
LulzSec Exposed - Garbage
http://seclists.org/fulldisclosure/2011/Jun/75
======
scythe
Only two things are infinite: the universe, and script kiddies, and I'm not
sure about the former.

There will always be another garishly-named group willing to sql-inject and
xss the low-hanging fruit.

~~~
omouse
Sony isn't low-hanging fruit.

~~~
weavejester
Given that a lot of their sites have been broken into with relatively
unsophisticated means, such as SQL injection, I think that many Sony sites are
certainly in the "low-hanging fruit" category.

~~~
Apocryphon
Maybe in terms of vulnerability, but certainly not in terms of importance.

~~~
chromic
Low-hanging fruit simply means "reward" for little effort. The low-hanging
fruit may very well be the biggest, sweetest of the bunch.

------
aw3c2
Are they? Or is this just some random guy who wants to get other random guy(s)
in deep trouble?

edit: Indeed, following the thread reveals
<http://seclists.org/fulldisclosure/2011/Jun/88> ->
<http://pastebin.com/mmvBT7n5> The root entry dated May 13.

~~~
msc
<http://twitter.com/#!/LulzSec/status/77782030020128768>

------
newobj
I'm glad they were doing it for the lulz. Some day someone's going to be doing
it, not for the lulz, and the price we'll have to pay for this kind of massive
developer/it-sec incompetence will be extremely high. Hopefully this has
served as a wake-up call to people who weren't already aware how low the fruit
has been hanging.

~~~
chrislomax
You say you are glad they were doing it for fun and wait for someone to do it
not for fun? How do you know it's not already been done? A true hacker
wouldn't expose their actions and would continue with the exploit.

I think these kids have exposed the true lack of security around the world in
general and it has raised some serious attention for other people to take a
look at their own defence, which is good in some respects.

What they have also successfully done is lowered people's trust in massive
corporations which in turn is going to hurt the economy globally, which is not
good in any respect.

I think they should have hacked it then made the companies aware, not the
whole world. It's hard enough getting someone to trust and pay for services
from a company when they think they are safe, they really won't when there is
no trust there at all.

~~~
atourgates
Am I misinterpreting your comment?

You said, the hackers "lowered people's trust in massive corporations [...]
which is not good in any respect."

It seems pretty clear to me that Sony is most decidedly not deserving of
consumer's trust - and without these public disclosures, we would have never
known that.

Certainly - as I learned in the Gawker security breach - it sucks to have your
login details broadcasted to the rest of the internets. But, after a few hours
resetting passwords across the internet, I was good to go. I expect the
affected consumers in this case will have a similar experience.

And, that experience is a far better one than having your data stolen by a
more malicious group of hackers, who use it for far more damaging means,
without your knowledge.

So, I don't believe that this group of hackers are any kind of heroic. But
even if their motivation is suspect, I do believe they're performing a type of
public service. Teaching us all that it's the height of ludicrous to hand over
your sensitive data to Sony, and expect them to keep it reasonably secure from
basic script-kiddie tactics.

~~~
chrislomax
No, they might not be deserving of customers' trust but that doesn't mean that
throwing egg on their face is helping the situation any. If the hackers were
doing it for the good of the community then it's counter productive. They
should have informed Sony of the issue. They are kids who do not understand
what effect the situation has on the economic climate.

Also, defacing the other music sites does nothing more than raise the profile
of their hacking "skills".

As I mentioned, yes they are making people aware that there are security
issues that companies need to iron out and Sony are having some serious bad
media recently but who is this really helping? It's not helping the market and
it's not helping consumers?

You and I both know that they should not be storing stuff plain text or with
some bad security practice and we understand what it takes to make it right
but to the common person they are instantly put off all places where they have
to put card details. The overall perception of the web is stepping back 15
years in the eyes of the general consumer, soon people will be afraid to put
their details anywhere.

I agree completely with what you are saying but that's from my point of view,
I'm thinking general consumer confidence.

~~~
wnight
> No, they might not be deserving of customers' trust but that doesn't mean
> that throwing egg on their face is helping the situation any.

But not throwing egg on their face was helping less. As long as security bugs
are mostly invisible they don't get fixed.

> They should have informed Sony of the issue.

If Sony needed to be told to lock their doors it's only because they didn't
care. (At least in 2011. It might have been different in 1997...)

> It's not helping the market and it's not helping consumers?

In the end, it helps the market and the consumers. If companies get away with
broken security that penalizes, by comparison, other companies who spend more
to develop a secure product, or who produce a less ambitious product because
they know it's all that can be done securely.

Customers win because they get a more realistic view of what they're buying.

> You and I both know that they should not be storing stuff plain text or with
> some bad security practice and we understand what it takes to make it right
> but to the common person they are instantly put off all places where they
> have to put card details. The overall perception of the web is stepping back
> 15 years in the eyes of the general consumer, soon people will be afraid to
> put their details anywhere.

As they should be. You can see how well protected everything isn't.

> I agree completely with what you are saying but that's from my point of
> view, I'm thinking general consumer confidence.

Confidence through ignorance doesn't seem like a gift.

------
gbrindisi
Maybe not.

As reported here some logs are old:
<http://seclists.org/fulldisclosure/2011/Jun/88>

    http://pastebin.com/mmvBT7n5 (May 13th, 2011)
    boards.808chan.org/fail/res/263.html (2010)

------
getsat
<http://pastebin.com/yut4P6qN>

Guess this was a joke/defamation attempt after all.

