by RoboTeddy 4790 days ago
Here's an attempt at an explanation/translation:

HTP ("Hack The Planet") is a group that likes to break into things. Another (unnamed) group of people impersonated a third group of people ("ac1db1tch3z") and tried to cause trouble for HTP.

The impersonators located HTP by examining one of HTP's botnets (a collection of compromised computers that are used to launch things like denial of service attacks). Botnets have to receive instructions (e.g., targets to attack) from somewhere, so it's likely that the impersonators followed the path taken by commands to the botnet, and found the network(s) that HTP uses to organize themselves.

HTP realized this, and wanted to get back at the impersonators. They found out that the impersonators used an IRC channel (chat room) hosted on a network called SwiftIRC. If HTP could break into SwiftIRC (which is hosted on Linode), they could cause all sorts of trouble for the impersonators. So HTP decided to break into Linode, so they could break into SwiftIRC, so they could break into the group of impersonators.

To break into Linode, HTP broke into their domain name registrar (name.com). They planned to secretly take control of linode.com, and replace it with a version of linode.com that would look and feel and work correctly, but had one additional feature -- it would collect the login information that people typed in. HTP probably hoped to gain the login for SwiftIRC directly, or collect the logins for Linode admins and obtain SwiftIRC's login from there.

But, before they enacted the domain takeover (a maneuver that would likely be somewhat difficult to employ without being noticed), an HTP member discovered a new vulnerability in ColdFusion, the server software used by Linode. The ability to discover a new exploit on demand implies a high level of skill within the group. Using this exploit, HTP obtained direct access to Linode. They proceeded to gain access to SwiftIRC, as well as other sites hosted on Linode, including a well-known security site, nmap.org.

The FBI apparently had a mole in HTP, and they alerted Linode that HTP had access to nmap.org. This posed a bit of a problem for HTP: if it became public knowledge that they had obtained access to Linode, then perhaps they wouldn't have time to go after the impersonators using their newfound access to SwiftIRC. So, HTP tried to strong-arm Linode into staying quiet until May 1st. HTP had obtained the customer information and credit cards of all the Linode customers. HTP threatened to widely publish all this sensitive information if Linode didn't stay quiet. If Linode complied, then HTP would just delete all the info.

Linode, though, was forced by the FBI to announce that they'd been broken into. HTP told Linode to just publicly acknowledge that HTP was the group that broke into Linode, and they'd delete the sensitive info. Linode did so (https://blog.linode.com/2013/04/16/security-incident-update/).

HTP conducted an internal investigation to determine which group member(s) were working with the FBI. HTP broke into the mole's computer and turned on their webcam, and saw an FBI employee looking over the shoulder of the mole. They kicked the mole out of the group, so the FBI doesn't have access to HTP anymore.

(Remember, this is the story according to HTP.)


> tried to cause trouble for HTP.

Here's hoping the FBI "causes trouble" for the lot of them. Breaking into other people's stuff is not cool. If I leave my door open by mistake, yes, that makes me a bit absent minded, or foolish, but it does not give anyone the right to wander into my house.

Everyone bitching about HTP or AnonOps or any other hacking group that likes bragging should at least be thankful that they talk about their hacks. I would bet that the crime syndicates have better hacks and keep their mouths shut about them. Those vulnerabilities don't get patched, those customers never get notified. I am not defending HTP or the like, just saying, at least they boast.
I worry more about governments than organized crime these days.
Yep, them too, don't tell anyone about their hacks.

(I mean, "More about governments than organized crime? There's a difference?")

You should pay a visit to Sicily or Naples if you don't think there's a difference.
And I hope none of us ever pay a visit to Guantanamo.

But seriously, yeah, of course there's a difference, but government is also often in league with organized crime, from local levels of corrupt cops and drug leaders, to international levels of the CIA and arms traders and 'our' 'freedom fighters' -- I bet this is also true in Sicily and Naples, that many parts of the government act in league with organized crime.

But yeah, to go back to the actual topic/thread, mainly, I think the guy is right that the government is the other main actor which is going to keep its security exploits to itself, and just use them to monitor you silently. (And that's probably more likely in the US than any other country on the planet, at the moment).

I'd generally prefer government to organized crime, but would probably take the Yakuza over NK or Belarus or wherever.
You mean, how much did the 'mole' see/hear/do before getting booted from HTP?
No, that's not what I mean. What I mean are things like the Chinese government hacking Google and the New York Times, not HTP hacking some IRC provider for revenge.
Let me be more clear. You mean, like employees or contractors under the direction of the FBI hacking sites, at least Linode, while 'investigating' HTP?
Honestly, the two are very often synonymous.
Yep. Knowing various people who have done security work for banks and similar organisations, I've heard a few hair-raising stories.

They never ever disclose when they get hacked. And they do get hacked.

I'm afraid your analogy is stretched a little too far for me - that your open door leading to someone physically wandering into your personal living space is the same as some corporation with tens of millions of revenue a year that has some script kiddie sitting in his mom's basement seeing some Linode stuff come onto his screen. I guess when I think of some kid snooping around some corporation's computers, I'm supposed to compose a mental image of some thug physically invading my own home. Yes, I can see why corporations want people to think this way, but it's a rather silly metaphor as far as I'm concerned.
Actually, these guys cost people a whole hell of a lot more time and money than someone breaking into a home probably ever did. Just for starters:

http://blog.phusion.nl/2013/05/07/phusion-server-security-re...

