LulzSec? Hackers? Here’s a real challenge…

As fellow Naked Security commentator Graham Cluley already reported, the latest news from media-savvy “fun-hacking” crew LulzSec is that it organised a Distributed Denial of Service attack (DDoS) against the cia.gov website, sporadically making it slow, unresponsive or inaccessible.

This is the latest in a slew of “hacks” mounted by the group, whose recent targets have been as mixed as its motivation is unclear.

LulzSec has targeted Sony, the US Senate, an affiliate of the FBI, a range of online games, the CIA, Nintendo, and even PBS – the US public television network which gave the world Sesame Street.

Take that, Elmo.

But why?

I suppose that if you really must find a silver lining to what LulzSec is doing (and who knows whether LulzSec is he, she or they?), take heed that most of the LulzSec website break-ins look to have been languorously orchestrated, using nothing more sophisticated than entry-level automatic web database bug-finding tools, available for free online.

In other words, LulzSec is a timely wake-up call to better security if you are still asleep at the wheel. Your customers’ data is important – both to them and to you.

But the end doesn't justify the means. Time spent throwing bricks through other people's digital windows doesn't actually teach anyone anything about glassmaking, glazing or civil engineering.

If you consider yourself a hacker and you have time to spare, but you're tempted by "hacking" such as DDoSes or gratuitous break-ins, why not use your skills for active benefit instead? Follow the lead of a guy like Johnny Long and hackersforcharity.org

I challenge you to look at Johnny’s website and then side with the 40% of people in our poll who decided that LulzSec is both amusing and a worthwhile cause. Here’s what Johnny said in his Schmoocon 2011 address – which you can watch on-line. A hacker, speaking to hackers, on the topic: “Hack the planet”:

You guys remember Estonia, right? You remember all the bad press, and all the crap that hackers did to destroy a country? What I'm thinking is, "Why don't we just do the opposite?" Why don't we take [Uganda,] a country that's getting the [cyber-stuffing beaten] out of it for no apparent reason, that has some resources but needs your help...why don't we step in and help them out?"

When I say challenge, I’m not throwing down the gauntlet for a penetration testing challenge, or a command-injection competition. I’m talking about a moral and ethical challenge.

The great thing about getting into activities like Johnny’s is that you actually get to help – and to teach – thousands of people indirectly. And you can be open about it. You can tell other people; you can put it on your resume; you can dine out on it, if you wish. You’re a real hacker, and you can prove it.

But throw in your lot with LulzSec-like activities instead and you’ll spend the rest of your digital life hoping no-one finds out.