Hacker News new | past | comments | ask | show | jobs | submit login
LulzSec: 50 Days of Lulz statement (pastebin.com)
164 points by brodd on June 25, 2011 | hide | past | web | favorite | 91 comments

Considering they'd even earlier today advertised a Monday booty release, I suspect that, rather than abandoning the Lulzsec facade after 50 days, it's that the fuzz is a little too hot on their trail for comfort.

I'd have to agree. Even now I think that with time they will all be outed - if they've not already. Some of these 'raids' have just been too daring to expect to get away with forever.

Really though, if all of your traffic is going through TOR to a vpn in eastern europe, the chances of being tracked down are slim to nil. Sure, there are theoretical weaknesses in TOR, but you'd need to control quite a few exit nodes to even begin to have a chance of pinpointing the endpoints. Combine that with a compromised wifi as a last resort (which you erase the logs of regularly), and you're pretty damned safe. All of the people who were arrested for hacking the CIA or DoD were caught many years ago, when anonymization tools weren't nearly so well developed, and the need for anonymization wasn't so clearly recognized. I'd like to see a modern story of the authorities finding someone who was hidden by TOR + vpn. I just don't see it happening any time soon.

Just like the low security systems they crack, the weakest link in their own chain is the human element.

Think password reuse is a problem? So is screen name reuse. So is having the same friends over time. So is trusting people.

A person's digital fingerprint is huge these days, and a human weakness can break the chain apart. And once one person's in custody? How much discipline do you think each member has to not snitch in the face of prison time?

Exactly right. We have images of government forces tracing connections across a glowing map thanks to movies, but really they just tap their network of informants, or do personal research.

In my imagination, they'll start with Aurenheimer's hdd. The world isn't that big. Think how the head of the CIA is probably 7 people away from anyone in luzsec.

The human element is clearly the weak point, but it's also the easiest to overcome. The cracker who speaks to no one is secure beyond reproach. That they inevitably speak to others in search of recognition and respect is a flaw in the operators, not the system.

You're assuming they're safe because their technology stack is safe, but there are about 20 ways that law enforcement could possibly track these guys down that don't require particularly l33t skillz.

Cops work like hackers in the sense that both groups attack vulnerabilities. The vulnerabilities here are clear: these guys have big mouths and they're overconfident. They'll talk to somebody someday, and when that happens, it will provide an opening for the fuzz.

> there are about 20 ways that law enforcement could possibly track these guys down that don't require particularly l33t skillz.

Would be interesting to hear some of them.

Most any overlap between your "secret" identity and your "normal" identity can provide an opening.

This might involve (erroneously) shared contacts. Shared VoIP numbers. Shared MAC addresses, or shared IP addresses. Shared passwords. IRC channels or web sites.

Even what times you are active, what words and what phrases you use, and your browser strings can provide clues.

A group within (IIRC) Lebanon was reportedly identified a while back because of an opsec error; one of the folks involved in the group used a "restricted" cellular phone to call his girlfriend, and that broke open the identities.

The German Ultra encryption system was targeted and was sometimes vulnerable due to opsec errors. Opening such as key reuse, or sending duplicate messages, can provide openings that allowed decryption.

This area is related to the classic "covert channels" discussions within information security; on the expected information leakage, and around how a "defender" wants to keep leakage at a minimum, and how an "attacker" is looking for clues and errors.

This is also a corollary to the classic difficulties with maintaining server security; leave one sufficiently egregious opening in your security, and you can be toast.

I just named one.

Even if authorities were able to track down someone through TOR, I doubt they'd publish it. More easy to let black hats think they are safe.

Right, but then they'd be prosecuted, and the means would come out. You wouldn't be able to both put people in jail based upon evidence gained from compromising TOR, as well as keep secret the fact that TOR was compromised. Not for long, at any rate.

Pretty simple really, at least in the UK. Just get someone to make an allegation against them (underage porn, etc), and their computers get seized. If the police just happen to discover a ton of other things they're really involved in whilst analysing them, there you go. If encrypted, under UK law you have to divulge the keys or go to jail, so you're guaranteed to get them some jail time.

Just get someone to make an allegation against them (underage porn, etc), and their computers get seized.

Is that legal in the UK? Because in the US it'd be unconstitutional.

Unconstitutional doesn't mean it doesn't happen.

