
LulzSec: Why we do what we do - ssclafani
http://pastebin.com/HZtH523f
======
trotsky
OK, so for the remaining 3 people out there who were pathologically not paying
attention, computer hacking is easy. The state of computer security is poor.
LulzSec deserves a medal and a chest to pin it on for breaking this news to
all of the people who don't have a Facebook account, have never been on IRC,
didn't see the movie WarGames, don't know anyone who plays World of Warcraft,
have never read the New York Times, have never heard of China and have never
heard anyone utter the word "Stuxnet".

For the rest of us, it's pretty tedious.

There's another situation that fits the general parameters of what they
describe. Almost no one is protected against it. Being a gunshot victim.

At least in the US, pretty much anyone can get their hands on a handgun either
legally or illegally. Almost anyone can use one with a bare minimum of
instruction. And almost no one is protected - if you pick a name out of a hat
of all America, pretty much any possible outcome will be dead easy to track
down, stalk, find the right opportunity and shoot dead. And a vanishingly
small number of shooters makes an announcement about the whole incident on the
Internet.

But, all that said, if you go around shooting people for no real reason and
bragging about it you're assuredly a psychopathic asshole.

~~~
dexen
The gunshot analogy fails hard. LulzSec pre-empted at least half of it, by
stressing how harm occurs quietly all the time. Data gets stolen or destroyed
and we just don't know it.

Unlike a gunshot wound, where a person lands in a hospital, or morgue, or goes
missing, data can be, and indeed is, copied quietly. Of gunshots, people are
informed most of the time; of security breaches, barely ever. Cops investigate
most gunshots, but do they know of most security breaches?

The big hope is the press will at last start paying attention to (in)security
of our data. Thus the headline-grabbing tactics.

The other half is that corporations don't shoot people, people shoot people.
And to wit, people don't store 200.000 bank accounts on a web server,
corporations do. You can -- and should -- hold corporations to a somewhat
higher standard when it comes to affording decent protection for customers.
It's no coincidence LulzSec weren't after granny-loves-her-cat blogs, but
after commercial services.

~~~
rgbrgb
Corporations most definitely shoot people...
<http://en.wikipedia.org/wiki/Military>

~~~
hugh3
This is what I mean when I say that bad conversation drives out good.

------
migrantgeek
I agree with showing how poorly secured websites are and how easily our
information is distributed even when we think it's private.

What I don't agree with is their use of DDoS attacks against sites like
cia.gov.

DDoS attacks are pointless. All they point out is how a site has limited
resources for dealing with so many concurrent connections.

Sites should deploy onto an infrastructure they feel is adequate to deal with
the expected load plus some additional room for growth and spikes.

I'm sure cia.gov doesn't get hit very hard on a normal day so they didn't
go crazy on infrastructure which is understandable. A DDoS proves nothing and
prevents people from accessing data.

If you're going to hack, please wear a white or grey hat.

~~~
mentat
There is a need to develop systems that aren't subject to DDOS (at least the
current generation). It used to be very easy to DOS anyone's _network stack_
(think SYN flooding). If people hadn't shown that it was an issue by doing it,
the Internet would still be running on stacks that were trivial to undermine
many different ways. Saying that something is easy to do and has a tremendous
impact is an engineering problem statement. Demonstrating it shows that it's
also a business problem. This is how things get fixed, when people get tired
of being instantly knocked off the Internet by .4% of the LulzSec DDOS
capacity. The Internet still has some basic problems; ignoring them won't make
them go away.

~~~
someone13
See, is there a practical way to "fix" the problem behind a DDOS? More
specific attacks (slowloris, SYN flood, ping of death, smurf, and a laundry
list of other stuff) can be fixed by simply introducing changes to the
infrastructure that makes such things possible.

But a DDOS attack is, at heart, nothing more than a brute-force attack -
flooding a single website / IP with so much traffic that it can't respond. No
matter how much fancy technology you add, if you have a 100Mbps link, and
someone's sending 1Gbps of data at you, you're out of luck.

And, yes, I realize that there are companies that specialize in protecting
against DDOS attacks - generally, they move content to a CDN and use some
intelligent filtering to drop packets (i.e. people that request multiple times
in succession, etc.). But this still is reliant on the fact that their
connections are large enough that they can actually process all this data.

If a large country decided to use all its available Internet bandwidth to
DDOS, there's not much anyone can do about it.

In short: DDOS attacks will likely always be around - they might require
higher bandwidth (country-scale or thereabouts), but it's not "fixable".

~~~
mentat
So let's think about how traffic gets onto the network and what steps might
make sense to limit that. I have some "crazy" ideas about this including per
device reputation enforced as close to the device as possible. Yes, if we say
that anyone with any sort of device can send data to anyone then this will be
a problem. There are other options including different sorts of "darknet" type
things. Are there no "outside the box" type solutions that you can think
through the tradeoffs for? I think the underlying assumption you're working
with, that anyone anywhere on the network should be able to drop an unlimited
amount of data onto the link headed to me as a rule of how things must forever
work needs to be justified.

~~~
zacharypinter
It'd need the help of browsers or OSes (depending on where in the stack you
put the logic), but one idea might be to require requests/packets to be signed
by something that proves a sufficient amount of CPU work has been done (à la
Bitcoin). If the site comes under attack, they could turn this on (presumably
with a middle-man service that can take high bandwidth) and up the amount of
work required to reach the destination. This would no doubt slow things for
the legitimate users, but it could make things much more difficult for the
attackers.

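The mechanism sketched in the comment above is a client puzzle (hashcash-style proof of work). The following is an added example, not code from the thread or from any product: the server issues a stateless challenge bound by an HMAC to the client identity (assumed here to be the source IP), the issue time and the required difficulty; the client must find a nonce whose SHA-256 has that many leading zero bits; the server verifies with one HMAC and one hash whatever the difficulty. The secret, client ids and difficulty values are constructed for the demo. Note what it does and does not buy: it raises the attacker's per-request CPU cost and lets the operator dial the difficulty up under load, but every request still has to arrive on the link, so it does nothing for raw bandwidth floods.

```python
import hashlib
import hmac
import time

# Constructed demo secret; a real deployment loads this from a key store.
SECRET = b"constructed-demo-secret-not-for-production"


def issue_challenge(secret, client_id, difficulty, now=None):
    """Server side: hand the client a stateless, MACed puzzle.

    The tag covers the issue time, the difficulty (leading zero bits) and the
    client identity, so a client can neither lower the difficulty nor reuse a
    puzzle issued to someone else. Nothing needs to be stored server side.
    """
    ts = int(time.time()) if now is None else now
    msg = f"{ts}:{difficulty}:{client_id}".encode()
    tag = hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]
    return f"{ts}:{difficulty}:{tag}"


def leading_zero_bits(digest):
    """Number of leading zero bits in a hash digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def puzzle_hash(challenge, client_id, nonce):
    return hashlib.sha256(f"{challenge}:{client_id}:{nonce}".encode()).digest()


def solve(challenge, client_id):
    """Client side: brute-force a nonce. Returns (nonce, hashes_tried).

    Expected work is about 2**difficulty hashes; this is the cost the
    scheme pushes onto every requester, attacker or not.
    """
    difficulty = int(challenge.split(":")[1])
    nonce = 0
    while leading_zero_bits(puzzle_hash(challenge, client_id, nonce)) < difficulty:
        nonce += 1
    return nonce, nonce + 1


def verify(secret, client_id, challenge, nonce, now=None, max_age=60, seen=None):
    """Server side: constant cost (one HMAC + one SHA-256) regardless of difficulty.

    Rejects forged or tampered challenges, challenges older than max_age
    seconds, insufficient work, and (if a `seen` set is supplied) replays of
    an already accepted (challenge, nonce) pair.
    """
    try:
        ts_s, diff_s, tag = challenge.split(":")
        ts, difficulty = int(ts_s), int(diff_s)
    except ValueError:
        return False
    msg = f"{ts}:{difficulty}:{client_id}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]
    if not hmac.compare_digest(expected, tag):
        return False
    current = int(time.time()) if now is None else now
    if not 0 <= current - ts <= max_age:
        return False
    if leading_zero_bits(puzzle_hash(challenge, client_id, nonce)) < difficulty:
        return False
    if seen is not None:
        if (challenge, nonce) in seen:
            return False
        seen.add((challenge, nonce))
    return True


if __name__ == "__main__":
    # Constructed client id; difficulty 16 means ~65k hashes for the client.
    client = "203.0.113.7"
    for difficulty in (8, 12, 16):
        ch = issue_challenge(SECRET, client, difficulty)
        nonce, tried = solve(ch, client)
        ok = verify(SECRET, client, ch, nonce, seen=set())
        print(f"difficulty={difficulty:2d} client hashes={tried:6d} server verify ok={ok}")
```

Raising the difficulty by one bit doubles the client's expected work while the server's verification cost stays flat; that asymmetry is the whole point, and the `seen` set is what stops a solved puzzle from being replayed for the rest of its validity window.
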
~~~
cube13
This really doesn't solve the DDOS problem though. It's throwing more CPU time
and bandwidth at a scenario that already requires both of those. It can slow a
small group of script kiddies making a thousand requests to your server per
second, but it doesn't stop an actual distributed attack using a botnet or
large numbers of machines.

If you're adding the signatures, you presumably need to spend CPU time to
authenticate it, and bandwidth to send the data, plus the actual content. Why
not just have the middle-man soak up the extra requests, cache the data, and
fan it out that way?

------
scythe
>People who can make things work better within this rectangle have power over
others; the whitehats who charge $10,000 for something we could teach you how
to do over the course of a weekend, providing you aren't mentally disabled.

This is a common complaint among blackhats: they see whitehats as being in the
game for the money and taking advantage of the unenlightened as much as they
[the blackhats] themselves do.

I don't really know what to make of it.

~~~
huckfinnaafb
Blackhats can cost organizations way more than whitehats would charge in
operating costs, personal identity theft, and reputation.

Whitehats are only taking advantage of the unenlightened as much as a mechanic
is taking advantage of someone who doesn't know anything about cars - they
provide experience and expertise and offer a service for a high price - at
least, a higher price than if the client knew how to fix it themselves.

~~~
webXL
I love it when the economically illiterate attack others for "price gouging"
as if the third party doesn't have a choice in the matter or they aren't
"unenlightened" enough to properly appraise the value of what they are buying.

How do I know that my jeweler isn't gouging me on my fiancee's 2 carat diamond
ring? Because I know that there's a fixed quantity of available diamonds, and
almost everyone would buy them at a given price. And if I need to verify that,
I can go to the jeweler down the street. Everyone would buy security
consulting at a given price, but that quantity is even more limited than 2
carat diamonds.

Why is my house worth a third less than what it was 3 years ago? Because
there's at least a third fewer potential buyers than there were when I bought
it. I wasn't "price gouged" or fooled in either instance.

Whitehats specialize in security and it frees up our time to specialize and
produce excess value for others. It's not a conspiracy. If Steve Jobs and
LeBron James aren't tricking people into giving them money, neither are
whitehats. It's the free market and, believe it or not, it produces wealth.

~~~
beedogs
Funny that you use diamonds as an example, when the diamond market is one of
the most rigged institutions on the planet.

Your jeweler is _always_ gouging you when you buy diamonds.

~~~
webXL
Just because a cartel exists somewhere in the supply chain doesn't mean I have
to participate in the transaction or my perceived value of it is artificially
inflated. The two carat ring was just hypothetical, but there are plenty of men
who value those rings more than the asking price, and their wives appreciate
that. (at least the sensible ones do)

------
dgabriel
Adorable. They're bullies and proud of it. It's one thing to call out security
exploits, and quite another to take great joy in causing others pain.

~~~
getsat
> to take great joy in causing others pain

This happens far more often than people realise.

~~~
ZeSmith
Still does not make it okay.

~~~
DannoHung
What if you're a second-generation schadenfreudist? I take pleasure in the
pain of those that take pleasure in the pain of others.

~~~
wadetandy
I think that's called Schadenfreudefreude, or perhaps Schadenfreude^2

------
bh42222
And I just realized what it is about LulzSec that's bothered me. I couldn't
quite put my finger on it, but now I realize deep down they are nihilists.

That's a damn shame.

What seemed most admirable about Anonymous is that as much as they were also
in it for lulz and pure chaos, underneath there seemed to be a kind of
idealism. Idealism is seductive, nihilism is off-putting.

~~~
chriserin
Or maybe that Anonymous idealism was a fraud and lulz, as peers, could see the
hypocrisy much clearer, as everybody in their community likely does what they
do because of the thrills and ignores the pain caused. Lulz admitting it is
likely taking the high road? Or is that too tortured a twist?

~~~
bh42222
Perhaps anon was also pure lulz with absolutely nothing else behind it. But I
vaguely recall their writing to be strongly pro freedom. And their most
prominent vandalisms seemed to be an attempt to make a point about basic
rights and freedoms.

When LulzSec state that they don't care, and don't even care if they get
arrested, that's definitely nihilistic and kind of sad.

Certainly they too in their juvenile ways were close to making a good point. A
point about shocking incompetence when handling and storing sensitive customer
data. A point about unethical behavior in government. And I believe them when
they say they have stuff that they've chosen not to release. So they are not
in fact true sociopaths or true nihilists. I guess that makes it even sadder
when they say they don't care about anything but lulz.

------
edw
Raise your hand if you're hesitant to write what's on your mind for fear of
receiving some special attention from Anonymous, LulzSec, and friends.

~~~
mentat
The impact of their attacks has more been a strong motivation to "get my house
in order". I'd been using LastPass for some time but decided that I should get
the YubiKey for two factor auth. I also started becoming quite a bit more
vocal at work about the sorts of things it might be a good idea to take a
closer look at. This is a wake up call for what's already happening. They just
decided to do it and tell the public instead of sitting, waiting, and letting
people continue to feel safe. If there's danger and it's at your doorstep,
it's good to feel not safe.

~~~
nextparadigms
Wasn't LastPass hacked earlier this year?

~~~
mentat
They saw some things they believed might be brute force attacks against weak
passwords, so they reset the passwords of people who the attempts had been
directed against. They also changed the way they handled repeated password
failures to be even more strict. The basic database was not compromised and
the passwords in the database are encrypted with the master password for the
account so they'd have to be broken account by account.

------
diminoten
This smells to me like a hastily conjured rationalization for a series of
attention-seeking acts wrought by a small group of disenfranchised industry
workers who have something to say, but they're just not articulate enough to
voice it so they blow shit up instead.

~~~
hugh3
_a small group of disenfranchised industry workers_

Do you really think they're industry workers? I'd peg most of them as high
school kids. Probably with the occasional creepy thirty-something thrown in
for good measure.

~~~
gabaix
Exactly. High schools have a strong envy for anarchy - trying stuff for fun. I
think most readers here went through that phase and forgot about it. Flirting
with the borders is fun. We did not realize the consequences of our acts.

------
noonespecial
Why we do what we do: We're 15, unsupervised, and behaving badly.

Do they really need a manifesto?

~~~
snorkel
This missive strongly reeks of teen spirit. Guess we'll find out when the FBI
perp walks them in front of the cameras.

~~~
puredemo
No one that young would have the capacity to understand some of the contextual
references required to write this piece. If you pay attention to the way
LulzSec writes and words things, they aren't at all immature in their thinking
or worldview. Ceasing to give a fuck about perceived trivialities is something
that comes with age and seeing how the world really works. The confidence they
have came with age as well. Neither is a sign of youth whatsoever.

I'd guess mid-thirties for these guys, at least for whomever is putting out
their twitter updates. This is someone who is basically immune to
white-knighting and is a truly hard-core realist. It takes quite a while for
someone reasonably intelligent to become that cynical, and then a while longer
for them to act on it.

Anyway, I'm a fan of these guys. While I wouldn't do what they are doing
myself, I certainly understand the mindset. I'm not quite sure I understand
the arguments against what they're doing. The knee-jerk reactions of wanting
to call them wrong frequently seem more immature to me than their recent
campaigns. The real world is messy, and LulzSec's work is a valid reflection
of that.

As far as the comparisons to sociopathic thinking, that's just ignorant.
Sociopaths generally don't care about anyone but themselves and that's
obviously not the case here. A sociopath would never release any of this data,
and would simply use it for their own advantage, regardless of who was harmed.

LulzSec is gleaning entertainment here from the unwashed masses to be sure,
but they aren't out there enslaving people with debt, indoctrinating them with
religion, shooting them for protesting, putting them in cages for drug
offenses, etc. All of which is completely legal, and in my opinion, far more
sociopathic than releasing some bits of personal data or playing a few practical
jokes on people.

------
saulrh
Might want to change the title to something like "LulzSec actually had a point
after all." They do, too, an even better one than I expected. Not only are
they making a point about how terrible security is ("Do you think every hacker
announces everything they've hacked?"), but they've also called out the
internet on its generally abysmal attention span. I wouldn't be surprised if
they'd had this written on day zero.

~~~
hollerith
That's not the most important thing I took away from the submitted link.

To me, the important thing is that LulzSec says that it derives _pleasure_
from causing _harm_ to people -- like the people who used to add poison to
bottles of Tylenol, package the Tylenol back up again and place it back on the
supermarket shelf. Although they could be saying that to cover up their real
agenda, most writers (and especially most writers who have the tech skills
needed to do what LulzSec has done) could not fake an admission of this sort
as well as this text would have to have been faked.

Since it is natural human behavior to rationalize an antisocial motivation
with a more socially-acceptable cover story, you would expect LulzSec to say
things like, "We are doing this to bring public attention to how terrible
security is." But if it is a rationalization, and it sure seems that way to
me, surely it would be a mistake to focus on it and not the true motivations.

>they've also called out the internet on its generally abysmal attention span.

What a surprising interpretation! I interpreted the parts about boredom as a
continuation of the author's honestly disclosing his own motivations, not
anything about internet users in general.

~~~
thomasz
Let's not overblow things. They don't kill random people, they carry out pranks
which can cause emotional and maybe financial distress, that's all.

------
Djehngo
Initially I thought the disclosure argument they made was weak (we hack stuff
because when we announce it similar companies will be more careful) because
unless they cause enough trouble to make security an immediate priority for a
given non-targeted company, then it's unlikely that they will overcome that
company's inertia.

However I realised that I have become significantly more careful with password
reuse now because there are no companies I absolutely trust to keep my
information from leaking out.

------
bwaaa
LulzSec seems to be just a group of teenagers that have actually nothing
special to say. As they want to be like the grown-ups, they try to add a
message behind their acts, but there is no message, no morality. If they were
real hackers and not only prepubescent teens, they would not justify their
action by any manifest, they would just act, no matter what people say or
think. Their vocabulary is also proper teen vocabulary: "bitches" "mentally
disabled" "evil bastards" "we nom nom nom, we move onto something else that's
yummier" "unimpressed zombie" "Watching someone's Facebook picture turn into a
penis and seeing their sister's shocked response is priceless" "Receiving
angry emails from the man you just sent 10 dildos to because he can't secure
his Amazon password is priceless.". They don't know how to write, their
sentences are full of repetitiveness, the vocabulary is poor.

LulzSec is just a group of teenagers (or someone alone). And they are really
really funny. (This is not a compliment..)

------
crux
When are the internet tough guys of the world going to tighten up their prose?
This third-rate Patrick Bateman routine is so fucking old at this point. There
is no easier way to mark yourself as a barely socialized child barely capable
of any critical thought than to try out that ridiculous, outdated,
unconvincing pose at being this cynical, wise, best-informed übermensch above
all morals. It's not a good look.

------
_emice
From what I've been reading the attacks were not sophisticated, mainly using
SQL injection. Many here on HN understand that kind of threat but it seems
lots of companies and important services don't. Is it possible that the
attention shone on these simple/trivial hacks will cause those less security
conscious admins to get rid of that low hanging fruit?

If so, it should help reduce the impact of a broad, simultaneous attack across
many sites from much more dangerous foes. I am not saying it is right, but it
may be more effective than the legislation our Congress comes up with to
protect us, with fewer nasty side effects.

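The "low hanging fruit" the comment above refers to is string-built SQL. As an added example (not code from the thread, from LulzSec or from any of the sites discussed), here is the defect and its fix side by side in Python with an in-memory SQLite table: the vulnerable lookup pastes the username into the query text, so a crafted username becomes part of the SQL, while the safe lookup passes it as a bound parameter, so the database only ever treats it as a value. The table and its rows are constructed for the demo.

```python
import sqlite3

# Constructed sample table: two users with (already hashed) passwords.
SAMPLE_USERS = [
    ("alice", "$2b$12$constructedhashA", "alice@example.com"),
    ("bob", "$2b$12$constructedhashB", "bob@example.com"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_email_vulnerable(conn, username):
    """Injectable: the caller's string is spliced into the SQL itself.

    A username such as  x' OR '1'='1  turns the WHERE clause into a tautology
    and the query returns every row in the table.
    """
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_email_safe(conn, username):
    """Hardened: the value travels separately from the query text.

    With a bound parameter the driver never re-parses the username as SQL,
    so the same crafted string simply matches no user.
    """
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"
    print("vulnerable, normal input :", lookup_email_vulnerable(db, "alice"))
    print("vulnerable, crafted input:", lookup_email_vulnerable(db, crafted))
    print("safe, normal input       :", lookup_email_safe(db, "alice"))
    print("safe, crafted input      :", lookup_email_safe(db, crafted))
```

The fix costs nothing at runtime and needs no input "sanitising": parameter binding is the mechanism the database driver already provides, and it is what a code review or a grep for string concatenation next to `execute` should be looking for.
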
------
oliveoil
This thing must be fake. I thought they were doing it for the lulz.

------
jjm
How do we enforce that these companies (such as banks) utilize proper security
protocol (within reason of course)?

Some would say, "With your wallet!". But what happens when it's your wallet
that gets stolen (electronically)?

What do you think?

~~~
TeMPOraL
Unfortunately, I've never seen the "vote with your wallet" concept work[1],
neither on the Internet, nor in real life. When a company misbehaves, there's
usually a big group of their customers which doesn't know about it, and
another (maybe a little smaller) group, that doesn't care at all (or enough[2]).
It's an interesting issue I have no idea how to fix...

[1] - if you know any examples, I'd be glad to hear them.

[2] - "Maybe this company is bad, but hell, the competition is 10 minutes
further walking from me...", etc.

~~~
pingswept
In real life: <http://en.wikipedia.org/wiki/Disinvestment_from_South_Africa>

~~~
TeMPOraL
Thank you for the example.

Still, it seems to have taken a lot of convincing of people and companies
before it started to work.

------
floppydisk
When it comes to security, you run into IT departments being the red-headed
stepchildren of the corporation and NIMBY (not in my backyard). It's a lot
easier and cheaper to stick your head in the sand and pretend nothing is
happening or you have some mitigating factor that discourages people from
going after you, be it size (minuscule for instance), participating in a niche
market, etc. It's a lot easier and cheaper to do an ostrich than actually
spend the money on decent security.

------
hnsmurf
This is classic psychopathic behavior. Instead of torturing people physically
to see them squirm they're doing it digitally, but the same lack of empathy is
there.

------
Bertil
Why is this text the first one from Anonymous et al. that doesn't move me, at
all? They sound odd, using a “we” to include all ‘digital natives’ while I
never heard anyone under 25 use “we” before; they mention (two girlfriends')
faces on MSN, but I never heard of a webcam on MSN; I never heard of anyone
actually enjoying a show calling it “we want our shot of entertainment”.

------
MatthewPhillips
Just a question: if all they were doing was manipulating URLs (and I know
they've moved beyond that) would they be doing anything illegal?

~~~
tomp
Yes. If I leave the door to my house unlocked, it doesn't mean that it is ok
for you to come in without my permission.

~~~
Deestan
Morally, it's also not just _how_ you break in, but what you do afterwards.
I.e. if you prevent more harm than you do.

If you enter the unlocked door and write "HI YOU FORGOT TO LOCK YOUR DOOR"
with lipstick on the bathroom window, you're alerting the owner to a bad
security practice by giving them a good scare. It is A Good Thing, because you
likely prevented them losing their stuff.

If you enter the unlocked door and start smashing and stealing stuff, you are
technically still alerting the owner to a bad security practice, but it is now
A Bad Thing. By "being" the worst case, you only guaranteed something that was
only _likely_ to happen.

~~~
tomp
Morally, I agree completely. But I'm afraid that the legal system may not.

------
Wickk
This just reeks of arrogance

------
scilro
They need to bring in someone who can write without seeming like a 12 year old
who grew up on 4chan.

------
doyoulikeworms
Their campaign is about reaching out, eliciting a response, and then reveling
in the emotional connection they've created with another anonymous soul across
this tangled mass of copper and silicon.

In other words, for the lulz.

------
chmike
This seems so fishy. Perfect timing considering the last 24 months events. I
think it was unavoidable and we'll have to face it and get ready for the
consequences.

------
foysavas
Who else has a hunch they don't yet have access to Brink accounts, but instead
have access to log files that would reveal passwords when users now change
them?

------
quark92
Whatever their excuse to hack companies is, it is illegal, it is a crime and
should be punished. If they want to pay attention to security, then they can
establish an organization and give away free courses about security and privacy
in a legal way instead of breaking laws and stealing people's information. Black
hat methods would never be agreed to improve security and privacy.

------
madmaze
I think we have found the LulzSec hacker manifesto.

------
tobylane
"This is the lulz lizard era"

Yes it is. What the fuck is it? Nightowl would be more believable, and true.

------
adamdecaf
> "suggests...our actions are causing clowns with pens to write new rules for
> you. But what if we just hadn't released anything? What if we were silent?
> That would mean we would be secretly inside FBI affiliates right now, inside
> PBS, inside Sony... watching... abusing..."

Isn't that happening right now and by the people with pens?

------
yters
Hey, if people really want a secure internet I believe the government would be
more than willing to lock it down for us.

That's all that's going to happen as kids like Assange and Lulzsec keep up
with their criminal shenanigans. Governments are going to say, "Enough is
enough!" and lock it down like in China.

------
sigzero
We don't care. Just stop please.

------
nsomaru
The last line got me a giggle

------
majmun
These kids should be punished by pulling their ears, or beating them with a
branch. They're too young for prison.

------
SSHisForWienies
Any wall can be broken, but it doesn't mean that anyone who breaks a wall is a
hero. What I wonder about more is why China infiltrated the group.

------
shareme
They seem somewhat clueless..

If the NSA can partner with ISPs to scan internet traffic for phishing,
viruses, etc ...the obvious next step is Lulzsec mentions or member
mentions...in IRC, email, etc..

There is no such thing as hiding when attacking the internet, sooner or later
you become the bitch

~~~
getsat
It's good for the NSA that there's no way to securely communicate over an
insecure medium. It's also convenient that all Internet infrastructure exists
inside the USA.

~~~
__rkaup__
You are being ironic. It actually _is_ possible to communicate securely over
an insecure medium, and not all the internet's infrastructure is in the USA.
Am I right?

~~~
getsat
Your sarcasm detector is working normally. :) Not sure why your irony detector
is going off, though.

