Why Lizard Squad Took Down PSN and Xbox Live On Christmas Day

DroidJason1 writes Early Christmas morning, hacker group Lizard Squad took credit for taking down PlayStation Network and Xbox Live for hours. This affected those who had received new Xbox One or PS4 consoles, preventing them from playing online. So why did they do it? According to an exclusive interview with Lizard Squad, it had to do with convincing companies to improve their security — the hard way. "Taking down Microsoft and Sony networks shows the companies' inability to protect their consumers and instead shows their true vulnerability. Lizard Squad claims that their actions are simple, take down gaming networks for a short while, and forcing companies to upgrade their security as a result."

They're assholes.

Why did they do it? They're assholes.

Re:They're assholes.

[burni2]

Perhaps because they are not those assholes, as you imply?

They could have done much more harm with access to credit card information, like transfering money to many dubious locations.

So they just gave you time to think about your game consumption, and the opportunity to think about the "silent" in silent night.

Re:They're assholes.

[Mister+Transistor]

(Waves Hand)

These are not the assholes you are looking for...

So they weren't as malicious as possible, that gives them a pass somehow?

Re:They're assholes.

[burni2]

A pass in the sense, that they might have used the only possible solution to give these companies a hint. As those companies did not do their share in protecting their network - and their users.

In law there is a principle, that in the case of an emergency you can justify breaking law without punishment.

But, this does not justify torture, but it gives you the option to kill someone that instant this person threatens your or other human life directly.

Also those "bastards" did not impede on basic human rights,
even the right to "commerce" is only slightly restricted now (it will be up and running quickly), no company will be bankrupt.

Nor was personal data published. If they would have done that, the verdict would be different because it would impede on human rights.

Re: They're assholes.

No they couldn't. This was a ddos attack that any dumass with enough gear can acclompish. They're a bunch of adolescents trying to become rock stars. There is not one ounce of benevolence here. Sorry to inform u.

Re:They're assholes.

[JackieBrown]

So they just gave you time to think about your game consumption, and the opportunity to think about the "silent" in silent night.

They stopped because they were paid off. Thinking of them as noble or anything less than assholes gives them to much credit.

https://twitter.com/LizardMafi...

Lizard Squad @LizardMafia 10h 10 hours ago
Thanks @KimDotcom for the vouchers--you're the reason we stopped the attacks. @MegaPrivacy is an awesome service.

Re: They're assholes.

"Hey, I could have stabbed you in the eye, but instead I just beat you down. No worries you will heal and by the way, all I did was show you you need a self defense class. See how nice and helpful I am?"

Re:They're assholes.

[burni2]

I did not watch their twitter, but considering this, you are right, and I need to change my verdict.

Re: They're assholes.

By that argument, one could make the argument for someone going round and breaking windows or shoving doors open and yelling "Could've been worse!!!" Lol

Re:They're assholes.

[johnlcallaway]

Denying many people the ability to play games simply because they think they know best means they are assholes. Assholes who think that the ends justify the means, no matter who it affects.

Worse than just plain assholes, they sound like self-righteous, inconsiderate assholes.

That may not be fair ... saying someone is an inconsiderate assholes may be redundant.

Hmmm .. what do you call someone living in their mother's basement who has delusional ideas about their value to society and is willing to impact the lives of other people to prove a misguided point??

Maybe jerkoffs is more accureate?? Or Dicks?? Possibly Dickheads??

Or maybe they are more like Snowden and Assange and just egotistical assholes but on a smaller scale.

Saying someone could have done something far worse doesn't make them any less culpable for their actions.

I hope the police find them and send them and their assholes to jail, where someone can actually show them another use for their assholes.

Re:They're assholes.

[DarkOx]

I think at least some blame does need to be lay at the feat of Sony and Microsoft here, but not because of 'network security' but rather creating the risk in the first place where there does not need to be one.

This was basically a DDOS attack. By and large those are difficult to defend, and the usual defense is just having over whelming resources. Should everyone just go an 90% under subscribe systems just to make the DDOS proof? I don't know does not see practical.

Why do these systems need network access to play a game bought on a disk? That is the bigger question, sure I can understand only supporting multiplayer through a centralized service, my issue is with the activation and phone home crap. There is no "good" reason someone should not be able to use these things without network access for single player experiences.

Customers out realize that the system is brittle because Sony and Microsft created a hard dependency where there never needed to be one. It might not be their fault they are attacked, but they do know or should have know they are targets. Hopefully the lession they take away from this is that basic functionality should be there if you have the system and game disk fresh out of box. Maybe you can't update, download new content, do multiplayer but folks ought to be able to at least play with it even if the network is down.

That way the scope of these little disasters would be limited.

Re: They're assholes.

[mcheesier]

They did do that on microsofts servers

Re:They're assholes.

[gbjbaanb]

Ok, so there are many aspects to this - big corporation, single points of failure, 'improve security', steal credit cards/passwords, offline play, etc but there's one that stands out for me:

DDoS. Its trivially easy to send massive amounts of data at something and we have pitiful ways of mitigating it - in fact there is nothing you can do to mitigate it except buy more pipe than the attacker can fill. This is pants and isn't something the attacked companies can do anything about (except buy more pipe - which is ok if you're the size of Microsoft)

We need to start putting egress filtering in place to prevent these easy attacks, if the networks dropped all packets that didn't have a correct source IP, most DDoS would disappear as an attack (sure you'd still be able to gather lots of people/hacked machines together to instigate a DDoS but the attacker would be able to tell who they were and possibly get them fixed/cleaned for future).

The definition of a correct source IP - its an IP address the ISP owns. Its too easy to just create packets that have a random source IP or the IP of the target. We should be fixing this aspect of the internet years ago.

Re:They're assholes.

[jtwiegand]

I think the reason companies include the nuclear, always-online, DRM model, is because they are under the mistaken assumption that 1 pirated game = 1 lost sale. This is almost certainly not the case, or even close. I'd wager it's more like 1 pirated game = .01 lost sale.

Re: They're assholes.

Hi. You are dumb. Very dumb. Now, being a moron, you probably don't realize just how dumb you are, so I won't hold it against you. But now that I have informed you that you are stupid, you now have a responsibility to not go around talking about things you are ignorant about (likely everything).

Simply because something is not physical does not make it not real. And, in actuality this "attack" was as physical as a door. Routers are physical, switches are physical, computers are physical even if their OS has been virtualized. And the services they provide are just as real as the doctors' services behind a door at the physician's office.

So distinguishing between a DDOS attach and blocking a door is rather stupid and you should feel shame by bringing up such a ridiculous argument. Go stand in the corner, child.

Re:They're assholes.

[Penguinisto]

Or maybe they are more like Snowden and Assange and just egotistical assholes but on a smaller scale.

Need to take a bit of exception here, but mostly because of degree and motive:

* You can agree or disagree with what Snowden did, but you cannot deny that the man acted on principle - more importantly, he put his name and his ass on the line for what he did. Note that he also could have just as easily just anonymously *sold* the info viz. Silk Road/BTC and quietly retired as a zillionare in Ecuador.

* Assange? IMHO he's a narcissistic asswipe (I base this mostly on Cryptome's assessment of Wikileaks' early dealings with them), but again, he put his name and ass out there for better or worse.

* These "lizard" guys? Script kiddies who wanted a 'rep and managed to get paid, then tried to cover it up with some nobility bullshit. Perhaps a smaller-scale version of Assange in the aspect that they wanted a reputation, but unlike Assange, they weren't willing to stick their necks out.

Re:They're assholes.

[Chaos+Incarnate]

These systems don't need network access to play a game bought on a disk.

The Xbox One at least used to need Internet access for first-time setup (it didn't include a final firmware image out-of-the-box) - don't know about PS4. But once that's done, you can play offline in single player or local multiplayer to your heart's content.

Re:They're assholes.

The games CAN be played offline. But unfortunately, the systems (and many of the games) needed an initial patch, which they couldn't get.

My son was lucky in that he received his Xbox One on xmas eve and the updates downloaded fine. Come Xmas day, we just popped in the game disc and it ran just fine once we told the Xbox to go to offline mode.

The reason these guys are ASSHOLES is because of all those excited kids that opened their BIG present and couldn't do anything with it because the update patches couldn't be downloaded. If these guys came through and took a toy from a kid's hand, you wouldn't be saying they aren't assholes because they COULD have beat people with bats at the same time.

Re: They're assholes.

How could they obtain any information from basically doing the equivalent of ringing someone's doorbell a hundred times a second?

Re:They're assholes.

[l0ungeb0y]

The real assholes here are MS and Sony for knowingly maintaining insecure networks even after Lizard Squad already took them down and publicly warned that it was but a taste of what was to come on Christmas. These ASSHOLES couldn't be bothered to conduct security audits or take any action at all to prevent the take down they knew was coming. Why? Because they are ASSHOLES and the industry has found that paying for security is far more expensive that letting the attackers do whatever. Sony, Target, Staples et a have seen first hand that it doesn't matter how much consumer info you give attackers, the consumers that were harmed will always come back and there is no punishment to be faced. Until Congress passes Federal Laws criminalizing maintaining known insecure networks that contain sensitive consumer data that either opens the gates for Class Action Suits and imposes substantial Legal Penalties, we wont see this behavior changed.

Re:They're assholes.

[gatkinso]

No... they are assholes.

Re: They're assholes.

[Mashiki]

No, that was sony.

Re: They're assholes.

[ls671]

Exactly, think of the children !

Re: They're assholes.

[ScentCone]

A door and windows are real.

It's idiots like you, who think that businesses, networks, people's entertainment time, and the like "aren't real" that give comfort and encouragement to idiots like the guys who pulled this. They did it to be dicks, just like other dicks might throw a rock through your window and nail your TV right before you were going to watch the World Cup match you've been waiting weeks to watch with your friends. Or, in a closer analogy, waiting until moments before the game starts, and then cutting the cable that services your house or apartment building.

Let me guess: that soccer game's not real! They're not at the stadium in person, so denying them the chance to watch it as they planned isn't actually harmful! Destruction of the time someone plans to use in a certain way is a theft more real, in many ways, than stealing physical objects. You'll never be able to replace the time. Which is one of the reasons these guys are dicks. Deliberate, purposeful, not noble in any way, dicks.

Re:They're assholes.

[ScentCone]

The only victims here are the users who bought into a DRM'ed, locked down platform.

You're right, all those people should have chosen to buy fun, well-developed, richly supported gaming platforms from one of the many providers who offer open source, freedom-minded, anti-IP, systems that have a large selection of really cool massive multiplayer games with giant networks supporting all of that activity. There are so many to choose from that I'm sure it's why you just didn't have time to list them.

Re: They're assholes.

[ScentCone]

They didn't steal

Sure they did. They stole time from millions of people. They deliberately screwed with the expectations and plans of millions of people, all for a little bit of cash and bragging rights among their fellow assholes.

Re:They're assholes.

[DarkOx]

This is true, but the issue is that is dumb! You really should be able to unbox a toy on Christmas morning have it work without going out the Internet and connecting to some account.

Maybe not all the functionality can be there, but functions that don't naturally require network access should not require network access.

Re:They're assholes.

[Casualposter]

Ok, here are a few points:

(1) Distributed Denial of Service (DDOS) is not a security issue for the victim. It is a security issue for the thousands of computers illegally used in the attack - think thousands of illegally accessed computers, theft of the electricity and network access required to run a bot net sufficient to impact a large network like Microsoft or Sony's.
(2) Nothing the Victims security team could do would prevent a DDOS from occurring. That Microsoft or Sony's security was bad, is irrelevant to any DDOS. DDOS is like having a group of people drive bumper to bumper around your block. You can't get out, and that fancy home security system isn't going to stop the cars in the street.
(3) They were apparently in it for something other than principle as it has been pointed out that they tweeted that they received compensation to stop the DDOS. So extortion? That's not a protest at all. That's like someone getting out of one of those cars and asking you for money to make the artificially created traffic jam go away. Which is very similar to an arsonist selling protection from him burning your house down.
(4) Anyone who wanted to access the affected networks was denied access because of the DDOS. They paid for access to that network and their time on the network was essentially stolen from them. The customers who are adversely affected here are not mentioned - they are just as much victims as the corporate network. Consider for a moment that many of these people may not have much time to access the DDOS's networks due to other constraints upon their time (work, school, etc.) and were looking forward to enjoying some play time. Those plans were cancelled without recourse by the Lousy Lizard Squad and their army of stolen computers. I say stolen computers because I am pretty sure that any DDOS was not done using thousands of willing participants who signed upon on someone's website to allow the Lousy Lizard Squad to DDOS Microsoft. They are accessing other peoples property and spending other peoples resources in electricity and network access to run the DDOS attacks and that is theft of services plain and simple.

So there are four decent reasons to call these people thieves and that makes them assholes.

Re:They're assholes.

[xaotikdesigns]

You are absolutely right. I mean, did you see the way that their network was dressed? They were definitely asking for it.

Re:They're assholes.

[BarbaraHudson]

Perhaps because they are not those assholes, as you imply?

They could have done much more harm with access to credit card information, like transfering money to many dubious locations.

So they just gave you time to think about your game consumption, and the opportunity to think about the "silent" in silent night.

They ARE assholes. Their excuse is as nonsensical as someone saying that they're justified in walking into my home and taking some of my stuff because I don't lock my door - or I don't have "enough" locks. Attention-seeking assholes. (and no, this DDoS does not affect me - I don't own either a sony or a microsoft console).

I can just see it - "Judge, I only held up the bank to show that they need to add more security."

If they're so concerned, why don't they work on solutions to these problems instead of acting like Santa didn't give them a pony.

BTW, they wouldn't have been able to get CC numbers just from a plain vanilla DDoS. They're not actually hacking into the servers.

Re: They're assholes.

[xaotikdesigns]

Score:0, Informative...

I wish I had modpoints, because this is definitely underrated.

Re:They're assholes.

[BarbaraHudson]

Another mitigation strategy would be to allow players to directly connect to each other rather than go through a central server. We were able to do this a couple of decades ago, but now we can't? Or rather, it's because the companies want to continue to control what you do after the sale, to sell you the parts of the game they "forgot" to put on the disk.

And when the servers no longer support that game that you and your friends really love because it's become a classic, you're hosed.

Re:They're assholes.

[BarbaraHudson]

It's the old version of "batteries not included," but now on the INTERNET so somehow it's okay.

Re:They're assholes.

Plus their benefit vs harm ratio is kinda crap. Any idiot knows that online game stuff is vulnerable to DDOS. It's normally not a big problem because there doesn't seem to be enough money for most attackers to DDOS such stuff regularly. Most of them probably want more than vouchers from Kim Dotcom. So you cause a problem now and you don't really reduce future problems.

Whereas it seems lots of people actually didn't know the bad and evil things their governments were doing, and Assange and Snowden opened at least some of their eyes. Greater awareness of that is a step towards eventually reducing the bad stuff. It may not actually fix stuff (people might still not care), but what other better options and paths are there?

Re: They're assholes.

[BarbaraHudson]

Also those "bastards" did not impede on basic human rights, even the right to "commerce" is only slightly restricted now (it will be up and running quickly), no company will be bankrupt.

Bringing in the term "human rights" to attempt to say "well, since they didn't violate basic human rights, it's okay that they did a DDoS to point out the problems with security. That's like saying "I killed your therapy dog, but owning a dog isn't a basic human right, and I did it to point out that you need better security for your dog, so instead of getting upset you should be thanking me."

And your reference to Kim DotCom is just another red herring. Even if the handling of that case was wrong, the last time I looked two wrongs don't make a right.

Re:They're assholes.

[westlake]

Why do these systems need network access to play a game bought on a disk? That is the bigger question, sure I can understand only supporting multiplayer through a centralized service, my issue is with the activation and phone home crap.

Consoles have long since ceased to be video game players alone.

That is why Xbox Live Status posts a breakdown by services and apps.

It is perfectly possible for activation and content management services to be up while multiplayer gaming is down.

That way the scope of these little disasters would be limited.

The geek needs to remember that he pays a high price for these attacks.

"The Lizard Squad" is a perfect fit for the popular stereotype of the eternally-adolescent-and-irresponsible geek, aka the malicious practical joker, the hacker. Each hack chips away at the geek's credibility and political effectiveness where he needs it the most.

Re:They're assholes.

[BarbaraHudson]

I did not watch their twitter, but considering this, you are right, and I need to change my verdict.

That doesn't change the fact that you were saying it was okay for them to do this before you found out it was ransomeware - if that's even true. A post on twitter doesn't make it so.

Re:They're assholes.

[Penguinisto]

Plus their benefit vs harm ratio is kinda crap. Any idiot knows that online game stuff is vulnerable to DDOS. It's normally not a big problem because there doesn't seem to be enough money for most attackers to DDOS such stuff regularly. Most of them probably want more than vouchers from Kim Dotcom. So you cause a problem now and you don't really reduce future problems.

Whereas it seems lots of people actually didn't know the bad and evil things their governments were doing, and Assange and Snowden opened at least some of their eyes. Greater awareness of that is a step towards eventually reducing the bad stuff. It may not actually fix stuff (people might still not care), but what other better options and paths are there?

Quoted complete for greater exposure. You should have posted this under a 'nym or login, because it needs to be modded way the fuck up. :)

Re:They're assholes.

[g0bshiTe]

I disagree, I'd say 1 pirated game is = 1 lost sale but 1 pirated game != 1 lost sale profit.

Re: They're assholes.

[BarbaraHudson]

Only if it was by throwing ".net.wpf.windows.break()"

You should make a difference between virtual and real.

A door and windows are real.

Why? On the same basis I should be able to empty your bank account because the money in it isn't real - first, it's only digits in a computer, and second, it's a fiat currency, backed by faith and trust, not real assets.

Note to Sheldon Cooper: If we ever reach the singularity, remember to wipe out this person's virtual self after his body is dead because as far as they're concerned "it's not real".

Re: They're assholes.

[BarbaraHudson]

All they did was download an illegal program [...]

Illegal program. LOL.

ping is illegal? Wow. So linux, freeBSD, Apple and Microsoft have been distributing illegal programs? Quick - call in the FBI!

Re:They're assholes.

[BarbaraHudson]

I think I and others have adequately responded to that question elsewhere. Refresh the thread. It would have been a good troll attempt except it was too easy to refute your basic claims :-)

Re:They're assholes.

[Krojack]

Being able to directly connect to other players is fine but you need to already know a buddy and their IP address first. You would no longer be able to connect to a random game with random people. I loved playing Doom 2 & Warcraft 2 with others but could only do it with my friend when he was home and online or we packed up our computer and took it to the other persons house.

That COULD be an option but very few people would use it today.

Re: They're assholes.

[BarbaraHudson]

I suspect argumentation isn't your strongest skill ?

Switching from one weak "justification" to another as each one gets knocked down, and displaying your ignorance of the basic technology involved shows that trolling isn't your strongest skill. Next time, leave it to the pros.

Re: They're assholes.

[BarbaraHudson]

This is the real crime here. That ignorant people actually think these wannabes are real hackers.

Well, what more can you expect from a wannabe troll?

Re: They're assholes.

[BarbaraHudson]

Exactly, think of the children !

Narcissistic people like this, with a warped moral compass, you DON'T want them thinking of your children. Unless you think Luka Magnotta or Jeffrey Dahmer would make good babysitters ...

Re:They're assholes.

[BarbaraHudson]

True, but they can always send their current ip address to their friend via email, chat, text, or a phone call. Or run a small server that people can join up to independent of the game companies, just to get the other players IPs.

Re:They're assholes.

[jader3rd]

The real assholes here are MS and Sony for knowingly maintaining insecure networks even after Lizard Squad already took them down and publicly warned that it was but a taste of what was to come on Christmas.

A very secure system can still be overwhelmed by an attacking system. It's a more secure design to safely shut down when being over whelmed than to "turn off" security and just let the information flow. So being taken down by a DDoS does not an insecure network make.

Re:They're assholes.

[BarbaraHudson]

Your original premise is still wrong, and has been roundly condemned, both on moral and technical grounds. Just because you reversed it based on a possibly fictitious tweet doesn't change the facts - you tried to troll, you got caught because unlike a well-done troll, you showed ignorance of the basic technology in a tech forum (about as dumb as trying to rob a donut shop next door to a police station).

Also, it's the inability for one single day, and people react like crazy kids, not taking a deep breath of fresh air or being able to relax.

You obviously still don't get it if you really believe that. But then again, you're such a lousy troll, who knows? Maybe you really do.

Re: They're assholes.

[fustakrakich]

Time bandits... If they want to really steal 'valuable' time, they can take down the Department of Motor Vehicles networks. The 'real' thieves make you wait in line all day at the bank, supermarket, wherever. If your game network goes down, at least you can go make yourself a sandwich and watch some soap operas or Springer or something.

On an actually semi-serious note, nobody can say they weren't warned these things would happen when network dependency became all the rage. It was fully expected, yet the 'victims' bought into it anyway. It's almost like leaving the door open with a big sign that says 'free stuff inside, be nice and don't get caught taking any of it'. Right or wrong, people are only following the examples of so-called 'pillars of society', the very people who are supposed to provide guidance and show respect. The rot goes all the way up. When talking about crooks and thieves, we could be a bit more inclusive of who we are dealing with, if you want the message to have much effect. Otherwise the kiddies just point and laugh, noting the *assassin accusing the assassin*.

Re:They're assholes.

There's a secondary (or maybe it's the primary?) bonus to this tactic as well: Shut down the servers in the future and those games just stop working. They cease to be competition for the new games they're trying to sell to you.

This is the other edge of the copyright sword as well, as seen in the movies and music industry. Distribution of digital works is fast and nearly free. With thousands of years of art and entertainment available at your fingertips, why cough up hard-earned dough for rehashed crap anymore?

Re:They're assholes.

[Pubstar]

The point he was making is that they could just be playing on PC. You have a very freedom-minded, open source (if you want it), gaming platform that has a huge library of games to go along with it. Oh, main game servers taken down? Get on something like GameRanger to play online without the official servers. The point, I think you missed it.

Re:They're assholes.

[Dishevel]

Because script kiddies doing DDoS are capable of actual hacking?

Re: They're assholes.

[Oligonicella]

"One is discomfort, the other is dirty intent." Both done by assholes.

Re:They're assholes.

[Dishevel]

Idiots like you make assholes like them bolder.

Re:They're assholes.

[Oligonicella]

A point you seem to be missing is the games they want to play are not to be decided by others.

Re:They're assholes.

[rochrist]

This. Assholes.

Re:They're assholes.

[rochrist]

Because I didn't murder you, mugging you totally makes me the good guy!

Re:They're assholes.

[rochrist]

There's very little you can do to prevent a DDoS attack.

Re:They're assholes.

[luis_a_espinal]

So they just gave you time to think about your game consumption, and the opportunity to think about the "silent" in silent night.

They didn't *give* shit. They *forced* it upon people without giving them a choice. Anyone who think this was benevolent or positive in any way is an idiot living ideological fallacies as if they were real, positive options. #fileitunderfuckyou

Re:They're assholes.

[sjames]

Sure they would. Just meet up on a discussion site and post your IP (using PMs if you're worried about assholes).

Re:They're assholes.

[ShaunC]

I'd say it's worse than "batteries not included." If I give or receive a gizmo that needs batteries, and I didn't get them ahead of time, even on Christmas morning there were several options. Walgreens, CVS, and most gas stations were open and they all sell batteries, so I could go remedy the problem if need be. With this DRM always-online nonsense, there aren't any options.

Re:They're assholes.

[qwak23]

Why do these systems need network access to play a game bought on a disk? That is the bigger question, sure I can understand only supporting multiplayer through a centralized service, my issue is with the activation and phone home crap. There is no "good" reason someone should not be able to use these things without network access for single player experiences.

Customers out realize that the system is brittle because Sony and Microsft created a hard dependency where there never needed to be one. It might not be their fault they are attacked, but they do know or should have know they are targets. Hopefully the lession they take away from this is that basic functionality should be there if you have the system and game disk fresh out of box. Maybe you can't update, download new content, do multiplayer but folks ought to be able to at least play with it even if the network is down.

I can't speak for MS and the Xbox, but I managed to score a free PS4 at a work holiday party and there are only two games I have on disc that have been unplayable during this outage, Plants Vs. Zombies Garden Warfare (the game has an 'offline' mode that should be accessible when the network is down, but apparently not) and Destiny (on-line is kind of the whole point of the game, so at least understandable that it doesn't work). Everything else I own, even the stuff that was acquired digitally and downloaded straight to HDD works just fine.

