Arik Hesseldahl


At the Height of Their Infamy, LulzSec Hackers Call It Quits

The hacker group LulzSec says that after 50 days, it’s through causing trouble on the Internet. In an announcement posted to Pastebin and linked from its Twitter feed, the group said that the latest batch of files it released via BitTorrent would be its last. (The link to those files has since gone dead.)

“For the past 50 days we’ve been disrupting and exposing corporations, governments, often the general population itself, and quite possibly everything in between, just because we could,” the group wrote in its statement.

The collection of files it released — LulzSec’s “booty” — which I downloaded, contained a mishmash of text and images intended to demonstrate, one last time, the group’s hacking prowess. Among the collection was an image of a U.S. Navy web site civilian jobs board that had been defaced with 11 entries reading “PabloEscobar AntiSec.”

Another file, entitled “Office Networks of Corporations,” is a text file containing what appear to be the IP addresses of internal corporate networks belonging to several media and telecommunications companies. Among those on the list are the Walt Disney Company, Sony — a favorite LulzSec target — Qwest Communications and the EMI Group.

By far the biggest file — clocking in at more than 600 megabytes — was a folder containing what appeared to be internal documents taken from AT&T. They include what seem to be planning documents, timelines, internal memos related to testing and other documents concerning the construction of AT&T’s LTE wireless network.

Another file appears to be an internal memo concerning the structure of an AOL network.

Another text file, entitled “silly routers,” contains a long list of IP addresses of routers, the networking equipment that functions as the traffic cops of the Internet. Next to each IP address are the credentials used to log in and make changes to the settings of those routers; however, in each case the username and password are “root” and “admin” or “root” and “root.”

The significance here is that “root” is the highest level of administrative access that can be gained on any computer. A user with “root” access has complete control over the system, and “gaining root” is the gold standard of practically any hacker attack. In this case the joke — or Lulz — is that the root accounts are guarded by default passwords, either “root” or “admin,” meaning they’re essentially unguarded. I traced a few of the IP addresses and found they correspond with addresses in Brazil, where a LulzSec branch — really more of a copycat group — has emerged in recent days.

So why is LulzSec calling it quits now at the height of its infamy? For one thing, the heat is clearly on. At least one person said to have ties to the group, a 19-year-old named Ryan Cleary, has been arrested in the U.K., and assuming the person they’ve arrested is guilty as charged, chances are that when the pressure is on, he’ll give Scotland Yard as much evidence as he can in exchange for a lighter sentence.

Additionally, more information has started to emerge about the group via rival gangs and people who are former members. The Guardian Newspaper on Friday published a fascinating account, including a lengthy chatroom transcript that provides a great deal of insight into the group’s inner workings. That this much information has wound up in the hands of a newspaper means that the cone of silence the group’s members have relied upon to cover their tracks is starting to break down. Law enforcement agents looking to make more arrests will be combing through the logs looking for connections.

They’ll be looking for someone else like Cleary, who has a history of hanging around on the periphery of groups like LulzSec, and who may have knowledge of how they operate, or other identities they use online. If it plays out as other cases have, eventually investigators will hit upon another clue that will lead to the arrest of a key member who will, when the pressure of the law is brought to bear, start naming names of the other members.

With that kind of heat, it behooves LulzSec’s members to go silent and split up, and stop creating any kind of digital trail that might lead to them. Chances are that each member will destroy any evidence in their possession that might implicate them personally: Hard drives will be wiped and perhaps physically destroyed. At the same time they’ll probably retain somewhere enough evidence that will help them finger other members in the event they’re arrested.

Then again, there may never be any more arrests. There are untold scores of infamous computer crimes committed for which no one ever got arrested.

One such group that comes to mind is Hacking for Girliez, which in 1998 defaced the Web site of the New York Times. (See a mirror of what they put up here.) The people who carried out the attack later granted an interview to Forbes Magazine, but were never heard from again. No one ever faced charges in that incident, and the statute of limitations has long since expired.

LulzSec’s members could find a way to quietly fade into digital obscurity in the same way that Hacking for Girliez did more than a decade ago. But then much depends on how well its members can keep their mouths shut. Part of their appeal was their ability to brag about their conquests so publicly and with apparent impunity. If each of the group’s six members can resist the urge to brag that they were once part of the Internet’s most infamous gang of troublemakers, they might just get away with it.

LulzSec’s farewell Tweet and statement are below.

50 Days of Lulz statement: | Torrent: Thank you, gentlemen. #LulzSec
The Lulz Boat

