I'm cross-posting this to DSLR also since these are the places I used to spend quite a bit of time at back in the old days. I was originally going to write up an article for a security blog, but have decided to just sit back and watch the drama between lulzsec and the security industry because this just gets weirder and weirder the more I've dug into what's going on here and I'm no longer sure that this is what it seems. Instead, I'm going to put forth some information to google for those interested in this continuing saga and let others have at it. A word of warning first: don't use Windows to dig too deeply. A number of off-ramps are polluted with things that are not good for Windows to see. But if you have OSX, Linux or want to download a free crippled copy of KNOS from CNET or Softpedia or one of the other download sites and make a CD to surf with, you'll be safe wherever your trail takes you. Just be careful if you use Windows ...

An explanation of my own interest is in order here as well: Back in the days when I was involved with BOClean, we took an entirely different approach in developing our "signatures" for malware. The standard method of AVs, ATs and the like is to simply take a sample, generate a CRC32 or an SHA1 of the file and you have your signature and move on to the next one. All this method ensured was that if another copy of that exact same file was encountered, it would be detected. Since BOClean had the advantage of a memory scan where any packing or other obfuscation trick was voided once in memory, my unique choice was to actually study the individual authors and find a pattern (often text-based) that was a personal "signature" of the individual programmer that could be relied upon to be found in their NEXT "release."
That was our secret to handling future "zero day" releases because if you investigated the source and pinned down THEIR behavior, you were sure to have something you could count on to happen again in addition to the default file pattern match. As a result, my own "behavior based" detection was the author themselves and so investigating the authors was something I enjoyed greatly and paid a lot of attention to. More importantly, investigating their builder code and how those worked since most of their "upgrades" involved newly assembled code which was "joined" by the same old toolkits. Finally, seeing how groups of authors would trade code. There were many commonalities since there was a limited number of authors who wrote successful infectors. This tack was the reason for our ability to do what we did successfully with such limited resources against so many new exploits back in the day. So naturally, this whole lulzsec thing was almost nostalgic for me and I have to admit I've been sucked in studying what lulzsec has been up to and more importantly trying to wrap my mind around who they are and what they're about in wanting to see about taking them out like I used to do in the BOClean days. What amazed me the most though was how *easy* it was to amass enough information to identify many of those involved in lulzsec and their history. It almost became anticlimactic in that I had pretty much pinned it down in less than four hours of googling. And from that, my wonder turned from who these people are to why they're continuing their rampage in the face of professional spooks that should have taken them out quite a while ago. Even more disturbing is that a number of the people involved have already been arrested before and are apparently "double agents." Therefore, what I'm going to do is publish just a little of what I've encountered for folks here to play with and confirm or deny to me after your own "investigation" if this whole thing doesn't smell mighty fishy. 
So here's the players for you to google, and I'll toss in a few interesting little morsels of some captured chats. I'm sure folks already know about the lulzsec.com ( http://lulzsecurity.com/ ) site and their @LulzSec twitter site ( http://twitter.com/#!/lulzsec ) ... no secrets there. The participants however are worth a google, and I'm going to toss some names and keywords out for you to go hunting ... but first, the culprits: Topiary (already arrested and known to Law Enforcement), Corey Barnhill -aka (Kayla), Hector Xavier Montsegur -aka Xavier de Leon -aka (Sabu), Chris Ellison -aka (Avunit), Soloman Saleh -aka (Tflow).

First google stop for the lulz is "topiary barrett brown" ... "topiary" in particular is an interesting character who was involved in the HB Gary episode and apparently the paymaster for lulzsec as this interesting snippet of log shows: http://lulzsecexposed.blogspot.com/

Some additional interesting reading here on the Barret Brown side and how the media circus is going. Keywords for google: "Gregg Housh marblecake"

Story on the breakup between "anonymous" and "lulzsec" here: http://www.neogaf.com/forum/showthread.php?t=434234

Here's "Jester's" information on the drama: http://th3j35t3r.wordpress.com/2011..._source=Jesters Court Blog&utm_medium=twitter

More drama from seclists: http://seclists.org/fulldisclosure/2011/Jun/75

Some theory on it all from reddit: http://www.reddit.com/r/4chan/comments/i0fim/lulzsec_pretty_well_documented_theory/

--- So follow the players; unfortunately my local captures of more drama snatched from twitter and other sources have vanished, but if you encounter 404s searching on google, those google caches are your friend. But once again, I warn heavily that a lot of the sites that show up should NOT be viewed on a Windows box. I use KNOS and so all the nasties that tried to download failed. Be careful!
I'll try to post more of what I've encountered if I must, but it would be more interesting to people here if others look over the evidence and offer their own little morsels for everyone to enjoy. These skiddies are interesting even if they're just skiddies. My question though is that since all of these players are well known and it appears quite clear that the players are known to law enforcement and they've been infiltrated for a while, WTF?