Hacker News new | comments | show | ask | jobs | submit login
LulzSec supposedly claims its biggest coup yet: The entire UK 2011 Census (thenextweb.com)
192 points by mopoke 1950 days ago | hide | past | web | 150 comments | favorite

LulzSec The Lulz Boat

Oh well, just because we want to waste government and local authority investigation time: we hacked every website in the world. Enjoy!

11 minutes ago

LulzSec The Lulz Boat

I'm not seeing "we hacked the UK census" on our twitter feed or website... why does the media believe we hacked the UK census? #confusion

13 minutes ago

LulzSec The Lulz Boat

Not sure we claimed to hack the UK census or where that rumour started, but we assume it's because people are stupider than you and I.

LulzSec The Lulz Boat

Just saw the pastebin of the UK census hack. That wasn't us - don't believe fake LulzSec releases unless we put out a tweet first.

hi Lulzer, nice to here your voices, :)

According to their Twitter, they haven't hacked the Census. Seems like someone was spreading false information...





Those tweets were deleted. Here's the official word:

"Just saw the pastebin of the UK census hack. That wasn't us - don't believe fake LulzSec releases unless we put out a tweet first."


When you post a tweet, how much information does twitter have about you? An IP adress, what platform you use, etc.

I'm just curious, because Lulzsec posts frequently and I wonder if law enforcement could subpoena twitter in attempts to catch these people.

During the 'hunt' for Wikileaks the U.S. has subpoenaed Twitter for info about supposed supporters.[1] In the case of Lulzsec this will have very little use though, as they use VPN's to hide their IP [2].

[1] http://www.wired.com/threatlevel/2011/01/twitter/

[2] http://lulzsecexposed.blogspot.com/2011/06/scared-puppies.ht...

they use VPN's to hide their IP

The FBI routinely uses software exploits to install something called CIPAV on the remote client computer to retrieve forensics data and negate the effect of proxies, vpns, tor, etc.


Twitter almost assuredly has the ability to push a custom iframe or similar based on who is logged on to support these kinds of government payloads. In the case the wired article references myspace directly assisted.

Surely being more security paranoid than usual should make it harder for an attack like this to succeed, but if the feds get pissed enough it's not unthinkable that they could get access to a targeted zero day to use.

It's pretty much useless if the tunnel is on another machine and/or it's firewalled properly.

It's no secret that the @lulzsec account is controlled by former Anonymous spokesperson Topiary (http://twitter.com/atopiary), whose identity is not publicly known, though it has been anonymously claimed that he or she is Daniel Ackerman Sandberg.

atopiary: "Dear press: I have Russian launch codes, motherfuckers. Come at me bro. I will blow your asses out of the sky you fuckers." lol

I'm sure they aren't connecting to twitter directly.

I wonder how long it will take before someone compromises their Twitter account.

Given LulzSec seems to post their hacks on twitter, that there's no way of validating who posted the PasteBin item and that the Office of National Statistics hasn't reported the loss, its probably best to wait and see something a little more convincing.

I wrote the article and have been trying to trace the authenticity of the release. I am still waiting to hear back from the Office of National Statistics, which at the time were unaware of who LulzSec even were.

I contacted them a little over two hours ago, I haven't received a response, yet.

Knowing a little of the internals of ONS...

It may take them a while to figure out what a "computer" is and how it might be "hacked". You could be waiting some time :)


Just got off the phone to them. Issuing a statement very soon. Will update both the article and on HN.

In related news, the "Mastermind" behind LulzSec has been arrested: http://thenextweb.com/industry/2011/06/21/suspected-lulzsec-...

Looks like Sophos are instigating PR damage control already: https://twitter.com/#!/gcluley/status/83121318723194880

It also has the Bethesda and US senate links in the end, making this look more like copy-paste of an older release. This is inconclusive though since the real LulzSec might copy paste from an older release to get all the ascii art.

Yes, also the phone number is wrong. That number doesn't work anymore.

I've wondered how many individuals and groups out there post things in the name of other security groups to distract attention from (or direct it toward) themselves. Maybe everyone should start signing their releases with a private key.

