Anonymous Pledges to Take Down Facebook (cnet.com)
144 points by noahc on Aug 10, 2011 | 92 comments



Am I the only one who thinks this sounds completely out of character for LulzSec / Anonymous?

They aren't stupid. They surely know that waging war against Facebook would be silly.

I'd bet this is someone completely different, looking to pose as Anonymous. Try looking at the sources --- you won't be able to trace it back to an announcement by Anonymous. So who are these guys?


This is the same fallacy that news and government organizations are making: Anonymous isn't constrained to be any particular group of people.


No, you aren't. In fact if I'm not mistaken, this notice was first released yesterday, in Spanish. I'm not 100% sure though.


Can you link the original one in Spanish?


Not sure if it is the first one but: http://www.youtube.com/watch?v=Rp-V47iFoDo It seems it's even older than I thought.

EDIT: Rough translation:

----

Greetings, world. We are anonymous.

In this short time lapse, we've heard and seen the panic of Facebook programmers. It seems that now they are offering US$ 500 to find errors on their webpage. It is clear that nothing of this is real. They only do this to make the world believe that they have the power, and nothing can be done against them. As we have said before, we are tired of Facebook stealing people's information and selling it to powerful people like pieces of paper. This regime has come to an end.

Facebook will cease to exist.

On November 5th the Facebook Operation will take place successfully, and nothing will be able to stop it.

We are anonymous, we are legion. We don't forget, we don't forgive. Expect us.

----

Now that I listen to it carefully, the way they put it sounds pretty weird, to say the least.


No, you aren't. It didn't "sound like Anonymous" for me, having watched their previous releases on other AnonOps campaigns.


"Uh, who do we hate besides the government? They can, you know, arrest us and stuff." ... "Facebook! Yeah, let's get fucking Facebook! I hate Zuckerberg, all young and successful."

Sounds about right to me. Seemingly random target fits their MO.


From #AnonOps: "TO PRESS: MEDIAS OF THE WORLD... STOP LYING! #OpFacebook is just ANOTHER FAKE! WE DONT "KILL" THE MESSENGER. THAT'S NOT OUR STYLE #Anonymous"

That's not to say that Facebook won't be attacked, but most likely not by the people that form that Anonymous that WE think of when we think Anonymous. Although I suppose that any one or group could be Anonymous because of how they define themselves.



I really don't buy this as a... 'full force,' if you will, attack by Anonymous. I would want to see this confirmed by sources like https://twitter.com/#!/anonymousirc before I believed it to really be an 'Anonymous' 'movement.'

Of course, their strength is also their weakness. Without any names, what is and is not 'Anonymous' can forever be questioned. Like others, I want to say "they are too smart for this," but then they ('they') also attacked Amazon a few months back and that certainly did not go as well as the Visa attacks...



Except for a later tweet saying some are involved but not all:

"#OpFacebook is being organised by some Anons. This does not necessarily mean that all of #Anonymous agrees with it."



If you you're Anonymous, you're Anonymous


posting while driving failure...

meant to say - if you're posting as Anonymous, you're Anonymous.


Hahahahahaha. Hahahahahahahahahahahahaha. [breathe in] Haha. Hah. Hahahahaha.

Best of luck, Anon!

I'm not sure if Anon fully understands the level of infrastructure and the level of preparation Facebook has... They'll need to come up with something a lot more compelling than a bunch of guys at home with LOIC.


This attack is scheduled to come soon after anon switches from LOIC to a "new cannon" dubbed #RefRef (http://anonops.blogspot.com/2011/08/new-hacking-tools-by-ano...). They're probably way overconfident in their abilities (#RefRef's description is thoroughly unconvincing), but at least they don't think they're going to DDoS one of the best-prepared sites in the world, AFTER telling them exactly what day the attack will occur on.


So if we assume these people have any idea what they're talking about, it's some kind of SQLi attack... presumably mySQL? I wonder at what point it'll occur to them that Facebook mostly serves data from memcached.

Uh... did I get something wrong here? A correction or something would be nice.


"RefRef is a revolutionary DoS java site. Basically, by using an SQL and .js vulnerability, you can send a page request packet from your home computer with embedded .js file, because of the vulnerability in the SQL/Javascript engine on MOST websites, the site actually TEMPs the .js file on its own server. So now the .js is in place on the host of the site. Next since you still have the request, it picks up the .js file, and all of the requesting for packets power happens on the server, not the requestee. I send two packets from my iphone, and everything else happens on the server. Basically eats itself apart, because since both are on the server, its all a local connection."

"The tool is very effective, a 17-seconds attack from a single machine resulting in a 42-minute outage on Pastebin yesterday. As expected, the Pastebin admins weren't very happy with their platform being used for such tests and tweeted 'Please do not test your software on us again.'"

"The effectiveness of RefRef is due to the fact that it exploits a vulnerability in a widespread SQL service. The flaw is apparently known but not widely patched yet. The tool's creators don't expect their attacks to work on a high-profile target more than a couple of times before being blocked, but they don't believe organizations will rush to patch this flaw en masse before being hit."

http://www.thehackernews.com/2011/07/refref-denial-of-servic...


I'm disinclined to trust any source that doesn't know the difference between Java and Javascript


hmmm

first of all, there's no javascript "engine" on most websites. and every major vendor of SQL databases has its own, so good luck in finding a vulnerability that works with MSSQL/Oracle/Mysql/Postgresql.

also, even if you manage to store a .js file in a temp directory (which would be handled by the web server, btw. nothing to do with sql/js) it's usually a very locked down directory (you can't even execute from /tmp by default in most GNU/Linux servers)

even so, you would still need to execute that .js file (and how? most servers can't run javascript)

I'm not saying this tool doesn't exist, but I'm pretty sure that's not how it works


i think you're getting downvoted because anonymous has proven many times in the past that at least the people "in charge" (as much as you can call it that) definitely know what they're talking about and are possibly comprised of security experts.

if this is in fact anonymous. i'm not convinced, too big a target for them to have so little fanfare/flair.


Tell them you will attack on Friday but instead attack on Wednesday?


No way, you tell them you're attacking on Thursday night/Friday morning at midnight. Then do a headfake, a completely impotent showing, but keep at it for at least three hours. Then let it fall apart as users drift off.

Then, around eight am, when the US gets to work, and anyone at Facebook who took you seriously is sleeping in after the late night? Then. That's when you pull out the big guns.

I wonder which hour of the day is their busiest... That would be my true target time.


I've seen this source floating around quite a bit lately, http://pastebin.com/rG4GVZdX (I didn't add the comments).

It basically grabs a bunch of tor connects from a single machine and uses them to bombard the hosts.


Taking something apart is vastly easier than putting it together. Just because Anon is small doesn't mean they can't find an exploit.


they just haven't even done anything novel. Why should we expect them to now? Facebook is very unlikely to have the usual slew of easy sql injections.

I am quite sure that someone good could find attacks against facebook. I am dubious that anonymous can.


Easily said, but do you know what 'attack surface' means in infosec?

Facebook's is vast.


There are many levels of intrusion. I give Anon enough credit that they might be able to cause some mayhem, maybe even some real harm. Maybe they'll take down Facebook Chat (to the great ambivalence of everyone)... but to 0wn/DDoS the main Facebook site altogether? I dunno...

It's like, I may be able to find some way to force all the toilets at CIA Headquarters to back up. That's not the same thing as compromising their spies' identities. Not all exploits are equal.


I am aware of what "attack surface" means and stand by my claim that anonymous, having done nothing novel so far, will not find attacks against facebook.


Like I said, this is not Anon. Think about it. Anon aren't stupid. And going up against Facebook is stupid.


Isn't "Anonymous" anyone who claims to be it?


You must work for congress, quick, let's make being anonymous illegal. That'll stop this!


Within reason. It's anyone within the Anonymous subculture that claims to be it.


There is no way to tell if someone is credibly "within the Anonymous subculture" and "Anonymous" "releases" conflicting "press releases" with some regularity. There is no organization to "Anonymous", it's just an MSM-manufactured boogeyman to represent any teenager and/or groups of teenagers which knows how to send a lot of requests to a website simultaneously. samstave is also correct that those in power relish this since it gives them a lot of latitude to scare the commoners and get better tracing tools in place.


There is no better example of the No True Scotsman Fallacy.


No, that doesn't apply here at all. There's no (public) definition of who is or isn't Anonymous.


Sure it does. No true scotsman breaks down to a claim that some group has some Trait, then claiming that because some individual does not share the Trait they are by definition out of the group. I guess sometimes it's valid, but not here. Anon hasn't shown itself capable of an attack like this and if you look at the attacks by anon on scientology you'll be left wondering they were able to form a group identity with their fringe (core?) as it is.

Palish might be right that this doesn't sound like it's from any of the main group.


Remember remember the fifth of November

Gunpowder, treason and plot.

I see no reason why gunpowder, treason

Should ever be forgot...


I was yesterday at their IRC, prepared to laugh at them, but it was quite interesting.

First, they try to look united on twitter and to media, but they quite aren't. Second, they are INCREDIBLY naive. Third, they are OBSESSED with attention of the media.

They were actually planning the attack on #OpFacebook channel (so no, it was not fake - and the channel still exists, but they probably realized it is a joke so they turned it into a joke). After they realized they quite can't attack their servers, they thought it would be better to get people passwords by "botnet keylogger" (and I am not making it up), steal about 1 million accounts and then DEACTIVATE THEM ALL, which would I guess do something terribly evil to Facebook.

Someone brought the question if this doesn't give media and police the right to label them as terrorist, and someone else replied that "police and media are the real terrorists". After that sentence, I laughed too loud and had to leave the IRC.

edit: and apparently, it is still going on - http://pastebin.com/nzaNLWfF . Or maybe not, who knows

edit2: ....and they closed the channel for speaking now. Oh well, it was fun while it lasted.


> they thought it would be better to get people passwords by "botnet keylogger" (and I am not making it up), steal about 1 million accounts and then DEACTIVATE THEM ALL, which would I guess do something terribly evil to Facebook.

That is not a bad approach. If you assume Facebook's network infrastructure is rock solid, then attack Facebook's human infrastructure by flooding them with customer service calls.

I don't think you need a botnet keylogger to grab Facebook passwords because their users are easily confused or duped. For example, ReadWriteWeb wrote about Facebook's plans for login federation and many Facebook users, googling for "facebook login", found this blog and tried to login there!

https://www.readwriteweb.com/archives/facebook_wants_to_be_y...


This group calls itself anonymous as well, and uses the same 'branding', but it is useful to note that the people behind this may have no affiliation with the previous anonymous operations.

The 'original anonymous press release' was uploaded to YouTube by FacebookOp on Jul 16, 2011, and picked up by media only recently.

None of the usual anonymous twitter accounts (http://twitter.com/anonymousirc http://twitter.com/youranonnews http://twitter.com/anonops http://twitter.com/#!/AnonymousPress etc) or the irc channel (irc.anonops.li) have any mention of the operation.

It is of course not impossible to create a new youtube user and a new twitter account called 'facebookop' and post a video proclaiming to attack facebook in the name of anonymous. Anyone can do it.


Have any of the "official" (whatever it means) Twitter accounts said anything against FacebookOp?

I'm wondering if this is a spinoff from Anonymous, a false flag, or even both things at the same time (possible).


> Have any of the "official" (whatever it means) Twitter accounts said anything against FacebookOp?

No. FacebookOp has gone entirely unmentioned by #AnonOps. Not because #AnonOps is unable to post - both Twitter and the blogspot account have posted multiple times about the London mess today.



Hmm, maybe the feds are getting close and Anon's trying to shake them off?


Hi anonymous, I work at facebook. If you manage to hack us and grab our data, perhaps you'd like to apply for a job? It's not trivial getting the data even with full access, so you could really help our team! Plus the free lunches are pretty good.



I thought Anonymous is an unstructured "organization" and that anybody can do anything under their flag without authorization from a central body. How is it that there is apparently a central Twitter account?


Maybe it's a bit of a meritocracy? It seems some Twitter accounts are somewhat "official" in the sense that they are followed by most of the people involved in the Anonymous movement.


I don't think they're (if they're, because it looks like a fake) aiming for the data.

If I were them and wanted the data I'd hack a big Facebook application's account and since most of them are very intrusive with their permissions I'd get a lot of data that way.

I bet from the backend it'd be very hard to do it, and the data might be encrypted using a key that only a Facebook user has (the user might have multiple keys and share them with friends... etc etc), anyways, I'm thinking too much about this, it's too late already :).


If you work at Facebook, mind posting your FB profile?


Haha, yes I do mind. :)


Why? How do we know you're not someone who works for a competitor and is out to discredit Facebook?


You don't. I choose to stay anonymous for many reasons, but if it's any help, nothing I said could be construed as trying to discredit Facebook (even though I'm anonymous).


The Village Voice has more information than CNet:

http://blogs.villagevoice.com/runninscared/2011/08/anonymous...

tl;dr: The action is motivated because of the poor privacy policy of Facebook.

As said in other comments, it isn't clear if this is Anonymous because their twitter accounts didn't echo the manifesto. It could be a spinoff, a false flag op, or anything in between.


So somehow cutting people off from playing Farmville, talking to friends and family, and generally wasting time is going to endear a small group of "hacktivists" to those users?

Perhaps as effective as cutting those users off from playing PS3 games they'd already purchased.


You don't really understand protests do you? You could say the same about street protestors, endearing themselves to motorists trying to get home, or bus driver protestors causing chaos to those who use their services.



Anonymous posted to twitter concerning OpFacebook. The three posts that (I think) are relevant:

#OpFacebook is being organised by some Anons. This does not necessarily mean that all of #Anonymous agrees with it.

We prefer to face the real power and not to face to the same medias that we use as tools. #OpFacebook #Anonymous

REMEMBER THIS ARTICLE: "Are Hacker Attacks Government Operation To Push Internet Censorship Laws?"

The last one doesn't specifically mention FB, but it does seem that that sort of event - where the MSM attributes X to anon when anon isn't behind X - is beginning to worry them.


Now that anon denied it, I have a suspicion whoever released this announcement also sent a security resume/bid to Facebook. Looks like someone creating a need for himself.


The only way I could see this going down is if they have insiders already at Facebook


Perhaps even at the very top? I mean this could just be a viral marketing campaign __for__ Facebook. Something to help them regain the street cred they are losing, something to prevent the inevitable myspacing of their business. Or maybe just a cover for planned downtime.


You all assume it's going to be a traditional DDOS or SQL Injection or whatever attack.

Look at http://news.yahoo.com/anonymous-targets-norway-killers-manif... That's an attack on something, but not by technical means.

Maybe they are planning something they need lots of people to help with and so want the publicity in advance?

Not a clue what that could be tho.

(Yes, I have seen the tweet saying it's fake but as others point out there are many anonymous, and in fact the whole anonymous thing is that everyone is anonymous, so who knows?)


I'm guessing this is partially a response to a talk given at DEFCON by 2 people trying to unmask anonymous and lulzsec members. They highlighted how they use social media to track people down, especially FB.


I would hope the real Anon understands the magnitude of the challenge they just set before themselves.

"Facebook has been selling information to government agencies and giving clandestine access to information security firms so that they can spy on people from all around the world. Some of these so-called whitehat infosec firms are working for authoritarian governments, such as those of Egypt and Syria."

^ Besides, if Anonymous wanted to disgrace facebook, I think a better way to do that would be to show evidence backing up this claim.


Totally agree. This would be quite a coup causing self-destruction.


Unstoppable force meets immovable object!

As much as I admire anon's technical prowess, I seriously doubt that they can take down significant portions of FB which seems very well prepared (unless, of course, some former employee reveals a trapdoor or something to them). Up to now, their targets have been clueless corporations (i.e. Sony) or government agencies mostly.


