Sorry for posting this here, but if you would...

Neveos
X-51
Posts: 875
Joined: Wed Mar 03, 2010 1:29 am

Post by Neveos »

I need to ask those technically competent, here (especially being a DX crowd), whether or not "hacktivism" or the ability for a lone hacker (like Julian Assange) to do what they have allegedly done (hack multiple top tier security systems), whether it is all just a bunch of bullshit.

I don't want to know if it is theoretically possible, I'm sure everything is theoretically possible, but does it ring with truth or fiction? Assange has gone public with his distaste for 9/11 conspiracies, and most people think he is a shill op. But an albino billionaire hacktivist that keeps servers hidden all around the world, just seems like some sort of cointelpro operation, likewise Anonymous, and I want to ask you who may know something about programmers, whether or not "hacking" still exists as it once did in the earlier days of the internet, when security systems were not as expecting of security breaches.
What I do in my other free time:
http://www.youtube.com/watch?v=e3FfPUKuGsQ
Jonas
Off Topic Productions
Posts: 14224
Joined: Sat Apr 24, 2004 9:21 pm
Location: Hafnia

Post by Jonas »

Yeah sure, hacking still exists. Also cracking, which I think is what you're really talking about (academic distinction I suppose). Not in quite the same way as in the early days, particularly if you go back to the time of Captain Crunch finding a way to get free phone calls from the tele companies by blowing a whistle into the phone receiver, but you can still get into a lot of systems if you know them well enough to find and exploit their security flaws.

Top-tier security systems though? I don't know. My impression is that when people crack proper high-level stuff, it's because they have shell access, and it's more of a social engineering project than actual cracking. Like the Wikileaks thing with Julian Assange - that was just one army guy with access who decided to put a load of secret files on a CD and make off with it so he could upload it to the Internet later.

You heard about Stuxnet? That's probably the most exciting known example of cracking in recent times, presumably carried out by intelligence agencies from Israel and the US, and I think the general theory is still that they had somebody inside the Iranian facilities with physical access to the system so the virus could be uploaded.

Does that begin to answer your question?
Jonas Wæver
Chief Poking Manager of TNM

I've made some videogames:
Expeditions: Rome
Expeditions: Viking
Expeditions: Conquistador
Clandestine
Post by Neveos »

Yes. However, a lot of these hacktivist stories are giving everyone the impression that they are accomplishing things like "shutting down the website of", "uncovering the email of", or "shutting down power grids" from their homes. That really just seems like false flag propaganda against the internet. I am more or less wondering, from a programmer's point of view, what is the likelihood that even the best programmers are:

A.) giving enough of a shit to get into such political activities.

B.) capable of even knowing what system he would have to communicate with, regarding political entities, in order to do something like this.

C.) capable of writing a successful virus.

and

D.) capable of even fooling the IT who manages the server to download anything from them? (how could anyone get the server of the Kremlin's website to actually download the virus?)
Post by Jonas »

Neveos wrote: Yes. However, a lot of these hacktivist stories are giving everyone the impression that they are accomplishing things like "shutting down the website of", "uncovering the email of", or "shutting down power grids" from their homes. That really just seems like false flag propaganda against the internet.

Uh no that sounds about right - well probably not shutting down power grids, I haven't read about anything like that occurring in recent times, but shutting down a website and getting access to somebody's email account is not exactly rocket science. The former can be achieved with a fairly simple DDOS attack (that's typically what Anonymous do), and the latter just requires a bit of fishing or maybe a brute-force dictionary attack - that mostly relies on the human factor, again: people picking shitty, shitty passwords. Such as "password". Idiots :P

Neveos wrote: I am more or less wondering, from a programmer's point of view, what is the likelihood that even the best programmers are:

A.) giving enough of a shit to get into such political activities.

B.) capable of even knowing what system he would have to communicate with, regarding political entities, in order to do something like this.

C.) capable of writing a successful virus.

and

D.) capable of even fooling the IT who manages the server to download anything from them? (how could anyone get the server of the Kremlin's website to actually download the virus?)

I'm not exactly an expert on IT security here, but it's my impression that the greatest threat is from national entities (ie. intelligence agencies). You don't necessarily need to be a good programmer to be a competent cracker, but I'm sure it helps. Once you're good enough, you probably want to get paid, and it's probably a lot easier to find paid work as a hacker for the GCHQ than trying to hack a bank and steal a bunch of money undetected.

I'm sure a good programmer can figure out how to write a decent virus. Considering the amount of viruses apparently in circulation, it can't be that difficult. Getting the Kremlin's server to download a virus could be as easy as getting one of the Kremlin's less IT-savvy employees to download it, either by sending them an e-mail of a questionable nature or just by them visiting an infected website, but if you're trying to achieve something specific in a specific place, I doubt a virus would be a good way to do it - it's a very scattershot sort of attack, difficult to target precisely. Stuxnet kind of stands out for being such a rare example of an extremely precisely targeted virus.
DDL
Traditional Evil Scientist
Posts: 3791
Joined: Mon Oct 17, 2005 10:03 am

Post by DDL »

EDIT: NINJA'D BY TEH JONAS

A lot of 'hacking' relies on the fact that people are stupid, i.e. "Hi, it's graham from IT: we're restarting the servers tonight and it'll wipe everything, so we need your password so's we can reimplement it after the reset. Thanks!"

Bam: password acquired.

A lot of the rest are just DDOS attacks, which pretty much just boils down to spamming a website with spurious traffic. You can do them from your front room, sure, you just use a botnet (which are apparently for hire: who knew?). So you tell a bajillion secretly slaved computers to devote a smidgen of their time to spamming a website, basically.

Viruses can be pretty much put together from off-the-shelf components, very little sophisticated programming knowledge is needed. Sure, they'll be shitty viruses, probably, but see "people are stupid", above: often a shitty virus would be enough.

Even the 'good' viruses are generally just iterations on existing themes.


Almost all 'anarchic' anonymous-style hacktivism is just DDOS and 'reading of emails', generally ones on poorly secured servers (i.e. ones where you can exploit human stupidity to get in). It's just that many people seem to conflate "PowerGen's website is down" with "OMG TEH POWER GRID AM BORKEN!", because (again) people are stupid. You'll note that even on "shit, we done got attacked" damage limitation mode, company spokespeople seem incredulous that anyone would be stupid enough to think "broken website" equals anything other than "broken website". Still, "Hackers force powergen off net" is a nice suitably-vague news headline that sounds dramatic and shifts copy.


Proper spy-style stuff usually relies on a dedicated team of people and ideally (as Jonas says) an inside man. A lot of it is probably 'brute force' stuff rather than clever code, since brute force is always going to work eventually (clever code, not so much). And of course the truly secure systems aren't on the net at all, so then you need your inside man.
Post by Jonas »

DDL wrote: It's just that many people seem to conflate "PowerGen's website is down" with "OMG TEH POWER GRID AM BORKEN!", because (again) people are stupid.

Obligatory relevant XKCD: http://xkcd.com/932/
Post by Neveos »

Right. No, there's just been press conferences warning people that they could possibly do something like that. A scenario like that is probably just under hack computer -> computer explodes killing user.

http://www.dailymail.co.uk/news/article ... warns.html

But yeah that's what I'm wondering: the believability of a wikileaks or anonymous. I really don't buy the Julian Assange story. The Anonymous movement actually seems like NSA attempting to lure real potential hacktivists out into the open.

That's what blows my mind: something like a "ddos" attack on a website could be traced, and the damage is minimal. They would almost always need an insider or social engineering for something like email extraction or to even know what to target.

Question: websites like this, where we have to provide a username and password. You guys can obviously look up the password from the server, right? I use 3 grades of password, and stuff like this is the lowest grade, but other people probably use a universal password. That actually seems like an easy way to catch people's login information.
Post by DDL »

Wait, you think Julian Assange is a government plant?

:shock: :shock:

Honestly, if Anonymous were a covert government operation designed to lure out hackers, it would be vastly less incompetent and dickish. Hell, it's not even an organisation, it's more like a thousand angry vindictive children in a sack. And if Assange were a plant, then I suspect governments would be spending less time trying to pin rape charges on him, and Bradley Manning wouldn't be languishing in 'detention'.

Also, never believe anything in the daily mail, it's a newspaper designed to make you hate/fear things.

Finally, DDOS attacks are, as noted, usually executed remotely via a botnet, so there's nothing to trace. Or more accurately, there's too much to trace, all of it useless: "you were DDOSed by seven million computers, here are their IPs. All of them are slaved botnet computers that have no idea they are".

Or at least, that's my understanding. :P
Post by Jonas »

Neveos wrote: Question: websites like this, where we have to provide a username and password. You guys can obviously look up the password from the server, right? I use 3 grades of password, and stuff like this is the lowest grade, but other people probably use a universal password. That actually seems like an easy way to catch people's login information.

Not really. Passwords are typically stored "hashed", meaning encrypted into complete nonsense. If you've got access to the system, you can get the encrypted passwords, but as long as the system that took the input from the user and encrypted it is relatively competent, decrypting them can be immensely time-consuming - it's something you might be able to do with one specific password if you know what user it belongs to, but if you want to decrypt all of the hashed passwords you'll need a shitload of processing power and/or an incredible amount of time. As far as I know.

There are examples of online systems where passwords were stored in plain text (ie. unencrypted). That would be something like Gawker's unbelievably incompetent comment system where somebody got access to the database and released the passwords of all Gawker's users, much to everybody's general dismay. This is not the case for these forums, for example, as they run on PHPBB3, which hashes all user passwords with a framework called phpass.

Of course, as a user it's always best to assume the system you're using is insecure. Which means you should use different passwords for every website you use. Personally, I think that's too many damn passwords, so I have 3 mental tiers of importance, with unique passwords for all websites in the top tier (email, bank, phone, OTP control panel, etc.), a couple different (rather strong) passwords for the medium tier, and a couple simple and easy-to-remember passwords for the low tier (mostly forums that I've signed up for once with no expectation of ever needing to use them again).

DDL wrote: Finally, DDOS attacks are, as noted, usually executed remotely via a botnet, so there's nothing to trace. Or more accurately, there's too much to trace, all of it useless: "you were DDOSed by seven million computers, here are their IPs. All of them are slaved botnet computers that have no idea they are".

Or at least, that's my understanding. :P

That is my understanding as well.

PS. Here's how long my Steam password is: **************************
I take passwords pretty seriously ;)
Jonas Wæver
Chief Poking Manager of TNM

I've made some videogames:
Expeditions: Rome
Expeditions: Viking
Expeditions: Conquistador
Clandestine
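
The difference between plain-text and hashed password storage described in the post above, as an added example that is not part of the original thread and is not phpBB's or phpass's own code: a Python sketch of the salted, iterated MD5 "portable hash" scheme that phpass implements, written with the `$H$` tag phpBB3 gives those hashes. The function names, the sample password and the cost setting of 11 are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Alphabet of phpass's custom base64 variant.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
PREFIX = "$H$"  # phpBB3's tag for portable hashes; stock phpass writes "$P$"


def encode64(data: bytes) -> str:
    """Encode bytes the phpass way: low 6 bits first, no padding."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def crypt_portable(password: str, setting: str) -> str:
    """Recompute a hash from a password and the 12-char setting (tag, cost, salt)."""
    if len(setting) < 12 or not setting.startswith(PREFIX):
        raise ValueError("not a portable hash setting")
    count_log2 = ITOA64.index(setting[3])      # cost is stored as one character
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count out of range")
    salt = setting[4:12].encode("ascii")
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):           # key stretching: 2**count_log2 rounds
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + encode64(digest)


def hash_password(password: str, count_log2: int = 11) -> str:
    """Create the value the server stores, with a fresh random salt per user."""
    salt = encode64(secrets.token_bytes(6))    # 6 random bytes -> 8 characters
    return crypt_portable(password, PREFIX + ITOA64[count_log2] + salt)


def verify_password(candidate: str, stored: str) -> bool:
    """Login check: re-hash the candidate with the stored salt and compare."""
    try:
        recomputed = crypt_portable(candidate, stored)
    except ValueError:
        return False                           # malformed or foreign hash format
    return hmac.compare_digest(recomputed.encode(), stored.encode())


if __name__ == "__main__":
    password = "tier3-forum-pass"              # constructed sample value
    plaintext_row = {"user": "alice", "password": password}
    hashed_row = {"user": "alice", "password": hash_password(password)}
    print("plain-text table leaks :", plaintext_row["password"])
    print("hashed table leaks     :", hashed_row["password"])
    print("same password, new salt:", hash_password(password))
    print("correct login accepted :", verify_password(password, hashed_row["password"]))
    print("wrong login rejected   :", verify_password("password", hashed_row["password"]))
```

The server never needs the original password back: login re-runs the hash with the stored salt and compares results, and the per-user salt means two users with the same password get different stored values. Salting and stretching only raise the cost of each guess, so they do not protect a password such as "password", and current systems prefer bcrypt or Argon2 over iterated MD5.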
Post by Neveos »

haha, alright thanks. I don't think the government is so incompetent though. They are competent enough to try, but are usually pretty tacky in execution. Kinda what you'd expect paying people to get together in a room and hash out ideas as a think tank. Kinda like the OBL raid. Where we caught him following a "courier" (it just so happens fallout: new vegas [no I'm not always in game land] put a lot of emphasis on the term "courier" months leading up to this) and they pulled it off with "silent helicopters" (as if we didn't already know about them) over night in a military complex in Pakistan. And announced it in America after everyone went to bed, and then supposedly dumped his body in the ocean at night in accordance with a Muslim law that doesn't exist. All while releasing Obama's birth certificate the day prior along with Prince William's wedding. They were shown reacting to the raid as it occurred, but claimed they couldn't remember what they saw, and then claimed the helmet cam blacked out at the moment of the raid, so they were all agasp at a black screen. But it "has to be real because we accidentally lost one of our black helicopters so there's that sacrifice of secrecy, and why would they want to do that??" Later the seal team supposedly dies in a helicopter crash, so they can't say anything.

You see, it's like, kind of the same way a really good liar works. It gets done, but it gets extrapolated to the point of lunacy.

For instance, wikileaks is a perfect example. It's like a group of people thinking, "we have a real problem with conspiracy theorists on the internet, and a potential problem with the existence of whistleblowing on the internet". So they create an albino super-hacker out of thin air which has servers in hidden bunkers and hops from country to country "hacking" and revealing nothing but innocent plots to acquire resources, and denies any real conspiracy theories, while making hard working intelligence agencies look like victims of a deranged weirdo who rapes women. Its usefulness changes over time.

If Anonymous is what I expect it to be, a government op for sniffing out potential real hacktivists, they name it "Anonymous" because they want it to seem that interested persons will remain hidden. They also have the ability to then blame the group for cyber-terror.

Except, if they are operations, they are idiotic operations because they cause massive blow-back because now you are just creating social groups and making the practice of questioning the government exciting and popular. You are also opening up institutions which could be hijacked by whistleblowers in the program, which I think has actually happened to both ops.

So when it comes to conspiracy, it really is this mixture of clever but stupid. You have a few people each manipulating a few more, and they more, and you end up with a cluster fuck, and you have to rely on the mainstream media to simply look pretty, be stupid, and read the teleprompter with the right inflectional tones to keep the population from combusting into flames.
bobby 55
Illuminati
Posts: 6354
Joined: Wed Jun 24, 2009 9:15 am
Location: Brisbane Australia

Post by bobby 55 »

Apologies for jumping in but Assange isn't the hacker is he? I thought he was just the front man so to speak, and that he got his info from some American serviceman (who's currently facing a shitload of charges).
Growing old is inevitable.......Growing up is optional
Post by Neveos »

bobby 55 wrote: Apologies for jumping in but Assange isn't the hacker is he? I thought he was just the front man so to speak, and that he got his info from some American serviceman (who's currently facing a shitload of charges).

I honestly haven't looked too much into wikileaks. However, from what I know about him, he is a hacker who eludes detection and reveals private government documents, and I would assume he does so, at least part of the time, "hacking". Such a lifestyle as his is alleged to be (travelling by plane all the time) would be extremely costly (it is just too likely to crash financially), so I don't really believe that someone's life could be so epic or dramatic without it being some sort of set up. And his appearance and name "Julian", it just all seems so put together.
Post by DDL »

Erm.

Wow.

Ok. So....Assange is actually more of a..figurehead: he's the nominal owner of wikileaks: a website that collects and disseminates leaked confidential information, often of the governmental type (but also corporate and so on). Usually things like emails along the lines of "pah, fuck it: the contaminated water won't be detected until we're both retired! LOL" and other such gems. He's (essentially) the person registered as owning the servers, and an identifiable personality to attach to the whole wikileaks phenomenon (not least because the media love personalities). He doesn't hack stuff himself, people send stuff to him. Most of the time the stuff they're sending isn't hacked stuff either, it's simply stuff they have but shouldn't be showing to people. Hence wikileaks, not wikihax. So if you're a young US military guy (for instance) and you suddenly find you've been given access to databases recording some truly morally dubious stuff, and you have a conscience, then you copy it and send it to wikileaks. And then you get put in prison forever, because "fuck you, morality".

Wikileaks funding comes largely from private donations, i.e. people with disposable income and consciences. A lot of these donations are routed through places like paypal and mastercard, which is why the government pressured paypal and co to suspend the accounts during the whole wikileaks fiasco (not that paypal generally needs much pressure to suspend accounts), and this is why Anonymous then DDOSed the shit out of paypal and mastercard and so on.

Plus, most of the wikileaks personnel are volunteers: the lawyers mostly work pro bono, etc. The money is pretty much spent on flights and server hosting, and is under 1 million USD a year (estimated). Given how much money you can get through kickstarter just for a point and click adventure game (purely from computer game fans), you can understand how it's possible for wikileaks to secure funding fairly easily. Well, assuming the government doesn't illegally suspend their accounts, and stuff.

Really, Assange is simply a recognisable face to associate with wikileaks: he's not an uber hacker with a jetset lifestyle, he's just a guy who owns a website that governments happen to hate. He's not even that important to the process, which is something governments are slow to catch up on (they really don't understand this whole internet thing).

So there's that.


On to Osama bin Laden. Right. Well. If you were going to fake the killing of someone as influential as Osama, first and foremost...you would need to be absolutely sure he was already dead. If you put all that effort into faking an assassination and then he pops up in a cave saying "o hai USA! I'm fine acshully lol" then your credibility just took a massive nosedive.

So he's almost certainly dead, whether or not he was killed at that compound.

Secondly, the compound was in Pakistan. If the whole thing was faked, this means the USA flew helicopters full of special forces troops into a sovereign nation with whom they are not currently at war (and indeed have a healthy trade relation with), attacked a building in a populated area and murdered lots of people inside it (or pretended to), then flew away, blowing up one of their helicopters in the process. That's...well, actually a perfectly justifiable casus belli for pakistan moving to a war footing. And they have nukes.

That all seems horrendously risky and indeed utterly stupid when they could've simply faked an attack on a cave in afghanistan, a nation with little solid infrastructure that is full of caves and mountains miles away from witnesses, and which also happens to be currently full of US military personnel.

Finally, burying him at sea without displaying the corpse was..well, actually one of the most dignified aspects of the whole grisly process, to my mind. You've got all that footage of insurgents dancing around murdered US troops, and those ever popular beheading videos: the very last thing the US wants to do is step down to that level (and indeed the troops who DO stoop to that level are a constant headache for the US PR effort). Burying him at sea prevents anyone constructing a shrine to him at his burial place, and getting it done within 24 hours, according to proper muslim traditions (it's the 'within a day' bit, not the burial at sea, that is traditional), demonstrates that the US is not conducting a war on islam, which is great international PR, and could swing some votes with the muslim voter block back home (though hey, it's not like they'd vote republican....).
Add to that, that in all honesty, the number of people crying FAKE! I CAN TELL BY TEH PIXELS would be vastly greater if they HAD released footage. Treating the whole thing as a messy but necessary business, carrying it out with expertise and speed, and subsequently handling with quiet dignity...well, that sort of shit makes you look a lot better to the international community.

So overall, you have to wonder why, if the whole thing was faked, anyone in their right mind would fake it in such a godawfully stupid, risky, expensive, hugely prone to exposure style fashion.
Post by DDL »

And finally, Anonymous.

Are you seriously suggesting that Anonymous, a group that essentially formed from the more computer literate and dickish members of /b, on fucking 4chan, is actually a government plot?

See, this is the problem the papers are having, too: they keep thinking of Anonymous as an organisation, or hell, even a group. They're not, they're just a bunch of dickheads with more time and education than sense of restraint, who happen to hang around on the same forums. They don't even have a cohesive agenda: for every news report that says "a spokesman for the hacker collective anonymous said X", there'll be umpteen forum posts of others saying "lol wut", and "hu put u in chaerg lol" and so on. It's a big sack of mischief-focussed asshats who barely know each other outside of the forums themselves. Some are simply bigger asshats than others, or have been there longer.

In reality, this is half the problem: there is no central leadership structure, no agenda, no recognisable targets: one day they'll be all up in mastercard's face, doing petty bullshit like DDOSing their homepage, then the next day they'll be ruining the life of a 14 year old girl because she said she didn't like kittens. It's random, spastic, headless mischief that frequently does things simply because it can, and because it's funny.

Most of us could easily recognise such ephemeral, attention-deficit-esque pointless lulz-based scattershot aggression/mischief as "just the internet being the internet. Sigh", but for governments that are still mostly run by old men in suits who went to Eton/Harvard/Yale together, this whole thing is confusing and well outside of any paradigm they have experience for. Thus, "scary! Kill it with fire!"

Plus making Anonymous seem organised, dangerous and vengeful, rather than petty, easily distracted and basically "doing it for the shiggles" tends to make for much better news stories.

Like the XKCD link jonas posted suggests:

"HACKERS FROM ANONYMOUS SHUT DOWN CIA" sells papers.

"Some bored dicks on the internet spam CIA's homepage until it has to be reset" does not sell papers.
Post by bobby 55 »

Wow, thanks DDL. I think the plan was to capture him but he came out of his bedroom brandishing an automatic rifle, so it was less an assassination (purportedly) and more of a reflex thing. Admittedly I read that so it's not actually gospel.

Edit: that is related to the previous post.