So yeah, Sony did not create a hard dependency where there never needed to be one. During the outage the system has been playable, the majority of the games have been playable, disc or not. Instead of playing Destiny, I played Samurai Warriors 4. Aside from not being able to play on-line games, the only real difficulty I could see someone having is with a new console needing an update in order to play some newer games as I'm not sure if there is a work around for that. In the past I've seen companies ship games with console updates on disc, not sure if that practice still happens.

Re:They're assholes.

[Stan92057]

Please explain how I having bought a game DVD called Battlefield 4, install it, then be able to play with 59 other people on a server located say in Atlanta. Console is no different except the games not installed but they can still play with 20 plus people on a server located somewhere on earth. I am not sure but I think console player have the ability to play on the very same severs PC players are. All of which are paid for and run by individuals Not EA or Sony

Re:They're assholes.

[DarkOx]

Please understand none of my observations were intended to be supportive of Lixard Squads' actions.

I think what they did really sucks. I just think it also sucks Sony and Microsoft put them in a position to do it.

Re:They're assholes.

[DarkOx]

I don't have a current generation system yet so i am legitimately curious. Were you able to unbox the PS4 without a connection?

I know things will keep working can a newly out of cardboard unit be make functional without calling home at least once?

Re:They're assholes.

[AaronW]

NAT makes this difficult to do for multi-player games. Now you require the gamers to set up port forwarding on their routers, many who have no idea how to do that.

Re:They're assholes.

[rwven]

No, they couldn't have done anything worse. They control a huge botnet and they just pointed it at PSN and XBL. They didn't "hack" anything, and this has nothing at all to do with security. It was just a troll move.

Re:They're assholes.

[im_thatoneguy]

Total bullshit. They DDOS'ed the gaming servers. That's not "insecure" that's just overwhelmed. That's like saying that your bank account is insecure because protesters can chain themselves to the door handles and prevent you from entering the building. It is far more expensive to secure your servers against random bursts of demand because they shouldn't and can't really protect against it. It would be like saying "well I shot up your house to prove how weak your walls and windows are." No shit. I'm not going to install ceramic plating costing millions of dollars throughout my exterior siding nor am I going to sacrifice my nice large windows and replace them with 3" bullet proof glass because somebody might at some point shoot a gun at my house.

Re:They're assholes.

[im_thatoneguy]

If game developers build against a specific library and your console has an older version (because manufacturers have to get a firmware build to install months before launch) then it's not easy to release a game that uses both the newer, more stable, higher performance library and the older one sent months ago to get something into the manufacturer's hands.

I imagine that newer consoles all have sufficiently new firmware/libraries to allow games to run out-of-the-box but I don't think expecting launch-day hardware to for instance to be up to date is realistic. Especially since the only way to keep up with demand is to start manufacturing so much earlier than shipping.

Re:They're assholes.

[marka63]

As a Industry there is lots one can do to prevent / reduce a DoS.

You can quarantine infected machines.
You can install BCP 38 filters so traceback is more effective.
You can ensure that fixed software images are always available.
You can not orphan software just because it is old.
You can auto update software.

You can take pro-active steps like surveying the your customers and informing them when they have a known vulnerable system.

Re:They're assholes.

[Yaztromo]

This is true, but the issue is that is dumb! You really should be able to unbox a toy on Christmas morning have it work without going out the Internet and connecting to some account.

Maybe not all the functionality can be there, but functions that don't naturally require network access should not require network access.

As it happens, my wife bought me a PS4 for Xmas -- a massive upgrade over my 15 year old original PS2. It came in the box with GTA5 (on disc), and a coupon for a free digital download of another game.

It's been a PITA that PSN has been offline. There are a lot of features and functions built into the system that rely on online functionality, including for some dumb reason accessing the built-in web browser. However, playing GTA5 hasn't been an issue -- I just popped the disc in, waited what felt like an eternity while it installed itself (it didn't give me a choice, and warned me it could take up to an hour), and I was off and playing. All without having been signed into PSN.

In essence, the system worked exactly as you described that it should. A single-player game on disc loaded and ran just fine while PSN has been offline. Not all the functionality was there, but the major function that doesn't require network access (playing GTA5 in this case) has worked flawlessly.

Yaz

Re:They're assholes.

[ArmoredDragon]

This is actually how some games used to work. For example, the original Starcraft worked that way.

This lead to a bunch of problems though; namely each user was exposing their public IP address to each other, and back in the days of winnuke this was problematic from a DoS perspective. Not only that but the games would tend to suffer much worse latency problems as a result of it.

Today I imagine such a setup would be even worse. There are apparently businesses out there that sell services to other gamers where they'll ddos somebody for you for x amount of time for x amount of dollars. They go by the name of "booter" services. You just plug in an IP address and pay the fee and that person gets knocked off of the internet for your desired duration.

Presently the most popular way of doing this is to find the persons's IP address by knowing their skype name. The machines that do the DDoSing are of course everyday users with machines that have a trojan, rootkit, or whatever installed, and their owners are unaware.

In my opinion, egress filtering is definitely the way to do it, but don't just restrict it to block IP spoofing. Various groups already have a rather large honeypot infrastructure in place to identify ddos sources; I think what ought to be done is have some bayesian logic applied to this traffic to figure out what is legit and what isn't, and apply egress filtering to what are probably compromised systems at their ISP border routers.

This wouldn't be easy to implement though; we'd need some kind of international treaty body similar to maritime treaty to enforce those kinds of rules. The rules would need to be very specific so as to be only for the purpose of preventing DDoS attacks, and nothing else (even other kinds of hacking or illegal activity should not be filtered.)

Re:They're assholes.

[qwak23]

Can't answer that question as we unboxed and hooked up before the network went down and I can't remember if we were able to get into the main system before setting up the network.

Re:They're assholes.

[BarbaraHudson]

It's not like ICANN or IETF is going to do anything ...

Re:They're assholes.

[MikeBabcock]

I just want to import my old world scenario into Dragon's Age ... :-(

Re:They're assholes.

[Pubstar]

He was making an open ended statement about other platforms that might or might not exist. I gave the example that the GP was posting about since it seems like he missed the point. This had nothing to do about what platform people prefer.

Re:They're assholes.

[datavirtue]

There wouldn't be a problem if these assholes weren't bringing down the network. In my eyes they created the problem. I could nearly destroy my employer's network/business....that doesn't mean I would or should do it to prove a point. WTF?

Re:They're assholes.

[datavirtue]

The load balancer/WAF/proxy should be able to sense packet flooding and cut off the offender in less than a second.

Re:They're assholes.

[Dan541]

Perhaps because they are not those assholes, as you imply?

They could have done much more harm with access to credit card information, like transfering money to many dubious locations.

So they just gave you time to think about your game consumption, and the opportunity to think about the "silent" in silent night.

The burglar only stole half my stuff. Must be an ok guy.

Re:They're assholes.

[OrangeTide]

Most kids don't want the sort of games sold at GOG. It's about 90% really old stuff. I only play it out of nostalgia.

Re:They're assholes.

[ToasterMonkey]

The point he was making is that they could just be playing on PC. You have a very freedom-minded, open source (if you want it), gaming platform that has a huge library of games to go along with it. Oh, main game servers taken down? Get on something like GameRanger to play online without the official servers. The point, I think you missed it.

Next time your Internet is out remember there is someone out there saying you could be playing golf instead.

Re:They're assholes.

[rossz]

I think at least some blame does need to be lay at the feat of Sony and Microsoft here, but not because of 'network security' but rather creating the risk in the first place where there does not need to be one.

How about I kick in your front door and steal all your stuff? After all, you didn't put in place absolutely perfect security, so it's really your own fault for allowing me into your home.

Or a better analogy. I park a big rig in your driveway so you can't get into your home. That's what a DDOS is, basically. And if the "enemy" has enough resources, a DDOS is nearly impossible to prevent.

Re:They're assholes.

[strikethree]

I am not trying to support or advance the OPs argument here, but what I did was just not buy any of those systems. Any fool, or non-fool, can easily see that the "service" is easy to disrupt. The worst part about that is the weakness was put in, on purpose, to try and ensure greater profits for the company selling that stuff.