Goodbye plausible deniability...

I haven't seen "Census" mentioned in their twitter feed (yet), so as far as I know the only source is a bit of anonymous text on pastebin. Anyone could put that there.

They are mentioning something they've got though, in similar language to the pastebin. I think it unlikely they'd have managed to acquire the full census, but I think it's probably quite possible they've got ones submitted online.

Full statement:

We are aware of the suggestion that census data has been accessed. We are working with our security advisers and contractors to establish whether there is any substance to this. The 2011 Census places the highest priority on maintaining the security of personal data. At this stage we have noevidence to suggest that any such compromise has occurred.

This whole escalating security situation has me thinking that IT security is heading down the same path as the War On Drugs. I wonder if ten or twenty years from now we'll see petitions to legalize hacking tools after we see a resurgence in security breaches following the criminalization of "hacking tools"...

If this is true then I am suing Lockheed Martin under the Data Protection Act.

There's jurisdiction for that?

If their servers have been compromised to leak the data, should be. They ran the survey and UK and European data protection law makes data leaks the responsibility of the data holder.

They were one of the first companies to admit that the RSA SecurID exploit compromised them over the past months, too.

Link to story: http://www.networkworld.com/news/2011/052611-lockheed-martin...

Yes, they will probably be the information controller under the DPA and have to be extreamlly careful that our data is safe. Even keeping a copy in a non EU country is very hard.

US companies can store data from EU countries if they comply with the "Safe Harbour" principles. Organisations can self-certify and as yet no company has been challenged as failing to meet the guidelines.


Why would jurisdiction enter into someone in the UK suing the company that processed the UK census data? Thier data. I don't know if antihero is in the UK, but if they aren't, people in the UK should do it instead. I am disturbed that my data could leak like this.

I'm in the UK and for some crazy reason filled out my census correctly, so yeah, I think there's grounds for DPI lawsuit action.

Well, the crazy reason is the threatened fine of up to £1000.

I didn't fill mine in, whoops

As you would expect, there is a legal entity for Lockheed Martin in the UK. Unless there is some crazy immunity for companies working on government contracts (which wouldn't surprise me) I don't see why they couldn't be sued.

I'm leaning toward "hoax." Lulzsec has been reasonably competent writers so far, and the bizarre placement of "blissfully" makes that either incompetent or some kind of steganography. That, added to the lack of tweet, makes me doubt.

Of course, it could still be some anon who actually does have the census data, and considers himself lulzsec-affiliated.

Also according to their twitter the number listed in the pastebin has been suspended, and they have a new one (not in the pastebin).

The writing style does seem different, sentences in this release aren't terminated in some cases, whereas those from officially corroborated releases always are.

Why can't anyone bother to sign their press releases, it's not like it's the 60s.

Plausible deniability? (assuming you meant to cryptographically sign the press releases.)

Hmm, good point.

If true, this will be a massive coup and regardless of how they obtained the records, LulzSec will get all of the significant negative attention they so badly crave.

I submitted my census info via the online form and given the amount of detail I included I would be terrified if that info was leaked.

Imagining that the release is true, this will do strange things for pay bargaining. Imagine if you could look up your colleagues before asking for a rise? On the other hand, I don't recall anything really horrific on that form. Enough data to steal my identity and take out a mortgage in my name, yes. Enough to embarrass me? no...

There may not be anything in there to embarass me but there is unequivocally enough in there for someone to steal my identity and ruin a credit rating I've been working extremely hard to build over the last three years.

Essentially if every person in the UK was open to identity theft then this would be an extremely serious issue. Which it could be.

What info from the census would enable someone to steal an identity? From the looks of it there's only DoB and address in terms of personal info...

Childrens names & DoB, previous addresses, employment status, national insurance number. That info alone is enough for someone experienced to do damage.

Isn't that info relatively easy to obtain from most people anyway? Not on such a large scale of course.

You can obtain that sort of info, by dumpster diving say, but not in anything like the scale.

