Excellent. This means the problem is solved and we don't have to secure any of our systems, because he was a one-in-a-billion case that nobody could replicate. (Surely nobody is currently doing the same things with less fanfare.)
So we shouldn't arrest people when they commit a crime because others are committing the same crime? Or because they're doing it in a high-profile manner?
> It is dangerous to be right in matters on which the established authorities are wrong. ~Voltaire
Our governments have no comprehension or understanding of the prospects or implications that the internet has on modern civilization. When an individual can take down an organization's method of operation (mastercard/visa/paypal), it isn't the individual's fault (regardless of their actions), it is the organization's fault.
You don't blame someone for stealing from a bank when they pile gold bullion in the entrance without a guard in sight. You blame the bank because that's fucking stupid.
Being able to DDoS mastercard isn't the individual's fault, it's mastercard's. I've never heard of someone DDoSing Google, why? Because Google only makes money when people access it and their system can support insane amounts of instantaneous traffic. It's a simple fact that sooner or later mastercard/visa would have been taken down by a normal traffic spike.
Is it the user's fault when mastercard gets DDoS'd by a few million people placing midnight orders on Black Friday?
Seriously, look at the world rationally. If I can spend $5 on a padlock, it's my fault when someone steals my $500 BBQ from my back yard. Someone committed a crime, yes, but I'm going to be buying a padlock like I should have in the first place.
Why didn't mastercard/visa/paypal/sony/sony/sony/(sony x 27 fucking times) front the goddamn cash so they wouldn't lose hundreds of thousands?
> When an individual can take down an organization's method of operation (mastercard/visa/paypal), it isn't the individual's fault (regardless of their actions), it is the organization's fault.
Who cares whose fault it is? It's illegal, they get arrested, it's simple really.
> You don't blame someone for stealing from a bank when they pile gold bullion in the entrance without a guard in sight. You blame the bank because that's fucking stupid.
Sure, you can do that. That, and arrest the person too because, you know, they broke the law.
>Sure, you can do that. That, and arrest the person too because, you know, they broke the law.
I think it's more relevant that what they did was willfully malicious. I probably regularly violate laws that I'm not even aware of, but the fact that I'm not intentionally doing harm to anyone establishes some kind of innocence.
"The rationale of the doctrine is that if ignorance were an excuse, a person charged with criminal offenses or a subject of a civil lawsuit would merely claim that he or she is unaware of the law in question to avoid liability, even though the person really does know what the law in question is. Thus, the law imputes knowledge of all laws to all persons within the jurisdiction no matter how transiently."
I think his point is that by doing this we are simply treating the symptom (breach in security), and not the cause (unsound security measures). It appears to me as "security theater" in every sense that I understand the phrase.
Although, of course, the police aren't the ones who would be patching up the security vulnerabilities anyway. So arresting unethical hackers and securing systems aren't mutually exclusive. What a country!
Isn't the second half of that 'but you can torture a metaphor'?
I get the impression reading some of the blogs that some of the arrests recently have in fact picked up people who were 'known' to other people who might very well become somewhat more cautious.
I've been listening to the teaching company's audio lectures on the history of freedom, and I think the idea that "you can't kill an idea" is also represented in Socrates & Jesus-- both of their influences did not waver after death.
/historynerd
One may still be charged with obstruction of justice if there is a definite attempt to make unavailable evidence needed for a case, even if the unavailability is temporary until a suitable mirror can be found. It's such a broad definition for a criminal charge to have, and in this case I really think they would consider it.
Don't be silly. If a murderer burns the clothes in which he perpetrated the murder, he's not 'destroying evidence' in addition to being a murderer. Something must first have been determined to be evidence, before destroying becomes a criminal act. Neither are you obstructing justice by hiding evidence.
Actually, I believe that is the case, although the charge pales in comparison to murder. IANAL, but the Green River Killer was convicted of contaminating a crime scene because he left false evidence to throw off investigators. From that, it appears that intentionally tampering with evidence of a crime - even if you created it - is illegal.