~~~
invalidOrTaken
And looks like it backfired:

"Someone just sent over $7200 worth of BitCoins. Whoever you are... thank
you... Balance: 7853.35 USD #Speechless"

<http://twitter.com/#!/LulzSec>

------
philthy
Not surprising since they are just a bunch of weekend warriors and kids. Any
real smooth operator wouldn't be working out of his house, and especially not
on a personal browsing machine. From the opposite perspective of that, the
government hasn't seen diddly when it comes to digital terrorism. Just wait
until the FBI can't track down the culprits from their broadband bill and
drive over to their parents' house and make the arrest...

~~~
Bud
Uh, when will that be?

From what I observe, it just keeps getting progressively easier for the FBI to
do that. Not harder.

~~~
JonnieCache
I would imagine the professionals are using other people's cracked wifi
networks, then routing through tor or a similar onion routing system,
eventually hitting a VPN endpoint on some anonymous-hosting account in russia,
etc etc.

The truly paranoid might like to rent a botnet and build their own tor network
on top of it or something like that.

In short: the fundamental nature of TCP/IP is such that if you are
sufficiently motivated, and don't mind horrible latency, even the FBI/tptacek
can't identify you.

~~~
tptacek
I'm thrilled to report that it isn't my business _at all_ to track down people
on the Internet, and so I am not a good standard for what is and isn't
feasible vis a vis IP traceability.

We break apps and build products and that is just about it. (We've also never
done business, to my knowledge, with the government.)

------
TheloniusPhunk
Not surprised. Hacking Sony is one thing. Hack the FBI and you end up in a
dark room somewhere. I almost feel bad for these kids, if they are indeed
kids.

~~~
redthrowaway
This wasn't the FBI, it was some other hacker who was pissed at him. The
screenshots [1] show that quite clearly. That guy likely just turned xyz over
to the feds after doxing him (and rooting him, and taking over most of his
online accounts)

[1]

~~~
peterwwillis
What's _really_ funny is that going after an official FBI site would have
gotten less of a backlash from real hackers. Attacking Infragard is like
slapping a bunch of hackers (white-hat and black) in the face, so they're
going to be a lot more motivated to expose the perpetrators. It's all pretty
silly.

------
grimen
Wow, I would def not consider myself a security expert but I seriously have
higher standards than this when it comes to security. Most obvious fails on
this dude: 1) Windows, 2) Gmail (if I would be a hacker I would not use this
for obvious reasons), 3) specifying any personal credentials in my "hacker"
account, 4) same username (...I would not use same user-id). I mean, c'mon...I
had higher expectations on these guys really (considering I'm not into those
kind of networks - call me a hacker noob). Let's hope the other guys were more
paranoid than this.

Btw, what will be the jail-sentence in US for this you think? Let's hope he's
a minor - looks like a teenager.

------
saulrh
They seem to be still tweeting new cracks. Wonder how long it'll take them to
realize that they're being arrested by the FBI.

(edit: seriously, though, something seems just a bit off here.)

~~~
lwat
The kid that got busted by the FBI was not actually a lulzsec member, he was
just hanging around the lulzsec public IRC channels.

Lulzsec response here: <http://pastebin.com/yut4P6qN>

------
dmix
The kid who apparently got caught was using Windows.

<http://89.248.164.63/dox/xyz/3.png>

~~~
christoph
Browsing around that site, there seems to be a lot of information... much of
which i'm guessing probably shouldn't be on a public website?

~~~
JonnieCache
That site _is_ a cache of items which shouldn't really be public. That's what
the term 'dox' in the url means: (sensitive) documents.

------
jackie_singh
I was on ED IRC #lulzsec when they accused me of being a spy for the military.
I laughed.

------
derrida
Last I checked they were alive and well. As for them supposedly being
Amateurs, no... no they are not. The attacks they are pulling they could get
away with if they kept the secret. But something is motivating them.

------
Apocryphon
Seeing as how Anon has moved up to hacktivism against third world
dictatorships and other government agencies, I wonder if LulzSec is a splinter
group.

------
bromagosa
Are you serious? Hackers using windows? :'(

~~~
jff
Almost: script kiddies using Windows. It helps the script distributors, by
making it easier to target the script kiddies with embedded botnet software :)

------
bxr
So they got exposed because they were acting like a bunch of children and
taking no precautions?

Man, if people who don't know what they're doing are this successful, imagine
what it means about people who are. And how any laws we make about computer
security are just security theater.

~~~
willidiots
When you talk about IT security with people with real secrets (governments),
they talk about LulzSec-types being the "lowest risk" category of attackers.

The mid-risk category are the real professionals; they leave no trace, you
never hear about them, you never know they were on your system, they just take
your data and sell it.

The highest-risk category is true information warfare, targeted attacks by
other governments and large entities. As the previous replier said, just look
at Stuxnet. You don't have to be a government for this to be a real threat.
Imagine if Nintendo had compromised Sony's servers, and somehow loaded corrupt
firmware onto the Playstation update system...

These threats are real and constant, and anyone with sensitive data needs to
be aware of them. Simply firing up iptables and disabling root SSH isn't
sufficient - you need to be aware of the intricacies of your system on a day-
to-day basis.

~~~
JonnieCache
To be honest, if your opponent has a couple of million dollars or more to
spend on hacking you, and you aren't willing to expend several multiples of
that on defence, you should probably give up on the convenience of having your
secret data on the internet and just have it encrypted on HDDs surrounded by
handpicked armed guards who owe you a blood debt.

Computers and especially networks are just fundamentally insecure for the
purposes of high-value information.

This is the same reason why internet voting will never be a good idea.

~~~
jsmcgd
check this out:
<http://www.ted.com/talks/david_bismark_e_voting_without_fraud.html>

~~~
JonnieCache
I'll see your 7 minutes of TED and raise you 60 minutes of Google TechTalks!

<http://www.youtube.com/watch?v=_GjmRwfkRXY>

Electronic and Internet Voting (The Threat of Internet Voting in Public
Elections)

It goes into all sorts of electoral fraud, the finer points of designing
elections from a hacker perspective, the diebold hacks, and that awful rails
app that those students (?) wrote in the hopes of using it in some US local
elections a while back.

In brief, that system isn't safe because someone can obtain your receipt and
therefore your voting rights from you by coercion/incentives. Votes should
never be verifiable, because then they can be bought. Vote receipts would be
pretty valuable...

~~~
anonymoushn
They are already verifiable. You provide the seller with an absentee ballot,
he or she fills it out, and then you exchange the completed ballot for the
beer/cash/delicious pie.

~~~
JonnieCache
True, but a crucial difference is that the cryptvoting allows verification
after the fact, while absentee ballots must be verified in the window between
the ballots being sent out and polling day.

------
leon_
what am I reading? anyone care to translate that?

~~~
younata
Sure!

starts off with <Topiary> telling everyone to get off this network, ED IRC (it
could be a server in their own network, but if that were the case their
network would already be breached)

<pwnsauce> calls for a new operation (similar to how anon has various
operations).

Then <Topiary> admits to hiring a botnet to help them.

<joepie91> chimes in, talking about an irc server exploit is basically killing
his computer.

<storm> asks for an exploit, <lol> says he has it, but is scared to get it out
and give it to him (meaning that, for all his "security knowledge" he still
managed to get viruses on his stuff).

About half an hour later, <Topiary> insults a few people they want to crack,
and mentions an apache 0 day exploit. The rest is them asserting their
masculinity, and a mention of the gawker root.

oh, and then a message saying one of the guys is in FBI custody, but I assume
that's not part of what you wanted translated.

~~~
burke
ED almost certainly refers to <http://encyclopediadramatica.ch/Get_On_IRC_Fgt>
(usually semi-NSFW)

~~~
18pfsmt
Thanks. This train wreck caught my eye this weekend and I can't, for the life
of me, identify with these people. I am ambivalent about lulzsec's actions,
but I understand both sides' issues. Not sure what to make of it, and I am
trying to ignore it (simply failing).

------
shareme
whoops I guess you really are not anonymous on the internet after all

~~~
weavejester
It looks like they were just connecting to a private IRC server directly from
their own machines. It is possible to remain reasonably anonymous online, but
only if you take certain precautions.

~~~
rbanffy
But only as much as the other side doesn't take some even more extraordinary
measure to locate you.

------
jvandenbroeck
haha I think they pissed off the wrong people hacking FBI affiliates:p

Check this email, it's the USA looking to hack Libya's oil infrastructure:
<http://pastebin.com/Jf406RVs>

I didn't know war got that advanced:)

~~~
stef25
One of these companies' names is Treadstone71, straight from the Bourne
trilogy.

