I don’t like having my personal data taken by the “Bad Guys”, any more than anyone else does. When the infamous Sony PlayStation Network hack took place in April, I was among the angry and upset, fearful that my credit card number would be popping up in every blackhat IRC channel out there. But it wasn’t the hackers with whom I was angry. And now, as the exploits of Lulz Security make me angry as well, it’s still not the hackers themselves enraging me.
A number of years ago, I’d probably be cursing the hackers, ferociously calling for them to be hunted down and punished for causing such distress and potential harm to millions of customers. They’re the Bad Guys, after all, and they took information that they weren’t supposed to — my information — to do who knows what with. Good people don’t do that kind of thing, I’d have said. Nothing could possibly justify that.
By the time LulzSec performed their own hack on Sony, my views on the matter were different. They’d been evolving as I’d grown to admire the work of Anonymous, culminating with their DDoS attacks on MasterCard and Visa for refusing to process donations to WikiLeaks. So what, I realized, if our individual ability to buy shit on the Internet was interrupted for a few hours? We’d live. But an important message would be sent to these massive, over-powered corporations: they cannot, and must not, push us, the people, around.
This view didn’t win me a lot of support from my close friends and family. In fact, arguments over whether the hackers or the gigantic corporations were the Bad Guys started to drive a wedge between my boyfriend, Dave, and me. The aforementioned attitude I’d have had years ago — indignation at the evil, evil hackers — was coming right back at me. Explaining why Anonymous was on the side of all the people they’d inconvenienced was a difficult, frustrating task.
On the night that LulzSec hacked into Sony, Dave and I somehow started discussing the news, our conversation inexplicably ending up on that topic in the way that conversations do. Because of their similarities to Anonymous (irreverent attitude, 4channy communication style, targeting Sony, and, well, anonymity), I reflexively fired up my “it’s for a cause” defense. Lulz Security is doing this for us, I said, and fighting corporate power. If it’s for us, he responded, why are they stealing our data? Why are they going beyond mere inconvenience, and actually harming us? Because, I stammered, fumbling to come up with a coherent explanation.
Anonymous, at least, is pretty demonstrably doing what they do for a cause, and ultimately for the common good. And even then, their tactics don’t cross the line into malice against the people. Lulz Security, on the other hand, has few inhibitions, and puts their motivation right in their name: they do it for the lulz.
I realized, at this point, that Lulz Security are not the Good Guys. Causing damage for no real reason, other than the empty cause of entertainment, isn’t defensible. They’re not my friends, not our friends, and not doing what they do for anyone’s good. Just to have a laugh.
So why, as I said in my opening paragraph, am I not angry at LulzSec, or at the (presumably) financially-motivated PlayStation hackers?
Imagine a massive earthquake rocks your city, causing billions of dollars of damage, and killing hundreds of people. Then, later, you learn the following:
- Seismologists could see the earthquake coming for hours, but the government never alerted anyone or called for evacuation
- Buildings all over the city weren’t constructed to be earthquake-resistant, despite the fact that your city was on a fault line
- Gross negligence and incompetence by the government’s disaster relief agency led to many, many preventable deaths and injuries after the quake
Well, that certainly seems like the government failed to protect its citizens from the earthquake, doesn’t it? Disasters are a fact of life, but there were so many things that this government should have done to minimize the risk and the damage.
Now, imagine that the government is Sony, the city is their servers, and the earthquake is Lulz Security.
It’s easier to get angry at a group of hackers than it is to curse the natural occurrence of an earthquake — hackers are people, and people can make choices, but the earth can’t help itself from shaking sometimes. While true, and completely logical, this attitude is a waste of time and blood pressure. Individual hackers can make the choice not to hack, not to break into systems and take sensitive data belonging to innocent people. But somebody, somewhere, will always go ahead.
So I said to Dave, you’re focusing on the wrong thing. You’re getting angry at LulzSec, but if they hadn’t done it, somebody else would have — perhaps someone with serious criminal intent rather than random mayhem. Lulz Security, I said, is irrelevant. They’re not Good Guys or Bad Guys, they’re just hackers. Hackers hack; it’s a fact of life. The problem, I said, is that Sony didn’t pay attention to this fact. They didn’t protect their customers’ data, and left their sensitive systems open to attack. But not just any attack: LulzSec exploited a single SQL injection — one of the most basic, grade school things to prevent — and got access to everything. And that everything was stored in plaintext. All of it, right there, unencrypted. Not even ROT13’d.
As Patrick Gray said, “LulzSec is running around pummelling some of the world’s most powerful organisations into the ground… for laughs! For lulz! For shits and giggles! Surely that tells you what you need to know about computer security: there isn’t any.” That’s why I’m angry. I’m angry because we have vested our trust in corporations and governments to secure their systems — many of which hold our personal information, or perform vital functions that affect our lives — and our trust has been breached.
LulzSec is not, I believe, a group of superhuman master hackers (or, as they might put it, “level 9001 wizards who doesn’t afraid of anything and are no strangers to love”), and all of the things that they have done, are doing, and will do, are preventable. And that goes for nearly all of the hackers that will inevitably come after them. Governments and powerful corporations are not likely to understand this; they will misdirect their rage towards the hackers themselves, focusing on punishing the individuals and bringing them to “justice”, and meanwhile neglecting to fix the problems that enable them in the first place.
That probably also rings true for a million other issues besides hackers. But I digress. Hackers will hack, and the powers-that-be will bumble. One of these things is inevitable, and the other one is what we should really be getting up in arms about.
Perhaps, in my desire to make a cheeky Dr. Strangelove allusion, I lied in the title of this article. I don’t love LulzSec. In fact, I don’t even like them very much. But I don’t hate them. It’s not their fault that their jobs have been made so damn easy for them — that’s purely the fault of the bumbling powers-that-be. And partly, I’m glad that it’s a bunch of Chaotic Neutral-types doing all this rather than Chaotic Evils.