Hacktivism, the hacking of information systems to advance a social or political agenda, was clearly a major trend in 2011, which is why hacktivism was noted several times in our cyberthreat predictions for 2012 (in other words, we think you’re going to see more of it). That prediction was underlined by the news on Christmas Day that Anonymous had hacked Stratfor Global Intelligence, a think tank in Austin, Texas.
You are likely to see more than one post on this blog about that incident and its lingering aftermath, the phased release of data obtained by the hackers. So far, according to independent analysis performed by identity theft prevention service Identity Finder and published by VentureBeat, some 9,651 active credit cards, 47,680 unique e-mail addresses, 25,680 unique phone numbers and 44,188 encrypted passwords were hacked from the A through M name list published by Anonymous (we may see the N through Z portion of the list exposed in the next few days).
What strikes me about this incident is the spotlight it shines on questions as old as hacking itself, most notably: Do the ends justify the means? I engaged in a lively discussion of this and related questions with a large congregation of hackers at DefCon III, held at the old Tropicana in Las Vegas, in 1995. The session, which The Dark Tangent invited me to present, was titled “Why Hacking Sucks” but it quickly morphed into a consideration of “When does hacking suck?” Unlike sessions at more recent and more expensive information security conferences, this one was recorded in high quality audio and made available free on iTunes (obviously some time after iTunes was invented, and yes, it is weird to hear yourself speaking 16 years ago).
What I took away from that session, and the whole DefCon III experience, was that most hackers are not “amoral, sociopathic scum.” That phrase was erroneously attributed to a friend and colleague, Mich Kabay, because what he actually said, to the best of my recollection, was: “criminal hackers are amoral, sociopathic scum.” But even with that “criminal” qualification I would argue with the term “amoral” and suggest, perhaps, “differently moralled.”
Indeed, there was a lot of righteous indignation in hacking circles circa 1995. People who thought of themselves as hackers bent on improving technology by exposing flawed implementations had watched in mounting frustration as the media began demonizing “hacking” without any real understanding of what it was. I know because a journalist writing for a well-known magazine called me that summer looking for cases of “hackers causing bloodshed.” He got quite testy when I could offer no examples and he ended the call when I suggested he write about the technical failure of the London Ambulance Service Computer-Aided Despatch system in 1992, to which dozens of avoidable deaths had been attributed. My advice to hackers at DefCon III was to better articulate their moral perspective and be sure they were clear about any equations involving righteous ends and illegal means.
Some 16 years later it seems clear that, if you’re going to break the law to break into a computer system, you should have clear and well-articulated reasons for doing so. After all, illegal acts of this nature carry risks for you and, potentially, unhappy consequences for thousands of innocent people. While most reports of the Stratfor incident have focused on the company’s big-name corporate clients, the company had a lot of paying customers who were private citizens entirely lacking in nefarious agendas.
Many of us may feel compelled to call out those with whom we disagree and we may choose to break laws which we feel are deeply unjust. The peaceful exercise of civil disobedience has a proven ability to overthrow cruel oppression and strike down illegitimate regimes. So perhaps the question today is: How far can you extrapolate the principles that inform civil disobedience before you risk losing the support of those you seek to liberate or empower? That, and Why would you not encrypt your customers’ credit card numbers?
Security Expert for ESET