Personally I am more concerned because increased hacking can result in governments reducing freedom for everyone else. Push the boundaries and the result will always be a reduction of those boundaries.
While these hackers say they are fighting to protect and fight for the everyday user their actions will merely result in making our life harder.
Finally it's important to understand that there is a big difference between different types of attacks. For instance a DDOS is very different than actually having your systems compromised and your data stolen. Almost anyone can get hit by a DDOS, it's simply a traffic jam... it overwhelms your resources (bandwidth, CPU capacity, etc) with what looks like legitimate traffic. If you can filter out the automated traffic from the real traffic at your upstream... you're back in business and all you've lost is some time. People's data doesn't get exposed and stolen through a DDOS... that requires someone to exploit a flaw in your system.
This, really. I wish people would stop referring to everything as, this company got hacked. It's important to distinguish between making a site temporarily inaccessible and actually modifying or stealing information from the company. The former isn't always preventable, as sufficiently many people trying to access the same site at once will cause problems. The latter is the real problem.
I'm not excusing LulzSec's crimes. Throw the book at them. But don't accuse a company of having bad security measures just because they got hit with a DDOS.
Or is it a wake up call pushing businesses to quit hoarding their profits and actually invest in customer safety?
Demonizing the hackers doesn't seem very efficient or logical. If they get caught they should get punished, but the reputation of these companies that got easily hacked- well that needs to be the main issue in all of it.
Plus the industry should catch up. It's sad that they weren't leading the way.
I agree with your sentiment on the Industry being lax with their customers information.
BUT there are ways Lulzsec could have embarrassed the companies without leaking some unfortunate people's personal details all over the internet.... like oooh I dunno maybe leaking some of the info & how it was obtained to credible media outlets?
Not putting it on bittorrents where criminals are the primary downloaders......
For leaking personal info publicly I hope they get what they so richly deserve... and that's not a warm handshake..... it's more likely something hard & warm from a guy named Bubba in prison....
Well people can believe me on this or not, but as a mid-level IT professional the situation didn't go down quite like how it's typically discussed.
lulzsec members had a slightly different name and had taken light jabs at various Sony and similar built systems; that had their structure and the nature of the structure exposed by legit security hackers. These guys made it public some time ago in an attempt to push Sony and even some government sites (the hosts of .gov no less) to step up to a newer standard than protocols from 2001. Seriously.
Then some malicious hackers waited for a good chance to utilize the information.
Anon exploited it with some very simple DoS attacks and made their public announcement and yadda yadda. Weeks passed and no one changed anything. From what I could see watching as a bemused spectator, the big companies figured laws in ink would prevail here.
Well more malicious minded hackers gained access. They did what they wanted to do and cost a lot of people a lot of money.
The more organized hacker groups got a lot of flak from it anyway, so if they were going to get blamed anyway they decided it was anarchy time.
A lot of us expected a sort of corporate internet DMZ to spring up. But thankfully a lot of 'open internet' laws are working and rather it's now on the companies to cover for their lack of insight.
But the worst part of this all is we're in an age where 128-bit encryption is about as useful as a "steering wheel locking device". Anyone else remember The Club?
The King thinks this is a bad time in the world for a forced look at innovating anything. Technology or otherwise. We have a very tired world. But I think it will be done. But a bit of advice to anyone: Know that nothing you put on the internet is safe and know there are very legit steps out there (that work) to cover your ass. The thing is though, a lot of them are scams too.
Personally I am more concerned because increased hacking can result in governments reducing freedom for everyone else. Push the boundaries and the result will always be a reduction of those boundaries.
While these hackers say they are fighting to protect and fight for the everyday user their actions will merely result in making our life harder.
^ This.
Plain and simple, LulzSec is just doing it for the lulz and nothing more. Now what do you think is going to happen, more money invested in keeping things secure? Or limiting our freedom of what can be done on the web? Seems option #two would be the cheaper one and we all know our economy is SHIT right now.
Limiting the freedoms was on the table actually.
