Who is LulzSec? A phone call with the hacker pranksters. (Xeni on The Madeleine Brand Radio Show)


(Image: Lulzsec by DeviantArt user BiOzZ)


I joined The Madeleine Brand Show today for a radio discussion about the latest LulzSec hijinks, and related hacking news. Listen here.

Here's an overview published by the rogue security prankster group of their attacks so far. One day, it's PBS and porno sites and the FBI. The next, it's the US Senate, and Bethesda Software. Earlier today, Eve Online, Escapist Magazine and Minecraft. The targets seem so diverse, so random—following their Twitter account is like watching a rabid elephant on PCP wearing a top hat rampage through a crowded market with explosive banana diarrhea.

Yesterday, they opened an apparently-untraceable phone switchboard, and invited incoming calls. Jacob Margolis of The Madeleine Brand Show got through, and you'll hear what transpired in the radio segment above. Here's their current outgoing phone message (MP3 Audio), if you call 614-LULZ-SEC and can't get through.

So who are these guys? I don't know. None of the security experts I've spoken to know either. But a few theories are floating around.

I reached out to Joe Menn, FT writer and author of the cybercrime book "Fatal System Error." He wonders if LulzSec might be a sort of "elite escape pod" that broke off from Anonymous. There is some evidence that various factions of Anonymous became unhappy with the trend toward politics and righteous actions (going after Iran one day, Ben Bernanke and the Federal Reserve bank the next). Other factions of Anonymous were drifting toward more conventional cybercrime, exploring ways to make money from attacks.

But the people who became LulzSec, the theory goes, really were just "in it for the lulz." They wanted to improve the state of security and have fun by pulling everyone's pants down, and go back to the spirit and fun of earlier 4chan days.

"They certainly do not appear to be in it for the dollars," said Joe.

And no, the Bitcoins they've solicited over Twitter for beer don't count.


Menn and others I spoke to emphasized that nobody appears to have done deep enough reporting to say definitively who LulzSec is, or where their origins lie. Presumably, a number of FBI agents are tasked with figuring that out, at this very moment.

LulzSec's behavior patterns suggest they're smaller than Anonymous, and therefore less vulnerable to the chaos and internal politics endemic to larger, widely-distributed, more-or-less leaderless groups.

Security consultant and writer Rich Mogull agreed the brazenness of their actions suggests they're a close-knit group that is careful about how they operate. A tight core of technically skilled hackers (and these guys clearly have skills) can hide effectively. They may be people involved with, or on the edges of, the security industry.

"If they don't recruit and stick to being careful, they can probably have a good run," Rich told us over email.

Another interesting phenomenon to watch, and one which may eventually lead to some uncloaking: Anonymous, LulzSec, and various other entities keep trying to "dox" each other. "Doxing," as Joe Menn explains, means pulling together documents saying this is so-and-so's real IP address, here's their social security number... here's the school where Sony exec Howard Stringer's kids go. Right now, there are security groups trying to dox LulzSec, and LulzSec is trying to dox them back. This is how the HB Gary scandal was unspooled, and conceivably, something like this could also do LulzSec in.

As noted before on Boing Boing, some security professionals are quietly cheering LulzSec on. Patrick Gray of the Risky Business Podcast wrote a widely-circulated piece: "Why we secretly love @LulzSec." Bottom line: Apart from bringing back Tupac and Biggie and the eating of childrenz, and spawning weird internet art, LulzSec is causing governments and large companies to take I.T. security seriously. Well, at least for as long as the excitement around LulzSec lasts. But still, this is something that more sober security consultants, using less lulzy tactics, have failed to do despite much earnest, hard work.

And a lot of what LulzSec does is funny enough stuff. They demand that TV reporters put a shoe on their head, /b/-style, in exchange for interview access. The @lulzSec Twitter account is a thing of beauty, with unexpected surrealist interludes popping up between the breach brags:

# You are a peon and our Freemason lizard rebellion will propel us towards binary stars of yore, you sweaty caterpillar farm.

# You can't silence the Illuminati lizards that inject into the human psyche via the funfunfun override exploit to gain root access to humans.

# Our quest for world domination through the reality bot(man)net only manifests itself further through carefully-immersed subliminal tweets.

# Mankind should tremble as the SSH key to your neuron load balancers are used as a pathway to the chemical exhilaration of entertainment.

