LulzSec versus FBI (We Challenge You, NATO) (pastebin.com)
195 points by hornokplease on June 4, 2011 | 68 comments

> Karim, a member of an FBI-related website, was willing to give us money and inside info in order to destroy his opponents in the whitehat world.

It is worth highlighting that there is a whole ecosystem of bottom feeders in the world of government contracted 'whitehat hackers' & 'consultants'. They know as much about security as one can pick from 'Hacking Exposed IV' kind of book from your local book store. Some of them are just fakes who just have the right connection within the agencies (many are just ex-employees, friends of friends, college buddies and cousins). Then they need to know how to navigate the red tape of proposals and bids. So this all amounts to a lot of waste, stupidity (at best) and down-right maliciousness (at worst). We saw some of this with HBGary and this Karim guy, and this is just the tip of the iceberg.

If you have the right connections and know how to handle the red-tape (you might have to hire a full-time professional for it), you can make quite a bit of money bullshitting the govt and selling them crap.

This is one of the reasons I don't want the government to increase the control over the internet. We sometimes get the illusion that it's all pure and butterflies, when in fact even whitehats/government agencies conduct illegal activities on the web abusing their powers. Better leave it to the people; we can handle it just the way it is.

Yeah, but the fundamental problem here is not whether the government is doing something or not. The issue is transparency and accountability.

There are corporate entities who are wasting their money on nepotism, graft, and efforts that are doomed to fail in the "planning" stages too. The difference is that the way that consumers pay for it is hidden in the cost of whatever products the company produces.

We can make government behavior suck less if we actually provide better transparency and metrics for success.

But private companies are constrained by the need to turn a profit and outmaneuver their competitors. Governments aren't. To keep them from being wasteful, people have to watch them closely and make a big fuss when something is wrong, trying to get enough people to care. That's difficult, time-consuming, often demoralizing work.

That's just not true. There are many stable oligopolies which can either resist, tamp down on, or co-opt new upstarts and maintain a status quo for themselves.

And there are people who have to do the same difficult, time-consuming and demoralizing work acting as gadflies against the egregious abuses of multi-national corporations.

And the notion that Governments don't compete is always either false or double speak. It either is the case that governments compete with the private sector (e.g. government backed plans for health insurance can operate more cost efficiently than the private sector, so they're a problem), or they don't (as you've just claimed).

And there are opportunities where people have successfully competed against governments as well. Governments collect mapping data and you can pay for access to that content. And yet there are tons of mapping companies out in the world, many of whom have better services and capabilities.

Lastly, for people who might wish to claim that government can wield undue influence over free markets when they get involved in industry, nothing has stopped them from getting involved in industries they're not directly involved in. The federal laws banning online poker are a great example.

Industry lobbying is such a powerful and distorting force, again enabled by a lack of transparency, that it seems laughable to be worried about undue government influence.

> There are many stable oligopolies which can either resist, tamp down on, or co-opt new upstarts and maintain a status quo for themselves.

Can you please point out some of these many oligopolies that somehow force me to do business with them? I can not buy from pretty much anyone I don't like; if I avoid paying taxes I will probably end up in jail.

That's a red herring.

Your participation in government and society is still contingent. If you don't want to pay taxes, go become a monk and take a vow of poverty (yeah you will still have to file returns, but whatever).

If you participate in society, you are going to have to pay taxes. Just the same way that if you want to get access to the internet, you will have to pay a company like Comcast.

And, when it comes down to it, the oil and automobile companies, as a practical matter, have done a pretty good job of ensuring that Americans have to have cars, and have to pay for gas in order to live in society. That is for all intents and purposes the same thing.

From your logic I can only draw the conclusion that government owns society. You may believe that it is so, and that it's even rightfully so. I choose to disagree. I was born free, and the soil that I was born on can in no way be owned by the government. The government never homesteaded it. Since the government can't have greater powers than those of individuals who choose to delegate their powers to the government some individual has to have homesteaded the soil and explicitly signed it away to the government. Of course, this never happened, we all know how our governments came to claim sovereignty over huge land areas. I say that might does not necessarily make right, I say you own what you mix your labor with. Although government claims to be the highest authority and backs that up with the threat of violence, you can't assume that their claim is rightful.

The first step is an independent, free currency.

Does baby want his bottle? Quit crying kid and get a job.


Well he's already making money from taking down the gov and Sony websites.

I call them metasploit cowboys. It's the kind of consultant that fires up metasploit, generates some shitty pdf report and bills you $15k.

Here's the IRC log: http://pastebay.com/125179

and a phone conversation: http://lulzsecurity.com/releases/Unveillance_Secret_Conferen...

Very interesting conversations.

They also had a "warmup" with the Nintendo servers: http://pastebay.com/125180

The emails consist of LinkedIn confirmations and "secret data" (PowerPoints w/ PDFs) about various smallish tech/data companies.

Sample PDFs in case anyone is interested:

Apptap (formerly Mplayit): http://www.2shared.com/document/1Q_QkBxY/apptap-execsummary_...

BlackRidge Technology: http://www.2shared.com/document/csuHua1e/Blackbridge_Investo...

CloudFusion Cconnect Business Plan: http://www.2shared.com/document/yi6bYjDC/cConnect_Business_P...

Gatekeeper Security Investor Presentation: http://www.2shared.com/document/Ec3FaP0p/Gatekeeper_Investor...

videoNEXT Network Solutions Inc. Corporate Qualifications and Capabilities: http://www.2shared.com/document/9OSbAgDM/videoNEXT_Investor_...

Two more interesting PDFs:

DHS Proposal/Comprehensive Understanding of Malicious Overlay Networks: http://www.2shared.com/document/5tCGtYKK/Lee_DHS1102_TTA6.ht...

Unveillance Federal Report: http://www.2shared.com/document/7SJljKpc/Unveillance_-_Fed_1...

On a tangent-- the PBS NewsHour's bemused reaction to LulzSec hacking them (which they discussed in a segment on hacking) is the best I've ever seen an organization take something like that. The FBI is a much worthier target.

Mirror of the smaller file, (17 KiB) for when mediafire takes it down:


The IRC log is really damaging... assuming, of course, that Lulzsec hasn't embellished it.

EDIT: The archive is actually a ZIP file, with a RAR extension, which makes some decompressors unhappy. A copy with the correct extension:


I'm getting a corrupted archive error... is there a password?

I didn't add one, so nope.

I just downloaded it again from myself and the new copy worked fine.

EDIT: Lulzsec created a ZIP file, but changed the file extension to RAR. Doh ho ho, those wacky guys. Your unrar tool is apparently more fragile than WinRAR, which decompressed it without even throwing an error.

Since I want to preserve the filename, I made a copy:


Thanks, I appreciate it. UnRarX does appear to be fragile.
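An added example, not part of the thread: the ZIP-renamed-to-RAR confusion above can be caught by reading the container signature instead of trusting the extension. The file names and the in-memory sample archive are constructed for illustration, and the helper names are hypothetical.

```python
import io
import os
import zipfile

# Leading-byte signatures of common archive containers (longest match first).
SIGNATURES = [
    (b"Rar!\x1a\x07\x01\x00", "rar"),  # RAR 5.x
    (b"Rar!\x1a\x07\x00", "rar"),      # RAR 1.5 to 4.x
    (b"PK\x03\x04", "zip"),            # ZIP local file header
    (b"PK\x05\x06", "zip"),            # empty ZIP: end-of-central-directory only
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"\x1f\x8b", "gz"),
]

# Which container each file extension claims to be.
EXTENSION_FORMAT = {"zip": "zip", "rar": "rar", "7z": "7z", "gz": "gz", "tgz": "gz"}


def sniff_format(head):
    """Return the container format implied by the first bytes, or None."""
    for magic, fmt in SIGNATURES:
        if head.startswith(magic):
            return fmt
    return None


def check_archive(name, data):
    """Compare the format claimed by the extension with the one in the bytes."""
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    claimed = EXTENSION_FORMAT.get(ext)
    actual = sniff_format(data[:8])
    if actual is None:
        verdict = "unrecognized"
    elif claimed == actual:
        verdict = "ok"
    else:
        verdict = "mismatch"
    return {"name": name, "claimed": claimed, "actual": actual, "verdict": verdict}


def list_members(data):
    """List member names by content type, ignoring whatever the file was called."""
    if sniff_format(data[:8]) != "zip":
        raise ValueError("not a ZIP container; pick the tool matching the sniffed format")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def make_sample_zip():
    """Constructed sample: a small ZIP built in memory, standing in for the download."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("irc_log.txt", "constructed sample content\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = make_sample_zip()
    for name in ("release.rar", "release.zip"):  # constructed file names
        print(check_archive(name, sample))
    print(list_members(sample))
```

Tools that dispatch on the extension fail on such a file, while tools that sniff the signature open it without complaint, which matches the different behaviour of the two decompressors reported in the thread.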

Kind of funny that they have a bitcoin donation address, and have received about $300 USD worth of donations already.

When, or if, any LulzSec member gets caught. Well, I don't want to think about it.

It's also interesting that they are using BitCoin. Say they try to cash out a block chain donated/given to them that was mined by a known IP; honeypot. Then whoever sits in wait and watches the log waiting for that chain to get cashed out via a fiat exchange. Records are subpoenaed and it is determined who cashed out that block at what IP/PayPal/etc.? I don't know if that's possible so don't trust me.

IP is probably useless; these people know what they're doing, and Tor, proxies, and public wifi plus a cantenna can make you pretty anonymous.

As for the bitcoins themselves, I believe that they'd be instantly anonymized by putting them through one or more bitcoin transactions before they reach real life. The FBI would have a very, very difficult time following the real-life "oh, I got them from person X" tree back to lulzsec, especially if lulzsec transactioned the bitcoins to the right person the first time around.

Additionally, people can always create new wallet IDs and self-launder the money, assuming they aren't using the Bitcoin Laundry (http://bitcoinlaundry.com/) to do it for them.

That is interesting, but the trail is still there; i.e. the block chain we are following as it never changes. It's not the transferring them from BC wallet to BC wallet that I'm worried about, but the cashing out for fiat.

No, it's not. You put your 'marked' 100$ in the laundry service and you get 100$ that came from some random dude. Assuming the laundry service doesn't keep logs (very big assumption though), the money that came through such a service can't be used to identify anyone.

Logs are critical for this tracing to work; without them the trail ends. I was looking over Bitcoin Faucet and it does appear that, at least, they log all IP addresses. Then I made my way to http://blockexplorer.com and was able to trace all those blocks.

In the end, BitCoin is only as anonymous as you make it.


This is why you have a guy in Afghanistan cash it out and put the balance onto your foreign, anonymous Paypal/Liberty Reserve account. He takes a cut, but that's life. He has no idea who you are and you only access the account through compromised Windows machines in foreign countries (which you wipe when you're done).

Lulzsec.com registered at Dreamhost (check whois). Stupid mistake? Diversion? Domain squatters?

Ok. The internet is getting interesting.

We have Julian Assange leaking secrets from nearly every country and major organisation. National governments are toppling left and right, with the internet as the tool to gather and convene. We have Anonymous who generally wreaks havoc on whomever pokes that hornet's nest. We have Chinese hackers (or hackers using Chinese servers) that are whittling away on European and US servers. And we now have LulzSec hacking and publicly insulting the FBI.

What a weird world we live in.

We should civilize this internet thing before life gets any weirder.


1. Not so much 'leaking' as 'hoarding'... the dripfeed of leaks is mainly from the single cables dump (a non-renewable resource). Nearly every major organisation? I don't think so.

2. I'm guessing you mean Egypt, where the military has indeed appointed a new cabinet. Not sure that counts as 'toppling' but we'll see, come September. That accounts for the 'right', who's left?

3. Yes we have an organised collective of vigilante hackers exposing the hypocrisy and corruption of other hackers, much as has always been done. Two differences now: (a) national governments have started outsourcing to the second group more and also hyping the word 'cyber', leading to (b) the public has started to become mildly amused by these skirmishes.

4. Interesting configuration of actors there. For those in Europe or America, the interesting part of alleged Chinese hacking is the unwanted free transfer of lucrative IP, which is to say trade secrets. But the US government already has behind-the-scenes access to a vast amount of global internet traffic so any large scale spying effort on its part wouldn't need to be so overt as would that of, say, China. And China is certainly not alone in facing these allegations.[1]

5. Aaand back to 3.

[1] http://www.dbune.com/news/business/3370-france-accused-of-be...

2. Don't forget Tunisia, whose revolution was sparked at least in part by the revelations about Ben Ali in the State Dept cables, or the swing in election results in Kenya back in the stone ages from one of WikiLeaks' first releases, or the "Twitter Revolutions" (overblown though that title may be) throughout the rest of the middle east...

4. The NSA has taps on the major telecom hubs, and is actively sorting through reams of data to gather intelligence. I can't find the links right now, but the story was on HN about the project's creator and his misgivings about how it was eventually used. Yeah, China's bad, but just wait until the US finds itself toppled from economic primacy and see what information they start pulling out then.

Shame on me; I did forget Tunisia. I don't see anything to do with the internet in the events in Yemen, Syria and Bahrain. The mobile network has played some part in Libya though. In any case, none of these governments have been 'toppled' and especially have not been replaced by democratic ones.

The fiber tap story, for reference: http://news.ycombinator.com/item?id=2348156

I really dread what is going to happen by the time Anonymous or someone else starts setting their sights on Israel/Palestine. It can only be a matter of time before it happens.

Dread it how? What outcome do you fear?

Well, that's a hornet's nest with some bad queen bees armed with more dangerous stuff than stingers.

Now is the best time ever to be a security consultant.

Also, if there were a time that consumers learned to be wary of the information they hand out in public or private and how they protected it, now is the time.

If LastPass has an affiliate service, it's quite possible that some quick bucks could be made from this.

This is hilarious.

The main important point is that it makes a mockery of the security snake-oil salesmen and the government sponsored investigation agencies.

It also demonstrates that legislation is powerless over the internet (something I think everyone quietly realises but doesn't want to admit). They've let the cat out of the bag and now it won't go back in.

The Internet is an uncontrollable, resilient, self-aware monster with a good self-preservation instinct. It's fighting back against those who wish to control it.

I'm not sure it really proves any of those things at all, but it does prove that no matter how good you are at something, chances are you will come across someone better than you at some point in your life.

When your thing is security and the other person is feeling malicious I guess it can be an ugly outcome.

It's not about being quantifiably better - it's about perception. Security is wholly perceived. It doesn't actually exist.

Okay, I'll bite, would you care to explain how security does not exist?

Secure vs who? With what budget? Are you content with achieving 'security' by shredding the server or do you plan to hook it up to a network?

So security is relative compared to a threat. That's an assumption that any thoughtful person can make. Yes, the resources available to you will greatly affect your ability to achieve a particular level of security. Just because you connect your server to a network does not mean that the security of your server disappears. Whatever level of security you've managed to achieve is still there. It just may be that the attackers you face are able to overcome your security measures.

If by security one means absolute security against all threats present and future, then yes security is not only illusory but also meaningless.

So you do a lot of work and achieve what you might call "near-perfect real-world security" and are not hacked, are you secure?

When you later find out you were vulnerable. Were you secure?

Does knowing that an undetectable root-kit could have been installed during this time, change your perception of the state of your current security?

Would it matter if the newly-released insecurity was a one-in-a-billion thing?

For instance when's the last time you actually took measures to guard against a trojaned compiler?

If you did get hacked because of a one-in-a-billion thing which nobody could have predicted did it happen because you weren't secure or did it happen despite your security? It's a subtle difference in perceptions.

Does your perception of your security level change if you realize the crooked CEO conspired with the security consultant to arrange a back door and that the one-in-a-billion thing was a virtual certainty?

It goes deeper than simply being all relative, you always make some assumptions - even incredibly large ones. Even a tiny mistake can totally scupper system robustness. In crypto and security a system is often weaker than its weakest link and that includes designer assumptions, operator errors, and customer specifications as well as expected issues such as programming errors. Speaking of security as a thing that can be achieved is mostly wrong and confuses many.

My concern is that the physical layer is more limited and is indeed disrupt-able / controllable.

We need some neutrino transceivers. And a few other orthogonal communication technologies.

Edit: I guess it is also a comment on the situation that I deleted my comment before reconsidering and deciding to repost it.

When opinions can no longer be expressed without fear of (arbitrary and/or extra-judicial) retribution, things have really started to go too far.

The physical media are too constrained. Even if you're not into "black arts" (and I'm not), you may have increasingly limited trust in the powers controlling the infrastructure (not so much the engineers, but the people who pay them and/or put them in jail).

We have amateur radio (pirate or registered), AX25, APRS mail, USB-stick sneaker-net, UUCP, modems, dialups, OTP encrypted SMS still. It's low bandwidth but important information is actually really small.

IPv4/6 may die but there are still ways of shifting stuff around that is important.

Let's see:

1. Wiretaps

2. Tapping Telecoms

3. Tapping satellites

and yet that still does not educate the FBI, CIA, NSA into having better computer specialists? That is the disadvantage of relying upon political back deals to do real work in that you get an illusion rather than reality.

Note, US military for years has been advocating taking service men and women and retraining them for a counter computer security role to replace the independent whitehats.

Would it be too much to assume that the profits might be great enough at risk that some whitehats might be involved with this LulzSec effort?

> Note, US military for years has been advocating taking service men and women and retraining them for a counter computer security role to replace the independent whitehats.

That is already an MOS.

> Note, US military for years has been advocating taking service men and women and retraining them for a counter computer security role to replace the independent whitehats.

You can't give them a process guide or a manual for this. It's something that requires understanding. It's idiocy.

I've worked with "DoD certified NT4 administrators" (retrained administrative worker bees) who didn't know arse from elbow. I walked straight onto one of their "certified configuration" exchange boxes via IIS and read classified emails over HTTP from the mail spool folder... That got me a promotion back then in '99 but it'd probably get me shot now.

Holy Crap! Yes, these guys have done it now.

Goodbye anonymous internet - as we know it today.

As much as I love freedom of speech and 'David' taking on 'Goliath' as the next guy, this is seriously bordering on Terrorism. This seems so unprovoked.

All this is doing is challenging the government to regulate the internet. This does nobody any good.

Now it seems Anon has gone too far, and has crossed over into 'psycho' territory. Once you start attacking the state, there is no coming back from that.

I am sorry, but this isn't a war that Anonymous can win.

Given that Anonymous are widely (but not exclusively) after fame, I wouldn't be that quick to attribute this act to them even though there are large similarities.

In all honesty, all this is doing is challenging people who elect governments to regulate them. This is now proven; governments are not just bordering on terrorism, they are engaging in terrorist acts through contracting fake security firms (which are then easy to point at when uncovered). THIS does nobody any good.

> This seems so unprovoked.

Constant citizens' surveillance and infringing of their rights by "righteous" Governments is also unprovoked.

Exactly :). And in my mind criminals are those that plot killings and break basic constitutional rights (haha - and citizens let them... In fact they are, by means of real democracy, not citizens but idiots -> http://en.wikipedia.org/wiki/Idiot_(Athenian_democracy) ).

Wtf? It wasn't even the people you are accusing who did this. It says so right on top, in the link itself. How are we getting weird comments where people didn't even read the article on HN? Astroturfing? (I am aware that LulzSec is supposedly linked with Anon, but they aren't the same.)

You are all trolls, so who cares.

I say bait you idiots with randomly spewed nonsense so that you spend all your time commenting on the internet.

Go cry more!

This is a huge challenge for the FBI and it will be interesting to see how they handle and crack this case. I do hope they can find these bastards and put them behind bars for a very long time indeed.

The FBI should start with a court order and get the domain registrar to reveal the identity of the person/organization that registered the domain name lulzsecurity.com, which happens to be registered in the Bahamas and can be viewed at (http://whois.domaintools.com/lulzsecurity.com) as

    c/o lulzsecurity.com
    N4892 Nassau
    Tel: +852.81720004

Of course, most likely they used an alias/fake identity. But the hackers had to have left a financial trail when they purchased and registered that domain name, or that phone number, PO Box.

I use the same registrar as these guys. The Bahamas pretty much do not give a fuck about FBI requests. They likely registered on the site using falsified info through a foreign, compromised Windows machine acting as a proxy and paid using an anonymous Paypal account. Problem?

Paypal accounts are cheap to buy and machines running Windows are plentiful.

> The Bahamas pretty much do not give a fuck about FBI requests

And how exactly do you know this?

Oh my god, you're right. He's one of them! (damn lawyers)

Haha, I used Internet.bs before they were cool. They have (had?) the cheapest .com's.

Registering a domain with a prepaid credit card isn't rocket science.

Not if they were smart.

Probably too smart for their own good - all super-smart criminals make the fatal mistake of assuming that others are too dumb to catch them. They also do not have access to the combined resources of the NSA, FBI, CIA.

Do you have experience dealing with super-smart criminals other than noticing how they are generally portrayed in movies / tv ?

The thing about super-smart criminals is that you don't hear about them ;)

Or they are called defenders of freedom;]

> combined resources of the NSA, FBI, CIA

The problem is that all these combined resources mean less outside of the US. They mean even less in an old eastern bloc country, Russia, or some random 3rd world.
