LulzSec hacks US Senate

Hacker tricksters LulzSec is baiting US lawmakers with its latest attack on the US Senate. The hacking group posted what security experts Sophos characterised as "basic information on the filesystems, user logins and the Apache web server config files" of the Senate website on Wednesday morning. The group also posted a …

COMMENTS

This topic is closed for new posts.

so pissed off

If you are like me, you like to keep it simple and use a master password. Yes, I know it's not a great idea, but how the hell am I supposed to remember 100+ passwords on the move? I don't want to have to keep referencing some locker full of passwords, which would need a password anyway.

After all the ball ache of changing passwords due to PSN, now I've had to do it again due to the Bethesda forums!

Can't these little virgins living in their parents' houses just get out, get laid, chill and stop messing around with everyday users? Stop fucking up our stuff; if you have a beef with X then get their MD's details and fuck with him, not the users.


Errm.

"Master password"? So you're saying that you use the same password for your online banking as for some random blog you want to post comment to? Nice.

Password re-use is bad practice, but you should do some damage assessment should it be compromised. If, by getting your forum password, all they can do is troll on some other forums/blog comments, then that wouldn't be of my concern. If, on the other hand, they could access my primary email or bank account or anything else that is important...


title

If a company harvests user data it should protect it. I'd much rather somebody hack a site and advertise the fact than have someone secretly exploit that data.

If you can't be bothered to come up with a sensible password system, maybe it's time you went back to living with your parents; they'd be on hand to help you out with all those tasks in life which require a responsible adult at hand.


lul w00t?

Who needs hundreds of passwords?

Get a mailinator address and use it for all your forum/site/commentary/FB/twitter accounts (basically anything non-e-commerce). So they get your address and password; what's the worst that could happen? Spam posted on fora in your name. Big deal.

99+% of sites can be relegated to disposable addresses and passwords. For the 2-3 that are commerce related, sign up to the enhanced security authentication schemes (Verified by Vi$a and the like) and only use them in private sessions, only when necessary. Alternatively, pay by bank transfer and keep all your data to yourself.

Job done.

Do people still use one address for all activities?


I know....

But an ideal world and real life are different things. As I say, I have 100+ passwords to remember on a regular basis.

I know I could do <standardpass><ref>, where ref would be 'bethesda' or whatever, but it's still a ball ache. Obviously if they had locked down the SQL injections, or however they got in, then we wouldn't need to. I had the same password for everything for 15 years without issue. Now it's changed twice in a few months.


Ahh bless. Epeen wars...

From the guy without the bottle to even post his username.... Afraid I will hack you and track you down to your parents' basement, where I find you wanking over a Linux mag dressed as someone from Star Trek?

As I say, I visit many forums and have lots of places I need to log into. Maybe I will just have to use the postfix method I talked about. The thing is, I shouldn't need to.


Nice trolling Mr Kaned!

Two thumbs up. Ya muppet.


KISS

If you need to use just one password make it an algorithm:

First 4 characters is the name of the site,

Second 4 characters is a standard number,

Last character is a special char such as # [ ] { }

You get a unique password for each location, and 99% of the time they are holding a hashed value, so no two hashes will be the same. Or just use a password manager like Passwordsafe.

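The two home-grown schemes proposed in this thread (the <standardpass><ref> postfix idea and the "first four characters of the site, a fixed number, a special character" algorithm above) share one weakness: once a single site dumps its password table, the constant part is known and every other password follows. The Python below is an added example, not code from any poster; it implements the naive scheme as described (the number "1234" and the symbol "#" are assumed placeholders) and puts it next to a keyed derivation from a master secret, where a leak at one site reveals nothing about another. The master secret and site names are made up.

```python
"""Per-site password derivation: the thread's naive scheme beside a keyed one.

Added example; not code from the thread. "1234" and "#" stand in for the
commenter's "standard number" and "special char".
"""
import hashlib
import string

# Constructed charset: letters, digits and a few symbols most sites accept.
CHARSET = string.ascii_letters + string.digits + "#[]{}!$%&*+-=?@^_~"


def derive_naive(site: str, number: str = "1234", special: str = "#") -> str:
    """The algorithm from the comment: four characters of the site name,
    a fixed number, one special character."""
    return site.lower()[:4] + number + special


def predict_from_leak(leaked_site: str, leaked_pw: str, target_site: str) -> str:
    """What someone holding ONE dumped naive password can do with it.

    Everything after the site prefix is identical on every site, so strip
    the leaked prefix and re-attach the target's prefix.
    """
    prefix_len = len(leaked_site.lower()[:4])
    constant_part = leaked_pw[prefix_len:]
    return target_site.lower()[:4] + constant_part


def derive_keyed(master: bytes, site: str, version: int = 0, length: int = 16) -> str:
    """Derive a per-site password as PBKDF2-HMAC-SHA256(master, site label).

    The site label plus a rotation counter is the salt. Without the master
    secret a leaked password for one site says nothing about another, and
    bumping ``version`` rotates one site after a breach without touching the
    master. The iteration count is illustrative.
    """
    label = f"{site.lower()}:{version}".encode()
    digest = hashlib.pbkdf2_hmac("sha256", master, label, 100_000, dklen=32)
    # Spend the 256-bit digest on ~6.2-bit symbols. 16 symbols consume under
    # 100 bits, so the modulo bias of the last divisions is negligible.
    n = int.from_bytes(digest, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(CHARSET))
        chars.append(CHARSET[idx])
    return "".join(chars)


if __name__ == "__main__":
    master = b"correct horse battery staple"  # constructed master secret
    for site in ("bethesda", "theregister", "paypal"):
        print(f"{site:12} naive={derive_naive(site):10} keyed={derive_keyed(master, site)}")
    print("from one naive leak ->",
          predict_from_leak("bethesda", derive_naive("bethesda"), "paypal"))
```

Two caveats a practitioner would add: the naive scheme also collides whenever two sites share their first four characters (bethesda and bethesda-forums get the same password), and the keyed scheme moves the "what did I call this site" problem raised later in the thread into the label, so the label and version still have to be remembered or recorded somewhere.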

This isn't their fault...

It just shows the awful security present in many large companies.

Butthurt, much?


@Citizen Kaned

"the thing is i shouldnt need to."

No, you shouldn't. Sites which force users to log in with credentials should take the correct measures to protect that data. I completely agree with you on one aspect of this: you are an innocent third party, but you bear a significant burden as the result of lazy, tight-fisted and incompetent systems owners.

In some respects you should be pleased that the LulzSec losers did this. If it had been more malicious parties, you wouldn't even know you needed to change all your passwords, so you would be surfing away in blithe innocence while your data was compromised.

If that bothers you less than the fact LulzSec hacked a site and told the world, then don't bother to change your passwords; it can't be that important to you.

The reality is that companies of all sizes are cutting corners and saving money by not spending on security. When the hack happens they keep it quiet for as long as possible before saying it is all the eebul hackers' fault. They don't admit to scrimping £50k on an IPS etc; instead it is down to the users, customers etc to bear some of the pain that they have effectively profited from.

Yes, what LulzSec et al do is wrong, but on the great continuum of wrong, it's not very wrong.


Yeah, but

What happens when sites change name, URL etc? For instance, I use Virgin, so I have a Virgin email, but it's ntlworld as the address. So I now have to remember all these little things. Some sites have long names, and every time you refresh it wants you to sign in again. It's just a ball ache, but I know I should do something like your algorithm, and I now have.


I respectfully disagree

You SHOULD have to use different passwords. The whole point of a password is that it's a secret shared only by you and the site it authenticates you to. If you tell it to other people, it no longer serves that purpose. The fact that those other people also run websites with which you want to authenticate yourself does not make that okay.


Re: so pissed off

"If you are like me, you like to keep it simple and use a master password. Yes, I know it's not a great idea, but how the hell am I supposed to remember 100+ passwords on the move? I don't want to have to keep referencing some locker full of passwords, which would need a password anyway."

I keep about 2,000 passwords in my PINs file ( http://www.mirekw.com/ ), which is password protected and 448-bit Blowfish encoded; I keep them in a TrueCrypt container when I travel. It has a password of about 32 alphanumeric characters. Security is worth its weight in gold. If I lose my USB stick I lose less sleep than most people.

Oh, and my passwords for internet fora and the like? Hopelessly complex and long. By the time you crack 'em I've changed 'em.

Anonymous Coward

@Kaned

As the AC you seem to be replying to, I don't understand what your point is here.

Yes, changing your passwords is a pain in the backside, but it is because the site that stored it did so badly, not (just) because LulzSec publicised the weakness.


@Scorchio!!

It is good that you go to such great lengths, although I dread to think how much time you spend opening and closing encrypted containers and finding the appropriate password for various accounts.

I assume your USB stick is fully backed up and the backups are encrypted. Where do you keep a copy of the backup encryption key?

If someone got hold of your USB stick and got past your TrueCrypt container, would they have access to every single password you have? Seems like a massive pain in the arse to change 2,000 of them just to be safe, and you have to, because you can't be sure that your TrueCrypt container will sustain whatever attack is thrown against it.

Also, all of this is totally defeated by the websites you interact with.

No matter what lengths you go to to protect your end of the deal, there are still sites that log in over HTTP (rather than HTTPS), that store user credentials in clear text, that are vulnerable to SQL injection etc.

So all of the effort *you* have put in is defeated by lazy, greedy and useless people on the other end.

Shame really.

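The "store user credentials in clear text" failure named above, and the earlier remark that a site is "holding a hashed value", are the two ends of the same server-side decision. The Python below is an added example, not code from any poster or from the sites discussed: a clear-text user table next to one that keeps a random per-user salt and a slow PBKDF2 hash with a constant-time compare, plus a helper that shows what a copied table (the result of a SQL injection, for instance) gives away in each case. User names, passwords and the iteration count are constructed for the example.

```python
"""Server-side credential storage: clear text beside salted, iterated hashing.

Added example; not code from the thread or any site it discusses.
"""
from __future__ import annotations

import hashlib
import hmac
import os

ITERATIONS = 100_000  # illustrative; production deployments should use far more


class ClearTextStore:
    """The bad pattern: the password column IS the password."""

    def __init__(self) -> None:
        self.rows: dict[str, str] = {}

    def add_user(self, username: str, password: str) -> None:
        self.rows[username] = password

    def verify(self, username: str, password: str) -> bool:
        return self.rows.get(username) == password

    def table_dump(self) -> list[tuple[str, str]]:
        """What an attacker sees after copying the table."""
        return list(self.rows.items())


class HashedStore:
    """Per-user random salt and a slow hash; the dump still needs cracking."""

    def __init__(self) -> None:
        self.rows: dict[str, tuple[bytes, bytes]] = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)  # fresh per user, so identical passwords differ
        self.rows[username] = (salt, self._hash(password, salt))

    def verify(self, username: str, password: str) -> bool:
        row = self.rows.get(username)
        if row is None:
            # Burn the same work for unknown users so response time does not
            # reveal which usernames exist.
            self._hash(password, b"\x00" * 16)
            return False
        salt, stored = row
        return hmac.compare_digest(self._hash(password, salt), stored)

    def table_dump(self) -> list[tuple[str, str]]:
        return [(u, f"{salt.hex()}${digest.hex()}")
                for u, (salt, digest) in self.rows.items()]


def passwords_visible_in(dump: list[tuple[str, str]], candidates: set[str]) -> set[str]:
    """Which of the candidate passwords appear literally in a dumped table."""
    return {p for _, column in dump for p in candidates if p in column}


if __name__ == "__main__":
    for store in (ClearTextStore(), HashedStore()):
        store.add_user("alice", "hunter2")  # constructed users
        store.add_user("bob", "hunter2")
        print(type(store).__name__, store.table_dump())
        print("  visible:", passwords_visible_in(store.table_dump(), {"hunter2"}))
```

Note what the salt buys: alice and bob chose the same password, but their stored rows differ, so the dump does not even reveal that two accounts share a password, let alone what it is. None of this helps if the login form itself travels over plain HTTP; that part of the complaint above is a transport problem, not a storage one.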

Genius

So to protest hacking laws they hack the legislators. That's surely a well thought out plan with no negative repercussions.


"So to protest hacking laws they hack the legislators."

Well yes, that's how civil disobedience works. If you want to protest about the ban on sitting at the back of a bus because of your skin colour, then moving to the back of the bus seems to be a good idea.

"That's surely a well thought out plan with no negative repercussions."

Well no. There will be repercussions, but if people weren't prepared to break the law we'd still be living under an absolute monarchy, with no votes for women.

Anonymous Coward

@John G Imrie

You're likening Lulzsec to Rosa Parks? Seriously?

For a start, and this is just a start, what Rosa Parks did was peaceful and didn't involve breaking into anything, threatening anyone or generally affecting anyone who wasn't involved in racist segregation. Lulzsec put innocent people's personal information onto the internet, break into and deface web sites and threaten the owners of said sites, all because they don't like being told that they're not allowed to hack/download for free/whatever else it is today.

It's not comparable. It's just not.

Anonymous Coward

Comparability

"What Rosa Parks did was peaceful and didn't involve breaking into anything, threatening anyone or generally affecting anyone who wasn't involved in racist segregation."

We only have that view now because of what happened.

At the time people did indeed feel threatened; it was likened to breaking into the whites-only area, and the repercussions did indeed affect everyone, even if they were not directly involved in racist segregation.

More importantly, you appear to fail to grasp the concept of analogy.

Anonymous Coward

Err

No, I fully understand the concept of an analogy, which is why I know comparing Lulzsec to protests for basic human rights is wholly inappropriate.


Eh, what?

Erm, I think he got the analogy alright, he just thought it was a shitty one, like I do.

And pulling the "you don't know why it isn't hurting anyone because your moral compass isn't well-adapted yet" is a horribly bad argument. Please explain to me why posting people's personal information is not hurting people by infringing their (supposedly unalienable) right to privacy.


Eh what now?

Who said it wasn't hurting anyone?

Anonymous Coward

@Sindegra & previous AC

I still don't think you got the analogy right. Saying you did isn't the same as actually getting it.

The analogy is about what civil disobedience is. This is talking about protesting against a hacking law, by hacking legislators.

It's not about posting PII. It's not about infringing the right of the private citizen to privacy.

It's not about justifying the takedown of Eve Online with a parallel to Rosa Parks. That is not the analogy in either its stated or implied forms. It's not about *ANY* other hacking attack being the same as Rosa Parks; it's about demonstrating that the only way civil disobedience works is by breaking the laws you don't agree with.


Horseshit

Lulzsec is not a civil rights movement; it doesn't represent a mass of disaffected people. It's a handful of anonymous hackers who like to vandalise stuff. Stop trying to make them out to be some political movement, because they're not. In fact, by vandalising stuff they just demonstrate that the legal penalties for doing it probably require review.

Anonymous Coward

take a deep breath

Who said LulzSec was a civil rights movement?

Are the voices in your head drowning out the words you are reading on the screen?

Erm...

"it also leaked potential sensitive data about video gaming outfit Bethesda Softworks, the firm behind Quake and Doom"

Erm, Bethesda will be behind the yet-to-be-released Doom 4, but not Quake or the previous Doom games.


@Raithmir

id Software got swallowed up by Bethesda's parent; so it is correct in a way.

But yeah, given that Doom and Quake will be forever known as id Software's games, why not dodge the question and say 'Bethesda Softworks, the firm behind Oblivion and Fallout 3'.


Bethesda Softworks,

for the record, are better known for the Elder Scrolls series, and the recent Fallout games.


*Cringe*

I also cringed when I read "the firm behind Quake and Doom". That will always be id Software, and even now id Software still exists even if only as a ZeniMax subsidiary. Bethesda will "sell" Doom 4, yes, but the whole coding stuff is still being made by id Software.


Shoddy workmanship Ted. Shoddy, shoddy, shoddy

Because I would much, much rather a games company spends even more money on security and less money on developing the games. After all there is a magic amount of money that, when spent, will make any system unbreakable, even if social engineering is used.

Still, the important thing is that as a consumer I am being taught to audit the security of any company I might want to give my email address to, or sign up for a forum with.


So tired of hearing about "LulzSec"

They are not a group.

If you've been on their IRC, they have a banner at the top that encourages visitors to send them leaks and documents. Just like Anonymous, anyone can claim to be them. So they have a shitty looking website that chronicles each release. So what? They are still a bunch of teenagers having fun with open source tools.


"Bunch of teenagers"

Who have managed to either break into or in some other way acquire customer data from several companies and the gov. This bunch of PFYs are managing to make a serious buzz and get a lot of sensitive data, what have you done with "open source tools" today Mr. COWARD?


@TheRead

Yes, they seem to have managed to click the right sequence of shiny buttons; you seem to hold that in high regard.

Anonymous Coward

Shiny buttons

Yeah, just think how much damage real hackers could have caused.


@AC

Yes, because natural laws control the amount of damage each group can do

g e

So if an American hacker hacks US.gov....

>snip<

'bout time they had theirselfs another civil war, YEEHAAA!


They're baiters.

And Masters, at that...


What I find interesting...

... is the relative silence from Anonymous regarding LulzSec's recent forays.

Some accusations have been made (such as by Branndon Pike):

-- -- Fox News: Group Claims It Was 'Paid to Hack PBS...'

-- -- -- http://www.foxnews.com/scitech/2011/06/02/man-denies-paying-group-to-hack-pbsorg/

that LulzSec is a "splinter group" or otherwise affiliated with Anonymous.

Usually, when such pronouncements are made, Anonymous is fairly quick to file a response (in either confirmation or denial), such as it did with the original Sony PSN breach (in that case, a denial).

But ever since LulzSec appeared on the scene, it seems that Anonymous has intentionally "faded into the background," so-to-speak. But I don't think it's a defence against "guilt by association" move; it's more tactical than that...


@K. Adams

That is certainly something to consider. Anonymous is seemingly taking a back seat to LulzSec's antics. Perhaps the heat is rising on the evil mastermind. And, then again, could be the group members are just changing their tactics as the use of the LOIC has taken a bit of a toll on some of the Anonymous brotherhood.

It's just a pity that big guvmint doesn't mandate a certain standard of security across the board for businesses that hold our identifying data. Of course this means that changes may need to be made to certain, ahem..., backdoors.
