Lulz Security, responsible for a bunch of recent hacks, has posted a manifesto. Amidst a bunch of smack talk, they say this:
While we’ve gained many, many supporters, we do have a mass of enemies, albeit mainly gamers. The main anti-LulzSec argument suggests that we’re going to bring down more Internet laws by continuing our public shenanigans, and that our actions are causing clowns with pens to write new rules for you. But what if we just hadn’t released anything? What if we were silent? That would mean we would be secretly inside FBI affiliates right now, inside PBS, inside Sony… watching… abusing…
Do you think every hacker announces everything they’ve hacked? We certainly haven’t, and we’re damn sure others are playing the silent game. Do you feel safe with your Facebook accounts, your Google Mail accounts, your Skype accounts? What makes you think a hacker isn’t silently sitting inside all of these right now, sniping out individual people, or perhaps selling them off? You are a peon to these people. A toy. A string of characters with a value.
This is what you should be fearful of, not us releasing things publicly, but the fact that someone hasn’t released something publicly. We’re sitting on 200,000 Brink users right now that we never gave out. It might make you feel safe knowing we told you, so that Brink users may change their passwords. What if we hadn’t told you? No one would be aware of this theft, and we’d have a fresh 200,000 peons to abuse, completely unaware of a breach.
For all the hackers that do it for the lulz, there have to be a bunch more doing it for the Benjamins, and keeping quiet about it makes a hell of a lot more sense than pointing and laughing.
Nic
The ones who do it for the “lulz” are really, I would assume, doing it more to raise awareness than anything. Remember?
Aspasia
Wow! Talk about your basic sense of entitlement!
YellowJournalism
We broke into your hotel room. We wiped our noses on your pillow, put your hairbrush in the toilet, and stuck your toothbrush up our butts.
But don’t worry; it’s okay because we left pictures behind to let you know.
Nic
I suppose raise awareness along with engage in pissing contests, and learn new shit.
Jinchi
I remember thinking the same thing when the original ILOVEYOU virus hit the internet. The code actually worked great, in the sense that it infected millions of computers within days. If the hacker had decided to simply steal data, it probably would have gone much farther. Instead he decided to trash all the JPG and DOC files he came across, making the threat instantly obvious to everyone who caught it.
Bruce
Ho. Lee. Sheets.
About Mediaite’s Explanation Of Their Fiasco
Oh, DO follow the links to New York Times and Mediaite.
No wait. First get out the popcorn, THEN follow the links.
(sorry, ot)
ruemara
I was listening to either an NPR or API story on hackers and they do have a fair point. There’s enough out there that do it for lulz then sell it to those who do it for profit that we should be more concerned. My only reason I’m less concerned is the efforts I’ve made to be secure, change passwords and on paper, I may be so lacking that they’d find it easier to drop a few donated bucks into my accounts. I’m not even bait.
scav
Oh, dear, are people once again going to be all confuzzled, hot, bothered and bewildered by the stunningly grey hats that turn up in that thing going by their eyes that isn’t the movies? Practically an epidemic that is.
Feudalism Now!
They aren’t setting out to raise awareness. They are in it for the lulz and the chance to see how far they can go.
The funny thing is that they get a lot of flak for ‘hacking’ these networks but their statement is true. These are not some sort of cyber SEAL Team 6, they are code junkies using known patchable exploits or human error to access sites. A profit motive is going to bring a better class of talent to the table, at least if you want a sustained effort.
I would add- your wallet was already empty when we came in and there were 6 other guys putting on your clothes and pretending to be you.
Alex S.
China’s hacking scares me more.
Nic
@Feudalism Now!
I did extend my comment.. but anyhow, I am very willing to bet that the “lulz” folks are a bunch of 13-17 year-olds who aren’t (always) using known patchable exploits. The profit motive will bring more talent to the table, but I wonder what the quality multiplier really is there… There’s a really big ‘learning new shit’ factor, and I’d rather it wasn’t completely overlooked.
Sony had credit cards stolen through incompetence, that sucks ass. Sony was breached with SQL injection attacks, which is arguably fairly rudimentary. But the fact that such rudimentary attacks STILL FUCKING WORK should be a very loud warning about how corporate America (and corporate *.*) are not taking security as seriously as they should. I maintain my “raise awareness” stance.
Citizen_X
Meh. They fairly reek of Galtian Supermanliness. (“Clowns with pens” writing their rulz–rulz R for foolz, dudes!)
I suppose hackers have their place in the cyber-ecosphere. I still have the urge to punch them in their smug faces, though.
scav
@Citizen_X: Well, so long as we can punch the MBAs and CEOs pushing their shoddy cost-cutting security systems online first and harder. Because those guys’ eau-de-Galtian Supermanliness reeks harder.
Mustang Bobby
These folks sound like they’re getting ready to run for Congress; after all, they have the same maturity level and sense of entitlement as your average teabagger (“Neener! Neener!”) and coward/bully sneer. Lulz Fuck Yeah!
Andrew
Shorter mistermix: I, for one, welcome our new hacker overlords
Cacti
Today’s kids who are in it for the Lulz are tomorrow’s adults who are in it for the $$$$.
alwhite
Look, it does not matter how concerned you are. I have consulted on IT security for nearly 15 years. During that time I have worked for several very well known companies, including huge retailers and government agencies. The one thing they all have in common is the organizations do not understand security at all. They all want to buy a solution, plug it in & forget about it.
I ‘fixed’ two ‘Internet savvy’ companies that had outsourced network monitoring to an outsourcer who was not actually monitoring or reporting intrusion attempts. I fixed a government agency that had bought a very expensive firewall and then set it up as ‘any-any-permit’, basically a wide open door. I discovered a hacked server at another big outfit; the admins tried to clean up the attack after 2 weeks of me begging for them to investigate (I didn’t have access), but they didn’t perform any forensics, so the odds are the attacker had already leapfrogged without being detected. I am trying to convince my current client (a huge outfit you probably interact with a half dozen times a week) that they shouldn’t have admin accounts with the password of “password”. I have only had one client that was doing the job correctly.
You cannot buy, interact or exist on the Internet and be safe. You are just a wildebeest in the herd. Hope the lion picks an easier target, remain vigilant, track your credit. But if you are trusting ANY company to protect your information you are making a mistake.
Amir_Khalid
People like Lulz are just vandals with a clever, self-righteous Robin Hoodish rationalization for how they get their jollies. If they really wanted the public to be safe from cyber attacks, they wouldn’t be the ones causing so much of the problem. There are ways to expose corporate carelessness without screwing over their customers.
If I were running the US Department of Defense, I’d make every effort to find these kids and recruit them into a cyber warfare unit. (ETA: before Russian mobsters recruit them into a gang of cyber criminals.) Since they enjoy that kind of thing so much.
Villago Delenda Est
alwhite:
Security costs money. And money is what these outfits are all about. They will make the call on security based on how much money they’re willing to risk.
These guys are making decisions on spending their precious money based on their assessment of how great the risk is. The fact that they have no clue of how great the risk is tells us where the problem lies.
Raising awareness may very well be the best way of altering how the risk is assessed.
Taking their money works too. Because these Ferengi shitstains love their latinum more than their very lives.
cathyx
Al White-
What do you do to keep your info safe online?
Judas Escargot
@Amir:
Script-kiddies wouldn’t be of much use to DOD: The Chinese actually take the trouble to secure their networks.
alwhite
@cathyx
#1 PASSWORDS! Never never never ever have a word in any password. Make it long, make it ‘complex’ (upper/lower case, number, symbol). You can write it down if you have to, carry it in your purse or billfold. Don’t label what the acct or user ID is & if you lose it have the acct locked until you can change the password.
I make easy to remember passwords by picking a song or text that I can associate with the account. Say my banking account, I think ‘money’ so I sing “get out of here and get me some money too”. That becomes “Go0h&gms$2”. It helps if you know some ‘leet’, where 4=A, 1=I, 0=o etc.
Don’t use the same password on different accounts. At least have levels of concern & don’t share passwords from insignificant accounts with important ones – you don’t want your bank account lost because they got your gmail password!
alwhite
Privacy – forget it if you are online. I do not keep a Facebook page in my name. Part of that is paranoia about security and part of it is because of my work. But my family & friends have been kind enough to link to me so that many advertisers have figured out who I am.
There are sites online where for free you can google anyone’s name & it will tell you their phone number, approximate income, and a google map to their house among other info. You can get more information if you are willing to pay! I forget the URL, does anyone remember it?
If you have any kind of a smart phone it is filling in a lot of blanks too.
Villago Delenda Est
@alwhite (21):
Yup, all well and good in the purely theoretical sense.
The problem is when you have multiple accounts, and you can’t keep your passwords straight when they don’t have very simple mnemonics associated with them.
In the real world, people get tired of being eternally vigilant. FAST. They don’t share your heightened sense of vigilance, nor do they ever plan to.
Because they are convinced that they’re not the wildebeest that the lion is looking for.
Your last suggestion is perhaps the most important, though…prioritize which accounts are the most crucial, and put your effort into protecting those few with the highest level of awareness. That means the ones that are most attractive to someone seeking lucre…and therefore the most tempting targets.
alwhite
Credit theft:
I’m a fatalist so, not very much. I have one credit card I use for online purchases, I monitor my credit report, I expect to be ‘stolen’ any day. I have dropped the credit cards I had with a couple of clients (I REALLY want to tell you who they are because they deserve to be punished but it would not be ethical & I would probably be hunted down & punished worse).
Never use your debit or check card online. Try to give the online retailer the minimum amount of information that you can. If they want you to answer security questions (Mom’s maiden name, first car) LIE! That way if they discover the right answer it won’t do them any good.
Brachiator
I have been listening to some tech podcasts and visiting some sites where this is discussed, and the hackers doing it for fun and bravado are as worrisome as those doing it for money.
Equally worrisome is the response of some geeks that they do not care that privacy or security is violated as long as they can play their games or have access to the latest and the coolest tech shit. When Sony got hacked and their games site was taken down, there was more concern about when gamers could get on again than there was outrage over possible ID theft and release of user details.
And there are geeks who are perfectly willing to give governments backdoor access to smartphones and other devices, as long as nothing delays their ability to get the latest feature crammed device.
And then we have Facebook and other social media developers who happily monetize every personal detail about people, their families and their friends. Here no one has to be concerned about stealing data since users eagerly provide it.
Oh yeah. Do not lose your smartphone in a cab in a big city. There are bounties paid for phones. The thieves immediately pop the battery so that you cannot use features to locate or wipe the phone. Then if you are like most people and do not use a good passcode, the thieves have immediate access to your data.
It is a tough world out there, and mercenary hackers may be the smallest part of the problem.
alwhite
Lastly, wherever you work encourage them to be secure. Ask them to make security an everyday part of what they do. (I’d say have them hire a security consultant but there are too many crooks in that field :D). Talk about the importance of good passwords when events like this come up.
alwhite
@Villago Delenda Est
That is why I think it is OK to write passwords down. There are several really good programs for encrypting passwords on a PC (I like PWSafe). Make sure you use a really good password for that.
Just don’t leave the written passwords sitting around.
Joel
@ Alex S:
My thoughts exactly.
Brachiator
@alwhite:
By the way, another option is to create easily remembered false or nonsensical security questions that do not reveal your identity. So, something like “mother’s maiden” is Pizza.
I agree with you about limiting the number and type of cards that you use for online purchases.
Villago Delenda Est
@Brachiator (25):
That’s because they look at those thefts as fait accompli anyways. They understand the concept of “there’s no privacy”. They’ve accepted it.
They just want to play the game or fiddle with the gadget. Because the other stuff was water under the bridge the instant they signed up, and they are good with that.
alwhite
other stuff:
Keep your system updates current. MS is a PITA with new security fixes every damn week but don’t skip them. Most attacks are ‘script kiddies’ who follow cookbook-like instructions to abuse known problems.
Never click on any link if you are not sure who sent it to you and what sort of place it is going to take you.
Learn about hijackthis and adaware.
If in doubt try “House Call”, it’s Trend Micro’s online anti-virus scan. If it fails, or your system’s AV suddenly stops updating or finishes a scan in a few seconds, be safe and just reload the OS.
If you are willing to be annoyed figuring out what to allow or not, install NoScript on Firefox. There are several other good security add-ons that are worth looking into.
ML
Never heard of Lulz before, but those guys are saplings compared to the redwoods of the U.S. government “security” bureaus.
Brachiator
@Villago (31):
None of these people (or very few) considered suing Sony or seeking regulations to ensure better security because, I think, there is a sizable segment of the geek community who believe that the idea of an open Internet and cool stuff means that no one should have any privacy. It is not just about accepting the lack of privacy in their own lives.
Facial recognition software was recently discussed on one tech show. A caller had noted that this Facebook feature could be used by political activists to identify people they wanted to harass. Use of this feature supposedly is controlled by friending, so the snide response of the show host was “Don’t friend people you don’t trust.”
Douglas
With all due respect… actually, screw that.
Winning a suit against Sony to force them to make it more secure would 1. take ages, 2. doesn’t seem to have much of a chance of success… not to mention it would involve lawyers and crap.
So… lots of work for pretty much nothing.
Lobbying congress is even worse – the idea that a body as beholden to corporate interests as the congress, not to mention one almost certainly containing some members who still think the internet is a series of tubes ;-), and which isn’t even capable of passing something as straightforward as net neutrality, will force big corporations to invest in better security is pretty amusing – I mean, I love for it to happen, but I’m not exactly holding my breath.
So yeah, it’s not so much ideology as it’s a resignation that there’s not much you can do. It’s a battle lost some time ago.
Also, did someone ungeek the EFF? I was under the impression the geek™ position of privacy was pretty well set <_<
As for facebook – I don't use it, and I don't know anyone I'd call geeky that doesn't have privacy concerns about it…
Sentient Puddle
@alwhite (22):
The problem is, all those tips are way too much hassle for the average user. Make passwords that are long, complex, and different for each of the ungodly number of sites they visit that require credentials? That’s just way too inconvenient for the vast majority of people, even if they can write them down somewhere.
You ask me, this just shows that the username/password authentication scheme is no longer working and we need something new. I don’t really know what something more ideal would look like…my first instinct would be to say some sort of centralized authentication system run by someone who actually gives a shit about security and provides APIs for site admins to use. Which probably has its own problems as it is, but this is the problem that security professionals should be figuring out. I don’t want to hear “Here are a bunch of crazy-ass rules that make passwords total fucking hell, go forth and be secure.”
alwhite
@Sentient Puddle (36):
I want unicorns & rainbows too but it just isn’t going to happen soon if ever. So you can complain about it or you can try to protect yourself or you can just give up & use ‘password’ on everything. There are centralized access systems but making them work on an Internet size solution would be expensive and complicated. It also would make a single hack of the service the gateway to all passwords. RSA got hacked so those nice, very secure, one-time use password keys are not 100% secure either.
I know it is tough but at least separate important from unimportant, work from personal. Write them down and/or use pwsafe.
YellowJournalism
I would note that my wallet was already empty when THOSE guys came in.
But my point is that they’re all the assholes who had no right to be in my room, no matter what their intentions were.
BattleCat
If you can’t handle long, complex passwords, try pass phrases instead. Most sites that accept long passwords will not reject spaces, so phrases like “The Long Eel Eats Babies” are just as secure as “b4byg0tb4ck” (“babygotback”).
Just make sure that the pass phrase is a random combination of words — common phrases, such as biblical quotes, or quotes by famous people, etc, are not a good idea.
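To put numbers on the passphrase-versus-leet comparison above, here is an added example (not part of the original thread) that generates a random passphrase with the OS CSPRNG and estimates entropy for three kinds of secret. The figures assume a Diceware-style list of 7776 equally likely words; the small `WORDS` list in the script is a constructed stand-in so it runs offline, and the 100,000-word dictionary and "3 swappable letters" in the leet case are illustrative assumptions, not measurements of any real cracking tool.

```python
"""Passphrase strength, put in numbers.

Added example, not part of the original thread. Entropy here is the
textbook figure: a secret built from n symbols each drawn uniformly from
a set of size k has n * log2(k) bits. WORDS is a small constructed
stand-in so the script runs offline; a real Diceware list has
WORDLIST_SIZE = 7776 words, and the entropy figures assume that size.
"""
import math
import secrets

WORDLIST_SIZE = 7776        # classic Diceware list: 6**5 entries (assumption)
PRINTABLE_ASCII = 94        # printable ASCII minus space, a common site charset

# Constructed stand-in wordlist (a real list has thousands of entries).
WORDS = ["long", "eel", "eats", "babies", "ocean", "quartz", "lamp", "violet",
         "brick", "saddle", "comet", "pepper", "mango", "river", "tundra"]


def bits_for(choices: int, length: int) -> float:
    """Entropy in bits of `length` symbols drawn uniformly from `choices` options."""
    return length * math.log2(choices)


def passphrase_bits(word_count: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Random words from a list: each word is one symbol with `wordlist_size` options."""
    return bits_for(wordlist_size, word_count)


def random_password_bits(length: int, charset_size: int = PRINTABLE_ASCII) -> float:
    """Random characters, e.g. what a password manager generates."""
    return bits_for(charset_size, length)


def leet_dictionary_bits(dictionary_size: int, substitutable_letters: int) -> float:
    """A dictionary word with optional leet swaps (a->4, o->0, i->1 ...).

    An attacker who knows the trick tries every word times every subset of
    the swappable letters: dictionary_size * 2**substitutable_letters guesses,
    i.e. log2(dictionary_size) + substitutable_letters bits. That is an upper
    bound: cracking tools try common words and common swaps first.
    """
    return math.log2(dictionary_size) + substitutable_letters


def make_passphrase(word_count: int, words=WORDS) -> str:
    """Pick words with the OS CSPRNG (secrets), never random.choice, for a secret."""
    return " ".join(secrets.choice(words) for _ in range(word_count))


def uses_only(phrase: str, words=WORDS) -> bool:
    """True if every word of `phrase` comes from `words` (sanity check on output)."""
    return all(w in words for w in phrase.split(" "))


def compare() -> dict:
    """Three candidates a user might pick; returns their entropy estimates in bits."""
    return {
        "5 random Diceware words": passphrase_bits(5),
        "10 random printable chars": random_password_bits(10),
        "dictionary word + 3 leet swaps (100k words)": leet_dictionary_bits(100_000, 3),
    }


if __name__ == "__main__":
    for label, bits in compare().items():
        print(f"{label:45s} {bits:6.1f} bits")
    print("example passphrase:", make_passphrase(5))
```

The point the numbers make: five words picked at random from a 7776-word list land in the same range as ten random printable characters, while a single dictionary word with leet swaps is in the low twenties of bits even before a cracker's word frequency ordering is taken into account. The random pick is what matters; a phrase you already know is, for the attacker, one entry in a list.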
Brachiator
@Douglas:
Geeks are obviously not united on this. And clearly, the EFF also pushes for regulatory answers as part of their efforts.
Your EFF link includes a useful item on disabling facial recognition on Facebook. Those interested and potentially affected should take a look at it.
Sheesh
I want to make a plug for two-factor authentication. If any service you use offers this layer of security use it, even if the cost (or hassle) is non-zero. It’s largely painless even if you have a number of fobs or dongles to “manage”.
Two-factor authentication is inevitable at this point anyhow (whether it’s passwords with biometrics or single-use timecodes, or something else entirely), as long as passwords continue to be used weakly. Two-factor auth also raises the stakes/difficulty for social engineering attacks too.
Sheesh
While we’re talking about this though, can you guys believe that here we are in 2011 and email STILL ISN’T routinely and transparently encrypted?
Sheesh. Remember when we all thought PGP would bring about the revolution?
@cicsregion
@YellowJournalism: It is a whole lot better than no pics, I tell you.