Just a day after the ‘retirement’ of hack-the-world-and-expose-random-people’s-data cyberbreach group LulzSec, and the official announcement is old news.
The world is already in a questioning frenzy about what happens next.
Sadly, the questions are often of an unanswerable sort: inviting speculation, possibly even wild speculation; or trying to squeeze conclusions from unsupportable, possibly even wildly incorrect, starting points.
Here’s one example. “Do you think,” one questioner asked me, “that LulzSec was as sophisticated as it made out?”
But LulzSec never made any particular claims about sophistication. Also, it trumpeted only its successes, and didn’t enumerate those sites which it tried to hack but failed.
Perhaps a better question might be, “Would the level of sophistication of LulzSec affect the criminality of its exploits?” (That’s a rhetorical question, though one you are welcome to ponder for yourself.)
Another interrogator wanted to know, “Has LulzSec really disbanded? What do you think they’ll do next?”
You’ll have to make your own mind up on that. You can read LulzSec’s press releases, and you can look at the LulzSec Twitter feed. Do you think they’re honourable, and can be taken at their word? Does it matter? Do we not collectively care enough about security and privacy to lift our game regardless?
And yet another inquisitor posed the question, “Has LulzSec quit because it achieved its goal of raising security awareness?”
Why ask me?
LulzSec’s own press release offers the explanation that: “we must now sail into the distance, leaving behind – we hope – inspiration, fear, denial, happiness, approval, disapproval, mockery, embarrassment, thoughtfulness, jealousy, hate, even love. If anything, we hope we had a microscopic impact on someone, somewhere. Anywhere.”
That’s a rather generic and mixed bag of things LulzSec hopes to have achieved. Both love and hate, for example; both approval and disapproval.
Notably absent, though, is the explicit mention of achieving “better protected networks worldwide.”
You have to decide for yourself whether this outcome is subsumed in the desire to have provoked inspiration, or whether LulzSec’s inspiration was merely to persuade others to start stealing data too.
So, instead of allowing yourself to be sucked into the raft of speculation about LulzSec, its skills, its motivation and its achievements, why not take an interest in some financially punchy evidence of the risk which cybercrime in general poses to our economy?
Last week, for instance, the FBI announced a co-ordinated twelve-country bust against a cybergang who’d been selling fake anti-virus, also known as scareware.
The estimate by the FBI, which is perfectly believable, is that this one group managed to trick close to a million people into spending an average of $75 each on software which is a worthless pack of lies. A believable pack of lies, but lies nevertheless.
So if you must speculate about cybersecurity and the lessons to be learned, try to guess what percentage of the total amount stolen in scareware scams alone each year is represented by this one $72,000,000 bust.
And if you’re still waiting for a “big moment” to help you decide that security is worth something, and isn’t merely a drain on operating expenses…
…then it’s time to take off your Joo Janta Peril Sensitive Sunglasses [*] and to smell the coffee. (We’ve enjoyed such a raft of mixed-up coverage so far in the LulzSec journey that one more mixed metaphor will surely do no harm.)
For a handy review of recent cybersecurity news, including plenty of issues in the more-interesting-than-LulzSec category, why not take a listen to the latest Sophos Security Chet Chat 65? This is a quarter-hour podcast which mixes news, opinion, advice and research: