Six UK Teens Arrested For Being "Customers" of Lizard Squad's DDoS Service

An anonymous reader writes: UK officials have arrested six teenagers suspected of utilizing Lizard Squad's website attack tool called "Lizzard Stresser". Lizard Squad claimed responsibility for the infamous Christmas Day Xbox Live and PlayStation Network attacks. The teenagers "are suspected of maliciously deploying Lizard Stresser, having bought the tool using alternative payment services such as Bitcoin in a bid to remain anonymous," an NCA spokesperson wrote in an official statement on the case. "Organizations believed to have been targeted by the suspects include a leading national newspaper, a school, gaming companies, and a number of online retailers."

I disagree that this tool should be illegal

[Karmashock]

that it should be illegal to use it against someone against their will... sure.

But to even own it? No.

You can't do system testing without tools that are effectively hack tools. And even if you've no good reason to have it, it isn't the government's place to say what programs we have or don't have.

Re:I disagree that this tool should be illegal

[o_ferguson]

Depends how this tool works. If it simulates a botnet attack, then sure, totally legal. But if it's just a paid front-end client for an illegal zombie botnet, then I can see how it could be considered illegal.

Re: I disagree that this tool should be illegal

[Anonymous Coward]

Unfortunately for you, the government seems to see things another way and since they have the power and a lot of mean men with guns, they're right and you're not. :)

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[ruir]

Nobody even bothered to read the parent well. Slashdot sucks. It should not be deemed illegal to own it to investigate how to fight it. Period.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:I disagree that this tool should be illegal

[Idimmu Xul]

it's not a 'hack tool' it's a front end website to a backend zombie army of compromised routers, where do you think all the bandwidth for the DDOS is coming from? Their wordpress hosting plan?

Re:

[kwbauer]

No, as we say in America, open carry is banned but concealed carry is accepted.

Re:

[kwbauer]

Is causing damage to paper targets and watermelons, etc. considered an unacceptable use. You do realize that 99.9999999999% of privately purchased weapons are not used for any other purpose,don't you?

Re:

[Zephyn]

Is causing damage to paper targets and watermelons, etc. considered an unacceptable use. You do realize that 99.9999999999% of privately purchased weapons are not used for any other purpose,don't you?

Watermelons? Is Gallagher doing his comedy shows with a Sledge-o-semiauto-matic now?

Re:

[tehcyder]

Is causing damage to paper targets and watermelons, etc. considered an unacceptable use. You do realize that 99.9999999999% of privately purchased weapons are not used for any other purpose,don't you?

I calculate that 0.0000000001% of 300 million guns (approximately one per person in the US) would be 0.03. I think the US has more than 0.03 gun deaths a year.

Re:

[kwbauer]

You are correct. i should have said uses of privately purchased guns. As in, I used my handguns about 1200 times last year (if use equals shot at a target) or about 20 times if you count each outing to shoot at targets.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re: I disagree that this tool should be illegal

[Anonymous Coward]

Then have professionals test your network with approved tools. There is absolutely no reason whatsoever for the ordinary citizen to be in possession of such tools.

Re:

[Behrooz Amoozad]

pssh -h every-server-i-have-access-to.txt -l root ping -fi 0 -w 1 example.com
Does that make a hacker? I have ping installed on every single piece of equipment I own.

Re:

[KingMotley]

Please respond if you haven't been arrest yet.

Re:

[kwbauer]

Ordinary citizens ARE the professionals doing this.

Re:

[ThatsMyNick]

No ISP would agree to have one of their end points being stress tested by a DDoS (I dont think they can agree either without consulting their upstreams). DDoS causes a lot of problems for your ISP, and the entire internet backbone. It is absolutely illegal, even if you own the end point equipment.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[ThatsMyNick]

I have never heard of anyone DDoS (even as a test) on their an internal network. It is generally understood to be on the internet.

Unless you have the permission of the networks in between your equipment, it would be illegal. It is like disrupting a city by organizing a rally. The rally is meant to reach your residence, but it does traverse though the city. It would be illegal.

