Anonymous vs. LulzSec: The technology snob’s favorite hacker group.

Information Security Experts Hate Anonymous but Loved This Smart, Wacky Group

Information Security Experts Hate Anonymous but Loved This Smart, Wacky Group

The citizen’s guide to the future.
Dec. 8 2014 11:47 AM
FROM SLATE, NEW AMERICA, AND ASU

The Technology Snob’s Favorite Hacker Group

Those who hate Anonymous adored a hacker group that existed for two short, glorious months.

Lulzsec logo
LulzSec’s iconic logo.

Illustration by Slate. Background image by Thinkstock.

This essay is adapted from Hacker, Hoaxer, Whistleblower, Spy: The Many Faces of Anonymous, by Gabriella Coleman, published by Verso. On the evening of Thursday, Dec. 11, Coleman will be discussing her book with the ACLU’s Christopher Soghoian at a free Future Tense happy hour event in Washington, D.C. For more information and to RSVP, click here.

Here is a question without an easy answer: Who is Anonymous? I have spent more than half a decade spending copious time with Anonymous on chat rooms, during protests, and interviewing participants. Still this question has no easy or at least straightforward answer. Various groups of hackers, technologists, activists, geeks, and unknown parties use the name to organize diverse genres of collective action. These have ranged from humiliating hacks against security firms to technological support for Occupiers or Arab revolutionaries. In some instances, a multitude participates, as was the case with one of their most famous interventions: Operation Payback from December 2010. Anonymous targeted the websites of PayPal and MasterCard after they ceased accepting donations for WikiLeaks.

Anonymous has also involved smaller and more exclusive hacker groups such as LulzSec and Antisec. LulzSec—a crew of renegade hackers who broke away from Anonymous—engaged in a startling 50-day catalytic run that began in early May 2011 and abruptly ended in mid-June, soon after one of their own, Sabu, was apprehended and flipped in less than 24 hours by the FBI. Among LulzSec’s targets were Sony Music Japan, Sony Pictures, Sony BMG (Netherlands and Belgium), PBS, the Arizona Department of Public Safety, the U.S. Senate, the U.K. Serious Organized Crime Agency, Bethesda Softworks, AOL, and AT&T. Despite the avalanche of activity—and numerous intrusions—LulzSec, when compared with Anonymous, was more manageable and contained, at least from an organizational perspective. Its members also hacked with impunity, finally making good on the 2007 Fox News claim that Anonymous was comprised of “hackers on steroids.”

Advertisement

Even the haughtiest of security hackers—those technologists whose skills are channeled toward fortifying computer security—who had earlier snubbed Anonymous cheered on LulzSec. Old-school black hats lived vicariously through LulzSec, in awe of its swagger, its fuck-you-anything-goes attitude, and its bottomless appetite for exposing the pathetic state of Internet security. One Anon Anon (as members of Anonymous call themselves), also once active in the black-hat scene, put it this way in an interview with me: “LulzSec seemed to have a sort of fully formed mythos straight out of the gate while other hacker groups like Cult of the Dead Cow took decades to achieve that.”

Anyone who has hung out with hackers knows that when it comes to technology, all types of hackers are unabashed snobs. This stance is not unique to security hackers versus free-software evangelists, nor is it unique to hackers more generally. Vocational arrogance of this nature is common to craftspeople—doctors, professors, academics, journalists, and furniture makers. It is simple: The fine art of haughtiness pushes one to do better. However (and for reasons that still mostly elude me), when compared with other activities that might also be considered “hacking,” security specialists take elitism to incomparable heights. Praise does not flow easy from the lips of these “infosec” men and women.

Combining this simplified picture with a recognition of infosec’s historical derision of Anonymous allows us to more fully appreciate why the security community’s adoration of LulzSec is all the more remarkable. The following picture from Halloween 2011 might best sum up the community’s rapture:

Lulzsec partytime
LulzSec Halloween costumes.

Courtesy of Alexander Sotirov. Republished with permission.

