LulzSec knows how to have fun. But where are the grownups?

Jun 06, 2011
Data and Information Security

The antics of Lulz Security are getting lots of attention, which begs the question: Are groups like these no good or has a corporate world complacent about security made these guys necessary?

In my view, there’s nothing praiseworthy about these guys.

They carry on with their attacks like it’s just a big joke — exposing vulnerabilities and having fun while advertising it. I question their morals the second I look at their mission statement on the LulzSec site:

We’re LulzSec, a small team of lulzy individuals who feel the drabness of the cyber community is a burden on what matters: fun. Considering fun is now restricted to Friday, where we look forward to the weekend, weekend, we have now taken it upon ourselves to spread fun, fun, fun, throughout the entire calendar year.

I’m sure that if you spend all your energy attacking big entities like Sony, InfraGard and PBS, it is fun when you successfully find flaws and launch attacks through them. But it’s not fun for the customers of these organizations, whose only fault was in doing business with companies they believed to be secure.

When you look at this through the legal lens, it’s more cut and dry. Knowingly exposing sensitive data will put you in the feds’ crosshairs. Indeed, the talk on the Full Disclosure site this morning is that one of the people behind LulzSec is already in FBI custody, and “the rest are probably about to follow him.”

It’s evil every time someone exposes a person’s personal information. Making a point about someone’s vulnerabilities by releasing the billing information of their customers strikes me as wrong any way you slice it.

On the other hand, a lot of companies know darn well that their security is lacking yet they carry on with the stupid approach of doing nothing, hoping no one will ever notice. That’s the thing that puts customers in danger to begin with.

If more companies were more serious about security, these groups wouldn’t appear with such frequency.

Perhaps that’s too sweeping a statement, but when I look at Sony’s history, it’s hard to get upset about their troubles.

I do feel bad for their customers, though.

The security community has debated the pros and cons, good vs. evil of these hacking groups since the beginning, along with the related issue of responsible vs. irresponsible disclosure.

This column won’t settle anything, nor is it meant to.

Discussion threads like this one paint LulzSec as a small group of young pups who are overcompensating for a lack of romance in their lives.

Is that an accurate description, or are we really dealing with much more experienced, sophisticated hackers?

To be honest, I don’t really care.

And I’m not going to pretend I’m an expert on the right or wrong way to expose security holes.

In this case, I only know what my gut tells me — which is that exposing customer data is never an act of good.

I’ve seen some chatter online today about whether people are really getting harmed here.

To me, it’s simple: If you post the details for some 50,000 user accounts online, you’re doing harm.

Companies that are lax on security need to be exposed, for sure.

I just think there has to be a more grown-up way to go about it.

–Bill Brenner