50 Days of Lulz: A Retrospective

Last Saturday, the hacker collective Lulz Security disbanded after nearly two months of "high-quality entertainment at your expense," stating that they had always intended to keep their campaign to 50 days and were not responding to heightened law enforcement pressure.

Throughout their internet rampage, the hacker group was heavily hyped by the media, often for good reason. They took websites associated with the CIA, U.S. Senate, and Brazilian government offline with a gleeful "tango down!" on Twitter, and breached websites such as those of the FBI-affiliated InfraGard, the Arizona Department of Public Safety, Sony, and Nintendo, leaking sensitive information. They also teamed up with the extensive, leaderless hacktivist group Anonymous and other supporters for Operation Anti-Security, devoted to exposing classified government documents.

This high-profile hacking activity drew a lot of media attention, which was good for putting network security on the agenda and exposing widespread security flaws, but as usual the press tended to mystify LulzSec, hackers, and "cyber" in general. Lulz Security is not some dark brotherhood of evil geniuses. The group accurately described themselves as "chaotic neutral." Sometimes they would act for ideological reasons and just as often they would release the personal information of innocent bystanders "for the lulz." But they were neither on a campaign to protect human rights nor were they stealing for financial gain. Mostly, they were just goofing around and showing off.

Just as LulzSec wasn't "evil," they weren't "geniuses." While skilled, their hacks did not display any amazing technical expertise and tended to rely on Distributed Denial of Service attacks, SQL injections, and social engineering, some of the most basic attack techniques. Nothing that LulzSec did was comparable to malware such as Stuxnet, which exploited numerous zero-day vulnerabilities and took hundreds of hours and thousands of dollars to develop. What LulzSec did, like most hackers, was analogous to the strategy of most burglars. When I worked with several police departments, I analyzed hundreds of burglaries and the vast majority, about 90%, involved entry through doors left unlocked, and the rest weren't exactly Mission Impossible, with thieves kicking in air conditioners or climbing through windows. Similarly, LulzSec got most of their leverage from glaring security oversights like reusing passwords for important accounts.

All of that is not to say Lulz Security was trivial. Targeting such important and ostensibly secure websites was both bold and eye-opening. LulzSec attacked law enforcement head-on with no fear of arrest. This is where their skills come in, as despite the recent worldwide arrests of dozens of hackers in a crackdown, LulzSec's 6 core members remained untouched. Because attribution is difficult in cyber attacks, informants are a key way for law enforcement to trace criminal hackers, but LulzSec dealt with "snitches" with ruthless efficiency that the mob would envy. When two wanted hackers leaked some affiliated logs, LulzSec released their locations, pictures, last known IP addresses, phone numbers, and screen names to law enforcement, even as one was trying to flee the country. "These goons begged us for mercy after they apologized to us all night," they warned in the release, "There is no mercy on The Lulz Boat. Snitches get stitches."

They also brought an unprecedented amount of attention to network security, or the lack thereof. While the field of cyber security is riddled with periodic "wake up calls," LulzSec didn't just breach numerous important websites, they did so while cultivating a new level of celebrity, including so many followers on Twitter that they brought websites down simply by tweeting a link. They were the first hacker group that cultivated a brand name outside of a niche of experts and even had a PR branch. LulzSec also went after highly visible targets associated with security, causing cognitive dissonance and exposing the flawed state of computer network security. This was all part of the plan, as LulzSec said that they relied on such unsophisticated methods precisely to make a joke of the security culture: they got more "lulz" that way.

In the end, perhaps the most cogent media analysis of Lulz Security came from an interview of CTOvision's own Bob Gourley: "Their humor cracks me up... Any unauthorized break-in should be investigated as a crime, and I hope all who participate in those crimes get caught. But as we learn about the forensics after their major attacks, they are going after enterprises that make poor choices when it comes to security. At some point we citizens should expect more from corporate America and our government when it comes to computer security.  Do we blame Lulz for their attack against Sony, or do we blame Sony?"