Over the last 2 months the laws that are being worked on by Congress (particularly Al Franken if anyone wants to send him a thank you note) and surprisingly the FCC withheld and kept a lock down and some unreasonable solutions suggested by corporations to the government from happening.
Not to say if the corps thought spending more money on laws rather than increasing tech could change all of that in a matter of a second; so far that's not been the case.
You hit the nail on the head with "There’s one thing I’m worried all this hacking will be used for though: more arbitrary internet laws." I don't want to sound like I'm wearing a tinfoil hat, but I don't think these people are just some teenagers playing around having fun and doing it for the lulz.
I just don't think any government has it in them to create/fund/encourage a group with lulz in it.
LulzSec, and everyone who thinks people like this are needed are just being plain stupid.
I can not accept or even comprehend the excuse of "We're doing this to show how bad internet security is", or "It's to protect the internet". You don't go around smashing a TV with a hammer saying "See, it's not a good TV." I don't believe the internet will ever be 100% secure. They will keep improving it, and the people who keep looking for the flaws will keep finding them. The only thing LulzSec is doing is making matters much worse.
Outrageous really... :S
"See, we need these guys to make the internet a better place! They're fighting for us!"
-days later bank account gets wiped plus savings and identity switched to a Mexican transvestite axe murderer-
"F#$^ YOU HACKERS, BURN IN @$^#^@$^@$^ HELL!!! QQQQQQQQQQQQQQQQQQQQQ!"
The problem is that we as the public are in a no win situation.
A lot of companies simply don't bother with proper IT security protocols. They may do the minimum of encrypting credit card information, but that's because it's required by law. Credit card companies can and do audit companies to make sure they handle CC info properly, and if the company doesn't then they are barred by CC companies. There are no strict laws or auditing that are in place that enforce that companies take proper measures to keep customer information secured. As such, a lot of companies simply avoid spending any money or effort on proper security, and gamble with their customer information that they won't get hacked.
While a lot of what Lulzsec has done has arguably been too much, they have put the spotlight on just how lazy a lot of companies are with their IT security. No system that's connected to the Internet is invulnerable. But many of the methods Lulzsec has used are quite literally script kiddie methods; attacks that are very basic to perform, but on the other hand are very easy to protect against provided you actually bother to protect against it.
Yes, black hat hacking is bad, but that's all the more reason why companies should actually be investing in IT security. A lot of companies have been playing fast and loose with their IT security and putting customer personal info at stake. If it wasn't Lulzsec having hacked them recently, it could potentially have been a much more malevolent group with far more malicious intent doing it tomorrow, and thus far greater consequences.
I'm all for Internet freedom, and I don't agree that restrictions of the Internet are the way to protect people from these types of hackings. The best way is for the cheap and lazy companies to get off their asses and spend the time and money to properly secure their own systems, like they should have been doing the day they decided to connect to the Internet.
You're not entirely logical here. You keep saying that what Lulz and Anon have done is needed at some level to expose weaknesses. I'd only agree if those jerks hadn't published customers' details on the internet. These guys are doing this out of the kindness of their hearts. They're doing it for personal gain and have probably sold whatever details have been stolen onto those people who can make money off of this kind of information. Sure, they can hide behind the veneer of 'we want companies to change... we're actually helping their customers'... but the fact alone of them having used our personal data to blackmail the companies AND US completely exposes what they're really up to.
To all the people who think that this "hacking phenomenon" is a new thing, please get more informed. Hacking has been a problem for as long as computer networks have existed. Most large corporations successfully defend against hundreds of cyberattacks/probes a day.
But suddenly a group goes about hacking a few companies vocally and it's big news and terror. People are far too complacent on the internet.
CCP, for example, was not successfully hacked. They took the right action and had the right systems in place in order to detect a possible intrusion fast.
Sony on the other hand is pathetic. The attacks which compromised them and their many subsidiaries were not even sophisticated, as has been stated on several news sites. But some people persist in treating these hackers as really clever and having pulled off virtual magic by hacking them.
