
MIT website hacked by Lulzsec - Skywing
http://mit.edu/
======
semenko
It's worse than that:

    
    
       $ whois mit.edu
          
       Domain Name: MIT.EDU
       
       Registrant:
          Massachusetts Institute of Technology
          Cambridge, MA 02139
          UNITED STATES
       
       Administrative Contact:
          I got owned
          Massachusetts Institute of Technology
          MIT Room W92-167, 77 Massachusetts Avenue
          Cambridge, MA 02139-4307
          UNITED STATES
          (617) 324-1337
          cunt@mit.edu
       
       Technical Contact:
        OWNED NETWORK OPERATIONS
          ROOT
          US
          DESTROYED, MA 02139-4307
          UNITED STATES
          (617) 253-1337
          owned@mit.edu
       
       Name Servers: 
          FRED.NS.CLOUDFLARE.COM      
          KATE.NS.CLOUDFLARE.COM      
       
       Domain record activated:    23-May-1985
       Domain record last updated: 22-Jan-2013
       Domain expires:             31-Jul-2013
    

<http://whois.educause.net/>

~~~
CrankyBear
I just checked, 1:05 Eastern, Jan. 22, 2013 and I'm getting the correct
registry info from Network Solutions.

~~~
semenko
That may've been TTL-dependent -- though the record was only restored a minute
or two ago. Educause is the EDU authoritative host.

------
manish_gill
This post has 78 points at the time of me writing this, and yet, it suddenly
disappeared from the front page. Older posts with fewer votes are still on it.
Was this post flagged? Any particular reason?

~~~
mattlong
Perhaps the mods didn't want readers clicking through to a page that is still
possibly compromised? Or maybe enough people flagged it for said reason...

------
donpdonp
How can a domain name with incredible value like MIT.EDU expire in July of
this year? Is an ivy-leage school with a $9 billion endowment renewing their
domain name year by year? It looks like the domain registration is not managed
well. My guess is the exploit was guessing a weak password at the registrar.

~~~
nessus42
Please don't lump us in with the Ivy League!

------
gxs
I don't even care about the cause behind this. But the fact that this was
yanked off the front page is fucking despicable.

~~~
ernestipark
It was likely yanked off the front page because going to a compromised website
is dangerous and a security risk.

~~~
thaumaturgy
> _...going to a compromised website is dangerous and a security risk._

...Well, that depends on your system, really.

I think it's more likely that it was ganked because linking to compromised
websites is against etiquette: they don't want to encourage that sort of thing
by drawing attention to it.

------
ultimoo
Wow, this link was the top one on the frontpage for me about 2 minutes back.
Now it has completely disappeared off it. How does this happen?

~~~
Skywing
Looks like a moderator nuked it. Great justice.

------
negativity
I'd just like to take the time to point out, that this is a direct link to a
compromised page.

Sure, the message is championing a tragic victim, but do you see how this
isn't exactly the wisest move?

Do I need to call attention to the recent Java zero-day exploit?

[http://thenextweb.com/insider/2013/01/10/new-java-
vulnerabil...](http://thenextweb.com/insider/2013/01/10/new-java-
vulnerability-is-being-exploited-in-the-wild-disabling-java-is-currently-your-
only-option/)

~~~
ryancl
Who runs java?

~~~
zokier
As if no other software has 0days.

~~~
negativity
Well, it's just an example. When a page is still compromised, and under the
control of someone unexpected, you can't really anticipate the state of the
page, and what it might deliver to your computer. I pointed that one out
because it's a pretty recent drive-by exploit. You dig?

------
mattlong
Was this story just removed from the frontpage of HN?

~~~
burningion
Yep, I think so. Interesting enough, there's almost no mention of it by anyone
else. Instead, the top article is something about a hacker news radio. Hmmm.

------
burningion
Wow, what an incredible hack. Pwnd page well designed and thought out. What a
way to make a tribute to Aaron.

EDIT: Imgur link in case it gets taken down <http://imgur.com/3AADDRT>

------
frdgr
This post disappeared from the HackerNews front page. What's going on? Flagged
by admins?

------
vinhboy
I would love to hear how this could have happened. Social engineering at the
DNS provider? Unpatched server? If someone knows, please do tell. I love
hearing about how people pull off these things. Maybe even an inside job? a
lot of people are sympathetic to the cause, maybe one of those people just
left the window open or something?

