Wednesday, 15 June 2011

Lulz Security and the pursuit of lulz

So, for those of you that missed it, yesterday was Titanic Takeover Tuesday, brought to you by the hacker group Lulz Security.

Now before I go any further, I’ll go on record to say that I don’t agree with what LulzSec are doing. I prefer to get my lulz via other means. At the same time, I’m not a /b/tard, or anyone with a particular grudge against LulzSec.

At the weekend, the group announced that they had hacked the Bethesda servers, pilfering the user data of some 200,000 Brink players. They also hacked into the US Senate website.

During the course of Titanic Takeover Tuesday, they launched coordinate DDoS attacks on The Escapist website, the Eve Online login servers, the site of IT security company Fin Fisher , and the login servers for both Minecraft and League of Legends.

Cue much wailing and gnashing of teeth from irate gamers and, doubtlessly, many lulz for LulzSec.

I should say that I am possibly one of the people whose details were hacked from the Bethesda servers as I regrettably purchased Brink. I have a Minecraft account, have played Eve Online, and regularly read The Escapist.

So I must be pretty pissed off right now, right? Nope, not really.

Don’t get me wrong; at first I was jelly. But when I thought about it, I realised I didn’t really have any business being angry.

For a start, the whole thing reeks of double standards. I was one of the people cheering on AnonOps when they were hacking websites in the wake of the arrest of Julian Assange, and applying pressure to those who would seek to deny Wikileaks funding. I even deleted my PayPal account in protest.

But it’s a bit fucking hypocritical of me to support AnonOps simply because they choose ‘right on’ targets, and then get annoyed when LulzSec do the exact same thing to a target I care about. It’s that classic ‘It’s fine as long as it doesn’t affect me’ attitude, and it’s not right.

This attitude was evident on various gamer web forums where people were one minute gloating at Eve Online being taken offline, then later crying because they couldn’t play League of Legends. I felt like reaching through the interwebs and bashing some heads together.

It’s a tangible atmosphere present even in the professional media, with outlets who were previously silent on the AnonOps hacks being up in arms about LulzSec messing with the PBS site, and I can’t stomach that kind of hypocrisy.

Even then, that’s only when the media chooses to report accurately. Ars Technica had me under the impression that LulzSec were going to release the Brink user info if Bethesda didn’t give out more details on the upcoming Elder Scrolls: Skyrim and also add top hats to the game. When I actually got the chance to read the statement from the group, the tone was light-hearted, and not very threatening. The top hats suggestion was added almost as a funny afterthought. Not quite the blackmail that Ars Technica had implied.

There also appears to be general misunderstanding about what motivation LulzSec have. Reading some forum posts on the topic yesterday, it was clear that the poster were divided between those who thought LulzSec were terrorists (yes, terrorists) and those who thought of them as being some sort of collective freelance security operation.

They are neither, as best I can see.

The posters claiming they were terrorists reasoned that since they had the user database, they could use this info to sow fear and blackmail the individuals contained therein. I would suggest that, given the abundance of free pronography on the internet, it could be considered a bit foolish to wilfully add your details to a huge database of pron users. Especially if one was in a position whereby the revelation of such ‘hobbies’ would be harmful. But then I have a thing for individual responsibility.

Nor are they hugely interested in their target’s security. Sure they may have advised Bethesda to ‘fix their junk’, but, if we use the burglar analogy, that’s like a burglar kicking in your back door, drinking all the lemonade in your fridge, sniffing your dirty laundry, taking a dump on the kitchen table before leaving a note that says ‘Your back door is broken.’.

So why do they do it?

Really: It’s for the lulz.

It’s not that knocking down a particular website is entertaining in itself. But when the myriad users of that site then take to Twitter to castigate LulzSec, lulz are had. When it is revealed that Lulzsec have stolen user details and people take to newsgroups and web forums to register how angry or fearful they are, lulz are had. When the Senate website is hacked and the FBI are called in, lulz are had.

Taking pleasure in the misfortune of others is a timeless concept, and LulzSec represent schadenfreude in the digital age.

Their activities are arguably criminal and I wouldn’t be hugely surprised if some arrests came from it, but I’m also certain that LulzSec are doing their best to avoid this outcome and hide their tracks, with seven proxies and the like.

As for me, you and Joe Average, there’s not a hell of a lot we can do about it. Evidently general web security isn’t as sophisticated as it should be and these attacks will no doubt serve as part of a catalyst of change.

Until the proverbial hatches can be battened down, all we can do is keep an extensive list of alternative passwords. Think of it as background radiation or environmental change, something you just have to put up with.

Oh, and try and have some lulz along the way.

No comments:

Post a Comment