How LulzSec kept itself safe during the summer of 'lulz'
By Jacob Aron

Last year, a group of hackers calling themselves Lulz Security (LulzSec for short) caught the internet’s attention with a series of high-profile data breaches and website takedowns targeting the likes of Fox News, Sony and the US government, before apparently disbanding after 50 days of “lulz”. Throughout that period, the group’s own website proved impervious to rival hacking attempts, thanks to an online security service called CloudFlare. Speaking to New Scientist in advance of his talks at the RSA conference and SXSW festival next month, CloudFlare CEO Matthew Prince explains why he kept the hackers online, and how attacks on their site have helped protect the internet.

What does CloudFlare do?

CloudFlare provides performance and security for any website online. We handle more traffic through our network now than Amazon, Wikipedia, Twitter, Zynga and Aol combined. If you want to have a faster website and be protected from bad guys online, you change your network settings so traffic to your website passes through the CloudFlare network before it goes to your server, and that gives us the opportunity to clean and accelerate that traffic.

When did you first realise that LulzSec was using CloudFlare?

The process of signing up for CloudFlare is totally self service – 1500 new websites sign up almost every day – so we had no idea last June when a website called lulzsecurity.com signed up. Within 24 hours they had published information about the alleged hacking of the Sony Pictures website and we fairly quickly became aware of who they were.

What was your reaction?

Internally, we had a debate about the right thing to do. It’s important to note that because of the way CloudFlare works, no hacking activity was launched from our network – it was simply a matter of publishing information. So hacking happened in other places and then when they published the information about their exploits it would pass through the CloudFlare network. So in that sense we’re more akin to a network provider than a hosting provider. If we were to terminate Lulz Security as a client that wouldn’t make the content go away, it wouldn’t take it off the internet, it would just make it slow and more vulnerable to attacks. Our goal is to power a better internet. There are a lot of things on the internet that I personally find quite troubling and the list of those things is maybe very different from yours, but our role as a company wasn’t to play internet censor.

So what happened next?

There were essentially 22 days from when Lulz Security first signed up for the service to when they announced they were disbanding. In that period, the attacks against their website just went through the roof. We were actually able to track what those attacks were and provide better and better security over time to help everyone who was on our network.

How did attacks against LulzSec help other websites?

CloudFlare’s core value comes from the fact that every website that is part of our system helps contribute data in order to better protect other websites. As one website gets attacked, the knowledge about that attack is immediately shared with the rest of the websites, so that the system gets smarter and smarter over time.

What kind of attacks did you see?

We saw a very wide range of hacking attacks directed at us, some of which were remarkably clever. They ranged from fairly standard old-school denial-of-service attacks, where they would flood a particular network interface with an enormous amount of traffic, but we also saw very specific attacks targeted at vulnerabilities in the routers we used on our network. That’s pretty clever; you would have to spend quite a bit of time investigating the topology in order to figure out what routers we were using.

Any idea who was trying to hack LulzSec?

There were several white-hat hacker groups on Twitter that announced that they were trying to knock Lulz Security offline, the most vocal of which was a hacker who goes by the name The Jester. He spent a lot of time trying to defeat our system, to work out where Lulz Security was actually hosted and he posted various pieces of information over time.

Have you been in touch with LulzSec since they disbanded?

After everything was over, I had some requests to tell the story of what happened. We respect the privacy and confidentiality of all of our clients, so I wrote to the email address we had on file for the Lulz Security account. About two weeks after I sent the email I got a response, and it simply read: “You have my permission.” It was signed: “Captain Jack Sparrow.”

Would you let LulzSec or another branch of Anonymous use CloudFlare again in the future?

A lot of websites that claim to be part of Anonymous use CloudFlare, many of the Occupy websites use CloudFlare, but so do a lot of banks and Fortune 500 companies. We are a fairly good reflection of the internet overall and we’re trying to make the internet overall faster and safer.