Yes, the hackers are vandals and bullies and should be treated as such until greater material losses can be proven. But Sony and other companies compromised are also liable to be sued for their incompetence and negligence. And if some people lose their jobs over that, well tough. That's how the corporate world works. If you can't do your job properly, i.e. make good decisions at management level, or make proper security decisions or policy decisions, then you need to pay the price. Capitalism.
Business isn't about sitting around the fire singing Kumbaya.
You're not entirely logical here. You keep saying that what Lulz and Anon have done is needed at some level to expose weaknesses. I'd only agree if those jerks hadn't published customers' details on the internet. These guys are doing this out of the kindness of their hearts. They're doing it for personal gain and have probably sold whatever details have been stolen onto those people who can make money off of this kind of information. Sure, they can hide behind the veneer of 'we want companies to change... we're actually helping their customers'... but the fact alone of them having used our personal data to blackmail the companies AND US completely exposes what they're really up to.
To the OP... great article by the way!
I doubt they are selling that information. Firstly, the information has almost no value if you announce to the world what you have done.
If you were going to steal something to sell, it must have value. And since you have gone to the trouble of stealing it (and all the stresses inherent in that), surely, it stands to reason that they would have stolen it and kept quiet. Then they would have made a killing - millions of dollars.
Most people do not check their credit card statements every day; many only check once per month. So if they were really interested in theft, then they would have kept quiet and not used loud obvious attacks like DDOS and made bold statements about their intent and accomplishments to be found by the media.
There are many ACTUAL criminal organizations which perpetrate credit card fraud on a daily basis worldwide for the traditional purposes of greed and theft. The actions of Lulzsec and Anon do not in any way mimic their methods.
That's why I said that we as the public are in a no win situation.
In a perfect world there would be no hacking. Everyone would respect the integrity of everyone else's PCs, servers, networks, etc. If you're going to expect that, then you might as well expect world peace, aka, not happening.
I don't agree with how Lulzsec carried themselves and most of what they did... but at the same time I begrudgingly have to admit that it was needed. Essentially the hackings carried out by Lulzsec, in my opinion, are the lesser of what could have been much worse evils.
Many corporate systems, which contain cast yields of our consumer info, are often left vulnerable to the cloud. I know that you can't completely fortify a system connected to the Internet. So when I say vulnerable, I mean systems that are embarrassingly un-hardened and vulnerable to unsophisticated attacks.
I don't condone black hat hacking, including Lulzsec's. But it was inevitable that it was going to happen, because companies have taken very little effort to secure their systems. The only redeeming thing is that Lulzsec made a spectacle of the whole thing, which brought light to the issue. Had another group carried out the hackings, I doubt that most of the companies involved would have even admitted there was any breach, that is, if they even knew themselves.
None of the latest rounds of attacks are anything new. Groups of people getting together, sharing tools and tactics, and doing coordinated attacks is about as old as the moment the internet went beyond edu only. The only difference is the media coverage and where people go to get that information. How many media outlets mirrored attrition back in the day for site defacement compared to what we have now?
I think the worst part of it all is the actions of the companies attacked. As usual, they push off all the blame. They do everything they can to spin it to put these "hackers" in the super genius category as a defense of legality and reputation. I'm not going to defend these "hackers" in any shape or form. But, you have to share the blame with the company who didn't patch their systems or implement basic security measures. And, look at file sharing/piracy/torrent legal battles. If you go to trial over a technical case, who is judging you? Do they really have any idea of just what is being described to them? The level of technical knowledge still has a huge gap.
I say "hackers", but that word is so overused and misused it's not funny. People download tools made by others, use them, and get called or call themselves "hackers". They use proof of concept programs made by others to explain and prove an exploit to attack companies who, sometimes, aren't keeping up on patches or using temporary means to avoid unpatched vulnerabilities. Are the people making those PoC programs to blame? No. There is a moral difference there. It's what is done with them by the person using them. They are responsible for their own actions.
