日期:2011-08-15 11:12



Black hats, grey hairs

A shake-up in the hacker underground and fresh attacks suggest change is coming to computer security

Aug 6th 2011 | from the print edition

AN 18-YEAR-OLD with 16 computers in a small house in the Shetland Islands: that is where a police hunt ended for the global nerve centre of LulzSec, a group of hackers whose exploits include defacing or disabling the websites of Rupert Murdoch’s media empire, the CIA, a bunch of gay-bashing American Baptists, and Britain’s Serious Organised Crime Agency. Active from May to late June, when it claims to have disbanded, LulzSec’s hallmark was prankish attacks accompanied by public mockery. As well as officialdom, its targets included computer-security and online-gaming companies regarded as pompous, complacent or hypocritical.

在英国设德兰群岛上的一间小屋里,有一个十八岁的孩子守着十六台计算机,这就是警察搜寻到的LulzSec 的全球控制总部。这个名叫Lulzsec 黑客组织的战绩包括,攻击破坏罗伯特默多克媒体帝国的网站,美国中央情报局网站,美国浸信会中攻击同性恋的网站,还有英国重大组织犯罪署的网站。一直从五月活跃到七月末,它忽然宣布解散。LulzSec特点就是在公众的嘲笑下恶作剧般的攻击。它的目标包括那些自大骄傲虚伪的计算机安全公司和在线游戏公司,还有官僚做派的组织。

In geekspeak “lulz” means to laugh at a victim; “sec” is for “security”. But lately the misfortune has mostly been the hackers’ own. Of LulzSec’s six presumed core members, police have arrested at least two, including, in late July, the (now bailed) Scottish teenager Jake Davis. The most expert, who goes by the alias Sabu, is still at large. About 15 members of Anonymous, a shadowy collective of skilled, politically motivated hackers, are also in police custody worldwide, according to Gregg Housh, a Boston man who ran computer servers for it but denies involvement in illegal hacks.


Authorities in America, Australia, Britain, France, the Netherlands, Norway and elsewhere are arresting high-profile hacktivists and threatening them with real-life jail (without, horrors, internet access). Old-fashioned policing, such as less severe sentences for those who snitch, is proving effective: “These are criminal networks and there are known techniques for dealing with criminal networks,” says Nils Gilman of Monitor 360, a consultancy.


Amid this pressure the hacker underground, riven by squabbles and splits over personality and policy, has turned on itself. Cyber civil wars have broken out, with rivals attacking each others’ computers and attempting to discover and reveal their real-world identities. LulzSec itself emerged from such a row a little more than three months ago when it broke off from Anonymous. The quarrel, about which targets deserved attack, was particularly bitter, says Mr Housh.

这些地下黑客组织不光面临着外界压力,在个性和政策上的争执分歧也让自己焦头烂额,引火烧身。网络内战已经爆发,竞争对手间互相攻击对方的计算机网络,试图去揭发泄露对方现实身份。LulzSec 同三个月前他和“匿名”断交前相比,现在更多的参与到其中。豪斯先生说,关于攻击目标的争论,尤为激烈。

Upon forming, LulzSec distanced itself from its parent. The older group had been launching computer attacks against MasterCard, Visa, PayPal and others that had blocked donations to WikiLeaks. The LulzSec team of self-described “evil bastards” wrote in a press release that it preferred to abuse more ordinary folks and organisations for “a jolt of satisfaction”. Devilry seemingly trumped high-minded politics: the aim, says Mr Housh, was entertainment, “screwing with a person until he can’t take it anymore”. But some more puritanical hackers have turned vigilante, trying to disrupt LulzSec. Its antics, they say, encourage official crackdowns on internet freedoms.

刚刚组建,LulzSec 就同其母体组织保持距离。旧的团体曾经对万事达,威士卡,贝宝和其它的一些停止对维基泄密提供资金的公司发动攻击。而LulzSec团队自我描述成“魔鬼私生子”曾在发布稿中写过,它更愿意去攻击更普通的平民或者组织,只是为了纯粹的满足感。邪恶好像是高尚的政治正义感更胜一筹。豪斯先生说:纯粹为了娱乐,和一个人死磕到底直到他动弹不得。但是一些清教徒式的黑客成为了治安专员,想要搞垮LulzSec。他们认为,它的各种离经叛道的行径就是在鼓励当局限制网络自由。

Not in it for the money

Groups such as Anonymous and LulzSec are not motivated by money, but they can still wreak financial havoc. Following the theft of roughly 100m online gamers’ account details in April, Sony shut down its PlayStation Network for nearly a month at a cost of about $171m. A loss in consumer trust has added to that toll. Anonymous and LulzSec often post stolen data online to brag and attract potential recruits. But others can and do attempt to cash in on the loot. David Pérez of Taddong, a Madrid-based consultancy, says stolen bank-account or credit-card details often end up in online black markets. Illicit software automates many of these bourses, says Gordon Snow, assistant director of the cybercrime division in America’s FBI. Sellers and buyers need not communicate directly, so closing deals is less risky.

