Sony Website Hacked By the "Lulz Boat"

smithy1234

New member
Dec 12, 2008
1,218
0
0
Sikratua said:
Doxcology said:
This is getting stupid now okay I'm just going to say that there's no point in lying about their methods, I really can't see a reason why they would do that. Yes saying it's SQL Injection makes it look easy but honestly, if it were some other method they would have said so and then what would everyone be crying about? "OMG These hackers are terrible, they used BLIND Sql Injection, it was actually difficult to hack into Sony's database so that means their security was actually moderately good but their DB still got hacked! So.. Sony isn't so bad but their security was still pretty shit...Wahhhh".

It won't make a huge difference if it turned out it was something else so why lie about it? Bottom line is that Sony was hacked into again, PERIOD, whether it was sort of hard or really easy isn't the point. The point is that they were hacked into again because their security isn't amazing for the large company it is. This wasn't a complicated statement and the fact that people have found something to argue about and call deceptive is fucking beyond me.
Nicely shoveled.

The difference here is the difference between "Sony upped their defenses, but someone still beat them," and "Jesus H. Christ! Sony doesn't fucking care! Fuck Sony!"

Guess which one of those is happening. Are you seriously trying to ignore that?
If you knew anything about hacking then you would know that they obviously did not up their defences if they were hacked by this skiddy internet group. I've done tons of SQL injection attacks against websites and just by looking at this attack I can tell that an SQL injection is very possible and most likely the method used.

I can show you an SQL Injected website and you can see for yourself it fits nicely with the results of the attack against Sony by LulzSec. You also seem to paint hackers with a big brush of EVIL INTERNET CITIZENS THEY'RE ALL BLACKHATS which is sort of hilarious haha
 

Therumancer

Citation Needed
Nov 28, 2007
9,909
0
0
Sikratua said:
Therumancer said:
I think it's ridiculous to call them terrorists, people overuse that term to the point where soon it's going to miss any relevance or meaning.
I took the liberty of looking up the word "Terrorist." Dictionary.com defines "Terrorist" as

a person, usually a member of a group, who uses or advocates terrorism.
So, I looked up the word "Terrorism." Webster.com defines "terrorism" as

the systematic use of terror especially as a means of coercion
Explain to me how this doesn't qualify. And, please, don't give me any bullshit about how we shouldn't base our language by what words actually mean. Frankly, once you get past your VERY flawed opening statement, upon which you base your entire argument, not a single word in your post has any validity, whatsoever.

Ahhh, semantics games. Gotta love them. :)

It's like this, people constantly start trying to expand the definition of terms to include a very broad array of behaviors and activities, until they cease to have the initial meaning, and gradually lose their thunder.

It's sort of like how the UN has extended the definition of Genocide to go beyond the extermination of a race of people, and into the extermination of an ideology, and so on. Largely so it can yell "Genocide" at anything it doesn't like, and use such a broad definition to justify taking absolute action against any group of people.

Right now there is a jump to broadly define terrorism, so it can be applied to pretty much anyone who uses strong arm tactics for anything. It will get to the point where since we start calling muggers terrorists because of the "literal" definition of the term that nobody much cares. I'm personally waiting for "this guy tried to intimidate me into giving him my wallet so he should be tried as a terrorist" to actually go to court personally.

Up until recently, what was intended when someone said "terrorist" was obvious, you'll notice nobody really tried to go after groups like The Mob as being terrorists, despite running some of the largest scale intimidation rackets ever.

You're pretty much trying to win an argument by semantics games and trying to argue based on a ridiculously broad literal meaning of a term, rather than how it applies to society, and how it has been applied until there have been recent gains in using the term due to things like The Patriot Act. Had The Patriot Act existed they would have gone after Al Capone as a terrorist rather than trying to prove things like racketeering, and eventually fail so hard that they wound up having to use tax law.

As I see things, what we're dealing with is pretty much vigilantism. The acts are largely being perpetuated because of the failure, or unwillingness of, conventional authorities to deal with the target. What is being done is still wrong, and a crime, as things like this tend to get out of control much more than comic books or science fiction novels, but not really an act of terrorism.

As the term traditionally applies to society I'd be more willing to accept the label of terrorism if say "Lulzsec" was setting off fertilizer bombs inside places like Sony's Tokyo headquarters, without any real concern for collateral damage.

As far as these activities go, I don't even think there is any real desire to spread general fear, as all of the information stolen has been handled in such a way as to minimize the risk of anything bad happening to anyone. The only people really being leveraged are Sony, everyone else is being inconvenienced more than terrorized.

See, right now all of this publicly released information is put out in such a way that it becomes very easy for identity protection services to step in. If they were keeping the stuff to themselves, stealing fortunes in money, etc... and telling people "turn on Sony or we will destroy your lives" that would be more of a terrorist act.

Of course the longer this goes on, the more likely that the system will fail, and someone will exploit that released information before any kind of ID protection can take place, and again that's exactly why things like this aren't quite the cool victimless crimes they are in fiction, someone always gets hurt in the end if they go on.
 

samsonguy920

New member
Mar 24, 2009
2,921
0
0
Greg Tito said:
Snipped for space.
This reminds me of the story of two dormmates. One never bothered to lock his door whenever he went out to class or such, and the other grew insanely bothered by this. Finally the bothered dormmate decided to just up and go into the first's dorm and removed all of his pricely possessions. When the first returned to find his stuff gone, the second was there to claim responsibility for it, as a lesson to the first to lock his dormroom door.
The first immediately called the police and swore out a complaint against the second for burglary and breaking and entering. The second claimed innocence because it was supposed to be a lesson in keeping your dorm secure. That didn't fly with the courts which sentenced him to a couple years in prison, or the college which expelled the second dormmate permanently.
We should have a right to expectation of privacy and security. That security should include feeling comfortable leaving our doors unlocked. Sony did err by not implementing better security to protect their customers' information, but the Lulzboat is still being criminal here, and I hope they are caught and thrown into prison. Truth be told, they would have still tried to do this if Sony did have better encryption and security, but that still doesn't excuse them for the act of trying. If you catch someone trying to pick your deadbolt to your house, you will still call the police, and the intruder will still be incarcerated for the crime.
There simply is no justification to this, none whatsoever. The Lulzboat not only violated Sony's systems, but they also violated every single person whose information was lifted from Sony's database. Their action was petty, immature, and inexcusable.
 

Blackpapa

New member
May 26, 2010
299
0
0
Doxcology said:
If you knew anything about hacking then you would know that they obviously did not up their defences if they were hacked by this skiddy internet group. I've done tons of SQL injection attacks against websites and just by looking at this attack I can tell that an SQL injection is very possible and most likely the method used.

I can show you an SQL Injected website and you can see for yourself it fits nicely with the results of the attack against Sony by LulzSec. You also seem to paint hackers with a big brush of EVIL INTERNET CITIZENS THEY'RE ALL BLACKHATS which is sort of hilarious haha
Can you teach me how to be a hacker like you?
 

Inkidu

New member
Mar 25, 2011
966
0
0
This might just put Sony under on the gaming front. Two high-profile hacks within a month or so of one another. Most companies don't come back from that. I know if I could online game I'd be steering away from Sony. One hack, okay, you've still got my good faith. It happens. Two hacks so soon scream of real or unfounded incompetence.
 

Sikratua

New member
Apr 11, 2011
183
0
0
Therumancer said:
Ahhh, semantics games. Gotta love them. :)

It's like this, people constantly start trying to expand the definition of terms to include a very broad array of behaviors and activities, until they cease to have the initial meaning, and gradually lose their thunder.
Semantics, my ass. I didn't use "Expanded definitions," whatever the shit that means. I used the actual dictionary definitions. I get it, though. I came up with an argument to which you can't actually reply, so you try to drown a lack of logical reply in an ever-growing mound of bullshit.

By the way, the difference between "vigilantism" and "terrorism" is whether or not you like the people getting attacked.
 

Luke Cartner

New member
May 6, 2010
317
0
0
I find it deeply offensive that the author feels he can compare a company with almost no security (making SQL safe input and encrypting passwords is security 101) getting hacked with a person getting sexually violated or raped. The two are not even near the same.
The victim in this case is not really Sony anyways, it's the users who trusted Sony with their personal information. Sony should be blamed for having such terrible measures to protect their details.
 

The_Puppy_Prince

New member
Jul 28, 2010
244
0
0
Jonny49 said:
Can these people display Sony's terrible security without stealing everyone's shit?
This
I mean cmon if you really wanna punish Sony
Hack their employees
Not the customers
What the bloody hell have they done to deserve that?
 

smut

New member
Aug 4, 2007
62
0
0
Sony kept the data in an unencrypted text file, basically a "notepad" file. Epic failure of security. I said it before and I'll say it again, Sony needs to do a complete audit of ALL of their operations that are connected to the web in some way. Sony was hacked by a freaking SQL injection which is something you learn on your first day of internet security 101. This is amateur hour on Sony's part.
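
Added example, not part of any post in this thread: the two "security 101" controls named above (SQL-safe input handling and not storing passwords in plaintext), shown as a before/after in Python with an in-memory SQLite database. The table, user names, passwords, test input and PBKDF2 work factor are all constructed assumptions; nothing here is taken from the Sony incident.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 600_000  # assumption: work factor picked for this example

def hash_password(password, salt=None):
    """Per-user random salt plus a slow KDF; this is stored instead of plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def make_db():
    # Constructed demo schema and accounts.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for name, password in [("alice", "correct horse"), ("bob", "hunter2")]:
        salt, digest = hash_password(password)
        db.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, digest))
    return db

def verify_password(db, name, password):
    row = db.execute(
        "SELECT salt, pw_hash FROM users WHERE name = ?", (name,)
    ).fetchone()
    if row is None:
        return False
    _, digest = hash_password(password, row[0])
    return hmac.compare_digest(digest, row[1])  # constant-time comparison

def lookup_unsafe(db, name):
    # BEFORE: input is pasted into the SQL text, so it can change the query's logic.
    return db.execute("SELECT name FROM users WHERE name = '" + name + "'").fetchall()

def lookup_safe(db, name):
    # AFTER: the driver binds the value, so it is only ever compared as data.
    return db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    crafted = "nobody' OR '1'='1"  # constructed test input containing a quote
    print("unsafe lookup:", lookup_unsafe(db, crafted))  # every row comes back
    print("safe lookup:  ", lookup_safe(db, crafted))    # no rows
    print("login ok:     ", verify_password(db, "alice", "correct horse"))
```

Even if the unsafe query is reached, a dump of this table yields only salts and slow-KDF digests rather than reusable passwords.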
 

k-ossuburb

New member
Jul 31, 2009
1,312
0
0
Also, funnily enough, they've also added their attack to Wikipedia.

Check it out, it's right at the bottom of the list titled "Known real-world examples" near the bottom of the page. [http://en.wikipedia.org/wiki/SQL_injection]
 

Jumplion

New member
Mar 10, 2008
7,873
0
0
archont said:
Jumplion said:
Or, alternatively, target the higher-ups rather than the innocent bystanders (hopefully without malice). That is real damage that can easily paint Sony in a bad light while avoiding any backwards ass-logic these guys are doing now.
Please expand on that, I'll be taking notes.
Alrighty then.

While I would never advocate for any sort of illegal hacking (I'm the kind of guy who just wishes everyone would just get along huggy-wuggy much), targeting the higher ups, and possibly the lower positions like engineers and such, would be a much more viable option than attacking the consumer.

First off, if you hack and get a bunch of CEOs info and stuff you can easily make them look incompetent. But for god's sake, don't be cruel to their families or terrorize their homes, that only makes you look like an even bigger ass. Instead, hijack their Twitter account or something and post some funny (read: Not offensive) pictures or somesuch, making it obvious someone got control of it. Make their jobs harder to do by causing a ruckus, this is much more fun and enjoyable for everyone else (except, of course, the higher ups).

Warn them that if they do not change their ways, things like this will continue to happen. Slowly but surely you could potentially get up to the big stuff, like hacking for their information on PSN or something, and if push comes to shove eventually, maybe you can hack into something like PSN, but don't steal anything dumbass! Leave a note saying "Hey, don't fuck with us, this could have been a lot worse." Show them that you are not to be trifled with, but not because you're a lunatic who wants attention.

Still, this would technically still make them criminals, but hey, at least one with some semblance of ethics and morals. Like I said, I do not advocate for this kind of shit, but it'd at least make a helluvah lot more sense than "Their security is shit! To prove that, we stole everyone's info! Now, can we have some money so we can continue to hack and publish private information? We are so helping you guys, we swear!"
 

Therumancer

Citation Needed
Nov 28, 2007
9,909
0
0
Sikratua said:
Therumancer said:
Ahhh, semantics games. Gotta love them. :)

It's like this, people constantly start trying to expand the definition of terms to include a very broad array of behaviors and activities, until they cease to have the initial meaning, and gradually lose their thunder.
Semantics, my ass. I didn't use "Expanded definitions," whatever the shit that means. I used the actual dictionary definitions. I get it, though. I came up with an argument to which you can't actually reply, so you try to drown a lack of logical reply in an ever-growing mound of bullshit.

By the way, the difference between "vigilantism" and "terrorism" is whether or not you like the people getting attacked.
If you want to have a discussion remain civil.

The entire point is that common usage and expansion changes the definitions as recorded by dictionaries and other sources. For example the UN's definition of Genocide has crept into the recorded meaning of the term.

I understand why you don't want to accept that, but at least try and remain civil about it.

If you want to agree to disagree, I'm fine with that.

In the end we both think the other is wrong, and there really isn't going to be a meeting of the minds on it. Such is the way of the internet.
 

Davroth

The shadow remains cast!
Apr 27, 2011
679
0
0
The Mapper said:
Davroth said:
So if they would have been like "yeah, we hacked that sony site and it was totally easy, but we wont show you what we got out of it" would you believed that they actually did it?
I sure wouldn't. It's one of these things that require evidence or it's unbelievable.
so what you're saying is "plz I don't believe you put all of the information you have (or may have) got up on the net so we can see. That seems a little stupid to me and is against what a lot of ppl stand for in the hacking for loz community...

i don't believe this either cos i don't buy that a SQL injection would work but I think your logic is flawed
I hacked Sony, it was super easy, and I've got tons and tons of compromising data.
Sounds believable? No? Guess I'll have to put up a website then showing the data I gathered.
 

Blackpapa

New member
May 26, 2010
299
0
0
Davroth said:
I hacked Sony, it was super easy, and I've got tons and tons of compromising data.
Sounds believable? No? Guess I'll have to put up a website then showing the data I gathered.
Sure. Just truncate the personal data to two letters and post the passwords as salted SHA-256. Be sure to make the salt public and non-alphanumeric and provide a handy javascript hashing utility for users to compare your publicly posted hash to their result.

Just for the lulz publish the first 100 prime IDs in full, open plaintext.

For more lulz use JSON to transparently harvest the plaintext passwords input into your javascript hashing utility.
 

Silva

New member
Apr 13, 2009
1,122
0
0
So these idiots posted our personal information publicly against our will and we're supposed to be annoyed at Sony for "not making it secure enough"?

Screw that. BOTH sides are fools with their own self-interest in mind and no common good has come out of any of this.
 

Ice Car

New member
Jan 30, 2011
1,980
0
0
I feel SO sorry for Sony and its fans now. So very sorry...

Glad I'm a 360 user, not a PS3 user.
 

Davroth

The shadow remains cast!
Apr 27, 2011
679
0
0
archont said:
Sure. Just truncate the personal data to two letters and post the passwords as salted SHA-256. Be sure to make the salt public and non-alphanumeric and provide a handy javascript hashing utility for users to compare your publicly posted hash to their result.

Just for the lulz publish the first 100 prime IDs in full, open plaintext.

For more lulz use JSON to transparently harvest the plaintext passwords input into your javascript hashing utility.
Well I could do that, granted, but I'm sure I'll come up with something that sounds even fancier.
 

Seagoon

New member
Feb 14, 2010
411
0
0
Yeah, tomorrow I might go out... See a movie... Hack into PSN... ya know S.S.D.D and all that... My granny hacked PSN last night.... Hell, so did my dog.... Everyone's doing it... It's just so easy, ya know...
 

Virtual Connor

New member
May 29, 2011
7
0
0
These hackers belong in prison for massive breaches of privacy of the innocent public.
Sony suck for not doing more to prevent it, and really need to address the problem. But it still doesn't make the crime acceptable and the hackers are still the ones who are solely responsible for their actions (ie. theft of personal information and making it readily available to every other criminal with a computer).
 

MarsProbe

Circuitboard Seahorse
Dec 13, 2008
2,372
0
0
Really, getting sick of all these so called "hacktivist" groups or whatever trendy badge they want to go by. Anonymous, LulzBoat or whatever stupid name they want to go by, they're all no better than a gang of petty thugs, and should therefore be treated worse.

Escapist, can't we get another topic now? It got tiresome enough hearing about Sony being (allegedly) hacked by Anonymous, now we have to put up with the same news, only this time about some other joke of an outfit.

Not malicious my arse. They must think we're even dumber than they are.