I think media outlets need to take more responsibility with their reporting. They should adopt other terms for people who are just part of a group, running premade programs, and just being part of the group. Maybe that would help to not glorify them and put them at the same level as other crimes. "Accomplices", "Petty Thief", etc.
Originally posted by Ceridith: I doubt that most of the companies involved would have even admitted there was any breach, that is, if they even knew themselves.
That has been going on for decades. Sadly. Entire databases of companies are stolen remotely or strong arm from data centers. You don't hear about it because the company would go under immediately. But, in that same train of thought, Sony doesn't because they are Sony and "it's just games". Kind of silly. Why does it matter who or where the data is stolen from?
Going back to my earlier statement about responsible media, they also need to get things straight on attacks. Headline: cia.gov is hacked!!!. Story: groupx hacked the cia webserver by initiating a DDoS attack against it. <- Very poor information handling and completely illogical. Does the media outlet not know the difference or are they just glorifying to sell more copies/get people to watch/read?
People make a lot of money off that stolen information. It's bought and sold several times for different reasons. If they didn't make money off it, they wouldn't do it. What would be the point? Not every attack is publicized. So, if there was no statement to be made, why other than profit would they do it?
Not that this is even close to being as bad as 9/11 but you could compare it to it in a few aspects.
Some people say that it showed companies and America the need to invest in better protection. You think that the protection will be free and without hassle?
Look at what happened after 9/11. Granted it was a horrible event, it showed we needed tighter security on airlines. Well now look at what has happened. It can be such a hassle to travel, they are frisking 7 year old kids and such.
If MMOs start jumping on the big defensive they might require more intrusive or long drawn out things in order to "protect" your data and theirs.
It does suck that these hackers have nothing better to do.
I am entitled to my opinions, misspellings, and grammatical errors.
There are two sides to that coin. Actual security and loss of liberties in the name of security. But, that's also only if you think those liberties haven't already been violated. Try to find everything done in the name of the Patriot Act. Do you think most major providers don't already have rooms where government equipment monitors our connections? The problem for them is monitoring and filtering all that information to be useful in a timely manner. Think of who signs off on/pushes these bills/laws. Technological intelligence gap.
As said above, security was already in place/available to combat what happened. Negligence by the company is another thing entirely.
Also, again, "hackers" is a very loose term. There are people that do nothing but analyze, audit, write, and fix lines of code that don't even get paid for it from their primary job. Those people are called "hackers" too. There are people that modify existing tools/programs to extend their functionality beyond what the maker has done or thought of. They are "hackers" too. There are people who penetrate companies, report their findings to that company, and sometimes help them repair/fix the problem without ever gaining the fame of groups like Lulz. Also called "hackers". Ever heard of white, grey, and black hats?
If they released the border guards' information and any of their families get killed by drug cartel people because of it.... I hope that these "hackers" find the people kicking down their doors are not there to arrest them.
As far as I know we still don't really know who broke into SoE. Lulz might claim it or whoever, but I am not convinced in the Sony case that it was just for lulz. We might be in a copycat phase now that Sony has egg on its face, with Lulz taking the credit whether they do it or not. Again, why would they steal some peoples' credit card details and bank account information otherwise?
One inaccuracy in your post... a DDOS attack is not the same thing as hacking into a database. The DDOS swamps the service that is being targeted in order to bring it down and make it inaccessible to users. It has nothing to do with theft of details from databases.
Anyway, if Anon hopes that this sort of behaviour will keep the internet a free and open place, they're dreadfully wrong. People's information is extremely valuable whether it has been announced to the world that their details have been taken or not. There are tons of companies that make money off of that very info (namely spammers and scammers). Governments are unusually interested in keeping that sort of valuable information in their control, so I expect that the internet will be somehow regulated.
What I would prefer to see is that the game companies actually not retain my info that is not needed, and after a certain amount of time passes, I would prefer that they actually erase that info, though not the account itself. I also think they should make passwords reset after a set time and send an email to the registered email address for the user to change them.
