The End Of LulzSec Is Not The End Of Hactivism
from the don't-be-misled dept
Lots of news over the weekend concerning the surprise announcement that LulzSec — the group of “hactivists-for-the-lulz” who were able to generate so much attention — had announced plans to disband just a day or so after promising many more hacks. The speculation, of course, was that they realized that law enforcement might be closing in on some of them. The group, not surprisingly, denies all this and insists it always planned to call it quits about now anyway. I doubt this is true, but I don’t think it really matters. I think the thing that people are underestimating is that LulzSec wasn’t so much an “organization,” as it was a group who got together in an ad hoc manner and decided to go on this hacking rampage. The point is that pretty much any group of decently skilled hackers could decide to do the same thing. Hell, the same group could decide to do the same thing under a different name. Between LulzSec, Anonymous and others, people are beginning to recognize that they can have a pretty big impact with some pretty straightforward hacks. That realization isn’t going to go away any time soon.
Filed Under: hactivism, hactivists, lulzsec
Comments on “The End Of LulzSec Is Not The End Of Hactivism”
Anytime a small group gets attention, it's likely either an intelligence op,
including useful idiots and willing pawns in major media, OR it’s /just/ idiots in media trumpeting trivia while actively avoiding anything significant.
Re: Anytime a small group gets attention, it's likely either an intelligence op,
So, the massive downtime for several major companies – including loss of financial and personal data – caused by their hacks are no cause for concern, because the group who did it happens to be small?
Re: Re: Anytime a small group gets attention, it's likely either an intelligence op,
Small group gearing up for tomorrow:
http://www.zerohedge.com/article/operation-intifada-hacker-group-anonymous-prepares-ddos-attack-israel-parliament
I think part of what got them going was the sheer stupidity on display all around.
Sony claiming it would take super hackers to get into their systems, and their systems fell like dominoes pushed over by a gust of wind.
The Government “response” was what we have come to accept, hearings that mean and accomplish nothing. They put on a pretty crappy dog and pony show, hell Sony felt it was such a joke they opted to not attend.
The media and many people want to focus on OMG THEY PUT MY PASSWORD OUT THERE!!!! Well there are a couple things that should make you more pissed.
1 – Your a moron using the same password for EVERYTHING. But our personal responsibility has been slashed to this being someone else’s fault.
2 – While the technical details of how they got the information might sound like “Mission Impossible” tactics, to put it into more concrete terms – imagine your bank sold you a safety deposit box, promised you it was super safe, and then locked it with duct tape.
3 – As Sony pumped out more stories about this being an isolated super hacker attack, their network was being infiltrated left and right with tools that in real world terms would be a straighten paper clip.
4 – The US Government has taken the stance of if you launch a cyberattack on us, we will bomb you. Rather than question why super critical systems are plugged into a AOL account. And then you see the Senate hacked and a challenge of is this enough to get us bombed?
5 – People with .gov and .mil email accounts have time to use their official accounts to look at porn, seems like a failure of what should be safe security practices.
6 – WHY OH WHY RELEASE THIS INFORMATION!!!! Because if they had claimed they had it with no proof, it would have been blown off as boasting.
If Lulzsec made it in using the techniques they claimed, they were NOT the first ones to gain access.
By shining a huge fireball on all of this people became aware that the Corporations can not and will not protect their consumers unless you make that failure more expensive than basic security steps. And given the lack of anyone stepping up to inflict penalties, this is something we should accept.
The rest of the story wrote itself, the FBI seized servers completely uninvolved and their new powers mean they can keep a copy of that data for future use. The people who crippled the economy are barely looked at, while there is a world wide manhunt for a 19 yr old on the autism spectrum who ran an IRC server and MIGHT have DDOS’s a website or 2.
One can only hope that the Government will not pat themselves on the back and declare all is well and continue on the same path. Things need to change, and while you can force the people into “Free Speech Zones” so far removed from the events no one else notices, your assumption that we punished a 19yr old and they will scare the rest off is a bad one to make.
