

Why we secretly love @LulzSec

Xeni Jardin at 9:45 pm Wed, Jun 8, 2011


Patrick Gray of the Risky Business security podcast wrote a funny rant about why many who work in computer security are secretly chuckling at the antics of hacker/cracker/prankster entity LulzSec.

"They're posting proprietary developer code. They're bringing back Tupac and Biggie. They're advising Nintendo on more secure httpd configurations. And they're issuing funny press releases via Twitter and Pastebin," Patrick writes.

But more to the point, professional consultants have been trying to teach the I.T. world these fundamental lessons about security for ages—now, thanks to LulzSec, the world is finally listening.

It might be surprising to external observers, but security professionals are also secretly getting a kick out of watching these guys go nuts. I wrote my first article on information security around May 2001. It was about the Sadmind worm and it ran on the letters page of the IT section of The Age newspaper in Melbourne.

"Geez," I thought to myself. "If awareness isn't raised about the unsuitability of these computamajiggies for srs bizness, we could encounter some problems down the track."

So for the last ten years I've been working in media, trying to raise awareness of the idea that maybe, just maybe, using insecure computers to hold your secrets, conduct your commerce and run your infrastructure is a shitty idea. No one who mattered listened. Executives think it's FUD. They honestly think that if they keep paying their annual AV subscriptions they'll be shielded by Mr. Norton's magic cloak.

Security types like LulzSec because they're proving what a mess we're in. They're pointing at the elephant in the room and saying "LOOK AT THE GIGANTIC FUCKING ELEPHANT IN THE ROOM ZOMG WHY CAN'T YOU SEE IT??? ITS TRUNK IS IN YR COFFEE FFS!!!"

There is no security, there will be no security. The horse has bolted, and it's not going to be the infrastructure that's going to change, it's going to be us.

"Why we secretly love LulzSec: Elephant in room visible. Cans open. Worms everywhere." (risky.biz)


Boing Boing editor/partner and tech culture journalist Xeni Jardin hosts and produces Boing Boing's in-flight TV channel on Virgin America airlines (#10 on the dial), and writes about living with breast cancer. Diagnosed in 2011. @xeni on Twitter. email: xeni@boingboing.net.


  • facetedjewel

    My husband has spent the past 15 years of his career in network security. Early in his career, he would tell me the weakest link in the chain to implementing security policy and thus protecting the company’s intellectual property, was the employees. Either they failed to understand security measures and needed further education (ignorance), or they understood but refused to follow the rules, for reasons somewhere between arrogance and laziness. This threat to security from the inside has remained constant.

    The IT security folks felt secure in their jobs though, no matter the economic downturn, because what corporation would be foolish enough to slash their IT security departments, right? As we’ve all observed with each recession, labor has become the enemy. Network security was no exception. They’ve been firing the guards for the past five years. While the threats have only increased, there are few to no people standing at the gate. No one to address an escalating threat once it’s inside. The corporate goombahs weighed out the *possibility* of an attack against the cost of paying for that in-house security, and have been gambling their futures and that of all their employees and shareholders, that nothing of any real financial consequence will occur. They’ll do anything to make those quarterly numbers on Wall Street. Their own bonuses depend on it.

    I wouldn’t say network security people ‘love’ lulzsec, but they are completely unsurprised by lulzsec’s success. They’re wondering what happened in the Sony hack, and how did Amazon get used as a launch point for an attack on Sony? Lessons to be learned there…as long as there are still security employees to pay attention and take notes.

  • Lobster

    They also stole and gave away the personal information and credit card numbers of millions of people who did NOTHING WRONG.

    They could have slapped some sense into the corporate security industry without screwing over people who had nothing to do with the failures.

    • Anonymous

      No they couldn’t. Corporate hierarchy cares only about the bottom line. Its only when you threaten to eat their lunch (in this case, unfortunately, that means messing with paying customers) does a particular pet issue become a major talking point. If they could have been convinced through more reasonable methods, it would have happened already.

    • Anonymous

      I don’t think that’s true, Lobster.

      The corps aren’t putting much of their value at risk, they are putting YOUR assets at risk, get it? You can’t display what they are doing wrong without exposing the credit details of millions. Really, I do IT security and secure systems integration for a living, I know what I’m talking about. It’s relatively commonplace for a mega-corp to have their own financials locked up like Fort Knox and the customer financials flapping around in the breeze. I’ve seen systems where the company GL was on a physically separate system – accessed only by sneakernet – and the customer credit cards were in an Oracle database with the password “oracle”. No lie. Systems where customer credit card data is in a MySQL database and a privileged password is kept in a file that the Apache daemon can display are a dime a dozen.

      Using a single payment service (I use PayPal) for all online purchases is my advice.

      • Anonymous

        Using PayPal may keep your credit card numbers off of vendor servers, but when PayPal gets hacked and your information stolen, you’ll lose a lot. Bank account numbers, credit card numbers, some tax information if you receive payments as a vendor.

        Groups like Lulz show us no e-commerce, or personal information stored on someone’s server, is safe. The best you can do is minimize the damage, or bury all your money in the flower bed.
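The "privileged password in a file the Apache daemon can display" pattern from the comment above is easy to audit for. The script below is an added example, not code from the original post or from any commenter: it builds a constructed DocumentRoot that mirrors the anecdote (a database password in an `.inc` file and in a `.bak` backup under the web root, plus one copy that an `.htaccess` rule shields), then reports every credential-looking file the server could serve raw. The function names (`find_exposed_secrets`, `build_sample_tree`), the credential regex and the sample tree are all assumptions made for this illustration. The `.htaccess` check assumes `AllowOverride` permits those rules; if it does not, nothing is shielded and the only real fix, moving secrets outside DocumentRoot, still applies.

```python
"""Audit a web DocumentRoot for credential files the web server could serve.

Added example (not from the original page). Heuristic only: flags files whose
content looks like a credential assignment and that are not covered by an
Apache .htaccess "deny all" rule in their directory or an ancestor.
"""
import os
import re
import tempfile

# Credential assignments in config/PHP/INI styles:
#   password=oracle   $db_password = 'oracle'   define('DB_PASSWORD', 'oracle')
SECRET_RE = re.compile(
    r"(?i)\b(?:db_)?(?:pass(?:word|wd)?|secret|api_key)\b\s*['\"]?\s*[=:,]\s*\S+"
)
# Apache 2.2 ("Deny from all") and 2.4 ("Require all denied") spellings.
DENY_RE = re.compile(r"(?im)^\s*(?:Deny\s+from\s+all|Require\s+all\s+denied)\s*$")


def _htaccess_denies(dirpath):
    """True if dirpath/.htaccess contains a deny-all directive."""
    try:
        with open(os.path.join(dirpath, ".htaccess"), encoding="utf-8", errors="replace") as f:
            return bool(DENY_RE.search(f.read()))
    except OSError:
        return False


def _shielded(dirpath, docroot):
    """True if this directory or any ancestor up to docroot denies all access.

    Assumes AllowOverride lets .htaccess take effect (an assumption of this example).
    """
    cur = os.path.abspath(dirpath)
    root = os.path.abspath(docroot)
    while True:
        if _htaccess_denies(cur):
            return True
        if cur == root:
            return False
        parent = os.path.dirname(cur)
        if parent == cur:  # reached filesystem root without meeting docroot
            return False
        cur = parent


def _looks_like_secret(path):
    """Scan the first 64 KiB of a file for a credential assignment."""
    try:
        with open(path, encoding="utf-8", errors="replace") as f:
            return bool(SECRET_RE.search(f.read(65536)))
    except OSError:
        return False


def find_exposed_secrets(docroot):
    """Return sorted relative paths of credential-bearing files the server could serve raw."""
    exposed = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if name.startswith(".ht"):
                continue  # Apache's stock config refuses to serve .ht* files
            path = os.path.join(dirpath, name)
            if _looks_like_secret(path) and not _shielded(dirpath, docroot):
                exposed.append(os.path.relpath(path, docroot).replace(os.sep, "/"))
    return sorted(exposed)


def build_sample_tree():
    """Constructed DocumentRoot mirroring the anecdote: DB credentials under the web root."""
    root = tempfile.mkdtemp(prefix="docroot-")
    layout = {
        "index.html": "<h1>store</h1>\n",
        # an include file the server will hand out verbatim
        "inc/db.inc": "<?php\n$db_host = 'localhost';\n$db_password = 'oracle';\n",
        # a backup copy: .php would be executed, .bak is served as text
        "backup/db.php.bak": "<?php\ndefine('DB_PASSWORD', 'oracle');\n",
        # same secret, but this directory is shielded by .htaccess
        "config/.htaccess": "Require all denied\n",
        "config/settings.ini": "[db]\npassword=oracle\n",
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    for rel in find_exposed_secrets(build_sample_tree()):
        print("EXPOSED:", rel)
```

On the constructed tree this reports `backup/db.php.bak` and `inc/db.inc` and stays silent on `config/settings.ini`. Treat a clean run as necessary, not sufficient: the regex will miss credentials in unusual formats, and `.htaccess` shielding evaporates the moment someone sets `AllowOverride None`, which is why the durable fix is to keep the file outside DocumentRoot and readable only by the service account.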

  • DarthVain

    This amounts to basically: Meh, I told you so. You didn’t pay attention to me, and now you’re fucked. Serves you right.

    In the end some manager makes a “risk” based decision to save the company money, and increase his annual bonus, at the cost of the company.

    This is everywhere, look at the financial crisis. Short term gain at the cost of risk is rewarded, and eventually when shit goes wrong they bank on being someplace else.

  • DarthVain

    I love “risk” based decision making by the way.

    It’s a fancy way of saying, “Yes I know there is a problem, but I am going to ignore it for the sake of saving a few bucks…”

    I have even seen the stupid little matrix graphic showing high/low risk VS high/low impact etc… sadly I doubt most even use those common sense tools to make the decisions.

    • Anonymous

      To be fair, likelihood vs consequence risk assessment is useful in the real world. Corporations are just a failing economic model in many respects.

      @anon29: I wouldn’t try explaining it. Some people just don’t or can’t understand that the only way to hurt a corporation is to hit them in a way that harms them financially. They can’t believe that defacement really doesn’t hurt a company’s image.

      It sucks that old people are the ones who got hit with recent lulzsec activity, but they couldn’t just go in and steal records and say that they had records. Honestly, most people would perceive that to be worse, that lulzsec was intent on blackmailing sony or the customers. This way, you can ctrl-f those files and see if your name is in them and take necessary precautions. Or if you’re a corporation, ctrl-alt-del and run away from harsh reality.

  • SuperDragonMaster79

    You can only lulz at those who think computers are a safe place to put things…

    • Anonymous

      Dang! You know how much it hurts to get that dream shattered? And to realize an elephant’s been drinking my coffee.

  • Goblin

    How does hacking Frontline over a pithy disagreement fit with this narrative?

    • Anonymous

      lulz?

  • Jake0748

    There’s really no secret. They are badboys (girlz) screwing with The Man. Punching holes in some over-inflated balloons. Screws and needles are badly needed around these here internets. Good for them.

    (Yes, I’d be mad if they came after me and my shit, but I’m poor and don’t have anything worth going after).

  • Anonymous

    Not to mention wackily threatening the media who offer a message they disagree with and stomping over one of the most important measures of freedom of the press and chewing away at one of the fundamental measures of our freedom as a society. But hey, it’s alright because…computers! And memes! And Saint Assange!

    Those wacky pranksters.

    • Jake0748

      Seems like a lot of the time people who don’t get the point hide behind be anonymous.

      • Jake0748

        er… “being”.

    • Cowicide

      Saint Assange!

      No, he’s more like this…

      Bet that really eats you up inside. You know, to be so trite and insignificant while udders change the world.

    • Anonymous

      “media who offer a message”
      they don’t call it “programming” for nothing.
      free speech and coercive behavior:
      Yes free speech exists, but watch what you say. Coercive behavior also exists, under the guise of free speech, under the guise of “Freedom”. Both good and bad forces are in play, seeking to influence, or control, people’s thoughts and decisions. Some of it is an expression of love and truth, some an expression of hatred for lies and violence, and sadly, a lot of it sells lies, and violence, and is an expression of those who love money. Think about this, technology is used to empower us, and control us, to free us, and enslave us. Yes it’s a war, WW3. Only if those who truly love focus with greater intensity than those who hate can this war be won; the battle rages, within and without, it’s within our power to choose love always and truly love is the answer.

      Royalettes – It’s Gonna Take A Miracle http://youtu.be/G7Mxtdg752Q
      Deniece Williams – “It’s Gonna Take a Miracle” http://youtu.be/0Yoa4iugW0U Lotta Love – Nicolette Larson http://youtu.be/iU3u5UDjYeY

  • Carmello

    They are badass when it comes to cause, but it’s a tad scary. They technically can come after your shit if they take down some site/host which is a part of your lifestyle.

  • Woolly Mittens

    There’s a little anarchist in all of us. Schadenfreude for those arrogant bastards in power who think themselves superior.

  • james4765

    They’re just doing what many of us who work in IT have bulls**ted about for years – “Man, if they only knew how easy it would be to take this company down”…

    I’m having a blast watching them. Of course, I’m not on their shit list, so that may affect my opinion of them, but FFS, someone had to do it. And I’d rather it got done for the lulz than most of the hacked systems I deal with, which are parts of spambot networks or are serving malware along with their websites.

  • Jack

    If it weren’t for sloppy coders and sysadmins doing sloppy work I am not too sure I would still get work. Practically every other tech I know who has 10+ years in the field knows what I mean.

  • badmigraine

    I wonder if this could lead to foolishly righteous panic among the set of law-and-order politicians and stakeholders who think the Internet is a series of tubes, leading to awful prohibition-style rules and regulations, more police and government “control” of the internet, etc. Think “the war on drugs” run by RIAA-type lawyers with police powers who preside over a bureau of government-office lifers and TSA-type thugs, and where “drugs” is your internet freedom, anonymity, private encryption, etc. Tiered clearances and licenses for Internet use, total monitoring, etc. Rounding it all up and pinning it down this way like an insect on a card is, perhaps not coincidentally, the perfect solution for lading it with innumerable taxes with names like those you don’t understand on your cellphone bill or plane ticket.

    • Ugly Canuck

      Meh.
      The internet only serves to maintain the status quo….

      http://esciencenews.com/articles/2011/06/08/digital.democracy.study.finds.elite.viewpoints.dominate.online.content

      …open your eyes, stop dreaming.

  • bjacques

    @badmigraine:

    Corporate and government actors have been trying to turn the internet into a cable TV franchise for 20 years, long before LulzSec turned up. They promise security but obviously can’t deliver–neither for you nor for their clients–as LulzSec and others repeatedly demonstrate.

  • Anonymous

    Hopefully, daddy government will treat Sony as the enabler it is, rather than a victim that needs tailored anti-net neutrality legislation.

  • failix

    If it wasn’t for their attack on PBS and sucking up to that egomaniac creep Assange I’d like them as much as the rest of you…

  • Anonymous

    Let’s hope they go after banks too.

    Security there sucks too.

    • Anonymous

      Oh, did you get that e-mail from US Bank, too? The one with the followup message, “Yeah, we sent that, but we didn’t mean to, ’cause you’re not really our customer, Sorry!”

    • Anonymous

      They did or did you miss the ATM data dump…

      • Anonymous

        “They did or did you miss the ATM data dump…”

        I mean directly. The ATM data dump was the result of poking at *ahem* .

        Credit unions aren’t safe either. Let’s just say at a certain Credit Union I use, online security is based on a 4-digit PIN. Granted they lock the account down after 3 incorrect attempts, but 4-digit PINs?! Makes it easy to pick up by sniffing.

    • Kimmo

      Should have just posted the whole article, Xeni – it’s only twice as long as the excerpt. Anyway, the guy nailed it; it’s all about the I told you so that anyone with a clue about computer insecurity feels.

      Let’s hope they go after banks too.

      Fuck yes. Rp ths prcks wh stl vryn’s mny nd fckng gt wy wth t!

      • Anonymous

        Honestly, WHY has no one bothered hacking Goldman Sachs yet?! How did PBS end up higher on the hacker priority list than that godforsaken company?

      • Padraig

        Hi Kimmo,

        I’m going to be boring here.

        I agree that during the recent GFC, large corporations, banks etc got away with blue murder, distorting the markets, ripping off customers, central banks and the community.

        HOWEVER, can we please NOT use words like ‘rape’ as a description for what we think should happen to people/organisations we don’t like?

        I realise that it’s an expression of your frustration (I hope) and it has had a bit of a run lately with people using it as a metaphor but it is really an awful event. Many people experience sexual assault, it can harm them for years if not their whole life and the use of the word in such a fashion trivialises the act as well as diminishing the impact it has on those against whom it has occurred.

        Thanks for listening.

      • Padraig

        I realise the irony in my own metaphor too.

        :)

  • Anonymous

    I think one good point was made here, why not go after a company that really deserves it?

    Sure, brink sucked, but why eff with Bethesda when Goldman Sachs has actually profiteered off of economic collapse, Blackwater is a war profiteer, GM killed the electric car, and video killed the radio star.

    There is a banana bread in the oven, and they’re taking potshots at it because it’s simply shooting fish in a barrel. They could have a realistic, normal fight with purpose, but instead they decide to 1337pwn Bethesda, and League of Legends. I think they’re afraid to take on a real challenge.

  • MarkM

    Anything lulsec has done should be done 1000x more to bring down the whole corporatist structure, starting with pbs, the falsely liberal, actually arch-conservative organ of state propaganda.

  • Kimmo

    I’m not sure my use of the term ‘rape’ trivialised the concept in this instance, but hey, point taken… there’s certainly something off-colour about it as an instrument for justice.

    But as for certain terms taking on broader definitions, I’m afraid folks are just gonna have to learn to distinguish their different senses, or continue to be offended.

  • Kimmo

    Case in point:

    Cory writes, “Hari suggests that while Dominique Strauss-Kahn’s rape accusation needs to be taken seriously, the IMF has been raping whole countries for its whole existence.”

    http://www.boingboing.net/2011/06/09/imf-considered-harmf.html

  • bardfinn

    Some IT staff have even gone to jail for trying to make their management listen, and ensure that the management is on public record as having been informed of the danger and on record as failing to do anything about it. I’m talking about the netsysadmin of City of San Francisco, a few years back.

    Management does not care, so long as they have plausible deniability to say “But how could we have known?”. LulzSec is taking away their plausible deniability. There will eventually be lawsuits, IT staff will have to be subpoenaed and testify, and at that point they’re going to need witness protection.