LulzSec, Anonymous, and AntiSec: Thoughts on Lulz and Ethical Hacking

By now I think most people are familiar with LulzSec, Anonymous, and other anonymous hacking groups, as they are receiving more and more media coverage in mainstream outlets as well as tech-only reporting sources.  I’ve hesitated to blog about this, namely because I have yet to comprehend everything that is happening, but the longer I wait, the more I realize I’m never going to fully understand it.  Like much of the stuff I’m interested in, it’s too big to judge or sum up in a single blog post.

So instead, I’m going to try to break down my observations and thoughts about this phenomenon in a very basic sense.  I may have attempted in previous posts to make a distinction between malicious hacking and DDoS (distributed-denial-of-service) attacks, but I would like to refine that further using more appropriate terminology.  For some time now, the term hacker has been reclaimed in a positive or at least neutral usage, while “cracking” has been used to describe malicious hacking attempts.  A better classification system, and the one more popular with the hacking groups themselves, runs from “black hats,” or straight-up computer criminals, to “white hats,” or computer security experts.  Most pertinent to this discussion are “gray hats,” those hacking not for personal gain or out of malicious intentions but who technically commit crimes during their hacking endeavors.  Gray hats may seek improved security by breaching the cybersecurity of various organizations, or may leak internal governmental data in order to promote awareness of and accountability concerning human rights abuses by those nations.

DDoS attacks, which flood a server with so much data that the website is forced to go down, are considered gray-hat tactics.  I think I’ve stated previously my belief that DDoS attacks serve as modern-day peaceful protest.  However, I do think the gray area becomes even grayer for some when you take into consideration the motives behind these attacks.  Taking down and even defacing the Zimbabwe government’s website to protest its oppressive regime, for instance, seems more morally upright than taking down for anti-establishment lulz.  But ultimately, neither attack is harmful, especially when compared to black-hat(?) tactics such as leaking 62,000 random logins into the hands of Twitter users, who promptly used the information to gain access to innocent individuals’ email, gaming networks, PayPal, Amazon, Twitter, Facebook, MySpace, and so on.

Despite this, I’m having a hard time condemning LulzSec.  I tend to be more supportive of them when they are targeting governments and corporations—i.e., institutions, whatever those may be—rather than when they are targeting individuals.  At the same time, if you use the same email/password for everything, can you really complain when everything is hijacked?

It’s not so simple, I realize, and the ends don’t justify the means, IRL or online.  In fact, I probably stated earlier that I support Anonymous for their ethical selection of targets, so it should be easy for me to write off LulzSec for their apparent lack of morality.  In conversations with friends and colleagues, however, I find myself against the wall trying to defend (or at least objectively view) hacker activity that can be plausibly likened to hurling bricks through a shop window IRL—damage for the sake of damage, breaking things because they can.  They have hacked, obtained, and disseminated databases from Sony, PBS, Fox, X Factor, Bethesda and other gaming servers (at the request of callers, according to them),, Infragard Atlanta (an FBI affiliate) and; they’ve dropped dox on Karim Hijazi, CEO/President of Unveillance and member of Infragard; they have played with the websites of individuals who exhibit unwarranted self-importance (e.g., claiming to be #1 hackers or hacker-proof).

At the same time, LulzSec has gained more media notoriety in a month or so than Anonymous has since it first entered the fray (Anon has been hacking for years, but as an ethical hacking group it really came together in 2010 during the height of WikiLeaks controversy).  And you can bet your ass Sony employees were chained to the desk toughening their defenses after being hacked multiple times in fairly rapid succession.  LulzSec has utilized “simple SQL injection and Local File Inclusion vulnerabilities, and botnet-powered Distributed Denial of Service attacks” (Ars Technica) that, to some, are too low-level to qualify as hacking.

But the Internet truly exploded on June 17, around 5:48, when LulzSec DDoS’d  By around 6:10, the main page had reappeared but as a facade, but none of the links were working. Immediate Twitter posts tagged #LulzSec include statements ranging from “oh shit they ddos’d the CIA” to “we’ll see who’s laughing when the FBI comes for them.”  Minutes later, th3j35t3r tweeted to LulzSec, “Gloves off […] expect me.”  And at that moment and only that moment, apparently, shit got real.

