Games. Culture. Marketing. Digital.

Looooooooooooooooooooooooool.

So. Lulzsec have called it a day. Cue not an insignificant number of tech journos writing knowing articles about how they weren’t really so tough after all, and it was mostly easy stuff like botnet DDOS attacks and SQL injections, and they probably had inside help too and honestly, didn’t people just get suckered in by an unusually media-savvy group of script kiddies?

“From what we’ve seen these lulzsec/gn0sis kids aren’t really that good at hacking. They troll the Internet and search for [SQL injection] vulnerabilities as well as Remote File Include/Local File Include bugs. Once found they try to download databases or pull down usernames and passwords. Their releases have nothing to do with their goals or their lulz. It’s purely based on whatever they find with their ‘Google hacking’ queries and then release it.”

Yeah, well, maybe, but that’s not the point. Things still got hacked. Right now, it’s possible to download what still amounts to quite a lot of sensitive personal data, stolen from organizations that really shouldn’t allow themselves to be compromised thus (NATO, anyone?). What’s more, some of this stuff wasn’t even encrypted – it just sat there as plain text in a database. I’m sure I don’t need to point out what a terrible idea storing passwords in that manner is.

If critics are right that the Lulzsec guys were relatively simplistic in their attacks, then we should actually be much more worried. Because after all, if a smash-and-grab DDOS with the LOIC or a similar hacking tool can result in the leak of hundreds of thousands of usernames and passwords (by the way, if you’re reading this and you ever played Battlefield Heroes, change your password), what are more subtle, serious attacks doing?

As it happens, there’s always a bigger fish. The earlier quote comes from a fairly convincing-looking posting on pastebin, Lulzsec’s outlet of choice, which appears to expose most of the crew. One can only imagine the sentences these guys face if actually caught, and in a way I hope they’re not. It would be too easy to pin everything on them, when really the lasting effects of their damage are minimal. It’s the lessons learned for online security that must endure.

Oh dear.

So the PlayStation Network – PSN – has now been down for nearly a month. A quick background, first: at the beginning of April, the loosely-defined-but-potent online hacking group Anonymous took a few potshots at the PSN servers using a fairly primitive DDOS tool called the Low Orbit Ion Cannon. The software can be powerful, but against a mighty piece of engineering it was never likely to have much of an effect beyond making a few sites flicker under the load. Moreover, the attack was a simple revenge for a Sony lawsuit against hacker GeoHot, who had finally cracked the platform. So far, so impersonal.

Then a chap from Sony’s hosting provider spoke to Ars Technica, without permission from his superiors. He guessed, probably correctly at the time, that the hackers were ‘going to get bored’. And then he made a big mistake:

… The DDoS attacks have been underwhelming. The source characterized them more as an annoyance than an unstoppable force. They “annoyed our network engineers,” says the source, but are only of “medium strength.”

This was really, really dumb.
