42 comments

[ 2.8 ms ] story [ 107 ms ] thread
i agree with what they did in terms of showing that the security of the government sites, banks, and important sites suck.

but i very much disagree with this. this seems like a bunch of hackers that just want attention. not a team of hackers that want to prove a point of insecurity.

the fact that they specifically don't say the source of where they got the information from is a proof for that

You're just encouraging them.
These kids seriously need to be punched in the face. "For the lulz," as it were. Or perhaps "for great justice" would be more fitting.

Is there any way we can help these 62,000 people? I'm reading through the password list now, and many of these passwords are to people's gmail accounts. I see a comcast account too ... you could probably access billing info just with that password alone.

It feels like our duty, somehow, as good internet citizens, to help these people out. Many of them are probably mom'n'dad-types ... they have no idea what a "Database" is, let alone what it means for one to be leaked.

But we can't just go and change their passwords, even if it's for their protection, since it's the password to their email account and we have no way of notifying them.

Parse & collect email accounts, send emails (in serial) and weep as it gets gobbled up by gmail's spam detection.

A more realistic alternative might be to notify Google with a machine-readable list of email addresses the passwords for which have been compromised so they can do a system notification of these users without fear of getting eaten by spam filter.

Im already on it, at least for domains that I am a part of or know people in
It's done. Redditters took care of that.
We can help by getting them to have different passwords for different services. We can help them by forcing companies to make security a priority.

As a good internet citizen you should be more worried about the companies that you have accounts with and getting them to improve their security before this kind of thing happens to you.

I wonder how well it would go over if every time you signed up for a service, that service would try to log into the e-mail account you provided with the password you provided - and refused to create your account if it succeeded.
That... is an awesome idea.

If you blog about it and submit it, I'll upvote it.

I guess it's time to start me a blog. I'll see if I can get it done this evening.
This is nothing. Remember the pastebin submission earlier this month? I wrote my own little pastebin scraper, and within 20 minutes saw at least three compromised Facebook accounts - one was a keylogger that was watching as someone was reactivating their account because it was shut down for suspicious activity.

I really thought about sending them an e-mail, but then I'd be an easy target to blame.

How do we know they are accounts from writerspace?

EDIT: never mind... `cat LulzSec\ Delivers.txt | grep writerspace`

Also sent a warning out to the one email i found which was on my schools domain.

(comment deleted)
Prolific & brazen criminals = enormous egos. They won't stop until they are stopped.

edit: My PR senses started tingling on further reflection.

The best way for LulzSec to be countered is in the PR arena. Since they're already bad guys, and since they've already worn out their folk hero sheen, it does no good to villify them.

The best way is to steal their thunder. An organization of people who make a concerted, publicized effort to mitigate damage to the random victims caught in LulzSec's blast radius would definitely steal the limelight.

It's similar to responding to a forum troll by making fun of them. Take away their momentum and make them a pawn in your press releases.

Sadly, I doubt they can be stopped.
No one is infallible, it's only a matter of time until they slip up. They're making a rather large footprint
I think calling it a "large" footprint is an understatement. My conspiracy buddies are going nuts with the idea that its the government trying to convince us to hand over our internet freedom to them. I wish i could laugh at them with confidence
Well said. I'm not completely convinced this isn't the government, and I'm definitely not normally a tinfoil-hatter. I think the most likely scenario is that, like the ATF's blind eye toward gun-runners on the Mexico border, an agency or agencies have been ordered to turn a blind eye for now.

The chickens are coming home to roost on the ATF thing and I sincerely hope that, if my suspicions are true, they do the same on this.

Agreed @ the understatement.

I'm not sold on this being one gigantic government conspiracy. I wouldn't doubt the existence of this being one giant social engineering tactic, but something in the back of my head tells me otherwise. I stand by the belief however that this group is just further enabling the US and other nations to take actions against internet freedom by their tactics against it.

Their twitter account needs to be suspended. It's being used to distribute the proceeds of criminal activity.
To what end? So they can create another? And another? And another? I'm quite sure they can create new accounts faster than Twitter can delete them, and the last thing Twitter wants to deal with is MORE spam. Smarter to contain the issue.
Surely they could red-flag the term "LulzSec"?

Yes, I'm advocating some well-thought-out censorship in this case.

Anonymity + audience = lulzsec. If we remove the audience, we remove LulzSec.

This is a profoundly short-sighted and ignorant position for many reasons.

