Linked by Thom Holwerda on Fri 17th Jun 2011 18:49 UTC
Privacy, Security, Encryption
Oh boy, what do we make of this? We haven't paid that much attention to the whole thing as of yet, but with a recent public statement on why they do what they do, I think it's about time to address this thing. Yes, Lulz Security, the hacking group (or whatever they are) that's been causing quite a bit of amok on the web lately.
Thread beginning with comment 477595
RE[3]: Bah
by No it isnt on Fri 17th Jun 2011 20:12 UTC in reply to "RE[2]: Bah"
No it isnt Member since:
2005-11-14

I'm sure LulzSec can use the same argument, pointing to RIAA/MPAA/the gubmint.

My point is, however, not that your judgement is morally wrong, just that it contains no insight.

Score: 3

RE[4]: Bah
by Laurence on Sat 18th Jun 2011 01:10 in reply to "RE[3]: Bah"
Laurence Member since:
2007-03-26


"My point is, however, not that your judgement is morally wrong, just that it contains no insight."

I think he's right though and I also think we do have an insight through reasonable deduction.

We might not know directly, but we understand how DDoS attacks work and what they're normally used for (generally blackmailing - pay us or we'll take your site down).

We further know that these sites were not attacked in protest (Sony being the only exception) nor for blackmail. So that actually doesn't leave many motives.

We also know that LulzSec like to publicly advertise the fact that they were behind the attacks. If you were doing it just for a laugh, then you wouldn't necessarily want to draw excessive attention to yourself.

In fact we know that LulzSec love actively flaunting themselves in the media. From posting stolen personal details on a public site through to having the audacity to set up a telephone hot line, this sort of behaviour is intentionally antagonistic. They are deliberately provoking a reaction from people.

So yes, you are right that we don't /know/ their motives, but it's more than a reasonable deduction that a major incentive is global recognition.


If I had to speculate, I'd also say they were all kids / young adults too - with no-one in the group over the age of 25 and the majority still in their teens. However that /is/ complete guesswork based on next to no insight.

Edited 2011-06-18 01:20 UTC

Score: 3

RE[4]: Bah
by Soulbender on Sat 18th Jun 2011 05:15 in reply to "RE[3]: Bah"
Soulbender Member since:
2005-08-18

"I'm sure LulzSec can use the same argument, pointing to RIAA/MPAA/the gubmint."


Really now. Is the gubmint running around stealing data?

"My point is, however, not that your judgement is morally wrong, just that it contains no insight."


You want insight?
We need to stop idolizing this kind of behaviour. They're not "tech wizards" or "security geniuses". They're petty criminals hiding behind the comfort of their computer screen, which conveniently prevents them from actually ever interacting with their victims. Think it's hard to hack into a system and find a single flaw? That's a walk in the park. Try building systems and defenses that can't be broken into, THAT is hard and no it doesn't require hacking skills. It does however require understanding of good engineering and security practices but the industry is more interested in the whizbang gadget of the week that will magically solve all your problems or paying "hackers" to "pen test" their systems. Like Marcus Ranum I too wish it was considered cool to properly design your systems and defenses but as long as media is the way it is I doubt that'll happen. Being the "whiz kid" of the week will always be more cool even if the whiz don't really know jack.

Edited 2011-06-18 05:18 UTC

Score: 2

RE[5]: Bah
by Alfman on Sat 18th Jun 2011 06:07 in reply to "RE[4]: Bah"
Alfman Member since:
2011-01-28

Soulbender,

"We need to stop idolizing this kind of behaviour. They're not 'tech wizards' or 'security geniuses'."

To be fair, they could be those things, even if we disagree with their judgment.

"Think it's hard to hack into a system and find a single flaw? That's a walk in the park. Try building systems and defenses that can't be broken into, THAT is hard and no it doesn't require hacking skills."

Having hacking skills sure helps though. I'm not sure why someone would think otherwise?


"It does however require understanding of good engineering and security practices but the industry is more interested in the whizbang gadget of the week that will magically solve all your problems or paying 'hackers' to 'pen test' their systems."

You're trying to make a distinction between the skill sets being used for good and bad, but I'm not sure such a distinction can be made.

A university might have a course about computer vulnerabilities and network penetration, but effectively educating students about preventing attacks implies giving them insight into how attacks are executed. The same knowledge which helps foil attacks can be used to maliciously forge attacks.

Maybe they could only teach students to use the attack prevention tools without teaching them the theory behind attacks, however I'd have less confidence in these students being able to do the job of keeping the infrastructure secure - too much can slip by them.

Of course I'm not arguing the attacks are right, but it seems silly to understate their abilities.

If anything, these are skilled people who are probably under-appreciated when using their skills productively, and have turned to an underground culture where they can be appreciated.


I don't have to agree with their choices in order to understand them.

Score: 5

RE[5]: Bah - hacking skills
by jabbotts on Sat 18th Jun 2011 17:13 in reply to "RE[4]: Bah"
jabbotts Member since:
2007-09-06

I agree that it's far harder to build and manage secure systems than to find and exploit a single path into them. I might suggest though that if the person developing the system is not themselves a hacker or employing hackers they are being negligent in their duties.

Hacking and hackers are not inherently criminal; it is a set of skills applied to any topic of interest and in the majority of cases, applied in a perfectly legal manner. In terms of security hackers who work within the law, they should be considered a natural resource. They should be employed to design and test systems. If you are not employing hackers on your own sys admin team and/or having third party pentests done by hackers how can you possibly claim that you've designed and hardened your systems in any kind of responsible manner?

Heck, if you're federally employed, FISMA makes it a legal obligation to be responsible and prove your systems secure through proactive testing. (which does bring into question these federal systems that are broken into so easily let alone older cases of widespread use of default passwords and similar stupidity.)

Not contracting people who now have a criminal record; that's fair. There are lots of law abiding hackers out there to hire or contract.

Score: 2