Why LulzSec Was Un-Hackable, And Why That's A Good Thing
from the neutrality,-naturally dept
UPDATE: As several people have pointed out, the news broke that several LulzSec members were arrested this morning, and that the leader of the group had been working as an FBI informant. We’ll have more commentary on this later.
The question of service provider neutrality is central to every debate about internet policy. From PayPal cutting off Wikileaks to Twitter pushing back against the feds to the new Righthaven’s “spineful” hosting, the responsibility of companies to neutrally protect their customers is a contentious topic.
New Scientist has an interview with Matthew Prince, the CEO of CloudFlare, a network security/performance service for websites. One of their recent high-profile customers was LulzSec, the controversial hacker group that executed a string of takedowns and data breaches last year, but whose own website proved impervious to constant hacking attempts because of CloudFlare. Prince talks about their decision to treat LulzSec the same as any other client:
Internally, we had a debate about the right thing to do. It’s important to note that because of the way CloudFlare works, no hacking activity was launched from our network – it was simply a matter of publishing information. So hacking happened in other places and then when they published the information about their exploits it would pass through the CloudFlare network.
So in that sense we’re more akin to network provider than a hosting provider. If we were to terminate Lulz Security as a client that wouldn’t make the content go away, it wouldn’t take it off the internet, it would just make it slow and more vulnerable to attacks. Our goal is to power a better internet. There are a lot of things on the internet that I personally find quite troubling and the list of those things is maybe very different from yours, but our role as a company wasn’t to play internet censor.
It’s good to see companies standing firm on this point. Anyone who understands the internet knows that it runs on fundamental principles of neutrality. Similarly, anyone who understands innovation online knows how vital it is that companies are able to build off the services of others without fear of discrimination. Sometimes this puts service providers in a tough spot, because the pressure placed on them can be intense—but the ones who navigate the situation without betraying their customers send a powerful message about their commitment to internet ideals.
Interestingly, Prince also explains that because of the way CloudFlare security works, the aggression from the white-hat hacker community (Update: a commenter raised the question: is this really white-hat? That’s a great point, and also a separate debate, so I’ll just call them ‘hackers’ for now) against LulzSec actually helped improve security online:
… the attacks against their website just went through the roof. We were actually able to track what those attacks were and provide better and better security over time to help everyone who was on our network.
CloudFlare’s core value comes from the fact that every website that is part of our system helps contribute data in order to better protect other websites. As one website gets attacked, the knowledge about that attack is immediately shared with the rest of the websites, so that the system gets smarter and smarter over time.
Stories like this also show that while net neutrality is an important concept, regulating it is ultimately less than ideal. When permitted to function without interference, the nature of the internet already encourages and rewards neutrality, with everyone benefiting the most when nobody discriminates.
Filed Under: security, service
Companies: cloudflare, lulzsec
Comments on “Why LulzSec Was Un-Hackable, And Why That's A Good Thing”
I realize that the black hat/white hat thing is coding slang, but i think you may have a misleading context using white hat to describe some hackers trying to penetrate a network.
White hats are supposed to be the good guys and black hats the bad guys. Problem being, when is an action “good”? A better and more clear definition is the black hats are the aggressors and the white hats are the ones trying to secure a network. The aggressors in this case are still most likely breaking the law, however good their intentions.
At best this makes them grey hats.
“As one website gets attacked, the knowledge about that attack is immediately shared with the rest of the websites, so that the system gets smarter and smarter over time.”
Crap, it’s the Borg…
Re:
It’s not always black and white. I remember reading about some so called white hats who wrote and released a worm that would remove another, malicious, worm from victims machines.
Re:
The narrative of Cloudflare and LulzSec is best shown in simple terms.
“Evil” Blackhat LulzSec hacked poor innocent companies, and then posted material online. They made many people sad because they used the same password everywhere.
“Good” Whitehat Hackers attempted to take down LulzSec to end the fun and festivities. They were protecting peoples rights to be stupid, and ignore the corporations total lack of concern for their customers.
In the end a few very skilled people managed to make Cloudflare better by focusing tools, like any tool – neutral, on the defenses.
Some people think LulzSec were the white hats, showing corporate greed winning over basic protection of customers.
Some people think LulzSex were the black hats, getting people’s account infos and turning them over to people who would order dildos for the account owners on Amazon.
Some people think the Lousie Boat actually exists, but they tend to not be allowed sharp objects.
