Lulz Security, or LulzSec, is an amorphous, disparate group of digitally connected people who come together periodically to attack a company or a government to make a point. This week it's been Sony (presumably to highlight how it hasn't fixed its security) and Nintendo, to underscore another other gaming firm's security failings. Last week it was PBS and Sony Pictures, with the former targeted for bad-mouthing WikiLeaks, and the latter because it was foolish enough to store customer details in a plain text file on its servers. There may have been more intrusions, but we haven't heard about them.
If this sounds familiar, it is--it's extremely reminiscent of how the online distributed "hacktivist" group Anonymous works. And now, by way of what seems to be a leaked conversation in one of LulzSec's secure chatrooms, it looks like some of the key figures in Anonymous are also key figures in LulzSec.
The leak happened on a security mailing list called Full Disclosure, a distributed discussion system that SecLists.Org labels as: "An unmoderated high-traffic forum for disclosure of security information. Fresh vulnerabilities sometimes hit this list many hours before they pass through the Bugtraq moderation queue. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. Unfortunately, 80% of the posts are worthless drivel, so finding the gems takes patience."
LulzSec's "leak" seems to fall into the good 20% category, and has exposed the code names Topiary, Kayla, and Sabu. These are spokespersons for Anonymous, who have even appeared on camera to talk about Anonymous.
You may question the ethics of either group, and their activities may or may not cross the line into damaging illegality depending on whom you work for, what nation you live in, or your own stance on defacing people's websites and disrupting their business. But both LulzSec and Anonymous claim to be acting in the interests of free speech, online security, political protests and, in some cases, plain good sense. (Such as the Anonymous versus Westboro Baptist Church TV interview and simultaneous hack on WBC's website--shown below.)
But this may not save them from NATO. Yup, the multinational military group is now reportedly targeting groups like LulzSec and Anonymous, as well as leaker sites like WikiLeaks, as part of its new strategy on cyber defense. In NATO's new draft policy on online security, the organization notes that "armed attack" threats are being joined by cyber attack threats on its own IT infrastructure or that of its 28 member nations. It needs such systems to share information among allies, but notes "the time it takes to cross the Atlantic has shrunk to 30 milliseconds compared to 30 minutes for ICBMs" and "a whole new family of actors are emerging on the international stage, such as virtual 'hacktivist' groups." As such, NATO worries about a whole new class of conflict, between groups and/or nation states "or even to conflicts between exclusively virtual entities."
If that all sounds like science fiction or cyberpunk, that's because it is--it's exactly what writers like William Gibson and Neal Stephenson have been predicting. NATO's new study is obviously intended for international level affairs. This is, after all, an an era when China is said to have a crack "Blue Army" of cyberwarriors; when firms like Lockheed Martin are hacked; and when targeted viruses are released--like Stuxnet, against Iran's nuclear facilities. But the study's writer also names Anonymous, and suggests "The longer these attacks persist, the more likely countermeasures will be developed, implemented, the groups will be infiltrated and perpetrators persecuted."
That sounds nasty. But is NATO potentially going to be "persecuting" the wrong guys among its attempts to deflect more serious government-level cyber attacks? Traditional questions on ethics and blame would seem to be in serious need of revisiting.
[Image: Flickr user skenmy]