By dressing up as LulzSec, these New York City–based security hackers were not only living large and having a grand time—they were also giving mad props to the rebel, misfit hackers. While all the characteristics of the LulzSec mythology are represented, there is one element that may not be so obvious: the lack of pants. Many considered LulzSec to be pointing, in badass Internet style, to the fact that the Emperor Has No Clothes. Since forever, security professionals have been yelling from the top of a lonely, wind-swept, barren mountaintop about the dire need for organizations to invest more resources, energy, time, and personnel to implement better security. LulzSec, it seemed, had finally found a way to get people to listen.

Advertisement

One may wonder why security is so weak in a sector so large and profitable. After all, cyber (fear) sells. Not only does the industry regularly sell software scams (such as out-of-the-box software solutions that cannot be configured to address the unique risk profiles of an institution), or products intended to replace a dedicated security team that can do more harm than good, but the initial desire for security itself remains a low priority for many firms, even well-funded ones. One New York City–based security hacker explained: “One of the challenges in security is how to get people to take it seriously because at the executive level it just looks like an expense.” The fact that Sony—a multinational corporation—could get pillaged with such impunity in 2011 (only to be ruthlessly hacked again recently) is an indicator of the depth and nature of the problems. Cases like these make hackers whose mission is to create secure systems completely furious.

LulzSec, more than any other person, report, or group in recent memory, managed to convey a message that many security professionals had been unsuccessfully pitching for more than two decades. The effects echoed the antagonistic antics of L0pht Heavy Industries, a loose association of hackers who regularly met in person. In 1998, during a group conversation, a couple of them coined the term “gray hat” to describe hackers who are ambiguously—and deliberately—situated between the black and white labels that had come to distinguish malicious hackers from more benevolent ones. “Gray hat” hackers are not above acting illegally, but typically they do so only to identify, and publicize, vulnerabilities. L0pht became so successful that in May 1998, seven of its members were invited to testify (in semi-theatrical fashion) to the Committee for Governmental Affairs chaired by Sen. Fred Thompson from Tennessee, a Republican. With his refined, somber, and heavy Southern accent, Thompson introduced the “hacker think tank” and explained that “due to the sensitivity of the work done at the L0pht, they will be using their hacker handles: Mudge, Weld, Brian Oblivion, Kingpin, Space Rogue, Tan, and Stefan.” Muffled laughter rippled through the chambers, likely because hacker handles were superfluous: C-SPAN recorded the testimony and the hackers were unmasked. Their remarks addressed numerous topics, but the bit that stood out was their claim that they could take down the entire Internet in 30 minutes. This was meant not as a threat. It was a plea to improve the abysmal state of Internet security in 1998.

L0pht’s testimony to Congress was deferential; many of the participants wore suits, and an effort was made to present broadly intelligible explanations. LulzSec was not invited to visit Congress—nor could it take down the Internet—but in the course of its errant questing, it managed to deliver a similar message. It made people pay attention to the sordid state of Internet security—not by offering a carefully constructed testimonial, but in the mere course of their travels in search of adventure (which happened to include more than a dozen high-profile hacks along the way). They did so in the face of U.S. laws, like the Computer Fraud and Abuse Act, that were designed to punish any hacker who got caught, regardless of motivation. LulzSec’s gutsy hacks against corporate giants and government agencies, which are now the stuff of legend, were quite effective—maybe even necessary—to get people to wake up.

141208_FT_HackerCOVER

Many hackers I interviewed directly cited LulzSec’s role in making high-level executives listen, at least for a short time (2013 saw a string of massive data breaches: Adobe, Target, Neiman Marcus, Living Social, the Washington State Administrative Office of the Courts, Evernote, Drupal.org, the U.S. Federal Reserve, OkCupid ... the list goes on). A 2011 blog post by security researcher and journalist Patrick Gray titled “Why We Secretly Love LulzSec” was widely read among security professionals and captured their prevailing mood. Gray explained to me the impact his piece had: “It picked up more buzz than anything I’d ever written, including pieces for ZDNet/CNet, the Sydney Morning Herald, The Age, Wired. ...  I’ve written plenty of news stories that went big globally, but this was something entirely different.” In the piece, Gray wrote that

