The media chums up with LulzSec hackers once again

It's incomprehensible to me, but the media has had a long love affair with hackers.

Of course, they don't *always* love internet criminals - just ask any of the media organisations which had its social media accounts or email inboxes compromised by the likes of the Syrian Electronic Army.

But there's no doubt that many in the mainstream press take the view that those who break into computer systems are just mischievous scallywags - modern day Robin Hoods who aren't causing any serious harm.

Yesterday, for instance, CBS This Morning published a short extract of an interview it conducted with Hector Monsegur (aka "Sabu"), one of the founders of the notorious hacking group LulzSec.

Sabu, you will remember, secretly turned informant after he was collared by the FBI, and helped them identify and entrap other members of the group.

I have no problem with Monsegur helping the Feds catch more cybercriminals. That's a good thing. And I think it was definitely sensible for him to assist the authorities, particularly as he had two young children in his care who would certainly have suffered if he had ended up behind bars for a long period of time.


But I do wish that, rather than chortling along at Monsegur's anecdotes, the journalist had had the guts to say:

"But hang on - weren't you being a bit of dick? Was this any way for a grown man to behave? Did you ever think about the innocent people on the internet who you were harming?"

After all, LulzSec is the group which, amongst other things, did the following:

  • Published the personal email correspondence, names, phone numbers, home addresses and passwords of law enforcement officers - potentially putting them and their families in danger.
  • Pointlessly knocked popular online games offline through denial-of-service attacks.
  • Released hundreds of thousands of email address/password combinations, potentially putting internet users' privacy and security at risk.
  • Encouraged others to break into Amazon accounts, and buy goods (of a sexual or embarrassing nature) to send to the unsuspecting victims.
  • Hacked into innocent Facebook users' accounts, and changed their profile photos to pornographic images.

LulzSec's own manifesto underlines that they had no qualms about the damage they could cause to innocent people:

Yes, yes, there's always the argument that releasing everything in full is just as evil, what with accounts being stolen and abused, but welcome to 2011. This is the lulz lizard era, where we do things just because we find it entertaining. Watching someone's Facebook picture turn into a penis and seeing their sister's shocked response is priceless. Receiving angry emails from the man you just sent 10 dildos to because he can't secure his Amazon password is priceless. You find it funny to watch havoc unfold, and we find it funny to cause it. We release personal data so that equally evil people can entertain us with what they do with it.

Of course, LulzSec would typically argue that it was demonstrating the poor security of organisations, and raising awareness of a deeper problem. But they never convincingly explained how a belief in improving security could sit alongside their activities of exposing the personal information of innocent individuals.

Monsegur's cheery interview with CBS is far from the first time that one of the LulzSec hackers has cast a spell over adoring journalists. We saw similar things with Jake Davis, who - as "Topiary" - acted as LulzSec's main spokesperson despite his lack of techie skills, and even contributed to a recent Royal Court play about the group's antics entitled "Teh Internet is Serious Business" (sic).

Let's stop laughing along at the antics of malicious hackers. They're not our buddies. At the very best they're unethical, immoral twits. And in many cases they're no more worthy of our affection or attention than regular criminals.

I'd like to see the people who don't take the short cut to riches of a life of crime, but instead work hard to better protect the computer systems of all of us. They're the ones who should be lauded and interviewed on national TV.



6 Responses

  1. Andy

    December 10, 2014 at 8:02 pm #

    There is no doubt that Sabu had great technical skills, but there he was fleecing the taxpayers and living in public housing while he was a public menace. The court system doesn't seem to know how to deal with these hooligans. The courts will put them on house arrest when there were/are people who rarely left home. It would be more fitting to make them get a job doing something like laying blacktop or cleaning stables.

  2. Coyote

    December 10, 2014 at 11:53 pm #

    In a word: sensationalism. When I read a certain article not long ago (BBC most likely) on this very subject, I was not surprised at all. I believe it was in Russia but in any case some news agency decided they'd try to give news for 24 hours about positive only. The loss in viewers… was, not surprisingly, quite high.