Ah, who cares. What can they do with my information? Nothing. It is easy to prove that you did not order something with a credit card from a different country or even city. And who, for power of Gnomes, gives his bank account to some MMO company???
If something tangible is exchanged, something is traded for it. Just because you get your stolen money back does not mean it's not being paid for by someone. Often that someone is actually yourself in indirect ways. Somewhere you are paying taxes or fees that are the result of increased costs of fraud, fraud protection, and reimbursement of people subject to fraud. And not just fraud you were the victim of. The costs are spread around. Even if you aren't paying for it at all, someone has to. And, that payment is having an effect on your country and its economy.
I understand your point, but you're taking Lulz at their word that their attacks are as simple as they say they are. That seems just a little too trusting, I mean that is where that info is coming from isn't it?
I would assume since these attacks are under serious investigation (obviously worldwide) official details would be scarce in how these attacks occurred and how they were achieved.
If the goal is to embarrass a company why wouldn't they say these attacks were easy to pull off? Regardless of the know how or vulnerabilities needed to achieve their stated goal.
For every minute you are angry , you lose 60 seconds of happiness."-Emerson
I think it bears differentiating between the hackers who break into company servers, steal customer data, financial information, shut down websites and perform DoS attacks (do things which cause stocks to tank and interrupt business) and those which conserve themselves to cheating at video games, making trainers, tools and mods. I think the author lumps together a broad spectrum of behavior and not all is equal.
That may be a thin line, but personally I think it's the responsibility of the game company to ASSUME their product will be tested and to rigorously examine their code for faults. Of course this may be a little off topic, but it DID manifest on an MMO website, so obviously there are some overlapping accusations going on. Personally, I think if no law has been broken, then it's up to the company to decide if there is some tort they can apply in CIVIL court, and sue whoever damaged their service. Of course it would be a lot cheaper to fix the problems.
Anyway, SOE's experience validated something I've felt for a VERY long time, which is that you NEVER give a company your real information. Irregardless how wonderful their privacy policy may be, they can NEVER guarantee your information will not be stolen by a hacker, that an employee won't walk out with a hard drive, or that the company itself is reputable enough not to sell your info. Case in point, I recently started receiving gold scam spam mail at an address I specifically created for Rappelz - a game I have not played for years. Somehow gPotato LOST my information.
As far as I know we still don't really know who broke into SoE. Lulz might claim it or whoever, but I am not convinced in the Sony case that it was just for lulz. We might be in a copycat phase now that Sony has egg on its face, with Lulz taking the credit whether they do it or not. Again, why would they steal some people's credit card details and bank account information otherwise?
One inaccuracy in your post... a DDOS attack is not the same thing as hacking into a database. The DDOS swamps the service that is being targeted in order to bring it down and make it inaccessible to users. It has nothing to do with theft of details from databases.
Anyway, if Anon hopes that this sort of behaviour will keep the internet a free and open place, they're dreadfully wrong. People's information is extremely valuable whether it has been announced to the world that their details have been taken or not. There are tons of companies that make money off of that very info (namely spammers and scammers). Governments are unusually interested in keeping that sort of valuable information in their control, so I expect that the internet will be somehow regulated.
What I would prefer to see is that the game companies actually not retain my info that is not needed, and after a certain amount of time passes, I would prefer that they actually erase that info, though not the account itself. I also think they should make passwords reset after a set time and send an email to the registered email address for the user to change them.
Sorry, I think you misunderstood me, or I was not clear enough. I know very well what a DDOS attack is and how it works. Let me try and be more clear. What I meant was if you were going to hack into a database for the purposes of stealing information, then you would not also draw attention to yourself by using a DDOS to bring down their website or other services temporarily. You would silently slip away with the loot and make as much money off it as possible.
Did they try to sell the information anyway? Perhaps someone did. But I doubt that was their primary motivation for attacking the company in the first place, since their behaviour seems to suggest otherwise. And I also doubt that the stolen information will result in much harm due to it being so widely publicized, people had ample time to change passwords and otherwise protect themselves.