It might be surprising to external observers, but security professionals are also secretly getting a kick out of watching these guys go nuts. ... The mainstream media are having fun criticizing Sony for its poor security, but do we honestly think for a second that the XBox Live network can’t be similarly pwnt? (I know the PSN breach hasn’t been pinned on LulzSec, but the point stands.) Is there any target out there that can’t be “gotten”?
Advertisement

Even if the innumerable security problems plaguing the Internet could not be magically fixed, it was still satisfying to call out the “elephant in the room,” as Patrick Gray tagged it.

LulzSec’s spectacle also revealed the hypocritical charade of many firms, as they performed strange acrobatics to shift blame. A New York City–based security researcher who prefers to remain anonymous explained it:

One thing I think is interesting is that these people [corporations] are getting owned every day, but their info isn’t getting splattered all over the Internet. It’s usually getting owned by people doing it for profit. The irony is that when people are stealing intellectual property for financial advantage, they won’t do anything about it. ... I think it’s ironic now that LulzSec is making people eat their vegetables.

This position was echoed by Chris Wysopal, one of the original members of L0pht, who runs a well-respected security firm:

Corporations take public embarrassment more seriously than stolen intellectual property. The Sony attacks sent chills down the spines of Fortune 100 CISOs and their boards. We had customers come to us and literally say, “I don’t want to be another Sony.” They scanned thousands of websites and remediated hundreds of critical vulnerabilities so that didn’t happen to them. In this way, LulzSec made the Internet more resilient. In some ways it is like a immunization giving your immune system a taste of the virus that would otherwise kill you and force your immune system to work to build protection.
Advertisement

LulzSec’s popularity among security types exceeded its practical role of forcing executives to “eat their vegetables.” Its rich but accessible visual vocabulary incarnated the subversive pleasure and magic of hacking, which are so often left invisible. You may think that making or breaking, exploiting or building, securing and pen-testing cannot involve artistry, creative expression, and pleasure—but this is exactly what these technologists experience: bliss (along with the type of agonizing frustration that only makes the bliss doubly potent in its overcoming). Conveying the nature of this gratification to outsiders is next to impossible, because the technical craft is so esoteric. LulzSec’s publicized antics are the most accurate representation I have ever seen of the look, feel, and sensibilities that attend the pleasures of hacking. And each piece of LulzSec’s iconography symbolizes both the sensual and ideological sides of this world: the boat (standing for the pirate freedom of the high seas), the man with the monocle and suit (snooty l33t hacker), the cat (because if it is related to the Internet, there must be felines), the music (hacking to music is always preferable to doing the deed in silence), manifestos (free expression, dammit!), and law breaking (because rules, fuck them). LulzSec embodied the pleasure of hacking and subversion like no other group. LulzSec also represented a site of longing and fantasy. What the team did so blatantly was something many hackers wished they were doing. Some had certainly experienced the same illicit pleasures in days gone by, when the world of computing first opened up to them through exploration and tinkering—but this was typically done without a massive global audience.        

Now, not all hackers adored LulzSec. Hack the Planet, a hacker group that loved to pwn Anonymous, extended its loathing to LulzSec. As one LulzSec member who goes by the name pwnsauce put it, “HTP saw us as attention-whoring fucknuggets, basically.” HTP’s viewpoint reflects a long-held ethos in the hacker underground, one that drives some hackers to snub those seeking attention from the mainstream press (attention is anathema to staying out of the “clink”—and LulzSec proved the wisdom of this folk ethos). Even if LulzSec hackers did not do many interviews, they were nevertheless doing everything possible to land major stories by drawing as much attention to themselves as possible. They once did so by attacking the media itself.

Future Tense is a collaboration among Arizona State University, New America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, visit the Future Tense blog and the Future Tense home page. You can also follow us on Twitter.