Are there better alternatives? No. The wise thing to do at this point is to just not buy any consoles at all (does the current Nintendo console suffer from this same weakness?)

Re:They're assholes.

[ArmoredDragon]

They can't. For example, the current protections that exist for preventing IP spoofing for example aren't universal. The IETF did create an RFC for blocking them at the ISP level, but not all ISPs have chosen to implement. In fact, a lot of standards the IETF has created either aren't used or are broken all the time.

You'd need some kind of legal entity to enforce it, and said legal entity could blackhole any ISP that doesn't comply by removing it from the global BGP table.

Re:They're assholes.

[ArmoredDragon]

Oh, and also ICANN doesn't have any say in this matter. They just set the rules and enforcement for ownership of domain names and IP blocks. That would be like asking the US Patent and Trademark office to set rules against wifi signal jamming.

Re:They're assholes.

Nintendo handled that by including the required firmware on the game disc. If the new Wii game required a newer firmware it would install without internet access. I don't own the next-gen consoles, but would be shocked if they didn't do this ( which apparently seems they don't ).

Re:They're assholes.

[DarkOx]

That is very good to know! Sounds like Sony did a better job than I was giving them credit for.

Re:They're assholes.

[BarbaraHudson]

You're absolutely right, and I think we're going to see more pressure to do this; if the IETF won't the individual countries will. And that will create a real hodge-podge of rules.

Re:They're assholes.

[Iconoclysm]

Not one of these systems requires you to phone home to play a game on disk.

Re:They're assholes.

[Iconoclysm]

That's why UPnP, Port Triggering, and NAT-PNP exist.

Re:They're assholes.

[Iconoclysm]

Yet it's not true, no console is relying on DRM right now. What was happening with some consoles was a half on/half off state of the service causing confusion to the game client. If they disconnected the console from their network, the games would have worked. Also, when the time comes that these services shut down, a final patch to allow all use offline is common.

Re:They're assholes.

[Iconoclysm]

You're under the mistaken assumption that you can't unbox and play without going to the Internet. In fact, this thread is full of people who are mistaken...and arguing about a problem that doesn't even exist.

Re: They're assholes.

This is ridiculously easy to fix. Minecraft lets you set up minecraft servers, and thousands of people do it. The only reason a central server connection is *required* is control. This conversation wouldn't be happening if it weren't for the ddos, btw...

Re:They're assholes.

[BarbaraHudson]

I'm surprised you haven't been up-modded yet. This tension between copyright and license is going to be a source of continual friction. I liked Borland's no-nonsense policy. Treat it like a book - if you give it to someone else, you have to erase it from your system, so that there's only the one copy that was bought still in use. The enforcement was very simple - if you wanted the upgrade, send in the title page from your current manual.

Re:They're assholes.

[jtwiegand]

The point I'm making is that people who pirate games were probably never going to buy at any price in the first place, so instances of pirated games do not represent much lost revenue. Yes, of course 1 cracked game gets downloaded 100k times probably at a minimum, but what is not happening is 100k people who were going to buy the game stole it instead of buying.

Re:They're assholes.

[jeremyp]

And yet my nephew knew how to configure the NAT/router in his parents' house so that he could run a Minecraft server for his friends when he was ten.

Re:They're assholes.

[tlhIngan]

Another mitigation strategy would be to allow players to directly connect to each other rather than go through a central server. We were able to do this a couple of decades ago, but now we can't? Or rather, it's because the companies want to continue to control what you do after the sale, to sell you the parts of the game they "forgot" to put on the disk.

Well, two reasons.

1) NAT and/or firewalling makes direct connections hard, if not impossible. No, IPv6 is not a solution because you can't guarantee there's no firewall in place. In fact, it makes things worse - it's trivially easy to detect NAT (look up IP versus external IP), but difficult to detect a firewall. In fact, you can appear to be completely connectable until you actually try to connect and then fail hard (this happens a lot back in the days of StarCraft and Battle.net). And this will cause lots of issues when IPv6 gets finally deployed because it's better to have hidden breakage than obvious breakage. (And there are some benefits of NAT too even for IPv6 that aren't firewall related - like inside/outside IP numbering independence - I'm sure many neckbeards would cringe if they had to renumber a modern LAN... and clueless users).

2) Matchmaking services. There are typically three types of gamers - one (like me) prefers to not play online. Another who prefers to play online with friends, and the third is someone who wants to play against (or with) others, any time of the day.

Sure you could try to do what PC games do and offer a huge list of servers, but then it becomes a bit hit and miss - perhaps you accidentally log into one where everyone is super skilled and get pwned in 2 seconds, or you log into one where it's all newbies, etc. And perhaps you want a full 16x16 team free-for-all and you only see servers half-populated.

Matchmaking means everyone gets ranked and when you click Play, the servers look for newly available people of approximately the same skill so you can be in the game within 2 minutes, no trying to hunt for a suitable server, no trying to find or gather friends who may be offline, etc. Just click and you're in.

3) Online leaderboards require servers that are vetted and a central lobby so players can be ranked. Because bragging rights are human nature, and it's not something you can do in a less controlled environment.

Re:They're assholes.

[Stan92057]

Your making a lame excuse to steal. Why not stop building cars? then no one will steal them, Why grow crops? people will steal them too. YES it a revenue loss, the scum criminal has and is enjoying a free copy of a game everyone else had to pay for. Come back to reality dude stop making excuse for bad behavior.

Re:They're assholes.

[Pubstar]

With how fast my mobile phone connection is (75/40 average 30MS ping on speed test) and the amount of data I have for teathering (40gb/month), it would be an extremely rare instance where both my phone and home connections are out at the same time.

And if that were to happen, I'd probably be out paintballing with friends instead of playing golf. I'm not that old yet.

Rubbish

[JaredOfEuropa]

If you want to prove these companies' inability to protect their customers, you hack into their systems and publish some anonymized but verifiable data. This is just petty vandalism; DDOSing game companies does not endanger customers or their privacy, it just denies them a service they paid for. It's like parking your truck across the entrance to the parking lot, in order to "prove that the mall has poor security".

Re:Rubbish

[funkymonkjay]

Not quite. It wouldn't be a truck. It would be other people's trucks, stolen, owners unaware, repeatedly circling the parking lot, maybe takes a ticket but backs out and go around for more.

Re:Rubbish

[Tom]

Nonsense. On their gaming systems you are unlikely to find any data that the companies would consider valuable. And 10+ years of experience show that "oops, we leaked customer data" isn't really a game-changer.

But cries from customers can be. Denying them the joy of their freshly gifted gaming console can be very powerful. It's not the nice way, definitely not, but it makes headlines.

I doubt it's going to change anything, because customers are too used to computers not working. That is the real damage that 30 years of Microsoft dominance have done to the world.

Re:Rubbish

[Somebody+Is+Using+My]

More to the point, you can't just hack /any/ data. Stealing customer's personal information, credit card numbers, or similar doesn't phase the corporations either; sure it causes them a bit of bad PR, but ultimately the cost of the hack is paid by their customers, not by the corporation itself. In fact, seeing as how common the "we stole your entire customer database" sort of hacks are becoming, even the negative PR is becoming minimized; after all, as /everybody/ is seemingly getting hacked in that way, so why get upset with any one particular company?

No, if the hacker groups really want to make companies improve their security, then they need to grab proprietary information, like the GOP did to Sony. Emails and accounting information are particularly damning, since they often reveal poor practices and corporate malfeasance that might get the companies into legal hot-water. If you start showing corporation how easy those doors are to open, you can be sure they'll hire a proper locksmith PDQ.

So these Christmas DDOS's aren't going to provoke the affected companies into doing a damn thing (except maybe sic the legal system on the ones behind it). All it did was piss off a bunch of kids on Christmas morning. Way to go, grinches!

Re:Rubbish

also, they're probably just a bunch of teenage boys who need to get laid badly

Even better would be to get laid well.

Re: Rubbish

[Virus+Hunter]

Target paid out big time when their security was breached. Also DDOS attacks don't target security vulnerabilities. Lizard Squad is just pretending to be a white knight when they're really just malicious pranksters.

Re:Rubbish

[Jaime2]

I agree that this wasn't the reason I was expecting to hear. Why would a random hacker group care to help Sony and Microsoft improve their security? I was expecting them to say "We shut them down to show buyers how dependent their consoles are on the service." I could have at least sympathized with that message.