Imagine that you can get this info and a pretty good idea of salary and lifestyle by running a db search in a few seconds. You can easily focus your attention on the most lucrative propositions and get info from even those that are careful to not put such info out there. Census completion is a legal requirement, everyone should be on one.

I can easily imagine looking up my colleagues salary, because here in Norway you actually can. (Well, you can look at how much tax they pay, and various websites convert that into an estimated salary)

I don't find it particularly interesting, though. People earn around what you expect them to earn.

I don't remember salary being requested on the UK census...

It did ask for the household annual income. It also asks for the job title of the various householders so with a small bit of market info you could easily discern who earns what. Regardless, salary info would be the least of my concerns.

You're right. I must have been confusing it with the litany of forms & processes I went through after our son was born. Good find.


Job title, Occupation, Employees managed.

You didn't look very well ;0)>

I remember particularly as this sort of question is hard for me as I don't really have a job title, my occupation is extremely varied.

And what is exactly that is of your concern?

Why would you be terrified? There isn't that much information on the census form - name, age, address, nationality and employer, roughly.

It includes information on income and health, those are the really nasty bits to have leaked as far as I can remember.

Apart from the obvious ID theft risk.

Name and DoB of everyone in a household alone can make it much easier for someone to pose as you to say a credit card company.

Aren't these already in public records in the form of birth certificates and, if you own property, the title deeds?

So what's the worst possible outcome here in terms of the UK government's reactions? Fast-tracked arcane legislation to make security tools illegal like they are in .de ? Broadening the terms of hacking and increasing the legal penalties? If LulzSec aren't trolling the world and they do indeed have these records I would imagine there is going to be one hell of a shitstorm in the coming weeks.

How about holding the companies who were supposed to secure the data fully accountable?

It would be just another excuse to get the Internet ID implemented. MAFIAA has been pushing for Internet ID since years now and a number of politicians are in favour. Must admit that every time I read about the latest Lulsec activity I cannot help but think that MAFIAA is behind all this.

I'd say the opposite will happen. The government will not be able to set up anything which requires a massive secure database for quite a few years. Every time they claim they can set up a secure database, the 2011 census leak will be brought up.

If they will implement the Internet ID in the same way as they implement their current security (assuming the leak is real), then there is no need to worry...

I don't think so, this is the government that wants to pass the Freedom Bill: http://freedom.libdems.org.uk/

Hilariously, that url returns "403 forbidden."

Google doesn't seem to return anything on that domain.

Here's the text of the freedom bill:


Seems pretty nice. I dread to think what they'll have to trade the tories for it though.

Don't forget that Teresa May's first act when the Tories won the election was to scrap national ID cards and order the database destroyed.

This was the first census where you could submit details online. I wonder if it was these records? Would be surprised if they had even finished scanning the paper ones yet, but the UK governments security record is not good. They contracted it to Lockheed Martin, who also do the US census, so presumably reused the software?

LM was penetrated few days before census day. Maybe the left some back doors? http://www.ibtimes.com/articles/154078/20110529/lockheed-mar...

In all likelihood it was probably compromised through some other means than the software. I'm sure the software got a lot of attention in terms of security but surrounding systems were neglected.

With the amount of hacking that is flooding the news recently, I would like to learn about database security. What are some good books/tutorials/videos on how to make databases more secure?

The Web Application Hacker's Handbook is most widely cited in a more general sense. I'm reading it myself at the moment - http://www.amazon.com/Web-Application-Hackers-Handbook-Disco...

SQL injections seem to be the prominent exploit by them.

Not in any order of popularity:

1. Brute-force (or not) cracking of weak or default usernames/passwords

2. Privilege escalation

3. Exploiting unused and unnecessary database services and functionality

4. Targeting unpatched database vulnerabilities

5. SQL injection

6. Stolen backup (unencrypted) tapes


I believe that most databases are secure, especially the open source ones.

What you should be careful about is the things surrounding the database: the .php files (or whatever) that read/write the database, and the system it is running on.

