The hacking collective LulzSec has announced that it will not release News International emails, which the group says it acquired by hacking the website of “The Sun” earlier this week. Instead, LulzSec said it will work with selected media outlets on the emails, a tactic similar to WikiLeaks’ partnership with the press. The hacker collective Anonymous also announced today that it has broken into NATO computer servers, and published two documents, purportedly from the military alliance. Yesterday, I spoke to Sam Bowne, a hacking expert who teaches ethical hacking at City College San Francisco, about the tactics used by groups such as Anonymous and LulzSec.
RFE/RL: Do you think that groups like Anonymous or LulzSec are hacking with ethics in mind?
Sam Bowne: The “hacking” word doesn’t get me in as much trouble as the “ethical” term, exactly for that reason. Anonymous, for example, claims that what they’re doing is ethical because they see themselves as political protesters furthering some sort of high-minded agenda. LulzSec made it very clear that they have no ethics at all and they would even tell anybody that asked them for ethical concerns “forget about us and go talk to Anonymous.” But then, they seem to have attempted to make their stuff seem more politically important with hacking Murdoch and stuff. But that’s not what I mean by ethics at all. I have a much simpler idea. What we do here is legal. This is business ethics, professional ethics, where you obey the law and you don’t lie to people about what you can do, you don’t sell them defective products. That’s what I mean. Very simple, professional ethics, not the sort of metaphysical ethics where they’re “making the world better,” even if they’re breaking the law. And that’s why these “hacktivists” feel like their cause is so important it’s OK to break the law. To further their cause.
RFE/RL: I realize it’s hugely debatable what’s in the public interest, what’s not in the public interest, and hacking is illegal, but do you think there are cases where if something was in the public interest, it would be morally or ethically acceptable to break the law in order to expose that information and make it public?
Bowne: Well, there are certainly cases of whistleblowers, and there are even laws to cover that in America anyway, and I think elsewhere, where if you’re, for example, working for a company and you discover they’re doing something horrible like killing people at your company, you are allowed to violate the confidentiality rules of your company to tell the police about that. And there are also cases in which you’re allowed to break the law for an emergency like you’re allowed to drive fast if someone is really dying in the back seat and you’re going to the hospital and such. So I certainly understand cases like that.
LulzSec, I think, is utterly irresponsible and there’s no excuse at all for what they’re doing. I mean, they’re just dumping entire password databases of the U.S. military on the web which is insane. It doesn’t help anybody. And Anonymous, you know. Some of the overseas people, like in Egypt, say Anonymous is really helping them in a revolt against the government. I don’t know enough about what happens in Egypt to judge that. Their actions in America I have no sympathy for because they seem to just senselessly hate all authority figures and they seem to just be taking a bunch of clueless teenagers, lying to them, and turning them into criminals. So I don’t think much of that.
RFE/RL: Do you see moral or ethical differences between what the “News of the World” has done, for instance hacking into individual’s phones, or by LulzSec hacking into “The Sun.” Is there a moral equivalency here or are these different cases?
Bowne: Well, I mean, they’re both wrong. They’re both illegal. I think they’re both going to get caught and punished. So, I’m just thinking two wrongs don’t make a right. And I also don’t see any real purpose to the LulzSec attack because I don’t think there was some secret hidden stuff about what the News of the World did that would never have come out without them hacking in. So it’s not clear to me that them hacking accomplished anything. It was mostly just a prank so they could laugh about it, which is what LulzSec has always been about.
RFE/RL: They’re saying they have this email dump that’s going to blow the lid on the whole thing. If it did indeed show that they exposed some greater malpractice at the “News of the World” that we previously didn’t know about, I suspect there will be a lot of people, especially within the tech community, who might think the ends justify the means here.
Bowne: Well, yes a lot of people do think that. I again do not agree because if you just dump an entire email, you cause a lot of collateral damage to innocent people. If you did have some proof that Rupert Murdoch did something unknown and illegal, there would also be a bunch of innocent emails there from people talking to their doctors about medical problems or about their secret love affairs and other things that really are not criminal and yet will harm people to just dump it out. Here, for example, WikiLeaks is more responsible than that. If you wanted to release it they could just send it to WikiLeaks and WikiLeaks actually screens things and only dumps the part that appears to be important and not all the innocent victims’ names. So would a newspaper. They could send it to a major newspaper and those people wouldn’t just willy-nilly dump the entire email log. And that’s what you should do. That’s responsible disclosure of such information — although it’s still illegal for them to steal it. But what they’re doing is the same thing as a terrorist who hates one person but it’s more convenient to blow up a whole cafe. They’re just doing what’s easiest for them instead of doing carefully what’s right. What they really ought to do of course is proper law enforcement where you have a search warrant, and you have a subpoena for the email, and you’re patient and let it take a year to get it the right way. That’s why we have all these procedures.
