Over the weekend, Internet hacking group LulzSec, responsible for breaking into such companies as Sony, Nintendo, Sega, the CIA’s web page, the British NHS and others.  None of LulzSec’s hacks seem particularly malicious, that is, they weren’t stealing information and giving it to another government or corporation, or infecting users with malware in order to exploit their systems.

I wrote about the motivations of hackers in this blog post I wrote 3 years ago:

Hacker Ethic

Interpretation of this ethic can vary, but it essentially entails the following beliefs:

  • Information should be free and accessible to all.
  • Access to computers should be unlimited.
  • Computers and the Internet can be a force for the betterment of humanity.
  • Authority is not to be trusted.
  • The principle of decentralization goes hand-in-hand with all of the above.

These fundamental principles, and variations thereof, are commonly held in the hacker community and have evolved over time into some of the ideologies described below.

LulzSec was operating based upon an ideology of Altruism and Hacktivism (or if they weren’t it sure seemed that way).  You can see this by some of their statements: they broke into Nintendo but didn’t do a lot of damage because they liked the Nintendo 64.  But they broke into Sony numerous times and posted usernames, passwords and all sorts of confidential information.  They broke into the government of Arizona because they didn’t like their immigration policy.

Hacktivists use computers in their cause the same way that ideological hippies might chain themselves to trees in order to prevent companies from removing them in order to make way for new buildings, or the way Greenpeace protests whaling boats and oil tankers.  Altruism advocates do things for “the good of the Internet”. 

If you look at LulzSec’s targets and their subsequent statements, there are political causes in the background – at least to some of their statements.  Why would they attack Sony?  They claim that they were motivated by George Hotz for jail breaking the Play Station 3.  They are also involved in the RIAA’s crusade against downloading movies illegally. I remember my time in university when my computer science friends were outraged (!) that CDs were going to be taxed an extra $2 per blank CD, supposedly to combat piracy.  They were also outraged when the government clamped down on Napster, and I see similar outrage when movie studios try to clamp down on bit torrents downloading movies.

From a hacker perspective, companies like Sony represent suppression of information and restriction of Internet users’ freedom of access to entertainment (while ignoring copyright violation; they ignore the fact that property rights and intellectual property are one of the founding principles of western democracies). 

It’s also true that many young people have a left wing tilt – an “anti-establishment, anti-government” view.  The CIA is known for conducting clandestine operations and suppressing human rights (such as waterboarding) and the “anti-immigration” in Arizona can also be interpreted as anti-human rights (Libertarians would probably agree with that).  By going after these entities, the hackers are demonstrating their hacktivist leanings; people that suppress human freedom, either personal freedom (in the case of the government) or freedom of expression (in the case of Sony) will suffer the wrath of the hackers.

Compare this to Nintendo who got off relatively easy because “they like the Nintendo 64”.  I like the N64 as well, I got one in 1997 when I was in my first or second year of university.  Before that I had a Super NES, and an NES before that.  I skipped the GameCube (but borrowed one from a friend and thoroughly enjoyed Zelda: The Windwaker), and now have a Wii.  Nintendo makes games, they aren’t involved “suppressing information" the same way that Sony is. But the fact that the hackers like the N64 and not an earlier system indicates that this was one of their first video game systems.  Since the N64 came out in 1996 and many gamers got their first system early on (let’s say 10 years old), this would place the age range of the hackers in their late teens to mid-to-late twenties.

These hacking operations are slightly different than the 2007 cyber riots in Estonia where hackers launched DDoS attacks against Estonian government websites, and 2008 saw them launch DDoS attacks against the Georgian government.  In that case, nationalistic Russian hackers did this in order to punish those anti-Russian players and had to be stopped.

LulzSec, of course, was not launching a cyberwar against anymore.  But their ideology was not much different.  Indeed, their very name demonstrates the attitude behind the group.  LulzSec, or LOLs Security, is a way of mocking the people who they attack.  By breaking into companies using trivial exploit, they are laughing at weak security of companies whose job it is to protect their users’ privacy.  How can these companies suppress others when their own security is so weak?  These emperors have no clothes and LulzSec is the one to point this out!

This is a clue to the identity behind the group.  By being so vocal about their dealings, the hubris suggests that they are quite young and inexperienced – not technically inexperienced but inexperienced in the ways of life.

Why do I say that?

Because I can relate.  As a hobbyist magician, I have learned my lumps.  One of the principles of magic is subtlety and not drawing attention to certain things (unless you use it as a cover for misdirection).  Case in point – last week I was doing a children’s show and I got a little brash.  When I perform for kids, in every show there is one or two loud mouths that yell out “I know know how it’s done!” and proceed to explain how something is accomplished. In 90% of cases they are wrong.  Sometimes the trick suckers them in and proves them wrong (man, that feels good to shut them up) but once in a while, when the planets align, they are correct.

Anyhow, I was doing this show and the kid was annoying me with his (incorrect) theories and I decided to get really bold and brash.  I thrust a prop towards him to say “See? You’re wrong!” Unfortunately, that was a mistake because a bunch of other kids started blurting out theories and one of them happened to be correct, and the others zeroed in on it.

Oops.

My brashness bit me.  I rarely do something like that but I was on a roll.  I had a flawless show up to that point – flawless, I say – and figured I could get away with this.  I couldn’t.  I’ve been doing magic for 17 years but sometimes I still make amateur mistakes like that.

Notice I said amateur.  A professional would let it roll of his back and I generally do, but my emotions in that moment got the better of me.  The correct thing to do would be to quickly move on to the next effect.  I didn’t, and hubris was my downfall.

People who have been in the business a long time are less prone to letting hubris get the better of them.  If you’re a cyber criminal, you have to be discreet because law enforcement is after you and if you draw attention to yourself, sooner or later you will be caught.  LulzSec was very visible about their breaches. They wanted the attention and were very hubristic about the fact that they would never be caught.  You would only think that way if you don’t have that much life experience.  You wouldn’t have that much life experience if you were still fairly young… and your first video game system were a Nintendo 64… and you saw the world of the Internet as black and white where corporations were bad and all users were good.  It is for that reason that I believe that the members of LulzSec are in their late teens or probably early to mid-twenties, spend a lot of time on the computer and haven’t had that many life experiences to teach them that hubris can lead to their downfall.

They finally had the good sense to back away from their 50 days of Lulz. Unfortunately, by drawing so much attention to themselves they have drawn the ire of law enforcement to themselves.  Will LulzSec get away with it?

One thing is for sure – if they don’t, they will have nobody to blame but themselves.