LulzSec Hacks the US Senate
jfruhlinger writes "LulzSec might not be as famous as Anonymous — they're really best known for hacking sites they like, to prove a point about security — but they may have just raised their profile significantly, posting what appears to be data taken from an internally facing server at the US Senate. However, the fun-loving group might find that the Senate reacts a lot more harshly to intrusions than, say, PBS did."
The group also recently grabbed data from Bethesda Softworks.
Interesting (Score:4, Interesting)
Re:Interesting (Score:4, Interesting)
Re: (Score:2)
I hope these guys are as good as they claim to be, otherwise we will be seeing their faces with the caption "Further arrests from anonymous hacking group"
I don't. I look forward to seeing them shut down.
As much as I agree with some of their target selections, they're just an annoying bunch of juvenile delinquents who are giving activists a bad name, and will probably provoke the creation of more draconian laws or harsher penalties.
Re: (Score:3)
Competent black hats *who take the proper precautions* brag publicly. Insert pic of "Good luck! I'm behind 7 proxies!" dude here.
On another note, does Amazon keep any sort of network/VM logging from someone who spun up/used/spun down a virtual machine with a prepaid visa card?
Re:Interesting (Score:4, Insightful)
No. There is zero benefit to having people know what you're up to as a black hat. That's like leaving riddles inside the bank safe.
Re:Interesting (Score:4, Funny)
Re: (Score:3)
Re: (Score:3)
Two things come to mind:
"Those who speak, do not know; those who know, do not speak."
and ...
"Loose lips sink ships."
You're correct; there's no benefit to these childish displays. Their juvenile antics will be their own downfall.
Re: (Score:2)
Loose lips also make for thrilling blumpkins.
Re:Interesting (Score:4, Insightful)
No. There is zero benefit to having people know what you're up to as a black hat. That's like leaving riddles inside the bank safe.
Unless, of course, your goal is to get publicity and make a point about something. (if Lulzsec or whoever just hacked into senate.gov and didn't tell anyone, do you think we'd ever hear about it?)
Re: (Score:3)
Of course there are billions of dollars in privatised computer security profits with each and every 'False Flag' http://en.wikipedia.org/wiki/False_flag [wikipedia.org]. Just look at how successful a couple of envelopes of anthrax were in generating not only new profit potential but wholesale major changes to the law.
Question: what is the difference between an 'Anonymous' attack and a false flag 'Anonymous' attack? Answer: none, they were both done in the name of 'Anonymous' and as everyone is a member of 'Anonymous' (
Re: (Score:3, Informative)
Assuming perfectly rational actors... which don't exist.
In the real world, people are complex, and just because you don't see a clear "benefit" to a behavior doesn't mean it won't occur.
And before you claim "but then they wouldn't be competent", I suggest you read up on the No True Scotsman fallacy.
Re:Interesting (Score:4, Informative)
You're either a black hat for two reasons: a) financial gain or b) publicity. You keep your mouth shut if you're in scenario A. B? Not so much.
Re:Interesting (Score:5, Insightful)
You're either a black hat for two reasons
Maybe they're doing it for the lulz?
Re: (Score:2)
Ok. Three reasons =)
Re:Interesting (Score:4, Insightful)
The world is many shades of gray. My opinion (although it counts very little) is that intent matters very much. Breaking in to steal credit card/personal info? Black hat. Breaking in to get information to help political prisoners? White hat. Just because you're breaking in to a secure system that isn't yours doesn't mean you are a black hat (depending on what you're doing; http://www.google.com/search?q=wikileaks+good [google.com]). Just like helping the Chinese government find holes to patch in the systems they use to prevent the expression of their citizens' human rights doesn't mean you're a white hat.
What is your end goal?
Re: (Score:2)
That's like leaving riddles inside the bank safe.
That seems like a good idea, if you're not The Riddler. There is non-zero benefit to having someone believe you are something you are not.
Heh... intrigue in the US Senate: who'da thunk it?
Re: (Score:2)
Competent black hats *who take the proper precautions* brag publicly. No. There is zero benefit to having people know what you're up to as a black hat. That's like leaving riddles inside the bank safe.
Not really. It's like leaving riddles in a bank safe that is so insecure that almost anyone can just walk in and take customers money. It's like leaving riddles that humiliate the bank operator into taking the right fucking precautions to protect the customers money.
Re:Interesting (Score:4, Funny)
No, but they have shipping addresses of everybody who ever ordered a Guy Fawkes mask, which should be close enough for government work.
Re: (Score:3)
Re: (Score:3)
Open Wifi/Public Locations + Proxies + Various Virtual Machine Providers + Tor + Etc. = Come at me brah
If you've got time to bury your connections across technologies and the world, good farking luck coming after the person.
Re:Interesting (Score:4, Interesting)
These guys aren't black hats; they're a different breed. They're clearly not in it for the money. They're not in it to help people. They're in it for the chaos, and the power trip, and, well, the lulz.
They're probably going to get caught, but I don't think it's quite fair to characterize them as "incompetent," just because they're playing a different game than everyone else.
Re: (Score:2)
chaotic-neutral-for-the-lulz hat, then?
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
Chaotic Evil: LulzSec
Chaotic Good: Open Source developers, especially kernel hackers
Re: (Score:2)
Uhhhh - I'm not buying any of that. BitTorrent and YouTube aren't exactly "chaotic". Neutral, I might buy into.
LulzSec evil? Nahhh.
Open source developers aren't chaotic at all. As a group, I'd rank them somewhere close to "lawful good". Of course, your idea of "lawful" may differ drastically from my own idea of "lawful". I don't recognize deep pockets as having authority to write law, ie, Microsoft, Oracle, Apple, AT&T, IBM, etc ad nauseum. "Lawful" means, or should mean, "for the good of the peo
Re: (Score:2)
Re: (Score:3)
You don't understand character alignments !
- Lawful characters are absolutely obedient to laws and authority; they believe in order above all and never question the status quo. The most difficult thing for a lawful character to ever do would be to question his superiors. Knights would almost always play lawful characters.
- Neutral characters are pragmatists. They see the law as useful and needed, but not as something to admire or revere — they will question laws and work to end bad laws. If aut
Re: (Score:2)
Re: (Score:2)
I hope these guys are as good as they claim to be, otherwise we will be seeing their faces with the caption "Further arrests from anonymous hacking group"
They are not. Competent black hats do not brag publicly. These are attention whores with some mediocre IT security skills. Most break-ins are not that hard to do.
If it was me, the access is something I'd want to cover in mud, so I'd find some McKinnon type to take the rap. There's no shortage of hormonated young fools not only willing to claim credit for the actions of others - but willing to keep lying even after they've been arrested, bagged, been made to "stand around" for a bit, give a little "snorkel", a bit of a "jump", the "nuts"... and by the "potty training" time the interrogators won't believe them if they decide all the attention isn't worth it and they'd
Lame hack (Score:3)
I hope these guys are as good as they claim to be, otherwise we will be seeing their faces with the caption "Further arrests from anonymous hacking group"
I agree, if they really claim to "not like the US government", then a much smarter move would be to snoop around quietly and dig up something REALLY juicy. Where's the meat? They brag about hacking the Senate but then give us what looks like little more than a list of mundane files on a webserver, or something. Whoop. Sounds more like they managed to find one unsecured machine, and just couldn't wait to brag about it ... I can just see it ... 'ZOMG dude we hacked teh Senate!!11!' 'Oh yeah we're awesome!'. I
Re: (Score:3)
Wait, this is the senate... Isn't it supposed to be hard?
Naw, Weiner's a member of the House of Representatives, not the Senate.
Fed Reserve is up next (Score:5, Interesting)
Re: (Score:3, Insightful)
It is good criminal practice to stay on "annoyance level". If you exceed that, law enforcement comes after you. If you exceed that enough, the people that come after you actually know what they are doing, are well funded and very, very persistent. If these clowns really manage to break into or do severe damage to the Federal Reserve, they will end up in federal prison for a few decades. It may take months or years to get them, but they will get caught.
Re:Fed Reserve is up next (Score:5, Funny)
Re: (Score:2)
mod parent oblivious, obvious. ;-)
Re: (Score:3)
Re: (Score:3)
Who's "we"? (Score:4, Insightful)
Oh, the FedRes functions, buddy boy. It just functions in ways we never intended it to.
What do you mean, "we"?
Hugs and kisses,
-- Hank Paulson [wikipedia.org]
Re: (Score:2)
Re: (Score:2)
Re:Fed Reserve is up next (Score:5, Informative)
It is good criminal practice to stay on "annoyance level". If you exceed that, law enforcement comes after you. If you exceed that enough, the people that come after you actually know what they are doing, are well funded and very, very persistent. If these clowns really manage to break into or do severe damage to the Federal Reserve, they will end up in federal prison for a few decades. It may take months or years to get them, but they will get caught.
In fiscal year 2010, the FBI requested almost $50,000,000 in new resources for internet crimes. Any bets they get more than that in new resources this year?
Re: (Score:2)
You're assuming that someone of any capability would want to work for them. Typically, the only people working for them are failures ("I got caught, so now I have to work for Uncle Sam, but I'm still a 1337 h@x0r!") or the wanna-bes ("I studied cryptography + network security, downloaded a few scripts / tools (I installed that hacker operating system "linux" and can use nmap), and while I could be a totally 'leet black hat, I've decided to fight for truth, justice, and the American way, because I am a good
Re: (Score:3)
Re:Fed Reserve is up next (Score:5, Interesting)
Believe that all you like. Then ask yourself who the largest employer of mathematicians (not an easy study by any means) in the world is. And they have other pretty good people too.
Wild guess (Score:4, Insightful)
Let me take a wild guess: number of ethicists: zero.
Somebody is on a power trip (Score:5, Insightful)
Usually these end in tears. Only the most stupid black-hats (and that is all these morons are now) brag publicly.
Re: (Score:3, Insightful)
All things considered, LulzSec has a better track record than the US Senate.
Re:Somebody is on a power trip (Score:4, Informative)
Re:Somebody is on a power trip (Score:4, Insightful)
I take it you have not heard of the concepts of "lawful evil" and "chaotic good"?
Re: (Score:2)
Re:Somebody is on a power trip (Score:5, Insightful)
Well, of course the US Senate has the law on its side. They wrote the law, arguably to serve their own interests, just like the Fed is a group of bankers that regulate the banking industry. It's not accountability if you are only accountable to yourself.
Re: (Score:2)
Re: (Score:3)
Assuming that LulzSec members are in the US. You guys still don't have Gary McKinnon and the UK is supposed to be your best pal with a Special Relationship.
If you think your laws should apply worldwide because the attack was on a US institution, then presumably you will be handing over the authors of the Stuxnet virus to Iran, right?
Re: (Score:2)
Re: (Score:2)
Ok, so I'm kidding - a little. But the last thing you do is fuck with the feds. They will get their pound of flesh. That you can safely bet on.
Wait, I thought the Federal gov't was incompetent at everything except wasting taxpayer money. Which is it?
Re: (Score:2)
They are both.
It's like this: the feds are kind of like a slow, plodding police inspector (of the Javert variety). They miss a lot of things every day, tons of crimes going on everywhere that never get solved. We all know this, but people are loath to acknowledge it. To acknowledge it is to admit that something is wrong, and if something is wrong, you may feel some compulsion to do something about it.
So, when they finally do catch someone, they make sure to punish them extra brutally, supposedly to set an
Re:Somebody is on a power trip (Score:5, Funny)
Are you talking about the hackers or the senators?
I want to see some Juicy stuff (Score:4, Interesting)
As much as I like chaos brought to the powers that be, none of this hacking will have any long-lasting effects. I want to see some serious info leaked that damages someone with real power. I'd rather see these guys dig out info that calls out the hypocrites in positions of power.
Re: (Score:3)
Yeah. No Shit.
If these guys are that good, then let's make Wikileaks look like an accidental slip of the tongue in a White House press conference.
I want to see them stop fucking around with Sony, because it won't achieve anything, and go after the big ass people. Like the banks, sealed government records, etc.
What respect are they really going to get from us when all they do is annoyance and harm when their skills could get put to very good use. Specifically, and forcefully, creating transparent governme
Re: (Score:3)
"You assume they have any real skills"
Some weeks ago, we smashed into Brink with our heavy artillery Lulz
Cannons and decided to switch to ninja mode. From our LFI entry point,
we acquired command execution via local file inclusion of enemy fleet
Apache vessel. We then found that the HTTPD had SSH auth keys, which
let our ship SSH into other servers. See where this is going?
We then switched to root ammunition rounds.
And we rooted... and rooted... and rooted...
After mapping their internal network and thoroughly
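The quoted release describes getting from a local file inclusion (LFI) entry point to command execution on the web server. The block below is an added example, not code from the page, the commenter or LulzSec: detection logic a defender could run over Apache access logs to flag file-inclusion probing, including double-percent-encoded traversal that a naive string match misses. The log lines are constructed for the example, and the regexes are illustrative, not a complete signature set.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed sample lines in Apache combined log format (not taken from the page).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jun/2011:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Jun/2011:10:01:07 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1840 "-" "curl/7.21"
203.0.113.9 - - [12/Jun/2011:10:01:09 +0000] "GET /index.php?page=..%252f..%252f..%252fetc%252fhosts HTTP/1.1" 200 2210 "-" "curl/7.21"
198.51.100.2 - - [12/Jun/2011:10:02:00 +0000] "GET /images/logo.png HTTP/1.1" 304 0 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Illustrative indicators: directory traversal and references to well-known sensitive paths.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\)')
SENSITIVE_RE = re.compile(r'(?:^|/)(?:etc/(?:passwd|shadow)|\.ssh/)', re.IGNORECASE)


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded input like '..%252f' is exposed as '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request_target(target):
    """Return the list of reasons a single request target (path plus query) looks like LFI probing."""
    reasons = []
    parts = urlsplit(target)
    # Check the path itself and every query parameter value; parse_qsl already decodes one layer.
    candidates = [parts.path] + [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    for raw in candidates:
        value = fully_decode(raw)
        if TRAVERSAL_RE.search(value):
            reasons.append(f"directory traversal in {raw!r}")
        if SENSITIVE_RE.search(value):
            reasons.append(f"sensitive path reference in {raw!r}")
    return reasons


def find_lfi_attempts(log_text):
    """Scan access-log text and return one finding per request that looks like file-inclusion probing."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; a real pipeline would count these separately
        reasons = inspect_request_target(m.group("target"))
        if reasons:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                # A 200 on a traversal attempt is the case that deserves immediate attention.
                "status": int(m.group("status")),
                "target": m.group("target"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_lfi_attempts(SAMPLE_LOG):
        print(f["ip"], f["status"], f["target"], "->", "; ".join(f["reasons"]))
```

The status code is kept in each finding because a traversal request that the server answered with 200 is the signal that the inclusion may have worked, whereas a 404 or 403 is reconnaissance noise. The same check applies to the page's point about the web server user holding SSH keys: a finding that references `.ssh/` under a reachable path is worth a manual look at file permissions on the host.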
Comment removed (Score:5, Insightful)
Re:Thanks Guys (Score:5, Informative)
I know what they did is wrong and all but what you wrote sounds like "Look what you did, you've angered the master, now he's sure to give us all a good whippin'"
Re: (Score:2)
Fingers get pointed at [INSERT ROGUE NATION] and we start another unjust war.
On the brighter side maybe these guys [IT staff of the compromised servers, I am looking at you] will actually start considering tougher security on front facing servers
Is hacking spate supporting internet lockdown? (Score:5, Insightful)
It seems like the recent outbreak of high-profile cases of computer break-ins is almost calculated to provoke legislation locking down the internet. First the kill-switch proposal, the announcement by the US military that computer intrusion would be considered an act of war, now a constant drumbeat of reporting in the media about major cracks.
Perhaps the hacks are all just being done by people who don't see how useful such stories are to those who want to assert control over the net, but it would be foolish to think that the "problem-reaction-solution" method has stopped being used by those who are after power, or to discount the possibility that some of this hacking and the publicity it receives is actually being provoked or even orchestrated by those seeking to expand government control over the internet.
Re:Is hacking spate supporting internet lockdown? (Score:5, Informative)
It seems like the recent outbreak of high-profile cases of computer break-ins is almost calculated to provoke legislation locking down the internet. First the kill-switch proposal, the announcement by the US military that computer intrusion would be considered an act of war, now a constant drumbeat of reporting in the media about major cracks.
Perhaps the hacks are all just being done by people who don't see how useful such stories are to those who want to assert control over the net, but it would be foolish to think that the "problem-reaction-solution" method has stopped being used by those who are after power, or to discount the possibility that some of this hacking and the publicity it receives is actually being provoked or even orchestrated by those seeking to expand government control over the internet.
It's remarkable how quickly the PATRIOT Act was "created" after 9/11. Most likely it was waiting in a desk drawer for something to polarize the public... Now we have teams of hackers that could literally be anyone, causing security problems across the board, from government, to business, to gamers. Clearly the people will now agree the government must put an end to it all...
Re: (Score:2)
Or more likely you underestimate the capabilities of a couple of hundred Congressmen, a thousand or more high level aides/advisers, and who knows how many lower level drones when focused on a task.
Re: (Score:2)
Well, you see, Barry is behind it now, so it can't be criticized much.
Re: (Score:2)
How so?
The "Government knows best", "big government" party would be expected to be all for the government trampling over the rights of the people.
The "states' rights", "small government" party is the one you would expect to be against it - so why would having a Democrat President make the Republicans less likely to criticize it?
Re: (Score:3)
It's always "the other side's" fault. Partisans are incapable of being consistent in laying blame where it is due, since that frequently requires blaming both of the major parties.
Re: (Score:2)
I'll say this... I'm afraid we're globally heading, and quickly so, for a regulated, locked-down Internet. We'll look back fondly at the decade of 2000s, when the Internet had already reached massive, worldwide use and importance but also remained, for the most part, free. Now we'll likely see increased efforts by some governments to censor the Internet, legislation that would allow governments to easily take down certain sites or networks, legislation that forces ISPs to keep (and reveal upon request) incr
Re: (Score:2)
And how exactly do you "lock down" the internet? That isn't as simple as flipping a switch. Even the Great Firewall of China has its limitations.
Re:Is hacking spate supporting internet lockdown? (Score:4, Informative)
Who needs a total lockdown? Make a lockdown that's "tight enough" and that will already have most of the population under control. You don't even need anything too sophisticated. Let's say the government requires that all ISPs have their DNS servers use a centralized government blacklist of sites, resolving any site on the list to 127.0.0.1. That simple measure would prevent most Internet users in that country from accessing sites on the govt's blacklist.
It's impossible to completely lock down the Internet without changing the entire infrastructure of it, if even then. There will always be the tech savvy 5% of users that are hard to limit. But with very simple technical solutions, you could limit 95% of the users. And probably limit half of the remaining 5% with a bunch of moderately more difficult measures.
It's a setup. (Score:4, Insightful)
Welp (Score:2)
Well, there's a big red line to cross. What could possibly go wrong?!
Meh ... (Score:2)
I would've given bonus points had they manipulated the system into displaying random Wikileaks embassy cables.
Er, what? (Score:2)
"LulzSec might not be as famous as Anonymous — they're really best known for hacking sites they like, to prove a point about security"
Wait, so is LulzSec known for hacking sites they like? Or is Anonymous known for hacking sites they like? Which one of them actually likes Sony since both groups hacked them? (Even disregarding Sony's claims about the stolen PSN information, Anonymous admitted to being responsible for the prior DDoS attack.) Does Anonymous like the Scientologists or does LulzSec like InfraGard? I'm kinda confused by the claim.
Shooting one's self in the foot? (Score:2)
The end of an era? (Score:2)
Re: (Score:2)
Seems to me that a lot of these breaches happen to enter the 'shit you should always cover' territory. I.e. secure your SQL database, don't leave open inputs, make sure it's sanitized, hash and salt passwords. Don't store passes in plaintext. And so on.
Sure the hell makes me wonder who's being hired for their network security. Or if a lot of these companies are simply farming it out.
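The list in the comment above (sanitize SQL inputs, salt and hash passwords, never store plaintext) is the kind of thing these breaches kept exposing. The block below is an added example, not code from the page or the commenter: a string-built SQL lookup that leaks the whole user table next to the parameterized version that does not, and a salted PBKDF2 password store with constant-time verification in place of plaintext. It uses only the Python standard library (`sqlite3`, `hashlib`, `hmac`, `secrets`); the table layout and the iteration count are choices made for the example.

```python
import hashlib
import hmac
import secrets
import sqlite3

PBKDF2_ITERATIONS = 200_000  # example choice; tune to your hardware and raise over time


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256. Returns 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh random salt per user means two users with the same password get
    different stored values, so a leaked table cannot be cracked in bulk.
    """
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def make_db():
    """In-memory user table for the example; only the hash is ever stored, never the password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    return conn


def add_user(conn, name, password):
    conn.execute("INSERT INTO users (name, pw_hash) VALUES (?, ?)", (name, hash_password(password)))
    conn.commit()


def lookup_user_vulnerable(conn, name):
    """DELIBERATELY VULNERABLE 'before' form: the name is pasted into the SQL text.

    A name such as  x' OR '1'='1  turns the WHERE clause into a tautology and
    returns every row, which is exactly how user tables get dumped.
    """
    return conn.execute("SELECT name FROM users WHERE name = '" + name + "'").fetchall()


def lookup_user_safe(conn, name):
    """Hardened form: the driver binds the value, so quotes in it are data, not SQL."""
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def login(conn, name, password):
    """Authenticate with the parameterized lookup and the salted hash."""
    row = conn.execute("SELECT pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    return verify_password(password, row[0])


if __name__ == "__main__":
    db = make_db()
    add_user(db, "alice", "correct horse battery staple")
    add_user(db, "bob", "hunter2")
    tautology = "x' OR '1'='1"  # constructed input showing the injection, not a real account
    print("vulnerable lookup returned", len(lookup_user_vulnerable(db, tautology)), "rows")
    print("safe lookup returned", len(lookup_user_safe(db, tautology)), "rows")
    print("alice login:", login(db, "alice", "correct horse battery staple"))
    print("alice wrong pw:", login(db, "alice", "hunter2"))
```

The stored format carries the scheme, iteration count and salt alongside the hash, so the cost factor can be raised later and old records re-hashed at next login without a schema change; `hmac.compare_digest` avoids leaking which byte of the hash differed through timing.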
Private key for senate.gov! (Score:2)
Looks like the lucky senate.gov webmaster gets to see if the key revocation process actually works.
There's nothing important there (Score:5, Insightful)
That's not some inside server. Look at their list of files. It's the Senate's outward-facing web server, "www.senate.gov". It also hosts the public web sites of individual senators. It looks like what you can see on a UNIX system with a guest account. Big deal. Every staffer on the Senate side has that much access.
They have the complete directory of all the paintings in the Capitol. The forms for registering as a lobbyist. Pictures of all the Senators. Lots of stuff for tourists. This session's voting results, in HTML. The base Apache config. Nothing exciting.
Apache 0day (Score:2, Interesting)
Lulzsec's primary means of access is an Apache 0day. Also, one of their primary members works for a Tier 1 ISP, thus giving him privileged access to some high level routers/customer information.
IF Lulzu can do it, the question is ... (Score:2)
just how long have the Russians and Chinese been lounging around in that system? A year? A decade?
I'm waiting for LulzSec to hack Slashdot. (Score:3)
I think it would be hilarious for LulzSec to hack Slashdot and post every single username and password, along with any financial details that they found on ThinkGeek. Come on. Slashdot is so buggy, their security simply must be a joke. I'd be curious to see what the reaction is. My guess is that some people would still support LulzSec, even saying that they're glad that such a fine group of principled and honorable white hat hackers took the time to demonstrate the flaws of Slashdot's security.
Back when I was in college, I had a friend who used to break into cars that used The Club [wikipedia.org]. He wouldn't steal anything but The Club itself, to demonstrate to them the uselessness of the product. I found it hilarious. Much like these web site hacks, it was just a harmless prank by some punk kid. But it was also pretty fucking antisocial. Did those people learn a valuable lesson? I don't know. Maybe. That doesn't change the fact that it was wrong to break into those cars.
By the way, I'm not saying that I'm some paragon of virtue, because, obviously, I'm not (I found the whole thing rather amusing and probably indirectly encouraged his activities by laughing). I don't think you need to be virtuous in order to speak about virtue, however.
Re:Bethesda (Score:4, Insightful)
They want attention. They do not care what kind of attention. Like some emotionally disturbed kids.
Re: (Score:2)
two words
password reuse
Re: (Score:3)
They probably wanted to play Skyrim early.
Remember when Valve got hacked? (Score:3)
Re: (Score:2)
Risky. What if the other one is a great fool? There is ample evidence of this for a significant part of the population, and that intelligence and education are not reasonable predictors of this state.
Re:Not what Obama meant by "open government"... (Score:5, Interesting)
And when that ass gets kicked in the Senate's IT office, you'll have LulzSec to thank. If LulzSec could hack it, so could Iran. We should be grateful for the service they are providing.
Re: (Score:2)
Fuck that. If they were altruistic, they'd be quietly alerting the site's owners of the vulnerabilities. Not posting the email addresses of porn accounts and trying to publicly humiliate thousands of people "for the lulz". They are sociopaths, getting off on causing others misery. They need to be locked up.
Re: (Score:3)
these guys are not amateurs like the bank DDOS kids
Re:Not what Obama meant by "open government"... (Score:4, Insightful)
I'm not sure if you've ever really sent an anonymous "your shit is broken" message to a site, but I bet the level of positive response would be inversely related to how big the company is.
No-one wants their management to find out their stuff is insecure. They'd be looking for a new job. So they likely bottle it and pretend it ain't happening.
I hate to say it, but I think Lulzsec is doing a disturbing but necessary deed. When no-one wants to improve the state of security, and people are quite happy accepting budget increases for "more security hardware" instead of doing it right the first time and externalising all security issues as vendor problems, there's no real motivation to actually pursue securely developed options. Lulzsec is outing that practice.
I only hope that somehow this crap makes its way to pointing out inherent security flaws in OSes that make it tangible enough to lawmakers to suddenly care. Not "care" as in "pursue legal options rather than fix", not "care" as in "buy more layers of badly managed and ineffective security theatre", but "care" as in "we need to hire people who know what they're doing, then keep them around and include security in all stages of planning, development and operations."
Re:Not what Obama meant by "open government"... (Score:4, Insightful)
The solution is to stop letting HR people with no technical knowledge hire technical people.
This is what results in the common practice of putting a know-nothing idiot with good social skills in charge of doing technical work they can't handle.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
No, of course I don't. I was talking about how they should act, which is completely divorced from how they do act. They publish the stories that bring in readers. Hell, this story was probably posted by an unpaid intern who thought it was interesting and put in his 15 minutes worth of research before hitting the "Submit" button. Looking at his profile over at ITworld, this dude writes pretty much exclusively about Anonymous's latest exploits; this isn't quite the pinnacle of journalism we're dealing with he
Re: (Score:3)
Revolutions rarely have a good ending. 1789? Led to a reign of terror. 1917? Led to a reign of terror. 1776 is maybe the only one that led to more freedom. But it seems, only temporarily so.
The main problem is that we replaced aristocracy with plutocracy. Instead of birthright and divine providence, money is now the deciding factor of your worth in society. And while superficially more porous, since anyone could get rich, nothing really changed but the people on top. It is still the same flawed system.
Origi