RFE/RL: Turning to WikiLeaks, I know WikiLeaks says they don’t hack, but there has been some anecdotal evidence suggesting that they might engage in hacking, but no smoking gun certainly.
Bowne: I’m not even aware of the anecdotal evidence. What evidence is there that WikiLeaks hacks anybody?
RFE/RL: There was the piece in “The New Yorker” profile of Assange that claimed they got some of their initial documents through an Internet eavesdropping operation, where they were getting traffic from Tor [a system that enables online anonymity].
Bowne: Yeah, I’ve heard that, but I’ve never seen any evidence of it. Although that’s not even really hacking, I think — although it might be, I guess.
RFE/RL: So there doesn’t seem to be a smoking gun, but from an outsider’s perspective, Julian Assange has been a hacker in the past, comes from a hacking background, and is surrounded by hackers. There is a loosely affiliated network. And even though Anonymous isn’t officially connected to WikiLeaks, they’re supporters and in many ways ideologically they’re very similar. Isn’t all of that — it’s not compelling evidence that WikiLeaks hacks — but you might start to ask questions about WikiLeaks and where they obtain their information. Just as in the same way you might ask questions about where “News of the World” private investigators would obtain their information.
Bowne: Oh sure it’s quite reasonable to ask the question, and I think there’s no doubt that some of the information of WikiLeaks did originate in a hack. Essentially the stuff that came from the U.S. military that presumably came from [Bradley] Manning, that was a sort of hack, where you make a secret copy and leak it out. But I think the point there is apparently Manning committed a crime, but I don’t think Julian Assange had committed a crime to publish stuff that comes to him.
RFE/RL: Turning to denial of service attacks, which seem to be the tactic of choice recently for some of these script kids, do you see that as digital vandalism or more akin to a cyber sit-in?
Bowne: I really don’t think much of the sit-in analogy. A lot of people say that Anonymous is morally and legally justified to take down sites with denial of service. The difference between that and a sit-in is that in a sit-in you are physically present and you permit the police to arrest you. Here is where Anonymous reveals their complete lack of moral fiber. If you really want to protest the law and you want to break the law, Gandhi and Martin Luther King showed how to do this. You stand up in public with your real name and you let the police arrest you for doing something like blocking traffic and then this causes a public examination of why you did that and whether your cause is important. But these guys hide on the Internet, take down a site and run away so they escape the punishment. That creates fear because people justifiably think that they could be the next victim. It shows a lack of commitment. They don’t put their real name on anything and they’re not ready to take any consequences. It shows a lack of moral purity and I think it’s very clear that in fact, they do not choose their victims carefully. They just want to hurt somebody like an angry street gang, and they just get together and pick someone who appears to be unpopular at the moment to be their latest victim. And when they run out of victims, they do like what LulzSec did. They open a phone line so anybody can call in and they’ll attack anybody whose name appears on the phone line. The fun is the fight. It’s not like they have any cause or any principle or any goal. They just like attacking things on the Internet. It’s just a game to them.
RFE/RL: When I’ve spoken to Anonymous activists before and raised the sit-in analogy, they’ve said that actually they do put themselves on the line and they are at risk of being punished. As we’ve seen recently, Anonymous and LulzSec activists have been arrested. So they’re arguing that what they’re dong there, hacktivism, does face the consequences of punishment.
Bowne: Just like every other criminal they make every possible effort to protect themselves. Occasionally they fail and go to prison. They are breaking the law, but their moral position is terrible. And if you go to the pages where you download the “low orbit ion cannon” [an application used for denial of service attacks], their tool of choice, it actually contains statements that you will not get caught because when the attack starts, the servers will crash and the logs will be lost and you can always claim that you were just infected by a virus. Those statements are all absolutely false and anybody with any knowledge of computer security can instantly spot them as false. They tell teenagers to do it.
What’s really going on here is there’s a group of people who are my age, in their 40s and 50s, a small group at the core, that are recruiting young children and using them as disposable weapons — tricking them into doing attacks and then letting them go down. It really is morally deplorable. And that’s why it got me involved in being a strong vocal opponent of this because the people they’re hurting are like my students. Some of my young students might fall for this and participate, feel like they’re saving the world, and then discover that now they can’t get a legitimate job anymore because they’ve been busted for computer crime. I just hate to see it. It’s taking people who are idealistic but naive, and could be productive, and deflecting them into a world of crime.
