LulzSec brought down by own leader (foxnews.com)
198 points by techinsidr on March 6, 2012 | 130 comments



Funny that right around the time he was arrested, Lulzsec declared they were done and sailing off in their Lulzboat. Then they reappeared a few months later, probably started back up after Sabu went to the narcs. Luckily this was only after Anonymous put together their new decentralized teams that do the footwork now. Lulzsec is just a name now, very little work is done by their namesake anymore.

The writer is a bit confused. Topiary was caught way before this round of arrests.

Also, there has been a significant belief for months now that the "Real Sabu" disappeared and was (maybe) arrested, or that he was never an individual but only a name the group used for PR. Finally, there is significant doubt that Kayla is a single individual as well.


In short as usual we don't know anything ...


"Luckily this was only after Anonymous put together their new decentralized teams that do the footwork now."

"Luckily" ?


Luckily for them and, in my opinion, you and me as well.

Edit: Feel free to downvote, please tell me why my opinion is not a valid contribution to the discussion.


> Luckily for them and, in my opinion, you and me as well.

Elaborate, please?


In short, Anonymous targets and humiliates authoritarians and those who service them. This is at the core of my morality.

Their hacks illustrate the glaring weaknesses of our technology and that the incompetence in infosec so often spawns from negligence at the highest of levels in the industry. Despite this, powers that be (nation-states, militaries, and regional law enforcement) invest nearly nothing in securing their (public) assets. They demonstrate that organizations like Sony, the State Department, and the Pentagon can go months without even knowing of full-root breaches, only to wait yet more months to inform the public.

Luckily, Anonymous does all this for the sake of Teh Lulz (public humiliation), rather than corporate or state espionage.


> Luckily, Anonymous does all this for the sake of Teh Lulz (public humiliation), rather than corporate or state espionage.

Or so they say. There seems to be an awful lot of blind trust that Anonymous (or people claiming to be Anonymous) really do have the goals that they've stated. If Anonymous, or a splinter group, goes after some random company, ostensibly to humiliate them, what's to say they're not being paid by the company's rivals?


I tend to agree with you. They have been going up against publicly unpopular targets, so few have questioned them thus far, but there's no reason that can't be a ruse.


Part of the problem here is the fact that they really are anonymous, so if Anonymous goes after two different targets on two different days, there's no way to know that it's actually the same group both times. So even if you could prove beyond a shadow of a doubt what their goals were for one particular attack, that would have zero bearing on the motivations and goals behind any subsequent attack.


I wouldn't, troutwine is probably informing as well!

Why else would one pretend to be so dense except to get you to go on the record as supporting Anonymous?


Publicly supporting anonymous isn't illegal.


No shit.

I honestly thought that statement was so stupid that it didn't need "<SARCASM>" or the like.

Guess I was wrong. Not about how stupid a reference to getting someone on the record as "supporting anonymous" was, but about not needing to telegraph the joke here.


I reckon a huge proportion of blackhats in the scene are working for the feds.

Some kid with no record gets thrown in a van by men with guns, and the full force of police psychological manipulation is brought to bear on them. They get told they're irrevocably destined for a lifetime of being brutally raped in the showers.

Is it any surprise that these young men with no experience of foul-play or maliciousness outside of the virtual world fold and turn informer with such regularity?

If I were an active blackhat, I wouldn't talk to anyone, ever. I wouldn't even invent a pseudonym, that's the first step to ending up on fox news.

EDIT: Eric Corley, publisher of 2600, thinks it's one in four: http://www.guardian.co.uk/technology/2011/jun/06/us-hackers-...


Groups allow information trading. It is basically essential if you want to cash for your hacking activities, such as carding and 0-day selling. I am not totally familiar with "the scene", but I'm pretty sure there are plenty of incentives for hackers to regroup


Grouping to trade 0-days is totally different than grouping to DDOS a website. I'm pretty sure the former won't end you up in jail, either.

But, I think the OP is right. The only successful (for lack of a better word) black hat is going to be a loner.


The most successful ones work for the feds while squirreling away the proceeds. The feds don't mind cultivating crime if it's increasing their numbers.