It's poetry in the grand tradition of prankster hacking. But the stakes are high. When you go after the FBI, as they did last week, and then senate.gov, and who knows what's next—you're gonna draw heat.

Among their growing fanbase are gamers angry at Sony for being so sloppy with security, and people who just enjoy watching little-guy pranksters take on big, powerful entities that don't understand the internet well enough (or care enough about their users' privacy) to be more secure.

Watching the spectacle unfold, tweet after breach after ASCII art upload, feels like cheering on the Barefoot Bandit, Bonnie and Clyde, or Jesse James.

Everyone loves an outlaw. But eventually, outlaws tend to get caught.

# # #



  1. I don’t get LulzSec.

    But I just wanted to say that “a rabid elephant on PCP wearing a top hat rampage through a crowded market with explosive banana diarrhea” is quite possibly one of the finest phrases I have read this week.

    1. +1 on all that. I don’t understand who they are or their goals but that metaphor certainly brings visual comprehension to the table.

  2. When it was Iran and the gubmints, I was kind of nodding in approval of an unorthodox approach to promoting transparancy. Sony started to make me squirm a bit – the gamers most affected didn’t seem to do anything to warrant the action, hard to see the lulz there.

    But now they’re going after, what, six guys in Sweden? A moderately successful video game website? EVE Online? I can’t help but think whatever point they’re trying to make regarding ‘big, powerful entities’ is getting badly diluted. Even Bethesda was stretching it in my most H of O’s.

    Hell, isn’t Boing Boing as at risk of these merry pranksters as anyone else?

    The faint whistling you hear is my enthusiasm for hacktivists steadily deflating.

    I’ll just sit quietly over here and wait for someone to paraphrase Martin Niemöller’s “First they came for…”

    1. I have to agree Elijah. If one day it’s BB that’s down, is it not interesting anymore? And seriously – Minecraft? A cool success story of a guy who was just doing what he loves and got some mad success? There’s no big brother/government/corporation there to hate.

      1. Ruh-roh, they ddosed a few game servers and a magazine site. Hardly of any great danger or interest. It would be lulzy if they ddosed them with the FBI botnets.

        Why is the assumption that Lulzsec is disclosing all of their hacks so global or that they aren’t taking financial gain from non-disclosed hacks? While I enjoy the idea that they are interwebz freedom fightas, I think it is quite naive to ignore the possibility that lulzsec is about more than that and the lulz. Certainly, making such a public stink doesn’t lend itself to enabling them to steal identities and cash as easily as before (well, that’s the hope), but it doesn’t exclude those activities by definition.

        I’ll be honest; I laughed at the cockorow hack. I’ll probably laugh if BB gets hacked by lulzsec. Then I’ll make my email password much more secure.

  3. I don’t think LulzSec has identified themselves as hacktivists, ever. That’s kind of the point.

    Yes, BB is a potential target for malfeasance, from any number of directions. We’ve been hacked before. Recently, but before that, too. We will probably be targeted again. Won’t change the fact that this story, and related stories in the spectrum of hacking/cybercrime/pranksterism are interesting.

    If LulzSec is reading this: guys, we’d appreciate it if you don’t nuke us. We already know you are capable of great pwnage. Thanks.

  4. “transparency” – sorry for the misspelling.

    @Xeni : Ok, so they are not hacktivists. You never made any such claim and the inference was all mine. In defense of my word choice I was trying to put a positive spin on what they were doing by assigning them an agenda to which I was sympathetic when, admittedly, I have no idea what that would be.

    Should we then assume they have no agenda? Yet they certainly seem intent on drawing a great amount of attention. How, then, are we to conceptualize them? Dada extremists?

    The phrase seems needlessly weighty. Surely there’s a more colloquial term bandied about by their targets of malfeasance.

    Maybe dicks? Dinks? Dorks? I mean, pardon a tendency towards phallic metaphors, but I’m seeing forced intrusions here. For the lulz? Ha ha?

    Funny. I wouldn’t think that would make people laugh.

    1. More important questions are:
      If a group doing this “for the lulz” can wreak so much havoc, what could a group with more malicious intent do?

      We’re only hearing about these incidents because LulzSec is publishing/boasting about them. How would we otherwise know? How would the affected companies even know if they had been breached in many cases, if they can’t even maintain the most overt of data security measures?