    Otherwise:
    LulzSec's claim there (about how things have changed, it is now 2011… /yawn) is just a more recent version of gH (remember them?) and… and… so many others from over the years (and don't even get me started on Kevin Mitnick…). It doesn't change reality though. It isn't somehow new. Even the 90s weren't new in that regard. Ken Thompson wrote about this in the 80s and how (speaking of media) it is causing a problem: on the one hand, they are making them (those causing trouble) seem as just.. mischief makers… but yet, they are at the same time ignoring the fact that they are guilty of a federal offence. 2011 is quite young then, in comparison, is it not? But whatever makes them feel better, that really is what they'll do. Sure, we're all guilty of at least _something_ but the above is hardly pleasant and certainly not legit.

    Quote of Ken Thompson himself (shortly after explaining that he cannot be trusted but he was making a point about not being able to trust source code unless you actually wrote it because … well his example is quite interesting to programmers who are in to security, too… and it isn't all that difficult, what he did, either):

    "I would like to criticize the press in its handling of the "hackers," the 414 gang, the Dalton gang, etc. The acts performed by these kids are vandalism at best and probably trespass and theft at worst. It is only the inadequacy of the criminal code that saves the hackers from very serious prosecution. The companies that are vulnerable to this activity (and most large companies are very vulnerable) are pressing hard to update the criminal code. Unauthorized access to computer systems is already a serious crime in a few states and is currently being addressed in many more state legislatures as well as Congress.

    There is an explosive situation brewing. On the one hand, the press, television, and movies make heroes of vandals by calling them whiz kids. On the other hand, the acts performed by these kids will soon be punishable by years in prison.

    I have watched kids testifying before Congress. It is clear that they are completely unaware of the seriousness of their acts. There is obviously a cultural gap. The act of breaking into a computer system has to have the same social stigma as breaking into a neighbor's house. It should not matter that the neighbor's door is unlocked. The press must learn that misguided use of a computer is no more amazing than drunk driving of an automobile."

    (I wish that the media did not take over that word, though… but what's done is done)

    • Coyote in reply to Coyote.

      December 11, 2014 at 12:00 am #

      As an edit of sort: I'm not sure when the specific law I am referring to was passed. I think that was a few years later (88 maybe, but I honestly don't know off hand). Still, his point is the same, as is mine. As is yours. They are wording things in order to get more viewers, to get more money, to cause more excitement, whatever else. It is misguided and I seriously doubt it'll ever change (because people just love the sensationalism, they love seeing/reading/listening/living negative). Either way, it doesn't serve any person, any entity any good at all. It does serve some harm, however. It seems that is what the coins and bills are printed from (and for). Unfortunately, the fact it would be 'change' means a lot: many people fear change so there is less chance there will be change.

  3. gorse

    December 11, 2014 at 9:48 am #

    Has anyone interviewed the CTO of Sony recently? Not condoning lulzsec but we aren't entrusting lulzsec with our data (a shame, as they are better qualified to maintain it). Small EU fines aside (IIRC) I don't see Sony being pilloried for their gross negligence. It's somewhat disingenuous to leave your doors and windows wide open for years then moan when you get burgled

    It's lucky for consumers lulzsec were into the lulz in a public fashion otherwise how many more people would have had access to our data aside from the pro's who got there before lulzsec?

    In the grand scheme of things lulzsec serve their purpose, but they are not the villains of the piece. It is wrong that skiddies typically get more jail time than most rapists, whilst those guilty of gross negligence with our data continue to have nice careers. And apparently have not even learned the lessons of the lulzsec era.

    • Coyote in reply to gorse.

      December 12, 2014 at 5:58 pm #

      The pros as you put it would be those who do it legally (or are not known but even then they would have ethics most likely). Unfortunately, LulzSec did not just do that – see the list in the post here.

      To be blunt, all of those things listed (I remember some, I don't remember all, but if Graham has it then it certainly is not meant to mislead – it would 99.99% be all true, and the fraction is likely true too, only that I leave a small bit in case something was falsely claimed/reported in the past) they did defy the original hacker ethics (yes, there is such a thing). While they are not the first by any means (actually they are quite young, very young indeed), it still doesn't change the fact that those deeds have a serious lacking in the ethics department. Yes, there's been much worse cases but that's besides the point.