First, here’s a basic rundown of three of the key players in this ongoing “cyberwar”:

th3j35t3r:  Self-described gray-hat “hacktivist for good.  Obstructing the lines of communication for terrorists, sympathizers, fixers, facilitators, and other general bad guys,” known for his pro-U.S./pro-establishment stance.  Operating since 2010 or earlier, th3j35t3r targets Islamist and jihadi websites and has allegedly attacked WikiLeaks and 4chan as well.  He justifies his attacks by claiming to act out of American patriotism, as he targets those that threaten American security and foreign relations and assets.

LulzSec:  Short for Lulz Security, “the world’s leaders in high-quality entertainment at your expense,” LulzSec is a hacking group seemingly dedicated to exposing and exploiting security breaches online.  Motivated by Schadenfreude, or pleasure derived from others’ misfortune (i.e., lulz).  Allegedly includes members Sabu, Topiary, Nakomis (more like AnonOps), of whom Topiary has been arrested(?).  Nakomis is laughing at all the faildox, which identify him as Casey Gardiner.  I don’t even remember how many different sources I checked to confirm this, and all I can really say is you be the judge.

Anonymous:  The loose digital collective affiliated with the *chans that has increasingly moved from lulz to ethical hacking, mostly targeting repressive groups or nations, especially over issues of censorship.  They are defenders of WikiLeaks, free information, free Internet, etc., and have mobilized to stand with citizens in countries known for their oppressive policies.

Now, in the last week or so, LulzSec has butted heads with th3j35t3r and with Web Ninjas, a hacking group who stands for the hacking victims and is bent on exposing the lulz lizards.  Said lulz lizards have drawn the ire of blackhats TeaMp0isoN_, who believe LulzSec to be “scene fags”; and the FBI and Scotland Yard have been in hot pursuit.  British 19-year-old Ryan Cleary, whose website housed LulzSec’s IRC among other things, was officially “charged with hacking offences” on June 21, namely for botnet-related DDoS attacks and other activity.  LulzSec denied Cleary had any part in LulzSec activities, but shortly after dropped dox on members who snitched, m_nerva and hann.  Cleary, meanwhile, may face extradition to the U.S. for being “suspected of masterminding a global computer hacking plot” (World News Australia).  Despite reports that Cleary was a/the leader of LulzSec, Scotland Yard has not confirmed that the arrest had anything to do with LulzSec (BBC).

Various individuals supposedly affiliated with Anonymous and/or LulzSec have also been arrested as cyberterrorists.  LulzSec members have been doxed(?); members have flipped on members(?); non-members have been arrested; and LulzSec has joined forces with AnonOps and other Anonymous channels for Operation #AntiSec, short for Anti-Security, which is about as anti-establishment as it gets:

As we’re aware, the government and whitehat security terrorists across the world continue to dominate and control our Internet ocean. Sitting pretty on cargo bays full of corrupt booty, they think it’s acceptable to condition and enslave all vessels in sight. Our Lulz Lizard battle fleet is now declaring immediate and unremitting war on the freedom-snatching moderators of 2011.  (LulzSec)

#AntiSec has in turn spawned #ProSec, backed by Red_Penguin and th3j35t3r (call-to-arms here).  While I agree that actions like LulzSec’s and Anonymous’s may cause the masses to believe Internet regulation is not only legitimate but necessary, I also think Operation #ProSec is a little naive.  Contacting government officials does not have to result in action, especially when content/activity can be (mis)construed as a threat to security at home or abroad.  Not to be entirely pessimistic—certainly enough persistence from the right groups can yield new legislation or overall change—but this is not always the case, and in some time-sensitive instances, such as civil war or revolution, change may come too late.  In these cases, unwanted media attention or Internet relays created by hacktivist and free-Internet groups can pressure these governments in a more timely fashion, and thereby, ideally, effect change when that change is needed most.