Well then you are not a hacker. And I hope the FBI cannot cause trouble for them; they did not do anything unethical in my POV. The server is not a house. Black hat hacking is a mixture of art and politics (I never support hackers who hack for stealing money), and if you want the analogy, they just spotted a fancy lock on the door of some institution (not a private house), lock-picked it and looked at what's behind the doors. This may be illegal, but this is the way they can confront the forces they don't like and outline their position. They did not break or delete anything (no vandalism).
Please give me the password to your regular email account so I can read your emails. I won't delete any of them, but your email server is not a house, and I should have the right to read your emails.
A right? I didn't say they have a right. They hacked in. Did the US/Israel have a _right_ to use Stuxnet against Iran? No. They hacked in. When did you accuse the US secret service or hope that they will be punished? Double standards?

I won't give my email or its password to you, but if you can find it, hack it and decrypt my emails, then it would be only my fault, and you will have my respect.

You're not getting it. No one is saying that Stuxnet was "right". That conversation is set in an entirely different context than the Linode hack. Iran is seeking to produce a nuclear weapon with the openly stated goal of launching it against another country. There is no segue from Stuxnet to this Linode hack.

"Fault" is not in question here either. Let's say I leave my front door unlocked. If you enter my home without my permission, you have trespassed and can be charged with a crime. The only thing I would be "at fault" for is making a lackluster attempt at securing my home. I don't forfeit protection from trespass under the law for that act though.

You see, locks are not what govern access; laws are. HTP is clearly in the wrong here. They forced entry into Linode's systems, then attempted to extort Linode in an effort to achieve their goals. Swap out Linode's servers for Linode's offices, and there's no question that HTP are operating outside the boundaries of ethical behavior.

I admit Stuxnet was a bad analogy to black hat hacking. But so is the analogy between hacking into a server and physically trespassing on private property.

The main goal of my comments is to object to the opinion that hacking is somewhat comparable to physical break and enter actions. This is an age where one can find himself in prison for tens of years for hacking and getting access to information (the prospects of Aaron) or even for IP violations, as if it were murder or rape.

Being in an underground hackers crew is much fun and offers many possibilities to learn things for young men who are smart and different from their friends. Those guys and gals are the future top-class engineers at Google and other IT giants and I want them to continue hacking and growing personally and professionally, not rotting in prison.

Offtopic, but have you got a source for "Iran is seeking to produce a nuclear weapon with the openly stated goal of launching it against another country."

I had a quick look on the Wikipedia page but couldn't see anything there.

http://en.wikipedia.org/wiki/Nuclear_program_of_Iran

> I won't give my email or its password to you, but if you can find it, hack it and decrypt my emails, then it would be only my fault, and you will have my respect.

Ah yes, the "might makes right" philosophy that we all know and admire from primary school.

Not everybody believes in rights, per se. He did put scare underscores around the word. Just saying, if you believe your position to be the moral high ground, you shouldn't need to mischaracterize the positions of others.
Did you honestly just use militarized cyberwarfare as an example of legitimate black hat?

The US/Israel are involved in a proxy war with Iran that involves cyberwarfare, clandestine operations and conventional military strikes (in the case of Israel striking Iranian-sourced Syrian weaponry).

It's an extremely poor example to use open cyberwarfare between nations engaged in everything but overt warfare to attempt to legitimize black hat hacking.

I'm curious how you would classify China's crack teams engaging in industrial espionage. Is that black hat activity, or legitimate cyberwarfare by a nation-state?
"spotted a fancy lock on the door of some institution (not a private house), lock-picked it and looked what's behind the doors."

And then collected private information of everybody who works for or is a customer of the institution, and then threatened the owners of the institution if they spoke out about what had happened.

If they spoke out within two weeks. That's not very long. Hell, you can take down sites for two weeks just by filing a DMCA notice.
I kinda get where you are coming from. I'm guessing you like the idea of sticking it to the man, as it were. Well, yeah, I like that too, I tend to lean towards what these guys do, when it suits, but as ever, the problem is with intention and trust. Do you really trust them 100% to only look? The same people who do that could raid my current account, and none of us can be sure they won't. Or, sell on details to raise funds for their "great" works, or cynically line their pockets. We just don't know.

I think quite a number of people tread this fine line between approving of sort of Robin Hood types and criminals. And that can change given the target. So, "fantastic" if they embarrass the FBI, not so comfortable if it's our bank.

If they only "looked" it would not be too bad, but they did much more here. They threatened to release credit card numbers, user names, emails and passwords of customers. Do you think it's fair that someone's personal information is released just because they are customers of Linode?
Why bother reading novels or watching thriller movies when there are comments like this? :)
That helped a lot, thank you.
This translation makes more sense. If this is all true, this is a great story and I want to make a movie out of this. Also, who cares that Linode got hacked. Facebook/Twitter have more information on you than Linode, and they share it with the Gov. The only thing that I wouldn't want is my data to be lost (if I didn't have any backups).

Just a personal opinion.

lol I think this story can be filmed.