Slashdot Mirror
Why Lizard Squad Took Down PSN and Xbox Live On Christmas Day
DroidJason1 writes Early Christmas morning, hacker group Lizard Squad took credit for taking down PlayStation Network and Xbox Live for hours. This affected those who had received new Xbox One or PS4 consoles, preventing them from playing online. So why did they do it? According to an exclusive interview with Lizard Squad, it had to do with convincing companies to improve their security — the hard way. "Taking down Microsoft and Sony networks shows the companies' inability to protect their consumers and instead shows their true vulnerability. Lizard Squad claims that their actions are simple, take down gaming networks for a short while, and forcing companies to upgrade their security as a result."
If you want to prove these companies' inability to protect their customers, you hack into their systems and publish some anonymized but verifiable data. This is just petty vandalism; DDOSing game companies does not endanger customers or their privacy, it just denies them a service they paid for. It's like parking your truck across the entrance to the parking lot, in order to "prove that the mall has poor security".
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
Given such lofty and noble intentions I'm sure they will be making their names known any day now so that the public can thank them for thei civil service...
These companies were not hacked, there was no data breach or loss of customer or employee information. These were simple DoS attacks. It doesn't take much knowledge or skill. As far as I can tell, their security functioned as intended.
So they wouldn't mind if someone broke into their houses? Since, you know, it was just to force them to upgrade their security.
Denying people access to these services repeatedly is about being griefers not caring about the users' security.
So they ruin the day both for thousands of kids with new consoles and the tech support/security teams for the companies who now have to come in to work on Christmas. I have another theory why they do this on Christmas -- this group of hackers (at a psychological level) are just sad and lonely people who are angry with the world and want to ruin the joy/fun for others.
All a DoS does is prove one thing: That you can field more bandwidth than your target. Unless of course it's one where you exploit the weakness of a target system (e.g. by shutting down a service deliberately using an exploit). Else, a DoS proves little.
If a DoS exposes any kind of security issue, then a global one: That there are techniques that allow you to use little bandwidth on your end to cause the other end to drown in traffic. There are a few documented ways how you could pull this off, the most trivial one would be to spoof the IP address of your target system with some server that sends back a ton of info for a tiny request. E.g, DNS. Such an attack doesn't prove that the target system is vulnerable, it proves that the DNS protocol itself is beyond repair (and yes, it is, and there are secure replacements but ... you know, it's the internet... it works, changing stuff costs money, so...).
So what does the attack prove? Well, I wish I could say it proves without a doubt that MS and Sony have a security that matches the opaqueness of an erotic dancer's dress and should up their security (well, they do, and they should, but this attack doesn't prove that). It proves that we use technology that makes such an attack not only possible but actually trivial. And that EVERY company on the net is susceptible to something like that because unlimited bandwidth does not exist.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
"We're trying to get shopkeepers to install stronger windows", said the kid throwing bricks.
No they couldn't. This was a ddos attack that any dumass with enough gear can acclompish. They're a bunch of adolescents trying to become rock stars. There is not one ounce of benevolence here. Sorry to inform u.
So they just gave you time to think about your game consumption, and the opportunity to think about the "silent" in silent night.
They stopped because they were paid off. Thinking of them as noble or anything less than assholes gives them to much credit.
https://twitter.com/LizardMafi...
Lizard Squad @LizardMafia 10h 10 hours ago
Thanks @KimDotcom for the vouchers--you're the reason we stopped the attacks. @MegaPrivacy is an awesome service.
The greatest part of this is the error message I got when trying to do the update for PS Home in my PS3.
The possible errors where: My ISP, my internet connection, my router.
Funny how they never admit the problem could come from their side, it reminds me exactly the process I have to go trough about every time I need to go to my lab's IT office to get something fixed... now, it obviously can't be their system's fault. The system put in place by the IT department is obviously perfect, it's us - the lousy users - that are obviously doing something wrong.
I think at least some blame does need to be lay at the feat of Sony and Microsoft here, but not because of 'network security' but rather creating the risk in the first place where there does not need to be one.
This was basically a DDOS attack. By and large those are difficult to defend, and the usual defense is just having over whelming resources. Should everyone just go an 90% under subscribe systems just to make the DDOS proof? I don't know does not see practical.
Why do these systems need network access to play a game bought on a disk? That is the bigger question, sure I can understand only supporting multiplayer through a centralized service, my issue is with the activation and phone home crap. There is no "good" reason someone should not be able to use these things without network access for single player experiences.
Customers out realize that the system is brittle because Sony and Microsft created a hard dependency where there never needed to be one. It might not be their fault they are attacked, but they do know or should have know they are targets. Hopefully the lession they take away from this is that basic functionality should be there if you have the system and game disk fresh out of box. Maybe you can't update, download new content, do multiplayer but folks ought to be able to at least play with it even if the network is down.
That way the scope of these little disasters would be limited.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
This was a ddos attack. There's essentially no way to protect yourself from a ddos attack. It doesn't demonstrate a security issue with Xbox live or PSN. It just demonstrates that any cluster of servers anywhere can eventually be overloaded.
Or maybe they are more like Snowden and Assange and just egotistical assholes but on a smaller scale.