Actually, criminal copyright infringement is a $250k fine, 5 year felony, in the US. Pretty amazing. You are vastly more likely to be prosecuted criminally if you're part of a group, and especially if you focus on 0-days. Even more likely if you sell things, charge for advertising on your site, etc.

The DrinkOrDie people got a lot of 3-5 year sentences. http://en.wikipedia.org/wiki/Operation_Buccaneer


Parent posts are probably talking about 0-day exploits rather than 0-day warez.


Doh, of course.

DMCA still makes some 0-day exploit research not totally safe, either. https://www.eff.org/wp/unintended-consequences-under-dmca I don't know if anyone has been successfully convicted, but a lot of prosecutions have come up, and that's enough to deter many people.


Not 0-day, but you might find it interesting:

http://en.wikipedia.org/wiki/DarkMarket

DarkMarket was an English-speaking internet cybercrime forum created by Renukanth Subramaniam in London that was shut down in 2008 after FBI agent J. Keith Mularski infiltrated it using the alias Master Splyntr, leading to more than 60 arrests worldwide. Subramaniam, who used the alias JiLsi, admitted conspiracy to defraud and was sentenced to nearly five years in prison in February 2010.

The website allowed buyers and sellers of stolen identities and credit card data to meet and conduct criminal enterprise in an entrepreneurial, peer-reviewed environment. It had 2,500 users at its peak.


That reminds me of Albert Gonzalez and The Great Cyberheist (http://www.nytimes.com/2010/11/14/magazine/14Hacker-t.html?p...) - awesome story. Gonzalez was broken by FBI and became their agent - but then he got somehow bored by the cooperation and returned back to his underground activities while still working for FBI.


What do you mean you "wouldn't even invent a pseudonym"? What does that have to do with getting caught?


As you get more attention the chance of getting caught increases, I'd imagine.


I also think that a lot of black hats are working for the feds. But I think it has more to do with their lack of integrity and morals rather than threats and intimidation.

Legal advice is a big part of black hat literature, so I don't think any of them can claim ignorance.


There's also the ones that actually have morality and integrity and thus find honor in serving one's country.

This doesn't mean that everything the Government does is beneficial to society, but people seem to forget that many government employees have good intentions.


> There's also the ones that actually have morality and integrity

...

> and thus find honor in serving one's country.

Error! You may like "serving one's country", but you have no business claiming it is inherent in honor, morality, or integrity.


Not to mention, they wouldn't typically have met their co-conspirators face-to-face. It is much easier to turn on an anonymous handle on the computer screen than a human face.


That's true. Also, unlike other criminal organizations, 'ratting out' your hacktivist co-conspirators isn't harmful to your health.


Oh Fox News. Even when reporting on something legitimately interesting and out of the ordinary, they have to use very un-journalistic phrases like "...allegedly commanded a loosely organized, international team of perhaps thousands of hackers..."

"Perhaps thousands"? Perhaps millions! Perhaps five. Ugh.


There's a slightly less breathless and more coherent report here: http://www.guardian.co.uk/technology/2012/mar/06/lulzsec-sab...


Give credit where it's due: Fox News broke this story. The Guardian report appears to be based solely on the earlier Fox story and public documents.


It has nothing to do with giving credits. I (and I'm sure many others would also) like to read less tabloid-y and factual reporting anytime and so would prefer to read the story on Guardian than on Fox.


But the quotes are literally lifted from the Fox piece. The Guardian does not add much new reporting, it just lays out the existing facts in a way you find more agreeable.


Which is what I thought I made clear when I linked to it i.e. same report, less hyperbole. Perhaps you would have preferred it if I had used the word "version" rather than "report"?


the Guardian is a re-blog of an original fox story. you are showing a bias


They use lots of confusingly contradictory language to puff up the arrest, like: "the head of LulzSec" then immediately following with "the loose network of hackers", and contrasting "loosely organised" with Sabu being at the "nerve centre", and also "perhaps thousands of hackers" whereas they claim to know they're arresting "top-ranking members".

So simultaneously acknowledging they're taking out a member of a distributed network but also talking up the importance of that member. Strange.


You really don't see how a group could be both "loosely organized" and yet also have members who act as leaders?


Sex! Drugs? Maybe. Rock and roll? We'll find out!