Basic security practice for the web: NEVER trust user input: check and recheck all the GET/POST variables, check that numbers are numbers, that strings are correct strings (they have no funny characters, such as " or ; (for databases) or <>"&' (for HTML) or . (for paths)). Check all input into the databases (to prevent SQL injections) and all output for to the user (for XSS).

Basic security practice for sysadmins: Use up-to-date OS and software. Use strong passwords. Almost never run root. Make remote access hard.

This seems easy, and for the most part, it is. It's just so many things that people forget to check for them all.

Yes, let's secure our databases against O'Reillys and AT&Ts submitting their funny names! <g>

It's not characters that get you, it's lack of escaping or escaping for the wrong context (e.g. magic_quotes won't work for HTML)

• For SQL use prepared statements exclusively (never let "oh, it's just a number so I don't need to" fool you)

• Escaping doesn't differ between "trusted" and "untrusted" data (and these boundaries are too easy to break eventually).

Just escape everything, always. In PHP it means every `echo $var` is a likely vulnerability and `echo htmlspecialchars($var, ENT_QUOTES)` (in HTML except script) or `json_encode($var)` (in script) is a must.

Obviously, you should do defense in depth, so input validation is great and some filtering just-in-case may be warranted, but escaping alone (assuming done well) is sufficient for security, while filtering alone is not.

> For SQL use prepared statements exclusively (never let "oh, it's just a number so I don't need to" fool you)

I cannot vote this up enough. Also, depending on what database you are using (eg Oracle) if you don't use prepared statements (aka bind variables) you are guarantee killing your DB performance.

People have argued with me in the past that for things like sorting the data they cannot use bind variables. In that case, use the user input to select which safe string to use, eg:

    if user_select_sort == 'by_account_num'
      return 'order by account_num asc'
    elsif user_select_sort == 'by_transaction_date'
      return 'order by transaction_date'
      return ''
    end if
Then if someone sends in something tricky, it will just order wrong.

The way I write software, such values of user_select_sort would never even be possible... It's much slower to compare strings than to compare numbers, and passing long descriptive values that are actually booleans or short enums is just a waste of bandwidth (assuming they are passed as GET/POST variables).

Why not just pass numbers instead?

Numbers or strings wasn't the point really. You can do 'order by 1' or 'order by 2' in SQL to order by the first or second selected col etc, but if you used used the number passed directly from the user in the SQL statement, you are open to SQL injection. Feel free to use the number in a case statement to select the order by string to concat into your SQL however.

On the other hand some uses of bind variables can kill performance: http://www.dbspecialists.com/specialists/specialist2003-11.h...

Well, yes, but only when your data is skewed in general. Tom Kyte gives a 1 - 2 hour presentation about bind variables, bind variable peeking, overbinding, SQL Injection, parsing etc - great stuff if you are an Oracle guy and can get to one of this seminars.

Actually, it's not easy. It's incredibly difficult to have a webapp with a wide range of functionality that doesn't leak data to SQL injections. There's plenty of stuff that can get past the precautions you listed[1][2], although pornel is closer to the mark.



Another obvious weak point is not controlling access to copies of production databases. Developers getting access to copies of production databases full of personal info is terrifying, and yet not uncommon.

I'd recommend: https://www.owasp.org if you're working on the Web.

I wonder if they are using the same (undocumented) exploit for each of these attacks.

I am certainly no expert in this field, but I would have thought discovering new exploits and security holes would take time, yet these guys are hitting several major sites a week.

From what I understand, their main tool is simple SQL injection.

Most websites seem to have at least one XSS or SQL injection hole. Nearly all have CSRF flaws.

Still, census data should not be accessible from a public facing web site. That's just amateur hour. You should really assume that anything with a POST form is vulnerable.

Agreed. Any submitted data should have been immediately encrypted with a public key who's companion private key was stored offline. It should have then been immediately transferred to a secondary box which was setup with a single function of accepting and storing the data. Ie a box which you can't query over the network for data.

As soon as the census closed, the relevant boxes should have been taken offline. The data moved to a "secure" location, and the original boxes wiped and destroyed.

Considering the data that was being collected, I don't think this is overkill.