Having seen their previous releases, for me this doesn't sound like Anonymous. I might be wrong, but it smells like faked for me.


Conspiracy theory in play: discredit Anon being all mighty if they fail in this Facebook attempt. Anyone can claim to be Anon, it is also a way to spot the real Anon.


I just hope these nerds stay on their computers and don't attack any actual people.


While reading my fav blogs in the AM, anytime someone mentions Lulz/Anon the f'n comments stop abruptly!

So there is much FUD involved here.

After seeing what they did over the summer, if I were FB... I would take a very guarded position over this latest claim.


What would be really awkward is if they released logs of profile/picture views. I'd be willing to bet I'm far less of a stalker than most FB users, but I'd still be pretty uncomfortable with that data out in the open.


Highly unlikely, except perhaps in Jake Davis's wet dreams.

Remember that an actual hack requires both a great deal of skill and a great deal of luck, especially when reasonably secure installations (FB obviously qualifying as "reasonably secure") are the target. If this group had the skill required, they would know enough not to be counting on getting lucky. Thus, either they already have knowledge of some vulnerability, or they're not going to find one. The former is highly unlikely - if they had that knowledge, it would require a great deal of stupidity to count on FB not discovering it for nearly three months.


CRAZY THOUGHT: If this http://seclists.org/fulldisclosure/2011/Aug/76 , then they might have network access to Facebook?


Going after Facebook goes against a lot of Anon's principles. Sure they do have a pretty bad rep in the privacy department but Facebook was an invaluable tool for young people during the Arab Spring


Anon's principles

Very droll sir. Very droll.


First rule of war: Don't give notice to your enemy of when or where you're going to attack.

This is something they do to be on the news.. that's all. They're not going to be able to shut it down.


Well, there's a few ways they'd do this, right?

(1) availability - DNS or route hijacking. With https they may not be able to fake their own copy, but redirecting to a 'AnOnYmOus ownz yoo' page may be possible.

(2) privacy - a pretty big profile dump, maybe of key facebook employees?

(3) quality - have the news feed, groups, walls, etc flooded with (even more?) crap. A few cracked apps could flood a lot of users.

Sorry, the terms I'm using are pretty bad.


Remember when the mydoom worm took down google for a bit due to widespread and distributed searches for itself/targets? I wonder if database resources are infinite?


Looks like Nov 5th is the target date. So in ~85 days, they are going to concoct a plan to destroy a $100 billion (allegedly) company? This should be interesting.


Those guys really need some PR adviser... Taking Facebook down (assuming they can do it) certainly won't make them popular.


Will a DDOS attack affect a website that gets billions of pageviews per month anyways?


It really depends how they attack. They might have found some URLs that require a lot more resources (CPU or I/O) than your normal user behavior.


I am beginning to think Anonymous is a fictitious entity made up by the mainstream media to divert attention. They sound too hippy-dippy to be of serious intent.


I don't think this is true. We'll see, but I think it's a joke.


Facebook is too big & has resources to fight off any kind of DDOS attack. I think Anon's plan won't work. Those kids are going to get disappointed.


So did VISA and MasterCard ...


The traffic Facebook pulls is orders of magnitude greater than Visa and Mastercard's websites have ever had to deal with.

Hell, according to Alexa, Hypem gets more traffic than Visa. http://www.alexa.com/siteinfo/visa.com http://www.alexa.com/siteinfo/hypem.com


Alexa doesn't count the internal traffic, like financial transactions. Their website is a tiny tiny share of that traffic. Just think of all the credit card transactions happening all over the world.


And yet it's the web site, not the transactional infrastructure, that was selected for the attack http://www.infoworld.com/d/security-central/anonymous-takes-...


You're Wrong! Because

1) Facebook is powered by massive infrastructure which can only be compared to the likes of Google. Visa, Mastercard are too small even to be compared.

2) People at Facebook are Smart - as Facebook hired top talent. Those "hackers@Facebook" know their sh!t & together they are better prepared than any of us here for thwarting ddos attacks.

so my message to Anon is: Kids, Please don't understand facebook's infrastructure & the smart people who work there.