As a former blackhat and ID thief who used to spend a lot of time in "underground" chatrooms and forums this doesn't surprise me at all. This is a standard pattern LE follows. Start with small arrests, work your way up, get someone at the top level to be an informant, take everyone down. Works for any type of group.

This always works because people are foolish and too trusting. The best rule is to assume everyone is LE trying to catch you. That means never revealing info that can lead back to you, never telling anyone personal info, your general location (eg the weather), always using 7 proxies, etc.

People who don't break the law would probably be surprised how much personal info crackers give to their online "friends". Less so on fraud forums but it still happens.

As some other people mentioned read "Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground" for more info on how LE works. The FBI took over a few carding forums and Secret Service also had high level CIs.


> The best rule is to assume everyone is LE trying to catch you.

This sounds wise. But I'd argue that it's wiser to not be engaging in activities where you even have to worry about that. If your rule is the best rule, my rule is even better. :P


Non sequitur. If you don't do something, negative consequences won't happen. You can say that about anything. Don't have sex if you don't want STDs, don't drive a car if you don't want to get into an accident, don't walk down the street at night if you don't want to get mugged.


you missed the point


This article claims billions of dollars in damage. If this is what the FBI is saying, they are wrong. Lulzsec damages don't even approach a million dollars, most likely. Billions of dollars is how much money it costs to do things like provide universal health care for a small state. The FBI should investigate real cases and not treat a bunch of merry pranksters like they're a bunch of super terrorists.


Costs in hacking cases are mostly measured by time spent investigating & repairing * fully loaded employee costs. If you have to dump a bunch of servers and reload everything and audit your backups the costs rise very quickly.


True, but companies on the receiving end often end up also including the cost of things that they would need to do even in a responsible-disclosure scenario. For example, if you discover a major flaw in a company's system that allows high levels of access, and disclose it to them, they'll typically incur considerable costs patching it, rolling out the updates, doing a security audit to make sure it wasn't already quietly discovered earlier by a blackhat who might've backdoored something, etc.

When they do all those same things upon an actual intrusion, they often attribute the expenses to the hacker, but imo they're really attributable to the security flaw, since they'd be incurred even in the whitehat case. I'd only attribute to the hacker the delta between what blackhat disclosure and whitehat disclosure would cost.


You're absolutely correct - there are a lot of things that get rolled into damage cost estimates that aren't legitimate. I was just trying to explain how it's pretty easy for the actual & legitimate costs to be quite high as well.


Plus, takeout for the guys working the case.


The cost in donuts alone would be staggering.


Review all of the unjustified attacks LulzSec was responsible for: http://en.wikipedia.org/wiki/LulzSec

Easily in the millions.


But terrorists are hard to catch, and you have to find them in dirty, unfriendly places.

These guys are relatively easy pickings, and the work is more fun because it's urban.

Ambitious federal agents and prosecutors are much more enticed by the latter.


It may include damage to reputation -- Sony could easily claim hundreds of millions there.


I didn't realise they had any reputation left to be damaged.


We are still in the stage of these groups being very amateurish. It will take a few rounds of purges until really committed+careful+smart organizations emerge.


This is mistaken.

Committed/careful/smart organizations already exist. But they aren't motivated by publicity and lols. They make serious money through industrial espionage and financial fraud, and they stay as under the radar as possible. Everyone who has a credit or debit card has likely experienced having that information being stolen in one way or another. Those activities aren't just accidents or pranks by bored teens.

Organized crime is well invested in these sorts of things, and for every one incident you hear about there are dozens or hundreds you don't.


Yes they definitely do exist, but I am referring to the ideological types not the straightforward crime for money. Also need to consider the fact that resources brought against Lulzsec etc were orders of magnitude more than what normal credit card fraud criminals have to deal with.


How do you know they haven't already? Committed+careful+smart probably wouldn't issue press releases.


Sure they would, they'd just be smarter about it. The point of hacktivism is publicity. If no one knows what you're doing, you're not being particularly effective.


I want to refute your point with the mention of Stuxnet. Please correct me if I'm wrong but up until now there are no groups that have owned up to the virus. There's evidence and much speculation to point it towards Israel gov't but no definitive proof.