I've seen news about child porn allegations in the UK that usually lead to nowhere in the latest years, mostly because of some credit card issues. I remember it happening with Pete Townshend (from The Who) and Robert Del Naja (from Massive Attack), plus some football player whose name I can't remember.

In the UK they can seize your computers from your home for creating a public nuisance or wasting police time (they actually did this to a journo a few years back). Oh, and they don't give them back. I mean yeah I think they're supposed to but they don't exactly get around to it quickly.

I'm pretty sure confidential informants are tailor made for covering up illegal or undisclosed investigation techniques. It's not like they haven't had a little practice trying to protect wiretaps.

Which isn't to say that I think the feebs have compromised TOR, because I think that's pretty unlikely.

That's an interesting perspective. Still, in order for the anonymous source's testimony to carry any weight, there'd have to be some solid evidence. Either they'd have to show traffic logs, or they'd have to show the results of forensics done on the suspect's hdd. If you've properly distanced yourself from your activities, then there shouldn't be anything on your hard drive to implicate you.

Ultimately, it comes down to human fuckups. Bradley Manning is not in jail because he didn't take security precautions, he's in jail because he talked to someone he shouldn't have. The same will be true of any reasonably sophisticated hacking organization. They can take all the precautions in the world, but a vengeful ex can bring the whole thing crashing down.

If they were serious about the investigation they'd probably get a sneak and peak warrant to install a keylogger/etc. (either electronically or physically) instead of just a smash and grab. That way they'd have some good trial evidence, because as you say relying on forensics for computer crime is quite dicey - something the bureau is all too familiar with. If they can beat the system electronically this also gives them a chance to see whether there is anything that'd make a quick seizure worth it.

The law enforcement exposure they just did undoubtedly made it much easier to get warrants or FISA approval if they did have some targets.

If you are interested in some hypothetical pondering about how secure Tor is not, here's some food for thought: http://sheddingbikes.com/posts/1293530004.html

Addressing his points one by one (quotation marks should in no way be thought of as referring to a quote):

"The Navy made it, why'd they release it?"

-They released it because it's entirely useless if the military are the only ones using it.

"It's not theoretically effective. There's lots of ways to break it."

-Sure, there have been papers written about ways to break TOR. I've yet to see someone actually do it. That doesn't mean the NSA or whoever isn't doing it, but you'd think if someone had compromised the system you'd see some story about it. Somebody who was using TOR would have been tracked down and they would have thought, "hey, wait a minute..."

"Project Vigilant"

-Meh. Again, if they compromised TOR, you'd hear about it. They'd have given the IPs of hidden wiki visitors to the feds, and some pedo would have been arrested. If PV don't care about pedos, they would have given the feds some information about somebody that would have led to some sort of action. The fact that none of this has come to light is pretty strong evidence that PV has not compromised TOR.

"Wikileaks uses TOR"

-So the fuck what? They have a pretty clear use case, and the fact that ioerror is a contributor means he's concerned about anonymity (for obvious reasons), not that Wikileaks has hatched a plot to snoop on anonymized traffic and leak details. Why the hell would they bother? They've got more than enough stuff to leak handed to them. What are the chances that someone using TOR would be transmitting data that WL would care about?

This is just stream-of-consciousness FUD from Zed, of the type we're used to seeing from him. He throws out a bunch of what ifs and pretends it's an argument. Show me the evidence. Show me some indication that TOR has been breached and I'll be the first one to question whether it should be used. In the meantime, TOR is only getting more secure as more people talk about it and use it.

There's a lot to be said about super-node pattern analysis with TOR, as well as the flaws in the exit nodes with regard to unencrypted communications, but I couldn't get past the fact that Zed's entire post was a massive Godwin.

Zed will be Zed.

"P.S. I have a long bet that SELinux is an NSA backdoor. Any takers?" Really? Zed Shaw lost the credibility to talk about anything security related with that one sentence ...

Yeah -- as if the NSA would be unable to crack software if it were not for SELinux.

Well, I think its just a matter of the amount of pressure a group puts on the feds for finding them. TOR is not 100% percent, iirc there are some rather successfull attacks against it, so once a group like LulzSec starts releasing stuff that is really hot (millitary documents, e.g. US war logs or the nuclear weapon codes :D ) the feds or rather the nsa will think of something new. I guess they have the monetary means to setup a few TOR nodes...

What's the point of the VPN? A place to store data that is in a country that isn't US friendly?

How do they use Tor for such large projects? I tried using that thing like 5-6 yrs ago and it was slower than 56k...

