FBI arrests LulzSec member "recursion" for Sony Pictures hack (arstechnica.com)
39 points by alvivar on Sept 22, 2011 | hide | past | web | favorite | 45 comments

It's hardly surprising that these people are being caught. Using a VPN service that resides primarily in the USA, the same jurisdiction in which your attacks are being carried out, seems a bit shortsighted.

Exactly. At the level that these guys were playing at, I would assume that they would have protected themselves in a wiser manner

Actually I'm not surprised. They got too comfortable. They got lazy. Properly covering your tracks is extremely cumbersome and boring.

Well, there's that and there's using a USA-based VPN service.

They could have picked any other totalitarian police state in the world, Russian, Chinese proxies, they all accept credit cards, and the FBI could have done fuck all to get the logs.

Instead you know USA based companies are required to barf up the logs at the drop of a hat.

It's not just lazy, it's really really dumb.

It would be great if they would go to trial so that maybe we could find out how the FBI tracked them down. My suspicion is that it's all an abuse of spying laws intended for terrorism. Unfortunately these guys will probably all plead.


"According to HideMyAss.com, “…services such as ours do not exist to hide people from illegal activity. We will cooperate with law enforcement agencies if it has become evident that your account has been used for illegal activities.”

The service stores logs for 30 days when it comes to Website proxy services, and they store the connecting IP address, as well as time stamps for those using the VPN offerings."

Why on Earth would he use hma when tor is readily available and far better at hiding your nefarious deeds? At the very least, if you live in the US, use an extranational vpn. Take some of those "hacking" skills and use your neighbour's wifi, wiping the logs after each session. For the FBI to have an IP address that leads back to you means you're incompetent.

The lack of technological sophistication from these guys just further highlights the negligence on the part of the victims. If someone who knows this little about security can infiltrate your network and steal your secrets, then you have serious problems.

Nelson Mandela, Aung San Suu Kyi, Liu Xiaobo, Recursion. One of these is not like the others.

You're right. Nelson Mandela led and participated in a group which committed violent acts of sabotage and resistance (including human rights violations according to Mandela himself).

I know you mean Recursion, because you are not on the same side as him, but at least try to pick examples that don't undermine your own freaking point.

In that case how is HideMyAss.com useful? Wasn't the service able to guarantee anonymity?

Not for illegal activity, according to an article on Tech Herald:

"Logs, seized equipment, and testimony from those arrested, seems to be the undoing for those connected to Anonymous and LulzSec. ...According to HideMyAss.com, ...services such as ours do not exist to hide people from illegal activity. We will cooperate with law enforcement agencies if it has become evident that your account has been used for illegal activities

The service stores logs for 30 days when it comes to Website proxy services, and they store the connecting IP address, as well as time stamps for those using the VPN offerings."

Furthermore - if you're using a VPN service to stay anonymous, you're only staying anonymous from whatever you're accessing, not the VPN service itself.

The only service I can think of that doesn't store any sort of data is ipredator.se (which is what I use). I know there are a few more (I think SwissVPN is safe too), but I can't think of them off the top of my head.

I wouldn't trust this service, because I can't find any information about who is running this service - at least not in the few minutes I have spent clicking around on their site. Maybe there is some info somewhere, I have not found it.

In another comment a quote from a different article was mentioned regarding the Terms of Service. I could not find a page about the terms of service. Maybe it's me, but I think that this information should be easy to find on a site.

Some other interesting points about this service are explored in an article by rsnake from ha.ckers.org:

"So yeah, please don’t use CGI proxies, unless you really know what you’re doing. They really very rarely increase your security. Most of the time, they just decrease it, as a matter of fact."

I always thought the main purpose of things like HideMyAss.com is to get around stupid filters installed at your workplace or school. Thankfully neither of mine has filters, but I've visited my old high school a number of times and I just throw everything through an ssh connection to my home machine.

Maybe try 8 proxies next time?

(realize he was not actually behind 7 proxies)

Good. Throw the book at him.

What a great idea! Now we can focus on how evil this guy is, and not have to talk about Sony who in an act of pure altruism is requiring any users of their service to waive their right to hold Sony liable for not bothering to protect things they have a legal obligation to actually protect. (Note: under no circumstances is allowing an sql injection attack evidence of anything other than criminal neglect and those who have a susceptible product should be just as liable as those who manufacture faulty vehicles.)

Quit it with this hippy tech youth crap. The guy committed a crime. Get over it. It's time for him to face justice. I swear, some people are retarded.

You know the phrase "throw the book at him" and the idea of justice are not identical, right? "Throwing the book" is about finding and (over)zealously prosecuting (with much fanfare) for every possible offense, no matter how loosely associated to the actions that offense may be. Justice is about fairly meting out punishment and consequences for actions. The very act of throwing the book at one person for a wrong and ignoring the wrongs of another is antithetical to justice. This was my point.

I never said Recursion was right in his actions, nor did I say he should not be punished. In fact, I'm pretty sure I lost a lot of respect for lulzsec over this one, when they stopped focusing on those they claimed were the problem and caused "collateral damage", and think there should be consequences for that.

Further, whether you agree with the message or not, this type of loud targeting of everyone that doesn't belong to the club, while not mentioning the faults of the big players, is what lulzsec was claiming to be fighting against. Throwing the book puts a certain amount of weight into those statements, no? Simply arresting and prosecuting without all the hoopla and moving on would seem far more effective if you were really against all the "hippy tech youth crap".

NOTE: cut it with the absurd name calling. This is not grade-school, if you don't like my position state your disagreements.

I highly doubt he breathed as much into "throw the book at him" as you have to defend your position. My name-calling is not absurd. What is absurd is your opinion on this matter. You're part of a vocal minority that doesn't care if someone commits a crime if it satisfies your personal anti-corporate agenda.

I very clearly stated I care that a crime has been committed. I don't have an anti-corporate agenda. I have an agenda, but it is simply that we take care to ensure that:

1. the punishment fits the crime, not that we do our worst to everyone who breaks a law ever - this is unreasonable.

2. that in our attempts to find justice in one case, we don't ignore a hundred others because of our bloodlust.

3. that we assess the responsibilities of companies to their customers and recognize liability and that large coffers are tools which can be used to unbalance the system.

I apologize that I have offended you with my long writing about my position on this, I don't know any one sentence platitudes or slogans on which to hang my position. You see, I have thought about it a lot, and none of the simple statements seemed to cover my thoughts fully nor appropriately.

Yes, your name calling is absurd - it won't change my mind and doesn't really even offend me, just slightly annoys me because it doesn't add to the conversation. It obviously hasn't made you feel any better, you still seem pretty angry.

I am actually curious why you think my position is absurd. Would you mind telling me, using adult language and responding to the opinions I actually wrote about, not the ones you are claiming (those contradict statements I have made so I am not sure how you got them).

I do not believe that your original statement did anything to convey what you've just said. I do not find this response unreasonable. I jumped the gun calling you retarded -- I assumed you were the usual type that defends anonymous/lulzsec. They don't care about the crime, they don't see why it's a crime, etc. That was my impression. I do get angry in these discussions. These people are annoying. The others in this thread I've responded to are like this but at least you acknowledge that this person should be punished.

Fair enough.

My original comment was intended to be very sarcastic. I don't respond well to platitudes and slogans, they usually just annoy me by ignoring that most things in life cannot be properly summed up in 6 words. I think that like many issues, both sides in this one seem to resort to shouting matches in which sides need to be taken, and people forget the issue in the desire to "win" and like I said, my response is usually sarcasm towards both... perhaps a bit of childishness on my part too there :)

Anyway, I appreciate your response here, thanks for that.

>the punishment fits the crime, not that we do our worst to everyone who breaks a law ever - this is unreasonable.

How many million dollars did he cost Sony? I agree, let the punishment fit the crime. If he's lucky he'll have a few years left after he's released.

Sony bears the greater part of responsibility for whatever losses it incurred due to its negligent security practices. Digital security is not like physical security -- it's so "easy" to secure systems (in comparison to securing a physical location against e.g. looting or vandalism) that it's better to preemptively close all known classes of security holes than it is to be lax with security and expect the law to sort things out.

There's the issue that digital data is much more valuable (and/or damaging). Nobody is going to break into an office building to steal their filing cabinets in the hopes of finding enough info there to guess someone's mother's middle name and subsequently hope to steal their credit card or bank account. Being able to effectively search, filter, and map against other sources makes digital data particularly valuable. In essence, digital crime scales.

That said, I'm not sure I agree with your claim of the ease of digital versus physical security - physical security is something we're fairly good at, having had a few thousand years of practice. I suspect the number of bank robberies in which human factors (The physical equivalent of rubber-hose cryptanalysis being 'pointing a shotgun at the manager') massively outweighs those that were exploited by technical means.

That's not to say that they weren't negligent in not even taking the basic precautions that are common sense to anyone working in the field, and even many who aren't.

>Sony bears the greater part of responsibility for whatever losses it incurred due to its negligent security practices.

Ah, no. That's simply not true. "It was easy" is no justification for criminality, either legally or morally.

HN user rtm is a YC partner and the infamous Robert Morris, of the Morris worm which had a nice impact on the internet back before it was the internet.

I guess we're lucky that rtm had a few years left after he was released.

I think a large part of their supporters don't care if someone commits a crime if it is done in a sufficiently shameless and entertaining way. Just look at Sabu's tweet.

Quit it with this codger pissing his diaper routine. I know blindly following the law is seeming more important as you get old but the "crime" consisted of sending malformed data and it caused games to go offline. Get over it.

It's time to require Sony to run their business properly instead of investigating children as if they were mobsters. I swear, some people are retarded.

This isn't blindly following the law. So someone hacks your site and we praise the hacker and condemn you? Someone breaks the lock to your front door and we applaud the burglar and make fun of your lock? Get real. I'm sick of this attitude. Just because I understand right from wrong doesn't make me some kind of lackey for the law dogs. People with your attitude convey the wrong message. You don't like Sony, I get it. But you think it's OK to hack people and destroy property as long as it's against someone you don't like and that is not OK.

Let's play the "more appropriate analogy" game:

Say you take your valuables to a bank to put in a safe deposit box. They position themselves as a leader in safe deposit box technology. Then one night a burglar notices that the boxes are protected simply by a piece of cardboard painted to look like a real door, and there are no other security systems. Further the locks on the boxes can be opened by merely tapping them in the right place with a screwdriver. He takes your stuff in the heist.

Are you pissed at the burglar? Of course.

Are you pissed at the bank? You should be ...

But by your logic, we should ignore the facts regarding the bank's complete lack of proper safe deposit box handling and security. Obviously they must have tried real hard, and their statements about good security are no match for the evil burglar.

A lot of homes in the US are protected not even by cardboard, but by large glass windows facing the front of the house.

And yet, generally people get in serious trouble if they smash through that glass to access the house, despite it being incredibly easy to accomplish.

True, but a home is not even remotely similar to a bank or Sony in this case. A home is a place where a single person or family is responsible for securing their own stuff. A bank (and Sony) is a place where money was paid with the understanding of safekeeping. Not just by one person but by many. Since many people are concentrating stuff worth safekeeping in a single place, it stands to reason that that single place now needs to be as secure as many homes -- the payout is bigger, therefore the burglar investment is bigger. A place that doesn't account for this but claims security should be held accountable, as that makes perfect sense.

Further I never claimed that the bank robber shouldn't be held accountable, in fact, if you read closely you see I explicitly claimed the opposite. I only added to it by stating that the bank should also be held accountable for not doing what they said they would (securing stuff without properly analyzing what securing means).

Tangent: it is questionable that a glass window offers less security than a piece of cardboard. At least a glass window, upon breaking, makes quite a bit of noise drawing attention (usually a security asset). The cardboard can be removed in a much quieter fashion. Neither withstands a minimal effort at getting past them. I would say both offer the same level of security.

That was not my logic at all.

Just because Sony should be held to higher standards and just because they should be in trouble maybe for having a security flaw (like they're the only ones? It's just fashionable to hate Sony's divisions), this doesn't discount my very first point that you shouldn't downplay the fact that this person committed a crime. A very real crime that you wouldn't be defending if you liked Sony instead of disliked them.

My problem is we go to hold criminals accountable for real life crimes that you wouldn't want committed against yourself and then you get these online people whining that they are heroes somehow. It's ridiculous.

I never once declared there wasn't a crime. Nor did I defend it. I didn't even declare it should be downplayed. I said it should not be overhyped. There is a difference. Please stop putting words in my mouth (erm.. fingers).

You know what I don't want?: to be hacked or robbed. I think it is fine that we hold people accountable for it and punish their actions (provided it is appropriate for the crime).

You know what else I don't want?: I don't want my supposedly secured info made available to the first guy with an sql-injection. I think the asshats who let this hacking-101 trick past should also be accountable and punished.

It's kind of funny: you seem to think that Sony not being the only people with security flaws is somehow mitigating, but if someone said "Recursion isn't the only hacker you know" you would probably jump down their throat. I think that responsibility should go two ways and you are getting all sorts of worked up over it.

That's not an appropriate analogy at all. Sony isn't a bank. The financial stuff is incidental to the actual service they were providing.

If I had taken the possessions of thousands of people, and promised to keep them safe in my house, and then a burglar broke in and stole everything.

I deserve to be condemned.

sure, the burglar should be punished for the simple crime of theft that he committed.

but I took the possessions of thousands of people and failed to make them secure, despite promising to do so.

Especially if I took all those possessions and then used a 5 dollar lock from the local shop, instead of investing in something that may actually make secure the possessions I promised to keep safe.

That is a terrible analogy. It's as if you were given peoples' possessions but you had someone working around the clock to find a way into your home to deface you. You're condemning Sony's engineers for missing something, even if it was a "simple" something. This LulzSec guy, however, did act in malice. He's the one who leaked information, after all.

it is a terrible analogy, I agree. I didn't choose it.

anyway, let's keep beating on it.

If I were to agree to keep the possessions of thousands of people safe under my roof, I would expect to have someone working around the clock to find a way into my home.

I am not condemning Sony's engineers at all, I don't know any of them, but even so it is my absolute belief that they knew damn well how broken the system was, and that they told their management repeatedly that it needed to be fixed or customer data could be at risk.

I am condemning Sony, if they agree to take my possessions and to keep them secure, they had better damn well expect to have a continuous stream of people deliberately attempting to break in.

He's, allegedly, the one who made the leak public. Yes. But that data was leaking for a long time and we have no way of knowing who else collected it.

If I had thought Sony was secure I'd actually be better off now, with my card visibly leaked, than before where only the bad guys had access to it. If my card was fraudulently used I'd have been in a bad position before the leak was known - I'd be assumed to be a criminal until I proved that I didn't make the purchases. After the leak became public I'd be more likely to get reasonable treatment from my credit card company.

Ugh, physical analogies. That's my point. You're stuck in a world of things. Where things go missing or get broken.

This is data. Physical laws apply badly, especially when applied in fear by people who hardly seem to understand the domain. A webserver is giving out data. "Hacking" it is just tricking it into not checking what it's handing out.

Imagine a webserver as a really dumb employee. "Give documents in the first box, labelled 'public' to anyone. ..." If you've ended up telling that employee to give a copy of your financials to anyone who asks for it, because you forgot to tell them it wasn't a public document, it's your fault.

Not only would preventing this in law involve criminalizing many protocol errors and mistakes but it merely serves to hide the real problem - trusting inherently weak security.
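The "dumb employee" point above, and the earlier remark that the data was exposed to "the first guy with an sql-injection", as an added example that is not part of the thread: a lookup that builds its WHERE clause from caller-supplied text beside the parameterized form, run against a constructed in-memory SQLite table (the table, names and values are all made up).

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the kind of customer records the
    # thread says were exposed. Nothing here is real.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [
            (1, "alice@example.com", "1111"),
            (2, "bob@example.com", "2222"),
            (3, "carol@example.com", "3333"),
        ],
    )
    return conn


def lookup_vulnerable(conn, email):
    # The "dumb employee": the question the database is asked is assembled from
    # the caller's own text, so the caller can rewrite the question itself.
    # This defect is kept on purpose to show the failure mode.
    sql = f"SELECT id, email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    # The fix: the SQL text is fixed and the value is bound separately, so the
    # database only ever compares it, never interprets it as part of the query.
    sql = "SELECT id, email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    # Returns row counts for a normal lookup and for the textbook tautology
    # input, through both code paths, so the difference is visible at a glance.
    conn = make_db()
    benign = "alice@example.com"
    malformed = "' OR '1'='1"  # turns the WHERE clause into an always-true test
    return {
        "vuln_benign": len(lookup_vulnerable(conn, benign)),
        "vuln_malformed": len(lookup_vulnerable(conn, malformed)),
        "safe_benign": len(lookup_parameterized(conn, benign)),
        "safe_malformed": len(lookup_parameterized(conn, malformed)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

The vulnerable path hands back every row for the malformed input, which is exactly the "handing out without checking" the comment describes; the parameterized path returns none because the string is only ever treated as an email address to compare.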

Recursion was 23, hardly a child, or are you saying Recursion was retarded?

Arrest these evil-doers, copying information and defacing images.

In other news, why is the FBI suffering from such a shortage of willing hackers? More hypocrisy after the break.

Hope he's still lul'ing