With CCTVs, kettling, and infiltration of any group who dislikes how things are happening, sometimes the safest place is in cyberspace to make your voice heard. Given how quickly information spreads and often avoids the spin machines used by the media, it is a very fast way to get the word out that the King is naked.
Re: Re:
Cool Story, Bro..
Re: Re:
I don’t know, you can make a bridge out fo Duct tape to hold a Hummer. So taping over a Safe deposit box seems like an added layer of security.
Re: Re: Re:
well the best practices standard said use a 2 inch piece, but we found a .75 inch piece works just as good… and we save money.
Re: Re:
I must respectfully disagree with your first numbered point. There is an upper limit to how many passwords one can memorise reliably, and one or two strong passwords that you’ve memorised is better than a dozen easily-guessed ones, or writing them down.
Re: Re: Re:
I guess you did not see the datamining that was done compiling these releases and the Gawker breach.
2 strong passwords might be hard, but when they use simple words, they aren’t trying at all.
There are methods that can use used, each with its own upsides and downsides, but when you have someone consulting for the Government using a simple password for everything from his servers to his mail… there is a problem.
Not everything needs an RSA auth token… er wait that got fooked too, but when people think the dogs name is the best password ever for every site… we have issues.
Re: Re: Re: Re:
My dog’s name is &^%$#%&^()$#%^$(%$$ It’s kinda hard to pronounce, but easy to remember…
Re: Re: Re:
Good passwords are hard to remember but there are tools and strategies to help you leverage one or two really good passwords into secure and individual passwords for every site that requires one.
Steve Gibson has posted a tool that allows you to test how much time it might take to really randomly hit your password if they try every other permutation.
https://www.grc.com/haystack.htm
They upside is length and using all four character sets makes it harder to search for. Using uppercase letters, lowercase letters, numbers and symbols in a long enough password makes you a hard target. So you can use something like pA$$W0rd!!!!!!!!!!! and be more secure than someone who only used lower case letters and a password that is 40 characterless long. Just padding out shorter passwords with a repeating pattern will increase security.
Lastpass at https://lastpass.com/ generates a secure password for every website you visit after you log in with your one good secure password. It stores your passwords in a secure encoded file on your local machine and sends that file to their server. To access that file you use your strong password and login.
Re: Re: Re: Re:
And given that new tools are now leveraging the power of the GPU to cut password hacking times by orders of several magnitudes, it really is time we remind people to cycle and use different passwords.
Sure your Facebook password can be the dogs name if you want, but assume that will fall quickly. The damage that can be done on Facebook might seem horrible, but less concrete than the damage done when you loose your bank or amazon account because your password was banking+dogname or dogname+amazon.
And if they were practicing real security the passwords shouldn’t have been in plaintext for the taking from the server.
Re: Re: Re: Re:
Damn. Wish you’d identified yourself, because I owe you a beer! I do freelance tech support, mostly to home users who aren’t especially computer-savvy, and Lastpass is definitely going in my “useful apps for beginners” package.
Re: Re: Re:2 Re:
There is also the open source KeePass program.
It doesn’t use a sever on the net, but also can be run from a flash drive if you need to travel with it.
The portable version is packaged for the PortableApps platform, and they have many useful tools all designed to run from a flash drive and leave no traces behind on the host machine.
Re: Re: Re:2 Re:
Thanks just throw somebody who needs a hand a break and I’ll feel paid back.
I’d log in more but this site doesn’t autofill and I’m too lazy to log in every time.
The good news is that if your password is complicated enough you won’t be the low hanging fruit that gets easily hacked.
Re: Re: Re:2 Re:
It’s blasphemy in security circles, but I think it’s fair to note that for most home users writing down your password isn’t a terrible idea. Hackers in Russia can’t access your bedside table, and if someone breaks into your house you have other worries. This isn’t appropriate for, say, an office environment, but if we’re talking about personal email accounts, XBox Live, and the like…
It absolutely doesn’t matter. I find myself in the bizarre position of being a public scold to thousands of people who are trying to publicly scold a bunch of psuedononymous amoral pranksters.