For those who are interested, these are the questions: http://www.ons.gov.uk/census/2011-census/2011-census-questio...

well its got to go in somehow, perhaps a facade that exposes only preparedstatements procs could have prevented this, but equally perhaps they exploited the facade, the transport mechanism to the facade, the db driver..... who knows, what is known is that theres a path, however narrow

No, they should have processed the data on a secure network, then burnt CDs with the final results.

That's how Australia treats important (Top Secret classified) data. I don't know how classified our census is, it should be treated with a bit of respect.

So, after I was strongarmed into filling out the damn thing, now all my identity data is in the wild. I will be joining in a suit of Lockheed if this is true.

There is already a guide on how to take a case under the Data Protection Act:


There'll be some interesting mashups if this is true.

I don't like where this is going.

Whats worrying about the apparent proliferation of security breaches like this is that as the attacks get more sophisticated, so do the prevention methods. This could get to the point whereby the skill level required to protect an application or server goes way higher than the skill level of many developers.

The result being that independent development is impossible as you would need to hire ever more expensive security consultants for anything that stores data.

I understand your point (it is potentially true for more than just the security domain of application development) but I think your premise in this case is false. SQLI (XSS, CSRF, ...) attacks are neither sophisticated nor new. SQLI has been known since at least 1998 (Phrack 54).

SQLI protection at least should be abstracted away from the developer's concerns by use of default parametrized queries. Technical difficulty is not the problem here.

"This could get to the point whereby the skill level required to protect an application or server goes way higher than the skill level of many developers."

We reached that point quite a while ago. What we are seeing now is the result of that point being reached, without anyone realising at the time.

But aren't they using pretty old exploits, SQL injections and DDoS?

The security breaches are attacking the old well known holes that everyone has ignored for years.

I quite liked this post: http://1raindrop.typepad.com/1_raindrop/2011/06/unfrozen-cav... people are just not investing in security. Most of the attacks are not very sophisticated, it is just no one is spending money on solving the basic security weaknesses.

I was thinking more in terms of reactions. Governments rarely admit their own faults and weaknesses. They will react claiming computer terrorists must be stopped now and that more control on the Internet is needed to protect everybody.

Surely Web frameworks do a lot to help solve this. Im sure django isnt't perfect; but its more secure than anything I could do.

More likely that common development tools and frameworks will become much more intrinsically security conscious.

In my experience the expense of a security consultant is rarely correlated with their skill level.

"Biggest" only for the media coverage this could get, i would not be surprised if they had exploited a common vulnerability. At least when we are discussing about publicly accessible sites, "security-illiterate" is the perfect definition for these government agencies (and the external companies that realize the sites they need).

Will this kind of things make the general public at least a bit more security conscious?

What pissed me off was that it is a legal requirement to complete the census (http://en.wikipedia.org/wiki/United_Kingdom_Census_2011#Oper...), so everyones personal details are in the database, which if stollen is a identify thief's dream load.

It appears that LulzSec isn't directly responsible for this. Although, since they called for the hacking of every government agency in the world with their "anti-sec" call to arms it's a bit disengeneous for them to rock back on their heels in shock and confusion.

Scotland Yard press release: They have confirmed his arrest.


LulzSec just confirmed this being rumor on their twitter account http://twitter.com/#!/LulzSec/status/83167715799470080

They're going to piss a lot of people off if they do this. Like every single UK citizen.

Exposing security flaws and embarrassing govt is one thing, but to put un-redacted personal data online is quite another.

Supposedly, census data should be anonymous. This means the records should be anonymized as soon as possible and should not just be stored.

It can't be totally anonymous, otherwise there's no way of enforcing the legal requirement to complete it.

Each census form had a unique ID, which is obviously linked to your address as it was sent to you through the post.

The answers can be hashed in many ways to ensure anonymity.

If you read the article or the pastebin:

We’re keeping them under lock and key though… so don’t worry about your privacy (…until we finish re-formatting them for release)

So, given they really arer LulzSec, they are hinting that they won't publish the data un-redacted.

