LulzSec retired? Don't believe it
They made fools out of a lot of security guys. They feed on attention. They'll be back.
They believed that money spent on security products == we are secure. They were not asleep. They did not believe in security through obscurity. They trusted the industry. They gave it money in return for products that were supposed to protect them. They lived in ignorant bliss. Unfortunately, the security industry (and the rhetoric they proclaim) is all about the end goal of the industry making money.
LulzSec and Anonymous have sounded a klaxon at 120db: the state of online security clearly stinks and if it weren’t so consistently bad, it might be funny. LulzSec say they’ve retired, but I’m guessing they’re addicted to the lulz.
It hasn’t mattered to LulzSec or it’s brethren, the alt.ego known as Anonymous whether they’re making fools of government security, bank security, online gaming security, or other security. Very famous names in the security industry have been recently cracked open like an egg. Should you be scared, or should you be laughing? After all, getting the CIA as mad as a wet hen does have its mild comic value. I wondered who might be next. Michelle Bachman’s Campaign HQ?
My experience says: we haven't seen the end of the story, rather, it’s the beginning of an era of serious navel-gazing and quick bandages to an ailing infrastructure. I smell of flock of pontiffs, pundits, consultants, and holy men rising to the occasion of Embarrassment Prevention For Fun and Profit. If LulzSec retires or goes fully on the lam, these guys don’t get to cash fattened checks.
And for all of its seeming Robin Hoodishness, LulzSec is my new hero for this reason: it shows proof to the adage that nothing is foolproof, because fools are so ingenious. They’ve made mockery of a lot of people that take themselves very seriously (and for good reason) that have failed miserably. I’m also reminded of Inspector Clouseau. Worse, they’re embarrassing people that have spent many billions of dollars over the last decade in security and authentication systems. And they did it with silly stuff, like SQL Injection attacks. A couple of choice clicks here and there is roughly all it took.
Be warned, however: Dismissing what LulzSec and Anonymous have done will cost even more. Like it or not, we’ve killed off a dramatic number of manual systems and now depend on the webtoobies for everything from interacting with shopping to renewing our license plates.
My little organization was hacked, not long ago. No one was injured. There were no credit cards. We changed the passwords, not that it matters. You see: with a stolen credit card, you can logon to Amazon’s EC2 cloud, spin up some instances of Linux, and crack some of the most difficult passwords in seconds, others in under a day. For the pennies charged. Amazon doesn’t care what you’re doing with their cloud, nor does any other provider with open accessibility. Just pay the bill, and compute your brains out. Do you think someone is peering inside EC2 or Rackspace to see if someone’s cracking passwords? Nope. I don’t think so.
Although LulzSec and Anonymous have released precious little information that can be monetized or breach privacy, they’ve shown their acumen -- by listing embarrassing data on username/password combinations, Arizona law enforcement blather stolen from its servers, and the sort of data junk you find at the bottom of a kitchen drain -- they’ve also demonstrated that an awful lot of people are either asleep at the switch or believed in arcane security methods like security through obscurity.
There’s a Dirty Harry sort of network going after the perps at this point. But like the vigilante cops in the movie of the same name, the urban legend value of what LulzSec is doing is difficult to ignore. Law enforcement officials are sure to catch up with “the gang” soon. Or so it is thought. If I were them, and I’m not, I would have already piled up mounds of misleading pointers to random people to distract investigations from finding who I was. I’m guessing a lot of innocents get caught in the dragnet. More lulz for twisted minds. I smell a Hollywood screenplay in the making.
This isn’t the era of Prohibition, where gangs sought to control illegal trade of illicit goods like credit cards and passwords. Oh, wait, it is.
The US Treasury Department needs to assume the role of lead to the FBI. In this role, the US Bureau of Alcohol Tobacco and Firearms now becomes, instead of the BAT, the BATI—where the “I” is for Internet. They need digital tommyguns, and they need them now. BATI, I’m telling you.