Will people possibly be targeted by more spam or phishing attempts? Again, possibly. BUT none of this is anything different from what was commonly happening for the last decade in any case.
The internet will only get regulated in countries where their governments overreact to this particular, widely publicized, slew of hacks. The correct response for them would be to focus more on internet security and security policies, instead of looking for ways to take away people's liberties in order to protect them.
As I stated above, many companies get cyberattacked daily and weekly and yet they manage to successfully deflect these probes. What was wrong with the security policies of the companies whose websites got compromised and who was responsible for making the decisions leading to this? Negligence.
Actually, I read the details of the Sony compromise on BBC or CNN, I can't remember which. And as anyone in IT can confirm, the hack was very easy to achieve. SQL injection vulnerabilities are trivial to exploit and actually sadly quite common due to improper security practices and policies being followed at many companies.
I've been on many projects myself where due to pressing budgets and deadlines, management decides that if corners need to be cut, it's in security. Very very sad. The consumer pays the price every time.
Well people can believe me on this or not, but as a mid-level IT professional the situation didn't go down quite like how it's typically discussed.
Lulzsec members had a slightly different name and had taken light jabs at various Sony and similar built systems; that had their structure and the nature of the structure exposed by legit security hackers. These guys made it public some time ago in an attempt to push Sony and even some government sites (the hosts of .gov no less) to step up to a newer standard than protocols from 2001. Seriously.
Then some malicious hackers waited for a good chance to utilize the information.
Anon exploited it with some very simple DoS attacks and made their public announcement and yadda yadda. Weeks passed and no one changed anything. From what I could see watching as a bemused spectator, the big companies figured laws in ink would prevail here.
Well more malicious minded hackers gained access. They did what they wanted to do and cost a lot of people a lot of money.
The more organized hacker groups got a lot of flak from it anyway, so if they were going to get blamed anyway they decided it was anarchy time.
A lot of us expected a sort of corporate internet DMZ to spring up. But thankfully a lot of 'open internet' laws are working and rather it's now on the companies to cover for their lack of insight.
But the worst part of this all is we're in an age where 128-bit encryption is about as useful as a "steering wheel locking device"... Anyone else remember The Club?
The King thinks this is a bad time in the world for a forced look at innovating anything. Technology or otherwise. We have a very tired world. But I think it will be done. But a bit of advice to anyone: Know that nothing you put on the internet is safe and know there are very legit steps out there (that work) to cover your ass. The thing is though, a lot of them are scams too.
So it pays to learn how to properly research.
^ This.
Plain and simple, LulzSec is just doing it for the lulz and nothing more. Now what do you think is going to happen, more money invested in keeping things secure? Or limiting our freedom of what can be done on the web? Seems option #two would be the cheaper one and we all know our economy is SHIT right now.
Limiting the freedoms was on the table actually.
Over the last 2 months the laws that are being worked on by Congress (particularly Al Franken if anyone wants to send him a thank you note) and surprisingly the FCC withheld and kept a lock down and some unreasonable solutions suggested by corporations to the government from happening.
Not to say if the corps thought spending more money on laws rather than increasing tech could change all of that in a matter of a second; so far that's not been the case.
I just don't think any government has it in them to create/fund/encourage a group with lulz in it.
LulzSec, and everyone who thinks people like this are needed, are just being plain stupid.
I cannot accept or even comprehend the excuse of "We're doing this to show how bad internet security is", or "It's to protect the internet". You don't go around smashing a TV with a hammer saying "See, it's not a good TV." I don't believe the internet will ever be 100% secure. They will keep improving it, and the people who keep looking for the flaws will keep finding them. The only thing LulzSec is doing is making matters much worse.
Outrageous really... :S
"See, we need these guys to make the internet a better place! They're fighting for us!"
-days later bank account gets wiped plus savings and identity switched to a Mexican transvestite axe murderer-
"F#$^ YOU HACKERS , BURN IN @$^#^ @$^@$^ HELL!!! QQQQQQQQQQQQQQQQQQQQQ!