Unlike old westerns, the hat changes color based solely on the perception of the viewer.
But then this is about why the net is best left to repair and adapt itself on its own. Without someone trying to make it a civilized place, or give corporations buttons to make things they dislike go away.
Lessons learned –
Never expect a corporation to do anything to protect your info.
Never use the same password everywhere.
Your the first line of your own security, no one else cares enough about you to do it for you… do you care enough?
Oh and… Never get involved in a land war in Asia.
Credibility
“Anyone who understands the internet knows that it runs on fundamental principles of neutrality.” This, to me, implies “You’re either with us or an idiot”.
The irony is that this is an article about neutrality.
I’m starting to think that Techdirt cares less about informing and more about preaching to the choir.
Techdirt is an internet news source that I still respect, for now. Please, in the fight against internet ignorance continue to inform, not attack. We musn’t become the finger pointing, one-sided lemmings that we fight so hard against.
Re:
Ah the oft forgotten greyhats.
Skillsets
Yes, but…
The skills used by hackers of any hot color (mine is brown, for example) are largely the same. A “security expert” needs the same knowledge and skill of infiltration that an infiltrator would use against his facility.
HAHA
old saying is true you don’t harm what you use.
THAT’S the real story. END of story really.
Re:
White hats are supposed to be the good guys and black hats the bad guys. Problem being, when is an action “good”? A better and more clear definition is the black hats are the aggressors and the white hats are the ones trying to secure a network. The aggressors in this case are still most likely breaking the law, however good their intentions.
This is a really good point. It was Prince who called them White Hat in the interview and I just sort of let that slip into the post – but now you’ve got me wondering.
I guess the one distinction that still stands is that The Jester and other “white hat” hackers *announced* that they would be trying to hack LulzSec, and presumably didn’t plan on actually taking any data or doing any damage – that seems to be one of the biggest white hat / black hat factors.
Credibility
I can understand your concern about making sure that Techdirt continues to inform but for so many issues now they are a continuing narrative, with Techdirt providing updates on where we are at this point. That presupposes either a regular reader, someone with prior knowledge or someone who has the time or inclination to track back and understand how we have got to that point.
I don’t think it is practical for every post to explain the full context. It would be boring to read for regular readers and would also leave less time for analysis of the ongoing issues.
As long as there are links back to the earlier posts then I think that is reasonable. The reader has to take some responsibility for their own education on issues.
Re:
Post updated. Thanks for bringing this up!
I have to agree with the OP, if they’re actively trying to pwn someones system, that makes them at least “not white hat” in my book
Could be unhackable in part due to the fact the leader was working with law enforcement….
http://www.foxnews.com/scitech/2012/03/06/hacking-group-lulzsec-swept-up-by-law-enforcement/
Re:
“It’s not always black and white”
Exactly. You also have red hat.
Credibility
I don’t know where you understood that I was implying that “every post [is] to explain the full context”.
I said: “Please, in the fight against internet ignorance continue to inform, not attack. We musn’t become the finger pointing, one-sided lemmings that we fight so hard against.”
I thought I made it pretty clear that I was questioning Techdirt’s priority of attack over information, not assuming them a role as educators. I guess I wasn’t. I will continue to work on my rhetoric.
If you’d like me to clarify further, or would like to help me improve my modes of discourse, shoot me a pm so we can stay out of the main comments thread.
Re:
I wear a purple fedora with a feather in it. I am not a pimp.
Re:
“Some people think LulzSex”
…
…
I think I had a girlfriend that used to do that from time to time…
LulzSec Down?
Saw an article on slashdot today about how Sabu had been working with the feds for years, and lulzsec has taking a big blow in terms of arrests…
I won’t believe it till I hear some details, beyond the FBI posturing…
Umm, you guys are so transparent, it hurts. Nice friendly piece about Cloudflare. What you failed to mention is that Techdirt is hosted there as well now.
So here is the question: How much of a discount or kick back does Techdirt get for writing happy and nice pieces about Cloudflare?
Also, why not address the issues that Cloudflare appears to have some outages anyway, and being that they take all the sites likely to get DDoS attacks and other nasty things happening, that the risk that an innocent site is taken down when their network gets attacked is higher.
It’s a nice piece their Marcus, I bet Mike didn’t have the gall to write it himself.
Re:
Oh, this is classic. Another case of where a group isn’t a group and isn’t organized and yet there are only certain people who are the heads of the deal.
