
When they're attacking Sony it's "righteous" and "good", when they're attacking companies we like they're "bad" and "immature". They've always stated their intention is to create "lulz" and just do whatever damage they can, apparently people overlooked this when they were attacking people everyone "hated". Luckily Minecraft wasn't down for too long, some of us are directly affected by this stuff, sigh.

The internet is a shitty place.



These attacks are annoying and damaging but in the long run they make our internet stronger. If these didn't happen so often people would care a lot less about security and robustness.


Sure, and I can go around punching people in the face and tell 'em that I'm doing 'em a favour by reminding them to always wear a full-face helmet when out in public.

But if nobody except me is a big enough asshole to go round punching people in the face at random...


The difference is that one of those people could very well return the favor and give you a proper ass kicking, or determine your identity with relative ease and file a complaint with the police.

The disincentives that exist for your example and those that exist for actions similar to those taken by lulzsec are radically different.

The conclusion that people should walk around with full-face helmets is ridiculous because of the existing disincentives for assaulting someone. The conclusion that companies should secure their networks, not such an unreasonable expectation.


Right, the problem is that 'digital criminals' are a) not likely enough to get caught, and b) not punished enough if/when they are.

What we need are stronger punishments against digital vandalism and profit-oriented digital burglary alike, and more and stronger enforcement.

(not being sarcastic, in case anyone's wondering)


Good thing our politicians are listening and are prepared to clamp down hard on illegal filesharing.


I don't think it's that easy to identify the hackers. Even if you could, which legal jurisdiction applies? What are the legal remedies?

Securing networks is indeed a noble goal, but are we prepared to pay for the infrastructure?

The end result does not justify the means, and we all know how the story goes. More legislation to "prevent" hacking, and everyone suffers under the yoke of over-reaction.


You are ignoring the fact that China (a powerful recent player in math and physics), Russia (long time math and physics powerhouse), or any number of criminal elements have known about these security problems and have possibly been taking full advantage of them for some time, just skipping the publicity bit. LulzSec is, among other things, shaming the companies into tightening up.

Red teaming is a good thing.

Edit: to be clear, I agree there's no red-team value in DDOS. Though some have ascribed a "sit-in" utility to DDOS in certain circumstances (eg: Anonymous vs MasterCard after Wikileaks broke CableGate).


Wearing a helmet in public would be considered over-the-top whilst LulzSec are generally taking advantage of simple holes (not considered 'over-the-top') in the websites/servers of multi-million/billion dollar companies.


Silly comparison. There is no reason for people to wear a full-face helmet in public. There may be a reason for people to know self defense though, which is why some martial arts clubs go out on the town with the specific goal of beating someone up: to remind that person and everyone else who sees it that they need to know how to defend themselves.

Sure, life would be grand if no one ever broke into computers. Security is expensive and not remotely fun. But there will always be someone out there motivated to break in. It's good that these guys are doing it publicly. The more common and nasty ones keep their mouths shut and use our machines to do bad things.

EDIT: Made the text a bit clearer.


The attacks on the Minecraft and EVE servers were DDOS attacks. Nothing sophisticated, and the easy way to avoid them is to just get more servers, which really isn't a good solution for smaller developers.

EDIT: I suspect the only reason they didn't succeed getting to Blizzard is because WoW was down for Tuesday maintenance.


I suspect the reason is simply because they don't have the resources. EVE maxes out at about 35-40k simultaneous connections, WoW is probably closer to 400-500k per region.

edit - # of accounts is 360k vs 12mil.


They targeted the EVE login server however, and I doubt that is designed for 35-40k simultaneous connections, as to accomplish those conditions, all users on the server would need to log in at the same time. The same is probably true for WoW.


The login server for WoW easily and routinely handles an incredible number of simultaneous connections as huge percentages of the player base attempt to log in at the same time, particularly after a large patch. There used to be incredible issues with the login server, but these days Blizzard is an extremely tightly run ship. They know where their money comes from, and what it takes to protect the cash flow.


Maybe they'll raise awareness of security issues and get companies to take it more seriously. Or maybe we'll just see more security theater and companies will use their lobbying powers to put in place draconian laws against any form of "hacking".


