LulzSec, Sony, And The Rise Of A New Breed Of Hacker
NEW YORK -- When a new hacking entity calling itself LulzSec claimed credit for a barrage of recent attacks on Sony and several other companies, many cyber-security experts found themselves grasping for a term to describe the attackers.
Hackers often divide themselves into two groups -- the "black hat" hackers, who exploit the vulnerabilities of their victims for profit, and the "white hat" hackers, who point out those weaknesses so that the vulnerable can take the proper measures to protect themselves. Yet as several experts pointed out recently, LulzSec doesn’t really fit into either of those categories, and that slipperiness, combined with the group’s sudden prominence, speaks to how hacker culture is changing.
In the wake of the April attack that exposed the records of more than 100 million customers of the Sony PlayStation Network, a crime whose perpetrators remain unknown, LulzSec has claimed responsibility for additional attacks on Sony, as well as hacks against PBS, Nintendo and InfraGard, an organization affiliated with the FBI.
In a press statement released last week, the group wrote, "We recently broke into SonyPictures.com and compromised over 1,000,000 users' personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts." LulzSec also claimed to have gotten hold of "3.5 million 'music coupons,'" which the group then invited the public to "plunder."
Their motivation, it seemed, was something other than monetary gain. But what? An introduction on their website offers a clue: "We have now taken it upon ourselves to spread fun, fun, fun… "
Jeff Moss, the founder of Defcon, the world’s largest hacking conference, told HuffPost, "We’re struggling with labels to describe what they're doing." He brought up the term "gray hats," which has been around at least since the late 1990s and is about as ambiguous as it sounds.
"You could call them 'gray hats' in the sense that they're breaking laws," he said, "but they're not, as far as I can tell, stealing secrets and trying to sell them, like corporate espionage, and as far as I can tell they're not blackmailing anybody or holding anybody ransom."
Moss drew a connection to George Hotz, also known as geohot, a 21-year-old hacker who was sued by Sony earlier this year and whose conflict with the company sparked a retaliation against Sony in early April by the hacker collective Anonymous.
In 2010 Hotz figured out a way to break into his Sony PlayStation 3 console and use it to run a third-party application. Sony then issued an update for the gaming console that shored up its hardware defenses.
"This angered all these tinkerers and all these people who’d been doing things with the PS3," said Moss. "Something that was previously fine and that they’d paid for was no longer fine. They felt totally abused by this corporate giant."
Hotz found a way get past Sony's hardware security yet again, and many in the hacker community hailed him as a hero. LulzSec’s battle against Sony, Moss suggested, may be related to Hotz's cause.
"It sounds like it’s a protest," Moss said. "I don't want to use the term 'hactivist' -- it seems like half of it is, they have these goals and these lofty ideals, and then the other half is, they want to pile it on, like vandals having fun."
Jeremiah Grossman, the chief technology officer at the firm WhiteHat Security, Inc., rejected the term "gray hat" as a classification for LulzSec. Yet, like Moss, he suggested that the Sony attacks may have been motivated by Hotz's lawsuit. (The suit was settled out of court earlier this year.)
"These are people who were not too pleased with Sony going after one of their own," he said.
Grossman defined a "gray hat" attack as one in which the hacker uses illegal means to harm a government or institution deemed unethical. In contrast, he said, "What they're going for is not politically-motivated or anything like that. I guess you'd call it revenge."
Regardless of how these attacks are classified, said Grossman, they underscore a point that cyber-security researchers are always trying to hammer home: as the Internet grows, companies are growing more and more vulnerable to attacks of all kinds and should take precautions that they might not have considered necessary in the past.
"Back in the old days," he said, "if you wanted to rob a bank you had to drive to it and take out the money. Now you can be anywhere in the world. When you're conducting legal actions against one person, like geohot, all the people who liked his work and enjoyed his cause can go after you directly, no matter where in the world they are."
"Sony made a good legal case against geohot," Grossman added. Yet because of hackers like LulzSec, he said, not to mention the massive attacks in April, "It might not have been the best choice for them to go after him the way they did."