What do you mean by large projects? The size of the files they transfer?

Your machine -> TOR -> hacked home user or server -> your target.

This way you only transfer the files between the target and the hacked server, and from there on to a torrent, and heck, why not let that machine seed it too.

Chances are that they even used a chain of hacked machines to get to their target. It gets pretty complicated pretty quickly if you (as in FBI et al) have to raid several companies to get your hands on machines to do forensics on.

I doubt these files (or much of anything else) ever touched the criminal's physical machine. Unless, of course, they fucked up by, say, posting to pastebin or a tweet or something else that is seemingly insignificant (at the time) using their own IP.

Most tend to.

This mirrors an idea that I had. TOR is a military project, and you know at least some of the exit nodes are controlled by the US gov't. Why not replicate TOR with a botnet? Bounce your communications around a plethora of average joes and you have yourself a more stable tor. If you spread the botnet without a CnC server and have the infected machines bounce random traffic around, it would be damned difficult to break. TOR is open source, so it shouldn't be too hard to modify it to work on a private network. The nice thing about it is that if you attract to much heat you can always ditch the network and start a new one.

> you know at least some of the exit nodes are controlled by the US gov't


Oh, neat. I didn't realise the issue had been resolved. Thanks.


People do run their own private onions.

Ahhh, didn't know they went onto hacked machines. So - some people should be getting some knocks on their door soon?

Yup, you use a compromised Windows machine or Linux server in a third world country as a proxy. When you're done, you wipe the disk.

3rd world country only? You mean nothing else outside your own country works? tsk tsk.

Third world governments aren't exactly known for being cooperative with western governments. I'd rather have a rooted box in China or Pakistan than in North America or Europe.

That's the unfortunate bit -- some innocent people are likely to get their dog shot as the FBI busts down their door with assault rifles to seize a laptop.

how much traffic does a terminal session really need?

Try again. Tor is being improved all the time, browsing is fun with today's speeds. ~100 Kilobytes/s are normal, sometimes much more.

Damn, the AT&T-release is especially juicy. It contains a lot of highly confidential information about technology and strategy that their competitors would love to get their hands on.

I'm a quite technical guy and I barely understand a thing. No wonders AT&T are having troubles with fixing their network troubles, it looks like a massive, massive beast of technology.

I found the frequency chart fascinating. It's available publicly here: http://www.ntia.doc.gov/osmhome/allochrt.pdf

Given the juiciness of this, I'm surprised that more companies don't have corp espionage groups to carry out little lulsec attacks.

Because if they ever got caught the company would be sued out of existence (probably bought by competitors at that point). They have too much to lose in most cases.

Based on the HBGary leak, I'd say that they currently do.

My first job out of college was at Nortel, coding their 4G data network infrastructure. I still think I only understood about 20% of the big picture by the time I left. So many moving parts, massive code base and tons of acronyms.


How would using a Mac prevent that?

What about analyzing their writing? They release quite a bit of text...somebody likes to write. Considering there are efforts to identify people by typing patterns, I wonder if this is how they'll get caught: http://petsymposium.org/2011/papers/hotpets11-final8Chairunn...

Unfortunately given the scope of that paper, it doesn't sound like typing patterns can be used just yet. A sample size of 36 participants doesn't handle the scale involved when going against 'The Internet'.

Also, the paper collected timestamps of each keystroke, something that'd need to done on suspects; however, if they are already suspecting you, they probably have other ways to identify you.

Finally, how in the world does a paper like this get away with having 'nowadays' in it? I know its a legit word, but, just seems awkward.

Was it written by an ESL speaker? Sometimes non-English speakers feel insecure starting a point without "However", "Because of this", and other conjunctions. If you don't need a conjunctions, you can say "Nowadays", but you don't need it. It's like the "auto" keyword in C. Because ESL speakers cram a lot of grammar into a few years, rather than spending years making simple sentences, they often use advanced patterns when simpler ones would suffice.

NATO press release about the break in to their ebookstore by LulzSec:


Note that the press release was two days ago, after NATO was notified by police. AFAIK, this is the first that Lulzsec has disclosed that the NATO bookstore was hit, which means the police knew before we did. That can't be good for those behind the mask.

AFAIK, this is the first that Lulzsec has disclosed that the NATO bookstore was hit, which means the police knew before we did. That can't be good for those behind the mask.

Maybe they were seeing how long it would take for the news to come out without their help.