A lot of the content that surrounded Stuxnet also hints to further organizations existing behind the veil. There were at a minimum 3 0-day exploits present in the virus that would have to have been operated from behind the scenes. It is extremely unlikely that a single group was able to create such a virus without external resources.

In the end you don't need to issue press releases and the like. You need to get in, do your damage and get out. Let the damage reveal itself in time and it's considered massively successful. Those fighting the Iran nuclear program did more while keeping their mouths shut than any loud group ever has.


Stuxnet was cyberwarfare, not hacktivism. The point of Stuxnet was to disable infrastructure, whereas the point of much of what Anon does is to get attention. Now, granted, that doesn't require the ego-driven hacks and braggery that we've seen from them, it simply requires getting in, getting out, and posting the data anonymously then promoting and publicizing the data, not the hackers. I suspect you may start to see more of the hacker cells aligned with anonymous take this approach in the future to minimize the heat that they feel personally.


Great distinction of cyberwarfare and hacktivism ... it's unfortunate that both get shown in the same light while they clearly have different motive behind them.


I'd say the point is to inflict financial pain on who they are attacking, the publicity comes second.


For a group, that would take lots of discipline. Not impossible, but not very likely. Even Feds, Chinese and Israeli "teams" suffer unwanted leaks --and these are trained people. People who go thru psychological profiling, shaping, and get reminded by the bureaucracy probably on a frequent basis.

It's hard for me to imagine a loose-knit group being able to pull this discipline off long-term.


Sure, but people are aware of the US, Chinese and Israeli teams, and they actively try to sabotage them, often with some pretty fantastic resources.

Nobody's stolen my social security number (knock on wood), but Todd Davis has had his identity stolen over a dozen times.


Ssshh... they're on to us now!


Just because unlucky/stupid/lazy criminals are getting caught doesn't mean lucky/smart/cautious criminals are not already at work.


This is a pretty impressive rollup by the Feds.

Seems like an inverted flipping maneuver. Rather than starting with the small fish and cutting deals up to the top, they hit the ostensible mouthpiece/leader and wrap up all of the other folks in the org so that it doesn't splinter off and create successor orgs.


So these dox were accurate after all?

http://news.ycombinator.com/item?id=2697398


accurate for sabu but not the rest it seems



From the rt story:

> Monsegur pled guilty to several charges of computer hacking conspiracy, for which he could receive a maximum of 124 years behind bars.

That's what a serial killer would get. US law is ridiculously tilted to corporations.


Note that he hasn't actually been sentenced to 124 years. We're talking about multiple stacking charges here. You could get multiple charges of parking too far from the curb and it could add up to thousands of dollars, but that doesn't mean the parking fine is too much.

More than likely, it'll be reduced to a sane amount when they compile the charges. 5 years, maybe 10 (maybe more). The actual sentence (minimum sentences notwithstanding) is almost always up to the judge.


Yup, maximum sentences are actually generally there for the protection of the defendant; they put a ceiling on sentencing. Without them sentencing would be entirely up to a judge's discretion.


Maybe punishments shouldn't be linear.


No surprise here considering that 25% of hackers cooperate with law enforcement[1]. These people aren't hardened members of violent crime organisations like Gangs or various mobs and are probably very easy to "break". On the other side hackers tend to trust each other way too much and share personal details inside their group which makes infiltration very easy. Sure you can be behind 7 proxies when you hack something but that doesn't matter as soon as you start talking to your hacker buddies about your personal life without using OTR or even bothering to sign into chat services with a proxy. As soon as you start sharing details about how you're in love with a girl or that you feel depressed or you are about to order pizza at place X it's pretty much over for you.

These hacker groups are like a clique, a social circle of friends, but most "hackers" don't think that their "friends" will rat them out in a second. Most of them probably have never been interrogated or even had any contact with law enforcement and are therefore very easy to intimidate.

[1] http://www.guardian.co.uk/technology/2011/jun/06/us-hackers-...


> the unemployed, 28-year-old father of two allegedly commanded a loosely organized, international team of perhaps thousands of hackers

Sounds like he was pretty busy.


When you're unemployed all you have is time. I think he only had partial custody for his kids.

It lets you fit railing against governmental entities and directing 20-somethings--who also don't have full time jobs--seamlessly into your schedule, all with convenience from your government subsidized housing.