Need to take a bit of exception here, but mostly because of degree and motive:
* You can agree or disagree with what Snowden did, but you cannot deny that the man acted on principle - more importantly, he put his name and his ass on the line for what he did. Note that he also could have just as easily just anonymously *sold* the info viz. Silk Road/BTC and quietly retired as a zillionare in Ecuador.
* Assange? IMHO he's a narcissistic asswipe (I base this mostly on Cryptome's assessment of Wikileaks' early dealings with them), but again, he put his name and ass out there for better or worse.
* These "lizard" guys? Script kiddies who wanted a 'rep and managed to get paid, then tried to cover it up with some nobility bullshit. Perhaps a smaller-scale version of Assange in the aspect that they wanted a reputation, but unlike Assange, they weren't willing to stick their necks out.
Quo usque tandem abutere, Nimbus, patientia nostra?
A door and windows are real.
It's idiots like you, who think that businesses, networks, people's entertainment time, and the like "aren't real" that give comfort and encouragement to idiots like the guys who pulled this. They did it to be dicks, just like other dicks might throw a rock through your window and nail your TV right before you were going to watch the World Cup match you've been waiting weeks to watch with your friends. Or, in a closer analogy, waiting until moments before the game starts, and then cutting the cable that services your house or apartment building.
Let me guess: that soccer game's not real! They're not at the stadium in person, so denying them the chance to watch it as they planned isn't actually harmful! Destruction of the time someone plans to use in a certain way is a theft more real, in many ways, than stealing physical objects. You'll never be able to replace the time. Which is one of the reasons these guys are dicks. Deliberate, purposeful, not noble in any way, dicks.
Don't disappoint your bird dog. Go to the range.
The only victims here are the users who bought into a DRM'ed, locked down platform.
You're right, all those people should have chosen to buy fun, well-developed, richly supported gaming platforms from one of the many providers who offer open source, freedom-minded, anti-IP, systems that have a large selection of really cool massive multiplayer games with giant networks supporting all of that activity. There are so many to choose from that I'm sure it's why you just didn't have time to list them.
Don't disappoint your bird dog. Go to the range.
None of these protect against a volume-oriented DDoS. Many are DoS only (single / few sources) and do not apply when every IP on the Internet appears to be sending thousands of requests, or more likely, responses. Further, you've completely ignored spoofing of addresses combined with amplification attacks (send out a 64 byte DNS request pretending to be the DDoS target, get 4kB sent to the target). Finally, regardless of the 50-100Gbps pipes MS, Sony and Amazon no doubt have, they're useless when there's 1Tbps of amplified crap directed down the pipes. With the example above, you'd only need about 4Gbps of bandwidth total (40 cheap VPS on "100Mbps" connections) to generate 256Gbps of DDoS.
When 256Gbps of rubbish arrives at your servers or firewalls ... registry settings and kernel tweaks do jack (note that CloudFlare was hit 11 months ago with more than 400Gbps of DDoS, so this is not implausible!)
And since it seems it was apk I'm replying to ... I'm actually half surprised you didn't try to claim that a HOSTS file would magically help.
This is true, but the issue is that is dumb! You really should be able to unbox a toy on Christmas morning have it work without going out the Internet and connecting to some account.
Maybe not all the functionality can be there, but functions that don't naturally require network access should not require network access.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
Ok, here are a few points:
(1) Distributed Denial of Service (DDOS) is not a security issue for the victim. It is a security issue for the thousands of computers illegally used in the attack - think thousands of illegally accessed computers, theft of the electricity and network access required to run a bot net sufficient to impact a large network like Microsoft or Sony's.
(2) Nothing the Victims security team could do would prevent a DDOS from occurring. That Microsoft or Sony's security was bad, is irrelevant to any DDOS. DDOS is like having a group of people drive bumper to bumper around your block. You can't get out, and that fancy home security system isn't going to stop the cars in the street.
(3) They were apparently in it for something other than principle as it has been pointed out that they tweeted that they received compensation to stop the DDOS. So extortion? That's not a protest at all. That's like someone getting out of one of those cars and asking you for money to make the artificially created traffic jam go away. Which is very similar to an arsonist selling protection from him burning your house down.
(4) Anyone who wanted to access the affected networks was denied access because of the DDOS. They paid for access to that network and their time on the network was essentially stolen from them. The customers who are adversely affected here are not mentioned - they are just as much victims as the corporate network. Consider for a moment that many of these people may not have much time to access the DDOS's networks due to other constraints upon their time (work, school, etc.) and were looking forward to enjoying some play time. Those plans were cancelled without recourse by the Lousy Lizard Squad and their army of stolen computers. I say stolen computers because I am pretty sure that any DDOS was not done using thousands of willing participants who signed upon on someone's website to allow the Lousy Lizard Squad to DDOS Microsoft. They are accessing other peoples property and spending other peoples resources in electricity and network access to run the DDOS attacks and that is theft of services plain and simple.
So there are four decent reasons to call these people thieves and that makes them assholes.
Creative Spelling Copyright (2002). May use without Persimmons
Another mitigation strategy would be to allow players to directly connect to each other rather than go through a central server. We were able to do this a couple of decades ago, but now we can't? Or rather, it's because the companies want to continue to control what you do after the sale, to sell you the parts of the game they "forgot" to put on the disk.
And when the servers no longer support that game that you and your friends really love because it's become a classic, you're hosed.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.