That has been Anonymous’s modus operandi in targeting repressive regimes.  By contrast, LulzSec celebrated its 1000th tweet with this press release, ending with the following:

This is the Internet, where we screw each other over for a jolt of satisfaction.  There are peons and lulz lizards; trolls and victims.  There’s losers that post shit they think matters, and other losers telling them their shit does not matter.  In this situation, we are both of these parties, because we’re fully aware that every single person that reached this final sentence just wasted a few moments of their time.

Thank you, bitches.

Lulz Security

The group’s lulz manifesto is refined in this press release, as LulzSec argues that releasing information is far better than “playing the silent game,” i.e., sitting on a mountain of accounts, selecting ones to abuse, or silently selling them off.  “This is what you should be fearful of,” they state, not us releasing things publicly, but the fact that someone hasn’t released something publicly.”  They acknowledge that it is evil to release everything in full, but “welcome to 2011.”  They accuse us of loving “the idea of wrecking someone else’s online experience anonymously.  It’s appealing and unique, there are no two account hijackings that are the same […] and certainly no limit to the lulz lizardry that we all partake in on some level.”  They call this part and parcel of the Internet generation—easily distracted, always looking for something more stimulating, the next big fix.  They acknowledge that they may be arrested, and that they “just don’t give a living fuck at this point – you’ll forget about us in 3 months’ time when there’s a new scandal to gawk at.”  And they are demonstrably as willing to extract lulz from their own as they are from the general public, evidenced by the “snitches get stitches” dox.

All the public infighting may be part of the reason why Anonymous members Nakomis(?) and Topiary(?) were doxed, though dox on all members were dropped(??) on namshub by Backtrace Security, itself a group of ex-Anonymous formed to remedy what it perceives as “a betrayal of its roots” (Forbes) which comprise:

Fun-loving, often destructive nihilism, not the political hacktivism Anonymous has focused on for much of the past year.  “[Anonymous] has truly become moralfags,” says Hubris [Backtrace’s leader], using the term for hackers who focus on political and moral causes instead of amoral pranks.  “Anonymous has never been about revolutions. It’s not about the betterment of mankind. It’s the Internet hate machine, or that’s what it’s supposed to be.” (Forbes)

If both having and lacking ethics is enough to incur someone’s wrath, then what is the “correct” motivation?

The more I read, the more I reinforce my own instinctive feeling that yes, it’s all a giant waste of time.  The rhetoric, the drama, the back-and-forth tweeting, the releases, even, despite the lulz.  Everyone is a loser and no one agrees.  It’s the panopticon in reverse, where no one can see anyone but everyone can claim to speak from the center (Schwartz).

It’s 5:00 a.m. and these are the questions keeping me up right now:  Why is it so easy for LulzSec to gain access to these sites and leak this kind of info using such simplistic methods?  Why does it take this kind of public-profile hacking and media attention for these breaches to be corrected?  Why are people trusting enough on the Internet—where social engineering is commonplace and fairly easy to pull off—to use the same login information everywhere?  Why are most media outlets quick to assume rather than verify information through fact-checking?  What constitutes ethical hacking?  When do grayhats become blackhats?  When does it become “cyberterrorism” that merits quicker, harder scrutiny than, say, the way in which bin Laden was finally taken down?

And, finally, why do I find myself hoping that faildox are fail and that LulzSec and Anonymous survive a little longer?  I can’t deny being amused, but I don’t think it’s just about the lulz.  I could say it’s about forcing groups to improve their security, fact-checking, or bias, but that’s tantamount to protest via brick-through-the-window.  (The Stonewall riots come to mind, or perhaps the shoes thrown at Bush by an Iraqi reporter.  I certainly don’t condone the violence of the former, but that attempt to seize back the power is considered the defining event/starting point of the gay rights movement in America.)

So maybe it’s about the discrepancy between what deserves attention and action and what is actually acted on.  While Anonymous tries to answer the need for justice in an often unjust world (e.g., OpIndia), LulzSec seems to echo the notion that there is no real justice—just sharp divisions between lulz lizards and peons.  What this will morph into, as LulzSec and Anonymous work together for #AntiSec, currently defies my comprehension.  It’s still overly simplistic but maybe that’s the point: there is no point, there is no making sense of it, there isn’t much there to make sense of.

Leave a Reply