    2. I’m not sure you understand the meaning of “in it for the lulz.” Sometimes people do things – art and sport/play come to mind – that are not primarily driven by agendas or profit motives. You don’t have to be a “Dada extremist” to do things for no other reason than that you like to show off and be challenged and entertained, aka because you can.

      Why is it so hard to imagine that LulzSec is just not in it for the Big Message? They’re funny and really good at what they do, and they keep people on their toes. It’s not really a morally apt paradigm of behavior.

  5. Speaking as someone who has dealt with web security since my time as a local Indymedia collective site admin starting in 2003, and got 0wned by some right-wing hackers a couple of times, I can say with absolute certainty that I’m having a blast watching a lot of self-important companies get slapped with a big trout, after getting their pants pulled down.

    Lulzsec is running around at breakneck speed, pretty much smashing everything they can get their hands on ’till the hammer falls on them. Now, the rich and powerful are learning what those of us who were doing this stuff years ago have learned – there are better, smarter, more agile groups out there who will embarrass the hell out of you when they get the chance.

    Hey – much more damage could be done by these guys. Wiping databases, injecting malware links into random stories, loading their servers with horse porn and warez – and that’s just the stuff I’ve had to clean up in the past. These guys are operating like it’s a different era – counting coup instead of stabbing a motherf**er to death.

    /me grabs popcorn and sits down to watch.

  6. They’ve racked up nearly a million dollars in bitcoins of late, which explains the seeming anarchy behind their behavior. It’s cover for nastier doings.

    1. A million? Out of 6.2 million total BitCoins available? That seems like a lot. Citation?

  7. @Ryanwoofs : yeah yeah – in all seriousness, I get you. Security breaches as a performance art can potentially serve the betterment of all. No sarcasm, I’m with you. And, mea culpa, I don’t know enough about network security to truly understand how their exploit.

    From my perspective they seem like bullies. I acknowledge – and hope – that this is not so.

    @HereticGestalt : much less enthusiastic ‘yeah.’ I so want to type more, but that link I got sent?

    @Anon : Yeah, good link. Touché.

    @Xeni : sorry if I was out of line.

  8. “We are the concentrated success of 2005 /b/, being “hunted” by the 2011 furry horde. Challenge accepted, losers. :D”


  9. Maybe I’m just being a bit naive, but it seems pretty obvious who they are: a group of kids having some fun. And like all such groups from the dawn of time, they’re going to do (and have done) some things of questionable ethics and wisdom.

    On the other hand, they do seem to have a sense of humor and some of their hijinks are pretty funny (unlike Anonymous, who don’t seem to have much of a sense of humor, apart from hacking the Spanish police site and shopping the GF masks onto the police).

    But yea, they’ve angered some pretty determined people, so I think this will end badly for them.

  10. One time, someone went down a few streets in my neighborhood, randomly slashing the tires of the cars parked in the street. I fail to see any real difference between these DDOS attacks and that act of random vandalism. The DDOS attacks are low-tech, require little more than a streak of malice, and end up costing money for people who have done nothing to the vandals. Sure, after time passes it will be seen as little more than a nuisance, but the only lesson it teaches is that there are jerks out there who will harm others merely because they are entertained by the inconvenience they cause.

    1. One time, someone went down a few streets in my neighborhood, randomly slashing the tires of the cars parked in the street. I fail to see any real difference between these DDOS attacks and that act of random vandalism.

      This is more like going down the street, checking all the car doors and leaving notes in the unlocked cars telling them to start locking their doors.

      1. It’s around the attack on Minecraft, who probably couldn’t afford better security if they wanted to, that this argument started striking as some stone bullshit.

        1. are you kidding me? do you know how much that minecraft guy has made just from his video game sales? they *definitely* could afford it.

          1. Yes.

            About as much as a fairly profitable small business. Or maybe an orthodontist.

            Are you expecting Joe’s House of Beds (Now with 3 locations!) to invest in the same level of security as, say, your bank? Should he need to invest in that level of security just in case some group of locksmiths and burglar fetishists decide to break in and shit on all the mattresses to teach him a valuable lesson about improving his security?

            Or is it more reasonable to decide ‘Hey, maybe you shouldn’t go around breaking into places and shitting on the mattresses?’