If I was one of the Anonymous leaders right now, I would be shitting my pants. One of your own is pointing you out to the cops right now.
The FBI busted LulzSec !!!
http://www.foxnews.com/scitech/2012/03/06/exclusive-inside-lulzsec-mastermind-turns-on-his-minions/
“For the last eight months, the self-styled ?hacktivists? who make up LulzSec and the international hacker community beyond have been led by a turncoat.
Like a Mafia don who wears a wire to ensnare his own soldiers, Hector Xavier Monsegur, aka ?Sabu,? has been helping the FBI track down and gather evidence against his associates, tweeting out misinformation and even protecting the CIA among other government and financial institutions from hacks, according to sources close to the LulzSec leader and law enforcement officials in charge of the months-long international hacking probe capped by international arrests of the remaining LulzSec leaders on Tuesday morning.
Flipping Monsegur wasn?t easy. But with a charge of aggravated identity theft and a two-year prison sentence to hang over his head, the FBI forced Monsegur to weigh the political beliefs that drove him and his allegiance to cohorts around the world against his desire to be with his kids?he is the guardian of two children?and his extended family.
?He didn?t go easy,? a law enforcement official involved in flipping Sabu told FoxNews.com. ?It was because of his kids. He didn?t want to go away to prison and leave them. That?s how we got him.?
?He really cares about these kids,? a source said. ?They?re young [and] he is really worried about what will happen.?
On August 15, 2011 Monsegur pleaded guilty to more than ten charges relating to his hacking activity. In the following few weeks, he worked almost daily out of FBI offices, helping the feds identify and ultimately take down the other high-level members of LulzSec and Anonymous, sources said”…
…
http://www.foxnews.com/scitech/2012/03/06/exclusive-inside-lulzsec-mastermind-turns-on-his-minions/
LulzSec Down?
http://www.foxnews.com/scitech/2012/03/06/exclusive-inside-lulzsec-mastermind-turns-on-his-minions/
Re:
Nice piece of trolling overall, but The part where you get the author wrong is definitely the best. Classic stuff like that never goes out of style.
Re:
Aren’t hats defined along these lines:
– black hat – hackers that use their hacks for their own gain (monetary? e.g. 0-day exploit sales)
– white hats – working with the company or at least asking for permission
– grey hats – same as white, but not asking for permission and sometimes ridiculing the company by exposing the hack (so, not working with the company but not selling or extorting with that exploit)
Lulsec are not selling 0-day exploits, are they? I see them as grey. Like Adrian Lamo, before FBI informant days.
Jester seems white. But he also could be viewed as grey.
OUR Internet
I think it’s important to point out (as many times as it takes) that the internet does not belong to the governments of the world nor the MPAA. It is OUR internet, service providers and consumers.
Governments have no right to have ANY say on how it works unless we tell them they do! We need to make this very clear to them.
Re:
Umm, Marcus is Leigh. Sorry that your return troll so failed.
The FBI busted LulzSec !!!
I think the best part about this is that it makes the entire piece from Marcus null. Basically, they weren’t hacked because, well, they were protected.
HAHAAHAHAHAHAHAHAHAHAHAHAHAH!
Transparency
You are aware that CloudFlare’s basic service is free, right?
As for CloudFlare having outages, can you name a service that doesn’t? Yes, aggregative services like CloudFlare (and, in a different way, any ISPs) increase the likelihood of collateral damage for innocent sites being aggregated with DoS targets, however the risk/cost must be weighed against the benefits of somebody knowledgable actually watching your web infrastructure to make sure it performs well and security issues are addressed.
Transparency
You are aware that Techdirt is now using the service, right?
You won’t be aware of it from reading the piece. It just seems like a nice happy, happy, look how good a service they have thing. It’s dishonest for there not be a clear disclaimer about the business arrangements between Techdirt and Cloudflare.
This is the sort of thing the FTC talked about in the past, blogs that don’t disclose.
Re:
Don’t forget blue hat.
Re:
Heh. Nice try – I’m sure you’re jumping for joy at having caught us on this – but I’m afraid I’m going to have to burst your bubble:
Techdirt does not use CloudFlare.
The FBI busted LulzSec !!!
We’ll have some updates on the LulzSec bust soon.
I think the best part about this is that it makes the entire piece from Marcus null. Basically, they weren’t hacked because, well, they were protected.
Umm, no. CloudFlare still blocked tonnes of attacks from numerous parties directed against the LulzSec website, using the same tech they use for countless other sites. I don’t see how their secret involvement with the FBI has anything to do with that.
