Hacker News
LulzSec: Why we do what we do (pastebin.com)
329 points by ssclafani on June 17, 2011 | 179 comments



OK, so for the remaining 3 people out there who were pathologically not paying attention, computer hacking is easy. The state of computer security is poor. Lulzsec deserves a medal and a chest to pin it on for breaking this news to all of the people who don't have a Facebook account, have never been on IRC, didn't see the movie WarGames, don't know anyone who plays World of Warcraft, have never read the New York Times, have never heard of China and have never heard anyone utter the word "stuxnet".

For the rest of us, it's pretty tedious.

There's another situation that fits the general parameters of what they describe. Almost no one is protected against it. Being a gunshot victim.

At least in the US, pretty much anyone can get their hands on a handgun either legally or illegally. Almost anyone can use one with a bare minimum of instruction. And almost no one is protected - if you pick a name out of a hat of all America, pretty much any possible outcome will be dead easy to track down, stalk, find the right opportunity and shoot dead. And a vanishingly small number of shooters makes an announcement about the whole incident on the Internet.

But, all that said, if you go around shooting people for no real reason and bragging about it you're assuredly a psychopathic asshole.


The gunshot analogy fails hard. LulzSec pre-empted at least half of it, by stressing how harm occurs quietly all the time. Data gets stolen or destroyed and we just don't know it.

Unlike a gunshot wound, where a person lands in a hospital, or morgue, or goes missing, data can be, and indeed is, copied quietly. Of gunshots, people are informed most of the time; of security breaches, barely ever. Cops investigate most gunshots, but do they know of most security breaches?

The big hope is the press will at last start paying attention to (in)security of our data. Thus the headline-grabbing tactics.

The other half is that corporations don't shoot people, people shoot people. And to wit, people don't store 200,000 bank accounts on a web server, corporations do. You can -- and should -- hold corporations to a somewhat higher standard when it comes to affording decent protection for customers. It's no coincidence LulzSec weren't after granny-loves-her-cat blogs, but after commercial services.


To rephrase what dazmax said: They're under no delusions they're not evil. They're saying, "there are a lot of evil people around, and yeah, we're one of them, but who cares? There are a lot of evil people around, and in terms of damage, we're probably doing far less than anyone else and happen to be doing some good by bringing attention to how weak these security systems are. You're spending so much effort chasing us and condemning else; not that we don't deserve it, but you should be spending at least as much, in fact, far more on the people doing far more damage and not announcing it and not doing any good at all."

They're right too. I'm not saying what they're doing is good, or even necessary like some vigilante stories portray, but they're right that we should be devoting just as much attention and effort denouncing and trying to catch the doubtless countless people who, like them, tried some simple attacks and discovered that most security systems are almost trivial to breach, and are taking real advantage of it, not just putting it on the internet and watching the lulz unfold.


Except they didn't say that they are doing this to bring attention to security issues. They are doing it because they can, and because it brings them some entertainment – that's the point the gunshot analogy was addressing.

They only bring up all the silent malicious hacking that happens as an argument that we shouldn't care so much about what they're doing.


None of this addresses the DDoS attacks. I agree with you in regards to the SQL injections / URL parameters, but your post fails hard to defend Lulzsec's DDoSing of anybody.


On the 20th-century internet, that was true.

But! On today's internet, consumers need certain services online 24/7, and are hit hard if they are down. One's stock quotes, bank account, credit/debit card processor, ticket booth, office suite, and last but clearly not least, the daily fix of WoW. Hell, a lot of people can't even read or write any email without the WWW interface.

Being vulnerable to DDoS is just as inexcusable for some business internet services as being vulnerable to SQL injection; the only difference is that the protection applies at a different layer.


Okay, but the gunshot analogy applies here. If I want to, I can hire 24/7 bodyguards to prevent my being shot. If I'm a potentially high-profile target, then yes, you would expect me to spend resources to hire extra protection.

Most of the targets in this case are not critical services like bank accounts or ticket booths -- those companies DO spend the extra money on protection (more servers, in this case).

Let me ask: do you run a web business? Any website? Is it vulnerable to DDoS?


Well, maybe people will start shooting hackers. I volunteer Lulz to be first against the wall.


Corporations most definitely shoot people... http://en.wikipedia.org/wiki/Military


This is what I mean when I say that bad conversation drives out good.


Being a victim of a random person with a gun with no particular affinity for shooting you isn't easily avoidable; being a victim of a random person with Burp Proxy and a couple hours of work is. That's the key difference here. Security is hard, but we have great processes to make things secure and keep them secure against all but the most dedicated attackers.

Mind you, these processes aren't perfect. Things fall through the cracks, and effectively nothing will keep out a significantly determined attacker, but that doesn't mean you shouldn't follow well-established security methodologies. In the vast majority of cases, they hold up well.

Edit: I want to note that, in all likelihood, no amount of secure development and review would've kept people out of Sony -- there were just too many people that wanted to attack them, and too large an attack surface. It could've diminished the number of successful attacks, and it could have reduced the amount of data stolen, but in all likelihood attackers would've still made it in to some extent. However, things like the Brink attack might have been stopped entirely, since they didn't seem to be terribly determined to get in.


We must have a different definition of easily avoidable. The truth is that organizations that spend a much larger than average portion of their energy and resources on computer security can and do still fall victim to intrusions on a regular basis. Outfits that follow generally accepted best practices get successfully spearphished on a weekly or monthly basis. Startups are encouraged by the industry to throw up websites in weeks, yet the tools they're given largely do very little to prevent them from shooting themselves in the foot on a regular basis.

Lulzsec isn't even calling their shots. They're casting around for security issues widely without rhyme or reason. You're supposed to lock your front door, but if you go through a neighborhood and try everyone's front doors you'll always find one that's left open. Now imagine your neighborhood is the world. It's literally impossible that you'll ever run out of victims.

The truth is that computer security isn't shit because all the noobs out there that don't have a CSO, don't hire Matasano, don't have sufficient change review policies, don't have a 24x7 ops team with live instrumentation and don't have DDOS protection are idiots. Sure, any one of them can be pointed and laughed at and said they're losers. But taken in aggregate, it's not all their 30,000,000 individual failures, it's a failure of the computer industry that has long pushed speed and ease over safety and continues to sweep the current security environment under the rug. And also a failure of our own security industry for selling ineffective, labor intensive solutions and pricing most of the rest beyond the reach of most potential customers.

And I dare say that Lulzsec isn't going to have much of an impact on any of that.


> Lulzsec isn't even calling their shots. They're casting around for security issues widely without rhyme or reason. You're supposed to lock your front door, but if you go through a neighborhood and try everyone's front doors you'll always find one that's left open. Now imagine your neighborhood is the world. It's literally impossible that you'll ever run out of victims.

And that is why this stuff is easily avoidable. Much like a lock on your door isn't going to stop a determined thief from breaking in, simple protections won't stop a determined attacker from breaking into your site. But in an age where adding CSRF tokens is simple, SQLi protection is nearly guaranteed by using an ORM and/or parameterized queries, XSS is largely mitigated by filtering on templates, etc, it's not that hard to remove the low-hanging fruit from your site. Even with these, you will still have vulnerabilities, but a drive-by attack like those executed by Lulzsec will not work.

> But taken in aggregate, it's not all their 30,000,000 individual failures, it's a failure of the computer industry that has long pushed speed and ease over safety and continues to sweep the current security environment under the rug.

It's easier than ever to write secure code without even trying. If you follow, say, a basic Django tutorial, you won't be vulnerable to XSS and SQLi unless you color outside the lines. Add in CSRF middleware, and suddenly CSRF attacks (and a large amount of reflected XSS with them) are mitigated. These are not difficult things, and the software industry is getting better and better about making secure coding the rule, not the exception.
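The two "low-hanging fruit" fixes named above, shown side by side as an added illustration (not code from the thread or from any project it mentions): a string-concatenated SQL lookup next to its parameterized form, and the HTML escaping that template autoescaping performs. The in-memory SQLite table and the probe strings are constructed sample data.

```python
import html
import sqlite3
from typing import List

# Constructed sample rows standing in for an application's user table.
SAMPLE_USERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("carol", "carol@example.test"),
]


def make_db() -> sqlite3.Connection:
    """Throwaway in-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_email_concat(conn: sqlite3.Connection, name: str) -> List[str]:
    """The 'colour outside the lines' version: user input is spliced into the SQL
    text, so a quote character in the input can change the statement's structure.
    Kept only to show what the parameterized form below prevents."""
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_email_param(conn: sqlite3.Connection, name: str) -> List[str]:
    """Parameterized query: the driver passes the value separately from the SQL,
    so whatever the input contains, it is only ever compared as data."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def render_greeting(name: str) -> str:
    """What a template engine's autoescaping does for reflected output: the value
    is HTML-escaped before it is placed inside markup, so it cannot open a tag."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR 'a'='a"          # constructed probe: a quote plus a tautology
    print("concatenated :", lookup_email_concat(db, probe))   # every row comes back
    print("parameterized:", lookup_email_param(db, probe))    # no such user: []
    print(render_greeting("<b>"))                             # <p>Hello, &lt;b&gt;</p>
```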


To be frank, your point is bordering on meaningless; you've jumped from anyone can shoot someone to it's all a failure of the computer industry.

I find the first assertion idiotic and the last begging the question.

patio11 made a similar point about armed robbery, I mean seriously, what is wrong with you?

It's fucking stupid. If someone gets shot a lot of cops will turn up within minutes. They'll devote a lot of manpower to it. In some of your states the perpetrator will be executed.

There's a response. There's a massive immediate manhunt. Will people stop idiotically claiming that a serious, sickening crime is anything like hacking someone's server please?

And to get back on topic, if someone gets hacked it's brushed under the carpet if possible, if it's even noticed. People aren't even checking if it's happened.

Where's the abnormal activity alert built into windows or linux? Or Apache or IIS?


Honestly, I'm more worried about companies like Citi allowing users to change the uid param in the URL to access someone else's account data than I am about kids in it for the lulz.


I've been kept out of Sony and all this by never consuming from them.

This is the epitome of capitalism. Your comment was spot on until the edit.

The last Sony thing I paid for was a cassette Walkman. Then after Betamax, MiniDisc, Memory Stick, etc, etc, etc... you have to be a sucker to support them. Sad but true.

Anyway, by not consuming from a company with low market ethics, I also avoided a company with bad network security ethics. They would be hacked? Could be. But if Nintendo is hacked, I can at least just change my password, not my name and credit card.

For similar reasons I also avoid Apple, J&J, and a few others.


> this is the epitome of capitalism

Sure, in your case, of an informed technology enthusiast. The average customer, however, is not aware of shoddy security practices endangering his data. Which nowadays means his personal finances, too. Also, the average decision maker at the companies in question is not aware of your protest, either; it takes press attention to make him aware.

This is heavy information disparity; market self-regulation cannot happen in such a case. The customers simply cannot make informed (!) choices, nor put pressure on the website operators. Curiously enough, many of the decision makers at the companies may also be unaware of the seriousness of the risks just as well.

LulzSec steps in. By grabbing headlines they aim to inform the widest audience of what goes on, and force the press to take on the hard subject. Let's hope the press does the job well, so capitalism can do its at last.


I knew nothing of Sony's security practices. I knew about well-known market practices.

about attention to my little protest, I assure you, they pay more attention to sales volume than media noise.


I don't see that analogy working very well. It's not about shooting single people. It's about banks building their vaults using cardboard and paper, instead of concrete and steel. It's just not that smart.


If my data was stolen, I'd be annoyed, not dead. And the law, and enforcement priorities, reflect that.


As I mentioned below it does very much show psychopathic tendencies. These people clearly have no empathy for those they are harming. This includes far more than just the Sony executives that everyone hates (despite not knowing).

Online security is poor for the same reason airport security is. Good security would take enough time and money to make the whole thing economically unviable.


>Online security is poor for the same reason airport security is. Good security would take enough time and money to make the whole thing economically unviable.

Airport security in the US is poor because the policies are a series of politically convenient patches applied to a broken system. In Israel, where the threat of terrorism is far greater, their airport security is both much more effective and much less invasive. Why? Because it was designed to work, from the ground up. They don't hire legions of idiots at minimum wage or close to it to do their security. They hire ex-military and ex-Mossad people to surveil travellers. They have highly-trained people who know how to spot potential terrorists, and multiple layers of security (usually just someone saying hi and engaging in light chatter) that catch the vast majority of problem people before they get anywhere close to an airplane.

The US system is expensive, invasive, and ineffective. That doesn't mean airport security in general is doomed to fail, it means the US is incompetent at it.


I agree with showing how poorly secured websites are and how easily our information is distributed even when we think it's private.

What I don't agree with is their use of DDoS attacks against sites like cia.gov.

DDoS attacks are pointless. All they point out is how a site has limited resources for dealing with so many concurrent connections.

Sites should deploy onto an infrastructure they feel is adequate to deal with the expected load plus some additional room for growth and spikes.

I'm sure cia.gov doesn't get hit very hard on a normal day, so they didn't go crazy on infrastructure, which is understandable. A DDoS proves nothing and prevents people from accessing data.

If you're going to hack, please wear a white or grey hat.


When Anonymous attacked Visa and Mastercard via DDoS (in retaliation to them cutting off Wikileaks donations), Anonymous did actually succeed in stopping the online verification systems for both companies (SecureCode, or something, and Verified by Visa). In that case, the DDoS attacks did more than just take the site down; they financially hurt their target, which was probably the aim to begin with.

I'm not justifying the attacks and I agree that they are the wrong way to go about this business, but it would be naive to suggest that the DDoS attacks are a minor inconvenience.


DDoS's have a monetary impact, yes. However, what the parent is saying is that all infrastructure has limits in terms of bandwidth, etc. The point is that it's not the same class of "attack" vs. finding an exploit. The latter is more in line with the "strive for more secure sites". The former, not so much.


Then we need to fix the infrastructure so that the current generation of attacks don't work. To just say, "oh, well bandwidth is limited so there's always going to be an attack" is not useful. Think of ways you can structure the infrastructure so that it can do filtering further out, or detect spoofed connections, or detect anomalous request patterns. There are solutions, we need to find them and implement them, not just tell people not to do it or claim it's a "weak" attack. It's a strong attack if it takes minimal effort to cause maximal damage. In the real world, that's what matters. There's the idea that we're playing a game and that there are behaviors that are good form or bad form. However, when it comes down to it, what works is what works.


They can certainly protect against this but it's not a good idea.

I pay US taxes and I don't want the cia.gov site to be on the same type of hardware as say Google just to be DDoS "proof".

They shouldn't be connected with a 33.6 modem but to ask all sites to upgrade everything to prevent DDoS is insane.

Who could afford to start a web site if they had to lay out all of that cost?


Might that be another advantage of cloud computing? To spread the cost of DDoS defense infrastructure across many websites?


You'd still have to pay for all the computing time to remain available during the attack. It's probably not worth it to try to stay up in that kind of storm.


mentat, I wasn't saying don't protect ourselves against this. However, by harnessing a big enough bot network you can always overcome these measures. Finding an exploit is different, and especially for financial institutions inexcusable to a certain level.


It also led to Paypal allowing Wikileaks to retrieve the money they already had before they suspended their account.


Is phillijw another false positive of HN spam detectors?


Maybe. Look back through his(?) comment history, and you'll see that the point where he was autokilled/hellbanned (around nine pages back) was, while a very downvoted (and nonsensical) comment, not actually malicious. Before that, he had a few comments which were downvoted maybe two or three times (you can tell by the color). It's probable that he was autokilled/hellbanned because those caused his average comment karma to drop too far, as well as making his karma negative, though I am not aware of the exact criteria.

At this point, he seems like a false positive based on his recent comments. It's a pity that there's no real procedure for being unhellbanned, even if the user discovers that they are, other than starting a new account.


Even starting a new account doesn't work (at least it didn't in a previous instance where I notified a false positive). You also need to use a proxy. So to phillijw, email PG or start a new account using a proxy :)


DDoS attacks are pointless. All they point out is how a site has limited resources for dealing with so many concurrent connections.

This point was raised a few months back in relation to PayPal and Visa getting DDoSed because of Wikileaks: DDoS attacks could be the new digital age version of a protest, a disruption of normal activities to draw attention to a particular cause (whether or not that cause is worthy is secondary). In that sense, DDoS attacks are very relevant.


There is a need to develop systems that aren't subject to DDOS (at least the current generation). It used to be very easy to DOS anyone's network stack (think SYN flooding). If people hadn't shown that it was an issue by doing it, the Internet would still be running on stacks that were trivial to undermine many different ways. Saying that something is easy to do and has a tremendous impact is an engineering problem statement. Demonstrating it shows that it's also a business problem. This is how things get fixed, when people get tired of being instantly knocked off the Internet by .4% of the LulzSec DDOS capacity. The Internet still has some basic problems; ignoring them won't make them go away.


See, is there a practical way to "fix" the problem behind a DDOS? More specific attacks (slowloris, SYN flood, ping of death, smurf, and a laundry list of other stuff) can be fixed by simply introducing changes to the infrastructure that makes such things possible.

But a DDOS attack is, at heart, nothing more than a brute-force attack - flooding a single website / IP with so much traffic that it can't respond. No matter how much fancy technology you add, if you have a 100Mbps link, and someone's sending 1Gbps of data at you, you're out of luck.

And, yes, I realize that there are companies that specialize in protecting against DDOS attacks - generally, they move content to a CDN and use some intelligent filtering to drop packets (i.e. people that request multiple times in succession, etc.). But this still is reliant on the fact that their connections are large enough that they can actually process all this data.

If a large country decided to use all its available Internet bandwidth to DDOS, there's not much anyone can do about it.

In short: DDOS attacks will likely always be around - they might require higher bandwidth (country-scale or thereabouts), but it's not "fixable".


So let's think about how traffic gets onto the network and what steps might make sense to limit that. I have some "crazy" ideas about this including per device reputation enforced as close to the device as possible. Yes, if we say that anyone with any sort of device can send data to anyone then this will be a problem. There are other options including different sorts of "darknet" type things. Are there no "outside the box" type solutions that you can think through the tradeoffs for? I think the underlying assumption you're working with, that anyone anywhere on the network should be able to drop an unlimited amount of data onto the link headed to me as a rule of how things must forever work needs to be justified.


Yes, that would be a valid solution - authenticate every device, or provide a per-device reputation. But this has a couple of problems that I can think of:

1. Per-device reputation removes the concept of anonymity. If I can look up the "reputation" of the device that sent me a packet, I can track it perfectly too.

2. Authenticating every device (besides the practical challenges) is very inconvenient. What happens if I move countries? Buy a new phone? Or a new network card?

And there's more issues that I won't list :)

Problems aside, I agree with the statement: "the underlying assumption [...] that anyone anywhere on the network should be able to drop an unlimited amount of data onto the link headed to me [...] needs to be justified".

I think the most practical solution to this would simply be forcing ISPs (through legislation would be best) to look a little closer at their traffic. If I'm running an ISP, and I see a computer making 100 requests/second to a single website for more than a minute, I'm immediately thinking "DDOS". Yes, there are privacy issues, but most ISPs already do some sort of traffic shaping (see: Sandvine), so it shouldn't be that much of a stretch.

Arguments welcome ;-)
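The "100 requests/second to a single website for more than a minute" rule from the comment above, written out as detection logic over flow records; this is an added example, not code from the thread or from any ISP product it names. Records are assumed to be (timestamp, source host, destination) tuples, and the sample traffic is constructed inline.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

RATE_THRESHOLD = 100     # requests per second, the figure used in the comment
SUSTAIN_SECONDS = 60     # the rate must hold for more than a minute

FlowRecord = Tuple[float, str, str]          # (timestamp, source host, destination)
PairKey = Tuple[str, str]                    # (source host, destination)


def bucket_counts(records: Iterable[FlowRecord]) -> Dict[PairKey, Dict[int, int]]:
    """Count requests per (source, destination) pair in one-second buckets."""
    counts: Dict[PairKey, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for ts, src, dst in records:
        counts[(src, dst)][int(ts)] += 1
    return counts


def longest_sustained_run(per_second: Dict[int, int], threshold: int) -> int:
    """Length, in seconds, of the longest stretch of consecutive seconds at or over threshold.
    A short burst that exceeds the rate for a few seconds is not treated as a flood."""
    hot = sorted(sec for sec, n in per_second.items() if n >= threshold)
    best = run = 0
    prev = None
    for sec in hot:
        run = run + 1 if prev is not None and sec == prev + 1 else 1
        best = max(best, run)
        prev = sec
    return best


def find_flooders(records: Iterable[FlowRecord],
                  threshold: int = RATE_THRESHOLD,
                  sustain: int = SUSTAIN_SECONDS) -> List[Tuple[str, str, int]]:
    """Return (source, destination, seconds) for every pair whose request rate stayed
    at or over `threshold` for more than `sustain` consecutive seconds."""
    flagged = []
    for (src, dst), per_second in bucket_counts(records).items():
        run = longest_sustained_run(per_second, threshold)
        if run > sustain:
            flagged.append((src, dst, run))
    return sorted(flagged)


def constructed_records() -> List[FlowRecord]:
    """Constructed sample traffic: one host floods one site for 75 s, one host browses
    normally, and one host bursts hard for 20 s (over the rate, but not long enough)."""
    base = 1_700_000_000.0
    recs: List[FlowRecord] = []
    for sec in range(75):                                   # 120 req/s for 75 s
        recs += [(base + sec + i / 120, "10.0.0.7", "target.example") for i in range(120)]
    for sec in range(75):                                   # 5 req/s, ordinary browsing
        recs += [(base + sec + i / 5, "10.0.0.8", "news.example") for i in range(5)]
    for sec in range(20):                                   # 150 req/s, but only 20 s
        recs += [(base + sec + i / 150, "10.0.0.9", "target.example") for i in range(150)]
    return recs


if __name__ == "__main__":
    for src, dst, seconds in find_flooders(constructed_records()):
        print(f"sustained flood: {src} -> {dst} for {seconds}s")
```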


It'd need the help of browsers or OSes (depending on where in the stack you put the logic), but one idea might be to require requests/packets to be signed by something that proves a sufficient amount of CPU work has been done (à la Bitcoin). If the site comes under attack, they could turn this on (presumably with a middle-man service that can take high bandwidth) and up the amount of work required to reach the destination. This would no doubt slow things for the legitimate users, but it could make things much more difficult for the attackers.


This really doesn't solve the DDOS problem though. It's throwing more CPU time and bandwidth at a scenario that already requires both of those. It can slow a small group of script kiddies making a thousand requests to your server per second, but it doesn't stop an actual distributed attack using a botnet or large numbers of machines.

If you're adding the signatures, you presumably need to spend CPU time to authenticate it, and bandwidth to send the data, plus the actual content. Why not just have the middle-man soak up the extra requests, cache the data, and fan it out that way?


Of course, botnets or LOIC would completely bypass this defense...


A long time ago I read/watched something about a group that works with ISPs around the world to nail down the source of DDoS attacks and stop them, but I don't remember anything else.


> There is a need to develop systems that aren't subject to DDOS

Some protocols are immune to DDOS: like BitTorrent and Freenet. HTTP wasn't designed to deal with DDOS.


When I tried freenet it was so slow that it would compare unfavorably to a website being DDOSed, so that's perhaps a bad example. As far as bittorrent goes, it is entirely possible to DDOS the distribution of the contents of a single .torrent: DDOS every computer seeding it. Might take more effort than DDOSing a commercial site, or it might not, depending on how much downstream the seeds have.


DDOS attacks are terribly hard to stem. I remember Softlayer having a Cisco Guard they claimed helped against DDoS attacks, but it seems to cut off and block a good amount of legitimate traffic as well.


I think the point of their DDoS attack on cia.gov was in response to the US's statements that cyberwarfare would be responded to with actual warfare. They're just poking the beehive to see what it will do.


But clearly that's not what they want to do, they're not claiming that their intentions were moral or ethical, just that their having fun happens to have some arguably positive impact at times.


>People who can make things work better within this rectangle have power over others; the whitehats who charge $10,000 for something we could teach you how to do over the course of a weekend, providing you aren't mentally disabled.

This is a common complaint among blackhats: they see whitehats as being in the game for the money and taking advantage of the unenlightened as much as they [the blackhats] themselves do.

I don't really know what to make of it.


Blackhats can cost organizations way more than whitehats would charge in operating costs, personal identity theft, and reputation.

Whitehats are only taking advantage of the unenlightened as much as a mechanic is taking advantage of someone who doesn't know anything about cars - they provide experience and expertise and offer a service for a high price - at least, a higher price than if the client knew how to fix it themselves.


I love it when the economically illiterate attack others for "price gouging" as if the third party doesn't have a choice in the matter or they aren't "unenlightened" enough to properly appraise the value of what they are buying.

How do I know that my jeweler isn't gouging me on my fiancée's 2 carat diamond ring? Because I know that there's a fixed quantity of available diamonds, and almost everyone would buy them at a given price. And if I need to verify that, I can go to the jeweler down the street. Everyone would buy security consulting at a given price, but that quantity is even more limited than 2 carat diamonds.

Why is my house worth a third less than what it was 3 years ago? Because there are at least a third fewer potential buyers than there were when I bought it. I wasn't "price gouged" or fooled in either instance.

Whitehats specialize in security and it frees up our time to specialize and produce excess value for others. It's not a conspiracy. If Steve Jobs and LeBron James aren't tricking people into giving them money, neither are whitehats. It's the free market and, believe it or not, it produces wealth.


Funny that you use diamonds as an example, when the diamond market is one of the most rigged institutions on the planet.

Your jeweler is always gouging you when you buy diamonds.


Just because a cartel exists somewhere in the supply chain doesn't mean I have to participate in the transaction or my perceived value of it is artificially inflated. The two carat ring was just hypothetical, but there are plenty of men who value those rings more than the asking price, and their wives appreciate that. (At least the sensible ones do.)


It's less the jeweler and more his suppliers.


Also foolish to forget that time is money, you pay knowledge workers for the time they spent studying. You too can "save" $10,000 by doing security yourself, but only if you spend several years training and understanding the domain.


Where can one buy security for $10,000 anyway? I'm not mentally disabled and have spent many weekends learning about info security. What are they even talking about?


>Because I know that there's a fixed quantity of available diamonds

Meanwhile...

http://en.wikipedia.org/wiki/Chemical_vapor_deposition_of_di...


Sure, but what blackhats often claim is that even if a company pays whitehats large sums of money, it is often fairly easy for the blackhats to do just as much damage as they could before.


That false comparison has always bothered me. Preying on the weak for fun instead of profit doesn't make you right, it makes you sound like a sociopath.


I think everything else said in the post proves they are sociopaths. They don't seem to place value in "peons", "lulz lizards", or really any kind of human beings.


It's always been posited that, at some point, the Internet would create a generation of pseudo-sociopaths who are so disconnected from fellow human beings, they lack empathy, much the same as someone with the clinical diagnosis.

Mayhap that time has arrived.


Just like with violent video games, the internet doesn't make people feel disconnected, or turn them into sociopaths.

It enables people who would rather be disconnected to disconnect themselves, and gives sociopaths the ability to do far more.

The internet doesn't create people without empathy, it reveals that deep down, a lot of humanity didn't have it to begin with. The way society is starting to structure itself, though, lets that shine through more clearly.


>The internet doesn't create people without empathy, it reveals that deep down, a lot of humanity didn't have it to begin with. The way society is starting to structure itself, though, lets that shine through more clearly.

A lot? I doubt LulzSec is more than five people. For every pathological script-kiddie there are ten Free Software hackers. The Internet has revealed new ways for people to be destructive, but it has also revealed more ways that they can be constructive.

Compare:

http://www.quantcast.com/github.com

http://www.quantcast.com/4chan.org


Excellent post scythe, I fully agree with you. The comparison of numbers between GitHub and 4chan is a nice indicator that there are more than these sociopaths. When you have lulzsec waving their arms in front of the internet it's sometimes easy to forget there are millions of great people producing software, for others, for the betterment of humanity.


Not everyone on 4chan is a sociopath. Even on /b/, not everyone is a sociopath.


Of course not, just like not every project on github is open source. It just seemed like a nice glance at the ways people choose to spend time online.

I doubt society was ever much more virtuous than it is today, but we do hear about the problems more. There is the orthogonal and much more serious issue that many more people today feel unfulfilled in their lives than they did before, but I can't even begin to address that -- read Infinite Jest by David Foster Wallace if that interests or concerns you.


Just like advertisements don't convince people to buy stuff.


Well said.


It's easy to be a sociopath on the Internet where humanity is lost.


Having no moral doesn't make you a sociopath.


That's almost the textbook definition:

a person, as a psychopathic personality, whose behavior is antisocial and who lacks a sense of moral responsibility or social conscience.


Preying on the weak for fun

Preying on the weak for profit

They both kind of have a sociopath sound to them


I suppose this is a matter of phrasing.

Do car mechanics prey on the weak for profit because not everyone learned how to fix their car? They trust mechanics because they devoted many years of their life to becoming good at what they do. Does that make them sociopaths? Logic fail.

You could also say that white hat hackers provide a service of security for the benefit of those that spend their time creating other things.


But, only one of them is the foundation of our society.


I'm not sure which one you think it is, but I sure hope it's the one that does it for fun.

A society driven by preying on the weak for profit is far more distressing.


You guys do realize that the bit about preying on the weak for profit is just a bit of rhetoric? It isn't really true.

The person who is weak in this case is a customer. This customer is lacking in skills related to computer security. The person who is preying on the weak is someone who invested time into learning about the skills that the customer does not know. Let's say this customer was a farmer. He is using the money he, too, got from preying on the weak non-farmers to purchase protection.

In the case of preying on the weak for fun we also have some things being hidden behind the words. For example, fun in this case means stealing identities, trying to ruin relationships, and sending dildos to innocents.

It's cool though for the author because by having things written in these terms it's easy for people to talk past each other. They don't realize the context in which he has placed the words in the article. When other people see the terms it's easy to think that maybe "preying on the weak for profit" is referring to blackhats instead of capitalism.

Another thing worth pointing out is that the person who is volunteering to give away the information for free is actually someone who also put in a lot of time to learn all the things that the customer didn't know. So when he says "I could teach it to him quickly" he is really saying "I will provide the same service in exchange for your weekend." The thing is that when these two "companies" compete only the one charging money is going to stay afloat. So the dildo sending altruist who wants fun to be the basis of society goes back to sending dildos while the guy who charged the money actually does the job.


As sad as it sounds, I really think it's preying on the weak for profit. So much of society/economy/whatever very much depends on taking advantage of those who don't have much other choice in the matter.

I don't think it's as visible to us as it used to be, but I think it's still very much there.


See: "Invisible Hand"

In economics, the invisible hand, also known as invisible hand of the market, is the term economists use to describe the self-regulating nature of the marketplace. This is a metaphor first coined by the economist Adam Smith in The Theory of Moral Sentiments... For Smith, the invisible hand was created by the conjunction of the forces of self-interest, competition, and supply and demand, which he noted as being capable of allocating resources in society.

http://en.wikipedia.org/wiki/Invisible_hand


You mean the foundation of Taliban and Mafia society. You know, it is quite possible to make money by being good. It just doesn't grab headlines as effectively.


And quite trivial to make more money preying on the weak than being good.


At least in the short term. But, that's definitely not the foundation for any functional society.


Which one?


It's a bit of a silly way to respond though - they could either be whitehats themselves and charge a more reasonable amount; or charge the same amount and donate whatever they think is reasonable to education campaigns or whatever.


My guess is rationalization. They are lying to themselves to justify their actions. I've read that even serial-killers think they are doing good. I don't see why blackhats would be much different.


What corporation would ever trust a 'free' security consultant?


Adorable. They're bullies and proud of it. It's one thing to call out security exploits, and quite another to take great joy in causing others pain.


> to take great joy in causing others pain

This happens far more often than people realise.


Still does not make it okay.


What if you're a second-generation schadenfreudist? I take pleasure in the pain of those that take pleasure in the pain of others.


I think that's called Schadenfreudefreude, or perhaps Schadenfreude^2


Reading ~german~ words in an en conversation always strikes me as interesting. That we brought you this fine word is kind of telling..


I think you just described my new life philosophy.


They're mostly taking publicity, the joy is mostly for show.


And I just realized what it is about LuLzSec that's bothered me. I couldn't quite put my finger on it, but now I realize deep down they are nihilists.

That's a damn shame.

What seemed most admirable about Anonymous is that as much as they were also in it for lulz and pure chaos, underneath there seemed to be a kind of idealism. Idealism is seductive, nihilism is off-putting.


Or maybe that Anonymous idealism was a fraud and lulz, as peers, could see the hypocrisy much more clearly, as everybody in their community likely does what they do because of the thrills while ignoring the pain caused. Lulz admitting it is likely taking the high road? Or is that too tortured a twist?


Perhaps anon was also pure lulz with absolutely nothing else behind it. But I vaguely recall their writing to be strongly pro freedom. And their most prominent vandalisms seemed to be an attempt to make a point about basic rights and freedoms.

When LuLzSec state that they don't care, and don't even care if they get arrested, that's definitely nihilistic and kind of sad.

Certainly they too in their juvenile ways were close to making a good point. A point about shocking incompetence when handling and storing sensitive customer data. A point about unethical behavior in government. And I believe them when they say they have stuff that they've chosen not to release. So they are not in fact true sociopaths or true nihilists. I guess that makes it even sadder when they say they don't care about anything but lulz.


These men are nihilists, nothing to be afraid of.


Note LulzSec claims to 'not be Anon' (lol).

It seemed like there was idealism lurking because there was!


Good point!


invokes Ayn Rand!


Raise your hand if you're hesitant to write what's on your mind for fear of receiving some special attention from Anonymous, LulzSec, and friends.


I wouldn't be too worried about it, and here's why:

For Anonymous, they're driven by strong moral convictions in their attacks these days (e.g. look at this puppy killer, let's fuck him up). The wayward person on the internet is of no interest to them. I've had my info posted on 4chan in full - address, phone number, email, facebook, screen names for other things, etc, with no lasting effects. Got spammed a bit, had some strange things arrive in the mail, but nothing malicious. They'll only be mean if they think you deserve it.

LulzSec is out there with a different purpose - they want publicity. The ddos attack they just ran wasn't to strategically take out services, it was to gain publicity by temporarily taking out unimportant but socially obvious targets. The CIA website was the public facing one, the only purpose it served was to be a PR job for the CIA. Smearing their PR site gets people looking. Smearing some random guy on the internet does not.

Basically, you're not important enough to warrant attention, nor am I, and nor are most people.


The impact of their attacks has more been a strong motivation to "get my house in order". I'd been using LastPass for some time but decided that I should get the YubiKey for two factor auth. I also started becoming quite a bit more vocal at work about the sorts of things it might be a good idea to take a closer look at. This is a wake up call for what's already happening. They just decided to do it and tell the public instead of sitting, waiting, and letting people continue to feel safe. If there's danger and it's at your doorstep, it's good to feel not safe.


Isn't YubiKey a fail-closed mechanism? Are you okay with trading a little extra protection from voyeurs for the possibility of losing access to the portion of your personal data that you deemed important enough to encrypt and vital enough to still keep around as opposed to wiping it clean?


Wasn't LastPass hacked earlier this year?


They saw some things they believed might be brute force attacks against weak passwords, so they reset the passwords of people who the attempts had been directed against. They also changed the way they handled repeated password failures to be even more strict. The basic database was not compromised and the passwords in the database are encrypted with the master password for the account so they'd have to be broken account by account.


Additional information can be found here: http://blog.lastpass.com/2011/05/lastpass-security-notificat...


Your question is more inviting than anybody speaking their mind. The one thing I thought when I read their statement was that it reminded me of A Clockwork Orange.


Yes, the parents in A Clockwork Orange! Or pretty much everyone in the "It's a Good Life" episode of Twilight Zone:

http://en.wikipedia.org/wiki/Its_a_Good_Life_(The_Twilight_Z...

That episode also made it into the Twilight Zone movie directed by John Landis.

See you next Wednesday!


Please don't fear them, their power comes from feeling righteous in what they do. No one's figured out how to manipulate them that easily.

At least not yet, anyway.


This smells to me like a hastily conjured rationalization for a series of attention-seeking acts wrought by a small group of disenfranchised industry workers who have something to say, but they're just not articulate enough to voice it so they blow shit up instead.


a small group of disenfranchised industry workers

Do you really think they're industry workers? I'd peg most of them as high school kids. Probably with the occasional creepy thirty-something thrown in for good measure.


Exactly. High schoolers have a strong envy for anarchy - trying stuff for fun. I think most readers here went through that phase and forgot about it. Flirting with the borders is fun. We were not realizing the consequences of our acts.


They can voice it perfectly well. The problem is that they can't be heard in the mass media without some large event to draw attention. The last month has been their big event, and now they have the attention they needed. They had a good plan and it was executed perfectly.

[Edit: by "good plan" I mean that their plan had a good chance of success, not that it was beneficial. That part is still up for debate.]


No, they cannot voice it perfectly well, if they have to resort to stealing user information to get their message across.

Their plan was not good, insofar as it caused pain for a great many people. What they did was not okay, and should not be lauded as a positive thing for the Internet at large.

The problem is that their antics are even being considered as anything other than the terroristic (in the real sense of the word, not the post 9/11 hyped up nonmeaning it tends to carry today) acts that they are.

If someone broke into a hospital and flung all of the patient records out onto the street, we wouldn't be having this discussion; they'd absolutely be considered criminals. So what if the glass they broke to get into the hospital wasn't shatter-proof? Sure, the hospital security would be improved, but there are a great many ways to go about fixing the problem without compromising the privacy of hundreds of thousands of people.


People have been trying for years to get the point across that we need to have better security. None of them have managed it. If anything, security is getting worse because cracking tools are becoming more sophisticated. Someone had to get word out, what people were doing to raise publicity wasn't working, there was a way to get attention, and LulzSec did it. Bad as what they did is, they successfully raised media awareness of the fact that those patient records were in a clearly-labeled manila folder taped to the front door.


    None of them have managed it.
I'm glad they didn't -- this way I can still have some privacy.

    cracking tools are becoming more sophisticated
IMHO, it's easier to break into someone's home than into someone's server.

The result is more predictable too, as you can find tools that can crack open doors, windows, anything. And if all else fails, you can just watch the house until somebody makes an error, like leaving the window open themselves (although experts don't have to do this).

Real security can only be achieved through serious investments into state of the art alarms, safe-deposit boxes and by being paranoid.

Another way to do it would be to plant GPS devices in each and every human and track each movement into a centralized database, while good thieves will find ways to block that signal anyway; and that's how all of the proposals for a more "secure" Internet sound to me - basically punishing honest citizens in the name of security.


They succeeded in exactly the same way that the IRA succeeds in bringing attention to their cause when they blow up a school.


For a moment I'd thought I was the only one to notice. If we would ignore them, they would just fade away.


If by "we", you mean everyone on the planet, including the blackhats who benefit indirectly by utilizing the results of LulzSec's exploits, then...maybe.

This is not realistic, however.


Why we do what we do: We're 15, unsupervised, and behaving badly.

Do they really need a manifesto?


This missive strongly reeks of teen spirit. Guess we'll find out when the FBI perp walks them in front of the cameras.


No one that young would have the capacity to understand some of the contextual references required to write this piece. If you pay attention to the way LulzSec writes and words things, they aren't at all immature in their thinking or worldview. Ceasing to give a fuck about perceived trivialities is something that comes with age and seeing how the world really works. The confidence they have came with age as well. Neither is a sign of youth whatsoever.

I'd guess mid-thirties for these guys, at least for whomever is putting out their twitter updates. This is someone who is basically immune to white-knighting and is a truly hard-core realist. It takes quite a while for someone reasonably intelligent to become that cynical, and then a while longer for them to act on it.

Anyway, I'm a fan of these guys. While I wouldn't do what they are doing myself, I certainly understand the mindset. I'm not quite sure I understand the arguments against what they're doing. The knee-jerk reactions of wanting to call them wrong frequently seem more immature to me than their recent campaigns. The real world is messy, and LulzSec's work is a valid reflection of that.

As far as the comparisons to sociopathic thinking, that's just ignorant. Sociopaths generally don't care about anyone but themselves and that's obviously not the case here. A sociopath would never release any of this data, and would simply use it for their own advantage, regardless of who was harmed.

LulzSec is gleaning entertainment here from the unwashed masses to be sure, but they aren't out there enslaving people with debt, indoctrinating them with religion, shooting them for protesting, putting them in cages for drug offenses, etc. All of which is completely legal, and in my opinion, far more sociopathic than releasing some bit personal data or playing a few practical jokes on people.


I don't think they're 15, they're too articulate for that age. But I don't think they're above 30 either.


[deleted]


[deleted]


Yeah they're just like you.


Might want to change the title to something like "LulzSec actually had a point after all." They do, too, an even better one than I expected. Not only are they making a point about how terrible security is ("Do you think every hacker announces everything they've hacked?"), but they've also called out the internet on its generally abysmal attention span. I wouldn't be surprised if they'd had this written on day zero.


That's not the most important thing I took away from the submitted link.

To me, the important thing is that LulzSec says that it derives pleasure from causing harm to people -- like the people who used to add poison to bottles of Tylenol, package the Tylenol back up again and place it back on the supermarket shelf. Although they could be saying that to cover up their real agenda, most writers (and especially most writers who have the tech skills needed to do what LulzSec has done) could not fake an admission of this sort as well as this text would have to have been faked.

Since it is natural human behavior to rationalize an antisocial motivation with a more socially-acceptable cover story, you would expect LulzSec to say things like, "We are doing this to bring public attention to how terrible security is." But if it is a rationalization, and it sure seems that way to me, surely it would be a mistake to focus on it and not the true motivations.

>they've also called out the internet on its generally abysmal attention span.

What a surprising interpretation! I interpreted the parts about boredom as a continuation of the author's honestly disclosing his own motivations, not anything about internet users in general.


Let's not overblow things. They don't kill random people, they carry out pranks which can cause emotional and maybe financial distress, that's all.


Part of me feels that the publicity side of their argument is a little overblown. Many people do publicly disclose exploits, it's just that LulzSec has made a huge deal in the media about each one. Another part of me is happy to see them call people out on their abysmal security practices. Sony would not have upgraded/redone their security practices had there not been attacks. The only thing worse than poor security is having a false assurance that it's good.


Not only are they making a point about how terrible security is ("Do you think every hacker announces everything they've hacked?"), but they've also called out the internet on its generally abysmal attention span. I wouldn't be surprised if they'd had this written on day zero.

Neither of these are novel concepts: we've heard about abysmal internet security (FireSheep) and low attention spans (Nicholas Carr[0, 1] and Jonah Lehrer[2]) repeatedly over the last couple of years.

This release may seem profound to you, but LulzSec proposes no solutions to the problems they're creating. They're too nihilistic to put on white hats, and they deserve none of your praise as a result.

[0] http://www.theatlantic.com/magazine/archive/2008/07/is-googl...

[1] http://www.amazon.com/Shallows-What-Internet-Doing-Brains/dp...

[2] http://scienceblogs.com/cortex/2010/04/attention_and_intelli...


The difference is that LulzSec managed to get their word on every tech blog in the world. They also managed to get their basic message - nothing is safe, and here's proof - onto nearly every single major news site in existence, and they made their message immediately and personally important to millions of people. That's why I'm praising them. They don't need to propose a solution; that's already been done. They don't need to have a new message; extant messages are good enough. What they bring to the party is visibility.


What they bring to the party is visibility.

Do published books and articles in The Atlantic, Wired, and NYT not work for you? Those are a few of the news sites that have covered declining attention spans.

As for internet security--anyone who can do something about it already knew there was a problem. On the consumer end, what are users supposed to do? Add symbols to their passwords? That would delay GPU- or SSD-based brute force techniques by, what, 10 seconds?


An article on Wired gets read and forgotten. An article about passwords in the NYT gets dismissed as "newfangled kids". Ten million credit cards stolen - one of which is yours - gets remembered. Having your FB account manually and maliciously defaced changes your life. That's visibility that no article or book can sell.

Consumers are supposed to start using tools like KeePass or LastPass. Adding symbols to a simple 6-character password doesn't help. Adding symbols to a high-entropy 20-character password and never using a password twice makes you basically immune to this kind of thing.
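The claim above (symbols on a short password buy almost nothing, a long random unique one puts you out of reach of brute force) can be checked with a few lines of arithmetic. This is an added example, not code from the thread or from any of the password managers mentioned; the guess rate it uses is an assumed figure for a GPU rig, and the entropy model is an upper bound that ignores dictionary attacks.

```python
import math
import secrets
import string

# Character classes a password policy can draw from.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"   # 26 symbols


def alphabet_size(password: str) -> int:
    """Size of the smallest union of classes containing every character.

    This mirrors how a brute-force tool scales its search space: a single
    symbol forces the attacker to include the whole symbol class.
    """
    size = 0
    for cls in (LOWER, UPPER, DIGITS, SYMBOLS):
        if any(c in cls for c in password):
            size += len(cls)
    return size


def entropy_bits(password: str) -> float:
    """Upper bound on search entropy: log2(alphabet ** length).

    A dictionary word like "monkey" is far weaker than this number suggests,
    because real attackers try wordlists before exhaustive search.
    """
    size = alphabet_size(password)
    if size == 0:
        return 0.0
    return len(password) * math.log2(size)


def expected_crack_seconds(password: str, guesses_per_second: float) -> float:
    """Expected exhaustive-search time: on average half the keyspace is tried."""
    return (2.0 ** entropy_bits(password)) / 2.0 / guesses_per_second


def generate_password(length: int = 20) -> str:
    """Password-manager style generation: uniform random draw over all classes,
    using the OS CSPRNG rather than random.choice()."""
    alphabet = LOWER + UPPER + DIGITS + SYMBOLS
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    ASSUMED_RATE = 1e10   # assumption: guesses per second for a fast hash on a GPU rig
    for pw in ("monkey", "m0nkey!", generate_password(20)):
        bits = entropy_bits(pw)
        secs = expected_crack_seconds(pw, ASSUMED_RATE)
        print(f"{pw!r:26} {bits:6.1f} bits  ~{secs:.3g} s  (~{secs / 31_557_600:.3g} years)")
```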


On the consumer end - what needs to be done is a massive education campaign, kept reasonably simple. It was done in 2000-2003 for anti-virus and it (roughly) worked for the 80% or so of the Windows world that did what they were told (by the mainstream press).

The mainstream press has (so far) done a terrible job on password education. You see long lists of rules that nobody but a security professional or hacker would follow. It needs to be boiled down to something simple, like:

Use a password manager to assign unique, random 15 character passwords for all accounts, protecting them with a strong master password.

I put together a guide based on this concept here:

http://www.filterjoe.com/2011/04/14/passwords-guide-without-...

Unfortunately, this (and probably other) good password guide(s) get far less attention than the latest Sony exploit.


Initially I thought the disclosure argument they made was weak (we hack stuff because when we announce it similar companies will be more careful) because unless they cause enough trouble to make security an immediate priority for a given non-targeted company, then it's unlikely that they will overcome that company's inertia.

However I realised that I have become significantly more careful with password reuse now because there are no companies I absolutely trust to keep my information from leaking out.


LulzSec seems to be just a group of teenagers that have actually nothing special to say. As they want to be like the grown-ups, they try to add a message behind their acts, but there is no message, no morality. If they were real hackers and not only prepubescent teens, they would not justify their action by any manifesto, they would just act, no matter what people say or think. Their vocabulary is also proper teen vocabulary: "bitches" "mentally disabled" "evil bastards" "we nom nom nom, we move onto something else that's yummier" "unimpressed zombie" "Watching someone's Facebook picture turn into a penis and seeing their sister's shocked response is priceless" "Receiving angry emails from the man you just sent 10 dildos to because he can't secure his Amazon password is priceless." They don't know how to write, their sentences are full of repetitiveness, the vocabulary is poor.

LulzSec is just a group of teenagers (or someone alone). And they are really really funny. (This is not a compliment..)


When are the internet tough guys of the world going to tighten up their prose? This third-rate Patrick Bateman routine is so fucking old at this point. There is no easier way to mark yourself as a barely socialized child barely capable of any critical thought than to try out that ridiculous, outdated, unconvincing pose at being this cynical, wise, best-informed übermensch above all morals. It's not a good look.


From what I've been reading the attacks were not sophisticated, mainly using SQL injection. Many here on HN understand that kind of threat but it seems lots of companies and important services don't. Is it possible that the attention shone on these simple/trivial hacks will cause those less security conscious admins to get rid of that low hanging fruit?

If so, it should help reduce the impact of a broad, simultaneous attack across many sites from much more dangerous foes. I am not saying it is right, but it may be more effective than the legislation our congress comes up with to protect us, with fewer nasty side effects.


This thing must be fake. I thought they were doing it for the lulz.


How do we enforce that these companies (such as banks) utilize proper security protocol (within reason of course)?

Some would say, "With your wallet!". But what happens when it's your wallet that gets stolen (electronically)?

What do you think?


Unfortunately, I've never seen "vote with your wallet" concept work[1], neither in the Internet, nor in real life. When a company misbehaves, there's usually a big group of their customers which doesn't know about it, and another (maybe little smaller) group, that doesn't care at all (or enough[2]). It's an interesting issue I have no idea how to fix...

[1] - if you know any examples, I'd be glad to hear them.

[2] - "Maybe this company is bad, but hell, the competition is 10 minutes further walking from me...", etc.



Thank you for the example.

Still, it seems to have taken a lot of convincing of people and companies before it started to work.


When it comes to security, you run into IT departments being the red-headed stepchildren of the corporation and NIMBY (not in my backyard). It's a lot easier and cheaper to stick your head in the sand and pretend nothing is happening or you have some mitigating factor that discourages people from going after you, be it size (minuscule for instance), participating in a niche market, etc. It's a lot easier and cheaper to do an ostrich than actually spend the money on decent security.


This is classic psychopathic behavior. Instead of torturing people physically to see them squirm they're doing it digitally, but the same lack of empathy is there.


Why is this text the first one from Anonymous et al. that doesn't move me, at all? They sound odd, using a “we” to include all ‘digital natives’ while I never heard anyone under 25 use “we” before; they mention (two girlfriends') faces on MSN, but I never heard of a webcam on MSN; I never heard of anyone actually enjoying a show calling it “we want our shot of entertainment”.


Just a question: if all they were doing was manipulating URLs (and I know they've moved beyond that) would they be doing anything illegal?


Yes. If I leave the door to my house unlocked, it doesn't mean that it is ok for you to come in without my permission.


Morally, it's also not just how you break in, but what you do afterwards. I.e. if you prevent more harm than you do.

If you enter the unlocked door and write "HI YOU FORGOT TO LOCK YOUR DOOR" with lipstick on the bathroom window, you're alerting the owner to a bad security practice by giving them a good scare. It is A Good Thing, because you likely prevented them losing their stuff.

If you enter the unlocked door and start smashing and stealing stuff, you are technically still alerting the owner to a bad security practice, but it is now A Bad Thing. By "being" the worst case, you only guaranteed something that was only likely to happen.


Morally? Isn't privacy important to you? Leaving the moral judgement up to what the intruder does with the data he finds seems a bit delayed to me. He is immoral from the get-go, by trespassing in the personal property of others. It does not matter if I forget to lock my door. People often do. It does not make it OK to open my door.

You probably have this opinion because you think it's the cool way to think, that these 'hackers' have a great function in society, but lets shift the analogy: do you think your government should be able to do the same? If there was a story about the US government doing this stuff, HN would go insane with tirades about how the government is out to get us.

But no, not if it's lulzsec, not if it's some cracker kid. It's the romantic fantasy of the teenage computer hacker, rebelling against the world and saving the day... I mean posting your nudes on facebook. Everyone here empathizes with it so much that they're blind to the reality that it's just wrong to invade the privacy of others, under any circumstance.

The only exception I could think of would be to invade the privacy of an oppressive government.


Morally, I agree completely. But I'm afraid that the legal system may not.


What would a judge say?


Can I look in the windows?


Passer-by catching a glimpse of my big TV through my street-facing uncovered window? Sure.

Standing outside and watching my TV for 10 minutes? Please leave before I call the police.

Creepy guy with zoom-lensed camera in a van trying to peek through my bathroom curtains? I have already called the police.

While it isn't intuitive to us programmers and hacker types, when it comes to law and courts, intent matters more than action.


I think a reasonable comparison to the Citibank security flaw is leaving bank statements on a table in front of the window.


This just reeks of arrogance


They need to bring in someone who can write without seeming like a 12 year old who grew up on 4chan.


Their campaign is about reaching out, eliciting a response, and then reveling in the emotional connection they've created with another anonymous soul across this tangled mass of copper and silicon.

In other words, for the lulz.


This seems so fishy. Perfect timing considering the last 24 months events. I think it was unavoidable and we'll have to face it and get ready for the consequences.


Who else has a hunch they don't yet have access to Brink accounts, but instead have access to log files that would reveal password when users now change them?


Whatever their excuse to hack companies is, it is illegal, it is a crime and should be punished. If they want to draw attention to security, then they can establish an organization and give away free courses about security and privacy in a legal way instead of breaking laws and stealing people's information. Black hat methods would never be an accepted way to improve security and privacy.


I think we have found the LulzSec hacker manifesto.


"This is the lulz lizard era"

Yes it is. What the fuck is it? Nightowl would be more believable, and true.


> "suggests...our actions are causing clowns with pens to write new rules for you. But what if we just hadn't released anything? What if we were silent? That would mean we would be secretly inside FBI affiliates right now, inside PBS, inside Sony... watching... abusing..."

Isn't that happening right now and by the people with pens?


Hey, if people really want a secure internet I believe the government would be more than willing to lock it down for us.

That's all that's going to happen as kids like Assange and Lulzsec keep up with their criminal shenanigans. Governments are going to say, "Enough is enough!" and lock it down like in China.


We don't care. Just stop please.


The last line got me a giggle


These kids should be punished by pulling their ears, or beating them with a branch. They're too young for prison.


Any wall can be broken, but it doesn't mean that anyone who breaks a wall is a hero. What puzzles me more is: why did China infiltrate the group?


They seem somewhat clueless..

If the NSA can partner with ISPs to scan internet traffic for phishing, viruses, etc... the obvious next step is Lulzsec mentions or member mentions... in IRC, email, etc.

There is no such thing as hiding when attacking the internet, sooner or later you become the bitch


It's good for the NSA that there's no way to securely communicate over an insecure medium. It's also convenient that all Internet infrastructure exists inside the USA.


You are being ironic. It actually is possible to communicate securely over an insecure medium, and not all the internet's infrastructure is in the USA. Am I right?


Your sarcasm detector is working normally. :) Not sure why your irony detector is going off, though.


Given the NSA's charter, I wouldn't be surprised if most of their data interception mechanisms are focused on non-US internet traffic.


Call me crazy, but I'd rather have LulzSec stealing passwords on crappily secured services than an NSA agent scanning my whole life. That would be the single worst outcome.


Really? Because the NSA could be doing it right now and you wouldn't have a clue. If someone steals your password though, chances are you'll notice.


What would you say if you found out a local dentist was molesting his patients while they were under on nitrous? He could be doing it right now, and you wouldn't have a clue.


Exactly.

LulzSec on the other hand would probably be the ones breaking into the dentist's office and drawing a penis on the patient's face with black marker, just to wait for them to wake up and laugh at them.

:)


what makes you think Lulzsec mention the name "Lulzsec" a lot more often than the average HN reader?