RFE/RL: Do you really think that groups like LulzSec and Anonymous are run by a very small core of hackers?
Bowne: Oh yes, I think absolutely that is correct in both cases. Anonymous is so very low-tech that there are just groups using the name that are not led by [such] people but there were a small number of leaders that have really come out that set rules and such. I think they don’t have a lot of authority so there are a bunch of splinter factions. But LulzSec doesn’t pretend anything else. There are only six of them, and three or four have sort of drifted away. They know who they are, they’ve been well profiled and they have public identities — all under fake names of course — but there’s no question. They’re not even much of a group. There’s just six people doing it and then a bunch of people cheering them on or condemning them.
RFE/RL: When I read the tech press, I often find that the tone of the coverage about groups like Anonymous tends to be either sometimes positively cheerleady and perhaps other times, it’s not cheerleady, but certainly less critical than perhaps it should be. Have you noticed that in the tech press as well?
Bowne: Oh yes and I think it’s easy to understand: they are afraid. They don’t want to be the next target.
RFE/RL: Do you think it just comes down to fear? Or do you think it comes down to the way that hackers are somehow, for the digerati, the digital rock stars of the day, the Che Guevara. That there’s some sort of mystique about their technical prowess that they can do such things. So is it just fear, or is it a bit of both?
Bowne: If anybody has any admiration for the technical prowess of Anonymous they’ve got to be out of their mind. Anonymous doesn’t know anything. The “low orbit ion cannon” is a piece of junk and they can’t even hack into a server with a SQL exploit. Now, LulzSec has made it up to being only about 15 years out of date in their computer security knowledge. They know how to run one or two automated tools that dump the contents of vulnerable servers and they are improving rapidly. There’s schools for Lulz that published the techniques of crime that they use and I’ve been studying those. Some of those are interesting and perhaps worth using as homework for my students. But none of these guys have any technically advanced skills. They’re just doing stuff that anybody in their right mind would be smart enough not to do for non-technical reasons, like attacking NATO and the FBI, you’re just out of your mind! You’re just going to go to prison and accomplish no good and everybody else can see that. They’re just the people that are too mentally and ethically deranged to see that they’re destroying themselves.
RFE/RL: Within the hacking community, how typical or how rare are views like yours about ethical hacking? Are you in a minority do you think or are you the consensus?
Bowne: I think I’m more strict and more determined to obey the law than most, but I think in practice almost all professionals do it my way and I have some evidence for that because the people who are criminals and the people who cheer on the criminals are exaggerated online. They’re trolls essentially and they like to scream about their position. I posted an article about a year ago saying the sort of thing I’ve been saying to you about how Anonymous is wrong and how a guy named the Jester is wrong. A bunch of people complained, so I set up a poll saying among people who are certified professionals with a CISSP [Certified Information Systems Security Professional] for a certified ethical hacker. Those credentials come with a code of ethics. You must obey the law and various other things. If you don’t do those things you will lose your credentials. I said, among people with that credential, how many of you actually obey the rules? The answer was 80 to 90 percent of them said they did. So I think most people do obey the law, but of course most of them don’t do it out of a deep inner conviction that they believe in the law, they just do it because they’re afraid of prison or something, but I think they do.
RFE/RL: In the discussion of the tech press, you talked about fear. I don’t come from a technical background, I’m learning on the job about hacking, but when I first started writing about Anonymous, it did cross my mind, and I did have genuine fear for a few moments, that some people at Anonymous could hack into my computer and put some child pornography on there or do something terrible. I did have that feeling. I’ll be honest, I was worried about being too critical. Is that what you meant by fear when you said that about how people in the tech press treat them?
Bowne: Yes, absolutely, and it is well justified. It’s the same thing as a person might be reluctant to criticize Islamic terrorists or the Irish Republican Army because if you manage to get their attention they might kill you. And those things do happen. There was a case where a man was caught planting child pornography on his boss’s computer. And I’m sure for every one of those caught 10 of them get away with it. I mean, that is the nuclear strike of this industry. If someone were to get you, suspected as a pedophile it would all be over for you and you’d have very little chance of ever defending yourself. However, Anonymous is too technically incompetent to do that. LulzSec is not, but there are a certain amount of vigilantes out there, absolutely. And I think if you manage to attract their attention, they’re not messing around. But the people who are really dangerous are the organized crime people who are making money off this, like the people who write viruses. Those people are the old-school organized crime and they do show up and just kill people. They kidnapped a malware researcher’s daughter and sold her into prostitution. So there are real dangerous criminals here and it’s a thing to be aware of.
-= Jarvis =- 