Sophos Cloud Optix
As fellow Naked Security commentator Graham Cluley already reported, the latest news from media-savvy “fun-hacking” crew LulzSec is that it organised a Distributed Denial of Service attack (DDoS) against the cia.gov website, sporadically making it slow, unresponsive or inaccessible.
This is the latest in a slew of “hacks” mounted by the group, whose recent targets have been as mixed as its motivation is unclear.
LulzSec has targeted Sony, the US Senate, an affiliate of the FBI, a range of online games, the CIA, Nintendo, and even PBS – the US public television network which gave the world Sesame Street.
Take that, Elmo.
But why?
I suppose that if you really must find a silver lining to what LulzSec is doing (and who knows whether LulzSec is he, she or they?), take heed that most of the LulzSec website break-ins look to have been languorously orchestrated, using nothing more sophisticated than entry-level automatic web database bug-finding tools, available for free online.
In other words, LulzSec is a timely wake-up call to better security if you are still asleep at the wheel. Your customers’ data is important – both to them and to you.
But the end doesn't justify the means. Time spent throwing bricks through other people's digital windows doesn't actually teach anyone anything about glassmaking, glazing or civil engineering.
If you consider yourself a hacker and you have time to spare, but you're tempted by "hacking" such as DDoSes or gratuitous break-ins, why not use your skills for active benefit instead? Follow the lead of a guy like Johnny Long and hackersforcharity.org
I challenge you to look at Johnny’s website and then side with the 40% of people in our poll who decided that LulzSec is both amusing and a worthwhile cause. Here’s what Johnny said in his Schmoocon 2011 address – which you can watch on-line. A hacker, speaking to hackers, on the topic: “Hack the planet”:
You guys remember Estonia, right? You remember all the bad press, and all the crap that hackers did to destroy a country? What I'm thinking is, "Why don't we just do the opposite?" Why don't we take [Uganda,] a country that's getting the [cyber-stuffing beaten] out of it for no apparent reason, that has some resources but needs your help...why don't we step in and help them out?"
When I say challenge, I’m not throwing down the gauntlet for a penetration testing challenge, or a command-injection competition. I’m talking about a moral and ethical challenge.
The great thing about getting into activities like Johnny’s is that you actually get to help – and to teach – thousands of people indirectly. And you can be open about it. You can tell other people; you can put it on your resume; you can dine out on it, if you wish. You’re a real hacker, and you can prove it.
But throw in your lot with LulzSec-like activities instead and you’ll spend the rest of your digital life hoping no-one finds out.
I'm in complete agreement.
If Johnny from Schmoocon doesn't know why Uganda is current having its "cyber-stuffing beaten out of it", he obviously hasn't been following the news recently: Uganda is currently in the process of bringing into law an act that would make homosexuality illegal and some acts punishable by death.
I don't know about you, but in my book, having the cyber stuffing beaten out of it, Uganda is getting off lightly. What two consenting adults get up to in the privacy of their own bedroom should not carry the risk of persecution and a potential death penalty.
Interestingly, if you watch the video, the deal is that the attacks he mentioned, and which perplexed him, do indeed appear – like LulzSec's – to be _for no apparent reason_. An "Everest" thing, if you will. (Why climb Everest? Because it's there.)
Would you rather break something down simply to demonstrate a point which is already clear, or build something up and, incidentally, make that same point much more clearly?
Uganda is incidental to the point – it just happens to be where Johnny Long's charitable heart is right now. I'm using him as an example because he considers himself a hacker and is widely accepted as a hacker in the hacking community – evidence that there's life beyond DDoS and gratuitous break-and-enter.
The problem is that the "point" isn't clear for management.
I think what Lulzsec is doing has a purpose in this regard. Even though it doesn't fit somebody elses moral agenda.
Management needs incidents to appear in media or in their own network to take security seriously, and they need it frequently.
Do you remember how bad you felt the last time you had the flu, and therefor take the vaccine every year? Probably not…but if you had it every year, and the media wrote about it weekly, you probably would take the vaccine. This is where Lulzsec has a purpose…it connects known names with security incidents over and over again. Reminding us to take known security issues seriously, and not be overly focused on the latest and greatest exploit techniques.
If everybody should follow the ethics in the article in general, and always focus on those who are in the worst conditions, why should people spend their savings on anything else than the third world? Why buy holidays? Why should car manufacturers spend money on making better and more expensive cars? Why did you buy your computer, instead of sending the money to somebody who needs it more?
The article pretends to follow ethics by those living in a world with double set of morals…
Why should we work on helping other countries when there are holes in US sites, leaking US data. Why feed the starving in Africa when the homeless are sleeping on the sidewalks of the White House?!
Why indeed? If you're into charitable giving, you can – and you chould – deploy your gifts where you choose. Hackersforcharity is just an example.
But see my comment above. This isn't about Uganda, or about Africa. It's about taking the criminality and the repetitious pointlessness out of hacking "LulzSec style", and replacing it with something which doesn't merely prove a well-known point, but which educates, builds, improves and is jolly good fun all at the same time.
