How I Learned to Stop Worrying and Love LulzSec

I don’t like having my personal data taken by the “Bad Guys”, no more than anyone. When the infamous Sony Playstation Network hack took place in April, I was among the angry and upset, fearful that my credit card number would be popping up in every blackhat IRC channel out there. But it wasn’t the hackers with whom I was angry. And now, as the exploits of Lulz Security make me angry as well, it’s still not the hackers themselves enraging me.

A number of years ago, I’d probably be cursing the hackers, ferociously calling for them to be hunted down and punished for causing such distress and potential harm to millions of customers. They’re the Bad Guys, after all, and they took information that they weren’t supposed to — my information — to do who knows what with. Good people don’t do that kind of thing, I’d have said. Nothing could possibly justify that.

By the time LulzSec performed their own hack on Sony, my views on the matter were different. They’d been evolving as I’d grown to admire the work of Anonymous, culminating with their DDoS attacks on MasterCard and Visa for refusing to process donations to WikiLeaks. So what, I realized, if our individual ability to buy shit on the Internet was interrupted for a few hours? We’d live. But an important message would be sent to these massive, over-powered corporations: they cannot, and must not, push us, the people, around.

This view didn’t win me a lot of support from my close friends and family. In fact, arguments over whether the hackers or the gigantic corporations were the Bad Guys started to drive a wedge between my boyfriend, Dave, and me. The aforementioned attitude I’d have had years ago — indignation at the evil, evil hackers — was coming right back at me. Explaining why Anonymous was on the side of all the people they’d inconvenienced was a difficult, frustrating task.

On the night that LulzSec hacked into Sony, Dave and I somehow started discussing the news, our conversation inexplicably ending up on that topic in the way that conversations do. Because of their similarities to Anonymous (irreverent attitude, 4channy communication style, targeting Sony, and, well, anonymity), I reflexively fired up my “it’s for a cause” defense. Lulz Security is doing this for us, I said, and fighting corporate power. If it’s for us, he responded, why are they stealing our data? Why are they going beyond mere inconvenience, and actually harming us? Because, I stammered, fumbling to come up with a coherent explanation.

I couldn’t.

Anonymous, at least, is pretty demonstrably doing what they do for a cause, and ultimately for the common good. And even then, their tactics don’t cross the line into malice against the people. Lulz Security, on the other hand, has few inhibitions, and puts their motivation right in their name: they do it for the lulz.

I realized, at this point, that Lulz Security are not the Good Guys. Causing damage for no real reason, other than the empty cause of entertainment, isn’t defensible. They’re not my friends, not our friends, and not doing what they do for anyone’s good. Just to have a laugh.

So why, as I said in my opening paragraph, am I not angry at LulzSec, or at the (presumably) financially-motivated Playstation hackers?

Imagine a massive earthquake rocks your city, causing billions of dollars of damage, and killing hundreds of people. Then, later, you learn the following:

  • Seismologists could see the earthquake coming for hours, but the government never alerted anyone or called for evacuation
  • Buildings all over the city weren’t constructed to be earthquake-resistant, despite the fact that your city was on a fault line
  • Gross negligence and incompetence by the government’s disaster relief agency led to many, many preventable deaths and injuries after the quake

Well, that certainly seems like the government failed to protect its citizens from the earthquake, doesn’t it? Disasters are a fact of life, but there were so many things that this government should have done to minimize the risk and the damage.

Now, imagine that the government is Sony, the city is their servers, and the earthquake is Lulz Security.

It’s easier to get angry at a group of hackers than it is to curse the natural occurrence of an earthquake — hackers are people, and people can make choices, but the earth can’t help itself from shaking sometimes. While true, and completely logical, this attitude is a waste of time and blood pressure. Individual hackers can make the choice not to hack, not to break into systems and take sensitive data belonging to innocent people. But somebody, somewhere, will always go ahead.

So I said to Dave, you’re focusing on the wrong thing. You’re getting angry at LulzSec, but if they hadn’t done it, somebody else would have — perhaps someone with serious criminal intent rather than random mayhem. Lulz Security, I said, is irrelevant. They’re not Good Guys or Bad Guys, they’re just hackers. Hackers hack; it’s a fact of life. The problem, I said, is that Sony didn’t pay attention to this fact. They didn’t protect their customers’ data, and left their sensitive systems open to attack. But not just any attack: LulzSec exploited a single SQL injection — one of the most basic, grade school things to prevent — and got access to everything. And that everything was stored in plaintext. All of it, right there, unencrypted. Not even ROT13‘d.