I suppose a bit like firesheep has caused a lot of sites to start pushing SSL more aggressively and even looking into dealing with some of SSL's quirks that have kept it from gaining more popular usage.


If these didn't happen so often people wouldn't need to. Why should Random Internet Game care about security aside from dicks like these guys?


Because people that actually want your credit card info, game source, etc aren't talking about it on the web. They're just doing it.

If you care about the integrity of your data, you damn well better care about your security.


That's not what happened here, though. There wasn't any release of server info; from the tweets, this was just a string of DDoS attacks.

If my account information or personal details are vulnerable to theft somehow, I want to know about that. But if a server I play games on can be taken down by DDoS, I'd happily go the rest of my life not knowing or caring so long as it doesn't actually happen. It contributes about as much as showing me that that bridge I like to drive over is susceptible to bombing.

Not that I play any of these games, mind.


Absolutely true.

My credit card number was used from Turkey this week. I have absolutely no idea which website was compromised. And I am pretty sure that whoever was compromised has no idea either.


Might not be a website - my wife's and my debit cards were compromised last year within two weeks of one another. The only thing they had in common was that they're at the same bank; she has never even once used her card online.

Our conclusion was that Chase Manhattan had been compromised. That's kind of scary, really. They have to be spending serious money on security.


To clarify, by "they have to", are you stating a fact or making a demand? One would have thought that Citigroup would have had some pretty tight security as well.


I think I'm accentuating an assumption - and when I saw the Citigroup story, I had precisely the reaction you just expressed here.

And yet you know that Chase and Citigroup are spending money on security in copious amounts. My heart breaks to think of all those guys getting paid not to know jack. (Or, just as probably, all those guys getting paid not to be able to shove jack through the corporate process.)


It could have been coincidence and an offline compromise for your wife. There are a lot of skimming operations out there. Plus when you give your card to a waiter at a restaurant, nothing stops the waiter from copying your information.

In my case the fact that the purchase was made from Turkey suggests that it was an online compromise.


You do understand that lulzsec is deliberately publicizing acts that would usually go untraced, right? Security is security: If you don't have any and you house information, you will eventually be burned.

Yes it's getting annoying, but they're doing it for the lulz. You can't say the same about all the other malicious hackers.


Should I rob every house that doesn't have an alarm or leaves the window open?

I agree with you it "helps" to care more about security and robustness. But I don't agree in the way. I have a dream that one day my website with minimum security won't be hacked for lulz and will be treated with respect. =)


Let's phrase this in another hyperbole, shall we? Should you rob every bank that doesn't have an alarm or leaves the vault open? No. But if a lot of banks had no policies in place to prevent those things from occurring, would you feel more secure that someone was walking into the bank, taking photos of their break-in, and not stealing the money?

I don't agree with their means (it's wrong, IMO, to mess with any machine you don't have permission to mess with) but their end goal aligns with mine: make the world more secure.

> I have a dream that one day my website with minimum security won't be hacked for lulz and will be treated with respect. =)

Would you rather have your site hacked for lulz, or would you rather someone go in and sell your customer's data on the black market?


But if these are just DDOSes, then (a) there's no way to steal sensitive information that way, and (b) there's no real defence against 'em anyway. So this particular argument is pointless, right?

There's an argument for whiteish-hat intrusions, but DDOSes must be intrinsically black-hat, right?


>DDOSes must be intrinsically black-hat, right?

No. While I agree there's no red-team contribution in a DDOS, quite a few people regarded Anonymous DDOSes on Wikileaks detractors (MasterCard, et al) as the digital equivalent of a sit-in. That seems a bit of a stretch to me also, but certainly there's some application of DDOS that's not purely black-hat.


Yea, I'd definitely agree in the case of DDOSes -- they don't seem to make sense with their other attacks, even. Silly and destructive.


Should you? No. But I guarantee if you did, the publicity would educate people about locks.

A more apt analogy might be: opening a poorly locked door to a business, then walking behind the counter and grabbing full print-outs of all their customers' information that was left lying there.

I hope you don't take the same lax approach to security when it's more than your personal documents at stake.


You make it sound like we should congratulate lulz for good work.