Working with the FBI for the lulz?


for the lulz indeed.

What a dick, though..


How can anyone with a tiny bit of intelligence claim that he did any wrongdoing by helping the FBI?

This does not imply that helping law enforcement is always ethical. In this case, helping law enforcement take down these criminals is not a "dick move".


You seem to be implying that assisting law enforcement is always ethical. It's not, just like breaking the law is not necessarily unethical.


[deleted]


It's never ethical. Even if the ends morally justify the means it's still entrapment.


Never ethical to assist law enforcement? Never??

Come on man.


Some could call it a visible display of repentance.


The difference w/ terrorism is that it intentionally targets civilians. It is always odious. The ends do not justify the means.

Note: there is a lot of grey in the world, but intentionally targeting the innocent is black & white.


Careful here, civilian is not the same as innocent. For simple obvious cases of this: technically NSA, FBI and CIA people are civilians, as are government contractor employed security forces... It gets fuzzy pretty quickly.

There is also the question of whose version of innocent you use, for example if my moral/ethic system says X is a terrible offense and your system says X is just OK, which is most applicable to the classification of innocent? (for a simple concrete instance of this, look at the global variations of views on homosexuality, ranging from "it's nothing we should care about societally" to "we should care and embrace" to "it is a death penalty offense" -- not making any statements here on the debate, that is tangential to this). The situation needs to be looked at with an eye towards intent as well as just questions of innocence.


Thanks for the down vote because you don't agree?

He broke a trust barrier. He is just as guilty as the peers he just sold out.

Now what? He just sits back and kicks it good while his friends get canned?

Clearly, you would let your friends take a fall for you when you're just as guilty.


Well, that's the Op's opinion and here is yours. Your points of view differ, deal with it.. why the intelligence thing? That's certainly nowhere close to being intelligent.


Having read Kevin Poulsen's 'Kingpin', one could not expect a different result.


shocker... but like anonymous/lulzsec continuously said, you can't kill an idea. another group doing it for the lulz perhaps sooner or later will come up


Of course you can't kill an idea. Wait, what was the idea again?


The 21st century equivalent of setting a poop-filled bag on fire on someone's porch, or something along those lines. But without actually requiring anything so taxing as getting up from the computer, going outside, and running.


The only difference is that instead of people thinking that it is a harmless prank they will send in homeland security/swat team/etc with loaded weapons.


Although I would agree their politics and aims were pretty scattershot and unfocused - that's a little unfair don't you think?


> you can't kill an idea

Yet no one worships Melqart any longer.


Or, a bit more recently, Catharism was killed very successfully by the Catholic Church and a lot of soldiers:

http://en.wikipedia.org/wiki/Catharism

You can kill an idea.


"The offshoot of the loose network of hackers, Anonymous, believed to have caused billions of dollars in damage to governments, international banks and corporations..."

Wait .. what ... !?

We are talking about those guys with The Love Boat theme right?


The Fox News reporting can be supplemented by the official FBI press release on the arrests:

http://www.fbi.gov/newyork/press-releases/2012/six-hackers-i...


No honor among hackers?


One question: If the FBI knew of additional hacks that could expose things such as customer credit card numbers, should they have intervened? Did they intervene?


If they were involved in an operation to export thousands of guns to Mexican drug gangs[1], surely killing hundreds in the process, then yes. If they knew, they probably wouldn't intervene. Even still, few (any?) Lulzsec attacks actually leaked unencrypted credit card data. Even then, the damage done by exposing credit cards is pretty negligible anyway.

[1] http://en.wikipedia.org/wiki/ATF_gunwalking_scandal


Forgive me if this information is not correct, but wasn't their latest attack of Stratfor exactly such a hack?

I recall that Stratfor kept a lot of customer information in plaintext, including CC's.


I wonder what will happen to Sabu after this?


Probably lots of phone calls, some random unsolicited pizza appearing on his doorstep, and all kinds of slander on every chan board ever made.

Oh, you mean IRL? Dunno. You'd think they'd have cut him a deal for helping them out.


They will have cut a deal with him already, however that deal usually means reduced jail time in an easy prison, he still has to be charged with the offences. His "good behaviour" is then taken into account by the prosecuting authorities when sentencing him.

