Lulzsec gets hacking downunder Notorious hackivist group Lulzsec has brought down Australian domain registrar and web hosts Distribute.IT and publicly published a list of 62,000 international email addresses and passwords. The data files appear to be cobbled together from a variety of sources, but the Australian email details include a number from …
No doubt they are thrilled to bits with all this publicity. My website went down in February to a DDOS attack that lasted 3 weeks, it cost me tens of thousands of pounds in lost revenue and bandwidth bills. Money that is needed to pay my suppliers, my bills and feed my children.
Saying that though, I am firmly for re-education of these kids and not jail time, they are simply too immature to understand the consequences of their little lulz games.
It was mildly amusing when they attacked Sony but it seems to be getting out of hand now. But the more publicity they gain the more they will want to hit the headlines.
To start with, I thought that it was a few people with a grudge. Then it looked like they were a bit naive, then stupid, now?
Now I'm not sure, but part of me wonders if it might be a group trying to drum-up support for cyber security / warfare? It certainly adds fuel to the US saying that they will declare cyber activities as acts of war (although it now seems that everything can be classed as war / terrorism nowadays and countered with deadly violence).
On the other hand maybe the completely different targets are the results of a google search for vulnerabilities, and they are going after anything that showed up?
I'm not going to bother posting anon; it would only encourage them to hack the Reg to get my details if they were that bothered...
I must be old but frankly I just don't get it. Presumably this group Luluz etc (and others) must put some considerable effort into doing this kind of thing but frankly I simply don't see the point of it.
All it does is irritate lots of people, cause inconvenience and misery. Hacking for profit or salacious sleb gossip I can understand (I suppose) but this?
Does upsetting some unremarkable average people's lives, make some people happy these days? I think it's quite sad.
You can't understand kids "getting-off" on seeing others suffer? How many times have you seen a public kharzi broken? A station waiting-room door broken? These arseholes who do it aren't around to see the effect of the damage they cause, they just know someone else will have to sort it out. They have made their presence known and that's the key to why kids do things like that, simply to let people know they exist.
This lot need rounding up and packing off for some re-education in manners, perhaps seeing the consequences of their actions. See the people who's emails got published now getting loads of shit in their inboxes and the possibility of being suckered by some scumbag scam email.
I can understand doing things for the fun of it and poking big companies with sharp pointy sticks and childishly going "nerr nerr, your security does suck" *blows raspberry*
But stealing information and publishing it is way over the line, adversely affecting thousands of innocent people while trying to dress it up as comedy simply doesn't fly. It's no wonder that the virgin teenager with no money in the parent's basement stereotype perpetuates so well because this is exactly the sort of thing those socially maladjusted people would consider "absolutely hilarious". I'm not saying they should be hanged, but someone needs to give them a brief introduction to manners and real life before they are lost forever.
Are these hackers blind? You hack a company or two every so often, and governments won't really care. You hack government agencies and Internet registrars every day and it's only a matter of time before they turn the Internet into a fully locked-down sandbox, with every individual computer needing to be registered and vetted or it isn't coming on, and governments having total knowledge of everything. "For our safety."
They are just making that day come closer with every attack..
It's not lulz. The group seem to be responsible for wearing out a word. Typically, the name LulzSec, linked with their activities and outcomes which are costs many lots of money; is unimaginative. Really? I mean, trying to impress other 4chan kiddies is *that* important. Can we have some real news. Perhaps if we ignore them long enuff, they will get bored and start secondary school.
Why are these people able to obtain passwords and email addresses anyway, seems to me like a lot of best practise is being ignored, perhaps the targets should have taken better care of our data and encrypted it rather than storing it in plain text, quite why anyone needs to store a password at all is totally beyond me.
Thats not to excuse the hack but it would limit damage.
My guess is that for most of the Reg readership, the concept that the internet is fundamentally insecure is old news. We have no safety or privacy, except that which we put in place ourselves.
But for the rest of the world, this is an overdue wake-up call. Your data is there for the taking in a lot of different places. LulzSec are screaming "The Emperor has no clothes". It's always been true. Now even the suits know it.