As Patrick Gray said, “LulzSec is running around pummelling some of the world’s most powerful organisations into the ground… for laughs! For lulz! For shits and giggles! Surely that tells you what you need to know about computer security: there isn’t any.” That’s why I’m angry. I’m angry because we have vested our trust in corporations and governments to secure their systems — many of which hold our personal information, or perform vital functions that affect our lives — and our trust has been breached.

LulzSec is not, I believe, a group of superhuman master hackers (or, as they might put it, “level 9001 wizards who doesn’t afraid of anything and are no strangers to love”), and all of the things that they have done, are doing, and will do, are preventable. And that goes for nearly all of the hackers that will inevitably come after them. Governments and powerful corporations are not likely to understand this; they will misdirect their rage towards the hackers themselves, focusing on punishing the individuals and bringing them to “justice”, and meanwhile neglecting to fix the problems that enable them in the first place.

That probably also rings true for a million other issues besides hackers. But I digress. Hackers will hack, and the powers-that-be will bumble. One of these things is inevitable, and the other one is what we should really be getting up in arms about.

Perhaps, in my desire to make a cheeky Dr. Strangelove allusion, I lied in the title of this article. I don’t love LulzSec. In fact, I don’t even like them very much. But I don’t hate them. It’s not their fault that their jobs have been made so damn easy for them — that’s purely the fault of the bumbling powers-that-be. And partly, I’m glad that it’s a bunch of Chaotic Neutral-types doing all this rather than Chaotic Evils.


  1. piratbloggar (Piratpartiet Live!)

    Falkvinge on Infopolicy: How I Learned to Stop Worrying and Love LulzSec:

    Zacqary Adam Green.
    I don’t li…

  2. Falkvinge (Falkvinge)

    Testing new tweet tracking function, ignore this tweet. #test

  3. James

    In other words your being nice so all the bored teens with nothing to do this summer being recruited by LS don’t launch a surprise attack on this site. Or something like that?

    1. Zacqary Adam Green

      What? No, I’m not being any nicer than I actually feel. This certainly isn’t written to ward off an attack at all. And why worry about that? Even though Sony, et al couldn’t be bothered, this site has security measures. (Right, Rick? RIGHT?!)

      1. Rick Falkvinge

        Re. security measures:

        It has as much security as could be expected. It’s behind an ordinary firewall and is an ordinary Ubuntu Server, patched up to date.

        If this can be taken down, so can 70% of the web servers on the planet. Perhaps they can, and if so, that may even be the point of the article.

        But I like to trust GNU/Linux more than that.

      2. Scary Devil Monastery

        No, I’m pretty sure Rick’s servers could be taken off line with any serious attack performed by one or more hackers given that any system meant to communicate actually has the unavoidable weakness that the system has to be able to interact with the outside.

        Any system is vulnerable. The problem with SONY and so many other major companies is that their systems are like castle walls made of swiss cheese. Huge targets with great visibility, millions of possible points-of-entry and little to no hardening.

        In short, you’d need a far more serious effort to take down a Unix-based personal server with a few well-defended points of entry than you would in trying to take out SONY. Which is a statement in itself.

        I concur with the article. When Geohot published the PS3 root key it was the equivalent of a journalist walking into a bank and noting that the guards were dead drunk, the security cameras turned off and the money kept in a shoebox next to the cashier. Who then wrote an article about it in the newspaper and got worldwide coverage.

        When the hack was perpetrated a month later the guards were still drunk, the cameras still turned off and the money was still kept in the same shoebox.

        You can certainly blame the hackers for hacking. But I personally would be pretty pissed off with my bank as well.

  4. urbansundstrom (Urban Sundstrom)

    RT @falkvinge How I Learned to Stop Worrying and Love LulzSec #anonymous #lulzsec #security

  5. Anonymous

    So, every half smart car mechanic can break into your car and leave open the doors for the lulz? And you will blame the car maker?
    Every locksmith worth his money can open the door to your home, and leave it all open? And if the locksmith sees your address book on the table, he can copy it and publish the content?
    Every open window is a justification for stepping inside?