Re:
Ahh, so all those “techdirt down” cloudflare messages in the last couple of weeks have been miracles?
Got it.
The FBI busted LulzSec !!!
It’s like that in part because since the arrest, Lulzsec was effectively inactive over the summer and fall. They weren’t a prime target anymore.
I would guess that anyone attacking Lulzsec would have gotten a door knock from the FBI. After all, they were probably monitoring the stuff very closely. I wonder if Cloudflare provided them info?
Re:
Dude, seriously. You need to take a deep breath and calm down, because you’re making an idiot out of yourself.
TechDirt briefly tried out CloudFlare – and decided not to continue using it. If you don’t believe me, you can go look up the DNS records.
Re:
Here Marcus, bite me!
“Domain Name:
8 Characters Length:
#12,551 Alexa Traffic Rank:
Nameservers:
jim.ns.cloudflare.com
kate.ns.cloudflare.com”
http://webcache.googleusercontent.com/search?q=cache:ROGzClif89kJ:webipaddress.net/www.techdirt.com+&cd=8&hl=en&ct=clnk&gl=ca
You can apologize now, or look like an asshole. Your choice!
The FBI busted LulzSec !!!
…is it just me, or do the lines from the ‘law enforcement official’ and ‘source’ in combination sound like something from a mafia movie.
you know, the whole ‘you wouldn’t want something to happen to your kids now, would you?’ angle…
probably just an unfortunate arrangement in the quoted article, but still.
Re:
Sigh. You just really want to look dumb, huh?
Those records are two weeks and four days expired. As I said – they tried it, then stopped. The updated records point to dnsbox:
http://dns.l4x.org/techdirt.com
Re:
touche…..
Fascinating article,replys.
I know nothing of the universe under the surface of my comp.screen.i know my speakers howl frm the depths of somewhere beautifully when trying to stream,load a movie in my 280p!
Alas my life missed coding and the comprehension, the beauty of numbers.i went to a convent in the 1980S,where home economics and choir prevailed.URGHH.
My math teacher 9-10 grade was a sadly senile nun hence disengagment.
More rambling: disclaimer-i have flu delerium!
So anyway, i missed my calling somewhat,alot.
So
Respect to the Numbered Man.for coding,hacknsack, is an incredibly ordered business,imaginative logic rules does it not?intrinzic balance must be found.
.freedoms/abuse
Chaos/control.the great dualities.
cath.,melbourne
Re:
Umm, you guys are so transparent, it hurts. Nice friendly piece about Cloudflare. What you failed to mention is that Techdirt is hosted there as well now.
We are not. Nice try, though.
We did test Cloudflare briefly a couple weeks ago.
So here is the question: How much of a discount or kick back does Techdirt get for writing happy and nice pieces about Cloudflare?
Considering we’re not using them and that we don’t do kickbacks/discounts in exchange for posts no matter what, the answer is absolutely none.
You might want to just admit you were wrong and move on.
The organic nature of the internet is just marvelous.
Organisms try to infiltrate other organism and they all learn something in the process and evolve.
Networks apparently do the same thing, unless you are a US government IT manager.
Ok that is low and uncalled for still, one can gauge the level of sophistication in Washington just by seeing them get outed by Mike here for their astroturf initiatives LoL
ps: It doesn’t happen just here everywhere the people in Washington and law enforcement apparently get owned every time. One can only hope that the NSA and the CIA can do better since at least the CIA have some experience in not losing their field agents in hostile territory.
Every politician and law enforcement agent should be mandated to attend Shmoocon or DefCon to get pwned and realize they need to do better.
Even normal people are doing it, as downloads for darknets can attest. Slowly but surely we are going into a encrypted network with all the bad and the good that brings.
Re:
Is it worth me checking back here every now and again to see if he admits he was wrong?
Nah, didn’t think so either…
Re:
Who’s Marcus?
Tell me, hoe retarded are you, really?
Re:
What was I wrong about?
I have shown you DNS records that indicate you were on Cloudflare.
I have shown that you have (on more than on occassion now) written nice pieces about them.
We even had a discussion a few weeks ago about your whois information being hidden (private), and how you had moved to this service.
Are you denying it?
Holy crap. You guys won’t give up, will you? Trying to discredit someone who points out what is really going on, using the same sort of things you use to try to discredit everyone else. Come on Mike admit it – Marcus should have mentioned something. The FTC wouldn’t be impressed!
