In a move clearly inspired by LulzSec, an Italian hacker recently uploaded a torrent containing personal information of thousands of Italian university students. This information was stolen from a slew of Italian university websites. According to the press release posted by Lulzstorm this was done “to tell every Italian student how little secure their personal data are”. I can think of better ways.
The spate of recent data thefts and subsequent publication, in the name of Anonymous, Lulz Sec, LulzStorm or the umbrella movement Anti-Sec has had a tangible impact on the safety and security of thousands of innocent internet users.
While there may be sympathy in some quarters for attacks on security contractors such as HB Gary and Infraguard or government websites in oppressive states; that sympathy rapidly evaporates when the result of publishing stolen material endangers the lives of serving police officers. Or when it compromises the privacy and safety of hundreds of thousands of innocent customers of online portals or gaming services.
The call to arms to the disparate hacker community that is represented by Operation AntiSec might read like something from a cyberpunk novel but in reality it is being used by far too many to lay a thin veneer of altruism over something entirely selfish. At least LulzSec had the decency to be honest in their manifesto, they were simply courting chaos.
The truth is that the majority of people now assembling under the Anti-Sec banner are doing this simply because they can. The convenience of having a “cause” somehow making it laudable. It is true that there are far too many poorly secured and configured web-sites out there.
It is also true that the customers of those websites deserve a higher degree of care than they currently receive. It is manifestly not true to say that the interests of those people are best served by pasting their personal data all over the internet.
In the ultimate irony, the original AntiSec manifesto from back in 2001 was all about the irresponsibility of full disclosure. That same manifesto was reposted when Imageshack was compromised 8 years later. The manifesto criticised the “security industry” for using full-disclosure to develop “scare tactics” to convince people into by security. Are you listening Operation AntiSec?
This is a call for responsible disclosure in the Anti-Sec community, find the flaws, publish your successes if you must, but have the decency to spare the innocent victims of your activities. Obscure personal data before you publish; otherwise you are considerably worse than those you are attempting to shame.