LulzSec Going Apeshit

26 June 2011
I've been asked a lot over the past few days about my opinion of the Lulz Security crew. At the risk of raising the ire of some of the folks in the security community, I'm going to side with Patrick Gray's take on them. The reality is that not a day passes when I can't open the New York Times and find an article about the IMF being compromised, Citigroup getting owned, Nasdaq being compromised, or any more of the litany of high profile "cybercrime" incidents. The reality is, even though Lulz Security is causing mayhem, they're not stealing money, and sadly, they're not exploiting stuff that nobody else could. It's comfortable to think of LulzSec and Anonymous as shadowy uber hackers, but they're not any more or less skilled than any of the other criminals, security researchers, or professionals out there. What they're doing takes some skill, but it isn't that hard. Ultimately they're thumbing their nose at the system, and pointing out its legion flaws, in a very public and humiliating way, which is a good thing. It's high time that people start realizing that the state of modern computer security is not good. There are bigger threat actors on the scene now than ever before, from multi-million-dollar criminal syndicates to state-sponsored actors. The number of targets has exploded with the meteoric rise of internet commerce, mobile devices, cloud computing, and the general move to network everything. This combination is tempered with a security industry that has failed to innovate over the last two decades. Firewalls, antivirus, and intrusion detection are pretty much the same as they've always been. So while there are more dangers, there are no new solutions. Realistically the only reliable defense against these sorts of threats is good people. Having a few good programmers on staff can save organizations from the types of public embarrassments and loss that so many high profile victims are suffering on a daily basis.
One might question how a few people could replace, or supersede, the value of a vendor-supplied solution developed using millions of dollars and countless hours of software production and testing. The reality is that no software ever meets 100% of a customer's needs. At best software meets 90% of an organization's needs, and the last 10% has to be tweaked either by consultants, the vendor, or internal staff. Having good programmers working in a security department means they can close that 10% gap, or even build custom software tailored to the needs of an organization. Every group is different, and part of the reason most commercial solutions fail is because the defenses they employ don't mesh with a customer site's risks and topology. This leaves gaps that are just the sort that attackers will home in on and exploit. Putting a few good people on the job is invaluable. People are flexible, they learn, they adapt, they do all the things that a piece of software inherently cannot do. Ultimately I like LulzSec because they mean job security. I do sympathize with their methods as well though. They're fighting the same fight that security researchers who push for full disclosure have been fighting for many, many years. They're pointing out flaws before (or even after) the bad guys take advantage of them. Sure, it's embarrassing for the Arizona law enforcement to have their internal documents splashed all over the internet, but just think what a Mexican drug trafficking gang could have done with covert access to that data. The vulnerability is there, whether or not LulzSec broadcasts it to the world, and at least after the problem is public it can be fixed. I'm not sure how long of a run LulzSec will have. They've definitely kicked the hornet's nest, and there are a lot of powerful people who would love nothing more than to find and punish members of LulzSec. Sadly, however, this is a misguided effort.
Instead of trying to find and punish the kids who are pointing out that the emperor is naked, we should invest in a few good tailors and fix the problem.