They were in it for their own amusement, and for publicity. Even if you catch them (I drive past this place on my way to work every day, so if you say the FBI will catch LulzSec: lulz), that’s not going to put the genie back in the bottle. The disease of our age is narcissism, and narcissists never think there are real consequences attached to their actions, so once LulzSec makes hacktivism cool (too late) it’s going to breed a resurgence of the script-kiddie tomfoolery some of us might remember from the early/mid-90’s.
The motivation for the retreat doesn’t matter, the impression was made.
From what I heard every hacker group out there is now trying to outdo others competing to hack some politicians or government institution.
To be cool now you get to embarrass the government or you are just a little fishy.
Re: Re:
So to be extra-cool, you have to be Bill Hicks or George Carlin. Seems like a fair deal to me.
Re: Re: Re:
As I suspected is always for the lulz 🙂
Re: Re: Re:
Funny, Smart George Carlin
Bill Hicks
According to Twitter, all Lulzsec members have joined Anonymous. They’ve just abandoned the name.
Re: Re:
There were part of anonymous originally anyway, they have just rejoined. They woke up and realizes they need a bigger crowd to hide in, considering the law enforcement heat out there right now.
If mom finds out what they have been doing, they are going to get a serious spanking.
http://www.ibtimes.com/articles/169942/20110627/lulzsec-anonymous-government-of-tunisia-hacker-attack-taken-down-antisec-internet-censorship-fight-h.htm
And the hacks are continuing.
Re: Re:
The monocle and top hat liven up the Guy Fawkes mask.
Hacktivism?
Eww. “hacktivism” That’s too good of a connotation for those clowns. They’re a bunch of idiots who attacked websites and claimed to be making an example of companies with lax protection.
I don’t want any more groups to follow that example.
Re: Hacktivism?
So you’d like to continue you belief that your CC# is safe and secure up until the time you find yourself maxxed out because someone accessed your details because of lax security?
Maybe you expect that company will fess up they were breached.
Maybe you expect that they will help clean up the mess they turned your life into.
Password keepers...
Am I the only one who thinks keeping all your passwords in a single electronic database (Lastpass, KeePass, etc etc) is just as bad an idea?
Even *if* I were dumb enough to use weak passwords across multiple sites, someone obtaining that password doesn’t necessarily know on *what* sites that password will work.
If I have a single point of entry to ALL my passwords… Then they only have to get that one file. Even worse if that file is in “the cloud.” Who says the keepers of these password services are any more secure?
Re: Password keepers...
this is why I like KeePass keeping the file locally.
Here is an example. You have to register with your email address, you decide to use the same password you use to access your email.
I can raid your email history to find out what sites you belong to, and even if your crappy password doesn’t work well I have control over your email account and I can just use the handy “forgot password” button and have access in minutes.
There may not be a perfect solution yet, but anything is better than what we have seen that people are doing in real life.
Re: Password keepers...
Right…
All this talk of “good/strong passwords” – but what good is that if the password is stored in a database totally unencrypted when a hacker gets his/her hands on it? Four or forty characters, if it’s there, it’s there.
realization isn't going to go away any time soon - but the hackers are.
people are beginning to recognize that they can have a pretty big impact with some pretty straightforward hacks. That realization isn’t going to go away any time soon.
Just as they are beginning to realise that what they do is not appreciated by many other people, and many other hackers, who will happily attack them, and hack them and make public the identities of those responsible for those acts.
They also realise, that once this occures, they are DONE!
They have out outsmarted, out hacked, and outed.
they are also aware that when they are caught, they might do prison time, and would probably desire to leave their arse intanct.
There is a great deal of very stupid people in the world, so im sure there will be others following their lead, and achieving the same results for themselves.
Script kiddes trying to make a name for themselves and worked out that making a name as a low grade hacker who cannot even hack without being caught!
No wonder he is getting out, probably going back to flipping burgers…
What 'big impact' did they have ?