Re:Rubbish

[JavaBear]

Agreed, DDOS today pretty much belong in the realm of vandalism and script kiddies. Sadly, it is still a low skill-high damage attack.

Re:Rubbish

[Sir_Eptishous]

because customers are too used to computers not working

Go ahead and down mod me, but I don't think that is a bad thing... At one point in my career I worked at a PCI compliant company that handled CC transactions, and I was astounded at the "bailing wire and duct tape" way those CC transactions happened... Things would stop working quite regularly. It gave me a whole new insight into what happens when you swipe your card, standing there blissfully unaware of what it takes for things behind the scenes to work.

It really is quite a miracle that a lot of this shit works at all.

So, I don't think it is a bad thing for people to be used to some downtime.

Re:Rubbish

[Fnord666]

You have to give them a little leeway for not thinking big picture. they're only 12 years old and all they have to work with are the scripts that they have managed to find. They did the best they could with the limited resources they had.

Re: Rubbish

[Casualposter]

Pranks have to be funny. What is funny about DDOS?

Re: Rubbish

[Virus+Hunter]

It looks like you're getting hung up on some pretty trivial details. The crux of my argument is that ddos doesn't target security vulnerabilities, least ways they don't target vulnerabilities of a the victim. However if you click through the link on this post, you'll see that these ddos attacks are funny to them. They invented their justification later.

Re:Rubbish

[westlake]

I doubt it's going to change anything, because customers are too used to computers not working. That is the real damage that 30 years of Microsoft dominance have done to the world.

The truth of it is that significant outages are rare considering the size of the Microsoft ecosystem.

The geek posts his rant to Slashdot in the hope that his story will make the front page before service is restored.

Re:Rubbish

[drinkypoo]

Why would a random hacker group care to help Sony and Microsoft improve their security?

Maybe they're gamers.

Re:Rubbish

[Tom]

I know from my own experience how right you are, but that, exactly, is the problem. This "it didn't crash in 10 minutes, ship it" approach is utterly horrible. It's become industry standard instead of being taken out back to be shot, and that is a really serious problem.

People shouldn't be used to computers crashing - they should demand that they don't do so.

Such nobility

Given such lofty and noble intentions I'm sure they will be making their names known any day now so that the public can thank them for thei civil service...

Re:Such nobility

[DiEx-15]

Given such lofty and noble intentions I'm sure they will be making their names known any day now so that the public can thank them for thei civil service...

I'll be selling pitchforks and torches to help the public properly thank them. For an extra 5, I'll sell them rope and a nice, tall tree.

Consoles are worthless offline

[ahotiK]

This actually shows how worthless consoles are now days without an Internet connection wich has been accepted by the masses. Most of the PC games are now unplayable without a connection too (in some cases even for single player mode!!!) which I find completely unacceptable.

Re: Consoles are worthless offline

[Lunix+Nutcase]

Luckily there are other games to play.

Re:Consoles are worthless offline

[tompaulco]

Consoles aren't worthless offline. I didn't play any games yesterday, but if I had, I would have been unaware of the outage. Instead, I used my console to play some movies, and it worked just fine for that, even though part of that was technically online as well. It is only games that require an online connection that are worthless offline. Which is why I own zero of said genre.

Re:Consoles are worthless offline

[Sir_Eptishous]

Yes, when the game companies started doing this a few years ago I was appalled but not surprised. It is just more of the dicklessness that is the calling card of Korporate Amerika.

I pay for something but then can't enjoy it unless I have a connection to the internet? WTF?!?

Yes, I understand not all games are like this, but it gets worse every year.

Re: Consoles are worthless offline

[CronoCloud]

That's because Destiny is an MMO-shooter.

Re:Consoles are worthless offline

[danomac]

I played a game yesterday, but it wasn't on the new consoles. I played a game on my xbox 360 and it signed into live with no issues yesterday morning.

I was surprised to read the xbox live went down, as I was using it yesterday!

Re:Consoles are worthless offline

[thejynxed]

Theyapparently targeted the XboxOne portion of the Live sign-in (yes, the 360 and One have different sign-in servers). Many people with 360s that I know were able to use the services just fine the entire day.

Security is NOT the issue here.

These companies were not hacked, there was no data breach or loss of customer or employee information. These were simple DoS attacks. It doesn't take much knowledge or skill. As far as I can tell, their security functioned as intended.

Bullshit

[Lunix+Nutcase]

So they wouldn't mind if someone broke into their houses? Since, you know, it was just to force them to upgrade their security.

Denying people access to these services repeatedly is about being griefers not caring about the users' security.

Glad to hear it's not their just pathetic jerks

[blahbooboo]

So they ruin the day both for thousands of kids with new consoles and the tech support/security teams for the companies who now have to come in to work on Christmas. I have another theory why they do this on Christmas -- this group of hackers (at a psychological level) are just sad and lonely people who are angry with the world and want to ruin the joy/fun for others.

Re:Glad to hear it's not their just pathetic jerks

[Lunix+Nutcase]

They are jerks. This is just post hoc bullshit to try to paint themselves as white knights.

Re:Glad to hear it's not their just pathetic jerks

[raind]

I would think the kids being unable to play on there Xbox would be a good thing, then perhaps they could you know - go outside.

Re:Glad to hear it's not their just pathetic jerks

[Your.Master]

Of course that's not a good thing. By that reasoning the parents shouldn't have gotten them an xbox in the first place. It's not a public service to take away the toys that you, personally, disapprove of.

December 25 is not known for its good weather in much of the world where Xboxes are sold.

Re:Glad to hear it's not their just pathetic jerks

[RuffMasterD]

Ironically, this is exactly what the pasty white, overweight, socially maladapted, juveniles, sitting alone in their bedrooms orchestrating these attacks should do. Go outside, meet people, make some friends... But hey, if these guys feel the need to dictate what everyone else should do instead, then who am I to disagree.

Re:Glad to hear it's not their just pathetic jerks

[Coisiche]

Actually, given this taste of the teenage mindset about christmas, my own theory is that they just didn't get Xbox Ones or PS4s as presents.

Re:Glad to hear it's not their just pathetic jerks

[TheQuantumShift]

Sad and lonely, yes, but I wouldn't hang the "watch the world burn" label on them. Just kids wanting to desperately be recognized as "cool". Once school is back in session, I give it two weeks before they start dropping hints and end up reported and charged.

Accidental infringement

[tepples]

Would copyright infringement be a valid form of protest if the incumbent music publishers start suing indie songwriters on trumped-up charges of creating a derivative work by accident? (For example, Bright Tunes Music v. Harrisongs Music)

For that, you'd have to do a different attack

[Opportunist]

All a DoS does is prove one thing: That you can field more bandwidth than your target. Unless of course it's one where you exploit the weakness of a target system (e.g. by shutting down a service deliberately using an exploit). Else, a DoS proves little.

If a DoS exposes any kind of security issue, then a global one: That there are techniques that allow you to use little bandwidth on your end to cause the other end to drown in traffic. There are a few documented ways how you could pull this off, the most trivial one would be to spoof the IP address of your target system with some server that sends back a ton of info for a tiny request. E.g, DNS. Such an attack doesn't prove that the target system is vulnerable, it proves that the DNS protocol itself is beyond repair (and yes, it is, and there are secure replacements but ... you know, it's the internet... it works, changing stuff costs money, so...).

So what does the attack prove? Well, I wish I could say it proves without a doubt that MS and Sony have a security that matches the opaqueness of an erotic dancer's dress and should up their security (well, they do, and they should, but this attack doesn't prove that). It proves that we use technology that makes such an attack not only possible but actually trivial. And that EVERY company on the net is susceptible to something like that because unlimited bandwidth does not exist.

Re:For that, you'd have to do a different attack

[Tom]

spoof the IP address of your target (...) it proves that the DNS protocol itself is beyond repair

No, it proves that the network you are connected to is braindead because it still allows IP spoofing.

And that EVERY company on the net is susceptible to something like that because unlimited bandwidth does not exist.

It used to be really easy to knock someone off the Internet. It's not so easy anymore. For some of the really big targets, being able to muster the bandwidth alone would be an impressive demonstration of power. Keeping them offline for more than a few seconds while their Anti-DDoS countermeasures deploy would be something that few players smaller than a nation state level can pull off.

