They seem to be someone who is clearly inexperienced and support "hacker ethos" and don't really know what they want. They started talking about "demanding" code under open source licenses and stuff like that....
I think they are just some young hackers that started punching above their weight, and something will happen to them sooner or later. But let's see
I find it hard to believe that someone who is "clearly inexperienced" has managed to do a lot of high-level hacks in a short amount of time; I mean if someone who is "clearly inexperienced" has the capacity to do all that, we are so fucked.
> I mean if someone who is "clearly inexperienced" has the capacity to do all that, we are so fucked.
I don’t know whether or not these folks are inexperienced, but it’s hard to overstate how truly bad software is, these days. Many software developers are inexperienced, and the entire industry is built like a house of cards.
The bar is very, very low, and over reliance on dependencies seems to be something that programmers actually boast about. Another point of pride seems to be deliberately ignoring experience and a careful approach (“Move fast and break things”).
But there’s certainly good money in being a security consultant. Lots of low-hanging fruit. That industry is growing like a weed.
These days? I remember in the late 90s, early 2000s, and it really felt like 1/3 or so of all websites were vulnerable to things like PHP injection and SQL injection. I remember having to bypass login pages to do benign things like changing my password.
Websites have always been bad. In fact, they are probably better, these days, than they used to be. Web designers have traditionally not really been engineers, as such, so we can't really expect engineering discipline from them.
Despite that, I feel like Web designers are a bit more disciplined, these days, than the days of yore. It may be because the industry has matured, and there's now a prevalence of knowledge on the matter (as well as a lot of tools and frameworks that are actually pretty good).
The actual software behind them, that said tools and frameworks connect to, on the other hand...
Considering the expansion rate of the developer market, chances are that rate has actually gone down. But so has the intelligence of attackers, for the same reason.
> has managed to do a lot of high-level hacks in a short amount of time
Correct me if I’m wrong but do their attacks actually involve significant skill?
Their offer of buying credentials/access from employees suggests their bank account might ultimately be bigger than their skills and they’re leveraging that approach.
Of course, the question is, where is that money coming from and whether anyone is bankrolling them, and if so, what their motives are.
> Of course, the question is, where is that money coming from and whether anyone is bankrolling them, and if so, what their motives are.
Wild speculation here, but if they are located in a country that is recently a lot less friendly with the west, maybe they decided that being overt isn't a real problem given what they are doing is de facto legal where they live. Being a Belarusian or Russian cybercriminal targeting the west is probably less risky now than ever before (and it wasn't especially problematic before.)
I was talking about their ability to bribe company insiders. You need to have money to begin with to be able to pay said bribes - where is it coming from, and why are they spending money to breach into companies for seemingly no major benefit?
Never underestimate how much time, energy, and a total lack of care for rules a university student has, whilst simultaneously looking for something to prove[1]
From what I understand (IANAL), the bar for what constitutes criminal activity with computers is very, very low. As in, arguably the recent post by Julia Evans on undocumented web APIs[1] is a tutorial on performing criminal acts.
Which is not a judgment on whether LAPSUS$ is doing genuinely bad stuff—I don’t know—only to say that, when computers are involved, “criminal” not only doesn’t make a good consensus point on avoiding a slippery slope into overall badness, it doesn’t even seem to make a good heuristic on whether something is bad or not.
Generally speaking hacking is unauthorized computer access.
More specifically hacking under US law is;
Californian law for example:
1. Knowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data or computer system to:
2. Execute a scheme to defraud or extort a victim.
3. Wrongfully control or obtain money, property or data.
4. Knowingly accesses and without permission takes, copies, or makes use of any data from a computer or takes or copies supporting documentation.
5. Knowingly introduces any contaminant or virus into any computer system.
6. Knowingly and without permission uses the Internet domain name or profile of another individual, corporation, or entity in connection with the sending of electronic messages that damage a computer system.
7. Knowingly and without permission disrupts or causes the denial of governmental computer services.
8. Knowingly and without permission disrupts or causes the denial of public safety infrastructure computer services.
US Federal Law:
Knowingly accessing a computer without authorization to obtain:
Financial information
Information from a governmental department or agency
Information from any protected computer with the intent to defraud
Knowingly causing the transmission of a program, information, or code from a protected computer
Knowingly accessing a protected computer and causing damage and loss to that computer
Leaking data isn't petty crime. I can believe a student with anti-corporate views could see what LAPSUS$ are doing as a good thing. Or just a student who is good at cracking and wants to show off, criminality be damned.
find a group of enthusiasts that are not quite there yet, such as an enclave of SKitties. give them superpowers, feed the hunger for recognition, silently run support operations, grease things up with cash so it feeds the illusion, in short troll them into thinking they are leet. let them be noticed, and create a fog of war.
step two
now that the show is on start actually infiltrating your hacks in position for a major attack. let your SKitties be the fall guys.
when its done cooking,it smells like state sponsored espionage.
They seem to be someone who is clearly inexperienced and support "hacker ethos" and don't really know what they want. They started talking about "demanding" code under open source licenses and stuff like that....
I think they are just some young hackers that started punching above their weight, and something will happen to them sooner or later. But let's see