Oddly enough, Paul, most “hackers” are actually people who were using the word LONG before the press decided to apply it to high-tech criminals. Your own description of LulzSec’s work, “languorously orchestrated, using nothing more sophisticated than entry-level automatic web database bug-finding tools, available for free online,” is not the description of “hacking” but the description of someone whose skills make him/her more of a “script kiddie” than a hacker. People who aspire to be called “hacker,” and in the hacker community one does not declare oneself a hacker,when one’s skills warrant that level of respect one is called a hacker by the community, are only interested in DDoS in so far as there is a challenge involved. Climbing Everest “because it’s there.” Most “hackers” are also quite socially conscious, and, though I’m not familiar with hackersforcharity.org, I’m not surprised by the concept.
I’d like to encourage people, but kids especially, to develop the skills to hack NOT LulzSec style, which seems, as I said, more script kiddie than hacker, but to REALLY understand systems well enough to hack “pwn2own’ style. These kids would be more secure on the ‘net, and would make the ‘net more secure for everyone.
Errr, it seems we agree almost exactly 🙂 Note that I placed quotation marks around the word _hacks_ when I mentioned the LulzSec break-ins.
And my challenge is not – as I say explicitly above – about any hacking ability that break-and-enter "hackers" may or may not have. It is, as you point out, about being a hacker who has a social conscience and acts upon it. In short, the challenge is to prefer to build than to break.
If you watch the video I mentioned above, you'll get a nice confirmation of your assertion about hackers and social conscience, when you see the size of the audience and the warmth of their response.
Lol. All your 'ethics' and 'morals' are belong to @LulzSec.
If Uganda or gets the cyber-stuffing beaten out of it, they deserve every swing of that whip. So I don't agree with the "no apparent reason" statement. If a country passes a law that gay people should be jailed or possibly even killed, well, actually, let the hacking begin. Too bad I don't have the skills to do it.
Hello,
You write:
"But the end doesn't justify the means. Time spent throwing bricks through other people's digital windows doesn't actually teach anyone anything about glassmaking, glazing or civil engineering."
I do agree and understand what you want to say with that statement. But LulzSec might be able to do something all the preaching wasn't able to do: To fight the ignorance of people when it comes to information security ;( I know so many people that argue that attack vector x and vulnerability y arent that risky, because they don't get the technical details (and the capabilities of people who have). Every attack proves them wrong … Which is a very sad thing, indeed!
Regards,
Marc
The only problem with this post is, if I'm right LulzSec are just doing this for fun and enjoys annoying people and being the silly little child that annoys everyone. They are loving the fact that the affected users are flooding message boards with complaints.
Its not about hacking, its about being the bane of the internet. They probably see themselves as a virus in their own right and are enjoying just some good old fashioned vandalism with no other personal gain required.
@LulzSec does not follow reason. They are just psychopaths and, at least, they don't kill people directly… When people does something without caring about other people feelings is just psycopathy, many politicians are like that, many CEOs are like that and the LulzSec guys are the same…
Psychopathy is a technical term, with a specific meaning. Prior to the early 1980's, when The Diagnostic and Statistical Manual of the American Psychological Association, version III (The DSM-III) changed the name of the disorder to Antisocial Personality Disorder, it was the name of a very specific personality disorder. These are the most accepted traits of the psychopath or sociopath:
Superficial charm and good "intelligence"
Absence of delusions and other signs of irrational thinking
Absence of nervousness or psychoneurotic manifestations
Unreliability
Untruthfulness and insincerity
Lack of remorse and shame
Inadequately motivated antisocial behavior
Poor judgment and failure to learn by experience
Pathologic egocentricity and incapacity for love
General poverty in major affective reactions
Specific loss of insight
Unresponsiveness in general interpersonal relations
Fantastic and uninviting behavior with drink and sometimes without
Suicide threats rarely carried out
Sex life impersonal, trivial, and poorly integrated
Failure to follow any life plan
While psychopathy is more widespread than most people think, there's no real evidence that LulzSec is composed of people whose psychological makeup is that of a psychopath. There is certainly a fair bit of immaturity and a tendency not to see the big picture as far as the consequences of their attacks go, but to call it psychopathy is going a LOT too far. Now many (but not by a long shot all) CEOs and politicians exhibit sociopathic tendencies.
I'm going to hack Canada and steal all their expensive maple syrup and give it away to the poor 3 world nations just so they know what yummy deliciousness really is. 😀
I don't think this is about hacking at all I think it is frustration with world events and they are taking it out on someone.
You got it right Graham! This is the real challenge, using your god given talents to help others not just throwing dirt on somebody's faces.
Johnny deserves a lot of props, and all the help he can get. A good guy doing good things. We need more hackers like him!
True about their revelations about poorly constructed databases and server-side code, but you can't say the same about their DDoSing. Nobody likes DDoS, it is almost always at first unpreventable. Given the number of active zombies in a botnet, any website can go down.
seems they DDosed the hackersforcharity website also… l
Lulzsec hacked PBS because they aired a documentary about wikileaks that caste a negative light on wikileaks, and painted a negative picture of american hero Bradley Manning.