They arrest him and publicise his arrest as psyops, any other hackers out there see that the #1 from lulzsec was caught and turned therefore who knows how many lower level hackers have also been turned, thus it increases the paranoia within hacker circles.

Of course this works 2 ways, first off it scares people off from hacking or being involved in it and makes them more likely to turn tail and rat out anyone they know who is undertaking nefarious online activity in an effort to protect themselves. The second response is the one they don't like, these groups become more security conscious, go deeper underground, become less likely to admit new members, etc. This is counterproductive for the FBI as it makes it more difficult to catch them later down the line.


It's not just the assistance to authorities, but the fact that he brought actionable intelligence that brought arrests towards others. His getting other LulzSec members arrested and prosecuted is key to diminishing his own sentences.

Other hackers have offered help and not proven useful, only to find themselves up a creek with little to no lightening of their sentences.


You've got it wrong. Typical chan-goers don't give a shit about Lulzsec and where they do the opinion ranges from tepid to disdain. This is especially true of the one notorious for pizzas and phone calls.

If there's any kind of response to this news it will most likely be mocking.


Movie deal.


It will be a while before we have a real sense of how "crippling" this rollup really was.


It's strange that it was revealed at all whether he works with the FBI. Is that normal? Why not keep it secret for somewhat longer to catch even more hackers? Exposing him as informant could also bring his life in danger.

This makes me doubt the truth of the story a bit.


There is propaganda value in revealing it. I'm guessing they're hoping that members of other groups are going to start asking themselves "if lulzSec was infiltrated by the FBI without anybody noticing, then how can I be sure that they haven't infiltrated my group as well". At the end of the day scaring people into not committing crimes is better for everybody than catching them after the fact.


Yes, the propaganda angle is clear, and exactly what makes me doubt the story (especially as this is fox news we're talking about).


So did someone from 4chan actually phone the FBI as threatened last June?

See http://i.imgur.com/HlHnJ.png if you don't mind coarse language...


What an ass.


You're joking right? Sure, he WAS an ass but at least he did some good by helping the FBI take down these criminals - enjoy jail.


Is this the ultimate troll move?


Well, you can pretty much imagine how it went down. FBI caught up to him with threats like "eh..you are unemployed, and you still have two kids. You want to see them in foster care system?" ... well, no surprise there. too many buttons that FBI can push on this guy


Vapid speculation based on TV plots doesn't really help the level of discourse at HN. Given the list of hacks and the outrageous hacking laws in the US, the default penalty could easily be life in prison. I wouldn't think the Feds would need to push much harder than that.


It's not exactly vapid speculation. It's what's been reported by Fox news. I'm not sure how trustworthy their source is but here is the quote:

> “It was because of his kids,” one of the two agents recalled. “He’d do anything for his kids. He didn’t want to go away to prison and leave them. That’s how we got him.”

http://www.foxnews.com/scitech/2012/03/06/exclusive-unmaskin...


Vapid or not, everyone is entitled to their opinions. If you can't accept that, you are not welcome on HN discussion either. End of story.

Simply stated, if HN is heading towards Reddit-like behavior where comments must gear towards "singular" minded thinking, that's also the day I stop visiting this site.


I think it's a bit naive to think that what's been dubbed 'hivemind' behavior is absent on HN. I think it appears on every site, differing just by degrees. The threads on the recent GitHub hack were quite telling.


They defaced a few websites and stole plaintext/unsalted databases, and Fox makes them sound like terrorists. How surprising.


Any idea why they don't mention the nationality of Hector Xavier Monsegur? His name sounds like Spanish or French but it could be otherwise. In the end, it's confusing and I can't really get a geographical idea of the Lulzsec thing.


According to Wired, he lives in New York.

http://www.wired.com/threatlevel/2012/03/lulzsec-snitch/


Why does it matter?


US national - NY.


Apparently he's Puerto Rican but lives in NY (at least according to: http://www.guardian.co.uk/technology/2012/mar/06/lulzsec-sab...).


Can someone image link so I don't have to go to fox news?


So a guy hacks github, he's a hero. A guy hacks a bunch of media organizations, and he's a villain. I really don't understand the groupthink these days.

How is one of these okay, and the other not?



Your error is assuming there is groupthink.