When you're facing the possibility of having multiple governments looking to 'come down hard' on you, I doubt destruction of evidence adds much to the mix.
Now we have Topiary. Probably the lamest one of the bunch. He doesn't
actually do anything except give interviews. There are plenty of logs of
him all over the internet being a complete idiot. His "d0x" are all over
the internet also. He tries to deny it but there are logs of him bitching
about being d0x'ed in the #hq logs that Laurelai leaked.
Name: Daniel Ackerman Sandberg
Location: Sweden
It's not unreasonable to suspect that a user in the Shetland Isles might have had a POP in Sweden, or use of a connection in Sweden to host a remote box with a better connection than available to them normally.
Every time I read a story like this, I picture the opening sequence from "Hackers". I wonder if that isn't one of the most realistic portrayals (of anything) in that movie?
I was busted in much the same way in the early 90s in NYC.
Yes, it was the only realistic part of the movie. It is a bit frightening to be woken up by a man pointing a shotgun in your face when you are 13.
IIRC, there was a well known NYC hacker who was getting ready for school, and was in the shower, when the SS burst in and the scene was loosely based on him.
Not much to say. It was part of operation sundevil. I was never arrested or indicted and eventually got all my equipment back.
I'm not sure if it is SOP, or the Secret Service thought they were dealing with violent criminals. But they knocked down the front door with one of those rams you see on TV, ran room to room "securing" everything. Once they realized they were dealing with a scared 13 year old they seemed more embarrassed than anything.
In addition to the local cops, and the Secret Service, there was a postal inspector involved, that guy was kind of a dick, he kept sneering and telling me stuff like "you are going down buddy", even at that young age I figured he didn't get out of the office much. The Secret Service spent most of their time bullshitting and telling me stories of various trips abroad with the president. Some of the nerds bagging up all my equipment would sometimes come in and peer at me, asking me minor questions like "Why do you have so many batteries" until they were reminded that I was a minor and they did not have parental permission to ask me questions.
I waited for years for the other shoe to drop, and be indicted, but I never was.
I still have all the equipment, still tagged, and even have some disks they put in the drives labeled "SS transport disk"
"I'm not sure if it is SOP, or the Secret Service thought they were dealing with violent criminals"
seems possible the bulk of them had first learned about hackers at the same time they learned about the raid -- perhaps from someone who exaggerated the average size of a hacker's fangs. in any event it doesn't seem likely that in preparation for sundevil they'd have consulted with anyone that would have urged a relaxed and moderated view of what was at that time an unexplored frontier of law enforcement.
Right, from the sheer scope of the raids I'm sure they thought they were dealing with some sort of syndicate, probably professional criminals branching out. They were absolutely dumbfounded, they didn't know whether to slap the cuffs on me or give me milk and cookies.
I find it hard to believe that European kids care that much about the CIA or Arizona's immigration laws. Yet many of these alleged LulzSec arrests seem to be in Europe.
These are only excuses to show off their "skills". Everyone loathes script-kiddies, and they know the only way for them not to be considered script-kiddies (which they are in fact) is to make everyone believe that their motivation is different than fame and feeling of power.
I think every wannabe-hacker wants to "hack" the CIA and Arizona's racist laws have been covered extensively on comedy programs like The Daily Show which I'd imagine are popular with anti-authoritarian internet-savvy youths worldwide.
Of course, if it were really about their problems with "racist" immigration laws, many countries in Europe have stronger and more strictly enforced immigration policies.
They will be. This latest round of arrests by the FBI were made based on the PayPal attacks, which were ages ago. LulzSec didn't even start going until months later, and the attacks that would have really pissed off the FBI happened just recently. The FBI is big and slow, but they'll get around to it if they have any evidence of members in the US.
if I were tasked with catching these guys, I would:
* set up numerous honeypot open proxies and tor gateways
* work with journalists to have all emails and communications forwarded
* isolate ddos clients and reverse-engineer command and control. surprisingly many of these trojans are poorly written and have security holes themselves
* set up numerous fake twitter profiles and provoke them into responses - things like posting images, replying, etc.