Or they're just literally formatting it for organization and readability. They've released damaging info before on innocent users.

If this is true (and it seems it's probably not) then the people to get angry with are the UK government and their contractors Lockheed-Martin. WTF are we using a US-based company for anyway?

Presumably they put it out for tender and got the best package that they could.

Isn't that what we'd expect a Government to do? Tender jobs out to the private sector and choose the provider that offers the best value for money?

It's not as if Lockheed Martin are a particularly insecure or untrustworthy company to hold private data.

LM have a terrible reputation. Google around.

Is there any Government IT contractor that doesn't have a terrible reputation?

Government contracts are a pain to do. Most of the work is in jumping through hoops rather than actually doing the work. Most (all?) competent companies avoid Government work for this reason, making it very difficult to get any Government IT work done well.

That is a fair point.

I've always thought that the government should have their own IT agency. The NHS would do well to fire all the paid up consultants and commercial software and start a Google-style technology cooperative and share their results to other agencies. The NHS has the biggest IT problem of all and with the right minds on the job we'd have massive progress in the organisation and some serious advances in computer science to boot.

Whilst yes the UK govt and/or LM are to be criticised for their lack of security, LulzSec or whoever don't need to actually go post all the data for the world to see. If they want to prove they've done it post re-dected samples. It's childish, self-defeating and insanely irresponsible to publish them.

I filled in the UK census online, but I can't actually remember what compulsory data was requested. Is there a copy of it somewhere?

er... I dont think they care, its for the Lulz.... apparently :-\

of interest [edit, arrest link below]:


19-year-old suspected of being mastermind behind computer hacking group LulzSec arrested in Wickford, Essex. #c4news

"The PCeU was assisted by officers from Essex Police and have been working in co-operation with the FBI."

Just noticed that a moment ago. As of now no reports on the Channel 4 News website (http://www.channel4.com/news/) but I'm keeping my eye on it...

Anyone can claim to have the census data; I won't believe this until they release it.

Such a shame.

Anonymous had a lot of support for their attacks on Mastercard et. al. People, not just the programmers demographic, were seeing them as civil disobedience through the internet and hailing them for taking a right cause, namely against dirty, probably unconstitutional, certainly unethical attacks on wikileaks by numerous powerful groups.

What's more, anonymous was seen as more powerful than such groups on the internet arena. It was felt that such powerful groups would thus think twice and know that they are against probably smarter people, perhaps even their own employees. Alas, like actual physical protests, they did not manage to change much. Wikileaks has almost been forgotten now. Julian has gone quite. The organisation itself seems to have become divided and disorganised. They possibly are buying time. But the power that be has shown us that they have the resources, are willing to play, publicly, dirty tricks, and can even withstand a public opinion quite strongly against them.

Julian has been given some outstanding honour in journalism. He might even win the Peace prize for what some say was the effect of wikileaks on bringing about the Arab Spring. That may show that there are many powerful avenues to resist and/or push back the power that be.

All of that is being undermined for no apparent reason whatever. Although Lulzec might be trying to send a signal to the power that be. We are stronger. We are smarter. You need to know that before thinking again about doing dirty tricks. They don't seem to be able or willing to choose their targets well to send such a message. Showing that you can for example steal the census data in order to increase the security of organisations which deal with our data is like a man showing that he can steal a car by so breaking into the car and stealing it.

We can all commit crimes. We choose not to for very good reasons. Some things can not be fortified and turned into castles. And even castles can be brought down.

So the ultimate effect is that anonymous is painted with the same brush. As petty criminals bringing havoc into the streets of the neighbourhood by breaking car windows to show us that they can so break car windows.

For now, anonymous still has the upper moral ground. That is for now. By for now I mean for the next few days or weeks. The report for example that a member of lulzsec has been arrested who has connections with anonymous helps tremendously in blurring the lines between anonymous and lulsec.

The blurring means nothing more nor less than the excuse and the swaying of the public opinion that the power that be needs to go after anonymous and send a clear signal. You may be smarter but we have more resources and more avenues and the consequences you face are much greater.

