Patrick Gray of the Risky Business security podcast says many internet security professionals "secretly love" the ongoing antics of hacker group Lulzsec because it's forcing the public to come to grips with the sad state of online security.
The hacker collective that calls itself Lulzsec has made an awful lot of noise in recent days, hacking Sony, Nintendo, PBS and the security firm Black & Berg. The last attack came in response to a challenge from senior security consultant Joe Black, who offered a prize of $10,000 and a job with his company to anyone who could do it. By all appearances the group was able to pull off the attack with relative ease, but it nonetheless declined the prize. "Done, that was easy," it wrote in a message that, at last check, was still on the site. "Keep your money, we do it for the lulz."
Victims of such attacks probably don't find it very funny but according to Gray, it's not just "the Internetz" who are having a laugh watching Lulzsec do its thing. "It might be surprising to external observers, but security professionals are also secretly getting a kick out of watching these guys go nuts," he wrote in an article entitled "Why We Secretly Love Lulzsec."
"For the last ten years I've been working in media, trying to raise awareness of the idea that maybe, just maybe, using insecure computers to hold your secrets, conduct your commerce and run your infrastructure is a shitty idea," he continued. "No one who mattered listened. Executives think it's FUD. They honestly think that if they keep paying their annual AV subscriptions they'll be shielded by Mr. Norton's magic cloak."
But where op-eds and consultancy papers have failed, the very public beat-down delivered to the PlayStation Network in April has, at least in terms of attracting attention, been a smashing success. For those who have been preaching to empty houses about the need for tighter online security, that's great news.
"Security types like LulzSec because they're proving what a mess we're in. They're pointing at the elephant in the room and saying, 'LOOK AT THE GIGANTIC F*CKING ELEPHANT IN THE ROOM ZOMG WHY CAN'T YOU SEE IT??? ITS TRUNK IS IN YR COFFEE FFS!!!'" he wrote. "There is no security, there will be no security. The horse has bolted, and it's not going to be the infrastructure that's going to change, it's going to be us."
He noted that the popular response to the PSN attack has been to heap scorn upon Sony but claimed that such an attack could, and still can, happen to anyone. He also pointed out that "state-sponsored hackers, likely Chinese," have even been able to break into networks belonging to major U.S. military-industrial corporations and make off with sensitive information.
"LulzSec is running around pummeling some of the world's most powerful organizations into the ground... for laughs! For lulz! For shits and giggles!" he added. "Surely that tells you what you need to know about computer security: there isn't any."
As for "senior security advisor" Joe Black, his day just kept getting worse. The attention drawn to his site by the Lulzsec attack led to the rather awkward revelation that Black is, to put it bluntly, a fake. "Attrition.org broke a story back in February on how Joe Black has used social media to create his 'Security God' image. Needless to say, they debunked the entire image," the Jaded Security website reported. "Unfortunately, real security guys are the only ones who actually read Attrition, and Joe Black was able to continue in his path to self-proclaimed 'Security God'." The site noted that while Black claims to be working on his Master's in Security Management, he actually withdrew from every course he was enrolled in back in January 2009, and there are also some apparently important security certifications missing from his CV.
That's some pretty serious lulz right there.