* set up fake hacker groups. stage defacements etc. in order to get in touch with them
* I would write a system that tracks and stores every bit of communication they make and plot out their social communication graphs and when they are talking, who to, etc.
* ask ISPs or proxy providers to grep for traffic patterns.
* get user-agent info from twitter, or provoke them into visiting a link, and possibly load malware. no browser is really safe in a targeted attack
* word/speech tracing. this is why 1337 5p34k was invented, so you can not be traced via your vocab/grammar/spelling/phrases etc. it doesn't take a large sample to start narrowing it down
probably more - haven't really thought about it, but when i did see that they started using twitter I gave them 3-4 months, tops.
> get user-agent info from twitter, or provoke them into visiting a link, and possibly load malware. no browser is really safe in a targeted attack
This is certainly the most direct way. I'd be pushing exploits from the twitter data center and sharing links to funny/cool #antisec whatever in irc hangouts. The client is almost always the weakest link here, and with people using multiple devices you get lucky once or twice and get some malware on a phone or pc.
If you're investigating foreign hackers on foreign soil you have a lot of leeway in terms of back hacking them, the US is definitely using this kind of approach in anti-terror.
Once you get the right guy and know it's him, share the details with the local authorities and let them figure out what legal info they have to build a case now that they know who they're after.
The other way I'd do it is with a fleshed out honeypot. Set up something tempting with two stages of flaws and some good documents. Bring the first flaw to one of the farm irc channels with something semi-juicy you got out of it. They'll probe the rest of the system and find the second dangled SQLi flaw and some juicy data. If you can set up and watch them in advance some mistakes will generally be made, and whatever documents and executables you leave to get stolen will probably end up being handled in an unsafe fashion. Think how tempting a VPN software token authenticator would be to run, and I highly doubt that stuff would get RE'd before it got run. If you can get them to voluntarily run some software they stole from you you won't be needing a warrant in advance.
It is very likely he was informed on. (Grassed / Snitched)
One of the better broadsheet newspapers here in the UK had an article on Lulzsec/Anonymous, and one of the best comments they made was:
"Hackers fear other hackers more than law enforcement."
In this community it seems there is no honour amongst thieves. I very much suspect they grabbed a bunch of people around the world who were less talented at hiding themselves, and one of them knew enough to plea bargain in return for information.
If I were to guess it was the same methods they used to "catch" Manning. From my narrow (but not inexistent) knowledge of hacktivism arrests, it always reduces to someone feeling lonely/overtrusting someone on IRC/Jabber.
For computer crime do they have to be able to draw a direct line from the act to the person's computer? Also, does a person's computer legally mean they committed the crime? What I'm getting at is, could a group like LulzSec guarantee lighter sentences for themselves if a line could be drawn from the crime to the group but you couldn't determine who actually hit the keyboard?
In the US, they could be charged with "Conspiracy to commit <crime>".
>One important feature of a conspiracy charge is that it relieves prosecutors of the need to prove the particular roles of conspirators. If two persons plot to kill another (and this can be proven), and the victim is indeed killed as a result of the actions of either conspirator, it is not necessary to prove with specificity which of the conspirators actually pulled the trigger.[1]
I'd assume English law has something equivalent -- it's a really old problem, and involving computers won't change the principles involved.
Given the close proximity of this case to the News Corp phone-hacking case, any bets on whether similar conspiracy-to-hack charges will be brought against all the people who were involved in that one? Not putting large odds on it; I'd bet that if anybody goes to jail for it, it'll only be a person or two who can be shown to have actually personally done the break-in.
Hiding your identity from casual observers: trivial.
Hiding your identity from scrutiny by local law enforcement: straightforward.
Hiding your identity from scrutiny by federal agents: Tricky.
Hiding your identity from scrutiny by an international investigation after having pissed off several high octane intelligence agencies: impossible.
Not impossible in the strictest sense, but highly improbable. Even Bin Laden went down and he had a lot more on his side than all of the members of lulz and anon combined.