1. You will give far more publicity to LulzSec than they are already getting by acknowledging them as such a severe concern you've pulled your engineers off other more valuable tasks to enact draconian and totally meaningless interdiction efforts

2. It won't actually shut them up. LulzSec is an example the ultimate asymmetrical enemy. They have fewer numbers, fewer financial resources and less technology, but have a mastery of the terrain. You don't defeat a guerrilla by pretending they don't exist. You do not attack them where they are strongest.

3. You're not actually achieveing anything here. Twitter isn't exposing itself to legal vulnerability here, and you certainly wouldn't shut up LulzSec for even a split second by just taking away their Twitter account.

I mean, honestly, have you thought this through at all? Have you paid attention to anything in the last 20 years? This kind of short-sighted feel-good finger-in-the-dyke measure is exactly why we're all sitting here screaming into the wind about copyright and piracy. What a shame that there are so many people who think this is the way to handle serious issues on the Internet.

I mean, honestly, have you thought this through at all? Have you paid attention to anything in the last 20 years?

Nope.

You're correct. When I'm presented with a problem, I tend to point out the first solution that comes to mind. If there are secondary problems, I refine the solution until the problem is solved.

In this case, the secondary problems would be that LulzSec would gain more audience, rather than be effectively censored, due to the Streisand effect. (http://en.wikipedia.org/wiki/Streisand_effect)

Do you have any ideas for a solution?

Let's put it another way. What you said really upset me and I'm just totally against that kind of statement/behaviour. I'm advocating some well-thought-out censorship in that case.

Those things just depend on which side of the fence you stand; that's why they shouldn't be considered.

As Voltaire said or Evelyn Beatrice Hall wrote: “I disapprove of what you say, but I will defend to the death your right to say it.”

(comment deleted)
Would you really want to stop them? Would you really want to pour your time and energy into stopping them?

Why would you do that when there are more dangerous things happening, such as companies not securing their websites and databases or governments that are trying to lock down the internets?

I'm more worried about governments having LulzSec's capabilities than LulzSec.

You're more worried about governments having capabilities like finding sql injection flaws in web apps and renting small botnets for and hour or two of DDOS?

The horror.

We could like, stop submitting/up-arrowing a link to HN every time Lulzsec hacks some place -- which seems to be multiple times daily at this point.
Lets see LulzSec and Anonymous trying to out do one another.. and mixed in the possibility that both are being played by government agents to get info on wikileaks..

Nothing good will come of this..

Honestly, the more you rage about this in comments here, the more they love it. Stop caring, it's the only thing you can individually do to reduce their power. Unless you're working for the cyber police.
It's a great time to be a security specialist. People who know their shit can probably make an absolute killing right now consulting for companies.

And all companies should be on red alert, because if nothing else, this is an amazing wake-up call about security.

So why isn't anyone upset that writerspace.com is storing passwords in plaintext?
Why o why do developers keep storing plain passwords in databases. They should store hashes instead.
That's not good enough. Scrolling through the list, I haven't seen any password that I can say with certainty couldn't be either brute forced, dictionary attacked, or found in a rainbow table.
There's just no class (as if there could be any in hacking) with LulzSec. I could be on the side of a hacker with cases like Kevin Mitnick. These guys are just dicks.
Please stop upvoting this blogspam posted constantly by unixroot. He's clearly doing this to promote his site, thehackernews.com

I imagine he's made a killing lately with all the Lulzsec drama that gets reflex upvoted. Just more noise and blogspam. He submits several stories a day exclusively from that domain, thehackernews.com

I'm not convinced these are real. A lot of the passwords are surprisingly cryptic - not the usual collection of bananas and children's names you might expect.

Assuming that most people use the same username and password for most things, and that AOL users will be the least sophisticated I thought it would be interesting to verify 10 of the combinations which had an AOL address against AOL. Not a single one of them actually worked and I'm inclined to wonder whether (happily) this isn't just a hoax.

Would it be acceptable for someone to post a list of just the passwords? I would love to add them to my collection of passwords that are not allowed.
I tried about a 100 password/login pairs and none worked. Perhaps they've all been changed, or maybe this list is fake.
I've got to admit to finding a few of the things they do a little amusing in a somewhat childish manner, but this sort of thing ruins what little (debatable) good comes from their politics.

If they are going to keep on hitting targets like this just because they can then, they could at least release only the email addresses and not the passwords, which will illustrate the point and allow affected users a chance to know they are at risk from the sites policies whilst reducing the immediate risk to their data.

Obviously what the could actually do is just release nothing and work with administrators to correct the errors, but then they wouldn't be garnering the publicity they so obviously crave.