Re: LulzSec

There have been a few blogs and posts that assert security people secretly and sometimes openly enjoy the activities of LulzSec:
* Their activities draw attention to the need for better security
* Like post 9/11, where the government started investing more heavily in security-related programs, businesses will allocate more cash after highly publicized break-ins.
* For places with break-ins, the security staff can gloat, say, "I told you so," even if only in their own mind.
* After security people are told, "those are edge cases and we don't need that much security," highly visible examples are coming to light, bring discussions of security to the foreground and concessions that a comprehensive policy that includes edge-cases is needed.
* Such highly visible example may be enough to convince CEO and other executives to include themselves in the security policy decisions instead of the exceptions because, "security is too hard, so I will take my laptop with HR info to the local airport, hop onto the new free WiFi, and let all my automated services log me into all my Internet services, some with insecure protocols, and use the same 7 character all-lower-case-letters password everywhere. Oh, my laptop has blue-screened, but that is okay, there is an Internet Kiosk with free Internet access, so i can check my email from there. I'm the fuckin' CEO, I can do whatever I want."

Long-term, the masses gain long-term benefit at the cost of short-term consequences, and those not impacted with break-in or data-loss are entertained.

People learn from their mistakes or they won't. If they learn from their mistakes, maybe they will apply some changes based on what they have learned and try again.

Re: LulzSec

I don't think there really is a "they" in the sense that there is an agenda around what they do. They are organized on chan's and motivated by whatever thread happens to be popular at the time. Targets are most likely selected by some sort of mob mentality, and attacks are coordinated via hidden services on tor. It most definitely is a group that has grown out of anon/4chan. I view them like a slightly more focused/less chaotic anonymous. Same exact principles guide them, same exact people are involved in it, just a little more focused.

I think for the most part there's a core group of decent hackers surrounded by a group of fodder that are used to set up their systems for basically a botnet for the core group to use. I think also that the core group are probably professional security engineers in their day jobs and most likely are "behind 7 proxies" and won't be caught. The fodder is a different story.

I think what they are doing is amusing and troubling at the same time, I guess it could be viewed as a free vulnerability assessment against networks. DDoS'ing the CIA was a pretty big mistake, same thing with attacking the senate. That will definitely get some very serious attention focused on them. But that attention will probably only garner some low hanging fruit (less technically adept) members of lulzsec.

Of course, I could be wrong about everything :D

lol internet!

Re: LulzSec

So I guess the question is: Do the ends justify the means?