The biggest signal that the power that be may send however is that they are able to control the public opinion by playing tricks. I think we all remember how last year we were talking about how the power that be is going to deal with wikileaks. The conversations that were had here on hackernews are probably still accessible through searching. Killing him seemed to be the most mentioned option, but quickly refuted by others. Now, it may be a strong statement to make seeing as I have no evidence whatever, but the information that did come out in regards to the two women, the fact that Assange is still here in Britain almost a year after, that he is actually free, suggests that tainting him with rape accusations was their choice. As we are seeing, it seems to have worked.

Equally, I do not know who lulzecs is. They have no motive, no reason, to do what they are doing. They are intelligent. Thus I doubt they would risk years in prison to just show that they can break a car. People do not tend to do things for no reason, especially if there are great consequences.

There is no laughter to be had of say having access to a lot of information of sonny users. Nor is there any lulz in having say the information of the census.

I therefore think that there is a probability that Matercard, Visa, Bank of America et al got quite pissed off from anonymous' attacks, but unable to do anything because of the strong public support that anonymous had, thought creatively and went for the blurring of the lines between common thief's and civil disobedience.

That is one possibility. Probably the more likely possibility. Sophos for example seems to be salivating every time lulzsecs does something.

The other option, that they are kids, being stupid, like most teenagers at time, confused, rebellious, is a possibility but unlikely. They probably know full well, that gaining such a high profile while not having any public support or even having the public against them means that they will crash down painfully to the bottom and remain there for years and years.

I'll finally finish this quite long comment by stating that if lulzsec is anything else than affiliated or corrupted, then they should know that they are tainting ideals with petty crimes.

Give me a break. There are no ideals, and it's not a conspiracy. It's just a bunch of trolls on summer vacation. They are doing it because they don't really care to consider consequences when they choose to do something. Mystery solved by Occam's Razor.

If you didn't know that lots of people like to do mean, pointless things all day for no reason, then welcome to 4chan, you may or may not enjoy your stay.

There are no ideals, and it's not a conspiracy.

That's the impression I have of a lot of contemporary political and business interests: "There are no ideals, and it's not a conspiracy. It's just business." Some do it for the lulz. Some do it for the bottom line.

LulzSec's tactics may be callous or juvenile, but they also somehow see a fitting expression for some of the inchoate disenchantment that I feel. When I pause to consider that I'm doing pretty well, all things considered, I can imagine the deeper chord they strike with others.

but they also somehow see a fitting expression for some of the inchoate disenchantment that I feel.

I've been curious about this feeling as it certainly seems to me that you're not alone. What is it that they've done that makes them hit a chord with you? What I see when I look at lulzsec is mostly behvior that hurts a random collection of common people - like dropping emails, hashes, personal info of people who just happened to be unlucky enough to make an account with one of their many targets. Or DDOS on small indie software developers to prevent their customers from playing their games for a bit. Are you disenchanted with gamers and people who sign up for a book forum and such?

I totally understand the appeal of the Anonymous DDOS's and HB Gary hack for example, so the whole thing isn't lost on me. But I just find lulzsec idiotic and grating.

I think that if there's an overriding principle behind it, you could say the principle is this:

The world is full of crazy laws and arbitrary rules which are frequently both boring and harmful. The only reasonable laws are ones that are purposeful and enforceable. If a law is stupid or if you can't enforce the law, we will break it at our whimsy, and if you don't like it, then you're the one that should change somehow, because anyone else could and probably should go break it too.

You could say that this is the grow-a-thicker-skin Internet philosophy. It's an idea that is appealing if you're young, moderately intelligent and computer-savvy, because your life has probably been filled with really stupid rules that are totally pointless and/or completely unenforceable, and you have no idea how to fix it, and you have probably never been on the other end of things.

What is it that they've done that makes them hit a chord with you?

As an American, I have a demoralizing sense that the country has given up on doing great things and, more specifically, turned its back on underdogs. I could make a more detailed case, starting with my view of human nature and extending to the latest Supreme Court decisions and the drivel I see nosing around Twitter and Facebook, but that would be sort of beside the point here.