Activism is an attempt to ‘bring about change’ what changes were caused by these criminals that you consider a “big impact”?
it’s nice to use terms like “big impact” sounds good, but if you do not state what the ‘big impact’ actually is, then it is impossible for anyone to guage that impact.
If you were aware of any ‘big impacts’ that this group and achieved I am sure that you would have stated what that impact was.
At least for the vast numbers of people who see what they have done, and want to also make a ‘big impact’, but seeing that their actual impact appears to be minimal, and the fact that they LOST and QUIT, after being ‘uncovered’ I would say the only impact on that group is ON THAT GROUP,
Yes, they did have a big impact on their own futures and on the perception of everyone else, that being “these guys are not very good at what they claim to be very good at”.
After all they got caught, and they gave up the fight, once they knew that they had been found out.
So I guess they just put up the “mission accomplished” flag, fly out to the nearest aircraft carrier and claim “we’ve done it”!!! Done what ?
Re: What 'big impact' did they have ?
Hmmm… this is more coherent than your usual posts, so I’ll answer…
The impact is largely that the general populace is more aware of how pathetically insecure some major systems are. That even data stored with seemingly safe organisations such as Sony is actually unsafe.
Time will tell if it has any real impact in the long term, but this is now being discussed in the mainstream media, and a lot of people are aware that even large scale organisations can be taken offline. Whether you consider this particular group to be “real” hackers or not, the issue is now on the table and, sadly, it taken the kinds of damage done to get peoples’ attention nowadays.
I’m not holding my breath for lasting change, but at least it’s being discussed… until the next group…
“I guess they just put up the “mission accomplished” flag, fly out to the nearest aircraft carrier and claim “we’ve done it”!!! “
Well, at least they be more truthful than Bush was when he did that…
benefits
There were two effects that I see as beneficial from Lulzsec’s, high profile, blitzkrieg campaign of hacking. Computer security has been thrust into the public eye far more effectively than from the government’s occasional proclamations of the coming apocalypse from cyber-warfare. This effect was so powerful that the average citizen was speculating that last week’s United Airlines network crash, which forced many flight cancellations, was due to hacking, even though this was unlikely. This awareness is important a lot of security vulnerabilities are easily fixed. Vulnerabilities that individuals, businesses, and organizations, big and small, usually don’t have enough concern about to bother fixing.
The other beneficial effect was a real test of the effectiveness of the Tor onion routing network in preserving anonymity. Lulzsec not only used Tor for the actual hacks but for their IRC chats and twitter proclamations. The FBI has been trying really, really hard to catch them, but tracing them through their network activities was, apparently, a dead end. However, be wary of renewed US efforts to ban anonymity, from the government at least, on the internet.
Re: benefits
except, outside of the tiny to minute circle of tech type people NO ONE CARES and NO ONE KNOWS..
And they dont know because they dont care, you think this is making governments more aware of hacking ? you are freaking kidding right!
And they were FOUND OUT, he was named, so much for TOR security !!!
how was he found out? a “REAL” hacker decided to ‘hack the hacker’ end result, they quit…
yes, now that is something to strive for !!!
Re: Re: benefits
I commonly read the comments on various articles for a couple of major newspapers. For the articles that aren’t pure tech, I assume that those commenters represent a broad variety of professions and interests. In the last 3 weeks, I have seen a lot of comments related to hacking from people who are clearly not tech oriented. So, I disagree, Lulzsec’s choice of high profile targets, immediate public announcements, and media sensationalizing has definitely led to a greater public awareness of computer security. Whether that awareness translates into action to eliminate well known security vulnerabilities is another issue.
As for government organizations, I assure you the Arizona Department of Public Safety is correcting their ridiculously low level of computer security. The password of several members accounts were found out by either a password cracking program trying multiple passwords for each particular account over the internet, or by running a cracking program on the password hash file somehow copied off a server. They should have in place a small limit to login attempts before the account is locked out. In addition, the password hash file should be protected and accessible only to network administrators. At any rate, the base problem was weak passwords. They should have software in place to enforce strong passwords. Microsoft Windows can be configured to do this at varying strengths. A fix is fairly easy for this vulnerability and I’ll bet all sorts of law enforcement agencies across the country are looking into this. Arizona’s DPS surely didn’t think they would be a hacking target. Other government organizations can look at that and say it could just as easily been them.
