You are not as cool as Nyan Cat
There is a revolution happening right now. Whether you are aware of it or not, there’s a pretty good chance that some time in the past 90 days, your personal information was compromised. If you were lucky enough to not have had your credit card stolen, you may have had your personal passwords, your email address, and possibly your personal mailing address stolen. You may ask, “Why would anyone want to do this?” The answer is simpler than you think.
Because it’s hilarious.
The group behind many of the hacks against Sony, PBS, and miscellaneous others is a group known as Lulzsec (Twitter) and if you take a moment or two to browse their site, you’ll notice they are very well versed in their internet memes. Their knowledge of Nyan cats and ASCII art is eclipsed only by their extensive knowledge of internet security and how to destroy it on a whim.
Right now you can download a file from their website that contains over 62,000 random assorted email and password combinations from who-knows-what databases (one of them confirmed to be pron.com) across the internet. If you’re like just about everybody in the world, then you probably use the same password in multiple locations. So it’s likely that if your name is on that list, your Facebook, email, Paypal, or (heaven forbid) your IndyMojo.com account may be compromised.
I’ve been watching these hijinx for a few weeks now and was one of the first 1,000 followers of Lulzsec (they now have over 250,000). I can’t pull my eyes away from them. It’s like a car crash at a NASCAR race. You watch and find yourself somewhat horrified… but it is fascinating. While I feel bad for the end users who have lost their information, I find myself truly cheering at the fact that fat cats in suits finally have to listen to the IT industry and take the time and the money to secure their systems.
If you’re an individual who had their information leaked (seriously… take time and go check), then I feel for you. Here’s the question though: Is Lulzsec really the villain? Sitting in your seat, I’m sure my gut reaction would be “Hell yes, it is!” But these companies like Sony have apparently taken every shortcut in the book. They held your information on a silver platter for hackers by failing to implement even the most basic of security features. They were compromised by a form of cracking that is discussed in day one of any SQL class taught the world over. It’s the equivalent of leaving a hot apple pie on a window sill and wondering why Yogi Bear shows up to ruin your dessert.
If Sony passed me this note, I would burn it
(Photo credit: Antics of an Undergraduate)
If that isn’t bad enough, Sony apparently does not encrypt any of their passwords. That means when you type your password into their form, they simply take it and store it just like you wrote it. So when someone comes along sniffing for info, it’s waiting for them without them having to break a sweat. Remember that SQL class I mentioned? If Day 1 was SQL Injection, then the prerequisite for entering the class would have been a handwritten note with check boxes that said “Should you store password in plain text? Yes or No.” Rumor has it that anyone who answers ‘Yes’ is actually taken into the stock yard and beaten to death with a Lolcat.
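As an added example (not part of the original post, and not code from any company named in it), here is what a copied user table hands over when passwords are stored as typed, next to the same accounts stored as salted, slow hashes. The accounts, passwords and function names are constructed for illustration, and PBKDF2-HMAC-SHA256 is this example's choice of hash.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def store_plaintext(password: str) -> dict:
    """The approach the post describes: keep exactly what the user typed."""
    return {"password": password}


def store_hashed(password: str) -> dict:
    """Keep a random per-user salt and a slow salted digest, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify(password: str, record: dict) -> bool:
    """Re-derive the digest from a login attempt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def leaked_passwords(table: dict) -> list:
    """Passwords readable straight off a copy of the table."""
    return [row["password"] for row in table.values() if "password" in row]


# Constructed sample accounts; two users share a password, as many people do.
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}
plaintext_table = {u: store_plaintext(p) for u, p in USERS.items()}
hashed_table = {u: store_hashed(p) for u, p in USERS.items()}

if __name__ == "__main__":
    print("plaintext dump:", leaked_passwords(plaintext_table))
    print("hashed dump:   ", leaked_passwords(hashed_table))
    # Per-user salts: identical passwords do not produce identical rows.
    print("alice/bob rows differ:",
          hashed_table["alice"]["hash"] != hashed_table["bob"]["hash"])
    print("login still works:", verify("hunter2", hashed_table["alice"]))
```

Hashing does not make a weak or reused password safe once the table is stolen; it raises the cost of recovering each one and keeps a single query from exposing them all at once.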
Don’t get me wrong, Lulzsec is guilty of stealing the information. Just like thousands of other hackers around the world have been guilty of hundreds of thousands of heists since the internet first became a series of tubes. The difference is that Lulzsec is using that information to say that Sony and other corporations are equally guilty for giving you a mirage of security when they cut corners and hired a toddler to put plain text passwords into their database. Don’t take my word for it, check out their 1000th Tweet Press Release.
And I can’t help but find myself agreeing with them. The plain stupidity of these companies is enough to make me wonder if they’re actually aware of what they’ve done, and somewhere in their 300 pages of Terms of Service, they explicitly state, “Oh and by the way… we don’t really feel like worrying about security, so if we get haXXed, we’re sorry. Good luck suing us though because you clicked agree, HAHAHA.”
Long story short, if you own a Twitter account, you should be aware of Lulzsec and keep an eye on what they’re doing. They claim they are now conducting an operation called #AntiSec which is meant to be a joint venture by hackers around the world aiming to take down big corporations and even government agencies to expose just how little they care about our personal security. Whether you cheer them or jeer them, be sure you watch them because you never know if your name will be the next one released.
And if your name IS released next time?
Let’s just go ahead and say that when someone logs into your Facebook account and changes your profile picture to that of a graphic depiction of what may or may not be a donkey making love to a lady of the night… well… it wasn’t me.