~~~
danielweber
Almost all of MIT's network administration happens within MIT, so you can't
hack it by social engineering an outsider.

~~~
lawnchair_larry
You can if the target is the registrar, which this was.

~~~
jad73994
I doubt it was a social of educause (the edu registrar); more likely some
credentials specific to MIT were compromised.

------
zokier
Yet another example how misguided modern day internet-cowboys with their tar-
and-feather vigilante justice are.

~~~
mpyne
What I really love is how they point to Aaron's wonderful piece on morality
(and I mean this sincerely). Aaron points out that you can logically justify
almost any evil if you think only of the overall good.

Had I read the piece when it was posted I would have thought it was a call to
figure out how philsophers (especially utilitarian philosophers) solve the
dilemma of "the ends justify the means" in such a way that you wouldn't
optimize for committing minor sins to effect major benefits.

But based on hacktivism since, now I'm not so sure. Aaron seemed to fall into
his own philosophical quandry, but if we assume that Aaron was justified in
what he did then we could use the same logic to say that this defacement is
justified as long it achieves some greater good.

I personally don't agree with that logic, and I think it's because it tends to
justify things like this defacement. Whenever you're lead by logic to a false
conclusion it means either your logic wrong or your axioms were wrong. Now I'm
almost confusing myself though; I'm not even sure what axioms we'd be using
for this...

~~~
neumann_alfred
It's impossible to really measure how and how much something achieves in the
long run. Not that I want to compare this defacement to that, but just to
point out the impossibility to measure such things: does the photography of
James Nachtwey help to improve the world? I'm thinking "of course it does,
there is no way it doesn't", but nobody can know how much.

If this made just 10 people reflect a bit on stuff they otherwise wouldn't
have reflected on, how much trouble and costs would this have to cause to not
have been worth it? Everybody fuzzes this kind of "math" for themselves based
on their perception and biases, there is just no clean, objective way to go
about it IMHO.

------
ryancl
Seems like someone hijacked the domain.

------
rlu
This must get pretty frustrating for MIT students...

~~~
delinka
As a university student, how many times did you find yourself visiting the
school's public-facing web site? In my case, I can count my visits on one
hand.

Now, all the other crap-- course scheduling, grades, classwork --is likely not
living on the same server. Many of these things aren't even hosted inside the
school's network but provided by some outside company.

~~~
rlu
I don't know much about this stuff but different server or not - if the domain
is hijacked then everything is broken, no?

E.G. if they had blackboard (course docs, homework, etc.) on
blackboard.mit.edu then that would be hosed right now, wouldn't it?

~~~
delinka
If you're on the _internal_ network, you're most likely using an _internal_
DNS server which would not care that the registrar claims some other DNS
server is now authoritative.

I suppose it could be a problem if you're not on campus; or if any third-party
services are not using their own domains (e.g. mit.blackboard.com)

------
devonbarrett
From <http://3down.mit.edu/3down/>

Tuesday January 22 2013 12:19:

The MIT.EDU domain has been compromised and sites external to MIT are
currently being redirected elsewhere. We are working with the domain registrar
to get this fixed.

~~~
danielweber
Lots of MIT stuff is reachable by IP. They have a /8 so they don't really
worry very much about virtual webservers. <http://18.7.28.68/3down/>

EDIT: If you need to reach an MIT service, contact their native DNS servers:

bitsy.mit.edu 18.72.0.3

strawb.mit.edu 18.71.0.151

w20ns.mit.edu 18.70.0.160

------
jessaustin
Gizmodo sez they stole educause creds from an MIT admin with a "browser
exploit":

[http://gizmodo.com/5978039/hackers-incoherently-deface-
entir...](http://gizmodo.com/5978039/hackers-incoherently-deface-entire-mit-
website)

------
Skywing
The defacing message is pretty deep, too. This is copied from the website, and
is not my own. I'm just pasting it so that it's readable here, too:

    
    
      I used to think I was a pretty good person. I certainly didn’t kill people, for example. But then Peter Singer pointed out that animals were conscious and that eating them led them to be killed and that wasn’t all that morally different from killing people after all. So I became a vegetarian. Again I thought I was a pretty good person. But then Arianna Huffington told me that by driving in a car I was pouring toxic fumes into the air and sending money to foreign dictatorships. So I got a bike instead. But then I realized that my bike seat was sewn by children in foreign sweatshops while its tubing was made by mining metals through ripping up the earth. Indeed, any money I spent was likely to go to oppressing people or destroying the planet in one way or another. And if I happen to make money some of it goes to the government which spends it blowing people up in Afghanistan or Iraq. I thought about just living off of stuff I found in dumpsters, like some friends. That way I wouldn’t be responsible for encouraging its production. But then I realized that some people buy the things they can’t find in dumpsters; if I got to the dumpster and took something before they did, they might buy it instead. The solution seemed clear: I’d have to go off-the-grid and live in a cave, gathering nuts and berries. I’d still probably be exhaling CO2 and using some of the products in the Earth, but probably only in levels that were sustainable. Perhaps you disagree with me that it’s morally wrong to kill animals or blow up people in Afghanistan. But surely you can imagine that it might be, or at least that someone could think it is. And I think it’s similarly clear that eating a hamburger or paying taxes contributes — in a very small way; perhaps only has the possibility of contributing — to those things. Even if you don’t, everyday life has a million ways that are more direct. Personally, I think it’s wrong that I get to sit at a table and gaily devour while someone else delivers more food to my table and a third person slaves over a stove. Every time I order food, I make them do more carrying and slaving. (Perhaps they get some money in return, but surely they’d prefer it if I just gave them the money.) Again, you may not think this wrong but I hope you can admit the possibility. And it’s obviously my fault. Off in the cave, I thought I was safe. But then I read Peter Singer’s latest book. He points out that for as little as a quarter, you can save a child’s life. (E.g. for 27 cents you can buy the oral rehydration salts that will save a child from fatal diarrhea.) Perhaps I was killing people after all. I couldn’t morally make money, for the reasons described above. (Although maybe it’s worth helping fund the bombing of children in Afghanistan in order to help save children in Mozambique.) But instead of living in a cave, I could go to Africa and volunteer my time. Of course, if I do that there are a thousand other things I’m not doing. How can I decide which action I take will save the most lives? Even if I take the time to figuring out, that’s time I’m spending on myself instead of saving lives. It seems impossible to be moral. Not only does everything I do cause great harm, but so does everything I don’t do. Standard accounts of morality assume that it’s difficult, but attainable: don’t lie, don’t cheat, don’t steal. But it seems like living a moral life isn’t even possible. But if morality is unattainable, surely I should simply do the best I can. (Ought implies can, after all.) Peter Singer is a good utilitarian, so perhaps I should try to maximize the good I do for the world. But even this seems like an incredibly onerous standard. I should not just stop eating meat, but animal products altogether. I shouldn’t just stop buying factory-farmed food, I should stop buying altogether. I should take things out of dumpsters other people are unlikely to be searching. I should live someplace where others won’t be disturbed. Of course all this worrying and stress is preventing me from doing any good in the world. I can hardly take a step without thinking about who it hurts. So I decide not to worry about the bad I might be doing and just focus on doing good — screw the rules. But this doesn’t just apply to the rules inspired by Peter Singer. Waiting in line at the checkout counter is keeping me from my life-saving work (and paying will cost me life-saving money) — better just to shoplift. Lying, cheating, any crime can be similarly justified. It seems paradoxical: in my quest to do good I’ve justified doing all sorts of bad. Nobody questioned me when I went out and ordered a juicy steak, but when I shoplift soda everyone recoils. Is there sense in following their rules or are they just another example of the world’s pervasive immorality? Have any philosophers considered this question?
      