像“匿名”和LulzSec这样的团体不为钱驱使,但是他们仍旧能摆脱经济上困窘。四月大概有一亿在线玩家的账户被盗,之后索尼就将它自己的PSN关了近一个月的时间,花了大概1.71亿美元。由于失去了客户信任,增加了损失。“匿名”和LulzSec 经常在网上展示偷来的数据,用来显摆或者吸引新人眼球。但是其他人可以也尝试利用这些战利品来趁机捞一把。来自马德里一家名叫塔东咨询公司的大卫•佩雷斯说,那些偷来的银行账号或者信用卡详细资料最终都会落到线上黑市交易。美国联邦调查局的网络犯罪部门助理司长戈登•斯诺说,非法软件让许多线上交易所自动交易。卖家和买家不需要直接沟通,做成交易没多大风险。

Lately LulzSec has changed tack, branding itself a champion of the oppressed, perhaps to shake off accusations of political indifference and sadism. A grandiloquent statement issued after Mr Davis’s arrest said: “We are sick of the twisted corporatocracy that controls us…united, we can stomp down our common oppressors and imbue ourselves with the power and freedom we deserve.”


Even as the hacking underworld has splintered, new threats are emerging. The agenda for Black Hat USA, a security shindig this week in Las Vegas, ranges from the perennial flaws of Microsoft’s software to newly discovered weaknesses in Apple laptops’ batteries, in mobile devices running Google’s Android operating system and in wireless water-meters.


The growth of “cloud” computing makes life harder for hackers overall (because firms that run cloud systems will on average have better security) but when a breach occurs, it offers bigger gains. LulzSec recently claimed (on flimsy evidence) that it had made Apple “our bitch for life” by pillaging passwords and source code from the iCloud servers built to dispatch photos, music and other data to customers’ iPhones, iPads and computers. As mischief has become easier, the hacker crowd has burgeoned and mutated. Ilias Chantzos of Symantec, a computer-security company, says it has far outgrown its nerdy roots in a subculture of brainy social outcasts fuelled by pizza deliveries and fizzy drinks.


The lower technological barriers to entry—no matter the motive—have led to what the FBI’s Mr Snow refers to as hacking’s “industrialisation”. Supporters of Anonymous and LulzSec have stoked the fire, he says, thanks to the spread of new easy-to-use software called “hacking toolkits”. These automate attacks and can be configured to deface or crash a website, or even snatch goodies ranging from credit-card details to industrial designs. Some toolkits also offer “drive-by download”. This turns a website into a trap that hijacks visitors’ computers (or phones), even if they have not clicked on anything.

技术门槛低并且不看动机导致了现在如联邦调查局的斯诺先生所说的黑客工业化的情况。他说,由于一个一个简单实用的名为黑客工具包的软件的传播,“匿名”和LulzSec 的支持者们也能跟着煽风点火。这些自动程序可以攻击或者能被设置能破坏或者使网站瘫痪,甚至顺带着攫取一些甜头,从信用卡细节资料到工业设计。一些工具包也提供偷渡下载,这就将网站变成了一个陷阱,只要访客的计算机(或者手机)点击到了网站的任何东西,那就被黑了。

The hacktivists may do most damage by providing cover for more sinister efforts. A report this week by McAfee, a computer-security company, reveals the results of a five-year probe called Operation Shady RAT, examining attacks that use “Remote Access Tools” to inveigle access to computer networks. It does not name the perpetrator (some fingers are pointed at China) but lists 72 victims, from sporting authorities to the governments of America, Canada, India, South Korea, Taiwan, and Vietnam, plus defence contractors and many other firms. Dmitri Alperovitch of McAfee describes the intrusions as “the biggest transfer of wealth in terms of intellectual property in history”. Kenneth Geers of NATO’s cyberwar centre in Estonia says the hacking boom makes it easier for cyber-spies to pass off their work as the handiwork of a misguided rebellious teenager. Not so funny after all.

黑客活动因为为一些更为恶性的行为提供屏蔽而造成了更多伤害。计算机安全公司迈克菲这周发布的报告发布了一个名叫“Shady RAT”为其五年的调查结果,有哪些攻击是使用“远程访问工具”来诱击计算机网络的。它并没有指出作案者的姓名(一些的指向在中国),但是列举出了72个受害者,包括体育当局,美国,加拿大,引渡,南韩,台湾和越南的政府还有国防承包商其他的许多公司。迈克菲副总裁狄米崔•阿帕罗维奇把这些入侵描述成“历史上最大的知识产权的财富交易”。爱沙尼亚的北约网站肯尼斯•吉尔斯指出,黑客蓬勃发展让网络间谍有机可乘,视工作为误入歧途的叛逆青少年的手工小制作。但是没那么有趣罢了。

  • indifferencen. 不重视,无兴趣,漠不关心
  • satisfactionn. 赔偿,满意,妥善处理,乐事,确信
  • emergingvi. 浮现,(由某种状态)脱出,(事实)显现出来
  • dealingn. 经营方法,行为态度 (复数)dealings:商务
  • spreadv. 伸展,展开,传播,散布,铺开,涂撒 n. 伸展,传
  • revealvt. 显示,透露 n. (外墙与门或窗之间的)窗侧,门
  • boomn. 繁荣,低沉声,帆杠,水栅 vi. 急速增长,发出低
  • proben. 探针,探测器,调查,查究 v. 用探针测,详细调查
  • directorn. 董事,经理,主管,指导者,导演
  • transfern. 迁移,移动,换车 v. 转移,调转,调任