      2. Except that these guys didn’t leave notes. They disrupted service, which required companies to spend money to investigate the disruption and find ways around it. CCP, the company that runs EVE Online, stated that they go to external sources to help them deal with this type of problem, which I take to mean they have outside contractors. They have to evaluate their system to determine if any customers’ accounts were compromised, whether credit card information was obtained, etc. So they have to pay them. This would result in actual damages for companies like CCP. Not to mention the opportunity costs of reassigning internal programmers to address the situation, when they could be developing code for expansions, improved servers, etc. On top of this, add the people who wanted to play the accounts they’ve paid for, but couldn’t because CCP shut down their servers to avert any further damage.

        I recognize this is not the worst type of attack, but I would argue that it’s not just a white-hat attack to notify someone of a vulnerability.

      3. Leaving notes?
        DDOS:sing is nothing about leaving notes. It’s like forcing all the lights to be red. It has little to nothing to do with security of the cars themselves.

      4. If this was about data compromises, we can bicker metaphors forever. “Taking down the VIN of every unlocked car on the block, as well as any personal information in the glove box and posting copies of everything on every block in the house.”

        That’s entirely missing it. As someone who’s had to deal with service denial in a variety of contexts, I can tell you that your argument is orthogonal to what you’re really talking about. Seriously? Mojang? Your message to Mojang is that they should be consumers of bandwidth large enough that they can dictate to their Tier 1 provider what they should null-route?

        (P.S. The actual metaphor in this context is someone going down the block and letting the air out of the tires on every car. Some of them have their own pump, some of them can get a pump, some of them need to get their whole car towed, and some of them prepaid for 87 tires full of air and all of those escaped.)

      5. ….then pulling out your spark plugs, removing a few fuses, making a copy of your registration and insurance info and then leaving it all sitting on the drivers seat

      6. “This is more like going down the street, checking all the car doors and leaving notes in the unlocked cars telling them to start locking their doors.”

        No, it’s more like they slashed the tires of Public Transportation buses.

        Breaking the law for a cause is at least somewhat understandable. “lulz” being your cause never is.

        1. Close but not close enough. It’s like this: they walk down the street, piss on a car here, put a sticky note on it saying lulz tango down, go over to another car, slash the tires, sticky note it saying sunk your ship lulz, finally go over to an ATM machine, kick it a few times, then sticky it saying Got your accounts lulz here they are 60,000+ with passes – all you see is abc – 123 written 150 times…. As a hacking group in comparison to what they have done is pathetic plus HOW do we really know this group is responsible for the sony attack and not just saying that they did it. They may only be saying they are doing this so they look cool. As for ddos I don’t doubt they did that because that’s a simple task to do in comparison to hacking sony, taking them down for a while and stealing account info.

  11. So they blatantly acknowledge being closely aligned with the transdimensional Illuminati shape-shifting reptilian alien overlords, and all you people do is sit back and LAUGH?! We are SO doomed. *sigh*

    1. First they came for CBS,
      and I didn’t speak out because I don’t watch CBS.

      Then they came for the PC games,
      and I didn’t speak out because I wasn’t a PC gamer.

      Then they came for the Sony Playstation,
      and I didn’t speak out because I didn’t have a Sony Playstation.

      Then they came for me
      and it turns out Microsoft’s network sucks so hard hacking it was an improvement.

      1. Har har they took down Sony and the PSN, whatever. But Eve is my home, the place I have friends..

        As you said..

        Then they came for me
        and there was no one left to speak out for I was having lulz at the other sites that were taken down.

  12. i am still surprised to see that a lot of people are trying to figure out what they are all about, what their agenda is, why they hack certain targets, how to categorize them.

    it’s actually really simple: they are trolling.

  13. No, the slashed tires analogy is pretty much spot on. Except for these companies it could cost them a hundred thousand dollars as opposed to a couple hundred. Although, given the nature of LoL, Minecraft, and EVE, I’d speculate that the ‘opportunity cost’ of their servers being down for 12 hours is nigh negligible.

    Oh god, CCP hires contractors to wait until a ddos ends. That’s, um, to be expected, I suppose.

    I’d still laugh at a ferrari or lamborghini with slashed tires though…

  14. LulzSec is just Skidsrus people, where Ryan Cleary (one of the backstabbers of the older AnonOps network) is also hosting their IRC network.
    They are just irritating and annoying other people and networks that have holes in them.
    They sometimes use 0-sec exploits and sometimes they already hacked it some time ago.
    Some of the lulzsec guys are new but most of them are known from Skidsrus.

