The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)
Center for Education and Research in Information Assurance and Security

Bullies, Pirates and Lulz

Saturday, June 25, 2011 by spaf
in General, Kudos, Opinions and Rants, Secure IT Practices
Share:

Yet another breach of information has occurred, this time from the Arizona Department of Public Safety. A large amount of data about law enforcement operations was exposed, as was a considerable amount of personnel information. As someone who has been working in information security and the implications of technology for nearly 30 years, two things come to mind.

First, if a largely uncoordinated group could penetrate the systems and expose all this information, then so could a much more focused, well-financed, and malevolent group — and it would not likely result in postings picked up by the media. Attacks by narcotics cartels, organized crime, terrorists and intelligence agencies are obvious threats; we can only assume that some have already succeeded but not been recognized or publicized. And, as others are noting, this poses a real threat to the physical safety of innocent people. Yes, in any large law enforcement organization there are likely to be some who are corrupt (the claimed reason behind the attack), but that is not reason to attack them all. Some of the people they are arrayed against are far worse.

For example, there are thousands (perhaps tens of thousands) of kidnappings in Mexico for ransom, with many of the hostages killed rather than freed after payment. Take away effective law enforcement in Arizona, and those gangs would expand into the U.S. where they could demand bigger ransoms. The hackers, sitting behind a keyboard removed from gang and street violence, safe from forcible rape, and with enough education to be able to avoid most fraud, find it easy to cherry-pick some excesses to complain about. But the majority of people in the world do not have the education or means to enjoy that level of privileged safety. Compared to police in many third-world countries where extortion and bribes are always required for any protection at all, U.S. law enforcement is pretty good. (As is the UK, which has also recently been attacked.)

Ask yourself what the real agenda is of a group that has so far only attacked law enforcement in some of the more moderate countries, companies without political or criminal agendas, and showing a total disregard for collateral damage. Ask why these "heroes" aren't seeking to expose some of the data and names of the worst drug cartels, or working to end human trafficking and systematic rape in war zones, or exposing the corruption in some African, South American & Asian governments, or seeking to damage the governments of truly despotic regimes (e.g., North Korea, Myanmar), or interfering with China's online attacks against the Dalai Lama, or leaking memos about willful environmental damage and fraud by some large companies, or seeking to destroy extremist groups (such as al Qaida) that oppress woman and minorities and are seeking weapons of mass destruction.

Have you seen one report yet about anything like the above? None of those actions would necessarily be legal, but any one of them would certainly be a better match for the claimed motives. Instead, it is obvious that  these individuals and groups are displaying a significant political and moral bias — or blindness — they are ignoring the worst human rights offenders and criminals on the planet. It seems they are after the ego-boosting publicity, and concerned only with themselves. The claims of exposing evil is intended to fool the naive.

In particular, this most recent act of exposing the names and addresses of family members of law enforcement, most of whom are undoubtedly honest people trying to make the world a safer place, is not a matter of "Lulz" — it is potentially enabling extortion, kidnapping, and murder. The worst criminals, to whom money is more important than human life, are always seeking an opportunity to neutralize the police. Attacking family members of law enforcement is common in many countries, including Mexico, and this kind of exposure further enables it now in Arizona. The data breach is attacking some of the very people and organizations trying to counter the worst criminal and moral abuses that may occur, and worse, their families.

Claiming that, for instance, that the "War on Drugs" created the cartels and is morally equivalent (e.g., response #13 in this) is specious. Laws passed by elected representatives in the U.S. did not cause criminals in Mexico to kidnap poor people, force them to fight to the death for the criminals' amusement, and then force the survivors to act as expendable drug mules. The moral choices by criminals are exactly that — moral choices. The choice to kidnap, rape, or kill someone who objects to your criminal behavior is a choice with clear moral dimensions. So are the choices of various hackers who expose data and deface systems.

When I was growing up, I was the chubby kid with glasses. I didn't do well in sports, and I didn't fit in with the groups that were the "cool kids." I wasn't into drinking myself into a stupor, or taking drugs, or the random vandalism that seemed to be the pasttimes of those very same "cool kids." Instead, I was one of the ones who got harassed, threatened, my homework stolen, and laughed at. The ones who did it claimed that it was all in fun — this being long before the word "lulz" was invented. But it was clear they were being bullies, and they enjoyed being bullies. It didn't matter if anyone got hurt, it was purely for their selfish enjoyment. Most were cowards, too, because they would not do anything that might endanger them, and when they could, they did things anonymously. The only ones who thought it was funny were the other dysfunctional jerks. Does that sound familiar?

Twenty years ago, I was objecting to the press holding up virus authors as unappreciated geniuses. They were portrayed as heroes, performing experiments and striking blows against the evil computer companies then prominent in the field. Many in the public and press (and even in the computing industry) had a sort of romantic view of them — as modern, swashbuckling, electronic pirates, of the sorts seen in movies. Now we can see the billions of dollars in damage wrought by those "geniuses" and their successors with Zeus and Conficker and the rest. The only difference is of time and degree — the underlying damage and amoral concern for others is simply visible to more people now. (And, by the way, the pirates off Somalia and in the Caribbean, some of whom simply kill their victims to steal their property, are real pirates, not the fictional, romantic versions in film.)

The next time you see a news article about some group, by whatever name, exposing data from a gaming company or law enforcement agency, think about the real evil left untouched. Think about who might actually be hurt or suffer loss. Think about the perpetrators hiding their identities, attacking the poorly defended, and bragging about how wonderful and noble and clever they are. Then ask if you are someone cheering on the bully or concerned about who is really getting hurt. And ask how others, including the press, are reporting it. All are choices with moral components. What are yours?

Update: June 26

I have received several feedback comments to this (along with the hundreds of spam responses). Several were by people using anonymous addresses. We don't publish comments made anonymously or containing links to commercial sites. For this post, I am probably not going to pass through any rants, at least based on what I have seen. Furthermore, I don't have the time (or patience) to do a point-by-point commentary on the same things, again and again. However, I will make a few short comments on what I have received so far.

Several responses appear to be based on the assumption that I don't have knowledge or background to back up some of my statements. I'm not going to rebut those with a list of specifics. However, people who know what I've been doing over the few decades (or bothered to do a little research) — including work with companies, law enforcement, community groups, and government agencies — would hardly accuse me of being an observer with only an academic perspective.

A second common rant is that the government has done some bad things, or the police have done something corrupt, or corporations are greedy, and those facts somehow justify the behavior I described. Does the fact that a bully was knocked around by someone else and thus became a bully mean that if you are the victim, it's okay? If so, then the fact that the U.S. and U.K. have had terrorist attacks that have resulted in overly intrusive laws should make it all okay for you. After all, they had bad things happen to them, so their bad behavior is justified, correct? Wrong. That you became an abuser of others because you were harmed does not make it right. Furthermore, attacks such as the ones I discussed do nothing to fix those problems, but do have the potential to harm innocent parties as well as give ammunition to those who would pass greater restrictions on freedom. Based on statistics (for the US), a significant number of the people whining about government excess have not voted or bothered to make their opinions known to their elected representatives. The more people remain uninvolved, the more it looks like the population doesn't care or approves of those excesses, including sweetheart deals for corporations and invasions of privacy. Change is possible, but it is not going to occur by posting account details of people subscribed to Sony services, or giving out addresses and names of families of law enforcement officers, or defacing the NPR website. One deals with bullies by confronting them directly.

The third most common rant so far is to claim that it doesn't make any difference, for one reason or another: all the personal information is already out there on the net or will be soon, that the government (or government of another country) or criminals have already captured all that information, that it doesn't cost anything, security is illusory, et al. Again, this misses the point. Being a bully or vandal because you think it won't make any difference doesn't excuse the behavior. Because you believe that the effects of your behavior will happen anyhow is no reason to hasten those effects. If you believe otherwise, then consider: you are going to die someday, so it doesn't make a difference if you kill yourself, so you might as well do it now. Still there? Then I guess you agree that each act has implications that matter even if the end state is inevitable.

