By Alec Meer on May 13th, 2011 at 9:53 am.

Oh dear. Internet rotters have done it again, this time turning their attentions to the official website for Deus Ex: Human Revolution and for developer Eidos Montreal. But their hacking is not yer common-or-garden Denial of Service attack or painting pink moustaches on pictures of Adam Jensen – it’s stealing the personal data of some 80,000 registered users. Thanks so much, hackers.

The sites were also temporarily defaced to display the above message of willy-waving, reports KrebsOnSecurity, but everything’s superficially back to normal now. Reportedly, the damage was done by a subset of the infamous Anonymous hacker collective, who some believe were responsible for the increasingly ludicrous PSN outage/security terror (though they themselves claim they weren’t).
Clearly, if you used any login info for the DX3 or Eidos sites that you use for any other services, you should go sort out some new passwords and whatnot now, to be sure some cracker doesn’t start reading your Gmail or ordering the most expensive onions on Amazon Groceries. The exact scale of the problem and consequences are not entirely known as yet, as Eidos/Square is keeping shtum. It could have been a whole lot worse, however, if these chatroom logs (again, via KrebsOnSecurity) from the group who may have been responsible are anything to go by:
[16:07] one thing that would be funny
[16:07] i write a nasty virus
[16:07] that will bsod on startup
[16:07] fuck up all your drivers
[16:07] delete tons of files
[16:07] forkbom on start
[16:07] etc
[16:08] we put that in an exploit kit
[16:08] on the main page
[16:08] there security will be responsible
[16:08] for like
[16:08] thousands of fucked up computers
[16:08] and it would make the news
“One thing that would be funny.” Yes, wouldn’t it. Good grief.
Why these chaps did what they did isn’t entirely understood either – it could have been simply for the lols, but the chatroom logs bear some mention of ‘src’, which could be either in reference to the website’s source code or to the game’s source code. Sounds to me like their main interest was simply in sowing havoc, though.



13/05/2011 at 09:58 ZenArcade says:
Whoops.
13/05/2011 at 09:59 Darkelp says:
I may just quit the internet. Second time my information has been compromised in a month. At least I don’t have to cancel my debit card this time.
What could they possibly gain from this action, other than coming across as childish idiots?
*Sigh*
Edit – Actually I never had a login for Eidos, but still, damn annoying.
13/05/2011 at 10:09 Theory says:
Attention they don’t receive in their real lives.
Making newsposts that relay names, quotes etc. like this one does is exactly what they want, and encourages more of the same.
13/05/2011 at 10:59 godgoo says:
replyfail
13/05/2011 at 12:05 Pyrosity says:
Never use the same passwords for things that matter (any kind of bank or email info, steam, etc) as things that don’t (most websites).
Things that matter generally have good security for this stuff, other websites…. well, there are plenty of examples of leaked information.
13/05/2011 at 13:19 Bingo Bango says:
@Pyrosity Steamguard negates password theft since it ties to specific computers
Still, this is ridiculous…
14/05/2011 at 05:20 Thermal Ions says:
Except if you’re using the same password across multiple sites/services like your email and Steam then (a) they’ll be able to obtain the unlock code to run Steam on other hardware, and (b) you’re an idiot.
13/05/2011 at 09:59 Jetsetlemming says:
Script kiddies ugh. Grats on downloading something that makes you feel like an e-man, now fuck off the internet forever.
13/05/2011 at 10:54 BunnyPuncher says:
They don’t sound like “script kiddies”.
13/05/2011 at 11:50 DMStern says:
How about directing some of that anger towards the companies that insist on collecting all our information but can’t ever seem to keep it safe.
13/05/2011 at 12:28 icupnimpn2 says:
No. How about directing anger to the people that willfully perpetrate the crime. As much as the hacker kid says, “there security will be responsible,” you know what dude… you’re responsible. Their security didn’t make you try to break in.
It’s like blaming the victim of a rape. Yeah, maybe they could have taken more precautions. Maybe they shouldn’t have shown so much cleavage, or been in that part of town at night. But it’s the rapist’s fault, no matter how much “they were askin’ for it.”
13/05/2011 at 12:40 Xercies says:
Because clearly hacking and rape are two crimes that are the same!
Let’s put our anger on both to be honest, the company for not making it that secure, and the hackers that seem to do this for fun
13/05/2011 at 12:54 jalf says:
Yes! And so is piracy, of course!
13/05/2011 at 12:59 jalf says:
@icupnimpn2: “rape victim”? Eidos isn’t the victim here. The people whose account information (possibly) got leaked are.
And sure, those who hacked the site are guilty of hacking the site. But Eidos is guilty of allowing the hack to take place. They’re guilty of failing to protect the information they had been entrusted with. That’s why they, and every other website, require you to provide a password when you log in: because they’re responsible for keeping your account secure. If it “isn’t their fault” when they fail to protect your account, then there’s no need for them to even require a password. They could provide a humongous dropdown list of all their registered users, and you could just pick the one you wanted to log in as. Because hey, if anyone abused it, it’d be that person’s fault, Eidos would’ve done nothing wrong.
Most countries have privacy laws which say something to the effect of “if you store another person’s private information, you goddamn keep it safe, or you will be held accountable”. Eidos is to blame for failing to safeguard against this, just like the hackers who did it are to blame for actually hacking the site.
13/05/2011 at 15:25 psyk says:
You guys and your dream of a 100% secure system that’s not in a room with no door and no network is laughable.
13/05/2011 at 16:08 icupnimpn2 says:
How is a company supposed to know when their practices are secure enough? There’s some little puke out there spending all his days looking for some chink in the armor.
13/05/2011 at 16:08 icupnimpn2 says:
Why double post did come? Go way double post!
13/05/2011 at 17:33 Consumatopia says:
The hackers were criminals, they should go to jail.
Eidos was negligent, they should pay damages.
Eidos defenders are idiots, they should shut up.
Blame is not a zero sum game–there is plenty of blame to go around for everyone.
13/05/2011 at 20:10 Devan says:
They sound like script kiddies to me, partly because of that chat log and partly because of the fact they did it for the recognition. They even gave out their names and IRC server, which is just begging to be surveilled.
I agree with the sentiments that both the script kiddies and the network admins are at fault to varying degrees. It’s hard to verify how much Eidos is at fault without knowing which exploit was used and whether or not it could reasonably have been prevented. The unfortunate reality is that network staff at many companies are too burdened with support requests and other demands to be able to devote the necessary time to the intangible work of network security.
Maybe management just isn’t willing to employ someone to do invisible work full-time, but it’s a big job to regularly examine and rotate log files, monitor and maintain your IDS, and keep all software and network services fully patched with security updates. There’s even a fairly strong incentive _not_ to apply patches because of the likelihood of something not working right anymore.
It’s unfortunate but it’s no excuse for having shoddy security. If you’re storing personal, financial, or password information about your users, you’d better take every reasonable step to make sure it’s protected. If you can’t do it, then don’t store the info; simple as that.
13/05/2011 at 22:20 Tatourmi says:
Responsibility is a funny thing, pretty arbitrary. Who was responsible? The hackers? Eidos? It could also be the person that taught them how to code? Maybe their mom for giving birth to them? Maybe their dogs for pissing them off that day? Maybe the internet for allowing them to contact each other, and, most importantly, to hack things? Maybe the world’s fault for existing? The makers of the first Deus Ex for making it so good some people decided to make sequels? The list goes on literally forever.
There are plenty of things that, if they didn’t exist or didn’t make something at some point, would have theoretically prevented the crime from happening. Is that what responsibility is? Is that how it is defined? No, it would be absurd, deeply absurd. Responsibility seems at this point to be a very strange metaphysical concept. Who is ultimately responsible? Is there really someone responsible?
This is an incredibly tough question if you take it this way and, unfortunately, it needs an incredibly straight and clear answer, or rather the legal system needs one to function properly.
And actually the legal system is the key. There is no objective responsibility without an objective arbitrary decision in the forms of laws. The responsible party is the one that went against the law. And there is nothing more to it. Responsibility is a legal term, only a legal term, was made to be a legal term, and should be discussed so.
Now I ask you: Was Eidos against the law? I don’t think so.
Consequently is Eidos responsible? They cannot be.
Also (My original post, which went a bit overboard):
An ideal society would not be a society in which everyone is paranoiac and protected but a society in which criminals don’t exist.
PS: In the perspective of defining who is responsible there is no difference between a rape and a hack.
14/05/2011 at 01:49 Consumatopia says:
Wrong. Every sentence. Wrong. The law may have a concept of responsibility, but it is a concept that exists outside the law.
Depending on what Eidos did, they may be liable to the civil tort (not criminal charge) of negligence.
However, the ethical/moral definition of irresponsibility is independent of the legal definition of negligence. If I give Eidos my data, and Eidos says it’s supposed to be private, then Eidos is responsible for keeping that data private. When Eidos asked for my data, we both knew there were potential adversaries who would want to take that data.
Heck, even independent of the ethics/morality, there’s their business reputation. Eidos would like to be known as someone who can protect user’s data. Now we know them as someone who can’t. I’m not obligated to forget this just to protect Eidos’s feelings, or yours.
jalf had this right. Eidos is not a victim here. The users are. If you want to go with this moronic rape analogy, then this is like someone getting raped in the lobby of an apartment building while the security guard was napping on the job. The guard is not the victim, here.
15/05/2011 at 08:45 Nesetalis says:
“Script kiddy” used to be a derogatory term.. now it’s really the standard.
Do you really think these guys used some telnet client to reply to queries and crack the system? no… they used programs, perhaps written by them, but programs none the less..
The days of hacking in to a server manually have gone.
13/05/2011 at 09:59 Icarus says:
/slowclap
Edit to actually be constructive: Only Eidos-related password I had was for the online store after purchasing Startopia for a few quid a while back- which I’ve just changed.
Thanks, script kiddies. Thiddies.
13/05/2011 at 10:49 Bhazor says:
Holy crap! Why did I not know Startopia was available online?
I’m havin’ that. Once the servers have calmed down again.
http://store.eidos.co.uk/pc-windows-download/StarTopia.php
13/05/2011 at 11:42 Bilbo says:
Killer game. Usually available in the 3 for £10 section of GAME.
13/05/2011 at 11:42 MadTinkerer says:
Not on Steam, not on Gog.com, not on Impulse. I wish publishers would get a clue sometimes.
For organizational purposes, I need to limit the number of different places I order games from, and if you’re not a zero-budget-Indie or an owner of a major download service, I’m not buying a downloadable game from you. Just frickin’ put it on Steam, and if not on Steam then GoG or Impulse or Desura. Yeesh. (Also, no GFWL.)
13/05/2011 at 12:28 chakraist says:
I love Look Around You. Thanks, Icarus.
Thicarus.
13/05/2011 at 10:00 Stense says:
Twats.
13/05/2011 at 10:01 Dozer says:
1) Staring Eyes tag
2) I’d have blurred out their IRC channel in the second image. And also all their names.
13/05/2011 at 14:05 SuaveMongrel says:
Eh, just leave it.
Put it this way, the more this hacking business goes on, the more likely it is a virtual-Batman appears and serves the highest of punishments.
Cleaning their rooms.
13/05/2011 at 10:01 Bilbo says:
Somehow in spite of myself I feel the term “Fucking cunts” is appropriate here
13/05/2011 at 11:41 JB says:
Glad it’s not just me that thought that.
13/05/2011 at 10:01 Stitched says:
I was going to say, before Darkelp kind of hinted at it, what kind of personal information are you giving to that site? Aside from CC information (if you can buy stuff), why would you use real information?
13/05/2011 at 10:12 jon_hill987 says:
People will have signed up with an email address and a password. Type that email address into various other sites and you can bet (if the user is registered there) a large number of the passwords will be the same. Steam accounts for example.
13/05/2011 at 10:03 Vexing Vision says:
Do you remember the time when hackers were gamers, and only targeted “the man”? When the label “white hat” meant something? When the vandals spraying graffiti on all the walls and smashing windows everywhere were jocks and uneducated kids from abusive families, instead of intellectuals knowing how to switch on a computer?
Get off my internet-lawn, you fucking kids. :(
13/05/2011 at 10:34 Teddy Leach says:
I remember. I pine for a return to those days.
13/05/2011 at 10:48 Grygus says:
“White hat” meant something because there existed such a thing as “black hats.” The good old days never were, actually. Sorry.
13/05/2011 at 10:04 JYzer says:
What a shame…
13/05/2011 at 10:04 Anthile says:
Seems like the hacking minigame in the new Deus Ex is a bit too easy. Wait.
13/05/2011 at 16:59 wintergreen says:
Comment of the week
13/05/2011 at 10:06 Jetsetlemming says:
Also I gotta say, them having names seems to go against the whole “They’re part of Anonymous” idea.
13/05/2011 at 13:19 Delusibeta says:
Also, the lack of the “We are legion” line. Kind of a giveaway.
13/05/2011 at 10:06 Valvarexart says:
“Anonymous hacking group” really isn’t a hacking group. It’s just a collection of a bunch of retards from [hidden] that sometimes hang out in an IRC chatroom. A few of them might have genuine hacking knowledge, and the rest cling onto them and pretend to be “responsible”. I find it most likely that it was done by another group which then dumped the info or something similar in AnonOPS IRC.
13/05/2011 at 10:07 bigolslabomeat says:
Unlikely related to Anonymous what with them putting their names on and therefore not being… you know … ‘Anonymous’ any more.
Also I doubt they had anything to do with PSN, it would have been trivial for anyone with a basic grasp of programming and access to Google to hack their unpatched and unfirewalled Apache.
13/05/2011 at 10:09 Valvarexart says:
I am pretty sure that AnonOPS are partly responsible for PSN though. They started the DDoS’ing before the network went down.
13/05/2011 at 10:10 Icarus says:
Yeah, I’m gonna say it wasn’t Anonymous. 1) they left names, 2) Anonymous MO seems to be more activist-y/freedom-of-speech types (targeting companies that made life hard for Wikileaks etc). This just seems like some random idiots who thought it’d be funny to cause havoc.
13/05/2011 at 10:17 Valvarexart says:
Well, they targeted Sony because they were filing a lawsuit against the dude that jailbreaked PS3 or something…
13/05/2011 at 10:27 Icarus says:
Anonymous may well have been responsible for the DDoS on Sony, but I’m not convinced that they were behind the data theft there.
13/05/2011 at 11:32 Martha Stuart says:
They might not have stolen the data but they provided the smoke screen for whoever did, or at least that’s what Sony’s info security guys are saying.
13/05/2011 at 11:38 jalf says:
But by that logic, the guy who brought their programmers a cup of coffee is behind the hack too, because that too provided a distraction and a smoke screen.
Sony’s security people failed to detect and prevent a major hacking attempt, and external circumstances don’t change that, or absolve them of their responsibility. Millions of users entrusted them with sensitive information, and they failed to protect it. That’s really all there is to it.
13/05/2011 at 11:58 P7uen says:
@Valvarexar
I’m pretty sure you can’t be pretty sure of something when you clearly haven’t even read, or at least remembered, basic news stories about it. You should probably not say any more.
13/05/2011 at 12:10 ReV_VAdAUL says:
Pretty soon we’ll find out that among the files found by the soldiers that assassinated Bin Laden were chatlogs with members of Anonymous AND Wikileaks.
13/05/2011 at 13:32 Blackseraph says:
Anonymous really aren’t that bad, they like dogs and cats and make life hard for those who don’t like them and are stupid enough to post their cat torturing videos in the youtube.
They also don’t like scientologist or dictators and are big on the freedom of speech. They are more of an activist group, what they do might sometimes be illegal. But it isn’t necessarily mean spirited. In my opinion anyway.
13/05/2011 at 13:47 Robert says:
[16:12] make a deface page pointing @ xero
[16:12] with personal info
[16:12] or someone else you dont like
****
From the linky. So it might, or might not, be Anon. And I don’t believe you can validate everything because sometimes -parts of- Anon says/suggests they are ‘freedom fighters’.
13/05/2011 at 14:02 Blackseraph says:
My point is that anonymous usually have a point, a reason to attack whoever they are targeting, and those targets usually do deserve it. Say companies that made life hard for wikileaks or Mubarak’s regime. As far as I have seen they don’t do things just to be jerks. At least usually.
Of course I could be wrong and they are just cyberjerks, but I don’t want to believe it. Not yet anyway.
And they don’t just say or suggest that they are freedom fighters, they actually act.
13/05/2011 at 16:47 SuperNashwanPower says:
This from PC Gamer:
“According to the hackers’ IRC chat logs, the names credited with the hack belong to a series of Anonymous members disliked by the real culprits, evo and @n”
So the names are sort of a smear campaign really – people the real hackers wanted to shaft by sticking their names on the hack.
15/05/2011 at 02:11 Azuku says:
I’m getting kind of sick of people’s misunderstanding of what “Anonymous” is, or rather, the assumption that they are anything. Saying that a hack, or data theft, or whatever, was done by Anonymous implies some sort of internal structure, which is inherently the opposite of what anon is. There is no internal structure, no leader of any kind, no MO, and no consistent motivation for anything. Saying “This looks like something that Anonymous would do” is not the same as saying “This looks like something that Jonathan James (or whoever) would do”. Anyone can be anon, and this means that you may not be talking about the same people twice in a row, or ever. It also means that you can’t prove that anything was done by Anonymous. Nothing is stopping any random dick from doing something then posting “Anonymous is legion, we do not forgive, we do not forget”, and bam anon clearly perpetrated this crime, and for all intents and purposes, anon did. “Anonymous: The hacker collective” is as silly as it is vague.
13/05/2011 at 10:07 Dark_Oppressor says:
So, does every random act of internet naughtiness get pinned on Anonymous now? (which even sounds silly, blaming it all on anonymous, ie. no one knows who did it :-P)
13/05/2011 at 11:13 gorgol says:
Lol, indeed.
13/05/2011 at 12:01 Burning Man says:
That’s the trouble with choosing such a stupid name. You share the collective responsibility of every hacker/cracker on the internet.
13/05/2011 at 12:08 Defiant Badger says:
Yes, which makes it very quite unbelievable when they say they’re not responsible for the PSN debacle; as all you have to do to be a part of anonymous is to share their ideology.
13/05/2011 at 10:09 jon_hill987 says:
“one thing that would be funny i write a nasty virus”
Yeah, that would be funny. No, wait, the other thing. Criminal.
13/05/2011 at 10:15 Gnoupi says:
“Chippy1337”. Right.
13/05/2011 at 10:43 jimjames says:
Haha, that’s what I thought.
13/05/2011 at 10:16 Neurotic says:
When did Square and Eidos get into bed together anyway? Seems like a fairly random pairing.
13/05/2011 at 10:22 DSR says:
Swingers
13/05/2011 at 10:57 Ricc says:
Eidos was bought two years ago. Presumably because Square wants to become stronger on the Western market.
13/05/2011 at 10:17 sonofsanta says:
Although I don’t suspect it was done by Anonymous, I think Anonymous has made cracking like this cool again.
Unfortunately, whilst I can largely agree with Anon’s liberal sentiments, this is just stupid and rather pathetic.
13/05/2011 at 11:33 Daniel Rivas says:
Ah, the liberal sentiments of Anonymous. Freedom of speech, but only for the right people with the right speech. Anyone else gets a denial of service error message instead.
Lovely.
13/05/2011 at 10:18 Kdansky says:
How long until people stop using the same password everywhere? Oh, right, people are stupid. Never mind, proceed with losing your credentials every few months. Nothing to see here.
13/05/2011 at 10:51 StranaMente says:
At the moment I got about one hundred user id’s and passwords for the same number of sites. The question is: how can I not use about the same password everywhere?
For some of the most important there are greater differences, but otherwise it will only be a giant pain in the ass. It’s not a customer problem. The problem is these dickwads.
13/05/2011 at 11:01 yrro says:
More like, how long until sites stop storing passwords in plain text?
Passwords must be hashed and salted. No exceptions. To do anything less is negligent.
13/05/2011 at 11:15 BunnyPuncher says:
Unfortunately the problem is you.
Being too naive to protect your online data is outright careless… shouting and screaming about inevitable security breaches will do you no good. It’s actually a positive thing these guys (seem) to be interested in havoc. They force security systems to tighten up, making more sinister hacks a little bit harder to create.
13/05/2011 at 11:23 Stitched says:
KeePass is your friend – Generates log-in passwords of random or user specified sizes, stores them in a passworded program with keyfile, for access later. Truecrypt the directory of the program and you are set.
13/05/2011 at 11:27 Kaira- says:
Because remembering 10-50 passwords can get quite frustrating.
13/05/2011 at 12:11 TheApologist says:
I am not going to store 50 strong passwords in order to use the internet. I’m just not motivated enough by most sites on the internet to do so.
So either I use the same passwords and website security gets better, or security breaches keep happening and I stop using a lot of sites.
So, yes, it is up to the websites that want me to visit them and login to use them to make security practical. When did it happen that I became responsible for a website’s continued survival?
13/05/2011 at 12:26 Meneth says:
“So, yes, it is up to the websites that want me to visit them and login to use them to make security practical. When did it happen that I became responsible for a website’s continued survival?”
100% security is impossible. Therefore any responsible user should do what (s)he can to reduce the number of weak points in their online persona. One way to do this is having at least a few different passwords, graded by importance (E.G., stronger passwords for important, secure sites, and weaker passwords for less important sites). This alone reduces risk by a huge amount, as the points of failure for each password is now much lower.
Another, also easy, way to keep one’s online persona secure, is using a password manager (LastPass or KeePass, for example). This way one can have unique, strong passwords for every site one uses while only having to remember a single one. The hacking of a single site won’t affect any other sites. The only important point of failure is then the password manager itself, but unlike a forum or other random website the focus on security is much higher.
I do not feel sorry for anyone who uses the same password all over the internet and then has to suffer the repercussions when one of the websites the person uses gets hacked.
13/05/2011 at 12:28 Coren says:
To those of you complaining about having to remember or store dozens of passwords, there are quite a few solutions to that problem.
Personally, I use Lastpass (https://lastpass.com/), which is a cloud-based system for generating, storing and managing passwords. Lastpass works on pretty much any browser, any OS and any mobile device, and it’s generally pretty damn handy.
Security-wise, the passwords themselves aren’t stored online, just the encrypted forms (or the salt? Whatever them security-types call it). And Lastpass have recently shown that they’re positively paranoid about security breaches, preferring to force password resets for their users instead of ignoring the risk that even a minimal part of their encrypted data might have been compromised. Oh, and if you’re truly paranoid, they also offer several kinds of multifactor authentication.
If you don’t trust cloud-based systems, there’s plenty of other password managers you can use. There’s simply no excuse not to be using different strong passwords for every site you visit nowadays.
13/05/2011 at 12:45 cliffski says:
“It’s actually a positive thing these guys (seem) to be interested in havoc. They force security systems to tighten up, making more sinister hacks a little bit harder to create.”
Nope.
If it was a positive thing, the hackers would email the website and inform them of their security hole, and give them time to patch it.
But ‘hackers’ are too selfish to actually behave in that way. They just want money, and bragging rights.
There is no justification for this sort of thing. If I went out and smashed all the windows in my neighbourhood, maybe it would encourage people to develop stronger glass, but I’d still be an antisocial dick for doing it.
13/05/2011 at 12:45 lamzor says:
well as you said. it’s possible that someone hacked lastpass
http://blog.lastpass.com/2011/05/lastpass-security-notification.html
i’m a bit paranoid myself. i started using keepass
http://keepass.info/
it can autofill forms, logins, passwords on webpages (based on several rules). the copy/paste bin is protected and it is copied and pasted only 1-2 letters at a time and randomly pasted into correct position on forms. that means even best keyloggers can’t steal your passwords while they are pasted to forms.
keepass software can be locked, it can be unlocked by master key which can be entered on secure desktop – keyloggers won’t work.
database can be exported and saved somewhere (web, mobile or usb key). even if someone has this file, it’s still password protected.
this software was ported to (i think) every mobile platform as well.
i have been using it for ~2 months and i’m very happy with it.
edit: oh and it’s free.
13/05/2011 at 13:05 Stitched says:
Seconded for KeePass. Ever since the Gawker site got compromised, I downloaded this, use an encrypted keyfile and log-in password for the database, and haven’t looked back. The Autofill command or the ability to drag and drop logins and passwords make it dead easy to access sites without having to remember a ton of passwords.
“I can’t be arsed to cook so I only eat at McDonalds every day”
*develops Type 2 Diabetes*
“Screw you, McDonalds! It’s your responsibility to prevent me getting diabetes!”
Think for yourself. Don’t expect or rely on others to be as clever as you are.
13/05/2011 at 17:36 Pointless Puppies says:
@TheApologist
In other words, you’re too lazy to take proper care of your own account security and expect other websites to do the work for you. Especially when it’s common knowledge that no network infrastructure is 100% hack proof, making your vague demand of “make better security nao” all the more nonsensical.
You have no excuse. There’s plenty of browser-based password programs out there that store whatever password you want and automatically fill in login forms for you. Or failing that, just use a plaintext file in your own hard drive. Or do what you do, and whine all you want that hacking exists and demand better security. Makes just as much sense as not locking your car and blaming your car manufacturer for “bad security” when it gets stolen. If you’re too lazy to take care of your own accounts, don’t complain when they’re all breached at once.
13/05/2011 at 10:19 ananachaphobiac says:
I wonder what the collective noun for script kiddies is? A “Hormone,” a “Testicle,” a “Wank?”
Any suggestions?
13/05/2011 at 10:31 Ovno says:
A frustration….
13/05/2011 at 10:42 ColOfNature says:
A basement?
13/05/2011 at 10:51 mistwolf says:
A spurt, a throw, or a toss
13/05/2011 at 11:16 BunnyPuncher says:
An IRC Room
13/05/2011 at 12:01 P7uen says:
A twaddle?
13/05/2011 at 12:29 torchedEARTH says:
A copy and paste
13/05/2011 at 12:47 Ilinx says:
A spooge…
13/05/2011 at 16:20 Fumarole says:
A virginity of hackers.
13/05/2011 at 18:26 Teddy Leach says:
A furious masturbation.
13/05/2011 at 10:19 NicoPonk says:
How is this related to Anonymous?
Those guys seem to be responsible for about anything these days…
13/05/2011 at 10:46 elsu says:
Reading the linked article (particularly the IRC logs) it looks like this is related to the fuss over at AnonOps. The names they put there are not theirs, but those of people they don’t like. In this case, I assume one of the ‘Ryan’s named is that of an AnonOps moderator who engineered a take-over of their IRC channels recently.
13/05/2011 at 10:25 kikito says:
Anything ending in 1337 deserves public scorn.
13/05/2011 at 10:27 jon_hill987 says:
Including 37 minutes past one in the afternoon?
13/05/2011 at 10:47 Ovno says:
No 37 past 1 is Leet!!!!
13/05/2011 at 10:26 Recidivist says:
“[16:08] there security will be responsible”
It’s ‘their’. Fucking illiterates -.-’
13/05/2011 at 10:32 Vexing Vision says:
Writing nasty virus > writing good grammar! Go with the times, dude!
13/05/2011 at 15:29 RC-1290'Dreadnought' says:
The problem is that you don’t HAVE to compile English, so you can’t be sure if it is correctly written, until someone tries to read it. Of course you can use a tool to check spelling, but grammar is a little bit harder to check. The tool would at least have to be able to interpret every sentence, and create analogies which the user would then have to compare to the message that user intended to write. Of course, the tool could also be made to only check for homophones, but that still would not be fool proof.
Of course you could demand the original author to check the grammar, but since the author is also the origin of the mistake, it is unlikely that all mistakes can be reliably found. Especially with a language like English, which is used a lot on the world wide web, you will find a lot of people who learned it as a secondary language. So I have the opinion that you can’t expect everyone to be completely aware of all rules regarding the use of ‘the’ English language. (‘the’ was put between quotes because there are many variations)
However, I do agree that some mistakes could probably be more easily corrected, if the writers had put more effort into learning about common mistakes, and how to detect and correct them.
13/05/2011 at 10:31 Tunips says:
Are we sure this isn’t part of an over-elaborate ARG? Technically speaking, Eidos HQ could be part of Anonymous. Either way, it’s some cracking good irony in very poor taste (the best sort)
13/05/2011 at 10:43 Bursar says:
That was my first thought as well on reading this.
What I want to know is whether the hacker climbed up the fire escape to the roof, went in through an air vent, turned off the cameras, knocked out two guards and then got the data direct before leaving in a stealth helicopter?
13/05/2011 at 10:50 aerozol says:
@Bursar > <
@frightlever Just log into 4chan once, say ‘I’m part of Anonymous’, and you’re done. There’s no forms to sign.
On topic, since they reported losing customer information, I think it's unlikely to be any kind of internal stunt. Otherwise I would be suspicious too, because this kind of carry on seems to get a lot of coverage in sources that don't usually cover gaming news.
13/05/2011 at 11:15 hosndosn says:
Ctrl-f “ARG”.
Indeed, with all the ARG trends, this could be an elaborate publicity stunt. It fits the theme. Nobody gives a crap about the deusex.com website (especially not Anon, they got other things to do). Very convenient timing for an ARG.
That green splash screen. Do they list real names next to the nicks?! I have no idea how these tags are usually handled (maybe fake names or trolling IRL people they don’t like) but it seems odd. To write anything at all, actually.
13/05/2011 at 12:42 JackShandy says:
If it’s an ARG then it’s the worst ad since GOG pretended it went out of business. I assume Eidos has enough clever marketing men there to tell them that pretending hackers stole the info of everyone who went to the site would be a horrible, horrible move, so I can’t imagine them pulling something like this.
13/05/2011 at 10:43 aerozol says:
If ‘Anonymous’ did it, then they just put up names of people they don’t like, who are probably going to get some knocks on their door soon..
Funny how ‘anon’ get blamed for everything now though. Since that’s not really a person, or an organization, or anything really identifiable. The media really do empower 4chan a lot with that though, good for them.
13/05/2011 at 10:49 Rii says:
‘Anonymous’, ‘Taliban’, ‘Communists’, ‘Anarchists’; it’s always the same: the system needs an enemy.
13/05/2011 at 12:38 JackShandy says:
Yeah, every time some guys hack into a site and steal huge amounts of private info all the fat cats and G-men start looking around for someone to blame. It’s outrageous.
13/05/2011 at 17:27 Dana says:
Not sure if trolling.
13/05/2011 at 10:50 Flimgoblin says:
I hear anonymous started putting cats in bins too… seems a bit odd to try and pin something with a bunch of people’s names all over it claiming credit on Anonymous… a group whose whole MO is being, well, anonymous.
I once wore a batman mask to a fancy dress party, does that mean if I ever do anything wrong we can pin it on Batman?
13/05/2011 at 11:28 Batman says:
I DON’T WEAR HOCKEY PADS.
13/05/2011 at 22:19 Grape Flavor says:
Batman mask? No. Get yourself a Cowl of Nocturnal though and you’re golden.
13/05/2011 at 10:56 Milky1985 says:
“Reportedly, the damage was done by a subset of the infamous Anonymous hacker collective, who some believe were responsible for the increasingly ludicrous PSN outage/security terror (though they themselves claim they weren’t).”
It’s only reportedly anonymous because every single news outlet is now blaming any hacks on any gaming related sites on anonymous, like how every single hack out there to governments or places with customer information is blamed on the Chinese.
I don’t really get blaming anonymous, because it’s not like they are a proper group with joining rules etc, to be anonymous you simply say “i am a member of anonymous”, it covers the entire human race in theory :P
They might as well report “a human did it” as it covers about as many people :P
Oh and saying they are a “hacker collective” is a bit Daily Mail, last time I heard, they are simply a bunch of people that group together to do X, at the moment X = DoSing from the looks of things but previous X was annoying the CoS.
13/05/2011 at 11:00 jalf says:
Er, I do believe that the number of people who identify themselves as “human” is quite a lot bigger than the number of people who identify themselves as “involved with Anonymous”.
No, I don’t think it covers quite as many people, no.
13/05/2011 at 10:56 Keilnoth says:
Having unique passwords for your Gmail, Paypal and other critical websites is a good start for protecting your data and not having to change your password every time that kind of news appears on the boards.
13/05/2011 at 10:57 adonf says:
Wait, you can order groceries on Amazon ? My life is augmented !
13/05/2011 at 10:58 jalf says:
Oh, I dunno. Getting hold of username/password info for a few tens of thousands of people is pretty handy. Since most people use the same usernames/passwords on loads of services, that would allow them to log in to a lot of people’s gmail and whichever other services you use. How about Amazon or Apple’s Appstore, or another site that conveniently remembers your CC info?
Yet another reason why it is so bloody stupid for every goddamn game developer to have their *own* user account database with *their own* insecure login mechanism and password database.
If the games industry would just grow up a little bit, they’d delegate the whole authentication business (to the extent that it’s needed at all) to professionals. OpenID, anyone? Both Steam and GMail are OpenID providers, so relying on open, and secure, standards, they could allow anyone to log in with their steam username or gmail account, with individual sites never even *seeing* your password. And so, when lazy developer #37 gets their website hacked, the poor fools who registered wouldn’t have lost any personal or sensitive information.
13/05/2011 at 11:03 Rii says:
Yeah, that’s what wrong with the internet today: the powerful just aren’t powerful enough! If only Facebook ran absolutely everything, then we’d all be safe.
13/05/2011 at 11:24 jalf says:
Huh? What does that have to do with anything?
My point is that I’d rather store my password with a site that specializes in security, and which can then authenticate me to the websites I register on, and which I don’t necessarily trust to the same degree, rather than having to give my password to every company whose website I want to log in on.
I fail to see what it has to do with facebook, or anyone else, “running everything”. How would it allow anyone to “run everything”?
The clever thing about OpenID (which is just one example of how the problem could be solved) is that it makes no requirement on who you use as your OpenID provider. You can use Steam, or Gmail, Facebook or one of several dozen other companies. You choose who to trust with your authentication info. That’s the polar opposite of “allowing the powerful to run everything”.
13/05/2011 at 11:51 Kaira- says:
I personally would prefer that my passwords wouldn’t be centered to one location, it makes it more fragile than having multiple passwords for multiple pages. And well, concentrating power to a single entity has never yielded very good results in history.
13/05/2011 at 12:15 vandinz says:
I have a different password for different places. Only important places though. Websites and forums etc I couldn’t give a shit about. Ebay, Paypal, Gmail … etc, all though are different. Best way to be atm.
13/05/2011 at 12:49 jalf says:
I still fail to see the relevance. This wouldn’t force you to store “all your passwords in one place”. It would allow you to store the password only in places you trust, rather than with goddamn everyone who wants you to log in on their website.
It would allow you to separate “I want to log in to this website” from “I entrust this website with my password”, so you can log in to a website without giving *them* access to your password.
You could create a separate OpenID for every site you log in to, using a different OpenID provider for each, if you wanted to. But you’d be able to *choose* which company gets to store the information. Eidos would never see your password, so when Eidos gets hacked, you’d lose nothing.
13/05/2011 at 17:25 Lukey__b says:
But then OpenID will just run off and takeover the world.
Seriously, Jalf, what you suggest sounds quite sensible.
At the moment I have 1 or 2 easy passwords for bullshit like this (serious internet bullshit, of course) a few pretty decent passwords for my main bank, email and Amazon. Everything else I either tick ‘remember my password’ or request a password reset every time I use that site. PLUS I have 5 or 6 systems I use at work, where they ask for a different password for each.
Then I have different ‘secret phrases’ whenever I want to talk to a company on the phone, to sort out a bill or something.
Too many passwords to remember. Although I do remember the first random number password I was given in ICT at Secondary School.
13/05/2011 at 20:46 Devan says:
While systems like OpenID are better than someone using the same username/password pair everywhere, I think that it is very important to have the ability to use different identities in different locations. It’s a balance between security and privacy, since if people have a single ID for every community, it makes it much easier to do social profiling / behavioural analysis / data mining / etc.
Some sites even let you log in with your Facebook or Gmail account and I always prefer to create a new identity. I’d rather have a password manager with hundreds of accounts in it than a single ID that might be compromised.
13/05/2011 at 10:58 Corrupt_Tiki says:
And again a few fuckwits make things hard for everyone else, we should just start shooting them. Honest. I’m down, I have guns, we could make a game of it!
13/05/2011 at 11:01 WJonathan says:
I’m interested in sewing hammocks, too. It’s not my main interest, but still I enjoy it. That doesn’t make me a bad person.
13/05/2011 at 11:09 AbyssUK says:
For script kiddies to get into your site means you’re not looking after it enough.. simple. Companies need to realise if they want to store data about their customers then they need to store it properly, that means keeping your database/web server updated… and encrypting any stuff you keep decently is trivial these days it’s just lazy not to.
Yes hackers shouldn’t hack its mean… but so is bank robbery banks don’t keep the money in easy to snatch ‘swag’ bags so why should companies be so flippant with our info.. something needs to change.
13/05/2011 at 11:11 HelderPinto says:
“but the chatroom logs bear some mention of ‘src’, which could be either in reference to the website’s source code or to the game’s source code. Sounds to me like their main interest was simply in sowing havoc, though.”
Of course it’s not the game source, the webpage has nothing to do with the game. And it’s totally different servers, probably not even in the same country.
13/05/2011 at 11:13 kimded says:
This is why we can’t have anything nice… a part of me almost wants Anonymous to teach these script-kiddies a lesson, but that would be wrong, I must try for the higher path
13/05/2011 at 11:15 Muzman says:
While this is naughty and needlessly destructive, it does highlight the casual and sloppy way registration is being required for all sorts of things for no real reason other than data mining these days.
Add a line in ‘advice for modern living’ right under “Don’t talk to the police”. “Don’t help marketing”.
13/05/2011 at 11:20 SuperNashwanPower says:
I thought hacking was sort of illegal? If so, isn’t leaving your name on the site a bit like doing over the local off licence, then handing out copies of your passport to anyone present?
13/05/2011 at 11:27 Zanchito says:
Deus Ex site hacked? So very meta!
To be pedantic:
DoS is not hacking
And not to excuse any kind of data theft, but companies should really improve their data security, it’s worse than appalling at many sites.
13/05/2011 at 11:29 The Army of None says:
Why does this not have the Staring Eyes tag?
13/05/2011 at 13:37 VelvetFistIronGlove says:
Cause there’s only one. Duh. ;)
13/05/2011 at 11:30 Coins says:
Man, I sure hope Steam is properly protected…
13/05/2011 at 11:37 Lost says:
Could we please start calling these people crackers? Thanks!
13/05/2011 at 12:12 vandinz says:
lol yeah. So many people get the term wrong I just go with the flow now.
13/05/2011 at 11:43 apa says:
Thanks Eidos, and thanks all the companies who want our information and don’t keep it secure. This kind of behaviour is just as bad as if your bank threw your old records to the trash bin on the street. No one who’s not looking will not find them but anyone with even smallest bit of interest can mess up your life.
Information holder is responsible of its security.
13/05/2011 at 11:47 vanarbulax says:
As bad as data theft is, the fact that it was Deus Ex which was hacked is pretty lulz-y.
Also chances of this being viral (no-pun intended) marketing?
13/05/2011 at 12:02 Diziet Sma says:
Absolutely pathetic… whatever happened to hacking as a form of betterment and advancement rather than embitterment.
13/05/2011 at 12:11 vandinz says:
Exactly, what was to gain from this? Gone down in my estimation.
13/05/2011 at 12:04 DrazharLn says:
I find it amusing that the hackers are getting all the flack here, as if Eidos wasn’t at all responsible for their network security. If the hackers really did use a 0day (a currently unknown exploit) then they’re off the hook for the penetration of the website. But if they acquired passwords and game source (the website source is probably worthless) then that’s just bad practice on Eidos’ part.
13/05/2011 at 12:09 vandinz says:
Oh right, so you see a car with its window open, you steal it and it’s the owner’s fault? Get a grip.
13/05/2011 at 12:44 jalf says:
If someone promises to keep your wallet safe in their car, and they forget to lock the goddamn door, then yes, it is absolutely their fault when they lose your wallet.
Get a grip yourself.
Eidos were entrusted with potentially sensitive user information, just like your bank is, and just like Sony’s PSN were. And when they screw up and allow third parties to access that information, then it is absolutely their fault.
13/05/2011 at 13:57 Robert says:
Nice analogy there. It illustrates the discussion “Who is guilty, the car owner, or the wallet owner?” Somehow, for a lot of people, this debate clears the PERSON WHO ACTUALLY COMMITTED THE CRIME of blame.
You can say the ‘wallet owner’ is careless with his/her passwords, the ‘car owner’ could’ve protected the site better, but please.. if you want to blame: blame the f’in THIEF OF THE ‘WALLET’!
13/05/2011 at 17:32 Batolemaeus says:
Robert, this might confuse you, but that the person committing the crime is guilty isn’t specifically mentioned, because that is already implied.
When I entrust someone with my stuff, I expect them to take measures to protect my stuff. They won’t be able to change the world with lots of mean people in it, so I can’t demand they do that. Instead, I demand they tighten their security, as that is the only thing they can do to prevent theft.
So if my stuff gets stolen, I will blame the people who didn’t protect my stuff from whatever might be out there.
Getting owned by a bunch of scriptkiddies is a testament to how carelessly and incompetently the data was protected, or actually, not protected at all. There’s criminal behaviour from the crackers, and criminal negligence from the ones getting cracked.
13/05/2011 at 12:09 vandinz says:
I like some of what anon does, mainly to arseholes like Scientology but this is to us, the people that ‘support’ them. So from now on they can suck my dick. I hope they’re caught and arse raped until they love it. Probably from the start. Fuckers.
13/05/2011 at 12:53 jalf says:
Even though there seems to be little reason to believe they had anything to do with this?
13/05/2011 at 12:23 roman2 says:
They seem to share lots of data from the hack on BT, including CVs, SQLDumps ‘n Stuff. Could be fake though, I’m not very eager to download it.
Another thing: They aren’t really sharing real names, irc channels and nicks with the world, are they? I mean… isn’t that a *bit* risky? o_0
PS: hitman.com seemed to show the same message for a short time, at least the google cache lists it with the same content that has been on deusex.com
13/05/2011 at 12:39 Metonymy says:
http://en.wikipedia.org/wiki/The_Fable_of_the_Bees
This guy knew what internet security was about 300 years ago. I remember this being one of the first books I read when I went to college, before the internet even existed. I just randomly picked it up by chance, not for a class, and years later I laughed as people slowly came to grips with the necessity of malicious hackers.
By the way, this is not an appropriate venue for rage.
13/05/2011 at 12:51 Tyrone Slothrop. says:
{With a voice that comes from smoking three packs a day} I never asked for this.
…
What a shame.
13/05/2011 at 12:52 Bodminzer says:
Anyone else agree that the current internet frenzy about “Oh wow hacker culture is ace amazing, hack the planet! Hackers are the new freedom fighters!” has done quite a lot of harm wrt hackers thinking they’ll be supported and viewed as heroes for doing things like this?
13/05/2011 at 13:08 Gary W says:
They should’ve changed their password from “bionicman”.
13/05/2011 at 14:23 Ilinx says:
Bravo, sir :D
13/05/2011 at 13:10 heretic says:
Bleh, prob another ARG but just bad.
13/05/2011 at 14:05 Bodminzer says:
Pardon?
13/05/2011 at 20:49 heretic says:
c.f. Arma website, though I guess maybe this is slightly more genuine…
13/05/2011 at 13:25 Jackablade says:
My, what path-p-p-pathetic creatures of meat and bone.
13/05/2011 at 13:32 lamzor says:
i think that there should be some rules for database encryption. bigger the database, better the security.
if someone has 30user w3 fanpage, he shouldn’t be forced to add salt to passwords.
but how in the world could symantec store passwords/data in plain text(no encryption at all):
http://news.softpedia.com/news/Symantec-Online-Store-Hacked-127726.shtml
and kaspersky used encryption, but one of the admin password was abc123. not very hard to crack such encryption/hash using rainbow tables.
http://news.softpedia.com/news/Two-Official-Kaspersky-Websites-Hacked-129420.shtml
big databases and databases of companies like symantec and kaspersky should be at least hashed/salted. with good salt, not even rainbow tables can help. and even huge data loss would not harm users. because decrypting 100mil encrypted/salted PSN passwords/credit card numbers would take gazillion years(or at least one good quantum computer :)
if company fails to secure user data according to the rules, they would be fully responsible. now it seems that no data loss is taken seriously. sony just said “just keep checking your account history or change credit card number” – no big deal.
edit: another example – orange.fr using plain text
http://countermeasures.trendmicro.eu/orangefr-compromised-245000-clear-text-passwords-exposed/
gamespot, 8mil accounts could have been stolen:
http://blog.rstcenter.com/2009/05/19/unu-is-back-8000000-is-the-magic-number-gamespotcom/
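An added example (not part of the comment above or of the original article) of the salting point it makes: a precomputed table recovers unsalted hashes of a common password such as abc123, but misses per-user salted records. The choice of SHA-256 and PBKDF2, the iteration count, the user names and the word list are assumptions constructed for the illustration; a slow KDF is used because a salt alone does not stop per-record guessing of a weak password.

```python
import hashlib
import hmac
import os

# Constructed sample data. "abc123" is the weak admin password mentioned in
# the comment; the other users and passwords are made up for this example.
SAMPLE_USERS = [("admin", "abc123"), ("alice", "abc123"), ("bob", "T7#qv!Lm2p")]
COMMON_PASSWORDS = ["123456", "password", "abc123", "letmein"]

PBKDF2_ITERATIONS = 200_000  # assumption: tune to your own hardware budget


def unsalted_record(password):
    """Weak scheme: a bare fast hash, identical for identical passwords."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password, salt=None):
    """Stronger scheme: random per-user salt plus a deliberately slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def precomputed_table(wordlist):
    """Stand-in for a rainbow table: built once, reusable against any dump."""
    return {unsalted_record(p): p for p in wordlist}


def exposed_by_table(stored_hashes, table):
    """Usernames whose stored hash appears in the precomputed table."""
    return sorted(user for user, h in stored_hashes.items() if h in table)


def audit():
    table = precomputed_table(COMMON_PASSWORDS)
    unsalted = {u: unsalted_record(p) for u, p in SAMPLE_USERS}
    salted = {u: salted_record(p) for u, p in SAMPLE_USERS}
    salted_hex = {u: digest.hex() for u, (_salt, digest) in salted.items()}
    return {
        # Unsalted: one lookup per record reveals every common password.
        "unsalted_exposed": exposed_by_table(unsalted, table),
        # Salted: the same table matches nothing.
        "salted_exposed": exposed_by_table(salted_hex, table),
        # Unsalted hashes also reveal which users share a password.
        "same_password_same_unsalted": unsalted["admin"] == unsalted["alice"],
        "same_password_same_salted": salted["admin"][1] == salted["alice"][1],
        # Legitimate login still works because the salt is stored per record.
        "login_ok": verify("abc123", *salted["admin"]),
        "login_bad": verify("abc124", *salted["admin"]),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```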
13/05/2011 at 13:52 D3xter says:
Anyone else think it is funny that companies are pushing more and more towards “cloud” and “online only” when they can’t even keep their user databases safe from a few kids?
What’d happen if coming consoles would rely on services like “OnLive” for their games is that you couldn’t even access the SinglePlayer if something like the PSN-Hack happens…
What the hell was wrong with the times where you could just install a game, start it up and play online without all the “account this” and “social network that” bullshit and master servers/server browser combination you could use at any time?
13/05/2011 at 13:57 Zaboomafoozarg says:
What a rotten way to lose personal information.
What a shame.
13/05/2011 at 14:15 VA1N says:
I’m getting so sick of all these hackers. They need to do something productive and get a job. Hell, they could make a fortune in the security industry. Guess that doesn’t offer enough “lulz”
13/05/2011 at 14:43 foobarfoo says:
..and they will. It’s just that right now, they don’t have enough skills yet, and not quite the CV yet, to be hired in the security industry. They’re probably still rather young, yet already possess great skills. Those that have breached the security of the PSN will be those that will keep your GoogleFaceTwitterBookLive account secure in the future.
Indeed, if you look at those working in the security industry, most of them have been black-hat (or at least grey-hat) hackers for a part of their life. This is primarily because to be good at protecting systems, you need to be good at destroying them. If you can’t destroy a system, how can you know where to put your time and effort in?
13/05/2011 at 17:16 A-Scale says:
“Reportedly, the damage was done by a subset of the infamous Anonymous hacker collective”
Or someone using that identity as cover.
13/05/2011 at 17:40 Pointless Puppies says:
Anyone can claim to be “Anonymous”. That’s the whole point.
13/05/2011 at 17:40 Kaira- says:
Or maybe they were part of Anonymous. Anonymous is as much of a single-minded entity as me and my fiancee.
13/05/2011 at 18:46 Dawngreeter says:
Does saying that you are Anonymous mean you are no longer anonymous?
13/05/2011 at 18:45 Dawngreeter says:
For the lols? Mr. Meer, I do declare. No World Wide Web colloquialism student, you.
As we all know (and we do know, right?) proper etiquette for denoting the purpose of acts which include opening threads on forums about killing yourself just to see how people react, ruining websites and posting pictures that make people lose their lunch and possibly a couple nights’ worth of sleep is to say that it is done for the lulz.
That’s lulz, damn you.
13/05/2011 at 19:02 sinister agent says:
Hang on, there are people who actually register on publishers’ websites?
Why?
13/05/2011 at 19:06 Rii says:
Demos, Patches, DLC, Forums, News…
14/05/2011 at 06:08 MD says:
The DX3 forums are/were pretty active.
13/05/2011 at 19:26 geldonyetich says:
When I first read this news story header, I thought it’d be the source code to the game that got lifted. Thank goodness that didn’t happen, I want the game to succeed.
If these guys want to make the news so badly, be careful what you wish for, you just might get it. If there’s enough news stories like this, it would result in sufficient paranoia amongst public sentiment to get laws passed that massively lockdown Internet freedom and deliver much heavier punitive measures to hackers. This is why we can’t have nice things.
14/05/2011 at 02:19 Josh W says:
Nitpick:
The article doesn’t say that anonymous is a hacker group, instead it refers to 808chan associated hackers who hacked the anon-ops IRC, and themselves have factions.
So it’s not factions of the hackers called anonymous, it’s factions of the hackers who hacked anonymous, some of whom are also a faction of anonymous.
That’s assuming the article is right! It might be that they’ve been framed in retaliation etc etc. But it does fit the supposed mode of operation of these guys;
1 hack,
2 release personal info for no apparent reason.
14/05/2011 at 02:30 Kent says:
This is the kinda activity that I strongly disapprove of. Trying to attack honest, hardworking gamers for no reason whatsoever. For their personal fame? Criminals of the worst kind. Once I can afford it I’m getting a laptop for all my Internet needs.
14/05/2011 at 10:02 TsunamiWombat says:
Obligatory “these are Crackers, not Hackers” comment.