    1. Zacqary Adam Green

      That’s a bit of a flawed analogy. Hacking into an individual’s email account is, perhaps, akin to burglarizing a home or a car. On the other hand, hacking into the servers of a public-serving corporation or government and accessing millions of people’s personal data is more like robbing a bank.

      No, it’s not okay to rob banks, but if your bank had been secured with nothing but a dime-store padlock and a “Do Not Enter” sign, wouldn’t the robbers themselves be the least of your concerns? When you’re trusting a rich and powerful organization to protect things that are important to you, the least they could do is put it in a vault.

      1. Anonymous

        Dear Zac,

        1) You are blaming the victim. Can I beat you up and claim your weak appearance made me do it? That you asked for it by being weak and stupid?
        What a sad and weak statement.

        2) What does your line of thought lead to?

        Easy example, when WiFi/WLAN was introduced most routers were open. Thus, pretty much everyone could access the internet in millions of locations.

        Then a few idiots abused that. And today you hardly find an open, private access point. (Where experts know, that WPA can be cracked in a few minutes already.)

        So, what did the people gain from the few crackers abusing open WiFi?

      2. Zacqary Adam Green

        Again, faulty analogies. The true victims when a corporate or government server is hacked are the people who trusted said corporation or government to take steps to protect their data, and had their trust betrayed. If these powerful entities were actually doing everything they could to secure their systems, then it would be a different story. But the fact is, they’re not.

        The lack of open WiFi is caused by two issues: 1) The potential to access and snoop on other computers using the network, and 2) The threat of legal liability if somebody commits a crime from your Internet connection. The former could be solved by setting up a public network properly, and sandboxing individual connections by default, and the latter by, well, fixing the stupid laws.

        Complaining about the fact that some people are dicks may feel good, but it’s sometimes far more effective to just design around that. (Note the word “sometimes”. No more silly analogies about individual victims of violent crime, please.)

    2. Scary Devil Monastery

      Let’s clarify that as i have in a reply above:

      When Geohot published the PS3 root key it was the equivalent of a journalist writing in detail on how the bank you trust was storing your cash in a shoebox by the counter with poor security.
      When the burglars come a month later the bank is still keeping your cash in that shoebox.

      Sure I’d be pissed with the robbers but my main concern would be that the bank, despite having it’s crap security published worldwide had made no effort to get a decent vault.

      Or, to return to your own comparison – there isn’t a single insurance company in the world who will recompensate you for your stolen car if your habit was to leave it with the door open and the keys in the ignition. Or in this case, if the parking guard you left your car with had that habit, who would you really be the most ticked off with?

  6. berkes

    People often seem to forget that before LulzSec published entire lists of login-data, about every (more or less) serious cracker would do the same.
    Difference being, that LulzSec publishes these for the great public, where previously such lists would be published for a small set of blackhats or sold to the maffia.

    When people complain that due to the releases of LulzSec someone’s paypal acct was robbed, they hardly consider the fact that peoples paypal accts get robbed on daily basis with stolen passwords.

    Servers are breached on a daily basis, for years. No-one knows if Sony has been cracked before, but bought off either the blackhats ransom, or bought off the people who’s accounts were abused. We simply don’t know, but can safely assume that large companies have to deal with this frequently. Just now, their option to cover it all up, has been taken away.

    That does not make hacking and cracking any better or worse. It merely shows that LulzSec is doing nothing new, or extraordinary. The only difference is that they are doing it in all openness.

  7. Björn Persson

    There’s one more thing to be angry about if you think one step further. Why are you afraid that your credit card number may pop up in blackhat IRC channels? Why would it bother you if it did?

    Because your credit card number can be used to take your money without your consent.

    If the credit card system had required that every transaction be authorized by you, then it wouldn’t have mattered who got their hands on your credit card number. You could have published it. But since no authorization is required, you have to keep the number secret so that criminals don’t find it and empty your bank account. But you also have to give out the number to every time you buy something, which means that you have to trust the seller. You have to trust not only the seller’s honesty but also his ability to keep criminals from getting their hands on your credit card number.

    You can’t buy so much as a hotdog with your credit card unless you trust the hotdog man as much as you trust your bank.

