Early reports on the LulzSec attacks are interesting, if not surprising. A continuous thread through the media coverage, if you are looking for the root-cause analysis, is poor computing practices at the victim companies. Now, to be fair, this is the same kind of logic that says: what were you expecting, carrying a wad of cash, if you got mugged? "Who do you think you are, carrying money around? You'll get mugged" isn't much of a statement about security. Is it harmful to give LulzSec too much credence? If you accept the principle of victimizing people because you have the power to do so, you're likely not reading this. Over the weekend LulzSec appears to have hacked Bethesda and not published the customer data, but once again this doesn't pass the window test.
The window test of ethics is an analogy to the criminological theory of "broken windows", which I use to examine the hacking-for-security argument. It assumes that anybody walking down the street has the power and ability to pick up a rock and throw it through a window. Only a certain percentage of people will actually pick up the proverbial rock and throw it, creating damage. If the broken windows aren't repaired, more windows get broken, and the neighborhood slides into dystopia.
In our case the hacker group may assume that they are creating value with their havoc (breaking windows) by drawing attention to the issues of information security. In a similar thread they are taking a near-Keynesian view of the parable of the broken window: they have justified to themselves that they are benefactors by creating security incidents. This argument is of limited use, as the polarized view rapidly comes into focus. On the one hand, each human exists through the death and destruction of plants and animals, and we call it nutrition. On the other hand, victimizing anybody because you have the power to is nothing less than unmitigated evil. The conundrum between these points is the Robin Hood mythos.
You can take a few things away from the first part of the argument.
1. Hacking is trivial. Cross-site scripting, SQL injection, and other forms of penetration into networks are fairly easy with the significant number of tool suites available.
2. There is an undeniable benefit to identifying non-trivial forms of system penetration, but like fart humor, trivial hacking is at best juvenile.
3. The creators and modifiers of tool suites for testing systems security can't be over-appreciated. The elegance of a tool that does something totally unexpected by doing something exactly as designed is purity.
We are starting to see Anonymous and LulzSec expand from hacktivism over Wikileaks (and other issues) toward a more advanced criminal enterprise. As with the tweaking of Senate.gov and their rejoinder on cyberwar, what good does it serve? I'm left wondering what sin Bethesda or the people against Wikileaks have actually committed against the hacktivists, and whether the irony of their methods is even contemplated. Consider that it could be argued a distributed denial of service is a form of repression, and that as a tool it can only be considered an offensive weapon. A DDoS shuts down all dialog and closes off the ability to have a discussion, no less than Syria or Yemen turning off the Internet for their populations. Is it ever right to victimize people? Do Anonymous and LulzSec have the maturity to even recognize the damage they've done?
If anything, some of the arguments about computer and information security are specious. First, the argument about passwords is about as silly as possible. Maybe a long time ago, when I didn't have a job, didn't have TWO mortgages, and didn't have to worry about feeding myself, I could survive with a dozen or so passwords. Consider that I have accounts on around fifty or sixty different websites that all have password construction requirements (capital, number, symbol, not a dictionary word, at least 8 characters long). That is before I get to work, where the requirements are even more varied and a minimum of 16 characters. I don't have any choice about using the web. If I want banking, car loans, to buy a pizza for gosh sakes, or to manage the healthcare for me and my children, I'm going to be doing it on the web. When and if my myriad passwords are exposed (different ones for every system) I'm screwed. I don't even know for sure all the systems I would have to change them on. Exposing the customer data of grandma and grandpa is like cursing them out. They are not going to understand how that is helping keep their electronic data safe.
Last year my undergraduates at my former job ran John the Ripper against 400K+ DOD-spec passwords and were able to break them rapidly. Using a 500+ node computing cluster at Purdue Calumet, the final approximation of the time required was about five hours, and perhaps less if rainbow tables were used (precomputation of the tables wasn't tested). Passwords simply aren't any more of a security feature than padlocks are: they keep honest people honest and increase the work factor enough to keep out petty criminals. With SQL injection as a low barrier to entry, the inspired hacktivist will go around the passwords at will. With over 40K current entries in the CVE database, the chance that any computing system is going to be completely secured is near zero. Add to that the complexity introduced as you apply traditional defense-in-depth strategies, and the attack surface grows exponentially while the work factor increases only linearly.
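The work-factor point above is easier to see in code than in the padlock metaphor. The following is an added example, not the John the Ripper run the post describes nor any data from it: a constructed wordlist and a constructed "leaked" credential dump, hashed two ways. The unsalted fast hash lets the attacker precompute a lookup table once (the idea behind rainbow tables) and crack every dump of that scheme by lookup, with no hashing at attack time; the salted, iterated PBKDF2 version forces a fresh derivation per guess per user, so the defender sets the attacker's cost with the iteration count. Usernames, passwords and the iteration count are assumptions for the demonstration.

```python
import hashlib
import os

# Constructed wordlist standing in for a cracking dictionary; not data from the page.
WORDLIST = ["123456", "password", "letmein", "Password1!", "Summer2011", "correct horse"]


def fast_hash(password):
    # Unsalted SHA-1: the same password gives the same digest for every user
    # on every site, so the digest can be computed before any dump exists.
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(words):
    # The precomputation a rainbow/lookup table amortises over all future dumps:
    # hash the dictionary once, then cracking is a dictionary lookup.
    return {fast_hash(w): w for w in words}


def crack_unsalted(dump, table):
    # dump: {user: hexdigest}. Zero hashing at attack time.
    return {user: table[h] for user, h in dump.items() if h in table}


def slow_hash(password, salt, iterations):
    # Salted, iterated PBKDF2-HMAC-SHA256. The per-user salt makes any table
    # useless; the iteration count sets the cost of every single guess.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def crack_salted(dump, words, iterations):
    # dump: {user: (salt, hexdigest)}. Every guess is re-derived per user.
    found, derivations = {}, 0
    for user, (salt, digest) in dump.items():
        for w in words:
            derivations += 1
            if slow_hash(w, salt, iterations) == digest:
                found[user] = w
                break
    return found, derivations


def demo(iterations=20_000):
    # Constructed credentials: two users share a wordlist password, the third
    # uses one outside the wordlist and survives both attacks.
    creds = {"grandma": "Password1!", "grandpa": "Password1!", "admin": "7rKq#vL2pz"}
    unsalted_dump = {u: fast_hash(p) for u, p in creds.items()}
    salted_dump = {}
    for u, p in creds.items():
        salt = os.urandom(16)
        salted_dump[u] = (salt, slow_hash(p, salt, iterations))
    table = build_lookup_table(WORDLIST)
    return {
        "cracked_unsalted": crack_unsalted(unsalted_dump, table),
        # identical digests also reveal, before any cracking, who shares a password
        "shared_visible_unsalted": unsalted_dump["grandma"] == unsalted_dump["grandpa"],
        "shared_visible_salted": salted_dump["grandma"][1] == salted_dump["grandpa"][1],
        "cracked_salted": crack_salted(salted_dump, WORDLIST, iterations),
        # a table built for the unsalted scheme matches nothing in the salted dump
        "table_hits_salted": sum(1 for _, d in salted_dump.values() if d in table),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24s} -> {result}")
```

Both schemes lose the same two accounts to the same wordlist, which is the post's point that the password itself is only a padlock. The difference is where the cost lands: against the unsalted dump the cluster's five hours is a one-off investment that is reused against every later dump, while against the salted one each guess against each user costs a full derivation, and doubling the iteration count doubles the attacker's bill without asking grandma to remember anything new. John the Ripper does this in optimized native code far faster than this Python; the structure of the two attacks is what the block shows.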
Some takeaways from the second part of the argument:
1. Is it ethical to abuse people simply because you have the power to do so? On the Glenn Beck side of the scale you have Nazi Tourette's and fascism, and on the High School Musical side of the scale you have your classic sports-motif bully.
2. There is an inherent problem with the argument of bringing security issues to light when the people being victimized are simply not able to understand those issues. I'm not sure how you balance mega-corporation ignorance against an uneducated user base.
3. Passwords themselves are fundamentally untrustworthy and untenable as a security solution.
Finally, poor security practices don't necessarily indicate poor security understanding. Any organization, whether LulzSec or the National Signals Agency, is comprised of individuals, just as information technology environments are comprised of a variety of equipment, software, and procedural solutions. You operate at the security posture of the weakest link. This unfortunately is true for the average consumer of information technology services too. You can have a great understanding of security, and still that one moment of inattention because you were up until 3AM with a sick kid, or that error in a website written by the crappy PHP programmer who is pissed off at the company they work for, can have similarly debilitating effects.
You simply can't throw unlimited resources at any solution, and at some point you have to expect social restraint to protect information assets. There simply is no perfect security. This is no different from the analogy of the determined burglar. Nobody can afford to protect their home, bank, or business from a highly sophisticated adversary for very long at the physical level of security. That is why we have police who come take the report and insurance to cover the loss. What is occurring now with hacktivism is that the break-ins and losses are happening, but the consumers have no insurance (you can't buy it even if you want to, which says something) and the police have no clue, or no resources to do something if they do. The fact is the information sphere doesn't operate a whole lot differently from the physical realm. And no, it isn't a perfect analogy.
It's Monday, I need more coffee.
This does not seem to be a shift in internet culture, however. There is no mercy on the net. This might be new to the infosec realm but it's not new to the net. I would be honestly surprised if this sort of stance was not how Anon and LulzSec already were.
On a different note… you said that people were reposting your writings in whole on other pages. If I did want to repost some of what you had written as a teaser and then provide a link to your page to read the rest, how much would you consider a fair teaser? Also, it would be an obvious link and I would not claim that I wrote it or anything. I just have some folks that I like to send articles to, and cyber war is my current focus.
Likely true, Ryan. I'm from the ancient days of the Internet, when men were men and Baudot was the code of the web. The piece has a "get off my subnet" feel to it, but I still hope it gets across a few points on the topic.
As to the reposting, I don't have any issue. Much like Creative Commons, using partial content or posting with attribution is absolutely fine. I want people to feel free to read and share, but I don't want to be accused of plagiarism when I wrote it originally.
Under the Terms of Use agreement there is a limited copyright agreement, but if you read the whole thing you’ll get the idea pretty quick 🙂
Thanks (reposting)
I don't know where all of the hackers hang out, but I assume that many of them get their feet wet trying to be cool on pages like 4chan and Something Awful. Actually, I am fairly sure Anon comes from 4chan. Anyhow, from my time on those sites and being around some of those people I can tell you, it's all about the tears. Who can make the next guy cry more, and survival of the fittest (although I am sure other terms besides fit would work better there).
I do agree with you, however: just because someone can break in doesn't mean they should. Although I can sort of understand both sides on this. If I leave my front door open on my house and leave for the weekend, and I come back and all of my stuff was stolen, I am just as much to blame as the punks that took it. However, with LulzSec it's more like a cheap lock on a door and they are going up and down the block checking everyone's house.
In the end I honestly think all of this will result in better security across the net. Not by everyone using different passwords for every place they visit (which I agree is not an easy thing to do) but by some new technology that emerges from the increased pressure from groups like LulzSec and Anon. It's going to be pretty painful and expensive, but if groups like this keep up a near-constant assault on sites like they have been for a month or more now, then something will have to evolve to meet the challenge.
My only fear is that laws will change that strip freedoms instead of technology evolving.
Remember the rules, we don’t talk about 4chan 🙂
Two technologies are on the horizon that will accomplish more security and reduce freedom and anonymity (the security service specifically). CAC/PIV is a method of achieving 100% attribution, but doesn't do anything for actual security. It is part of HSPD-12 and can be tied back to REAL ID. Access to the net could be restricted. Though we think of this whole big shebang as the wild wild west, if the telcos implemented the CAC/PIV system to access it… we'd be in some Gibsonian dystopia.
The second technology is a layered internet approach. Not Internet2, but something like a trusted net, which I think they've tried to implement in Japan.