We Don’t Need Cyber-Vigilante Justice

Friday, June 15, 2012

Andy Willingham


I spent the last couple of days with Josh Corman as he was in town for OWASP and a meeting with my team at work.

Tuesday night we went to dinner with a few others and naturally the conversation was dominated by security. One of the topics was groups such as Anonymous, LulzSec, and others.

We talked about some of the things they have done and whether some of it can be classified as “good” while some is most definitely bad. We talked about the damage they did to Aaron Barr and many others by posting PII, and about how there is a bit of fear in talking too much about them.

Fear that you, your family, or your company will become a target of their wrath.

I admit that in the past I have had to bite my tongue to keep from saying some things either here or on the podcast. Not that I had any breaking news that would lead to mass arrests or the outing of members.

It was just plain old anger at the audacity of some of the things they do in the name of the “greater good”. I saw an article on ThreatPost that finally put me over the edge. If you haven’t already read it, click on the link and take a quick look. I’ll wait right here.

Did you see that? Did you see what made me so mad? It wasn’t the release of the PII of all those innocent people, although it should have been. I guess I’m just numb to it now. It was their reason for doing it.

They did it because they reported a web site vulnerability and it wasn’t fixed, so they decided to post the PII of thousands of people on the internet. Now, obviously I don’t know all of the details around their conversations with the school system.

How long did they wait after they contacted them? What proof did they provide? Who did they talk to? What was the response from the school? I don’t know these things, but I do know that you don’t put 14,000+ people at risk of identity theft just because your request was ignored.

You weren’t hired by the school and you weren’t asked for your advice. You found an issue, you reported it, and your job was done. If you felt that more needed to be done, you could have handled it in many different ways. You could have gone up the ladder, even to the governing board. You could have created a presentation that shows the vulnerability, why it is a problem, how to fix it, why it is dangerous to others, etc, etc, etc.

If you had a need to demonstrate your “elite haxor skillz” you could have defaced their site, or sent them a copy of the database as proof that you are a master hacker. But no, you had to prove that not only are you a hacker (or at least can use Metasploit) but you are also an immature little brat.

Did you stop to think about the damage that could be done if even one of these people has their identity stolen? The long process of getting things fixed? The possibility that they may not be able to buy the house they were about to close on? What if they were interviewing for a job in the financial sector but didn’t get hired because they had thousands in debt that they didn’t know about? Maybe they had been out of work and this was their chance to get back into the workforce.

Let me ask you this: What would you do if it was you who had your life messed up like this? Especially with your “elite haxor skillz”? Would you sit idly by and do nothing?

Unfortunately that is the only real choice most people have. They suffer because someone else decided that they were going to be the “protector of right” and fight for the greater good.

Who put you in the role of deciding who wins and who loses? Did we elect you to fill this role? Did the people of Clarksville or even the staff and students of the school give you that authority?

I don’t think they did. And don’t come back with the argument of “others do it and they have no more right than I do.” Yes, you are right that lots of others in lots of different roles (CEO, CFO, VP, hacker, punk, police, etc) abuse the power they are given, but that doesn’t make it OK for you or anyone else to do it.

There may be a place for vigilante justice, but it is not because you felt a patch needed to be applied and it wasn’t. The school system isn’t the recipient of your punishment; it is the people whose info you released. Were they the ones you talked to who didn’t patch?

Maybe they took a vote and decided to ignore you. Yeah that’s probably it.

Cross Posted from AndyITGuy

Robin Jackson: What Anonymous is doing is not vigilantism, it is quite the opposite. They are not beneficent; their motivations are anarchist and hooliganism. And their skills are limited. They couldn't hack into the site, they simply harvested the data using an SQL injection on the web site.

Welcome to the anger that we've had since PayPal/Visa and Sony. Help combat them wherever and however you can!
Michael Johnson: Okay, the school system in Clarksville: WTF?

Perhaps the answer is SpexSec/LulzSec/Global resistance movement have no real hacking skill. Perhaps they just weren't skilled enough to target a high-profile agency, and instead settled for running a ready-made exploit against a nice easy target. Or perhaps they were cowards who like to target Joe Average while hiding behind Anonymous.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
