And for all of its seeming Robin Hoodishness, LulzSec is my new hero for this reason: it proves the adage that nothing is foolproof, because fools are so ingenious. They've made a mockery of a lot of people who take themselves very seriously (and for good reason) and who have failed miserably. I'm also reminded of Inspector Clouseau. Worse, they're embarrassing people who have spent many billions of dollars over the last decade on security and authentication systems. And they did it with silly stuff, like SQL injection attacks. A few choice keystrokes here and there were roughly all it took.
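To make "silly stuff, like SQL injection" concrete, here is an added example (mine, not anything from the post or from any of the sites LulzSec hit) that builds a throwaway SQLite users table with made-up accounts, then runs the two textbook payloads against a login query written by string concatenation and against the same query written with bound parameters. Everything in it (the table, the usernames and passwords, the function names) is constructed for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data; the accounts and passwords are invented for this example.

    Real systems should store salted, slow password hashes rather than plaintext;
    plaintext is used here only so the exfiltration payload below is easy to read.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse battery staple"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """The pattern that makes injection trivial: user input pasted into the SQL text."""
    sql = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """Same query, but the values travel as bound parameters, never as SQL text."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """A profile lookup built by concatenation: a UNION payload reads any column."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [r[0] for r in conn.execute(sql).fetchall()]


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    sql = "SELECT username FROM users WHERE username = ?"
    return [r[0] for r in conn.execute(sql, (username,)).fetchall()]


# Classic payloads. The first comments out the password check ("--" starts a SQL
# comment); the second bolts a UNION onto the query to pull the password column.
BYPASS_USER = "alice' --"
EXFIL_USER = "x' UNION SELECT password FROM users --"


def demonstrate(conn: sqlite3.Connection) -> dict:
    """Run both payloads against both query styles and return the outcomes."""
    return {
        "bypass_vulnerable": login_vulnerable(conn, BYPASS_USER, "wrong"),
        "bypass_parameterized": login_parameterized(conn, BYPASS_USER, "wrong"),
        "exfil_vulnerable": sorted(lookup_vulnerable(conn, EXFIL_USER)),
        "exfil_parameterized": lookup_parameterized(conn, EXFIL_USER),
    }


if __name__ == "__main__":
    for name, result in demonstrate(make_db()).items():
        print(f"{name}: {result!r}")
```

The parameterized versions fail both attacks because the driver sends the values separately from the statement, so a quote or a comment marker inside them is just data. That is the whole fix, and it has been available in every mainstream database API for well over a decade; the breaches the post is talking about happened anyway.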
Be warned, however: dismissing what LulzSec and Anonymous have done will cost even more. Like it or not, we've killed off a dramatic number of manual systems and now depend on the webtoobies for everything from shopping to renewing our license plates.
My little organization was hacked, not long ago. No one was injured. There were no credit cards. We changed the passwords, not that it matters. You see: with a stolen credit card, you can log on to Amazon's EC2 cloud, spin up some Linux instances, and crack a pile of stolen password hashes, the weak ones in seconds and many of the harder ones in under a day, for the pennies charged. Amazon doesn't care what you're doing with its cloud, nor does any other provider with open signup. Just pay the bill, and compute your brains out. Do you think someone is peering inside EC2 or Rackspace to see if someone's cracking passwords? Nope. I don't think so.
Although LulzSec and Anonymous have released precious little information that can be monetized or that breaches privacy, they've shown their acumen by posting embarrassing username/password lists, Arizona law enforcement blather stolen from its servers, and the sort of junk you find at the bottom of a kitchen drain. They've also demonstrated that an awful lot of people are either asleep at the switch or believed in arcane security methods like security through obscurity.