We don’t know how Ryan Cleary was caught and the LEOs don’t want us to know. If Tor was fully compromised all of the Lulzsec members would have been caught. I think it is very unlikely that enough Tor nodes were compromised that even one member would have, randomly, been caught. I think it much more likely he made a mistake along with someone who had contact with him deciding to snitch. My point about Tor was that Tor itself was not compromised. I wasn’t saying they couldn’t be caught even though they were using Tor.
I don’t see any point in belittling the, supposed, lack of skills of the guy who was caught. The most experienced hacker will want to write, or use, tools that automate the hacking. Just because someone didn’t write the tools they are using doesn’t make them stupid, or less dangerous. The fact that these hackers are battling among themselves is something that law enforcement approves of or even enables (e.g Cointelpro).
I definitely have mixed feelings about Lulzsec. They should not have published home addresses of law enforcement agents. The DDOS attack on the CIA public website was pointless. Their choice of targets sometimes seemed to have juvenile motivations. A more dedicated hacktivist would argue that they wasted opportunities by not keeping their hacking successes secret and then monitoring government and corporate websites for useful information to leak.
Re: Re: Re: benefits
“A more dedicated hacktivist would argue that they wasted opportunities by not keeping their hacking successes secret and then monitoring government and corporate websites for useful information to leak.”
Or maybe they are… they got into many many places that did not get as much attention.
If they are to be believed, and I would not doubt them at this point, they have compiled several times more than what was released.
It is very possible that they are holding onto some trump cards to protect themselves, as well as keeping a very quiet finger on the pulse of those who wish them harm.
The penetration of the UK health system with nothing leaked but just enough to prove access was gained and explaining how they did it was not so juvenile. There were no lulz in leaking health records, and that system is now more secure for their efforts.
A little public bravado is sometimes needed to focus people on the issue.
Re: Re: benefits
actually, dude, almost everyone i know cares. identity security is a huge deal and the loss of it is one of people’s top fears nowadays. getting caught hacking? no biggie for kids–it’s like graffiti: getting caught is just part of it.
and to suggest that nobody knows about the sony hack is inane. have you been living in a box on mars? it’s been everywhere. this SHOULD BE a massive wake-up call…but it won’t be, because of folks like you who just presume superiority to the “lesser” hackers you deride in your post.
Umad?
“Not The End Of Hactivism”
to which I ask: Who claimed otherwise?
Why jump ship now?
Perhaps the greatest threat to Lulzsec is their members history and contacts with other hackers who are now pissed and more than willing to dox them. The following link, posted on Sunday, comes from team poison and probably should be taken with however as many grains of salt as you wish. If true, this may have forced Lulzsec to become non-operational and focus on covering their tracks.
http://pastebin.com/iVujX4TR
gn0sis (nigg, eekdacat, uncommon, kayla, laurelai)
madclown, topiary, avunit, sabu, tflow, joepie91
Side note:
I have just been monitoring a twitter spat between teamp0ison and anonymouSabu (sabu). I am not sure if I am watching a sequel to hackers or a playground fight.
Re: Why jump ship now?
To paraphrase a Lulzsec tweet…
If you watch Hackers backwards it is a story about a bunch of kids who fix the gibson and then go back to their crappy lives.
I wonder if their Gibson was the state of system security.
Re: Why jump ship now?
part of that pastebin doxing was a chat log where Laurelai was discussing the FBI visit she received last week. The FBI was investigating the HBGARY/HBGary Federal hacking incident. She was not arrested but they took her computer and phone for forensic analysis. Laurelai lost her job as a result of the pastebin post including the company where she worked.
Re: Why jump ship now?
Coincidence?
Laurelai used to live in Fayetteville Arkansas, population 73,000. This is the same town where Andrew Auernheimer (AKA Weev) lived last year and was arrested for the AT&T/iPad email hacking incident.