>:(("
The problem is that we as the public are in a no win situation.
A lot of companies simply don't bother with proper IT security protocols. They may do the minimum of encrypting credit card information, but that's because it's required by law. Credit card companies can and do audit companies to make sure they handle CC info properly, and if the company doesn't then they are barred by CC companies. There are no strict laws or auditing that are in place that enforce that companies take proper measures to keep customer information secured. As such, a lot of companies simply avoid spending any money or effort on proper security, and gamble with their customer information that they won't get hacked.
While a lot of what Lulzsec has done has arguably been too much, they have put the spotlight on just how lazy a lot of companies are with their IT security. No system that's connected to the Internet is invulnerable. But many of the methods Lulzsec has used are quite literally script kiddie methods; attacks that are very basic to perform, but on the other hand are very easy to protect against provided you actually bother to protect against it.
Yes, black hat hacking is bad, but that's all the more reason why companies should actually be investing in IT security. A lot of companies have been playing fast and loose with their IT security and putting customer personal info at stake. If it wasn't Lulzsec having hacked them recently, it could potentially have been a much more malevolent group with far more malicious intent doing it tomorrow, and thus far greater consequences.
I'm all for Internet freedom, and I don't agree that restrictions of the Internet are the way to protect people from these types of hackings. The best way is for the cheap and lazy companies to get off their asses and spend the time and money to properly secure their own systems, like they should have been doing the day they decided to connect to the Internet.
You're not entirely logical here. You keep saying that what Lulz and Anon have done is needed at some level to expose weaknesses. I'd only agree if those jerks hadn't published customers' details on the internet. These guys are doing this out of the kindness of their hearts. They're doing it for personal gain and have probably sold whatever details have been stolen onto those people who can make money off of this kind of information. Sure, they can hide behind the veneer of 'we want companies to change... we're actually helping their customers'... but the fact alone of them having used our personal data to blackmail the companies AND US completely exposes what they're really up to.
To the OP... great article by the way!
Playing MUDs and MMOs since 1994.
Eh.. /facepalm
Heavy is the crown. Why hath my timeline been ignored? Oh right I didn't make it a royal decree.
To all the people who think that this "hacking phenomenon" is a new thing, please get more informed. Hacking has been a problem for as long as computer networks have existed. Most large corporations successfully defend against hundreds of cyberattacks/probes a day.
But suddenly a group goes about hacking a few companies vocally and it's big news and terror. People are far too complacent on the internet.
CCP, for example, was not successfully hacked. They took the right action and had the right systems in place in order to detect a possible intrusion fast.
Sony on the other hand is pathetic. The attacks which compromised them and their many subsidiaries were not even sophisticated, as has been stated on several news sites. But some people persist in treating these hackers as really clever and having pulled off virtual magic by hacking them.
Yes, the hackers are vandals and bullies and should be treated as such until greater material losses can be proven. But Sony and other companies compromised are also liable to be sued for their incompetence and negligence. And if some people lose their jobs over that, well tough. That's how the corporate world works. If you can't do your job properly, i.e. make good decisions at management level, or make proper security decisions or policy decisions, then you need to pay the price. Capitalism.
Business isn't about sitting around the fire singing Kumbaya.
I doubt they are selling that information. Firstly, the information has almost no value if you announce to the world what you have done.
If you were going to steal something to sell, it must have value. And since you have gone to the trouble of stealing it (and all the stresses inherent in that), surely, it stands to reason that they would have stolen it and kept quiet. Then they would have made a killing - millions of dollars.
Most people do not check their credit card statements every day; many only check once per month. So if they were really interested in theft, then they would have kept quiet and not used loud obvious attacks like DDOS and made bold statements about their intent and accomplishments to be found by the media.
There are many ACTUAL criminal organizations which perpetrate credit card fraud on a daily basis worldwide for the traditional purposes of greed and theft. The actions of Lulzsec and Anon do not in any way mimic their methods.