    You trusted Sony to keep your credit card number secret, and Sony betrayed your trust, so now you’re angry with Sony. While Sony definitely deserve your anger, they’re not the ones who designed the credit card system. Sony’s lack of security would have mattered less if there hadn’t been such a big, gaping security hole in the credit card system. The banks and the credit card companies keep promoting the system despite this terrible design flaw. Shouldn’t you direct some of your anger at them?

    1. Zacqary Adam Green

      It never really crossed my mind how broken credit card numbers are, but now that you mention it, that’s an excellent point.

      However, there are a lot of other bits of personal data that many of us trust large corporations to keep safe — not just credit card numbers — and that was what I wanted to cover in this article. I’ll definitely be skewering the financial status quo in some later posts, though.

      1. jonny

        The credit card system is broken? I beg to differ. I remember the week everyone was getting their knickers in a twist over VISA and MasterCard joining the government-led offensive against the villains who gave “the people” information the government of “the people” wanted to keep secret – heaven forbid, all peace could break loose!?

        Still, rules are rules. This was the position of many of my friends, and WikiLeaks broke the rules. It’s important to obey the law, except when the law is against the law (as the law pointed out, helpfully, at Nuremberg).

        Still, might is right (as might believes, when it is wrong and cannot make the case, otherwise). That’s why it’s dangerous to be right when power is wrong; why would power listen? Power watches its own back, and never debates nor is required to even make a convincing argument – what Power wants, is the convincing argument! – and this is very unfortunate for Power.

        Because Power doesn’t follow me on Twitter, one of my first tweets was celebrating the fact that I might not be able to support WikiLeaks with my money; but I could still use my credit cards to support the ingenious mass email marketers who deliver non-stop limited-time offers to my Junk email Inbox. You can’t support WikiLeaks but that’s one (1) merchant. You can support Spam just fine (that’s thousands of merchants). It’s about perspective. My perspective was all wrong. A personal email from an unknown friend alerted me to the fact that I did not have enough ham to fill my girlfriend’s ham-pocket. I panicked, but thankfully – as it turns out – those who brought me this information had ham for sale. What serendipity!

        Might I suggest you Verify your VISA? This way, you can support 99% of all merchants in real-time. You don’t want delays when you are accepting the FREE MONEY! online casinos want to give you. They just need a deposit, to prove that your children and the pick-pocket who took your wallet can enter in 13 letters and 19 numbers printed on the card, accurately. You can be losing within minutes!

        If you want to withdraw your own money after playing, maybe the next day, maybe four months down the line, then there are some security checks. This is for your safety (and convenience). They will not process your withdrawal until you give them proof of where your children sleep at night, and high resolution colour scans of your passport, so they can Verify with VISA that you are not a criminal fraudster who has been losing your (the real you’s) money for four months. You needn’t worry, unless you get frustrated at some point during the 18 months between your supplying this info and them not paying you. They are licensed by the website of the Seychelles Islands Gaming Commission (they will get an office, when they exist) where all disputes are subject to the laws of the island (they will get a judge, if they need one). Look, they’ve never needed one; but you could be the first to fly to Seychelles for justice and force them to stay in London or Montreal where their servers are. Try not to imagine them laughing at you standing in a Seychelles hut alone with a drunk judge who’s buttoned up his Hawaiian shirt for the big day.

        Maybe they lose their licensing in Seychelles, maybe they never had any because there’s no way to verify who in Seychelles received a manila envelope with their application ‘papers’. But worst case scenario, you fly to Seychelles for holiday, they keep your money and ‘move’ licensing to Malta Lotteries & Gaming Commission (a subsidiary of the UK Gambling Commission, and regulated by the EU).

        All of this is for your safety, I explained to The Malta Times & to The Guardian (with screenshots of the relevant Acts of British Parliament and Malta and the legislation signed into European ‘law’ by those jokers in Belgium; every “responsible gambling” and “anti-fraud” law being breached, by literally everyone (except the VISA customers / victims). The EU has a Commission to assess breaches, a Court of Justice to adjudicate and decide whether they agree with you or not. That’s about it, as I understand the situation. They can ask nicely? When they form a standing army, and get nuclear weapons then they can do more; but until then they’re limited to bullying bankrupt states like Greece who want high-austerity loans. Free movement of goods & services because all of Europe is equal, but of course some are more equal than others.

