LulzSec supposedly claims its biggest coup yet: The entire UK 2011 Census

LulzSec The Lulz Boat<p><i>Oh well, just because we want to waste government and local authority investigation time: we hacked every website in the world. Enjoy!</i><p>11 minutes ago<p>LulzSec The Lulz Boat<p><i>I'm not seeing "we hacked the UK census" on our twitter feed or website... why does the media believe we hacked the UK census? #confusion</i><p>13 minutes ago<p>LulzSec The Lulz Boat<p><i>Not sure we claimed to hack the UK census or where that rumour started, but we assume it's because people are stupider than you and I.</i>

According to their Twitter, they haven't hacked the Census. Seems like someone was spreading false information...<p>See:<p><a href="https://twitter.com/#!/LulzSec/status/83168314527981568" rel="nofollow">https://twitter.com/#!/LulzSec/status/83168314527981568</a><p><a href="https://twitter.com/#!/LulzSec/status/83167715799470080" rel="nofollow">https://twitter.com/#!/LulzSec/status/83167715799470080</a><p>EDIT:<p>Those tweets were deleted. Here's the official word:<p>"Just saw the pastebin of the UK census hack. That wasn't us - don't believe fake LulzSec releases unless we put out a tweet first."<p><a href="https://twitter.com/#!/LulzSec/status/83172089711964161" rel="nofollow">https://twitter.com/#!/LulzSec/status/83172089711964161</a>

Given LulzSec seems to post their hacks on twitter, that there's no way of validating who posted the PasteBin item and that the Office of National Statistics hasn't reported the loss, its probably best to wait and see something a little more convincing.

This whole escalating security situation has me thinking that IT security is heading down the same path as the War On Drugs. I wonder if ten or twenty years from now we'll see petitions to legalize hacking tools after we see a resurgence in security breaches following the criminalization of "hacking tools"...

If this is true then I am suing Lockheed Martin under the Data Protection Act.

I'm leaning toward "hoax." Lulzsec has been reasonably competent writers so far, and the bizarre placement of "blissfully" makes that either incompetent or some kind of steganography. That, added to the lack of tweet, makes me doubt.<p>Of course, it could still be some anon who actually does have the census data, and considers himself lulzsec-affiliated.

If true, this will be a <i>massive</i> coup and regardless of how they obtained the records, LulzSec will get all of the significant negative attention they so badly crave.<p>I submitted my census info via the online form and given the amount of detail I included I would be terrified if that info was leaked.

So what's the worst possible outcome here in terms of the UK government's reactions? Fast-tracked arcane legislation to make security tools illegal like they are in .de ? Broadening the terms of hacking and increasing the legal penalties? If LulzSec aren't trolling the world and they do indeed have these records I would imagine there is going to be one hell of a shitstorm in the coming weeks.

This was the first census where you could submit details online. I wonder if it was these records? Would be surprised if they had even finished scanning the paper ones yet, but the UK governments security record is not good. They contracted it to Lockheed Martin, who also do the US census, so presumably reused the software?

With the amount of hacking that is flooding the news recently, I would like to learn about database security. What are some good books/tutorials/videos on how to make databases more secure?

I wonder if they are using the same (undocumented) exploit for each of these attacks.<p>I am certainly no expert in this field, but I would have thought discovering new exploits and security holes would take time, yet these guys are hitting several major sites a week.

So, after I was strongarmed into filling out the damn thing, now all my identity data is in the wild. I will be joining in a suit of Lockheed if this is true.

There'll be some interesting mashups if this is true.

I don't like where this is going.

Head of the hydra and all that....<p><a href="https://twitter.com/#!/LulzSec/status/83164092998758400" rel="nofollow">https://twitter.com/#!/LulzSec/status/83164092998758400</a>

"Biggest" only for the media coverage this could get, i would not be surprised if they had exploited a common vulnerability. At least when we are discussing about publicly accessible sites, "security-illiterate" is the perfect definition for these government agencies (and the external companies that realize the sites they need).<p>Will this kind of things make the general public at least a bit more security conscious?

What pissed me off was that it is a legal requirement to complete the census (<a href="http://en.wikipedia.org/wiki/United_Kingdom_Census_2011#Operation" rel="nofollow">http://en.wikipedia.org/wiki/United_Kingdom_Census_2011#Oper...</a>), so everyones personal details are in the database, which if stollen is a identify thief's dream load.

It appears that LulzSec isn't directly responsible for this. Although, since they called for the hacking of every government agency in the world with their "anti-sec" call to arms it's a bit disengeneous for them to rock back on their heels in shock and confusion.