None of the latest rounds of attacks are anything new. Groups of people getting together, sharing tools and tactics, and doing coordinated attacks is about as old as the moment the internet went beyond edu only. The only difference is the media coverage and where people go to get that information. How many media outlets mirrored attrition back in the day for site defacement compared to what we have now?
I think the worst part of it all is the actions of the companies attacked. As usual, they push off all the blame. They do everything they can to spin it to put these "hackers" in the super genius category as a defense of legality and reputation. I'm not going to defend these "hackers" in any shape or form. But, you have to share the blame with the company who didn't patch their systems or implement basic security measures. And, look at file sharing/piracy/torrent legal battles. If you go to trial over a technical case, who is judging you? Do they really have any idea of just what is being described to them? The level of technical knowledge still has a huge gap.
I say "hackers", but that word is so overused and misused it's not funny. People download tools made by others, use them, and get called or call themselves "hackers". They use proof of concept programs made by others to explain and prove an exploit to attack companies who, sometimes, aren't keeping up on patches or using temporary means to avoid unpatched vulnerabilities. Are the people making those PoC programs to blame? No. There is a moral difference there. It's what is done with them by the person using them. They are responsible for their own actions.
I think media outlets need to take more responsibility with their reporting. They should adopt other terms for people who are just part of a group, running premade programs, and just being part of the group. Maybe that would help to not glorify them and put them at the same level as other crimes. "Accomplices", "Petty Thief", etc.
That has been going on for decades. Sadly. Entire databases of companies are stolen remotely or strong arm from data centers. You don't hear about it because the company would go under immediately. But, in that same train of thought, Sony doesn't because they are Sony and "it's just games". Kind of silly. Why does it matter who or where the data is stolen from?
Going back to my earlier statement about responsible media, they also need to get things straight on attacks. Headline: cia.gov is hacked!!!. Story: groupx hacked the cia webserver by initiating a DDoS attack against it. <- Very poor information handling and completely illogical. Does the media outlet not know the difference or are they just glorifying to sell more copies/get people to watch/read?
People make a lot of money off that stolen information. It's bought and sold several times for different reasons. If they didn't make money off it, they wouldn't do it. What would be the point? Not every attack is publicized. So, if there was no statement to be made, why other than profit would they do it?
Not that this is even close to being as bad as 9/11 but you could compare it to it in a few aspects.
Some people say that it showed companies and America the need to invest in better protection. You think that the protection will be free and without hassle?
Look at what happened after 9/11. Granted, it was a horrible event; it showed we needed tighter security on airlines. Well now look at what has happened. It can be such a hassle to travel, they are frisking 7 year old kids and such.
If MMOs start jumping on the big defensive they might require more intrusive or long drawn out things in order to "protect" your data and theirs.
It does suck that these hackers have nothing better to do.
I am entitled to my opinions, misspellings, and grammatical errors.
There are two sides to that coin. Actual security and loss of liberties in the name of security. But, that's also only if you think those liberties haven't already been violated. Try to find everything done in the name of the Patriot Act. Do you think most major providers don't already have rooms where government equipment monitors our connections? The problem for them is monitoring and filtering all that information to be useful in a timely manner. Think of who signs off on/pushes these bills/laws. Technological intelligence gap.
As said above, security was already in place/available to combat what happened. Negligence by the company is another thing entirely.
Also, again, "hackers" is a very loose term. There are people that do nothing but analyze, audit, write, and fix lines of code that don't even get paid for it from their primary job. Those people are called "hackers" too. There are people that modify existing tools/programs to extend their functionality beyond what the maker has done or thought of. They are "hackers" too. There are people who penetrate companies, report their findings to that company, and sometimes help them repair/fix the problem without ever gaining the fame of groups like Lulz. Also called "hackers". Ever heard of white, grey, and black hats?
If they released the border guards' information and any of their families get killed by drug cartel people because of it... I hope that these "hackers" find the people kicking down their doors are not there to arrest them.