LulzSec hacks US Senate

Hacker tricksters LulzSec is baiting US lawmakers with its latest attack on the US Senate. The hacking group posted what security experts Sophos characterised as "basic information on the filesystems, user logins and the Apache web server config files" of the Senate website on Wednesday morning. The group also posted a …

COMMENTS

This topic is closed for new posts.
  1. Raithmir

    Erm...

    "it also leaked potential sensitive data about video gaming outfit Bethesda Softworks, the firm behind Quake and Doom"

    Erm, Bethesda will be behind the yet to be released Doom 4, but not Quake or the previous Doom games.

    1. Anonymous Coward
      Meh

      @Raithmir

      id Software got swallowed up by Bethesda's parent; so it is correct in a way.

      But yeah, given that Doom and Quake will be forever known as id Software's games, why not dodge the question and say 'Bethesda Softworks, the firm behind Oblivion and Fallout 3'.

    2. Old Handle

      Bethesda Softworks,

      for the record, are better known for the Elder Scrolls series, and the recent Fallout games.

    3. Daniel B.
      Facepalm

      *Cringe*

      I also cringed when I read "the firm behind Quake and Doom". That will always be id Software, and even now id Software still exists even if only as a ZeniMax subsidiary. Bethesda will "sell" Doom 4, yes, but the whole coding stuff is still being made by id Software.

  2. DrXym

    Genius

    So to protest hacking laws they hack the legislators. That's surely a well thought out plan with no negative repercussions.

    1. John G Imrie

      So to protest hacking laws they hack the legislators.

      Well yes, that's how civil disobedience works. If you want to protest about the ban on sitting at the back of a bus because of your skin colour, then moving to the back of the bus seems to be a good idea.

      That's surely a well thought out plan with no negative repercussions.

      Well no. There will be repercussions, but if people aren’t prepared to break the law we'd still be living under an absolute Monarchy, with no votes for women.

      1. Anonymous Coward
        Anonymous Coward

        @John G Imrie

        You're likening Lulzsec to Rosa Parks? Seriously?

        For a start, and this is just a start, What Rosa Parks did was peaceful and didn't involve breaking into anything, threatening anyone or generally affecting anyone who wasn't involved in racist segregation. Lulzsec put innocent people's personal information onto the internet, break into and deface web sites and threaten the owners of said sites, all because they don't like being told that they're not allowed to hack/download for free/whatever else it is today.

        It's not comparable. It's just not.

        1. Anonymous Coward
          Anonymous Coward

          Comparability

          "What Rosa Parks did was peaceful and didn't involve breaking into anything, threatening anyone or generally affecting anyone who wasn't involved in racist segregation."

          We only have that view now because of what happened.

          At the time people did indeed feel threatened, it was likened to breaking into the whites-only area and the repercussions did indeed affect everyone, even if they were not directly involved in racist segregation.

          More importantly, you appear to fail to grasp the concept of analogy.

          1. Anonymous Coward
            Anonymous Coward

            Err

            No, I fully understand the concept of an analogy, which is why I know comparing Lulzsec to protests for basic human rights is wholly inappropriate.

          2. sindegra
            FAIL

            Eh, what?

            Erm, I think he got the analogy alright, he just thought it was a shitty one, like I do.

            And pulling the "you don't know why it isn't hurting anyone because your moral compass isn't well-adapted yet" is a horribly bad argument. Please explain to me why posting people's personal information is not hurting people by infringing their (supposedly unalienable) right to privacy.

            1. Anonymous Coward
              FAIL

              Eh what now?

              Who said it wasn't hurting anyone?

            2. Anonymous Coward
              Anonymous Coward

              @Sindegra & previous AC

              I still don't think you got the analogy right. Saying you did isn't the same as actually getting it.

              The analogy is about what civil disobedience is. This is talking about protesting against a hacking law, by hacking legislators.

              It's not about posting PII. It's not about infringing the rights of the private citizen to privacy.

              It's not about justifying the takedown of Eve Online with a parallel to Rosa Parks. That is not the analogy in either its stated or implied forms. It's not about *ANY* other hacking attack being the same as Rosa Parks; it's about demonstrating that the only way civil disobedience works is by breaking the laws you don't agree with.

      2. DrXym

        Horseshit

        Lulzsec is not a civil rights movement; it doesn't represent a mass of disaffected people. It's a handful of anonymous hackers who like to vandalize stuff. Stop trying to make them out to be some political movement, because they're not. In fact, by vandalizing stuff they just demonstrate that the legal penalties for doing it probably require review.

        1. Anonymous Coward
          Anonymous Coward

          take a deep breath

          Who said LulzSec was a civil rights movement?

          Are the voices in your head drowning out the words you are reading on the screen?

  3. Citizen Kaned

    so pissed off

    If you are like me you like to keep it simple, and use a master password. Yes, I know it's not a great idea, but how the hell am I supposed to remember 100+ passwords on the move? I don't want to have to keep referencing some locker full of passwords, which would need a password anyway.

    After all the ball ache of changing passwords due to PSN, now I've had to do it again due to the Bethesda forums!

    Can't these little virgins living in their parents' houses just get out and get laid and chill, and stop messing around with everyday users? Stop fucking up our stuff; if you have a beef with X then get their MD's details and fuck with him, not the users.

    1. Anonymous Coward
      Facepalm

      Errm.

      "Master password"? So you're saying that you use the same password for your online banking as for some random blog you want to post comment to? Nice.

      Password re-use is bad practice but you should do some damage assessment should it be compromised. If, by getting your forums password all they can do is troll on some other forums/blog comments, then that wouldn't be of my concern. If on the other hand they could access my primary email or bank account or anything else that is important...

      1. Citizen Kaned

        i know....

        But an ideal world and real life are different things. As I say, I have 100+ passwords to remember on a regular basis.

        I know I could do <standardpass><ref> where ref would be 'bethesda' or whatever, but it's still a ball ache. Obviously if they had locked down the SQL injections, or however they got in, then we wouldn't need to. I had the same password for everything for 15 years without issue. Now it's changed twice in a few months.

    2. Anonymous Coward
      Flame

      t i t l e

      If a company harvests user data it should protect it. I'd much rather somebody hack a site and advertise the fact than have someone secretly exploit that data.

      If you can't be bothered to come up with a sensible password system, maybe it's time you went back to living with your parents; they'd be on hand to help you out with all those tasks in life which require a responsible adult at hand.

      1. Citizen Kaned

        ahh bless. epeen wars...

        From the guy without the bottle to even post his username... afraid I will hack you and track you down to your parents' basement, where I find you wanking over a Linux mag dressed as someone from Star Trek?

        As I say, I visit many forums and have lots of places I need to log into. Maybe I will just have to use the postfix method I talked about. The thing is, I shouldn't need to.

        1. Anonymous Coward
          Mushroom

          @Citizen Kaned

          "the thing is i shouldnt need to."

          No, you shouldn't. Sites which force users to log in with credentials should take the correct measures to protect that data. I completely agree with you on one aspect of this - you are an innocent third party but you bear a significant burden as the result of lazy, tight fisted and incompetent systems owners.

          In some respects you should be pleased that the LulzSec losers did this - if it had been more malicious parties, you wouldn't even know you needed to change all your passwords, so you would be surfing away in blithe innocence while your data was compromised.

          If that bothers you less than the fact LulzSec hacked a site and told the world, then don't bother to change your passwords - it can't be that important to you.

          The reality is companies of all sizes are cutting corners and saving money by not spending on security. When the hack happens they keep it quiet for as long as possible before saying it is all the eebul hackers' fault. They don't admit to scrimping £50k on an IPS etc.; instead it is down to the users, customers etc. to bear some of the pain that they have effectively profited from.

          Yes, what LulzSec et al do is wrong, but on the great continuum of wrong, it's not very wrong.

          1. Old Handle
            Thumb Down

            I respectfully disagree

            You SHOULD have to use different passwords. The whole point of a password is that it's a secret shared only by you and the site it authenticates you to. If you tell it to other people, it no longer serves that purpose. The fact that those other people also run websites with which you want to authenticate yourself does not make that okay.

    3. Turtle_Fan

      lul w00t?

      Who needs 100's of password?

      Get a mailinator address and use for all your forum/site/commentary/FB/twitter accounts (basically anything non-e-commerce). So they get your address and password, what's the worst that would happen? Spam posted on fora in your name big deal.

      99+% of sites can be relegated to disposable addresses and passwords. For the 2-3 that are commerce related, sign up to the enhanced security authentication schemes (verified by vi$a and the like) and only use them in private sessions, and only when necessary. Alternatively, pay by bank transfer and keep all your data to yourself.

      Job done.

      Do people still use one address for all activities?

    4. countd
      Trollface

      Nice trolling Mr Kaned!

      Two thumbs up. Ya muppet.

    5. Nextweek
      Boffin

      KISS

      If you need to use just one password make it an algorithm:

      First 4 characters is the name of the site,

      Second 4 characters is a standard number,

      Last letter is a special char such as # [ ] { }

      You get a unique password for each location, and 99% of the time they are holding a hashed value so no two hashes will be the same. Or just use a password manager like Passwordsafe.
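The rule above, worked through as an added example (this is not Nextweek's code or anything posted on the page): "four characters of the site name + a fixed number + a special character" is reversible from a single clear-text leak, because an attacker who knows the rule only has to strip the site prefix to learn the constant part and reapply it to any other site. Deriving each site's password from a master secret with a keyed one-way function instead (here PBKDF2-HMAC-SHA256 from the Python standard library, with the normalised site name as the salt) still yields one unique password per site with nothing to memorise but the master secret, and a derived password leaked at one site reveals neither the master nor any other site's password. The master secret and site names are constructed placeholders. Both schemes share the weakness that the label fed in must be stable: a site that changes its name or address changes the password.

```python
import base64
import hashlib

# Constructed placeholders for the example; not real credentials.
MASTER_SECRET = "correct horse battery staple"   # hypothetical master secret
FIXED_NUMBER = "1234"                            # stands in for the "standard number"


def naive_site_password(site: str) -> str:
    """The rule as posted: first 4 characters of the site name, a fixed
    number, then one special character. Memorable, but the only secret is the
    fixed number, and it appears verbatim in every password."""
    return site[:4].lower() + FIXED_NUMBER + "#"


def attacker_guess(leaked_site: str, leaked_password: str, target_site: str) -> str:
    """What an attacker who has read the rule does with one leaked clear-text
    password: drop the leaked site's prefix, keep the rest, and prepend the
    target site's prefix."""
    suffix = leaked_password[len(leaked_site[:4]):]
    return target_site[:4].lower() + suffix


def derived_site_password(master: str, site: str, length: int = 16) -> str:
    """Per-site password derived from the master secret with PBKDF2-HMAC-SHA256,
    using the lower-cased site name as the salt. The output is unique per site
    and cannot be reversed to the master secret, so a clear-text leak at one
    site is contained to that site."""
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), site.lower().encode(), 100_000)
    return base64.b64encode(raw).decode("ascii")[:length]


def leak_compromises_other_site(scheme, leaked_site: str, target_site: str) -> bool:
    """True if a leaked clear-text password for leaked_site lets the attacker
    guess target_site's password under the given scheme."""
    leaked = scheme(leaked_site)
    return attacker_guess(leaked_site, leaked, target_site) == scheme(target_site)


if __name__ == "__main__":
    naive = naive_site_password
    derived = lambda site: derived_site_password(MASTER_SECRET, site)
    print("naive  :", naive("bethesda"), "->", naive("sony"),
          "other site compromised:", leak_compromises_other_site(naive, "bethesda", "sony"))
    print("derived:", derived("bethesda"), "->", derived("sony"),
          "other site compromised:", leak_compromises_other_site(derived, "bethesda", "sony"))
```

The derived scheme is what a deterministic password manager does; a conventional manager that stores random per-site passwords removes even the dependence on a single master secret in the derivation, at the cost of the "locker" Citizen Kaned objects to.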

      1. Citizen Kaned

        yeah, but

        What happens when sites change name, URL etc.? For instance I use Virgin, so I have a Virgin email, but it's ntlworld as the address. So I now have to remember all these little things. Some sites have long names, and every time you refresh it wants you to sign in again. It's just a ball ache, but I know I should do something like your algorithm, and I now have.

        1. Anonymous Coward
          Anonymous Coward

          @Kaned

          As the AC you seem to be replying to, I don't understand what your point is here.

          Yes, changing your passwords is a pain in the backside, but it is because the site that stored it did so badly, not (just) because LulzSec publicised the weakness.

    6. Anonymous Coward
      Pint

      This isn't their fault...

      It just shows the awful security present in many large companies.

      Butthurt, much?

    7. Scorchio!!

      Re: so pissed off

      "if you are like me you like to keep it simple. and use a master password. yes, i know its not a great idea but how the hell am i supposed to remember 100+ passwords on the move. i dont want to have to keep referencing some locker full of passwords, which would need a password anyway."

      I keep about 2,000 passwords in my PINs file ( http://www.mirekw.com/ ), which is PW protected and 448-bit Blowfish encoded; I keep them in a TrueCrypt container when I travel. It has a password of about 32 alphanumeric characters. Security is worth its weight in gold. If I lose my USB stick I lose less sleep than most people.

      Oh, and my passwords for internet fora and the like? Hopelessly complex and long. By the time you crack 'em I've changed 'em.

      1. Anonymous Coward
        Devil

        @Scorchio!!

        It is good that you go to such great lengths, although I dread to think how much time you spend opening and closing encrypted containers and finding the appropriate password for various accounts.

        I assume your USB stick is fully backed up and the backups are encrypted. Where do you keep a copy of the backup encryption key?

        If someone got hold of your USB stick and got past your TrueCrypt container, would they have access to every single password you have? Seems like a massive pain in the arse to change 2,000 of them just to be safe - and you have to, because you can't be sure that your TrueCrypt container will sustain whatever attack is thrown against it.

        Also, all of this is totally defeated by the websites you interact with.

        No matter what lengths you go to to protect your end of the deal, there are still sites that log in over HTTP (rather than HTTPS), they will store user credentials in clear text, they are vulnerable to SQL injections etc.

        So all of that effort *you* have put in, is defeated by lazy, greedy and useless people on the other end.

        Shame really.
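The server-side failure the AC describes, shown as an added example (not the AC's code or anything from the page): a site that keeps the credential itself in its user table hands every password to whoever reads that table, by SQL injection, stolen backup or otherwise, while a site that stores a salted, iterated hash (here PBKDF2-HMAC-SHA256 from the Python standard library) can still verify logins but gives the holder of a dump only something to crack, one user at a time. The in-memory dicts standing in for the user table, and the usernames and passwords, are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000   # work factor per guess against a stolen table


def store_plaintext(table: dict, username: str, password: str) -> None:
    """What a clear-text site does: the credential itself is the stored record.
    Whoever reads the table has the password, ready to try against the user's
    other accounts."""
    table[username] = password


def verify_plaintext(table: dict, username: str, password: str) -> bool:
    return table.get(username) == password


def store_hashed(table: dict, username: str, password: str) -> None:
    """Store a salted, iterated hash instead. A random 16-byte salt per user
    means two users with the same password get different records, so the dump
    cannot be attacked with one precomputed table, and the iteration count
    makes every guess expensive."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    table[username] = "$".join([
        "pbkdf2_sha256",
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_hashed(table: dict, username: str, password: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time. An unknown user simply fails."""
    record = table.get(username)
    if record is None:
        return False
    algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


def dump_reveals_password(table: dict, username: str, password: str) -> bool:
    """Does a straight read of the stored record contain the password? This is
    the question behind the 'clear text' complaint."""
    return password in table.get(username, "")


if __name__ == "__main__":
    bad, good = {}, {}
    store_plaintext(bad, "alice", "beth1234#")
    store_hashed(good, "alice", "beth1234#")
    store_hashed(good, "bob", "beth1234#")
    print("clear-text record leaks password:", dump_reveals_password(bad, "alice", "beth1234#"))
    print("hashed record leaks password:    ", dump_reveals_password(good, "alice", "beth1234#"))
    print("same password, same record?      ", good["alice"] == good["bob"])
    print("hashed login right / wrong:", verify_hashed(good, "alice", "beth1234#"),
          verify_hashed(good, "alice", "beth1234"))
```

Hashing at rest does nothing for the other two points in the comment: a login form served over HTTP still exposes the password in transit, and an injectable query still exposes the table, so this is the floor, not the whole fix.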

  4. Anonymous Coward
    Unhappy

    Shoddy workmanship Ted. Shoddy, shoddy, shoddy

    Because I would much, much rather a games company spends even more money on security and less money on developing the games. After all there is a magic amount of money that, when spent, will make any system unbreakable, even if social engineering is used.

    Still, the important thing is that as a consumer I am being taught to audit the security of any company I might want to give my email address to, or sign up for a forum with.

  5. Anonymous Coward
    Mushroom

    So tired of hearing about "LulzSec"

    They are not a group.

    If you've been on their IRC, they have a banner at the top that encourages visitors to send them leaks and documents. Just like Anonymous, anyone can claim to be them. So they have a shitty looking website that chronicles each release. So what? They are still a bunch of teenagers having fun with open source tools.

    1. TheRead
      Facepalm

      "Bunch of teenagers"

      Who have managed to either break into or in some other way acquire customer data from several companies and the gov. This bunch of PFYs are managing to make a serious buzz and get a lot of sensitive data, what have you done with "open source tools" today Mr. COWARD?

      1. A handle is required
        FAIL

        @TheRead

        Yes, they seem to have managed to click the right sequence of shiny buttons; you seem to hold that in high regard.

        1. Anonymous Coward
          Anonymous Coward

          Shiny buttons

          Yeah, just think how much damage real hackers could have caused.

          1. Anonymous Coward
            Stop

            @AC

            Yes, because natural laws control the amount of damage each group can do

  6. g e

    So if an American hacker hacks US.gov....

    >snip<

    'bout time they had theirselfs another civil war, YEEHAAA!

  7. Ted Treen
    Coat

    They're baiters.

    And Masters, at that...

  8. K. Adams
    Black Helicopters

    What I find interesting...

    ... is the relative silence from Anonymous regarding LulzSec's recent forays.

    Some accusations have been made (such as by Branndon Pike):

    Fox News: Group Claims It Was 'Paid to Hack PBS...' (http://www.foxnews.com/scitech/2011/06/02/man-denies-paying-group-to-hack-pbsorg/)

    that LulzSec is a "splinter group" or otherwise affiliated with Anonymous.

    Usually, when such pronouncements are made, Anonymous is fairly quick to file a response (in either confirmation or denial), such as it did with the original Sony PSN breach (in that case, a denial).

    But ever since LulzSec appeared on the scene, it seems that Anonymous has intentionally "faded into the background," so-to-speak. But I don't think it's a defence against "guilt by association" move; it's more tactical than that...

  9. Anonymous Coward
    Big Brother

    @K. Adams

    That is certainly something to consider. Anonymous is seemingly taking a back seat to LulzSec's antics. Perhaps the heat is rising on the evil mastermind. And, then again, could be the group members are just changing their tactics as the use of the LOIC has taken a bit of a toll on some of the Anonymous brotherhood.

    It's just a pity that big guvmint doesn't mandate a certain standard of security across the board for businesses that hold our identifying data. Of course this means that changes may need to be made to certain, ahem..., backdoors.
