The 50-day campaign of online mayhem that was the existence of Lulz Security will go down in Internet history for any number of reasons. The group of six hackers took down the Web sites of the CIA and the U.S. Congress, exposed a massive amount of documents from Arizona law enforcement agencies, posted a story about Tupac Shakur living in New Zealand on the PBS Web site, and dogged Sony like a well-trained terrier. Along the way, the group styled itself as both an anarchic team of miscreants and a legitimate activist organization, issuing a manifesto and inviting fellow hackers to target corporations and government sites in its Operation Anti-Security. Now that it has officially gone dark, people are trying to piece together an idea of a legacy the group's antics left us with. In fact, it's pretty hard to narrow it down. But here are a few analysts' suggestions for different takeaways.
The LulzSec model will be the precedent for organized hacking in the future: According to PC Magazine's Damon Poeter, the group's campaign demonstrated a new type of organization for hacktivist groups. "The bumbling, opportunistic raid on Sarah Palin's Yahoo email account back in 2008 by anonymous members of 4Chan's /b/ board seems like ages ago," he writes. LulzSec brought together a strong brand name and identity (maintained by its hyperactive but clever Twitter feed), combined with a tight-knit "cadre" that could work together effectively and, most importantly, keep its secrets (so far). They got in, they did what they came to do, and they got out before things too hot.
LulzSec represents a radical backlash to draconian online security laws: The Guardian's Loz Kaye makes the case that the more governments try to control the Web, the more its citizens will resist. LulzSec, he notes "wasn't an isolated or unique phenomenon" among those bucking efforts to "civilize" the Web.
What even the MoD insists on calling "cyberspace" has become contested territory. Many recent events have been fuelled by a fear that the internet is under siege by governments hell-bent on restricting its subversive potential. Nato has added to this perception with violent rhetoric and an expressed desire to penetrate Anonymous. No surprise the response has been "Well, penetrate you, Nato."
LulzSec may have left a trail too close to its members after all: Information Week's Matthew J. Schwartz found a file on Pastebin that purports to name all the members of LulzSec as "Sweden-based Daniel Ackerman Sandberg (aka Topiary), Iowa-based Wesley Bailey (aka Laurelai), New York-based EE or Eekdacat (no name, but an IP address provided), Britain-based Richard Fontaine (aka Uncommon), Hector Xavier Monsegur (Sabu), and Netherlands-based Sven Slootweg (aka Joepie91), amongst others."* That's in addition to a claim last Friday by rival hacker the Jester, that he had the identity of lead LulzSec hacker Sabu. LulzSec has regularly denied that the Jester knew anything about its members, but it hasn't said anything about the other Pastebin file.
LulzSec's legacy may be living in your computer right now: According to MSNBC, the group's big Arizona law enforcement download carried a Trojan virus that may have infected hundreds of thousands of computers already. It also said the most recent download, full of AT&T internal data, contained malware in one file. But Computerworld reported today that the virus report was a "false positive" that may have been either a mistake or a deliberate attempt on LulzSec's part to spread more chaos.
It actually proved its point about lax computer security: The legacy LulzSec wanted to leave was the statement that described its overall mission: Computer security at large corporations and governments is so thin any group of bored teenagers could breach it. As security expert Patrick Gray says on Risky.biz: "LulzSec is running around pummelling some of the world's most powerful organisations into the ground ... for laughs! For lulz! ... Surely that tells you what you need to know about computer security: there isn't any."
*Note: After this story ran, Eekdacat contacted us by email and denied any involvement in Lulz Security, AnonOps, or Operation Payback. In addition, Bailey told Gawker's Adrian Chen in an interview published this afternoon that she was not a member of LulzSec, and had not engaged in any illegal activity.