Snitching. It really isn't that hard to remain anonymous, as you said. But if you're spending hundreds of hours working on Ops with a small team, you learn to trust them and you slip up and share personal information. When somebody slips up, the cops threaten to drop the hammer unless they give up the rest. A 17 year old kid isn't going to risk his whole life for somebody he's never even met, so he snitches.
LulzSec isn't anything new, this kind of hacking has been going on since the 80s - they've just taken a different approach with the media. And snitching is always how hacker groups fall.
This is essentially how all law enforcement investigations work, actually. Drugs, hacking, graffiti, white collar crime, whatever. Get a good snitch and you'll get the whole organization eventually.
Taking all the precautions necessary and doing it consistently while not talking/bragging about it to outside people requires a lot of discipline. Most of these guys do not really have it. It takes a few rounds of arrests, trials etc for the core group of survivors to get actually paranoid smart enough.
I would imagine it is pretty hard to make no mistakes. He might have accidentally logged into his twitter account (or some other account known to be his) through the wrong browser, which allowed them to see his real IP address.
I don't think it's anything technical, just the same old tactics they use against any other criminal organization.
Catch a weak link, offer them a deal in exchange for information that leads to the conviction of someone higher up in the organization, repeat until you make it to the top.
No they're not that good, if the arrests are correct then they're actually pretty bad. For the little value that they are worth, they're worth far more as an example to be made for others.
Actually, arresting them is next to worthless. Does the oodles of cash spent each year pursuing, prosecuting, jailing, fining, policing and enforcing vandalism cases result in decreased vandalism? Boredom is a social problem, no amount of enforcement will reduce bored kids' desire to break stuff. If anything, drawing attention to Anonymous only attracts more people to it.
Scots law: age of consent (and age you can enlist) is 16, driver's license is 17, drinking and voting is 18. And this is Scotland, so the age of criminal responsibility is 12. (Until recently, it was eight: http://news.bbc.co.uk/1/hi/scotland/7916561.stm).
Hold on, hold on, let me try to clear some things up.
A criminal is a rigidly-defined adjective meaning an entity which breaks or broke laws.
An activist is a rigidly-defined term meaning an entity which acts to further some idea and bring it to public perception.
A hacktivist isn't well-defined, but we'll assume here that it's a form of activist.
Now based on this, the Anonymous and Lulzsec hackers were hacktivists, at least according to their own statements of their intent. They also were criminals, at least according to my reading of the laws of the US. Now, what you may be looking for is whether they were ethically good --- but don't conflate lawfulness with morality, that's worked out poorly in both directions.
But of course, you acknowledge that this is a horribly simplistic view of things. Even DnD got this, after all (clearly Anon is Chaotic, and whether it's Neutral or Good depends on whom you talk to).
So perhaps you might say "I don't believe Anon's actions were for the good", or even "weren't well-intentioned", but please recognize that passing judgement beyond noting the factual statement that they are criminals, is a personal judgement. Not that personal opinions shouldn't be argued, defended, and spread --- just that they should not be conflated with fact.
I agree to the defined terms, and further propose hacktivist is an activist whose chosen/preferred method is "technology", be it illegally accessing private systems, or building nifty robots out of servos and shit.
But, what cause or idea have they furthered? Computer security? Social injustices? Tax evasion by corporate America? I can't find one other than their own personal enjoyment.
I can not point to a single action they have taken and describe it as "constructive." The issues they do occasionally allude to could be furthered much more successfully, legally and in a morally responsible fashion (respecting individuals' privacy) by other means.
As for their harm, it is fairly self explanatory, but to make it clear, releasing innocent individuals' personal information and encouraging others to use it to commit further crimes is most decidedly not neutral.
I don't believe LulzSec's actions helped anyone. If you think they did some good, please enlighten me, point it out. I can't see it.
I would argue that their actions, at the very least, are getting people thinking about the privacy and security issues we face. Their methods are blunt and can be damaging, but you can't deny that people have been talking about these issues much more, and I think that's a good thing.
Raising awareness for privacy and security issues is a good thing. Doing so by creating more privacy and security issues is decidedly counterproductive.
An activist need not be an effective activist to still be an activist.