Re:

[gbjbaanb]

Its stretching the point a little, but 1 man's performance testing tools is another's DDoS attack tool.

I've stress tested our company's website on an internal network to see how much load it could handle with the hardware available to us before now. Everybody who does that hits it until it starts to degrade its service to make nice response graphs.

Re:

[KingMotley]

Are you kidding? I've DDoS'd every webserver and website I've ever built. It's how to find it's weaknesses, so that you can identify performance bottlenecks under stress and fix them.

Perhaps, that's why none of my websites have ever gone down from too much traffic. Coincidence perhaps. Maybe others just aren't doing it often enough. See: slashdot effect.

Re:

[ThatsMyNick]

May be, you can handle a 100 Gbps DDoS thrown at you, without your ISP throwing a fit and kicking you off. Mine will handle a layer 7 DDoS, but nothing else (I did not have to DDoS my system through an external network to simulate this)

Re:

[KingMotley]

100 Gbps thrown at my ISP wouldn't kill them (Just double checked), but it sure would raise some eyebrows, and yeah, it probably would take down the stuff I work on -- maybe. But then again, most of those huge attacks are simple amplification type attacks, which are easily detectable and filterable. It'd hurt for about an hour, maybe less depending on how fast the traffic can be blocked. I'm more concerned about a deluge of traffic fueled by bursts of advertising. Being able to handle 1000+ simultaneous

Re:

[ThatsMyNick]

As someone who has had the unfortunate experience of dealing with a DDoS, it most definitely wouldnt kill your ISP, but it would degrade their services a lot. The larger ISPs* will auto-null route your IPs and call it a day. The smaller ones, unless you have a good relationship at a personal level, will terminate your account and ask you to pack up (and null route the IP of course). Even the ones that advertise 10gbps (or 20 gbps) DDoS mitigation will ask you to pack up.

* The only exception is probably OVH

Re:

[KingMotley]

Another exception is a client so large that they are their own ISP. I work for such a client, so I have no concerns about being asked to pack up -- I don't manage their network so I can't answer a lot of technical questions about it. Not that I couldn't understand it, just it's not part of my job and I only know enough about their implementation as it affects what I do. Last I checked (3-5 years ago), it had enough bandwidth to host 10x what youtube delivers at it's peak times. That's all I needed to kn

Re:

[ThatsMyNick]

I am still willing to bet they wouldnt hold up at 100 Gbps attack. The capacity is usually measured in pps (packets per second). Even if you have the throughput, you may not be able to handle as many packets. Unless they own a lot of ASICs that can filter traffic for them, they are going to have a real bad time. All that is required is for one chock-point to multiply the effect.

Anyways, someone self-testing a 100 Gbps sustained attack is going to have a lot of problems with their transit providers. I wish t

Re:

[KingMotley]

You think the transit providers are going to balk if our traffic merely doubles for a short period? 100Gbps isn't as big as you'd think. My client's TLD is .gov.

Re:

[ThatsMyNick]

I am talking about a persistent DDoS, the ones that last days (and weeks). You are definitely underestimating the effect of 100 Gbps. I can think of many .gov domains (and depts), that would for sure not be able to handle it.

Re:

[KingMotley]

And that's the really nice thing about tools like this. I don't have to guess.

Re:

[tlhIngan]

DDoS-tools are a perfectly legitimate tool in network testing and research and both individuals and various companies do use them for those things. Just because you fail to see any use for them other than illegal attacks on others doesn't make it so.

And the kids weren't charged with having the tools. They were charged with illegally deploying it on systems they don't own, and for using them against sites without permission.

So yes, network security professionals do need those tools. And generally, they use i

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Anonymous Coward]

To be able to regulate such things you'd have to somehow magically be able to control who can be allowed to program anything in the first place

Which is EXACTLY what should be done. All programmers must be registered and only use a specific machine, which can be remotely inspected and audited at random. It's time to tighten the vise.

