A Naked Security user tweeted me earlier today, asking about the LulzSec hacking case:
"But do you feel there is something noble about the lulzsec cause, and getting info to the masses?"
The argument goes that LulzSec were just a bunch of media-savvy fun-time guys, having a laugh at big companies’ expense, exposing the inadequate security of websites and computer networks run by large organisations.
Surely, the argument goes, LulzSec was harmless. In fact, weren’t they really somewhat noble?
Pardon me for taking a different point of view.
Although the hackers involved in the LulzSec attacks may not have been financially motivated, that doesn’t mean no harm was done.
Innocent people had their private information exposed and published on the internet, forcing them to change passwords and mop up any damage.
You may find membership of a hardcore porn website distasteful, but didn’t the 26,000 members (fnarr..) of a hacked sex site deserve better than to have their email addresses and passwords published and LulzSec encourage others to hack into Facebook accounts and tell their friends and family?
These guys probably sign into Facebook with the same email/pass combo, so we suggest the following:
1) sign into their Facebook accounts
2) find their family members
3) tell them all about how the victim (you!) signed up to porn sites
4) watch the hilarity
5) tell us about it on twitter!
6) ???????
7) PROFIT
Alternatively, what about readers of The Sun newspaper, who – if they had participated in the paper’s competitions – ran the risk of LulzSec exposing their private details?
In one example, LulzSec published details of applications for the Miss Scotland beauty contest, which included details of potential contestants’ aspirations, vital statistics, hair and eye colour, weight, and height as well as their dates of birth and addresses.
So, no. In answer to my correspondent – I don’t view what LulzSec did as noble.
It’s perfectly possible to put hacking skills to positive uses instead.
It’s definitely possible (and within the law) to inform companies of poor security, and to tip off the media if you feel the organisation is dragging its feet fixing it.
What isn’t cool, or funny, is to hack into companies, expose the private information of members of the general public, and to launch denial of service attacks.
Those kinds of attacks are illegal, and the LulzSec gang knew that.
And that’s why, today, three members of the LulzSec hacking gang received custodial prison sentences.
There is also a financial cost to the companies that were hacked that people need to consider. One can say, oh they are big business, they can afford it. Well not exactly, extra money spent on issues such as these can take away funds that could be used for employee incentives, training, bonuses etc.
Well with a name that includes Lulz in it, how could they be noble? They didn't do it for the people, they didn't do it to make anyone aware, they just used that as an excuse in hindsight… they mostly did it for the lulz..
Spot on! Laughing at another's misfortune is not noble. Vigilantes are not noble. Causing misfortune on another to further your agenda is not noble.
I don't think that they are noble, but the only histories I've heard of people finding security issues and reporting them have been them defending themselves in court and wasting tons of money or being forced to create a fix without compensation.
That's why I never report any potential or real security issues and keep them for myself if it's on private software.
The only times I do any fixes is on open-source software because you can make your own tests on your own machines.
True nobility truly thinks positively of others. Lulzsec only thought of themselves, and viewed others as either toys to play with or people to humiliate.
True nobility cares about effects on others. Lulzsec did not.
True nobility leads one to not do bad things. Lulzsec broke into areas people consider private to access data they consider protected, and then made information public.
True nobility encourages betterment. Lulzsec exposed people to encourage ridicule, not comment on morality.
True nobility does not indulge in selfishness. Lulzsec were showy, self-centered in their statements, self-congratulatory in the same, mocking, hubristic, and did what they did not to better others, but to show off their "prowess".
True nobility is respectful. Lulzsec was anything but.
These were not Robin Hoods fighting some overarching oppression. These were kids playing a narcissistic game with information and tried to cloak it in a semi-plausible veneer of righteous activism. That doesn't make them noble. Not in the least bit.
Indeed they were a right bunch of narrow-minded self important power tripping idiots. They got what they deserved. For the lulz my a**. For their gigantic egos methinks.
Who has ever heard of a "noble" asshole??
Noble? Of course not. But I have to admit they did make me laugh more than once.
It was certainly not noble but it was indeed really fun to follow them on twitter as they exposed the flaws and incompetence of companies one thinks are untouchable…
Privately reporting this kind of flaws wouldn't have been as effective as what they did. I think that for big companies like Sony there is a before and an after Lulzsec in the way they consider security and their clients' privacy protection.
They attacked these companies at their most vulnerable part: their image. Now that companies noticed how poor judgement can hurt them, they might take all of this more seriously… which is good for everyone in the end.
Did Lulzsec make the world safer with their childish actions? Maybe…
If LulzSec expended their efforts revealing real crime rather than individual foibles, then perhaps it would have been a worthwhile exercise. Unfortunately, embarrassing people isn't really noble, just embarrassing. There are so many places they could have used their skills to actually make a difference. Now they'll just be making no difference anywhere for a long while.
I have stated my feelings about this group multiple times now and I will not talk about that anymore.
But I thought I might share a thing I found out in my career of finding website vulnerabilities here: system administrators mostly do not like people telling them about vulnerabilities. I’ve come across a few websites where the response to my mail (or in whatever form I told them about the vulnerability) was not as nice and thankful as I initially thought. Some people seem to take friendly advice as disdainful criticism I suppose.
They were young laughers just playing with their 0days and tools…. you better waste your energy thinking about those who really make money hacking into big companies and governments.
I'm not saying that what was done does not deserve some kind of punishment, but sending that kind of people to jail is a waste of time, and mainly potential from these guys….
All the media attention and "circus" hacking gave more investments on security, the big guys in suits started to have a real fear. Even some governments created some "hackers for army" units… Just because of those laughers …
I only see more upsides from Lulzs actions than other things….
@2072
That's how anarchy is. Just doing what you feel and having your own reservations take precedence over anything else is wrong. How do we know privately reporting would not have worked? Lulzsec just assumed. They assume everything. Now they have to assume the worst in prison.
Privately reporting might have worked for the few companies they hacked but you can be sure that other companies learned and acted proactively seeing what happened to their victims… Their actions had the effect of a vaccine.
Back in high school, we thought we were badasses for throwing empty beer bottles at stop signs.
That was considered vandalism at the time, but we were small change compared to now.