Scotland Yard press release: They have confirmed his arrest.<p><a href="http://content.met.police.uk/News/eCrime-unit-arrest-man/1260269113895/1257246745756" rel="nofollow">http://content.met.police.uk/News/eCrime-unit-arrest-man/126...</a>

LulzSec just confirmed this being rumor on their twitter account <a href="http://twitter.com/#!/LulzSec/status/83167715799470080" rel="nofollow">http://twitter.com/#!/LulzSec/status/83167715799470080</a>

They're going to piss a lot of people off if they do this. Like every single UK citizen.<p>Exposing security flaws and embarrassing govt is one thing, but to put un-redacted personal data online is quite another.

Apparently it's fake:<p><a href="http://twitter.com/#!/LulzSec/status/83168314527981568" rel="nofollow">http://twitter.com/#!/LulzSec/status/83168314527981568</a> reply

of interest [edit, arrest link below]:<p><a href="http://twitter.com/#!/channel4news/status/83129762142363649" rel="nofollow">http://twitter.com/#!/channel4news/status/83129762142363649</a><p><i>19-year-old suspected of being mastermind behind computer hacking group LulzSec arrested in Wickford, Essex. #c4news</i>

Anyone can <i>claim</i> to have the census data; I won't believe this until they release it.

Such a shame.<p>Anonymous had a lot of support for their attacks on Mastercard et. al. People, not just the programmers demographic, were seeing them as civil disobedience through the internet and hailing them for taking a right cause, namely against dirty, probably unconstitutional, certainly unethical attacks on wikileaks by numerous powerful groups.<p>What's more, anonymous was seen as more powerful than such groups on the internet arena. It was felt that such powerful groups would thus think twice and know that they are against probably smarter people, perhaps even their own employees. Alas, like actual physical protests, they did not manage to change much. Wikileaks has almost been forgotten now. Julian has gone quite. The organisation itself seems to have become divided and disorganised. They possibly are buying time. But the power that be has shown us that they have the resources, are willing to play, publicly, dirty tricks, and can even withstand a public opinion quite strongly against them.<p>Julian has been given some outstanding honour in journalism. He might even win the Peace prize for what some say was the effect of wikileaks on bringing about the Arab Spring. That may show that there are many powerful avenues to resist and/or push back the power that be.<p>All of that is being undermined for no apparent reason whatever. Although Lulzec might be trying to send a signal to the power that be. We are stronger. We are smarter. You need to know that before thinking again about doing dirty tricks. They don't seem to be able or willing to choose their targets well to send such a message. Showing that you can for example steal the census data in order to increase the security of organisations which deal with our data is like a man showing that he can steal a car by so breaking into the car and stealing it.<p>We can all commit crimes. We choose not to for very good reasons. Some things can not be fortified and turned into castles. And even castles can be brought down.<p>So the ultimate effect is that anonymous is painted with the same brush. As petty criminals bringing havoc into the streets of the neighbourhood by breaking car windows to show us that they can so break car windows.<p>For now, anonymous still has the upper moral ground. That is for now. By for now I mean for the next few days or weeks. The report for example that a member of lulzsec has been arrested who has connections with anonymous helps tremendously in blurring the lines between anonymous and lulsec.<p>The blurring means nothing more nor less than the excuse and the swaying of the public opinion that the power that be needs to go after anonymous and send a clear signal. You may be smarter but we have more resources and more avenues and the consequences you face are much greater.<p>The biggest signal that the power that be may send however is that they are able to control the public opinion by playing tricks. I think we all remember how last year we were talking about how the power that be is going to deal with wikileaks. The conversations that were had here on hackernews are probably still accessible through searching. Killing him seemed to be the most mentioned option, but quickly refuted by others. Now, it may be a strong statement to make seeing as I have no evidence whatever, but the information that did come out in regards to the two women, the fact that Assange is still here in Britain almost a year after, that he is actually free, suggests that tainting him with rape accusations was their choice. As we are seeing, it seems to have worked.<p>Equally, I do not know who lulzecs is. They have no motive, no reason, to do what they are doing. They are intelligent. Thus I doubt they would risk years in prison to just show that they can break a car. People do not tend to do things for no reason, especially if there are great consequences.<p>There is no laughter to be had of say having access to a lot of information of sonny users. Nor is there any lulz in having say the information of the census.<p>I therefore think that there is a probability that Matercard, Visa, Bank of America et al got quite pissed off from anonymous' attacks, but unable to do anything because of the strong public support that anonymous had, thought creatively and went for the blurring of the lines between common thief's and civil disobedience.<p>That is one possibility. Probably the more likely possibility. Sophos for example seems to be salivating every time lulzsecs does something.<p>The other option, that they are kids, being stupid, like most teenagers at time, confused, rebellious, is a possibility but unlikely. They probably know full well, that gaining such a high profile while not having any public support or even having the public against them means that they will crash down painfully to the bottom and remain there for years and years.<p>I'll finally finish this quite long comment by stating that if lulzsec is anything else than affiliated or corrupted, then they should know that they are tainting ideals with petty crimes.