Re:

[kwbauer]

If it is good for guns, it is good for computers and cars.

Re:

[tburkhol]

To be able to regulate such things you'd have to somehow magically be able to control who can be allowed to program anything in the first place, then you'd have to control all the possible tools for that

"Regulating" does not necessarily mean "strangling." For example, electrical devices are already required to be UL or CE certified before they can be marketed, but any numbnut with some wire and a soldering iron can build his own power strip, hair dryer, or Tesla coil.

It's patently ridiculous for a government to require software be bug- and exploit-free. It's also true that some disclosures would provide consumer benefit: does the software/device "phone home"? What information does it disclose if it does

Re:

[gbjbaanb]

First thing to do is to regulate the ISPs so they implement egress filtering to stop spoofed packets from leaving their domains.

That would strop a lot of DDoS, and the rest - at least you'd then know who was sending the packets, and could take action against them (or tell them to stop it)

Re:

[Karmashock]

You can't... we're in an age of programmable systems that have entirely harmless uses.

Lets say I have a CNC machine which I could use to make chairs or cabinets or something. Safe right?

I can also make guns with a CNC machine by milling out aluminum.

Increasingly we're going to see machines that could do a lot of things at once.

Is it a 3d printer that can print in metal... that I use to make artistic sculptures... or is it a weapons factory?

There is a new machine recently developed that is to chemical proces

Re:

[tehcyder]

In many countries like here in the UK it is illegal to own an automatic handgun. It doesn't mean it's impossible to get hold of one, merely that you face punishment if you're found with one (never mind actually using it for a crime).

In your exciting world of 3D printing drugs and nuclear weapons, the same will apply. If you get rid of governments and government regulations, all that will happen is that mafia-like organisations will fill the gap.

Re:

[Karmashock]

Have all the regulation you want. Anything short of full North Korea levels of suppression will fail.

You're coming to a paradigm shift. Your social model won't survive it.

Think of the social models that existed before agriculture.
Think of the social models that existed immediately after agriculture.
Think of the social models that existed prior to the industrial revolution.
Think of the social models that existed immediately after the industrial revolution.

You have come upon a paradigm shift. I can guess what

Re:

[Karmashock]

The NK model is holding. I'm not saying fail as in 1000 years... I'm saying fail as in FUCKING INSTANTLY.

The drug war was lost INSTANTLY. It wasn't like they were winning for a moment. They lost as soon as it started.

And these regulatory regimes based on outmoded contextually irrelevant industrial models will fail when applied to situations and systems they cannot regulate.

Re:

[Karmashock]

You've missed my point.

I'm not saying you can't write a law down on a piece of paper.

I'm not saying you can't order police to do X in condition Y.

What I am saying is that whatever you do with the civic authorities, you can't stop the process because it isn't going to happen in places where you're going to be able to stop it.

Your regulatory framework presupposes that the police will exist at choke points in the process that allows them to monitor and control the situation.

What I am telling you is that the ne

Re:

[Karmashock]

*shoots idiot in the face with a nice white canvas back drop*

Hmmm... Yeah... I like that tooth lodged in the right corner. I think this is a winner.

*sprays some sealant on the splatter covered canvas and hangs it up on a wall*

I call it "how this argument ends".

Life is meaningless so your death is meaningless and the manner in which you were killed was also meaningless thus any moral, ethical, or legal judgment of it is also meaningless.

You've just negated all thought thus negating yourself.

End of discussion

Re:

[Karmashock]

*shhhh*

Preserved splatters on canvas have no further rebuttals.

You're done. You rhetorically killed yourself roughly in this manner:
https://www.youtube.com/watch?... [youtube.com]

In the next incarnation of the universe assuming any such thing happens... I would suggest you adopt less instantly self destructive arguments least you will sadly go through something of a ground hog day repetition of the same thing until you finally get it right.

Re:

[Karmashock]

I said *shhhh*, greasy stain. This is over. You're now modern art.

