

LulzSec versus FBI (We Challenge You, NATO) - hornokplease
http://pastebin.com/MQG0a130

======
rdtsc
> Karim, a member of an FBI-related website, was willing to give us money and
> inside info in order to destroy his opponents in the whitehat world.

It is worth highlighting that there is a whole ecosystem of bottom feeders in
the world of government contracted 'whitehat hackers' & 'consultants'. They
know as much about security as one can pick from 'Hacking Exposed IV' kind of
book from your local book store. Some of them are just fakes who just have the
right connection within the agencies (many are just ex-employees, friends of
friends, college buddies and cousins). Then they need to know how to navigate
the red tape of proposals and bids. So this all amounts to a lot of waste,
stupidity (at best) and down-right maliciousness (at worst). We saw some of
this with HBGary and this Karim guy, and this is just the tip of the iceberg.

If you have the right connections and know how to handle the red-tape (you
might have to hire a full-time professional for it), you can make quite a bit
of money bullshitting the govt and selling them crap.

~~~
plainOldText
This is one of the reasons I don't want the government to increase the control
over the internet. We sometimes get the illusion that it's all pure and
butterflies, when in fact even whitehats/government agencies conduct illegal
activities on the web abusing their powers. Better leave it to the people; we
can handle it just the way it is.

~~~
knowtheory
yeah but the fundamental problem here is not whether the government is doing
something or not. The issue is transparency and accountability.

There are corporate entities who are wasting their money on nepotism, graft,
and efforts that are doomed to fail in the "planning" stages too. The
difference is that the way that consumers pay for it is hidden in the cost of
whatever products the company produces.

We can make government behavior suck less if we actually provide better
transparency and metrics for success.

~~~
pemulis
But private companies are constrained by the need to turn a profit and
outmaneuver their competitors. Governments aren't. To keep them from being
wasteful, people have to watch them closely and make a big fuss when something
is wrong, trying to get enough people to care. That's difficult, time-
consuming, often demoralizing work.

~~~
knowtheory
that's just not true. There are many stable oligopolies which can either
resist, tamp down on, or co-opt new upstarts and maintain a status quo for
themselves.

And there are people who have to do the same difficult, time-consuming and
demoralizing work acting as gadflies against the egregious abuses of multi-
national corporations.

And the notion that Governments don't compete is always either false or double
speak. It either is the case that governments compete with the private sector
(e.g. government backed plans for health insurance can operate more cost
efficiently than the private sector, so they're a problem), or they don't (as
you've just claimed).

And there are opportunities where people have successfully competed against
governments as well. Governments collect mapping data and you can pay for
access to that content. And yet there are _tons_ of mapping companies out in
the world, many of whom have better services and capabilities.

Lastly, for people who might wish to claim that government can wield undue
influence over free markets when they get involved in industry, nothing has
stopped them from getting involved in industries they're _not_ directly
involved in. The federal laws banning online poker are a great example.

Industry lobbying is such a powerful and distorting force, again enabled by a
lack of transparency, that it seems laughable to be worried about undue
government influence.

~~~
uriel
> There are many stable oligopolies which can either resist, tamp down on, or
> co-opt new upstarts and maintain a status quo for themselves.

Can you please point out some of this many oligopolies that somehow force me
to do business with them? I can not buy from pretty much anyone I don't like,
if I avoid paying taxes I will probably end up in jail.

~~~
knowtheory
That's a red herring.

Your participation in government and society is still contingent. If you don't
want to pay taxes, go become a monk and take a vow of poverty (yeah you will
still have to file returns, but whatever).

If you participate in society, you are going to have to pay taxes. Just the
same way that if you want to get access to the internet, you will have to pay
a company like comcast.