PETA nailing people with red paint on the street is incredibly counter-productive to their cause. Hell, it probably actually increases sales of fur. They are still however activists.
"An activist is a rigidly-defined term meaning an entity which acts to further some idea and bring it to public perception."
If you agree that PETA's red paint stunts are counter-productive, how can you then turn around and argue that the same red paint stunt is furthering (is productive) to the cause?
Their stated goal is to have fun and cause mayhem. That isn't activism by any stretch of the imagination.
While some of their attacks have stated goals that appear to be activism, some of them, like the attacks on Nintendo, pron.com and Minecraft appear not to serve any type of activism I'm aware of.
They put the spotlight on the widespread disdain for security exhibited by major corporations regarding their clients' data?
That was the core message between the lulz. That said, dumping the full data was not necessary to make that point, even though it probably increased the media coverage, hence the spread of their message.
But the lulz were so loud that I could not hear the core message. They were certainly not primarily activists. At best, that was a scant moral cover for what was basically mass vandalism.
On the one hand, I don't feel too bad for trolling you, since your comment basically glorifies the same activity. Lulz and all that.
On the other hand, I feel that you should understand why your comment is not smart. "X bad/useless activity is better than Y bad/useless activity, therefore X is ok" is always a stupid argument.
Martin Luther King also didn't hide from the authorities and voluntarily went to jail out of belief for his ideas.
Lulz puts as much effort into remaining anonymous as anything and, it would seem the consensus opinion here, folds like paper houses when they get caught. I didn't see MLK Jr trying to negotiate a sentence down by selling out the rest of his leadership. Instead, he actually accepted prison time rather than pay a fine because he truly believed in what he was doing.
One of the critical measures though is that most activists openly do so. Someone up-thread mentions that MLK was a criminal, and he was. As was Gandhi, and others. But they said here I am, here is what I am doing, and why I am breaking this law. And for civil disobedience to be effective, here's the kicker, they welcomed and expected the punishment.
The idea that we would arrest another human being for sitting at a lunch counter, etc, is designed to provoke outrage at the unjust situation.
The Crito is an excellent place to start in examining, I suppose, the philosophical roots of civil disobedience: http://en.wikipedia.org/wiki/Crito
Civil disobedience is only one of many forms of activism. The people who ran the underground railroad were in no hurry to make their identities known. Were they any less activists for it?
An arrested hacker activist is a hacker inactivist. Expecting them to allow themselves to become arrested is absurd.
Actually, forcing arrests is a very effective form of civil disobedience. One of the most effective civil disobedience campaigns I have seen was one that aimed to poke holes in wide and loosely defined laws being used by police for openly racist reasons (that is, we don't like your kind here). Some states in Australia have laws that can be used to arrest almost anyone for very little reason. For example, public nuisance, indecent language, resisting arrest (yes, people are often charged with, and only charged with, reacting to a police attempt to arrest). Basically the campaign involved indigenous Australians going alone to places they knew would get them arrested, getting arrested, and then refusing bail. When bail is refused you are assigned the first available court session. The plan was a success, after 2 weeks the courts were completely clogged with cases judges would instantly throw out (because the prosecution case was beyond flimsy). Attention granted, laws were slightly changed, and some police officers were charged with contempt of court. Allowing yourself to be arrested is a valid activist tool for change.
Forced arrests only work when the system/population deep down realize how absurd the arrest really is. The courts will happily throw as many "hackers" as there can possibly be into the slammer. Hell, the prison industrial complex has actually made this profitable.
Generally it does seem to be a common attribute. Some activists are also idealists, which is to say they have a view of the world that is idealized based on their principles which is a distortion of reality to a lesser or greater extent.
Living as I do in the San Francisco bay area, I encounter all forms of activists from people living in trees on college campuses (illegally) to folks who provide services to undocumented workers, to folks who expose security flaws on web sites. Of the ones with whom I've been able to talk briefly about their goals, all of them did not grasp that the results of activism are later perceived through the dialog of what the people that 'win' write. (sort of a variation on the winners write the history)