Why gamers and book forum readers? I don't have anything against them personally and I agree there are probably more suitable targets. At the same time, obsessive game-players and score-keeping book-readers offer an obvious illustration for the kind of obliviousness and escapism that I can find symptomatic of larger social problems.

I suspect Lulzsec owes part of its style to The Joker from the last Batman movie. Remember that scene when the Joker lights the pile of money on fire? I agree Anonymous is a more constructive example of civil disobedience. But Lulzsec, in its aimlessness, may be the more potent symbol. I see it as a form of satire as much as anything.

Would my attitude would change if, say, they deleted my gmail account? Probably. But then maybe there would be something constructive in that, too.

Thanks for taking the time to respond.

I was thinking of saying something along the lines of I'd be surprised if they view their own actions so introspectively. Perhaps comparing it to the classic english teacher interpreting meaning behind a work for he class that the author never intended.

But I suppose it really doesn't matter - if people get something from a work it really makes no difference if the intent was there with the creation.

I agree. I expect their actions are not introspective but reactionary. Nevertheless, I think there's a logic behind them consistent with the sort explored by behavioral economists.

Doesn't seem too different than the usual teenage hubris. Kids think adults are boring on purpose and try to disrupt the social order to make life more interesting. They don't realize order and a good life is actually quite hard to maintain, and a bit of boring is the cost of living well.

I thought the actions of anonymous did have ideals. They were protecting free speech through disobedience.

I've seen 4 chan. Its no more than the corner teenagers playing around. They may once in a while break a window, or inconvenience some person, but they do not go to steal banks, or hit a police officer. All that is metaphors obviously, perhaps imperfect metaphors.

All I am saying is that I, we, do not know who or what Lulsecs is. Anonymous is everyone. You can apparently just enlist your computer towards some action. Lulzsecs is who?

Considering what happened to wikileaks why is there no probability, though slight, that it may be some dirty trick?

For example, anonymous is everyone right? Yet this guy who has been arrested, the "lulzsec mastermind", is apparently someone who has connections with anonymous.

Moreover, since lulzec appears to logically have no motive to take such a grave risk, as shown by someone who just got arrested individual and may possibly rot in jail, but many groups have an interest to get rid of anonymous, thus would want to blur the lines and sway the public opinion, I think there is at least some probability that they have been either corrupted or are affiliated.

I'd rather keep an open mind. We'll probably learn much more once this Lulzsec guy goes to trial, hopefully here in Britain, rather than extradited to some extrajurisdictional American prison, or offered a job in some company.

- 4channers have been sitting around DDOSing and defacing websites recreationally for years. The only difference here is that the websites are big organizations instead of some poor dude's message board or personal site, and that might seem like a big difference to you, but I don't think it seems like a big difference to the folks involved.

- I don't know what the mystery is here about "who or what Lulzsec is" or about "Anonymous is everyone." It's a bunch of teenagers on IRC, not a shadowy order of the shadows. It's pretty much the same guys every time, with people popping in and out.

- What does this have to do with Wikileaks, even tangentially? The fact that it's on a computer and the government doesn't like it?

- It's surprising that LulzSec has "connections" with Anonymous? The name of their group is "LulzSec" and their Twitter mascot is the 4chan monocle guy! Where did you think they came from, thin air?

This whole thing looks so completely ordinary to me that I don't see any reason to postulate foul play.

Mystery solved by Occam's Razor.

Why do people insist on saying this? Yes, it might be the most likely reason, but Occam's Razor is not a law. It's more of a saying. Why are people repeating it as if it is always true?

I'm using it as a shorthand for: "Here is a perfectly reasonable explanation that fits the facts. The other given explanation requires the conjunction of multiple unlikely things and I see no evidence favoring it. I believe the other explanation is sufficiently unlikely that there's not much point speculating about it."

Just so we're clear, you're suggesting that LulzSec is actually a front group for Sophos or maybe Mastercard?

That seems fantastically unlikely.

Again, LulzSec is not Anonymous nor do they speak for them.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact