing hosts (again!).
Would you care to point out your post about changing hosts?
"It's dishonest for there not be a clear disclaimer about the business arrangements between Techdirt and Cloudflare."
The type of disclosure you made earlier "We did test Cloudflare briefly a couple weeks ago." is the sort of thing that should have been in the original article. It would provide context for Marcus's rah-rah post (a poorly timed one too, I might add). It would clear up any potential for misunderstanding. Clearly, Techdirt has used Cloudflare services, and positive articles have been posted about them. Why not just say it, get it out there, and make it clear that you no longer have any business dealings with them?
You have used much flimsier material to try to discredit or slam other groups on your site over the years. Don't you think that you should be working to more clearly explain your business relationships with the companies that you blog about? This is especially true when the stories read almost more like press releases?
I think the FTC already has a file on you. You might want to try a FOIA to see... :)
[ link to this | view in chronology ]
You might want to check that again...
You'll find:
Domain Name: Techdirt.com
Length: 8 Characters
Alexa Traffic Rank: #N/A
Nameservers:
ns.dnsbox.net
ns2.dnsbox.net
I have shown you DNS records that indicate you were on Cloudflare.
And they responded that they did temporarily. So there's no argument there. But they've moved on since then. Constantly accusing them of still being on Cloudflare when your own updated link says they're not shows you're just arguing for the sake of arguing.
[ link to this | view in chronology ]
Re: You might want to check that again...
It's equally amusing to see that the service wasn't good for Techdirt, yet "saved" Lulzsec. Not sure how that works out.
[ link to this | view in chronology ]
Re: Re: You might want to check that again...
[ link to this | view in chronology ]
Re: Re: Re: You might want to check that again...
Don't you have some copyright stuff to go make?
[ link to this | view in chronology ]
Re: Re: Re: Re: You might want to check that again...
Wow, you're still trying to make that one stick? It was a pathetic enough attack when I worked at National Post.
[ link to this | view in chronology ]
The FBI busted LulzSec !!!
"For the last eight months, the self-styled “hacktivists” who make up LulzSec and the international hacker community beyond have been led by a turncoat.
Like a Mafia don who wears a wire to ensnare his own soldiers, Hector Xavier Monsegur, aka “Sabu,” has been helping the FBI track down and gather evidence against his associates, tweeting out misinformation and even protecting the CIA among other government and financial institutions from hacks, according to sources close to the LulzSec leader and law enforcement officials in charge of the months-long international hacking probe capped by international arrests of the remaining LulzSec leaders on Tuesday morning.
Flipping Monsegur wasn’t easy. But with a charge of aggravated identity theft and a two-year prison sentence to hang over his head, the FBI forced Monsegur to weigh the political beliefs that drove him and his allegiance to cohorts around the world against his desire to be with his kids—he is the guardian of two children—and his extended family.
“He didn’t go easy,” a law enforcement official involved in flipping Sabu told FoxNews.com. “It was because of his kids. He didn’t want to go away to prison and leave them. That’s how we got him.”
“He really cares about these kids,” a source said. “They’re young [and] he is really worried about what will happen.”
On August 15, 2011 Monsegur pleaded guilty to more than ten charges relating to his hacking activity. In the following few weeks, he worked almost daily out of FBI offices, helping the feds identify and ultimately take down the other high-level members of LulzSec and Anonymous, sources said"...
...
http://www.foxnews.com/scitech/2012/03/06/exclusive-inside-lulzsec-mastermind-turns -on-his-minions/
[ link to this | view in chronology ]
Re: The FBI busted LulzSec !!!
HAHAAHAHAHAHAHAHAHAHAHAHAHAH!
[ link to this | view in chronology ]
Re: Re: The FBI busted LulzSec !!!
I think the best part about this is that it makes the entire piece from Marcus null. Basically, they weren't hacked because, well, they were protected.
Umm, no. CloudFlare still blocked tonnes of attacks from numerous parties directed against the LulzSec website, using the same tech they use for countless other sites. I don't see how their secret involvement with the FBI has anything to do with that.
[ link to this | view in chronology ]
Re: Re: Re: The FBI busted LulzSec !!!
I would guess that anyone attacking Lulzsec would have gotten a door knock from the FBI. After all, they were probably monitoring the stuff very closely. I wonder if Cloudflare provided them info?
[ link to this | view in chronology ]
Re: Re: Re: Re: The FBI busted LulzSec !!!
Would be interesting to see if anyone gets nabbed for those attacks on Lulzsec's webpage or Anonymous public outlets.
[ link to this | view in chronology ]
Re: The FBI busted LulzSec !!!
you know, the whole 'you wouldn't want something to happen to your kids now, would you?' angle...
probably just an unfortunate arrangement in the quoted article, but still.
[ link to this | view in chronology ]
OUR Internet
Governments have no right to have ANY say on how it works unless we tell them they do! We need to make this very clear to them.
[ link to this | view in chronology ]
Organisms try to infiltrate other organism and they all learn something in the process and evolve.
Networks apparently do the same thing, unless you are a US government IT manager.
Ok that is low and uncalled for still, one can gauge the level of sophistication in Washington just by seeing them get outed by Mike here for their astroturf initiatives LoL
ps: It doesn't happen just here everywhere the people in Washington and law enforcement apparently get owned every time. One can only hope that the NSA and the CIA can do better since at least the CIA have some experience in not losing their field agents in hostile territory.
Every politician and law enforcement agent should be mandated to attend Shmoocon or DefCon to get pwned and realize they need to do better.
Even normal people are doing it, as downloads for darknets can attest. Slowly but surely we are going into a encrypted network with all the bad and the good that brings.
[ link to this | view in chronology ]