Why did the hackers at Lulz Security ("LulzSec") invade Sony Pictures websites, take down cia.gov, and release 60,000+ e-mail addresses and passwords? For the lulz, of course—but what might look lulzy to one person could certainly enrage another. In honor of its 1,000th tweet, the witty wankers of LulzSec released a manifesto of sorts, defending their actions to the angry Internets.

Sure, they're in it for the lulz, but they claim that their behavior is also in the public interest. What—don't most public servants end their dispatches with "Thank you, bitches"?

Enemies list



LulzSec certainly has enemies. Gamers in particular have been agitated by the group's attack on login servers for games like EVE Online. Angrier, perhaps, have been those whose e-mail, Facebook, and PayPal account passwords were leaked—and who then had to watch as Twittizens celebrated the sometimes-criminal misuse of those accounts.

"Cheers for the paypal account with £250 in it! ;)" tweeted a user named Murraaayyy. "Oh and just got a random Hotmail with usernames and passwords for Amazon, Ebay, Game, Paypal and Xbox! #LulzSecIsGod."

Murraaayyy soon followed up to say that "whoevers paypal account this is will be receiving; Giant Foam Trollface x 1, Mature Cum Eating Grannies Dvd x 1 and A Fishtank x 1."

Another user wrote that he "ordered a large pack of condoms for an elderly woman on Amazon."

User TheDancingMilk, whose tweets suggest that he's a student, wrote, "@LulzSec Got an Xbox Live, Paypal, Facebook, Twitter, YouTube THE WHOLE LOT! J-J-J-J-J-J-JACKPOT." Most of the hacks apparently came from the LulzSec release of 60,000 e-mail addresses and passwords; many people reuse passwords and commonly use e-mail addresses as usernames, providing easy access to multiple services. That was the case here: "Yeah, idiot had the same password for everything."

(LulzSec has blamed users for this sort of password reuse when it released usernames and passwords from a Sony Pictures hack. "I hear there's been some funny scamming with jacked Sony accounts. That's what you get for using the same password everywhere," the group tweeted. "Hey innocent people whose data we leaked: blame @Sony.")

Such public admissions can invite a quick backlash. After LuzSec retweeted TheDancingMilk's comments, he wrote, "So getting your tweet re-tweeted by @LulzSec automatically makes people DOX you. How fun." ("Dox" refers to publicly posting someone's identifying information; it's usually followed by harassment. Admitting to computer crimes on Twitter, though, may well invite a more private form of "doxing" from the police.)

Lulz lizards



Such accounts are impossible to verify, but LulzSec has apparently been stung by the response to its antics. Its new manifesto admits to having "a mass of enemies, albeit mainly gamers." As for the release of unencrypted usernames and passwords, LulzSec says "hey, it's funny":

Yes, yes, there's always the argument that releasing everything in full is just as evil, what with accounts being stolen and abused, but welcome to 2011. This is the lulz lizard era, where we do things just because we find it entertaining. Watching someone's Facebook picture turn into a penis and seeing their sister's shocked response is priceless. Receiving angry emails from the man you just sent 10 dildos to because he can't secure his Amazon password is priceless. You find it funny to watch havoc unfold, and we find it funny to cause it. We release personal data so that equally evil people can entertain us with what they do with it. Most of you reading this love the idea of wrecking someone else's online experience anonymously. It's appealing and unique, there are no two account hijackings that are the same, no two suddenly enraged girlfriends with the same expression when you admit to killing prostitutes from her boyfriend's recently stolen MSN account, and there's certainly no limit to the lulz lizardry that we all partake in on some level.

But LulzSec says that those upset at the data releases have missed the point. LulzSec claims it is bringing attention to real security issues; other hackers are doing the same things to the same sites, but they're keeping the information private, and probably preparing it for more nefarious uses.

Do you think every hacker announces everything they've hacked? We certainly haven't, and we're damn sure others are playing the silent game. Do you feel safe with your Facebook accounts, your Google Mail accounts, your Skype accounts? What makes you think a hacker isn't silently sitting inside all of these right now, sniping out individual people, or perhaps selling them off? You are a peon to these people. A toy. A string of characters with a value. This is what you should be fearful of, not us releasing things publicly, but the fact that someone hasn't released something publicly. We're sitting on 200,000 Brink users right now that we never gave out. It might make you feel safe knowing we told you, so that Brink users may change their passwords. What if we hadn't told you? No one would be aware of this theft, and we'd have a fresh 200,000 peons to abuse, completely unaware of a breach.

Or perhaps LulzSec is engaged in a philosophical game, holding up a mirror to Internet culture and its love of memes, scandal, and trivia. Do Internet users not, the group asks, demand to be entertained? And is not LulzSec providing that entertainment?

We've been entertaining you 1,000 times with 140 characters or less, and we'll continue creating things that are exciting and new until we're brought to justice, which we might well be. But you know, we just don't give a living fuck at this point - you'll forget about us in 3 months' time when there's a new scandal to gawk at, or a new shiny thing to click on via your 2D light-filled rectangle This is the Internet, where we screw each other over for a jolt of satisfaction. There are peons and lulz lizards; trolls and victims.

If you want to blame someone, says LulzSec, blame human nature—not the individual humans actually doing the hacks, leaking the data, and then logging into other people's accounts.

"Nobody is truly causing the Internet to slip one way or the other," says the statement, "it's an inevitable outcome for us humans."

Update: Just to make it perfectly clear, I am describing the LulzSec arguments in this piece, not endorsing them in any way. It is LulzSec, not Ars, who wants to pin the blame for the entire situation on human nature, etc. I've updated the final section to more explicitly note that these are LulzSec arguments.

Update 2: Interesting response to LulzSec from a former troll who grew up and became "a different person." Money quote:

"Alas, I don't think anything i'll say will register with you. I don't think you have the capability for anything complex because, to be frank, everything you've done has the signature of a child. You will eventually tire of this game because eventually you're going to grow up. Just remember when you do that it's not important what you do - it's who you are. So please, just take a moment and sit down, and i'll tell you how I became the prince of a town called bel air."