And, when it comes down to it, the oil and automobile companies, as a
practical matter, have done a pretty good job of ensuring that Americans have
to have cars, and have to pay for gas in order to live in society. That is for
all intents and purposes the same thing.

~~~
arvinjoar
From your logic I can only draw the conclusion that government owns society.
You may believe that it is so, and that it's even rightfully so. I choose to
disagree. I was born free, and the soil that I was born on can in no way be
owned by the government. The government never homesteaded it. Since the
government can't have greater powers than those of individuals who choose to
delegate their powers to the government some individual has to have
homesteaded the soil and explicitly signed it away to the government. Of
course, this never happened, we all know how our governments came to claim
sovereignty over huge land areas. I say that might does not necessarily make
right, I say you own what you mix your labor with. Although government claims
to be the highest authority and backs that up with the threat of violence, you
can't assume that their claim is rightful.

------
Mithrandir
Here's the IRC log: <http://pastebay.com/125179>

and a phone conversation:
[http://lulzsecurity.com/releases/Unveillance_Secret_Conferen...](http://lulzsecurity.com/releases/Unveillance_Secret_Conference.mp3)

Very interesting conversations.

They also had a "warmup" with the Nintendo servers:
<http://pastebay.com/125180>

The emails consist of LinkedIn confirmations and "secret data" (PowerPoints w/
PDFs) about various smallish tech/data companies.

Sample PDFs in case anyone is interested:

 _Apptap_ (formerly Mplayit):
[http://www.2shared.com/document/1Q_QkBxY/apptap-
execsummary_...](http://www.2shared.com/document/1Q_QkBxY/apptap-
execsummary_final_22nov.html)

 _BlackRridge Technology_ :
[http://www.2shared.com/document/csuHua1e/Blackbridge_Investo...](http://www.2shared.com/document/csuHua1e/Blackbridge_Investor_Deck_-_11.html)

 _CloudFusion Cconnect_ Business Plan:
[http://www.2shared.com/document/yi6bYjDC/cConnect_Business_P...](http://www.2shared.com/document/yi6bYjDC/cConnect_Business_Plan_-
_Prese.html)

 _Gatekeeper Security_ Investor Presentation:
[http://www.2shared.com/document/Ec3FaP0p/Gatekeeper_Investor...](http://www.2shared.com/document/Ec3FaP0p/Gatekeeper_Investor_Presentati.html)

 _videoNEXT Network Solutions Inc._ Corporate Qualifications and Capabilities:
[http://www.2shared.com/document/9OSbAgDM/videoNEXT_Investor_...](http://www.2shared.com/document/9OSbAgDM/videoNEXT_Investor_Briefing_2-.html)

~~~
Mithrandir
Two more interesting PDFs:

 _DHS Proposal/Comprehensive Understanding of Malicious Overlay Networks_ :
[http://www.2shared.com/document/5tCGtYKK/Lee_DHS1102_TTA6.ht...](http://www.2shared.com/document/5tCGtYKK/Lee_DHS1102_TTA6.html)

 _Unveillance Federal Report_ :
[http://www.2shared.com/document/7SJljKpc/Unveillance_-
_Fed_1...](http://www.2shared.com/document/7SJljKpc/Unveillance_-
_Fed_10-2-10.html)

------
comex
On a tangent-- the PBS NewsHour's bemused reaction to LulzSec hacking them
(which they discussed in a segment on hacking) is the best I've ever seen an
organization take something like that. The FBI is a much worthier target.

~~~
dmix
The video: <http://www.youtube.com/watch?v=qrH92TjV4ZM>

------
sbierwagen
Mirror of the smaller file, (17 KiB) for when mediafire takes it down:

<http://bbot.org/Fuck%20FBI%20Friday%20(FFF).rar>

The IRC log is _really_ damaging... assuming, of course, that Lulzsec hasn't
embellished it.

EDIT: The archive is actually a ZIP file, with a RAR extension, which makes
some decompressors unhappy. A copy with the correct extension:

<http://bbot.org/fff.zip>

~~~
redthrowaway
I'm getting a corrupted archive error... is there a password?

~~~
sbierwagen
I didn't add one, so nope.

I just downloaded it again from myself and the new copy worked fine.

EDIT: Lulzsec created a ZIP file, but changed the file extension to RAR. Doh
ho ho, those wacky guys. Your unrar tool is apparently more fragile than
WinRAR, which decompressed it without even throwing an error.

Since I want to preserve the filename, I made a copy:

<http://bbot.org/fff.zip>

~~~
redthrowaway
Thanks, I appreciate it. UnRarX does appear to be fragile.

------
dublinclontarf
Kind of funny that they have a bitcoin donation address, and have recieved
about $300USD worth of donations already.

------
woodall
When, or if, any LulzSec member get caught. Well, I don't want to think about
it.

It's also interesting that they are using BitCoin. Say they try to cash out a
block chain donated/given to them that was mined by a known IP; honeypot. Then
whom ever sits in wait and watches the log waiting for that chain to get
cashed out via a fiat exchange. Records are subpoenaed and it is determined
who cashed out that block at what IP/PayPal/ect? I don't know if thats
possible so don't trust me.

~~~
saulrh
IP is probably useless; these people know what they're doing, and Tor,
proxies, and public wifi plus a cantenna can make you pretty anonymous.

As for the bitcoins themselves, I believe that they'd be instantly anonymized
by putting them through one or more bitcoin transaction before they reach real
life. The FBI would have a very, very difficult time following the real-life
"oh, I got them from person X" tree back to lulzsec, especially if lulzsec
transactioned the bitcoins to the right person the first time around.