Re:
What was I wrong about?
Wow… how much time do you have?
Re:
“The FTC wouldn’t be impressed!”
Why don’t you go and tell them all about it. Will you post a copy of their response to you when they laugh at your mixture of desperation, paranoia and incompetence? I doubt it… Never mind, we’re all having a laugh at you anyway.
Re:
What was I wrong about?
You falsely claimed that we are on Cloudflare and that we have a relationship with them. You falsely suggested that there was some sort of quid pro quo for writing about a company where there was no such deal and we have no relationship with (in fact, a firm whose service we tested, but chose not to use — so, if anything, there’s a negative relationship in that we chose not to use them).
And when caught, you’re too clueless to stop digging. Okay, you weren’t “wrong” about that. You just look silly.
Holy crap. You guys won’t give up, will you?
I believe you’re referring to yourself.
Trying to discredit someone who points out what is really going on
No we’re pointing out that you’re wrong because you are wrong. “What is really going on” is that you’re wrong.
using the same sort of things you use to try to discredit everyone else
This makes no sense.
Come on Mike admit it – Marcus should have mentioned something.
Hahah. What should he have mentioned? Really. What should he have mentioned?
The FTC wouldn’t be impressed!
Please, tell them. And send me a copy of the complaint and their reply. This ought to be fun.
Re:
Mike, rather than get all uppity and mad, why not apply your own general standards of “investigative blogging” to my comments?
“You are aware that Techdirt is now using the service, right?”
When was the last time you were on cloudflare? A couple of weeks ago? I don’t check your network status every day. Last I saw, you were on Cloudflare (and floundering badly). Since I didn’t see any public post about changing hosting since our last discussion, it is a fair assumption that you are still with them. Congrats on changing hosts (again!).
Would you care to point out your post about changing hosts?
“It’s dishonest for there not be a clear disclaimer about the business arrangements between Techdirt and Cloudflare.”
The type of disclosure you made earlier “We did test Cloudflare briefly a couple weeks ago.” is the sort of thing that should have been in the original article. It would provide context for Marcus’s rah-rah post (a poorly timed one too, I might add). It would clear up any potential for misunderstanding. Clearly, Techdirt has used Cloudflare services, and positive articles have been posted about them. Why not just say it, get it out there, and make it clear that you no longer have any business dealings with them?
You have used much flimsier material to try to discredit or slam other groups on your site over the years. Don’t you think that you should be working to more clearly explain your business relationships with the companies that you blog about? This is especially true when the stories read almost more like press releases?
I think the FTC already has a file on you. You might want to try a FOIA to see… 🙂
You might want to check that again...
Seriously. Go back to that link you provided, scroll down and click “Refresh This Page.”
You’ll find:
Domain Name: Techdirt.com
Length: 8 Characters
Alexa Traffic Rank: #N/A
Nameservers:
ns.dnsbox.net
ns2.dnsbox.net
I have shown you DNS records that indicate you were on Cloudflare.
And they responded that they did temporarily. So there’s no argument there. But they’ve moved on since then. Constantly accusing them of still being on Cloudflare when your own updated link says they’re not shows you’re just arguing for the sake of arguing.
You might want to check that again...
Yes, you are correct – I was only making the point that, if techdirt isn’t using them TODAY, they were using them a very, very short time ago, and without going and doing a daily check, there is no way to know for sure. Considering that this was a subject of discussion not even a couple of weeks ago, it’s surprising to see such a change so quickly.
It’s equally amusing to see that the service wasn’t good for Techdirt, yet “saved” Lulzsec. Not sure how that works out.
You might want to check that again...
Holy shit dude – your desperation is getting pretty sad.
You might want to check that again...
Holy shit dude, there is no desperation. All I can see is you and Mike circling the wagons after getting caught out (yet again).
Don’t you have some copyright stuff to go make?
You might want to check that again...
Don’t you have some copyright stuff to go make?
Wow, you’re still trying to make that one stick? It was a pathetic enough attack when I worked at National Post.
The FBI busted LulzSec !!!
Been following this seemingly “hacker turf war” for a while and I suspect at least some of the ones attacking Lulzsec probably have some sort of “protection from on high,” especially the way some of them have been launching very public DOS attacks on all sorts of other websites they don’t agree with and have yet to get “party v&”.
Would be interesting to see if anyone gets nabbed for those attacks on Lulzsec’s webpage or Anonymous public outlets.