If a real crook — the bank-robbing kind, for example — carried out his criminal exploits with half the brazen disregard for authority demonstrated by the hacking group Lulz Security, he'd probably be locked up.
So why, then, is Lulz Security (or LulzSec, to the group's growing number of Twitter followers) still active? If its members are so open about their crimes, why haven't they been caught? Does the group's behavior suggest that its members are courting those who could bring them down?
It seems that way, according to Graham Cluley, senior technology consultant for the security firm Sophos.
"I don't know if they're making themselves an easy target ― that rather depends on how well they're covering their tracks ― but they're certainly making themselves an attractive target for the computer crime authorities," Cluley told SecurityNewsDaily.
Part of what has driven LulzSec to take on big-name targets like the CIA, Nintendo, PBS and Fox.com in recent weeks seems to be the group's almost adolescent approach to hacking, treating it like a game. And this is a game LulzSec seems to be winning.
"The powers that be will be embarrassed by the very public way that LulzSec appear to be 'getting away with it,' and will be keen to bring them to justice — even more so when it's their own websites that are targeted," Cluley said.
Taunting the authorities
Unlike conventional criminals, LulzSec does not shy away from the spotlight. In fact, the group openly embraces it almost any chance it gets.
Announcing its takedowns of the video game company Bethesda Softworks and the website Senate.gov, LulzSec wrote: "Presenting our Bethesda & Senate.gov double surprise release. May the lulz flow through you!" ("Lulz" is an Internet term for laughs or good times, derived from the acronym "LOL," for "laughing out loud.")
As it hacked Sony, LulzSec taunted the company, writing: "Hey @Sony, you know we're making off with a bunch of your internal stuff right now and you haven't even noticed? Slow and steady, guys."
Perhaps most blatantly, LulzSec took down the CIA website on June 15 simply to show it could.
The group often posts jokes, including a June 10 Tweet: "Breaking news: LulzSec leak every email in the world, Facebook users forced to farm real crops as mass account suspension occurs."
And LulzSec even posted a phone number users could call to request websites they wanted attacked.
About Lulz Security's blatant mockery of authority, Mikko Hypponen, chief research officer for the security firm F-Secure, told SecurityNewsDaily, "I don't recall anything quite like this happening before."
"They're one of the most blatant groups I've seen," Cluley said. "Certainly their Twitter activities appear to have garnered them over 100,000 followers in a very short time. Also, the fact that their attacks appear to be so random and without rhyme and reason appears to have caught the imagination of the media."
"The press is very interested, so that adds to the pot," George Smith, a senior fellow at GlobalSecurity.org, told SecurityNewsDaily.
Coincidentally, LulzSec is now engaged in a war of words with Sophos.
In a June 16 blog post, Sophos ridiculed LulzSec's unsophisticated cyberattack methods, equating the group's hacking exploits to "throwing bricks through other people's digital windows."
LulzSec responded on Twitter: "Guess what Sophos, every brick throw doesn't have to involve a double-backflip and secret handshake." The window is shattered either way, LulzSec added, using a stronger word than "shattered."
Should LulzSec be worried?
Cluley suggested that if LulzSec continues its hacking streak — just yesterday (June 16) the group posted 62,000 email addresses and passwords from Writerspace.com — the group eventually will make a costly error.
"LulzSec believe that they are smarter than the authorities — however, I think the more they do, the more opportunities they have to slip up and make a silly mistake," Cluley said. "Things could unravel very quickly for LulzSec if the authorities determine who they are."
Hypponen said the LulzSec pranksters are certainly attracting the attention of those authorities they mock. "There are quite a few people looking for them now," he said.
Smith, however, disagrees. "Worry is probably not high on the agenda right now," he said.
Smith also thinks LulzSec isn't too different from hacking groups that have come and gone in the past.
"Someone may eventually be arrested. But the groups always tend to go on, morph into something else, or members move on to other things," he said. "Agencies and companies and websites will always be hacked and make news. That's an always-on thing."
LulzSec explains itself
In celebration of its 1,000th Tweet, LulzSec took to its website today (June 17) and issued a formal message explaining its motivations.
"Do you think every hacker announces everything they've hacked? We certainly haven't, and we're damn sure others are playing the silent game. Do you feel safe with your Facebook accounts, your Google Mail accounts, your Skype accounts? What makes you think a hacker isn't silently sitting inside all of these right now, sniping out individual people, or perhaps selling them off? You are a peon to these people. A toy. A string of characters with a value. This is what you should be fearful of, not us releasing things publicly, but the fact that someone hasn't released something publicly."
LulzSec went on, even mentioning the possibility of getting caught.
"Nobody is truly causing the Internet to slip one way or the other, it's an inevitable outcome for us humans. We find, we nom nom nom, we move onto something else that's yummier. We've been entertaining you 1000 times with 140 characters or less, and we'll continue creating things that are exciting and new until we're brought to justice, which we might well be. But you know, we just don't give a living f*** at this point — you'll forget about us in 3 months' time when there's a new scandal to gawk at, or a new shiny thing to click on via your 2D light-filled rectangle."