~~~
MostAwesomeDude
Additionally, people can always create new wallet IDs and self-launder the
money, assuming they aren't using the Bitcoin Laundry
(<http://bitcoinlaundry.com/>) to do it for them.

~~~
woodall
That is interesting, but the trail is still there; i.e. the block chain we are
following as it never changes. It's not the transferring them from BC wallet
to BC wallet that I'm worried about, but the cashing out for fiat.

~~~
Vitaly
no its not. you put your 'marked' 100$ in the laundry service and you get 100$
that came from some random dude. Assuming the laundry service doesn't keep
logs (very big assumption though) the money that came through such a service
can't be used to identify anyone

~~~
woodall
Logs are critical for this tracing to work, without them the trail ends. I was
looking over Bitcoin Faucet and it does appear that, at least, they log all ip
address. Then I made my way to <http://blockexplorer.com> and was able to
trace all those block.

In the end, BitCoin is only as anonymous as you make it.

<https://freebitcoins.appspot.com/recent_sends>

------
derrida
Lulzsec.com registered at Dreamhost (check whois). Stupid mistake? Diversion?
Domain squatters?

------
TheAmazingIdiot
Ok. The internet is getting interesting.

We have Julian Assange leaking secrets from nearly every country and major
organisation. National governments are toppling left and right, with the
internet as the tool to gather and convene. We have Anonymous who generally
wreaks havoc on whomever pokes that hornets nest. We have Chinese hackers (or
hackers using Chinese servers) that are whittling away on European and US
servers. And we now have LulzSec hacking and publicly insulting the FBI.

What a weird world we live in.

~~~
noibl
We should civilize this internet thing before life gets any weirder.

Nah:

1\. Not so much 'leaking' as 'hoarding'... the dripfeed of leaks is mainly
from the single cables dump (a non-renewable resource). Nearly every major
organisation? I don't think so.

2\. I'm guessing you mean Egypt, where the military has indeed appointed a new
cabinet. Not sure that counts as 'toppling' but we'll see, come September.
That accounts for the 'right', who's left?

3\. Yes we have an organised collective of vigilante hckers exposing the
hypocrisy and corruption of other hckers, much as has always been done. Two
differences now: (a) national governments have started outsourcing to the
second group more and also hyping the word 'cyber', leading to (b) the public
has started to become mildly amused by these skirmishes.

4\. Interesting configuration of actors there. For those in Europe or America,
the interesting part of alleged Chinese hacking is the unwanted free transfer
of lucrative IP, which is to say trade secrets. But the US government already
has behind-the-scenes access to a vast amount of global internet traffic so
any large scale spying effort on its part wouldn't need to be so overt as
would that of, say, China. And China is certainly not alone in facing these
allegations.[1]

5\. Aaand back to 3.

[1] [http://www.dbune.com/news/business/3370-france-accused-of-
be...](http://www.dbune.com/news/business/3370-france-accused-of-being-
europes-worst-industrial-spy.html)

~~~
redthrowaway
2\. Don't forget Tunisia, whose revolution was sparked at least in part by the
revelations about Ben Ali in the State Dept cables, or the swing in election
results in Kenya back in the stone ages from one of WikiLeaks' first releases,
or the "Twitter Revolutions" (overblown though that title may be) throughout
the rest of the middle east...

4\. The NSA has taps on the major telecom hubs, and is actively sorting
through reams of data to gather intelligence. I can't find the links right
now, but the story was on HN about the project's creator and his misgivings
about how it was eventually used. Yeah, China's bad, but just wait until the
US finds itself toppled from economic primacy and see what information they
start pulling out then.

~~~
kmfrk
I really dread what is going to happen, by the time Anonymous or someone else
start setting their sights in Israel/Palestine. It can only be a matter of
time before it happens.

~~~
redthrowaway
Dread it how? What outcome do you fear?

~~~
pbjorklund
Well, thats a hornest nests with some bad queen bees armed with more dangerous
stuff than stingers.

------
chrisjsmith
This is hilarious.

The main important point is that it makes a mockery of the security snake-oil
salesmen and the government sponsored investigation agencies.

It also demonstrates that legislation is powerless over the internet
(something I think everyone quietly realises but doesn't want to admit).
They've let the cat out of the bag and now it won't go back in.

The Internet is an uncontrollable, resiliant, self-aware monster with a good
self-preservation instinct. It's fighting back against those who wish to
control it.

~~~
weego
I'm not sure it really proves any of those things at all, but it does prove
that no matter how good you are at something, chances are you will come across
someone better than you at some point in your life.

When you thing is security and the other person is feeling malicious I guess
it can be an ugly outcome.