        I had a point, I think. Oh yes, unless I was so drunk I imagined it, I showed The Malta Times and The Guardian how their respective monopoly regulatory bodies were so corrupted it was farcical, but I was sucking eggs. They knew this already. Which means The Guardian is corrupt, I thought . But I should have known that already. Either way, breaking the law is not newsworthy when you write the legislation. I have no excuse for not knowing this, I have read the Bible and Moses pointed this out, smashing God’s commandments on the ground in fury.

        But yes, credit cards. Every online casino in Malta will spam the globe “FREE MONEY!” offers, and then make you jump a hurdle a 3 year old child can vault. Then they’ll steal your money, but if you want to lose it they are cool with that as well. Maybe tomorrow, maybe in four months, you want your money back? And this is not something that occurs, often; obviously. But if you aren’t a gracious loser 100% of deposits, and instead press Withdraw, then they have some ‘hoops’ for you to jump through. Your card is Verified by VISA, and they need notarised proof of address, passport and bank statements. Maybe they receive them, maybe they don’t; kindly send again? And again. One more time. Are you sure you don’t want to gamble in the meantime? They will wait on your getting them the docs, maybe Google lost the emails? Thank you for your understanding. This is for your safety. Remain cordial. They don’t have to pay you if you use colorful language. Read the fine print, which says – after 30 pages – that they can do absolutely anything they like, including – but not limited to – everything. If you don’t like the terms, you shouldn’t have deposited. This is a Polite Society for a reason.

        Maybe you say “keep the money, you thieves” and then you will be embarrassed when you next go to buy more ham (for your girlfriend’s over-sized ham-pocket)? Or when you buy normal ham at Safeway. Credit card troubles. Happens to all of us, when we’re broke – or blacklisted by VISA’s online casinos.

        You say the system is broken. I beg to differ. Maybe you pay for your penile extensions with cheques or money orders? I use Verified by VISA and MasterCard to get the secrets to extending my penis size INSTANTLY. I don’t mean to brag.

        You won’t be able to support WikiLeaks, but why would you want to? Are they making penises bigger? I understand you can find a ‘way’ around the rules, buying Assange ‘gifts’ and things, but unless he can give me more ham STAT, my girlfriend is going to leave me for someone who can fill her ham-pocket. Perhaps, for Assange.

        But if you want to shoot yourself in the foot, VISA and MasterCard are your best friends. Nothing is broken. The system is humming perfectly; as designed. There are dozens of innovative payment solutions for anyone who wants to mass email the world offers for FREE MONEY! and Urgent Ham Needed spam emails. If you don’t like it, no one is forcing you to use credit cards. So what’s your problem? It’s a free country, so long as you follow the rule. Might is ‘right’, but might isn’t bright. Might is solid on “optimality” in a short term vacuum. But “sustainability”?

        Might is not acting in might’s best interests. But you go tell them that. I need my credit cards. And find a girlfriend. Then maybe, we’ll look at addressing any ham deficiencies.

  8. opassande » Blog Archive » Om du inte kände till LulzSec

    […] Namnet LulzSec har dykt upp varstans i mina flöden, och det tog faktiskt ett tag innan jag fattade att det handlade om en hackergrupp. Bland annat så var det den gruppen som hackade Sony härom sistens. LulzSec har dessutom inspirerat till ett antal diskussioner och inte minst kärleksförklaringar. Bland andra har Zacqary Adam Green som skriver hos Rick Falkvinge bidragit med ett sådant. […]

  9. Morten

    Your analogy with the government and earthquake is a bad one in my opinion. People should be careful who they deal with in business, I agree. But governments are just a violent monopoly over a given area. There is no reason to expect or believe they should actually be proactive in preventing any harm. If you are living in a city on a faultline, and have not gone to great lenghts to ensure yourself that your house is secure, and are not paying insurance companies that actually would check such dangers, you have noone to blame. Blaming “the government” is just saying to your neighbour “why didn’t you pay for all these things”. When will people wake up and see that trusting a violent monopoly to do anything right is why the world is in so much shit. The government might be inescapable, but it will never be there with “your best interest” in mind.

  10. Superman

    Okay, what a nice beginning but i’m going to take a look at that a tiny bit more. Will show you exactly what more there is.

Comments are closed.