MS and Sony have a security that matches the opaqueness of an erotic dancer's dress

Not really. I hate them as much as most people with three working brain cells, but they've both done quite a lot about security. It's just not enough and - like every company - they make decisions to not invest in some security measures because the ROI simply isn't there.

Re: For that, you'd have to do a different attack

[beanpoppa]

I don't think you understand how amplification attacks work. Anti-spoofing measures don't do anything. The spoofed messages don't come into your network. The very large responses do. And by the time they reach your filters, the damage is done; they've already filled your pipes. As the patent said, it's not exposing a weakness on your system. It's exposing a weakness on third party DNS servers, and the hundreds/thousands/millions of peoples' PCs that have been controlled via botnet.

Re: For that, you'd have to do a different attack

[BarbaraHudson]

So what we need is a system that doesn't allow for egress of bad or malicious packets. Set the evil bit in the packet header as per RFC 3514, then filter on that :-)

Re: For that, you'd have to do a different attack

[Tom]

I don't think you understand how amplification attacks work.

I wrote advisories on that more than 10 years ago, so please go ahead and lecture me.

Your home network should not allow a request with an IP that doesn't belong to it out. If I'm the router that connects 1.2.3.0/24 to the Internet, I shouldn't put a packet that claims it originates from 5.6.7.8 on the wire.

The only places where a package that isn't part of my network should be routed through is when my network is a transit network.

Re:yeah, because it's really important,

[Opportunist]

Let's give them the benefit of doubt and say they chose networks that are of no strategic significance. What do you think would have gone down if they targeted, say, VISA or MC during the holidays?

At least that's what I'd do. I sure as hell don't want every three letter agency on my ass just for proving a point. And it's doubtful that they will send the marines after you for kicking off some gaming platforms. Might be different if you shut down a key payment system during the most busy time of the year.

Re:... stupid reason as well !

It's like someone letting down the tires of your car to prove how easy it is to break into.

Re:Lame hypocrits

[JaredOfEuropa]

this raises the issue again of the always-on-line model for current gen gaming.

Now that would have been an excellent point to make, and a DDoS attack would be a good way to demonstrate the point.

Re:If a guy dons a mask and goes on a punching spr

[Opportunist]

And that's the reason I don't engage in such activities. It usually backfires. People's reaction is not to blame the companies for shot security, they start crying for stricter laws (as if that accomplished dick). People are stupid, and I will not fix that. I had to accept that a long time ago.

Plus, companies being insecure is good for my business, so I really have no reason at all anymore to get worked up over it.

Oh christ, this again?

[goodmanj]

"We're trying to get shopkeepers to install stronger windows", said the kid throwing bricks.

dickheads

[Intrepid+imaginaut]

Agreed.

Modern day bullies

[Atrox+Canis]

These kids get picked on in school and they are ill equipped to figure out how to handle it. So, they dump their teenage angst by being bullies themselves. As others have already stated, this was no "hack". It was a DDoS and it will likely never compel the affected companies to modify their "security". And their actions gain no sympathy amongst the end users. Few people are likely to take their new consoles back to the store and trade them in for (insert non-electronic somethingsomething here). And the attacked companies are not going to violate the 80/20 rule to increase capacity.

I don't own a console and currently am not playing any games that would have been affected if there are PC versions in the target list. But, this kind of attack irritates me anyway and I think I would enjoy seeing a few of these worthless turds being skull fucked by a horde of hedgehogs, or forcing them to watch something on the Lifetime channel.

Re:It would be nice...

[tompaulco]

Yeah, that would be like yanking a movie out of a movie theater just based on some threats from terrorists. Nobody would do that.

Re:If a guy dons a mask and goes on a punching spr

[JackieBrown]

In this case, it's not even about people being stupid.

This group overloaded servers - there was no security breach.

If I was a consumer, would I blame
  A) The group of people that on purpose overloaded the servers
  B) The company for not having invested in more servers that are only used because assholes are deliberately trying to overload their servers and ruin my day (and who would cover the cost of the additional - usually unneeded - servers)

Funniest part for me: The error message in the PS3

[jbssm]

The greatest part of this is the error message I got when trying to do the update for PS Home in my PS3.

The possible errors where: My ISP, my internet connection, my router.

Funny how they never admit the problem could come from their side, it reminds me exactly the process I have to go trough about every time I need to go to my lab's IT office to get something fixed... now, it obviously can't be their system's fault. The system put in place by the IT department is obviously perfect, it's us - the lousy users - that are obviously doing something wrong.

Ddos doesn't demonstrate security issues

[Virus+Hunter]

This was a ddos attack. There's essentially no way to protect yourself from a ddos attack. It doesn't demonstrate a security issue with Xbox live or PSN. It just demonstrates that any cluster of servers anywhere can eventually be overloaded.

Let's apply the same logic to these assholes

[DrXym]

We should teach them the importance of protecting their fingers by smashing their fingers with a lump hammer. The same logic they used as justification for their attack.

The real reason they attacked is quite simple. They're antisocial, immature pricks. If they ever get caught you just know these losers will play the asperger's card in their defence.

Ways to protect vs DDoS

Per my subject vs. many kinds of DoS/DDoS - Defensive measures that work:

Microsoft Windows NT-based OS settings vs. DDoS/DoS:

Protect Against SYN Attacks

FROM -> http://msdn.microsoft.com/en-u...

A SYN attack exploits a vulnerability in the TCP/IP connection establishment mechanism. To mount a SYN flood attack, an attacker uses a program to send a flood of TCP SYN requests to fill the pending connection queue on the server. This prevents other users from establishing network connections.

To protect the network against SYN attacks, follow these generalized steps, explained later in this document:

Enable SYN attack protection
Set SYN protection thresholds
Set additional protections

Enable SYN Attack Protection

---

The named value to enable SYN attack protection is located beneath the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters.

Value name: SynAttackProtect

Recommended value: 2

Valid values: 0, 1, 2

Description: Causes TCP to adjust retransmission of SYN-ACKS. When you configure this value the connection responses timeout more quickly in the event of a SYN attack. A SYN attack is triggered when the values of TcpMaxHalfOpen or TcpMaxHalfOpenRetried are exceeded.

---

Set SYN Protection Thresholds

The following values determine the thresholds for which SYN protection is triggered. All of the keys and values in this section are under the registry key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters

These keys and values are:

Value name: TcpMaxPortsExhausted

Recommended value: 5

Valid values: 0?65535

Description: Specifies the threshold of TCP connection requests that must be exceeded before SYN flood protection is triggered.

Value name: TcpMaxHalfOpen

Recommended value data: 500

Valid values: 100?65535

Description: When SynAttackProtect is enabled, this value specifies the threshold of TCP connections in the SYN_RCVD state. When SynAttackProtect is exceeded, SYN flood protection is triggered.

Value name: TcpMaxHalfOpenRetried

Recommended value data: 400

Valid values: 80?65535

Description: When SynAttackProtect is enabled, this value specifies the threshold of TCP connections in the SYN_RCVD state for which at least one retransmission has been sent. When SynAttackProtect is exceeded, SYN flood protection is triggered.

---

Set Additional Protections

All the keys and values in this section are located under the registry key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters. These keys and values are:

Value name: TcpMaxConnectResponseRetransmissions

Recommended value data: 2

Valid values: 0?255

Description: Controls how many times a SYN-ACK is retransmitted before canceling the attempt when responding to a SYN request.

Value name: TcpMaxDataRetransmissions

Recommended value data: 2

Valid values: 0?65535

Description: Specifies the number of times that TCP retransmits an individual data segment (not connection request segments) before aborting the connection.

Value name: EnablePMTUDiscovery

Recommended value data: 0

Valid values: 0, 1

Description: Setting this value to 1 (the default) forces TCP to discover the maximum transmission unit or largest packet size over the path to a remote host. An attacker can force packet fragmentation, which overworks the stack.

Specifying 0 forces the MTU of 576 bytes for connections from hosts not on the local subnet.

Value name: KeepAliveTime

Recommended value data: 300000

Valid values: 80?4294967295

Description: Specifies how often TCP attempts to verify that an idle connectio

Re:Ways to protect vs DDoS

[greg1104]

Let me see if I've got this right: did you really just suggest the DDOS attacks against Microsoft's Xbox Live would be mitigated if only they follow the recommendations of Microsoft? (Slow clap) Now that's some top grade shilling.

