It's time to dump the full 75,000 names, addresses, CCs and md5 hashed passwords to every customer that has ever paid Stratfor.
We almost have sympathy for those poor DHS employees and Australian billionaires who had their bank accounts looted by the lulz
Wow. Apologies for venting, but this is fucking ludicrous. I am a middle-class mid-20s programmer who purchased a Stratfor subscription because their material is incredibly well-researched and about a million times more enlightening than your average CNN article. And now I have to cancel my credit card and deal with fraud services. Thanks a ton, Anonymous.
Congratulations, you've exposed the personal details of the rich bankers and military analysts that recognized Stratfor as the intelligent news service it is. And in the process, you've managed to completely alienate the rest of the Stratfor community, members of the "99%", who care enough about understanding global politics that they were willing to give up a portion of their hard-earned paychecks to become better-informed. Something tells me it won't be worth it.
I just can't understand it. These guys are either agent provocateurs, or complete morons.
At least according to http://pastebin.com/8yrwyNkt , Anonymous didn't do this. They claim that they like Stratfor, and wouldn't attack it. (To the extent Anonymous can coherently claim anything, but it makes sense.)
Anonymous doesn't really have centralized power though.
So technically it can still be people "from Anonymous". It can even be just a few who decided to say "it's not us!".
In fact, it can be anyone. It could even be US agents.
Seriously.
I don't think it makes sense, but I think it makes more sense than Anonymous doing it.
Note that Obama recently declared war on whistleblowers, and Stratfor's entire operation is based on George Friedman's cozy relationships with a lot of top officials who tell him things off the record.
Obama's promises to end the wars go directly against Friedman's predictions, and anyone who trusts Friedman's judgment will realize that Obama is lying about pulling out of Afghanistan and Iraq.
The attack on Stratfor could be intended to silence any insiders who may have planned to debunk the idea that the US will leave either of the occupied countries any time soon.
<conspiracy theory> To discredit Anonymous and Stratfor at one go. Look at all the negative press this is going to generate about Anonymous. </conspiracy theory>
On the bright side I haven't heard about Stratfor before and now I'm considering purchasing an account because so many people on HN give it positive reviews.
It depends on what's going on in the world. In some cases Stratfor is way better b/c of the historical analysis offered -- most periodicals operate on the assumption that the reader is fully versed in all the background details. Stratfor has a section where you can read up on its full historical analysis of every country, region, etc.
I'd be blaming the company more than those releasing it. If these guys can, how are you to know if someone hasn't come across the db silently? At least this way there is some warning.
You're kidding, right? The people releasing it are presumably the ones who stole it in the first place. In a bank robbery, do you blame the manufacturer of the safe that was cracked? Or home invasions on the alarm system that failed to catch the thieves? No, the perpetrators of the crime are at fault.
Even if I agreed with you on who was at fault here (which I clearly don't), do you think any significant number of victims of this leak will honestly blame Stratfor more than they blame the hackers behind the attack? If not, the point I made above still stands: Anonymous has alienated anyone who has ever paid for a Stratfor membership. Which is quite a diverse, and likely intelligent, group of people.
To continue using your metaphor of a real world safe:
I also blame the manufacturer of the safe because the safe was not as secure as they claimed and because it's not like securing things correctly is an unsolved problem or even just NP-hard.
information can be stolen more than once, and if it can be stolen by these people, then you can damn well bet that it can be stolen by people who might not want to let you know that they took the information. how long has that data been sitting there unsecured? how many times has that data been stolen through unauthorized access? is it even reasonable to ask to be able to run a pen test against anyone who wants my information, so that i can actually know my data is secure?
First: If you use a Master Lock (heh or an old pen-hackable Kryptonite lock) on your Bank Vault, obviously you are at fault. Doesn't matter what kind of world you want to live in, you need to secure your wares adequately.
Second: It's a dick move of these guys to release all this info. They are hacktivists, or so they claim. (If they wanted to profit off this they'd sell the hacked db to Russians and not release the data) People like MLK and Gandhi also pissed off a lot of people. For example by sitting at white lunch counters, getting spit on, etc. Sorry, that's the idea behind civil disobedience / hacktivism / etc.
Third: this has been stated before, but how do you not know that this database wasn't already cracked 2 years ago by malevolent forces who've been using it for evil, but not telling you about it?
I think it's safe to say Stratfor probably wasn't using a Master Lock, but clearly they didn't do enough pen testing or whatever it would've taken for them to more securely lock down their shit.
(Thought experiment: if a YC company got owned, do you think pg would blame the thieves, for their smash & grab kind of job? Or the coders who left a gaping security hole / social engineering attack vector open?)
not sure what pg would say, but for me (if i were in his shoes) it would depend entirely upon what/how the company was owned. there's a big difference between, say, a hacker exploiting a hole in a well-vetted, well-known encryption API and a hacker exploiting a hole in an encryption API that you rolled yourself.
This is ludicrous. That's like blaming the rape victim for wearing alluring clothing going to a club, but not carrying a gun and learning martial arts to defend themselves.
Yes, Stratfor is guilty of having lax security (I've been affected by this), but the bottom line is that these hackers are the ones that committed the crime and released this credit card information.
if you want to switch analogies to rape, fine, but i think that's a much worse analogy to use.
blame isn't a zero-sum game. if a hypothetical human walks down the street in provocative or revealing clothing in a bad part of town without any way to defend themselves, then you can argue that, at the very least, he (or 'it' if you don't believe in the genderless 'he') should not be surprised that someone attempted to rape him (it). That in no way excuses the rapist for what he (it) did, or lessens the blame apportioned to the rapist.
relating your analogy back to the stratfor situation, the blame stratfor gets should in no way lessen the blame that the hackers get, but stratfor should be held accountable for the fact that they essentially walked into an area known to be infested by opportunistic rapists wearing provocative clothing with no means of protection. regardless of how wrong it was that stratfor got metaphorically raped, one still needs to look at stratfor and ask, why in the world would you do that? how could you even expect anything different to happen?
> not like securing things correctly is an unsolved problem or even just np-hard.
Given that Google, RSA and Intel have all been penetrated (that we know about), and all have a passing knowledge of security I think this has turned out to be harder than you seem to think it is.
I didn't say it was easy; it's usually pretty hard/expensive to do it right.
But there are known best practices, and it looks like those weren't followed (at the very least, have a good password policy and salt the goddamned passwords before hashing).
here are two examples of companies doing security right:
In what way is this any different than someone picking the lock to the front door of your house, smashing things up with a baseball bat, carrying your valuables out to the street and then leaving you a note saying "you should have bought a better lock"?
I'd far rather live in a world where we didn't need the lock in the first place.
the issue (for me) is how valuable the valuables are and how much security is protecting the valuables. There's a good reason why there's a major difference between the security protecting the mona lisa and the security protecting my car, even though both are secured and both are valuable.
when people under-secure assets that they claim to be securing, especially when those assets aren't theirs, I think they're partially to blame when the assets are eventually stolen. I'm blaming stratfor because i think they did a shitty job securing their customers' info, especially since the info belonged to paying customers.
I don't think the leak of the password hashes is that serious. Sh*t happens.
What I find inexcusable is 1) the hashes being weak and not salted (I couldn't confirm that - and yes, I downloaded the data) and 2) the leak of credit card data, billing addresses and other personal info. That information should never, ever, under any circumstances, be accessible.
My information was released without warning. They dumped everything days ago. They could have informed Stratfor about the vulnerability, or even waited to give people a chance to cancel their cards.
Stratfor probably is to blame for lax security. But the hackers are as much to blame for violating my privacy.
I think Dan's point about alienating the wrong people by picking the wrong battles is the most important. Treating innocent people as 'collateral damage' is dehumanizing.
Edit for zobzu:
They posted everything days ago.
My post contains none of the implied strawmen you assume. I believe we're on the same side, so I'm not sure why you are flaming me. You didn't address anything I said in my post.
Yeah I agree they haven't taken the best form of action, which would be to email everyone in the dataset and give them a chance to change their credit card without giving out the whole set. At the same time though this is a better outcome than the information being silently sold.
But yeah, I agree with you, you're much better off when people hack those accounts, steal the money and not tell anybody, so they can keep stealing from it from time to time, and since you don't know about it, you're secure!
Plus I guess it's only ok to see collateral damage when it's poor people getting killed by the army in other countries, on TV. Cause yeah it's TV. Feel sad for 2 min and go grab a coffee.
Heck in this war all you have to do is switch credit card. Not switch a leg for a plastic one.
If the person/people who did this just wanted to expose security flaws, releasing a DB filled with innocent people's personal information is really over the top.
Stratfor is a geopolitical analysis company which helps shape a world-view for decision-makers in the existing power structure. What don't you understand about their infrastructure being a completely valid target?
The question of identities and motives of the actors is certainly interesting, but there are a bunch of plausible theories:
* WikiLeaks sympathetic individuals who subscribe to the Assange theory of conspiracy (see: http://estaticos.elmundo.es/documentos/2010/12/01/conspiraci...). If you grok this, it's a textbook play in the 'throttling weighted conspiracies' game, ain't it?
* Agent provocateurs, as you already mention. That you'd pre-announce a hack like this days before releasing credit card numbers makes absolutely no sense from a Project Mayhem, anarchist perspective, does it? You're giving everyone enough time to cancel cards and minimize mayhem but still maximize reporting of the reckless, misguided behavior of hackers. It only seems to benefit the establishment over the longer-term with a public release like this. If you really care about undermining the system you'd quietly analyze the data and build up an under-the-radar picture of the establishment network to act on, no?
* morons. They got lucky with a target, and care less about gifting SOPA supporters in Washington a delightful Christmas present.
I'm not clever enough to have a view either way, but getting irate based on superficial internet evidence as to the identities and motives of players is not conducive to good health in 2011.
"Stratfor is a geopolitical analysis company which helps shape a world-view for decision-makers in the existing power structure. What don't you understand about their infrastructure being a completely valid target?"
And presumably you think anyone who writes a book about, say, the Nazis is therefore a Nazi sympathizer?
You're expressing a desire to censor information and opinion. As you state it, Stratfor is several degrees of separation from actual policy enactment. They provide analysis, which "shapes world-view". Any given fact, or analysis thereof, can potentially result in many different reactions.
Is Wikipedia a valid target because it, too, "shapes world-view"? Wikileaks certainly does, so is it a valid target?
How about Amnesty International? They produce reports, that provide analysis, that shape world view. Are they a valid hacking target?
If you disagree with Stratfor's analysis, then produce your own analysis that proves them wrong.
Huh? You've completely misread my comment. As have a few others it appears. Perhaps I should have written the bit you got so irate about as "Completely valid target, viewed from a number of perspectives."
Just so we're clear:
* I don't condone or approve of the hack.
* I think it's a reckless, stupid action and the perfect gift (and almost perfectly timed) for SOPA lobbyists in Washington.
* I've actually read George Friedman's Stratfor reports and found them really insightful.
So please, quit with all the hyperbole and Godwin's law proving froth on HN.
I was merely emphasizing that it's not surprising that Stratfor was a target in this context. It is possible to make that statement without approving of the act, you know.
It's also possible to wear the hat of a particular actor to understand their motives without actually supporting them:
* as a misguided, WikiLeaks-supporting hacktivist, attacking Stratfor makes perfect sense. In this context you'd view Stratfor as a right-wing, US-centric outfit which "helps shape a world-view for decision-makers in the existing power structure". Based on Assange's theory of conspiracy, you're attacking one of the nodes in the connected graph of conspiracies.
* as a government actor, attacking Stratfor would be a perfectly underhand and effective way of rousing the establishment to call for an even greater curtailing of internet freedoms. You're embarrassing all the right people, but giving most of them enough time to cancel credit cards before any real damage is done. The way the announcements have been done certainly doesn't support the idea that whoever is responsible is wanting to maximise mayhem.
I should re-iterate here that exploring possibilities does not mean the explorer supports or believes the possibilities explored. Believing this was a government actor is pretty fanciful, but falling into the trap of avoiding exploration because something is "unthinkable" is the path to naivety.
> Stratfor is a geopolitical analysis company which helps shape a world-view for decision-makers in the existing power structure. What don't you understand about their infrastructure being a completely valid target?
Then surely the New York Times and Washington Post are as well.
Well, of course? As is The Economist and other publications that are part of the existing power structure.
It is possible to make these pedestrian observations without supporting the people who oppose the power structure.
I would also say that in the context of the Cold War, Radio Free Europe HQ would be a "completely valid target". It doesn't mean I actually a) support such an attack, or b) am a communist.
My point is that few of the folks applauding/excusing the StratFor intrusion would support a similar intrusion of the NYT, WashPost, or even Economist.
Those last 2 are popular for the Battlefield Heroes dataset and other gaming-related ones, so I keep them in my script as gaming sites are both highly targeted and usually poorly secured.
Anyway, it's clear that no rules were enforced as a 3-letter dictionary word like "war" would never be allowed by any rule creation system. The fact that "stratfor" was used by nearly 1.4% of all accounts (!) tells me that either their users did not value these accounts or they simply have no idea how passwords are supposed to work.
I've been a Stratfor subscriber on and off since they got started about 15 years ago (I was 14 years old at the time). The last time around I got a new subscription, Stratfor set a new password for me, and it was... "stratfor".
This is just about the only bad thing I have to say about Stratfor. Being a long-time subscriber, I am always a few steps ahead of basically everyone else when it comes to global politics, and this has been very useful and enjoyable over the years.
One thing worth pointing out is that a Stratfor account like mine does not contain any sensitive information. It gives me access to exactly the same Stratfor reports as any other subscriber. As far as I know, it would not be possible to obtain e.g. my credit card details by using that password.
If the account does not hold any "vital" information, password "stratfor" could be quite a harmless password to leak, as I couldn't imagine anyone using that password for any other site/account. Although I don't know what user information is contained within the account.
Anyway, it is stupid to use such passwords and it tells something about the persons using those. Maybe they would use site names as passwords on other sites also.
How did you get a breakdown of all the passwords used? Did you try to crack them yourself, or have the cracked passwords been posted? I'm trying to figure out if my own password has been compromised.
All you need to do to figure out the hash for a password is take the MD5 hash of it. My guess is the commenter you replied to just took some common passwords and some no-brainers and did a quick little "find all" for each hash.
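The unsalted-MD5 lookup this comment describes, beside the salted, slow hashing an earlier comment in the thread calls for, as an added example that is not code from the thread or from Stratfor; the accounts, passwords and audit words in it are constructed.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not from any real dump): a few made-up users
# and the weak passwords they chose, including the site name itself.
SAMPLE_USERS = {
    "alice@example.com": "stratfor",
    "bob@example.com": "stratfor",
    "carol@example.com": "war",
    "dave@example.com": "Tr0ub4dor&3",
    "erin@example.com": "correct horse battery staple",
}

# A short audit wordlist: the site name, a 3-letter dictionary word, two defaults.
AUDIT_WORDS = ["stratfor", "war", "password", "123456"]

PBKDF2_ITERATIONS = 100_000  # assumption: any modern work factor would do


def md5_hex(password: str) -> str:
    """Unsalted MD5 of a password, the scheme the thread says the table used."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_unsalted_table(users: dict) -> dict:
    """user -> md5(password): identical passwords produce identical hashes."""
    return {user: md5_hex(pw) for user, pw in users.items()}


def audit_unsalted(table: dict, words: list) -> dict:
    """Fraction of accounts using each audit word, e.g. {'stratfor': 0.4}.

    Without a salt, one MD5 per candidate word tests every account at once:
    the "quick little find all for each hash" the comment above describes.
    An operator can run this against their own table before a breach does.
    """
    lookup = {md5_hex(w): w for w in words}
    hits = Counter(lookup[h] for h in table.values() if h in lookup)
    return {word: count / len(table) for word, count in hits.items()}


def password_exposed(table: dict, password: str) -> bool:
    """Self-check from the thread: does my own password's MD5 appear in the table?"""
    return md5_hex(password) in set(table.values())


def build_salted_table(users: dict) -> dict:
    """user -> (salt, digest): random 16-byte per-user salt plus PBKDF2-SHA256."""
    out = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ITERATIONS)
        out[user] = (salt, digest)
    return out


def verify_salted(entry: tuple, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = entry
    cand = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(cand, digest)


def distinct_digests(salted: dict, users: dict, password: str) -> int:
    """How many different digests the accounts sharing `password` now have.

    With per-user salts this equals the number of such accounts, so a
    "1.4% use the site name" finding cannot be read off a leaked table.
    """
    return len({salted[u][1] for u, pw in users.items() if pw == password})
```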
When downloading the file from the .onion URL given in the link, the archive contains a member "._stratfor_users.csv". Seems that this is some OS X metafile that also includes a UUID of some sort.
Anyone more familiar with the format? Does the UUID allow one to identify the user that originally downloaded the CSV and/or posted the archive? (Assuming that you have access to Apple's or Google's data.)
Not any first-hand, and I hope never to have to find out. Still, I suspect "I am an RA working with a security researcher and we're studying password strength" would go over better than "I'm curious", although they amount to the same thing. The respect and deference we afford institutions can be a bit strange, at times.
So, Citi provides a similar "Virtual Account Number" service which allows a cardholder to create a new cc# with a new expiration date and a specific balance, but the billing address cannot be customized which reduces the usefulness of the service.
If Anonymous thinks they're making a strike against American militarism with this, why didn't they hack some place that has more influence, like the American Enterprise Institute, which is blatantly ideological and employed a number of people who went on to the Rumsfeld Pentagon?
The people who support the Stratfor hack keep painting a picture of Stratfor which would far more accurately depict the mendacious hacks at AEI.
So what exactly has Stratfor done? I mean aside from posting their own (informed) articles and running a business?
These people aren't protesting anything reasonable anymore -- they are flat out against people who earn money. Personally I consider them traitors to America.
I'm a fan of Stratfor (I read it to get a handle on international news - they provide a background/context to enable me to understand what's going on, unlike traditional news), and I don't agree with this type of activity, but calling someone a traitor is a serious allegation, especially when these people are merely criminals and are not committing treason, which is what traitors do. Given that I don't understand the point of posting account details with password hashes, and CC#s - what are they trying to achieve?
> I read it to get a handle on international news - they provide a background/context to enable me to understand what's going on, unlike traditional news
That sounds like it might be worth looking at. Is there a publicly accessible example you could provide a link to?
Unfortunately, their site has been down since the penetration. Even though it appears most of their content is not free, I signed up for their newsletter and received links to some articles regularly.
I highly recommend "The Geopolitics of the United States" series. Very well reasoned and clear explanation of the underpinning advantages of the US. It all clicked together so nicely.
No idea where you could find it now though.
Maybe these black hats should have snatched a copy of the content instead of these stupid mail spools.
John Mauldin frequently links to / references / includes excerpts from STRATFOR in his own newsletters. This is just an excerpt, but should give anyone curious a sense of the quality:
It would, of course. Just look at some European democracies that lean heavily towards socialism. Excellent universal healthcare, schooling, civil rights (yes, economic systems are orthogonal to state systems) and so on.
What really endangers the US is the rapid erosion of civil liberties under the excuse the country is under attack. It is, but if the medicine kills the patient, it is not exactly a winning scenario.