I'm not going to pull down that torrent, but if someone does, can you tell me exactly what they mean by this? Did they just pirate and release the source for a bunch of major video games? Did they grab any of the art?
Since I'm not from the US I figured it'd be pretty safe to pull it down no matter what it was.
Turns out it's a bunch of mysql-dumps in txt format, some admin passwords and server logs. I am guessing there's a lot of pain in there, but I only had a quick glance.
The packed file was ~15MiB. No code or art in there as far as I could see.
A phone number? A cursory google search didn't come up with anything informative, except that someone commented that it was a number pirated by LulzSec with call forwarding (http://mrnumber.com/1-614-585-9732). I'm certainly not going to call it myself, but I'm just curious as to what this is, how they're using it, and what do you find on the other end. Thoughts?
Right now they're running a "contest". http://twitter.com/#!/lulzsec Call in and say the magic word, win $1,000! I wouldn't bet on it being legit, but it looks like fun :-)
I'm a little confused. "We actually like this company..." So why did they do this? I'd think the thing to do after finding an exploit would be to notify who has it and give them a reasonable amount of time to correct the problem. I think I'm confused about what LulzSec is all about.
Honestly, my guess is that LulzSec is a bunch of crackers that have decided to do something about the public perception of information security. It's kind of a stretch (understatement), but it lines up. They attack indiscriminately, and in every case make fun of any idiotic security practices. When they attack targets that everybody loves to hate, they do as much damage as possible; when they attack targets that everybody loves, they don't release admin passwords or user DBs, they inform the target of their vulnerabilities, and they generally try to be a service to the community. Most importantly, they're trying to make the entire thing /glamorous/. They want people fifty or a hundred years from now to look back on crackers and Anonymous the same way we look back on cowboys, ninjas, and pirates.
They are essentially defacers, though instead of (just) defacing they go for a press release / dox drop. Defacers do it for the attention. You'll often see reasoning on defaced websites such as "We did it for the glory of Iran" or "Maybe you should secure your users data better!" as if to suggest a greater purpose for the actions, but when you string together all of their targets the reasoning almost always falls flat.
Lulzsec may have given some people the wrong impression by hitting Sony and thus suggesting that they were activist minded like the AnonOps program they grew out of, but they'd always been honest about the real reason from day one: "we do it for the lulz". The lulz in this case are inexorably intertwined with the attention seeking.
It's their namesake. Doing something "for the lulz" is a descendant of 4chan, meaning that you do something with no regard for who it affects or what your relationship with them is, purely for entertainment purposes.
They are a bunch of script kiddies with no professional ethic whatsoever. They also try to get credit for things they haven't even done (e.g., bitcoin temporary crash). In short, ignoring them is the right way to go. HN sucks up to them instead and gives them exposure. Just sad, really.
Either they're incompetent script-kiddies and the fault lies with the admins with unpatched servers, or they are competent and have access to, or have written undisclosed exploits. There is no middle ground, and unless you have some information that we do not, there's no reason to conclude that they are script kiddies. Being mischievous and being intelligent are not mutually exclusive.
>In short, ignoring them is the right way to go. HN sucks up to them instead and gives them exposure. Just sad, really.
It is a noteworthy news event when high profile sites are hacked, regardless of the perpetrators. There are a whole ton of people who use HN to follow tech news.
I'd even go so far as to say a daily streak gets more newsworthy the higher it gets. Have we ever seen a group in the past that hit this many companies in so short a time?
You can bet that this will be used to push through draconian legislation in the interest of "security". I wouldn't be surprised if hacking/cracking/piracy became the new equivalent of possession in these coming decades.
The US hasn't looked kindly towards hackers since the early 1990s. This won't change anything.
The people saying that this type of thing is going to cause an "internet crackdown" of sorts have had their head in the sand for the last 15 years. Doubly so for the last 5-10.
Media companies have been screaming and crying about multi-billion dollar losses, and using all of their lobbying ability to get an "internet crackdown" to happen.
It already has. You could argue that most of the crackers of today are a result of it.
It's the sustained media attention that these hacks are drawing that's going to be the catalyst for legislation.
The government's attitude has largely been static on the issue, but they need a general population outcry to push through/rubber stamp legislation that's no doubt already written somewhere.
And what would this legislation be? You've already got kids going to jail for simple stuff. Look at what happened after the LOIC/Visa/Mastercard thing a few months ago.
Even if you need to insert your driver's license into the computer in order to access it, and every packet you send is signed with a user-specific hash, the only people it's going to matter to are the people who aren't doing anything wrong right now.
Cracking down is just going to create more crackers, and most of us in the middle probably won't really notice.
Don't forget that some companies have already shipped rootkits and viruses on their hardware before (Sony, Creative, I think even Apple had an incident with their iPod?) So the war between corporate lawyering+tech and the free world began a while ago.
Their site has been open to a lot of exploits. I tried writing my senator and telling him... guess what, nothing.
Dear Senator Lamar:
We have exchanged ideas in the past; see the below message. I am now writing to report a different issue: website vulnerabilities in the Senate.Gov and House.Gov websites. I am not sure if these have been reported to the proper person as of yet; I did email Senator Corker.
I wanted to bring this to your attention in hopes that it will be fixed. Thank you for your time.
Sincerely,
Christopher Woodall
On 03/01/2010 04:04 PM, [email protected] wrote:
>
> March 1, 2010
>
> Mr. Christopher Woodall
>
> Dear Christopher,
>
> Thanks for getting in touch with me and letting me know what's on your
> mind regarding identifying medical necessities of government employees.
>
> Although no legislation has been introduced in the 111th Congress
> regarding this issue, I'm always pleased to consider new ideas that will
> benefit the people of Tennessee. These are serious times, and the
> willingness of good people to get involved is very important.
> Suggestions from my constituents play an important role in determining
> what initiatives I will pursue in the Senate, and I'll be sure to
> consider the issues you've raised.
>
> Sincerely,
>
> Lamar
Looks like a few of the issues have been cleared up. I have more for USAJobs.com and a myriad of government sites. No one listens to regular joes.
There is a webmaster, you can contact them. Senators have no direct control over websites like this, and are unlikely to have the faintest clue what to do about this.
I'm not sure if they would even know what "website vulnerabilities" are.
You are correct. It is better to email their customer support or webmaster if available. Still, many websites have horrible reporting features and even worse response rates.
Once they get caught they are going away for a loooong time. Going after Sony following some political fighting I get, but this is just mean. At least reveal it privately to Bethesda to let them secure things up.
I guess that depends on the country. As long as they do not "destroy" or "maliciously manipulate" some data, charges in many countries are pretty low (and sometimes non-existent). In addition, there are many countries that won't extradite their own citizens.
In the long run their actions are likely to be beneficial for both corporations and their customers. More attention will be paid to security now (at least for a while), instead of purely seeing it as a nuisance to spend the minimum time/money on. And programmers/sysadmins may be made more aware of how embarrassing it is to get owned by a local file inclusion hole. Or what that even is, as many "Web Developers" do not.
As a customer (of Bethesda, both Sony divisions and Codemasters) I'm also being even more careful now. I only put information into sign-up forms on a need to know basis. If they don't need to ship me something, they don't need my address (although sometimes this interferes with credit card validation). If they don't need my real name (so other users can identify me, usually), they get a fake one. And there's rarely a good reason to hand out a phone number or birth date anymore.
In addition to this, for many years now I've been using one email address per service, which has served me well in both identifying sites that leak/sell my personal information (very popular after a company goes under) and easily filtering the resulting targeted phishing/spam.
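The per-service address practice described in the comment above can be turned into a simple audit: keep a register of which alias was handed to which service, then flag any message that arrives at an alias from a sender that is not that service. The following Go program is an added example, not code from the thread; the alias register, the service domains and the three messages are all constructed for illustration.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// aliasRegistry records which service each unique address was handed to.
// Constructed sample data: addresses and service domains are hypothetical.
var aliasRegistry = map[string]string{
	"me+bethesda@example.org":    "bethesda.example",
	"me+codemasters@example.org": "codemasters.example",
	"me+forum@example.org":       "forum.example",
}

// Finding describes one message whose sender host does not match the
// service the destination alias was issued to: either that service leaked
// or sold the address, or a third party is guessing aliases.
type Finding struct {
	Alias      string
	IssuedTo   string
	SenderHost string
	Subject    string
}

// senderHost extracts the lower-cased domain part of a From header address.
func senderHost(from string) (string, error) {
	addr, err := mail.ParseAddress(from)
	if err != nil {
		return "", err
	}
	at := strings.LastIndex(addr.Address, "@")
	if at < 0 {
		return "", fmt.Errorf("no domain in %q", addr.Address)
	}
	return strings.ToLower(addr.Address[at+1:]), nil
}

// Audit parses raw RFC 5322 messages and reports every message delivered to
// a registered alias from a host other than the service that alias was
// given to (subdomains of that service are accepted). Mail to an alias that
// was never issued is reported too, since it is equally suspicious.
func Audit(rawMessages []string) ([]Finding, error) {
	var findings []Finding
	for _, raw := range rawMessages {
		msg, err := mail.ReadMessage(strings.NewReader(raw))
		if err != nil {
			return nil, err
		}
		to, err := mail.ParseAddress(msg.Header.Get("To"))
		if err != nil {
			return nil, err
		}
		alias := strings.ToLower(to.Address)
		host, err := senderHost(msg.Header.Get("From"))
		if err != nil {
			return nil, err
		}
		issuedTo, known := aliasRegistry[alias]
		if !known {
			issuedTo = "(never issued)"
		}
		if known && (host == issuedTo || strings.HasSuffix(host, "."+issuedTo)) {
			continue // expected sender for this alias
		}
		findings = append(findings, Finding{alias, issuedTo, host, msg.Header.Get("Subject")})
	}
	return findings, nil
}

// SampleMessages are constructed for this example; none are real mail.
var SampleMessages = []string{
	"From: Account Team <noreply@bethesda.example>\nTo: me+bethesda@example.org\nSubject: Your stats are live\n\nbody\n",
	"From: Prize Desk <win@totally-legit.example>\nTo: me+bethesda@example.org\nSubject: Verify your login now\n\nbody\n",
	"From: Support <help@mail.codemasters.example>\nTo: me+codemasters@example.org\nSubject: Patch notes\n\nbody\n",
}

func main() {
	findings, err := Audit(SampleMessages)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("alias %s (issued to %s) received mail from %s: %q\n",
			f.Alias, f.IssuedTo, f.SenderHost, f.Subject)
	}
}
```

On the sample set only the second message is flagged: the alias given to one service is being mailed from an unrelated host, which is exactly the signal the commenter uses to decide which company leaked the address and which mail to filter.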
None really. While you can link the console version of Brink to your Bethesda Account—to see your stats online—that game doesn’t require you to create an account or provide an email or password to play it.
If they did manage to get 200k Brink accounts, I doubt most of them have any personally-identifiable information tied to them.
Did they leak any private end-user information? As much as I can tolerate mischievous crackers violating corporate security and releasing intellectual property, I am loath to give any praise to groups that victimize consumers/users by violating their right to privacy. It seems thoughtless and uncaring.
They specifically said they are not leaking all of the juicy user data they found.
It's nice that they did that, but it's kind of like breaking into your house and stealing everything except your Rolodex because, well, that would be a dick thing to do.
Not really a great analogy: unless you are employees or shareholders, it's not really your "house". If you are a dedicated customer, you may be more invested in the welfare of the company than most customers, who mostly just care about their personal interests (products or services they've paid for and any personal information that company keeps on record).
I tried to cook up a comic store analogy where the loyal customer is most concerned about their orders and personal contact info being stolen than the merchandise of their favourite shop, but that analogy ignored the fact that what LulzSec did to Bethesda is essentially the following: making copies of the shop's inventory manifest, latest promotional program, and names of customers in a Rolodex, and then publishing all that info online (or in a local comic hobbyist newsletter). Other than the loss of potential business and the trust of their customers, are the owners and employees likely to suffer as a result of this break-in? I tend to think that lost business will be minor, especially if customer privacy and interests are not noticeably compromised by the break-in.
Not trying to start a morality debate (unless that's welcome here?). I just wanted to point out why I tend to see "black hat security audits" as generally to the victims' benefit, when individuals aren't likely to suffer as a direct result. In the reality of my above analogy, the comic shop is likely going to invest in better security after this kind of break in, which is a positive outcome for the business and the customers. Only the very paranoid or "security minded" customers will choose to take their business elsewhere after the break-in, which likely amounts to very little lost business to the shop.
After working in the Banking world and talking with IT from a lot of other institutions, hell, I'd even take people making the decisions actually being semi-competent in security as a major win.
Properly implemented pub-key crypto would make it so much of the loot from these attacks was unreadable. Of course, if people store unencrypted secret keys on vulnerable servers, or just use one key to encrypt for everyone in the company, or something like that, it's not that useful.
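The point made above, that public-key encryption of stored records only helps when the private key is kept away from the server and no single symmetric key covers everyone, is concrete enough to show in code. The following Go program is an added example, not code from the thread or from any of the companies mentioned; it uses a standard hybrid scheme (a fresh AES-256-GCM key per record, wrapped with RSA-OAEP) so that the web server needs only the public key, and the record layout and sample plaintext are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"io"
)

// Record is what one dumped table row looks like after the server has done
// its job: the RSA-wrapped per-record key, the GCM nonce and the ciphertext.
// A dump of these, without the private key, is just random-looking bytes.
type Record struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// Seal encrypts plaintext for the holder of pub. Only the public key lives
// on the web server, and a fresh symmetric key is generated per record, so
// no single key unlocks the whole table if one record's key is ever exposed.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Record, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Record{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open reverses Seal. It needs the private key, which is exactly the part
// that must not sit next to the data: keep it on a separate, hardened host
// that only the back-office process can reach, never on the web server.
func Open(priv *rsa.PrivateKey, rec *Record) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, rec.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, nil)
}

// DumpIsOpaque reports whether the stored record still contains the
// plaintext verbatim; a true result is the "loot is unreadable" property.
func DumpIsOpaque(rec *Record, plaintext []byte) bool {
	return !bytes.Contains(rec.Ciphertext, plaintext) &&
		!bytes.Contains(rec.WrappedKey, plaintext)
}

// Sample plaintext, constructed for this example.
var SamplePlaintext = []byte("alice@example.org;555-0100;1980-01-01")

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // generated offline in practice
	if err != nil {
		panic(err)
	}
	rec, err := Seal(&priv.PublicKey, SamplePlaintext)
	if err != nil {
		panic(err)
	}
	if _, err := Open(priv, rec); err != nil {
		panic(err)
	}
}
```

The failure mode in the comment is the reverse of this layout: if `priv` is stored on the same server as the records, a database dump plus a file read hands the attacker everything `Open` needs, and the encryption bought nothing.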
If you pay these guys to do something, they will take your money, giggle to each other about it, and then poop on your front lawn while calling you gay.
Why do people always assume this? Makes it easier to sleep at night? Do the various government agencies pay that well? I would say the smartest people are either doing research for universities or making big money in the banking industry. I can't think of any reason that the best ones would find themselves working for the government of all places.
I wonder how long before they get their .com taken from them and have to flee for another tld.