Phantom pie-throwers and keystroke cops

About 12 hours before some prankster shoved a pie in Rupert Murdoch’s face, some other pranksters (namely LulzSec, back in operation after their brief ‘retirement’) shoved a virtual pie in the face of his organisation. In the early hours of Tuesday morning, the group managed to successfully hack into News International’s systems and redirect readers of The Sun to a fake front-page story announcing the death of Rupert Murdoch (and later, to LulzSec’s Twitter feed). The hackers also cracked the company’s email system, releasing the login and password details of senior executives such as Rebekah Brooks, as well as tweeting out the mobile phone numbers of people allegedly connected to the phone hacking scandal and threatening to post the company’s hacked email archive in its entirety.

This threat may have been what prompted the Metropolitan Police’s decision to arrest a 16-year-old South London hacker late last night (who it says is ‘tflow’, a core member of LulzSec). However, given that the Met’s move coincided with FBI arrests in the US of 14 suspected members of the affiliated hacktivist group Anonymous (as well as a handful of arrests in the Netherlands), it looks more like a co-ordinated swoop that had been in the planning for some time. LulzSec claimed in a tweet this morning that they were “all still here”, although the post was subsequently deleted from the group's feed.

Yes, the crackdown was inevitable. Noisily disrupt the operations of corporates, Government and law enforcement agencies and you’re inviting a strong-arm response. But while what LulzSec and Anonymous do is most certainly illegal, I find the po-faced ‘lock ’em up’ attitude of some commentators slightly disingenuous. Are systems going to be any more secure because of these arrests? Of course not. Does that matter? Well, if we truly want to secure sensitive information from those with serious crime, espionage or terrorism in mind, I’d suggest it does. 

The message seems to be “as long as you compromise our systems and steal our data without bragging about it and making us look stupid, that’s okay”. One aim of the hacktivist attacks – even if not their main one – is certainly to embarrass organisations by exposing false claims that their systems and data are secure from intrusion, and their actions have undoubtedly advanced the cause of those questioning the effectiveness and robustness of organisations’ current approach to information security. As one US Anonymous member wrote in an interesting Pastebin post where a number of members outline their motives for joining the group: “I want better security for our Government. A handful of disparate hackers ravish information on our servers and you want to hunt them down? They are doing us a service!  How do we know if our defenses go untested?”

If we want to paint the so-called ‘hacktivists’ as being equally deserving of public opporobrium as, say, organised online crime gangs whose sole intent is the appropriation of information for financial gain, or foreign Government-sponsored hackers probing for classified information, or terrorists seeking to disrupt critical systems, then we are misunderstanding the nature of these groups’ protests. They think the whole system is skewed, screwed and downright corrupt. (Judging by recent events, in some cases they may have a point.) Their conception of liberty and freedom of information may seem extreme, one-sided and dangerously counter-cultural to some, but the awareness they have raised about organisations’ woeful security has been a nonetheless valuable by-product of their activities – both for the general public, and longer term probably for the organisations concerned (if it prompts, as it should, a more robust approach to infosecurity).

As Rik Ferguson of Trend Micro said when he spoke at this year’s Infosecurity Show in April, there is a parallel between the so-called hacktivists and the recent sit-in protest at Fortnum and Mason, which he said was essentially  “a denial of service attack carried out with people”. “Nobody is supposed to be put in jail for sit-in protests [...] but to my mind there’s very little difference so far in the activities carried out by the general public in the name of Anonymous. They’re protesting for a belief they feel strongly about and taking advantage of new technology to do so, which massively amplifies the attack.”

This , said Rik, raises some interesting questions about the nature of protest and the appropriate institutional response. “For example, is it right to deny people an avenue of protest because it is digital, when we don’t deny it if it’s physical?” he said. In some respects, of course, the question is academic. Throwing the book at a handful of hacktivists isn’t going to bring these kinds of digital protests to an end, particularly if the underlying security flaws that allow them to flourish in the first place remain largely unaddressed. If anything, creating martyrs for the cause is likely to spur others into even more frenetic online pie-throwing.

Comment on this blog