So, here’s a question: how much hacktivism should be tolerated?
This cropped up in a discussion with a friend regarding the arrest of the Anonymous members who had taken part in the LOIC attacks against organisations perceived to be against WikiLeaks, including Amazon and PayPal. In the “Real World”, people have a right to demonstrate, get out on a march and wave banners and all the rest, as well as peaceful sit-ins, flashmobs and other acts of disruption. Some members of our society would shudder at rubbing shoulders with thousands of people and would prefer to spend their time in front of a screen.
Are their views any less important that those more socially adept? And if not, what outlet do they have to express their views?
From an information security perspective, you have to assume that there are always people out to get you and, if you do a good job, it should affect you too much if people start targeting you. However, recent events have shown that Distributed Denial of Service attacks against organisations with very sophisticated infrastructures can be very disruptive.
Should the organisers or participants in online demonstrations be punished more severely than those taking part in equivalent physical demonstrations? How should companies react to them?
Like everyone else, I’ve been following the WikiLeaks story over the past few weeks, waiting for some juicy titbit to be revealed. I’ve also been wondering: whose fault is it?
This particular question seems to be at the heart of the frenzied arguments relating to Julian Assange: that he should be assassinated, hunted down like Osama Bin Laden, that he be tried for treason. But does the blame really lie with him?
WikiLeaks publishes content that it gets sent by third parties. In the case of the recent US diplomatic cables, these were apparently supplied by Private First Class Bradley E. Manning, who is currently awaiting trial.
This begs the question: how did a Private manage to get access to over a quarter of a million diplomatic cables, discussing issues as sensitive as various Middle Eastern countries’ attitudes towards Iran?
One of the most basic tenets of information security is that of compartmentalisation, i.e. the basis of “need to know”. It is incredible that any one person, at the level of a Private, could access all of this information.
I would suggest that Private Manning was naïve and broke the law if he did what he is accused of. It would be a gross misuse of trust. But it must be acknowledged that there are serious issues within the security framework of the US Government if this could happen at all.
Something that has intrigued me about the Anonymous attacks on those companies/organisations and countries that are perceived to be anti-Wikileaks: the fact that members of the public are voluntarily installing a botnet client and allowing Anonymous to control their machine and direct their resources at will. The tool is called Low Orbit Ion Cannon (LOIC) and is so popular it is now available for iPhone and iPad.
This post isn’t a comment on Wikileaks or on Anonymous but rather the fact that there is a big unknown risk in installing something like this on your own computer which could so easily be hijacked and redirected to another target, not Wikileaks-related or even be used as a backdoor to install something far worse.
On top of this, it needs to be pointed out that the act of knowingly participating in a Distributed Denial of Service attack is probably illegal in the UK and USA.