It is I that shall explain you over a glass of wine to friends pretentiously at parties. That is your fate hence forth.

Re:

[MrKaos]

that it should be illegal to use it against someone against their will... sure.

But to even own it? No.

You can't do system testing without tools that are effectively hack tools. And even if you've no good reason to have it, it isn't the government's place to say what programs we have or don't have.

The Australian government tried to do this in the '90's. I wrote to them making exactly that point as I was securing clients to what is now ISO17799. Legislators around the world are getting a lot of bad advice about what laws should be constructed. Geeks/Nerds should participate more when laws are being made regarding technology.

I've often find myself wondering how much more actual business and computer work I could do, personally, without writing to say 'that's a bad idea and it will hurt us thus' and ma

Re:

[dave420]

They were arrested because they "are suspected of maliciously deploying Lizard Stresser". It's not just because they owned a copy.

Re:

[tehcyder]

They were arrested because they "are suspected of maliciously deploying Lizard Stresser". It's not just because they owned a copy.

You're spoiling the libertarians' "oh noes teh government are going to take away my freedom to own software and cruise missiles" whining.

Re:

[Stan92057]

Ive made my opinion on this a hundred time. This kinda tool and the person using it should be a licensed professional/or in school to become one. How many times have we seen this kinda tool used for bad purposed when released to the general public? too many. Its not a toy, you need to register a car, a test to get a license to drive said cars,even more school to drive a big trucks,a hair dresser needs a licance, a Doc needs to get a license , a lawyer needs a licance, yet a tool this dangerous is muh who c

Re:

[Karmashock]

I'm okay with registering so long as any non-felon can do it.

If the registration process becomes something that ultimately keeps it out of the hands of most people then I refuse.

Here you might say "but its dangerous"... only if the security is shit. Don't have shitty security.

Re:

[tehcyder]

it isn't the government's place to say what programs we have or don't have

Just like it's not "the government's" place to tell us we can't rape or kill or own nuclear weapons?

Gotcha.

Re:

[Karmashock]

... Reductio ad absurdum?

Very well, then using your only rules where I can apply the most hyperbolic interpretation of what you say... apparently you believe the government has absolute authority to do anything what so ever... up and including raping you death because Rule 34 subsection A paragraph 2 of the Rape Idiots That Think The Government Should Have Absolute Authority Act of 2015.

Now we see if you have the integrity to admit you made a dumb argument and moderate your position so we can engage the iss

Cry havoc and unleash...

[GeekWithAKnife]

Pilate: (to Brian) So you dare to waid uth.
Brian: (rising to his feet) To what?
Pilate: Stwike him, centuwion, vewwy woughly.
Centurion: And throw him to the floor, Sir?
Pilate: What?
Centurion: THWOW him to the floor again, Sir?
Pilate: Oh, yeth. Thwow him to the floor.
(The Centurion knocks Brian hard on the side of the head again and the two guards throw him to the floor.)

bitcoin is busted. look at all the arrests lately

[swschrad]

just saying.

Re:

[Anonymous Coward]

Bitcoin, as used by most people is not, and has never been, fully anonymous.

It's like having a bank note that records every transaction it is used in. They just back track the transactions until they can find someone they can pressure into giving up personal details. Any US currency to bitcoin exchange should be treated with caution at this point. There's obviously at least one that is cooperating with LEA.

The only bitcoin that is anonymous is the one you find yourself, but good luck with that.

Re:

[radarskiy]

US dollars are busted, just look at all of the arrests for a long itme.

Re:

[thegarbz]

Bitcoin is no more busted than a balaclava used for anonymity by a person robbing a bank who leaves his fingerprints everywhere and then drives his own registered car away from the heist.

Bitcoin offers anonymity in the wallet alone. It's not possible to identify individual people in a bitcoin transaction at the time of transaction without looking at other details the most obvious of which are IP address, or the times people convert hard currency to bitcoin and visa versa in a traceable fashion.