If you think the correct response is to crack down on LulzSec, then you have failed this part of your training session. Shooting the messenger doesnt improve the protection of our data. Suppressing the symptoms doesnt cure the disease.
"If you think the correct response is to crack down on LulzSec, then you have failed this part of your training session. Shooting the messenger doesnt improve the protection of our data. Suppressing the symptoms doesnt cure the disease."
Then cracking down on LulzSec may be the vital next phase of education. You have to demonstrate that it is not the answer.
Any burglar'll tell you that real-world security's much the same illusion.
So if a bunch of chavs bump-keyed, bumped or jimmied their way into your house, had away your valuables and shat all up the walls for good measure, your first reaction would be to roll your eyes, smile and say, "Well that's a lesson in security for me then!"
In the UK we have creatures called chavs, these are generally teenagers who hang round shops etc, intimidate people and vandalise phone boxes etc. These lot seem to be the Internet equivalent.
I don't mind hackers who expose bad security and tell the owner so they can fix it, even if they release stuff when the company ignores them. But lulz are doing it for no reason now, it's not even funny, it's just mindlessly destructive, just like chavs.
Government needs excuse to turn off the internet and gut it. Then we will be given access to a walled garden instead. Effectively just Facebook, but run on behalf of the government (like it already is). There will be no more DNS system. You just point your browser at Facebook, "the new internet", and write up everything you did that day, because it will be mandatory.
But first and most importantly of all they need the people to demand that something is done about "the hackers". This is just the start of a blitz that will have every newspaper in the country demanding outright enslavement before the year is out. Our politicians, although they really have no power over anything, are the useful idiots who will read those news stories and implement the police state. They have all the tools.
This is the capstone. Get ready to lose everything.
It took me a while but I also got hold of this list of passwords. Do note that the source of the passwords is still undetermined. One source says it came from Writerspace, another source claims that it was undisclosed and now ElReg speaks of an Australian ISP? Vague, vague...
While on their twitter account it seems (I don't do nor want social website nonsense) they claimed that it got from "their collection".
But lets assume that the source was indeed a website or ISP. What website or ISP would keep invalid addresses in their database? Look at the list yourself (its not that hard to find; once again distributed in plain text even). "hotmail.com.jj" anyone ? Or what about 1 e-mail address which appears multiple times with multiple passwords ....in the same section ?
It gets better.. I simply tried to verify a few addresses myself. Not by sending e-mails, that's spamming and intrusive. By using either the "verify" SMTP command or simply using RCPT TO: and check the results (after which I cleanly disconnect). Most tested valid but a lot also appear to be invalid.
How does any decent ISP or modern website (e-mail verification is so common these days) end up with non-existing (hotmail.com.jj) or invalid e-mail addresses ?
wrt the sections: there are three; one which lists "<password> | <email> | |". One which lists "<email> | <password>" and finally one which does "<number> | <password> | <email>".
Australian ISP? Its possible I suppose, but when looking at the list you'll notice that the majority are accounts from Brazil.
If people can break into systems and perform deep network intrusions as a spare time / hobby for shitz'n'gigglez'n'lulz imagine what the dedicated professional corporate / government / military sponsored types are quietly achieving ...
While doing it for the 'lulz' seems initially immature, pointless, stupid blah blah, it does beg the question "so what about other groups who are doing this, for reasons that have nothing to do with lulz"...
The media reported 'lulz' hacks are the tip of the ice-berg: what we're seeing above the waterline, and unnervingly illistrates that no one has any idea at all how deep the problem lies below the waterline...
Let's face it, Lulzsec wouldn't have been able to get at this data if it had been properly protected.
And for storing unencrypted passwords in a database, that's unforgivable in this day and age.
Granted what they're doing is causing lots of innocent people trouble, but that is because those innocent people are putting their trust into websites that do not deserve it. Lulzsec are simply bringing this out into the open for everyone to see.
If I told you I stored all your passwords and e-mails unencrypted, would you give me them?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