Re:Ways to protect vs DDoS

[DavidRawling]

None of these protect against a volume-oriented DDoS. Many are DoS only (single / few sources) and do not apply when every IP on the Internet appears to be sending thousands of requests, or more likely, responses. Further, you've completely ignored spoofing of addresses combined with amplification attacks (send out a 64 byte DNS request pretending to be the DDoS target, get 4kB sent to the target). Finally, regardless of the 50-100Gbps pipes MS, Sony and Amazon no doubt have, they're useless when there's 1Tbps of amplified crap directed down the pipes. With the example above, you'd only need about 4Gbps of bandwidth total (40 cheap VPS on "100Mbps" connections) to generate 256Gbps of DDoS.

When 256Gbps of rubbish arrives at your servers or firewalls ... registry settings and kernel tweaks do jack (note that CloudFlare was hit 11 months ago with more than 400Gbps of DDoS, so this is not implausible!)

And since it seems it was apk I'm replying to ... I'm actually half surprised you didn't try to claim that a HOSTS file would magically help.

morons...

[SuperDre]

How did they show with ddos that the security is lacking? they didn't hack the servers... They are just a couple of morons who only want attention, nothing more nothing less..
And propably it wasn't even that hard, because everybody could have predicted that the servers would already be at full load on christmas day, so simple ddos would topple it..
But the only thing they did, was getting people to hate them even more..
But how did they get an interview if noone knows who they are? Get the bastards and cripple them (physically)..

Works for AMAZON & yes, MS... apk

They simply need to cover their gaming networks the same as they do their own INTERNAL ones all noted here via varying methods vs. VARYING types of DDoS/DoS http://games.slashdot.org/comm... ... simple - especially using the measures I noted.

APK

P.S.=> Another "simple fix" would be to check the user-agent querying their gaming networks - Now, *IF* the malware tool doing the requests uses one that ISN'T the "std. one"? There's an answer also, that allows them to detect for + turn aside THIS type of DDoS attack (that, or issuing a patch to gaming consoles that changes it to one that attackers NOT using) - yes, this *IS* a "temporary work-around" only (since the attackers, odds are, *WILL* change the user-agent to match the new one, yet again, doing the same) - still:

The fixes I noted above CAN & DO work vs. DDoS of *MANY* kinds, listed here http://games.slashdot.org/comm...

(Thus - DDoS/DoS IS 1st DETECTABLE, & then thus, stoppable: Despite the common online myth/misinformation about it being "unstoppable", when it's clearly not)... apk

I doubt this is true, BUT....

[WindBourne]

if so, then thank you. These kinds of actions are needed to force companies to change.
At the same time, we should be suing retailers, along with the CIO and CEOs, that have lost CCs.

Re:I doubt this is true, BUT....

[WindBourne]

When you want to prevent treason, the first rule is to have ppl that have a stack in the success of the nation. In addition, you pay them enough. In addition, when you have a KNOWN path that is easy to break, you switch away from it.
What you will see is that ALL of these companies that got cracked had windows, had outsourced to India, and not a one of these companies were allowed to do retail business in India.

panties

[awdone82.jb]

I just wish these guys would try and learn how to hack into some panties, then maybe this crap wouldent effect the gaming community.

But DDOS's don't leak customer data

[jader3rd]

There's a difference between security and being able to handle a DDOS. Unless you expect every computer connected to the internet to be using your service all at the same time, there's no need to budget for that. All Lizard Squad did was make Microsoft and Sony spend resources on combating DDOS's, and not resources on looking for security holes that leak customers data.

The consumers are at fault

[future+assassin]

for supporting systems that need to be activated in order to use what you paid for. I wanted to get a Roku media player, well after reading some insane thing about having to phone in to activate your hardware if you didn't want to give out your credit card to activate, it I said fuck it. Its insane that I have to activate hardware before I use it. I have no desire for the company to know my name or other personal. Its none of their business unless I want to deal with warranty issues.

Re:Funniest part for me: The error message in the

[Higaran]

I tried to get on XBOX Live yesterday, and was having trouble connecting. I figured it was because it was the afternoon and their servers got overloaded with all the people who opened their new systems and tried to get online, and it overloaded the servers. That wouldn't be the first time the xbox servers got overloaded on Christmas. I did a test and it gave me a message right away that it was not my network or isp, it said it was an issue on microsofts side. I tried again like 10 minutes later and it was fine.

Take down the botnets?

[phaserbanks]

These DDOS attacks wouldn't be possible without a horde of infected slave computers. If black hat hackers can control these botnets, what prevents the white hats from controlling them too and disabling them?

Re:Take down the botnets?

[RockDoctor]

If black hat hackers can control these botnets, what prevents the white hats from controlling them too and disabling them?

(1) The laws. White hats, more or less as part of the definition, abide by the appropriate laws ; Black hats don't even think about trying.

(2) Technical issues - many black hats implement some appreciable degree of security on their protocols, if only to protect against other black hats.

You have a beautiful hypothesis, laid low by an ugly fact. Or several.

morons

[slashmydots]

This had nothing to do with security. They DDOSed it. A monkey could do that. That's traffic control, not security. Maybe they should have found everyone using hacks and cheats in console games and make their Xboxes melt. Then that would be something. Other than that, it's like saying you broke into a bank when in fact you sprayed fire hoses at it so nobody could get in and then still didn't get in or access anything inside.

And they didn't prove shit

[Chewbacon]

DDOS attack doesn't prove shit about security. Fucking little script kiddies. This was a case of the bullied bullying someone else for a change. Grow some dicks and go stick it in something, losers.

They need network access

[rsilvergun]

because most of the games that came with the consoles were digital copies. This was done because digital copies are cheaper (no disc pressing, and yes, at these volumes it's an expense worth talking about) and there's not second hand market depressing the price of the physical copies in store. Having a pack in game basically tanks the value of the game at retail because of how the used market works.

Re:Why does it need internet?

[TapeCutter]

So distract everyone and yell "ASSHOLES!!" and pretend you haven't been shown how buttfucked you are, and how willingly you bent for it.

Self-righteous cunt, what's it to you if other people are willingly bending over, did you ever consider they were enjoying it and just wanted to be left alone?

Ahh ok

[Sycraft-fu]

Well since you are clearly a network security expert, please tell us how to secure a network against being taken out be a DDoS attack. Then post your IP, we'll see how you fair. Remember, you are the asshole and deserve Legal Penalties with Scary Caps if you can't stop it.

Here's a hint: There is no security against a DDoS attack. That's why assholes like Lizard Squad use them.

Re:Additionally: MORE to "eat your words" on

[mister2au]

Wow ... that ranting combined with atrocious formatting just screams mental illness ...

Which is a shame because there seems to be a valid point hidden in there.

Re:Quit projecting + take your own advice

Unlike you, people have lives. You need to check back into your special facility, get back on your medication and just stop being such a crackpot moron. If you didn't sound like a babbling hobo people might actually listen to your advice.

I would have been impressed

[ssufficool]

If their reasoning was to show how DRM has a central failing point that would cause legitimate purchased games to fail to install and play due to absence of the central DRM authority. I spent an hour trying to get my sons XBox One online until I realized the network was flooded ( I assumed due to Christmas). Later to find some dickish hacker eff-tards had done a lame DDoS attack.

Take them down to prove always online DRM sucks and peer to peer gaming should be allowed. Although I think MS and Sony removed the "Always On" DRM before release.

And the same issues as yesteryear

[phorm]

One of the biggest issues with net-play between friends was NAT and getting ports open to allow people in.Yes, this can be alleviated by uPNP enabled routers etc, but that same feature can also be a security risk. As IPv4 shrinks though, it's likely we'll also see residential v4 addresses shrink to carrier-level NAT. This may be alleviated by IPv6, but it's been "coming" for a loooong time now, and the security configuration for that is still going to be hell for a lot of home users.

 

Not the way to do it.

[Scott+says]

So a group of coders got together and imposed a restriction on a group of companies that will in essence require the companies to hire more coders to prevent the malicious attacks. Lucky the makers of bullet-proof vests don't have a similar mentality.