  15. Oh, how the world has changed. You can now REQUEST A TARGET for LulzSec to attack. They are operating a phoneline for requests.

  16. haha CCP Hacked…and this time NOT by people on the inside doing “insider trading in spaaaaaaaaace”.

  17. LulzSec is more like they punctured a bunch of tires with a chopstick, which forced the tire company to replace them with better tires to all their customers rather than continue to manufacture cheap ones that can be punctured with a chopstick. Meanwhile, you’re realizing how much you rely on having good tires and maybe you’d be less likely to just blindly give your money to the company that makes tires that can be punctured with a dull wooden instrument.

  18. They may be slashing tires and harming companies by DDoSing them but in the short term future that will force those companies to reinforce their tires, something that:
    1) they should have done a looong time ago
    2) will protect them from further harm they might have suffered at the hand of much less scrupulous hacker groups, at much greater costs than just downtime and user passwords revealed


  19. I still think this Lulz Sec hacking campaign will do little to make computer and network systems more secure. The fundamental realities are that security is reactive, computer and network systems are so complex that finding flaws is relatively easy and of course, humans are involved. The reason RSA got hacked is the same reason I keep cleaning out viruses from my family’s computers. No matter how many times I establish basic security rules they should follow, one person tends to break them and they infect their machine. This behavior is mimicked not only by people who use a corporation’s networks and computers, but also by sysadmins who, for one reason or another, don’t apply the latest updates, or have lax security policies so the CEO doesn’t have to go through hoops to connect to the network, or other countless reasons.

    For now, attackers have the advantage and have the power to break systems (relatively) stealthily, easily and from anywhere in the world with an internet connection. Until this security paradigm changes (through new security technologies or other means), I don’t think we’ll see meaningful change.

  20. I’m one of those people that had ALL their info STOLEN from Sony by LulzSec and a few days later I had money stolen from my Bank account and there are others that I’m friends with that have had the same thing happen to them after Sony got Hacked by LulzSec.
    Far as I’m concerned, they are a criminal organisation that are committing identity theft and fraud and they should all be sent to jail.

    1. Seriously? Your bank uses a SINGLE password to authenticate you? And you used the same password on a gaming network. Sorry, but I don’t believe you.

  21. They’re more like terrorists hacking systems for “the lulz” but how funny is it when they get the balls to take all your money? When you wake up in the morning with no money and your house is gone with a note saying “ha lulz” how funny is it when you need a police officer quickly and all you get is “please hold” due to lulzsec hacking the phone lines…

    It’s terrorism and to be honest they should be shut down and arrested before they hit serious things. Just my opinion though…

  22. I agree that they should be taken down somehow… But that will prove difficult. These types of people are clever.

    That being said, there is no such thing as a perfect criminal.

  23. … a rabid elephant on PCP wearing a top hat rampage through a crowded market with explosive banana diarrhea.

    just look at it

  24. Going after major video game companies may seem like a questionable idea, but these merely offer addictive distractions to a large amount of people who could spend their valuable time doing more productive things in life. I think LulzSec going after World of Warcraft sometime in the future would be a good idea.

  25. The group itself is an annoying group, gamer enthusiasts that come home from work to play games- instead of say going out and beating the crap out of people and getting drunk- to let off steam. Some use it as a way to get rid of anger (fps, violent games) so they don’t actually hurt people irl, Others use it to enjoy company with friends because irl they have hard time understanding other subjects other than games. So all they are doing is pissing off a part of society that I wouldn’t recommend – I always say if someone did make games illegal in state that there would probably be more murders, rape, and shootouts cause you took a way to let off steam.

    Now as for the other sites I have no comment as they have no direct link to my life that I can change. Word of warning though more you expose how THE ‘US’ Internet problem is more russia will take advantage or other countries by getting hackers or hacking knowledge to take down sites for good…

    1. so… lulzsec is doing us a disservice by taking away the distractions that allow us not be sociopaths to each other at the end of the day? If what you say is true, then we own lulzsec way more than lulz.

      If our society is made up of distracted sociopaths, we’re more fucked than we would be if sony were hackable. Then again, you might just mean you.