~~~
chrisjsmith
It's not about being quantifiably better - it's about perception. Security is
wholly percieved. It doesn't actually exist.

~~~
joe24pack
okay, I'll bite, would you care to explain how security does not exist?

~~~
wnight
Secure vs who? With what budget? Are you content with achieving 'security' by
shredding the server or do you plan to hook it up to a network?

~~~
joe24pack
So security is relative compared to a threat. That's a assumption that any
thoughtful person can make. Yes, the resources available to you will greatly
affect your ability to achieve a particular level of security. Just because
you connect your server to a network does not mean that the security of your
server disappears. Whatever level of security you've managed to achieve is
still there. It just may be that the attackers you face are able to overcome
your security measures.

If by security one means absolute security against all threats present and
future, then yes security is not only illusory but also meaningless.

~~~
wnight
So you do a lot of work and achieve what you might call "near-perfect real-
world security" and are not hacked, are you secure?

When you later find out you were vulnerable. Were you secure?

Does knowing that an undetectable root-kit could have been installed during
this time, change your perception of the state of your current security?

Would it matter if the newly-released insecurity was a one-in-a-billion thing?

For instance when's the last time you actually took measures to guard against
a trojaned compiler?

If you did get hacked because of a one-in-a-billion thing which nobody could
have predicted did it happen because you weren't secure or did it happen
despite your security? It's a subtle difference in perceptions.

Does your perception of your security level change if you realize the crooked
CEO conspired with the security consultant to arrange a back door and that the
one-in-a-billion thing was a virtual certainty?

It goes deeper than simply being all relative, you always make some
assumptions - even incredibly large ones. Even a tiny mistake can totally
scupper system robustness. In crypto and security a system is often weaker
than its weakest link and that includes designer assumptions, operator errors,
and customer specifications as well as expected issues such as programming
errors. Speaking of security as a thing that can be achieved is mostly wrong
and confuses many.

------
shareme
Lets see :

1\. Wiretaps 2\. Taping Telecoms 3\. Taping satellites

and yet that still does not educate the FBI, CIA, NSA into having better
computer specialists? That is the disadvantage of relying upon political back
deals to do real work in that you get an illusion rather than reality.

Note, US military for years has been advocating taking service men and women
and retraining them for a counter computer security role to replace the
independent whitehats.

Would it be too much to assume that the profits might be great enough at risk
that some whitehats might be involved with this LulzSec effort?

~~~
woodall
>Note, US military for years has been advocating taking service men and women
and retraining them for a counter computer security role to replace the
independent whitehats.

That is already an MOS.

------
marcamillion
Holy Crap! Yes, these guys have done it now.

Goodbye anonymous internet - as we know it today.

As much as I love freedom of speech and 'David' taking on 'Goliath' as the
next guy, this is seriously bordering on Terrorism. This seems so unprovoked.

All this is doing is challenging the government to regulate the internet. This
does nobody any good.

Now it seems Anon has gone too far, and has crossed over into 'psycho'
territory. Once you start attacking the state, there is no coming back from
that.

I am sorry, but this isn't a war that Anonymous can win.

~~~
paganel
> This seems so unprovoked.

Constant citizens' surveillance and infringing of their rights by "righteous"
Governments is also unprovoked.

~~~
deepinit
Exactly:). And in my mind criminals are those that plot killings, and break
basic constitutional right( haha - and citizens let them... In fact they are
by mean of real democracy not an citizens but idiots->
<http://en.wikipedia.org/wiki/Idiot_(Athenian_democracy)> ).

------
xdef
This is a huge challenge for the FBI and it will be interesting to see how
they handle and crack this case. I do hope they can find these bastards and
put them behind bars for a very long time indeed.

The FBI should start with the a court order and to get the domain registrar to
reveal the identity of the person/organization, that registered the domain
name lulzsecurity.com which happens to be registered in the Bahamas and can be
viewed at : (<http://whois.domaintools.com/lulzsecurity.com>) as

    
    
        c/o lulzsecurity.com
        N4892 Nassau
        Bahamas 

Tel: +852.81720004

Of course, most likely they used an alias/fake identity. But the hackers had
to have left a financial trail when they purchased and registered that domain
name, or that phone number, PO Box.

~~~
Flam
Not if they were smart.

~~~
xdef
Probably too smart for their own good - all super-smart criminals make the
fatal mistake of assuming that others are too dumb to catch them. They also do
not have access to the combined resources of the NSA, FBI, CIA.

~~~
div
Do you have experience dealing with super-smart criminals other than noticing
how they are generally portrayed in movies / tv ?

~~~
olalonde
The thing about super-smart criminals is that you don't hear about them ;)

~~~
deepinit
Or they are called defenders of freedom;]