My guess is that they spent a few days trying to see if they can access accounts of anyone important from the NATO dump. The passwords were in plaintext.

They would only release the data to the public once they are done using it.

NATO has an ebook store? What are the hell?

Sheesh, it's described in the linked NATO press release. Nothing big, propably comparable to PACER.

> NATO’s e-Bookshop is a separate service for the public for the release of NATO information and does not contain any classified data.

That's also what strikes me in this story. Anyone can explain this?

After thinking about it for a few moments, I would guess that they largely sell books and research papers and suchlike on subjects that are of interest to those in member militaries, but aren't of sufficient general interest to make it to Amazon or otherwise.

EDIT: or, I could've spent a single moment to read the contents of the aforementioned link.

My question was badly phrased. I'm not that surprised that there are books/documents produced by NATO. I'm surprised they sell them. I think everything (public) produced by NATO should be freely accessible to everyone. This was so obvious to me that I'm surprised it's not the case, another little reminder of the world we live in.

The torrent appears to contain hacked personal data from:

* EA (Battlefield Heroes) * Hackforums.net * Nato-bookshop.org * Misc other forums

The first of these purports to be 200K+ users.

The Battlefield Heroes passwords are unsalted MD5. Way to go EA.

Hm, are you sure? I have a couple accounts there (and they are appearing in the dump) and they are not simply md5(password). Of course they were long, random passwords and I don't play this game anymore, but I'm curious. Where did you read that?

I didn't read it anywhere. I downloaded the database and checked all my friends against a known password database. They're plain md5(password).

Then the dump must be old. I have changed my password months ago and the hash does not match my current password.

Some BF Heroes beta server was hacked over 2 years ago. I wonder if this could be the same hack.

That still beats the NATO bookstore's plaintext. :)

Also of note, AOL and AT&T data. AT&T's rar is 329.9 MB.

It seems that there are better people out there that got angrier


Quitting or rebranding is the question I find myself asking.

Like a wave they will again become sea, only to rise later as a different wave.

Or to put my high school poetics into plain English:

They will want to blend in with the Anonymous masses, until they deem it safe to once again to craft new identities for themselves.

Given that the LulzSec name was a clique from AnonOps rebranding itself to begin with, I would bet on the latter. Although it may be a while before we hear of them pulling such flamboyant stunts again.

Odds that one of the crew is commenting on this thread?

Looks like they were a getting a bit anxious that they were going to be outed, which will ultimately still happen anyway. Regardless, it was a fun reading their Pastebins and Twitter feeds every few days making a mockery of multiple corporations information security.

How is it possible to register a .com domain in an anonymous way?

prepaid visa or just get someone who doesn't know you very well to do it

Yup, fuzz on their tails..

Not too smart either why include the number of Lulzsec members?

1.) What useful information does "there are six of them" convey?

2.) What makes you think that they're not lying?

1.) What information does the number of columns in a MySQL database convey? It's not just that there are six of them, but that records could be poured over for various irc servers in an attempt to link the 6 accounts that interacted with eachother the most. It allows for deeper inspection, and perhaps more information. However,

2.) They almost certainly are. I could see them saying how many people they actually had almost as a bluff, but more than likely they're just throwing out misinformation.

Disinformation is most likely, but I've been hoping for some steganography from their Pastbins from day one.

chat logs show more than 6..

But its only 6 that are active in illegal stuff

It doesn't have to be true.

I guess is part of the concept... transparency, clarity...

I was trying to search web cache on who used the words lulz and security together before Lulzsec ... and then this final release :|

Who is LulzSec?

I was going to say something snarky, but I checked your comment history and it seems you are on here seldom enough to explain an honest lack of knowledge about them. Basically, LulzSec is a hacking group that has been attacking many targets very publicly over the past 2 months. They've been all over HN, /., reddit, etc. They've even earned some mentions in the MSM.

Basically, they're notable for a) the number of targets they've hit, b) how brazen they are about it (hitting the FBI, CIA, and other law enforcement agencies), and c) how vigorously they court publicity (270k followers on Twitter).

I was being sarcastic :-)

And here I was, sparing you my snark. You've made me re-evaluate humanity, sir, and I'm not impressed with the results.

I appreciated your brief synopsis. I only know a little bit about LulzSec, and the added information helped. So your efforts were not entirely lost...

I appreciate your appreciation. If you want to learn more, the wikipedia article on them [1] is pretty decent.


In a few months I won't know either.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact