On Saturday, Lulz Security announced what would be their final release, indicating that the group of six (according to the release) would disband.
Unlike past releases, which have been fraught with gloating and taunting messages, the press release that went with the information release was almost wistful, talking about their love of the “chaotic thrill of entertainment and anarchy”, and how such things entertain. It even went philisophical, stating that these things are “what we all crave, even the seemingly lifeless politicians and emotionless, middle-aged self-titled failures. You are not failures. You have not blown away. You can get what you want and you are worth having it, believe in yourself.”. They went onto state that the people behind the LulzSec mask are people with tastes, even comparing themselves to Hitler, also known as “the mediocre painter turned supervillain (who) liked cats more than we did”. Despite all of this, they stated they believe in the “AntiSec” movement, the act of attempting to bring government and “white hat” agencies down, and that they “hope, wish, even beg” that the movement would blow up into a full blown, self-sustaining revolution. On their Twitter feed, they told readers that they love everyone involved, even the trolls, “in an entirely sexual way”, and later implored the press to pay attention to the data leaked in the torrent, and not just the press release.
Said data is a variety of information of varying usefulness. Relative to gaming is a list of about 550,000 users from the Battlefield Heroes beta, in a list that contains usernames and hashed passwords, and about 50,000 members of “various gaming forums”. This list has various information in it depending on the forum they were gathered from – most of them have email addresses, forum usernames and hashed passwords – though it’s never stated which forums the accounts came from.
Also in the almost 500MB torrent:
* The SQL file for hackforums.net. Considering who this forum tries to cater to, this is a potentially massive breach.
* An internal help and configuration cheat sheet for AOL.
* What appears to be an error script from an FBI page.
* 11,793 user accounts for nato-bookshop.org, which includes user IDs/email addresses, plaintext passwords, and full names.
* A screenshot of a compromised job search for the American Department of the Navy.
* The CIDR network ranges of various corporations.
* The addresses, usernames and plaintext passwords of employees of Priority Investigations Limited, based out of Ireland.
* A list of comrpomised routers, as well as the root account names on each of them.
* A massive data and file dump of AT+T’s internal network that included programmes, USB installers, boot disks and other data. However, the data dump had malware in it, and due to this, the original torrent has been taken down from The Pirate Bay. Gaming Bus has not been able to verify the contents of the folder on a Linux system yet.
Though LulzSec stated that their entire goal was to wreck havoc for 50 days and disband, there are some signs that they were pushed into laying low. An IRC administrator with ties to both LulzSec and Anonymous was arrested this past week in Britain. They’ve also been under attack from other hacker groups. A group calling itself The A Team released a significant amount of data on LulzSec members, and they have been under constant threat from ex-US military hacker “th3j35t3r”. Leaked IRC logs were acquired and posted by The Guardian. The group’s disappearance also runs contrary to a statement they made when they released their “Chinga La Migra” release on Thursday, where they said they would leak new data every week.
Click here for Gaming Bus’s relevant coverage of Lulz Security.
Thanks to Peter Bright of Ars Technica for some of the information contained in this report.
Analysis: Most of the scuttlebutt I’ve heard about LulzSec states that the group’s leader, Sabu, is a serious minded person who knows how to get out of sticky situations. I think there’s a lot of fire to the smoke that Humpty Dumpty was pushed off the wall, and that things were getting too hot. The attention they drew from other hacker groups – groups arguably more dangerous than LulzSec, such as “TeaMp0isoN_” – was just as dangerous as the heat they were getting from law enforcement, who have shown they’re eager to circle around internal hacker squabbles in order to pick up the easy targets (note: Ryan Cleary’s “dox” were published after his AnonOps intrusion). This was definitely a case of “let’s lay low and hope everyone goes away”, but the problem with that is that hackers – either the white hat types who are doing this as their jobs, or the black hat types who hate the “scene fags” – never forget, and they want some big name heads to hang on their walls.
As for the hack itself… meh. There’s some very damaging stuff here (mainly the hackforums.net info and whatever the hell was in that AT+T .rar), but most of it is patently useless to almost anyone. This has the air of someone going “OK, we’re just going to dump everything we have”, and doing it. The information itself is largely weak; congratulations, you know how to use a local file inclusion script, run “netstat -rn” and “df -h” and export it to a text file, be proud of yourselves. Basically, they took what they could, but in a lot of cases, The A Team was right; most of this isn’t advanced level hacking, it’s just script kiddie junk on unsecured websites. Ultimately, the most damaged places were the ones that were down for some time, like The Escapist. Speaking of, if there’s anything more ludicrously ironic than a group who has stated the goal of taking down freedom stifling governments effectively chilling free speech by bullying a site that obviously could not fight back like The Escapist, I don’t know what that is.
So with LulzSec “disbanding” (read: absorbing back into the Anonymous hivemind), people are going to ask what the “legacy” of LulzSec is. Personally, I don’t think they have much of one, at least any more of one than any other grey hat hacking group. But what’s funny about this is that by being their worst, LulzSec actually showed people at their worst. Gamers tended not to care too much about the legitimate damage that was done to Sony, to Bethesda, to The Escapist, or to the other companies that got in their way, nor did they care that these “sophisticated” hackers were nothing more than script kiddies using DDoS and SQL injection attacks to carry out their mayhem. They only cared about their games. Most of what I heard was centred around two memes:
1) God damnit I wanna play on PSN! 🙁
2) God damn buncha losers, they’re gonna hurt the people that give me my games! 🙁
Everything was centred around self-interest. So the “lessons” that LulzSec taught are largely going to be ignored. Gamers will still put all of their personal data into places where it cannot be trusted. They will still reuse passwords. They will still whine and bitch whenever something happens that prevents them from doing either of these things. And companies will still do what Sony did: take shortcuts to save on costs, and then blame the hackers when they get hacked, much like someone who leaves his car keys on the front seat of his unlocked car getting loud about the person that steals his car.
Once it no longer becomes “in vogue” to attack gaming companies – who have proven themselves to be exceptionally soft targets, by the way – they will go back to cutting corners on security, and we’ll be right back to where we started. That’s the “legacy” of LulzSec to me: that ultimately, they won’t be anything more than a footnote in history. A lot of that is our fault, as gamers, because of our messed up collective priorities.
One final note to all of this: one of the biggest causes of damage from the LulzSec hacks and other similar acts of mayhem has been not from the initial hacks, but from the passwords that have been gleamed from them. Most people use the same password for everywhere they go, and some of them are frankly embarrassing in their simplicity. The number one complaint I get is “how do I manage all of these passwords?”. Here’s what I recommend: I use a programme called Keepass. What it does is it gives you a safe place to manage all of your passwords. It encrypts into AES (which is very strong), and allows you to look up passwords that you forget. The whole list can be encrypted behind one master password; make this a strong password, and keep different passwords for all of your key places that you log into, such as a separate password for email, a separate one for banking, a separate one for Facebook, and any place else that has important information that would become damaging should it be stolen. Keep a throwaway password for places like webforums, and the like (such as our comment box; bear in mind that WordPress only hashes passwords, and I use WordPress for now). Keepass works on Windows by default, and for Mac and Linux users, it runs with Mono. There’s also a version for the Portable Apps suite, which I also recommend looking into as an aside for people who work a lot off of thumb drives.