      They serve their own purpose and while they might have exposed some flaws (and good!), when they do it that way (I recall they did alert the NHS of a risk which the NHS dismissed, but at least they didn't breach it – this is an example of a commendable thing), it is – if nothing else – unauthorised (and in this day and age it is illegal). The more recent idea of 'bug bounty' is only new in that it involves pay out. The concept itself is old. I remember it years ago and in fact I'm guilty as charged there. I'm not saying all they did was wrong but what I am saying is the following:

      Yes, the corporations don't follow best practices. Yes, that is irresponsible. But so is making public all that contact information (and then there is the issue of DoS and DDoS attacks being censorship if nothing else… and again, both are ancient). And while a corporation might be forgiven for being ignorant (at least if they do try to better themselves following it – and becoming prey more than once isn't necessarily an indication of not trying although certainly those that don't try would fall prey again), as long as they handle it responsibly, that's what matters. Let's say LulzSec breached their network but then reported it to them (or alternatively found flaws that would allow that, as in the case of the NHS). While the former might lead to them being prosecuted, it would depend on the company and their policies. The latter would be appreciated (usually, not always… I won't name any company like eBay/PayPal but unfortunately it isn't always appreciated).

      There's one other point to consider here: the ONLY parties that have the RIGHT to your private information – be it email, telephone number, address, whatever else – are those YOU give it to. And the information is to be respected by their privacy policy (legally – ethically they maybe should be more respectful but that's not reality). There are no exceptions here. Privacy is incredibly important and not only to security. Allow is unfortunately loosely defined but in some cases (like purchases, for one example) you have choices to make: you don't have to buy from a company if you don't want to. The LulzSec era is rather amusing to me but I'm an old hat… (and yet, I have friends that go further back than me, by a lot, and they aren't in the Ken Thompson/Dennis Ritchie or even next generation). (Yes, those doing heinous crimes are given too lenient terms but this is completely different and in fact, I'm sorry to say, there is the issue of 'revenge porn' and the like, which IS over the wires and through the air… it is still abuse though!). As for your question, which I imagine is rhetorical but that's all the more reason I should answer it: many more than you might think have (your) information. But that's not new, either… and is frankly irrelevant to LulzSec.

  4. Coyote

    December 14, 2014 at 4:44 pm #

    Interesting. I thought I responded to this but apparently I went off on (love how logical languages can be…) the idea of sensationalism. So:
    "Let’s stop laughing along at the antics of malicious hackers. They’re not our buddies. At the very best they’re unethical, immoral twits. And in many cases they’re no more worthy of our affection or attention than regular criminals."

    I just love the last sentence there. I would argue in some ways (and in the cases you refer to especially) they are worth less affection (of course it seems people do enjoy reading about criminals which is maybe part of the problem). Mitnick is a perfect example. Besides not learning his lesson the first time, besides being nothing but a social engineer, there was the hilarious issue of:
    At some point after his release (2001 if I am remembering right) and that means second release, he was teaching and offering a certificate on the art of bull… Yes, that's quite a great skill to have (one that doesn't take much effort really when you consider humans are the weakest link in the chain …)! I'm equally certain that that is something that law-abiding citizens don't need, either. Learning that people will social engineer (so be aware) is fine, using it as part of your tool set is fine (although if you're not authorised there then it isn't but that's another issue entirely!) but to rely on it is pathetic. And that's not even all with Mitnick because of what he did before his first arrest (and he always played the blame game.. whine whine whine.. he even blamed the movie War Games for his treatment by the authorities… and whether or not some of it was absurd claims – some was – he still had himself to blame for being in the position he was in). He still played the blame game when someone compromised his server ("it was my provider's fault…"). Problem with that latter bit is it happened more than once.

    "I’d like to see the people who don’t take the short cut to riches of a life of crime, but instead work hard to better protect the computer systems of all of us. They’re the ones who should be lauded and interviewed on national TV."
    True but then there is sensationalism, again. It would be interesting to have a side-by-side but the problem there is finding someone worthy to match a security researcher, that also was on the 'dark side', as it were. I can think of many I'd like to see interviews of but not many modern day 'hackers'.
