85 comments

[ 4.1 ms ] story [ 152 ms ] thread
Faction warfare.

EDIT: I got downvoted, without a reply. So, explain how doing this sort of thing is not faction warfare?

The details of israeli credit is leaked by anons from the house of Saud. This is clearly a faction issue. It is not likely government sponsored (though likely condoned) and as a religious rift exists between jews and muslims, the word faction applies perfectly.

Jews, muslims, christians; all factions within religious zealotry.

I think the term is 'sectarian'.
A sectarian word for factions.

Tomato Potato

--- Sectarian:

of, relating to, or characteristic of a sect or sectarian

limited in character or scope

---

Faction

a party or group (as within a government) that is often contentious or self-seeking : clique

party spirit especially when marked by dissension

---

You would be a fool to claim that sectarian skirmishes are not also political, given the widespread theocratic nature of governments under both muslim and jewish rule.

In this case - this is an attack, while premised on the appearance of religion, is actually a theocratic/political-religious attack.

Curious to see how the general consensus of Anonymous falls in line with this. Lets not forget the long history of black hats in Israel.
Interesting. I wonder, have there been other examples of religiously-motivated hacks on this scale?
Religious or political? I suppose in the Middle East the two are conflated.
I have an israeli credit card. I'd have liked to understand where this was leaked from. And - well - make sure that mine is not among them.

Unfortunately (or fortunately?) the file isn't available any more.

I also have three of them...

I think once that file was online even for a few minutes, the card numbers mentioned in it are not safe anymore. It will be leaked again.

If it's not some kind of provocation (files with false data) then this is a pretty big crisis. I'm going to have to monitor my credit card logs closely in the next few weeks...

Which one is more safe? Letting it go so media picks it up, forcing people to renew their cards with less damage to end users or covering it and let the underground community sit on it, using random cards time to time from an endless stash?
As a possible victim I prefer spreading the list as quickly as possible. All major commerce sites and payment companies will take note of this and stop accepting these card accounts.

Obviously it will still be a huge hassle to reissue all those cards but it will minimize the financial damage.

If it is false data, won't the credit card companies say so loudly?
Since i found my CC details over there I assume this is not false data. Can we call it a cyber terror attack?
I would call it black hat hacking, hacktivism or sabotage. I wouldn't call it a terror attack unless you feel terror when you realize you have to call your credit card provider.

Lets save the word terror for things that terrify people like say bodily harm or death.

> Can we call it a cyber terror attack?

We can. How will that help? It won't put the cat back in the bag.

> We have posted this message in pastebin, but it seems they have deleted the file.

That Stratfor dump with 75.000 card details is still on Pastebin. Why this one deleted and the other is still there? (I believe both should be deleted.)

I thought Anonymous were against corrupt politicians et al, and not just general populace :(
My CC was in the list that the hackers published. Just canceled it...

Does anyone have good arguments against leaving the files where they are now and not deleting them from pastebin/megaupload/...? Since the beast is already out of it's cage, there is no point in chasing it. It is even better to let the public d/l the file and try to find themselves if their card and other details like emails, passwords were stolen.

Do you have any idea where your card was leaked from? Can you share what card provider you used? I was already paranoid about credit cards before I came, now it's really affecting my blood pressure..

(nice username btw, learned the word here..)

I'm not sure if they stole it directly from the sites (coupon site in my case) or from the clearance company. In any case it seems that the site who store the details broke the law by storing the CVV (not to mention that passwords were not encrypted..)
Broke the law, or broke the PCI standards?
i think in IL standing in the PCI standards is a must for clearance comapnies.
I just gave a talk last week at 28C3 [1,2] about how all the personal details of Israeli citizens are up for grabs for anyone inclined enough to get them.

I'm ashamed to see that we've learned nothing in the past 10 years.

[1] - http://www.youtube.com/watch?v=ow7cvZOzp6w

[2] - http://speakerdeck.com/u/yuvadm/p/28c3-data-mining-the-israe...

EDIT: Israeli media now claims that 400K is an exaggerated number, and the actual number of leaked CC is much smaller.

EDIT2: I'm gonna go ahead and publish a mirror list [3] for the leaked data and for affected accounts by email [4]. I might be affected and I prefer to know if I am ASAP, even if this means the data leaks more, which it will anyway.

[3] - http://pastebay.com/186092

[4] - http://pastebin.com/EnY7E0Hw

what's the password of the rar inside the rar? the page referenced in the "readme" file is unavailable
At least the file, hosted on hacked sites, called israeli.rar, is without a password.
I downloaded one of the files yuvadam posted (not sure if it's the same one there now - the post was edited) and it had a password protected rar in a rar
Where can I access the raw Israeli Census registry? I'm an non-resident Israeli citizen; I'm curious as to what it has on me (and if I can de-anonymize myself.)
Does anybody know the legality of checking these lists? I'm always concerned that the access logs are sent to various authorities.
I'm mostly certain no one could really give you a determining answer pertaining the legality of just browsing trough the list.

From my own experience in this matters, security forces may eventually get the logs, but are then going to cross check them against other information before even asking an ISP about information pertaining the IP addresses they get. If I were worried that someone with powerful connections in security forces would be determined enough to get me into trouble, I would use Tor to open them from a securely wipeable VM and won't save them in my hard disk.

I always click them from my PC... but in any case things get nasty I am currently working for a recognized information security company, and clicking this stuff is sort of part of my job.

That was a great talk. It seemed like maybe you were a little unprepared for the questions at the end. Have you found someone (or more) who gave up their Israeli citizenship between the leak dates to test the questioners hypothesis? And though it is trivial, I'm definitely still curious about the most popular name. I couldn't parse the names you said. Are you going to release your tools?

And then there's the big question: what do you do now that the data is out there? (and putting biometrics in the database isn't the answer)

whooops... didn't know the wahhabi fanatics could code :> thought they were better at beating up their wifes and sisters :>
oh oh being politically correct? :)
(comment deleted)
Don't VISA et al require some kind of PCI compliance for storing credit card details?
PCI compliance is worth as much as the party that signs off on you being compliant, in most cases that is you.

Audits are few and far between, lots of places have shoddy security but claim they are Fort Knox.

PCI compliancy is quite meaningless unless the people that implement it take their job seriously. That's very frequently not the case, it is just seen as a small obstacle in the way of doing business.

Thanks. Odd that VISA would let the third party auditors get away with it, until they don't... which I'd hope so in this case.

Related: http://serverfault.com/questions/293217/our-security-auditor...

It is mostly to cover their behinds not really to protect your data. When it comes to litigation they basically want to point to a piece of paper with your signature on it and say "see they agreed to be compliant" it is not our fault, we did all we could.
I saw an Australian company offering tokenising solutions for credit card transactions. Glancing briefly, they talked about replacing credit card number with "tokens" that can be stored on the customer's premises, while the actual card numbers are securely stored on theirs. To me it seems to be a sensible approach to reducing the attack surface or auditable surface. Is this what Stripe does?
Visa has the "visa verify" and it is a web service that basically asks extra security questions during authorization. That works online only. Relies on the merchant to provide the extra security.

Another thing is temporary one-use credit card numbers. My Discover card as that feature. Of course then it also relies on me to assess the risk of a merchant and go through the steps of getting that number.

(comment deleted)
Believe it or not, there are entire industries that get a sweetheart deal on PCI compliance where companies can be certified compliant without actually complying with the rules. Think airlines and ancient mainframes that can't handle real disk or network encryption.
Oh dear. And I thought the internet is a safe place for credit cards. Why would hackers want to execute MOTM when servers are sitting ducks?
I have a very hard time resolving how this type of attack could fall under the umbrella of Anonymous. Saudis specifically attacking Israel implies a nationalistic attitude, given their history. They also affiliate their hacker group with Wahabbism, which is a strict branch of Islam that most would brand as fundamentalist (and sometimes extreme).

I can't really see the ideals of Anonymous coexisting with nationalism and religious fundamentalism.

It's inspired by the Anonymous style: find someone you dislike, attack their computers somehow (e.g. private information theft, DDoS, web site defacing), and brag about it online. The ideals are very different, but the method is pretty similar.
The difference being that the people involved wouldn't be aware there was oil under their feet if our country hadn't invented the market for it, told them it was there and given them the equipment to drill it. Left to their own devices, the only thing they'd be hacking right now would be the back end of a camel. What do you think the chances are that their brute force method wasn't one of a million snippets written by someone in the west? Or in Israel, for that matter? How about the computers they used to get on the network they benefit from, but didn't create? Reckon the intel chips were made in Israel?

After all the petty bullshit, Saudis like to party too. The problem is their government and society is repressive as hell, and they're so scared to confront it, they have to go into this whole make-believe world where they act as heroes by attacking Israeli servers. It's pretty funny. I'm sure Israelis will recover. The Saudis on the other hand still live in a medieval hellhole where women can't drive a car... and this really doesn't do much to change anything. Their time and energy would be better spent trying to bring civilization to their own wasteland.

[Edit] I should add, the fact that if you did this in your own country, you'd probably have your hands cut off, is a powerful motivation to go after somebody with more liberal values.

Ironic how despite all this, the american government finds it fit to support this repressive regime, while demonizing countries like Syria where citizens (or at least women) enjoy greater freedoms. One could say it all depends on your stance vis-a-vis Israel. The fact of the matter is that, countries like Saudi Arabia, Jordan, Yemen, old Egypt, North Korea etc. have normalized or at least neutral relations with Israel (despite the hypocritical rhetoric to appease the masses), and hence are supported or allowed to have their way (even their bombs).

I think this hacking incident is a mere accident, and the ruling Saudis will be quick to repress it and assure Israel none of this will happen again.

>>demonizing countries like Syria

How can you "demonize" that type of brutal regimes? What more can you say about them? That Assad eats children?

>>One could say it all depends on your stance vis-a-vis Israel.

>>the ruling Saudis will be quick to repress it and assure Israel none of this will happen again

Sigh, so Saudi Arabia is pro Israel? :-)

http://en.wikipedia.org/wiki/Antisemitism_in_the_Arab_world#...

This is a model of what happens there without conspiracy theories:

Saudi Arabia is needed as an ally by the US. It is called "realpolitik" -- all countries, including democracies, use it and lie about it. (The difference with democracies is that they do support human rights, as long as it doesn't cost too much.)

North Korea sells/sold nuclear tech to Syria/Iran; are you really claiming they have "neutral" relations with Israel?

And so on... please don't write this kind of thing on HN.

I would say this whole thread took a wrong turn with noduerme's deeply rude, ignorant, arrogant an plain racist post. We would all have gained something had it never existed.
"We would all have gained something had it never existed."

Fuck off, Mr. Wannabe Censor. Progress requires unfettered conversation of all types, not just the ones of which you approve.

"... noduerme's deeply rude, ignorant, arrogant an[d] plain racist post."

It was none of those things. What he said is basically correct, and it reminded me of 2005's Syriana, in which there was a conversation between Matt Damon as Bryan Woodman, an energy analyst, and Alexander Siddig as Prince Nasir Al-Subaai, successor to the Emir.

NASIR: An ancestor of mine owned this bird's [falcon's] ancestor before Christ was born. Six more North Field blocks will be available for development. We would like to offer your firm the right to represent them.

WOODMAN: If I were your economic advisor I'd tell you it's not the dumbest thing you've ever done, but it'll probably be the dumbest thing you do today. Probably. But why would you need an economic advisor? Twenty years ago you had the highest GNP in the world and now you're tied with Paraguay. Your second biggest export is second-hand goods. Followed by dates on which you lose five cents a pound. You want to know what the business world thinks of you. They think a hundred years ago you were chopping each other's heads off in the desert and that's exactly where you'll be in another hundred. So, yes, on behalf of my firm, I accept your money.

http://en.wikipedia.org/wiki/Syriana

I included the first sentence, about the falcon, because it shows that Nasir is proud of his people having been around for a long time, but that apparent plus is effectively countered by Woodman's observation about their primitive nature, and how the oil money is really the only thing keeping them from regressing. Sure, the film is fictional, but there is a lot of truth to be found in it.

Read up on the resource curse on Wikipedia, it is probably the other way -- too much natural resources stop development. (Except for Norway, which still have problems despite their oil fond.)
> Fuck off, Mr. Wannabe Censor

I'm not one who wants to impose restraint on others. I merely suggest a little bit of tact makes dialog possible. Or, more important, that its lack may make dialog impossible.

> Progress requires unfettered conversation of all types, not just the ones of which you approve.

It also requires the conversation itself, which may be rendered unproductive by the kind of comment made upstream.

> it reminded me of 2005's Syriana, in which there was a conversation between Matt Damon as Bryan Woodman, an energy analyst, and Alexander Siddig as Prince Nasir Al-Subaai

Is all your knowledge in Middle East affairs derived from a movie?

Sure. I'm the racist. Not the guys who posted this on pastebin: "Judaism.txt, it includes 65 Zionist people who purchased stuff from Judaism web site"

Certainly sounds racially motivated to me.

Let's say we accept, for a moment, that not all Jews are Zionists, that "criticism of Israel" isn't motivated by anti-semitism. Let's even pretend for a second that stealing civilians' credit card numbers is a valid form of criticism against a state or government. Let's forget that Saudi schoolbooks call Jews the "children of apes and pigs." Why not. Even so, why would buying something from a "Judaism web site" make someone a Zionist (or even an Israeli, for that matter)? For all we know some of those people could have been the next Noam Chomsky or (insert other groveling apologist here).

And what do you think they're hoping people will do with this list of Jewish names? Why the fuck is it acceptable to be making lists of Jewish names anyway? If that's not racist, I don't know what is. We'd be better off if that had never existed; but at least it proves plainly that nothing about this hack qualifies as a legitimate political statement.

All you managed to demonstrate is that you are not the only racist in the world. I'm also relieved you didn't question the rest of the assessment, and agree your comment was deeply rude, ignorant and arrogant. That's a start.

I never said the release was warranted, fair, right or anything close to that. In fact, I did not even manifest an opinion about it. I only pointed out your message was not up to our standards (http://ycombinator.com/newsguidelines.html) and that it was full of telling misconceptions.

I'm not a racist, thanks very much. I don't put Arabs into one category, and I don't have a problem with them. In fact, I have two half-brothers who are Lebanese, and I grew up with plenty of Arabic culture (and food). I've been to Lebanon, and also to Israel.

Having said that, I wouldn't go to Saudi Arabia for a million dollars. It's not racist to point out the shortcomings of a national culture. Name one piece of technology used in this attack that was invented or even built in Saudi Arabia. Name one program that was written there. If you can't, it's not my fault. And clearly they're not so oppressed by Israel and the West that they can't afford to buy nice things, or build their own industries if they choose to. I know Lebanese guys who've moved back to Beirut to do startups. Look at Qatar and Dubai. They're too busy branching out and moving beyond an oil economy to be envious of middle-class Israelis.

It's also not racist to point out the lack of character involved in attacking civilians in another country, allegedly in protest of a foreign government, while you yourself live in a phony, sham-theocratic dictatorship.

If anything, I think it's people like yourself with your "good intentions" of pointing out who-must-be-a-racist, without deigning to criticize the giant racist elephant in the room, who are mostly responsible for the continuation of problems in the ME. To quote a famous Christian, first take the plank out of your own eye.

> It's not racist to point out the shortcomings of a national culture

No it's not. What's racist is your assumption that hadn't you (an implicitly superior culture, which is also a somewhat racist idea) told them what natural resource they had under their feet and taught them how to explore it they'd never figure it out for themselves and would be a primitive society. You imply that they are somehow better off because of it when, in fact, the money the country got for its riches was funneled to a small group of religious fundamentalists that, because of it, are able to rule the country unquestioned. One could argue they still have a very primitive society, only now they have money and weapons. You also imply they would never be able to develop the tools used to glean the data, an assumption that's also probably untrue and fail to mention the fact that most script-kids who pull tricks like this around the planet have no knowledge of the inner workings of the tools they use and would never be able to develop them from scratch.

And finally, I did not comment on Saudi Arabia's form of government, its repressive laws or the sadly misguided idiots who pulled this trick and their ideas about how the world works. I, myself, don't like the idea of theocracies (and absolutist monarchies) and regard them as incompatible with democracy.

Unfortunately, this is not the world I live in and we have to coexist with the less than ideal systems other people want (sometimes for no good reason) to live under. We don't have the right to impose our own way of life - or worse, an artificial one that favors us - upon others.

Also, the fact there is a giant racist elephant in the room does not make your own behavior and discourse any more helpful. Let's discuss the elephant when we get to it and, in the meantime, let's not put more little elephants in the room. I'd say there are enough of them already.

>>Unfortunately, this is not the world I live in and we have to coexist with the less than ideal systems other people want (sometimes for no good reason) to live under. We don't have the right to impose our own way of life

You think the North Koreans made an informed choice to starve while the party elite drank good whiskey?!

Tyrants like those just has no right of existence.

They made a choice. Not an informed one.

It's their job to get rid of their tyrant. We may help them, but we have no right to expect them to pick a form of government that pleases us. It's their country.

Of course people have responsibility for their own country.

But "pick their own lifestyle" argument can be used with slaves, which have been kept ignorant by their owners.

I don't know where you come from and might be putting opinions into your fingers, but modern (mostly left extremist) cultural relativistic acceptance of tyrants is truly abhorrent.

(Sorry for coming in late.)

>> How can you "demonize" that type of brutal regimes? What more can you say about them? That Assad eats children?

I was referring to the _relative_ treatment. I thought this was clearly implied. Syria's regime is definitely not above blame. But neither is Saudi Arabia and it deserves an equal share of 'demonization' by the government and the media.

>> Sigh, so Saudi Arabia is pro Israel? :-)

You musn't mistake public policy that carries no weight with actual behavior. Egypt under Mubarak was trumpeted as anti-Israel, but was clearly colluding with them in Gaza affairs. Saudi Arabia is unique in that there is a strong powerful extremist movement that needs to be placated by the ruling family. This makes for more empty talk that confuses many.

>> North Korea sells/sold nuclear tech to Syria/Iran; are you really claiming they have "neutral" relations with Israel?

They too have had their share of trouble as we all know, but I may be wrong on this one.

>> please don't write this kind of thing on HN

What kind of thing? When you see remarks like those of noduerme being upvoted, it's important that people understand that our governments are just as responsible for sustaining the abuses going on in the MidEast so that they don't misdirect their hate towards muslims/arabs.

>>I was referring to the _relative_ treatment.

And I discussed Syria/SA re "realpolitik". You didn't answer.

>>it's important that people understand that our governments are just as responsible for sustaining the abuses going on in the MidEast so that they don't misdirect their hate towards muslims/arabs.

So I should have opinions, because that would have good influences in the world...

Respect, troll -- you know how to push my buttons! (Yeah yeah, it is your honest opinion...)

(Why would anyone hate a bunch of countries that haven't modernized yet? Compare Middle East treatment of women, homosexuals, jews etc etc to many western countries 150 years ago.)

The US is obviously responsible for all the human rights violations happening in the Mid East the last 30 years? (Hell, even the Bush administrations tried to influence for human rights and Obama seems to even play cards with islamists to get rid of dicators!)

Enough, good night.

(comment deleted)
> I have a very hard time resolving how this type of attack could fall under the umbrella of Anonymous

Well the hackers have not identified themselves by name so they are ... anonymous. Isn't that the idea behind Anonymous, that anyone who is anonymous can claim to be Anonymous?

Anonymous just declared that they are not responsible for this:

https://twitter.com/anonyops/status/153969476277248000

"We have no love for Israeli gov't but targeting 1000s for being Israeli? Sorry, you are not #Anonymous pastebay.com/148920"

Heh. I like how Anonymous keep on repeating how are they "decentralized" and the only thing really needed to join is to call yourself Anonymous - and at the same time keep on telling trough semi-official twitter accounts, how this Wahhabi attack or that Stratfor attack was not official Anonymous and blah blah blah.

Hypocrisy on hypocrisy.

I would argue that the purpose of allowing anyone to call themselves "Anonymous" places the group's identity on their actions, not who they say they are. It's kind of the whole point of calling themselves "Anonymous" and leads right into the "we are legion" bit. There is no individual, only the movement.

However, by performing actions that are contrary to the Anonymous ideology the Saudi attackers distanced themselves farther from Anonymous than any name could

But what is "Anonymous' ideology" if anyone is part of Anonymous?

Maybe Anonymous should have chosen a different name. Other groups could then remain anonymous, without being assumed to be Anonymous.

Well, actually, Anonymous didn't really chose the name - it was a joke made on default "Anonymous" username on 4chan. And it really grew somehow organically into this point.

That's what I don't like about people saying "You are not true Anonymous". First hackers under the name "Anonymous" posted other people MySpace passwords on 4chan and put blinking lights on epilepsy website. And the whole scientology movement was first meant as a joke, as a reaction to the leaked Tom Cruise video.

Really, people calling other people "not true Anonymous" are hypocritical. I think.

Anonymous is an adjective, not a noun. It's not a group.
Can we just start calling these folks "Anonymous USA" to avoid naming something important with a term that anyone else on the planet can alter at will? Is there really any logic in choosing a brand that is interchangeable with the phrase "anyone on earth"?

Wouldn't that seem to suggest that staying completely anonymous while being taken seriously on the Internet is impossible?

Just because is easy, it doesn't mean you should do it. Stealing from ordinary people even from nation that you feel so much hostility to, still it is wrong.
From what I can see, the real Anonymous at least has the balls to go after their own government. Sure it's easy to hate on Israel, and these douchebags will no doubt get some props from fellow haters for their little hack, but if they had a pair of testicles between the lot of 'em, they'd start leaking info on the dictatorship they live in, rather than stealing credit cards from the democracy next door.
Attacking the general (innocent) populace for the faults of their government/military? That's the definition of terrorism... and not activism.
Good grief. Hassling the populace with a run of the mill credit card theft is not TERRORism. Terrorism is either violence or the threat of violence. Get a grip.
> Attacking the general (innocent) populace for the faults of their government/military?

Generally agree but with one exception -- in places were the government claims it represents the people and most people agree with that. Then everyone who votes basically shares the guilt of what the government does.

Most democracies I know are usually divided between conservatives of some sort and liberals of some sort, who agree and nothing, and usually just over 50% of the voters if not less, agree with their government's policies.

I totally disagree with the Israeli gov's policies and often protest them. Guess what? My personal info was inside those files (deprecated credit card and email though).

Attacking citizens of democracies because they are inseparable from their government and responsible for its actions, is a common argument for terrorism, btw.

Democracies (or just "advertised" democracies) can't have it both ways. They get to tell the world about their superior system of government where citizens have a say in how their government runs (sometimes they even invade others to impose this "superior" system on them). And that's great. But then there is the other side of the coin when the said govt. screws up, then citizens should man up and take responsibility. I am responsible for US invading Iraq and Afghanistan. If I am in those countries and I would be afraid for my safety (and rightly so). I didn't vote for it, and I don't think realistically people have the power and the voice in most advertised democracies. But then, one can argue, they are also responsible for now changing the system (and therefor the 99% Occupy stuff is happening all over, it is not about economy it is about who has the power, control and responsability).
I've set up a site to check if your card was on the list. Just go to my site and type in your card number...
This is the IP of the hacker: 188.75.86.66 (It's possible this is a bounce server, but geo locating it suggests against this.)

I know because I was involved in cleaning up one of the hacks. (I have to stay anonymous, but my main account has more than 7000 karma.)

In the one I dealt with they did not copy stored cards (because they couldn't), but rather added extra code that would email a copy of the details to the hacker as the order was placed.

(So even with PCI compliance credit card numbers can still be stolen.)

Right now, right this second edit this post. Get right of the karma count and remove the rest of what you posted besides the IP of the hacker. Word frequency analysis + knowledge of your karma count will easily identify you.
When I went to Israel a few years back I could not believe my eyes when I noticed that my entire CC number was printed on every receipt.

I don't imagine online CC security being much better..

That was mostly fixed, AFAIK. Now only the last 4 digits are printed on receipts.
I find it odd they call themselves “Wahhabis.” For starters, that term isn't something a “Wahhabi” would call himself. I've never been able to trace when it was first used. However, it's often used by western scholars to refer to “the Saudi guys” when classifying Muslims.

Does anyone know more about this group?

too much fuss for something you can not verify. a)are they really valid identities. %100 of them? b) how do you know that these were done by Saudis?