      R.I.P Aaron Swartz
      
      Hacked by grand wizard of Lulzsec, Sabu
      
      GOD BLESS AMERICA
      
      DOWN WITH ANONYMOUS
      
      reddit sucks, k hacked by aush0k and tibitximer
    

Screenshot, too: <http://i.imgur.com/TCRteRw.png>

~~~
haberman
I don't know hacker culture, but would Sabu really do this and use his own
name after his true identity has been revealed and turned informant?

<http://en.wikipedia.org/wiki/Sabu_(hacktivist)>

Seems like it would jeopardize whatever arrangement he had with the feds.

~~~
ewillbefull
Of course it's not actually hacked by Sabu, the entire message is sarcastic.

------
mikhael
The site that usually shows which MIT services are down/unavailable has
evidently been hacked, too:

<http://3down.mit.edu/>

------
viseztrance
Google fonts, html5 doctype, oh my, times have changed.

------
mkuhn
And the page is down. I currently only get a Cloudflare error page.

------
zaidf
So the cops are going to bust whoever did this.

And MIT will scream "NO, let them go!" hoping to make up for what they didn't
do with Swartz.

Except they'll just be showing to the world that they still don't get it.

------
frdgr
Website is back up (for how long?). Registrar information is still erroneous
tho.

~~~
ryancl
Registrar shows nameservers as the compromised ones still, so I guess that's
just on your end.

------
hnriot
how completely childish.

~~~
kordless
I have a 10 year old daughter who is quite childish at times and other times
she's brilliant. Still, the immaturity is expected. She's a kid!

This was expected as well. MIT had their part to play in it.

~~~
hnriot
I'm sure she is, to you. But this wasn't done by a 10 year old, and using your
daughter as a metaphor is completely inaccurate and irrelevant.

It was a stupid, childish stunt designed to show off. This does nothing to
change anything. MIT's involvement is unchallenged, all this does is
inconvenience MIT students and makes the person/people responsible for the
hack look childish and callous for using Aaron's tragedy to garner publicity
and stroke their ego.

If the hacking community really wants to get behind this MIT bashing, how
about we all boycott any software under MIT license for a while?? It's easy
defacing a website, but I bet nobody is willing to give up their MIT software.

It also further tarnishes the "hacker" image as a bunch of pimply teenage boys
trying to wave their disco sticks around in the only way they know how.

It's just plain embarrassing.

------
malu99
wasn't Sabu working for the government? and the most affected pages were the
MIT opensourceware, libraries and iniciatives, concidence?

------
wgrover
Also plays "The Star Spangled Banner"...

~~~
mkuhn
And the page title has a "Hackers" reference:
<http://www.youtube.com/watch?v=21lUsGr6YMQ>

------
ultimoo
It's back now.

------
rrredr09
aush0k is back??

------
rellik
it's back up

------
paulhauggis
This is how children react (which is what I think of lulzsec).

~~~
neumann_alfred
To me this is just graffiti. Yeah it's vandalism, that's the point, and I'm
not sure if I wanted to live in a world completely devoid of it.

 _"Every normal man must be tempted at times to spit on his hands, hoist the
black flag, and begin to slit throats."_ \- H. L. Mencken

Men slit throats, door posts do nothing, children paint and sing. Count me in
with the children.

~~~
sigzero
There is no correlation between this and graffiti. Graffiti does not prevent
you from using service. This is criminal vandalism.

~~~
neumann_alfred
Graffiti prevents you from looking at the bleak, clean surface. And this has
already been cleared up, while graffiti often requires more then a few
keystrokes. Graffiti can really destroy surfaces, and they will never be as
before. Then there's tagging, which is just the equivalent of dogs peeing
everywhere; as opposed to people actually trying to make a statement... to the
law that distinction doesn't even exist, to me it does, and it does make a
difference.

 _This is criminal vandalism_

Graffiti isn't exactly lawful, so that's quite redundant? Unless of course you
wanted to stress that your outrage is completely guided by "is it lawful", as
opposed to, say, "is it good".

Oh, and unless you're a student of MIT, or _anyone_ who was actually
inconvenienced by this, or at least know someone who was, I really wonder
where this is coming from, and where it's supposed to go. I mean sure, by all
means criminally persecute a bunch of "children", that surely must be the
ticket, that's the lesson here. Lock them away!

