After upstart hacker collective Lulz Security breached Sony Pictures user data last week and released the source code for the Sony Computer Entertainment Development Network on Monday, Sony has finally alerted its users to the data breach. A PC Magazine post today has a statement from the company warning 37,500 users that their "name, address, email address, telephone number, gender, date of birth, and [Sony] website password and user name" had been obtained and revealed.
Meanwhile, LulzSec continues its campaign of mischief with an overnight attack on a security contracting firm whose Web site has been altered all morning.
After trading barbs with security consultant Joe Black on Twitter yesterday, the hackers went after his site overnight, superimposing a picture of their mascot, Mr. Lulz, on the home page. The hack responds to a challenge on Black & Berg's site. He does seem to be asking for it:
Oddly, Black doesn't seem to be too furious about the hack. He tweeted this impressed-sounding missive today: "@lulzsec We're not sure what happened, we're looking into it. It seems whoever is responsible was very good at covering their tracks. #ninja" He also requested the group "please unfuck our website."
Perhaps, though, it's not that odd that Black is more impressed than annoyed with LulzSec's work. In an essay on Risky.biz today, Patrick Gray suggested that people in the professional hack-fighting world were "secretly getting a kick out of watching these guys go nuts." The logic makes sense:
Security types like LulzSec because they're proving what a mess we're in. They're pointing at the elephant in the room and saying "LOOK AT THE GIGANTIC FUCKING ELEPHANT IN THE ROOM ZOMG WHY CAN'T YOU SEE IT??? ITS TRUNK IS IN YR COFFEE FFS!!!"
There is no security, there will be no security. The horse has bolted, and it's not going to be the infrastructure that's going to change, it's going to be us.
LulzSec is running around pummeling some of the world's most powerful organisations into the ground... for laughs! For lulz! For shits and giggles! Surely that tells you what you need to know about computer security: there isn't any.
But companies such as Sony don't think it's that funny, obviously, because if their customers don't think their data is safe, they won't continue to be customers. LulzSec has not confined its attacks to Sony. It also breached PBS, Nintendo, an FBI security contractor, and the Canadian Conservative Party. It seems the group could easily turn its attention toward companies such as Apple, with its iCloud, or Google, with its online stores of customers' documents, e-mail, and other information. The group tweeted earlier today that "our next target is in our firing line and doesn't even know it yet..." So we should find out soon.