Fourth, some people claim that these attacks are a "favor" to the victims by showing them their vulnerabilities, or that the victims somehow deserved this because their defenses were weak. I addressed these claims in an article published in 2003. In short, blaming the victim is inappropriate. Yes, some may deserve some criticism for not having better defenses, but that does not justify an attack nor serve as a defense for the attackers. It is no favor either. If you are walking down a street at night and are assaulted by thugs who beat you with 2x4s and steal your money, you aren't likely to lie bleeding in the street saying to yourself "Gee, they did me a huge favor by showing I wasn't protected against a brutal assault. I guess I deserved that." Blaming the victim is done by the predators and their supporters to try to justify their behavior. And an intrusion or breach, committed without invitation or consent, is not a favor — it is a crime.

Fifth, if you support anarchy, then that is part of your moral choices. It does not invalidate what I wrote. I believe that doing things simply because they amuse you is a very selfish form of choice, and is the sort of reasoning many murderers, rapists, pedophiles and arsonists use to justify their actions. In an anarchy, they'd be able to indulge to their hearts content. Lotsa lulz. But don't complain if I and others don't share that view.

I am going to leave it here. As I said, I'm not interested in spending the next few weeks arguing on-line with people who are trying to justify behavior as bullies and vandals based on faulty assumptions.

Tags for this post: attacks, breach law enforcement, bully, cybercrime, cyber crime, cyber policy, cybersecurity, cyber security, cyber security policy, cybersecurity policy, history, law, lulz, malware, pirate, privacy, security-practices, security failures, terrorism, vulnerabilities

Leave a comment (8 so far) »

Comments

Posted by Anon
on Sunday, June 26, 2011 at 02:31 AM

“First, if a largely uncoordinated group could penetrate the systems and expose all this information, then so could a much more focused, well-financed, and malevolent group — and it would not likely result in postings picked up by the media. “

This^^

Anyone that seriously wanted to harm AZ law enforcement or ANY police dept. could because they are PUBLIC officials and their info is already PUBLIC. Secondly these infamous drug cartels in all probability have already compromised the Dept. It seems to have taken a small cell of people very few resources to do it while these cartels have millions to flush down the toilet.

Have you thought about the net gain of this? America and Britain are ready in an undeclared cyberwar with China.  If China or another entity were to perform a really aggressive attack on the US right now do you think we could handle it? Maybe Lulzsec and Antisec will force the gov’t to get its together to defend our country from a foreign gov’t supported cyberattack.

Think about who may be hurt? Think about who HAS BEEN hurt because they put their faith in gov’t and corporate claims that their online information is safe and how many more MAY HAVE BEEN hurt if no one kicked these entities in the teeth to do their jobs. PSN, PayPal, XBL, etc. accounts have been getting compromised since day one. Was there already a database of users info out there already being bought and sold on the blackmarket before Lulzsec? Probably.

You say Lulzsec are bullies. Bullying who? A government that we pay an insane amount of taxes to protect us. Corporations/Monopolies that throw vast sums of money at the media gov’t officials to control us?

Bully:
1. A person who is habitually cruel or overbearing, especially to smaller or weaker people.

And in Lulzsec/Anon vs. Gov’t/Corp. you’re calling Lulzsec the bullies?!

I’m calling BS.

=======
You are entitled to your opinion.  However, as someone who has seen both sides of this for years, I can tell you that the attacks are not doing anything to “fix” security.  Instead, it will lead to greater abuses by governments.
—spaf

Posted by anon
on Sunday, June 26, 2011 at 02:46 AM

Oh and Operation #antisec has gone global. Get on twitter.  Hackers from all over the globe including Malaysia, Libya, Brazil, Syria, India, Iran, Israel, Africa, China etc have joined the fight. Why aren’t you reading reports on that? Because the mainstream media has an agenda on what it reports.

And America is moderate? Our last three OFFICIAL wars have been based on lies.  Politicians are bought and owned by corporate interests. Forget voter fraud, vote manipulation legislation is being pushed through.  The gov’t has been exposed at trying to spy on normal citizens multiple times, most recently Coin/Romas. The police can be videotaped beating you black and blue and shoot you while you are innocent without losing their jobs. LOL@The Supreme Court being fair and balanced.

Does that sound moderate to you?

==========================

It’s a lot more moderate than Myanmar or Iraq or North Korea.
—spaf

Posted by Aragorn, son of Arathorn
on Sunday, June 26, 2011 at 07:56 AM

I don’t think it’s news to anyone that our “private” information is probably public to people with enough money.  I don’t see why that “poses a real threat to the physical safety of innocent people”, especially since this has been the status quo for at least a decade.  China knows who I am, what I post, where I work, and who my family is; so does the US.  Nothing’s changed.

But you say that when you attack The Law, you cross a line, because “some of the people [The Law] are arrayed against are far worse”.  Let’s assume that you’re right.  So what?  If Team A are worse than Team B, should I not call out Team B until I sort out Team A?  Is there some hierarchy-of-evil that all moral people need to adhere to?  Is Team B immune to criticism because of the existence of Team A?  The obvious answer (to me) is “no”, and it seems that the obvious answer (to you) is “yes”.  You use the same logic to say “Don’t attack corporations! ... because THESE GUYS are worse”.  And then “Don’t attack Government X! ... Government Y is worse”.  In fact, your entire post reveals that you’re upset because you think they’re attacking the wrong targets.  If they were attacking the people you’d like them to attack, you’d cheer them on.

However: they’re attacking innocents, right?  “law enforcement” in “moderate countries”, “companies without political or criminal agendas”.  Here’s the thing, though: everyone’s conception of “what’s evil” isn’t your conception of “what’s evil”.  If there’s anything that will help you to understand LulzSec, it’s that.  If you think “The claims of exposing evil is intended to fool the naive”, then I rather think the naive person is you.

Your flawed arguments aren’t what I particularly wanted to talk about, though.  It’s your flawed facts and wild speculations that are galling.  For instance, if you “take away effective law enforcement in Arizona, those gangs would expand into the U.S. where they could demand bigger ransoms”.  You’d have to be telepathic to know this, for a start.  But let’s say that you’re right, just for kicks.  Now, will this data breach bring about the downfall of the entire Arizona Department of Public Safety?  No, it won’t.  So why even bring up a hypothetical situation that has zero chance of occurring?

Then there’s the claim that “U.S. law enforcement is pretty good”, along with the UK.  You know, the law enforcement that enforces things like Free Speech Zones, and wiretaps citizens, and ensures that racial profiling stays alive and well in the US.  Then there’s the UK, where Metropolitan Police recently dragged a disabled man out of his wheelchair beat him for protesting ... and were declared innocent of any wrong-doing.  Sterling stuff.

Then there’s the idea that LulzSec should start fighting the War on Drugs that they don’t agree with.  You may have dropped the plot on that one.  And they should get up out of their chairs and stop human trafficking and systematic rape in war zones and Fight The Chinese and Become Greenpeace and Stop Global Jihad and ... I’m surprised you’re not asking them to take up the US presidency, frankly, since you seem to think of them as astonishingly competent people.  I have to ask: why aren’t you doing the same thing?  What’s that?  Because you feel that you can do better as a keyboard warrior?  But I guess the same argument doesn’t apply to them, does it?

As for this whole law-enforcement data breach: what, you think criminals (who you consider to be more organized than LulzSec) can’t track a guy from the moment he leaves the station to the moment he enters his house?  Of course they can.  This information just makes it easier to find that guy’s house.  If a cartel wanted to (and, going by your own link entitled “fight to the death”, it’s the last think a cartel WOULD want to do) they could do it any time.  In other words: more wild speculation.

It’s clear that you don’t understand the lulz.  LulzSec come from the same traditions that gave us BOFH, Slashdot, 4chan, and The Pirate Party.  If anything, their choice of targets reflects their diversity.  Some are undoubtedly “bullies”, but to pretend that that’s all that is going on is short-sighted.  It is a convenient label, though, isn’t it?

Here’s something for you to think about, while you’re pontificating about the “real evil left untouched”.  Right now, governments (including the US & UK) are enforcing laws that are manifestly unjust.  They’re doing whatever they want to do (have you heard of Bradley Manning?  And Libya?).  Corporations feel that they can do as they’d like too, and who cares what their customers think?  These things affect actual people, who are hurt and suffer loss.  But they get away with it, don’t they?  And now a group is exposing their data ... and getting away with it.  Why?  For the lulz.

