I joined The Madeleine Brand Show today for a radio discussion about the latest LulzSec hijinks, and related hacking news. Listen here.
Here's an overview published by the rogue security prankster group of their attacks so far. One day, it's PBS and porno sites and the FBI. The next, it's the US Senate, and Bethesda Software. Earlier today, Eve Online, Escapist Magazine and Minecraft. The targets seem so diverse, so random—following their Twitter account is like watching a rabid elephant on PCP wearing a top hat rampage through a crowded market with explosive banana diarrhea.
Yesterday, they opened an apparently-untraceable phone switchboard, and invited incoming calls. Jacob Margolis of The Madeleine Brand Show got through, and you'll hear what transpired in the radio segment above. Here's their current outgoing phone message (MP3 Audio), if you call 614-LULZ-SEC and can't get through.
So who are these guys? I don't know. None of the security experts I've spoken to know either. But a few theories are floating around.
I reached out to Joe Menn, FT writer and author of the cybercrime book "Fatal System Error." He wonders if LulzSec might a sort of "elite escape pod" that broke off from Anonymous. There is some evidence that various factions of Anonymous became unhappy with the trend toward politics and righteous actions (going after Iran one day, Ben Bernanke and the Federal Reserve bank the next). Other factions of Anonymous were drifting toward more conventional cybercrime, exploring ways to make money from attacks.
But the people who became LulzSec, the theory goes, really were just "in it for the lulz." They wanted to improve the state of security and have fun by pulling everyone's pants down, and go back to the spirit and fun of earlier 4chan days.
"They certainly do not appear to be in it for the dollars," said Joe.
And no, the Bitcoins they've solicited over Twitter for beer don't count.
Menn and others I spoke to emphasized that nobody appears to have done deep enough reporting to say definitively who LulzSec is, or where their origins lie. Presumably, a number of FBI agents are tasked with figuring that out, at this very moment.
LulzSec's behavior patterns suggest they're smaller than Anonymous, and therefore less vulnerable to the chaos and internal politics endemic to larger, widely-distributed, more-or-less leaderless groups.
Security consultant and writer Rich Mogull (Twitter) agreed the brazenness of their actions suggests they're a close-knit group that is careful about how they operate. A tight core of technically skilled hackers (and these guys clearly have skills) can hide effectively. They may be people involved with, or on the edges of, the security industry.
"If they don't recruit and stick to being careful, they can probably have a good run," Rich told us over email.
Another interesting phenomenon to watch, and one which may eventually lead to some uncloaking: Anonymous, LulzSec, and various other entities keep trying to "dox" each other. "Doxing," as Joe Menn explains, means pulling together documents saying this is so-and-so's real IP address, here's their social security number... here's the school where Sony exec Howard Stringer's kids go. Right now, there are security groups trying to dox LulzSec, and LulzSec is trying to dox them back. This is how the HB Gary scandal was unspooled, and conceivably, something like this could also do LulzSec in.
As noted before on Boing Boing, some security professionals are quietly cheering LulzSec on. Patrick Grey of the Risky Business Podcast wrote a widely-circulated piece: "Why we secretly love @LulzSec." Bottom line: Apart from bringing back Tupac and Biggie and the eating of childrenz, and spawning weird internet art, LulzSec is causing governments and large companies to take I.T. security seriously. Well, at least for as long as the excitement around LulzSec lasts. But still, this is something that more sober security consultants, using less lulzy tactics, have failed to do despite much earnest, hard work.
And a lot of what LulzSec does is funny enough stuff. They demand that TV reporters put a shoe on their head, /b/-style, in exchange for interview access. The @lulzSec Twitter account is a thing of beauty, with unexpected surrealist interludes popping up between the breach brags:
# You are a peon and our Freemason lizard rebellion will propel us towards binary stars of yore, you sweaty caterpillar farm.
# You can't silence the Illuminati lizards that inject into the human psyche via the funfunfun override exploit to gain root access to humans.
# Our quest for world domination through the reality bot(man)net only manifests itself further through carefully-immersed subliminal tweets.
# Mankind should tremble as the SSH key to your neuron load balancers are used as a pathway to the chemical exhilaration of entertainment.
It's poetry in the grand tradition of prankster hacking. But the stakes are high. When you go after the FBI, as they did last week, and then senate.gov, and who knows what's next—you're gonna draw heat.
Among their growing fanbase are gamers angry at Sony for being so sloppy with security, and people who just enjoy watching little-guy pranksters take on big, powerful entities that don't understand the internet well enough (or care enough about their users' privacy) to be more secure.
Everyone loves an outlaw. But eventually, outlaws tend to get caught.