================
Oh, I do understand the lulz.  I simply don’t provide excuses for the antisocial behavior by pointing out other abuses.  The protesters in Tunisia, Egypt, and Syria are fighting government excess, and it is hardly for the lulz.  And if people actually got together and applied their will and voices in the US and UK, some of those laws that are unjust would not stand.  But taking potshots at the agencies involved is only going to cause tighter enforcement.  Which do you think is more likely to get the Patriot Act repealed and which will cause it to be expanded — a public stance by a million people against it, writing to their Congressmen and blogging about it, or a bunch of anonymous vandals breaking into government websites?
—spaf

Posted by Rdar
on Sunday, June 26, 2011 at 09:32 AM

What the hell is ‘forcible rape’? Fix the post. The concept that there is *another* kind of rape is totally false.

===============
There are other kinds of rape that do not involve force: statutory rape, coercive rape, and rape of someone incapacitated by drugs, alcohol, etc.  Generally, sex with someone who is not legally able to give consent is considered rape, so there are a few other situations here too.

Rape is criminal and abhorrent.  However, it is not always committed with force.
—spaf

Posted by Sam Bowne
on Sunday, June 26, 2011 at 01:50 PM

Excellent thinking, clearly stated!  I appreciate you standing up to these criminals and revealing them for what they are.

Posted by Jason
on Sunday, June 26, 2011 at 07:39 PM

It’s sure nice to be a well-known, widely-respected security professional.  And one with a large institution behind him.  If you were to discover, without being asked, a security flaw in an intelligence or law enforcement agency’s systems, you would *probably* be treated with respect.  (50-50 whether that would be respectful dialogue or respectful denial and stonewalling.)

I wouldn’t expect that treatment.  I would expect my door to be knocked down, without warning, by heavily armed agents with search and arrest warrants.  I would expect all my data and electronic possessions to be confiscated, never to be returned. I would expect to be treated with extreme hostility.  I would expect to be held under unaffordably high bail.  I would expect to lose my job, and have difficulty finding a new one.  I would expect my family and friends to be harassed, and questioned about my (nonexistant) connections to criminals and terrorists.

Although I wouldn’t be surprised if that happened to you too.

US intelligence and law enforcement agencies have a long, well-documented history of hostility towards the public they claim to protect.  We aren’t allowed to question their motives or their methods.  When we do so, we are presumed hostile to them.

Gene, I wouldn’t give a federal agent *the time of day* if he asked me for it, without consulting a lawyer.  Should 18 USC 1001 apply?  It probably shouldn’t, but the risk just isn’t worth it.

LulzSec might be just a bunch of technically gifted pricks.  But their approach is the only way to guarantee our agencies will pay attention to the security of their systems.  You and many others been at them, politely, for years.  We now see that isn’t working so well.

===========
There are methods of responsibly reporting flaws.  Many people use them and do not get harassed by the police.  The issue is how you find those flaws — if it is by poking around, actually looking for them, then that is likely to cause a problem.  —spaf

Posted by Admin
on Tuesday, June 28, 2011 at 02:30 AM

One of the more interesting reads in a while. Doing things for amusement or because they amuse you is pure selfishness - i totally agree! Good work.

Posted by Kooberfacer
on Thursday, July 7, 2011 at 04:21 PM

Hi there!

I found this blog via Krebs.Anyways id like to point out this section-

“Ask yourself what the real agenda is of a group that has so far only attacked law enforcement in some of the more moderate countries, companies without political or criminal agendas, and showing a total disregard for collateral damage. Ask why these “heroes” aren’t seeking to expose some of the data and names of the worst drug cartels, or working to end human trafficking and systematic rape in war zones, or exposing the corruption in some African, South American & Asian governments, or seeking to damage the governments of truly despotic regimes (e.g., North Korea, Myanmar), or interfering with China’s online attacks against the Dalai Lama, or leaking memos about willful environmental damage and fraud by some large companies, or seeking to destroy extremist groups (such as al Qaida) that oppress woman and minorities and are seeking weapons of mass destruction.”

This is what any citizen on this world should be questioning.Ive been patient and waited for these ahem ,hacktivists, to truly attack those that are way worse than the federal reserve and nada, ziltch.

So until they actually do some REAL good in the world,id keep an eye on them.

Leave a comment

Commenting is not available in this section entry.

Previous entry »

« Next entry