I keep getting asked – by journalists, friends, colleagues, competitors, delegates at conferences, people on the bus – what my attitude is to hacktivism, hacking and hackers.
I usually answer by saying, “What do you mean by hacktivism?” And the answer is frequently, and impassably, circular. “Y’know – all that hacking that hacktivists are doing these days.”
No! I don’t know! And I’m not willing to guess what you mean just so I’ve got something to say!
Fortunately, a few days ago a friend alerted me to a cartoon in the XKCD series (‘a webcomic of romance, sarcasm, mathematics, and language’, in its own words) which – like many XKCDs – cuts through most of the ambiguity and misunderstanding which surrounds the abovementioned H-words. (Don’t forget to hover over the image below to read the pop-up text.)
And we need to cut through the ambiguity, because every time we use the H-words on Naked Security, we seem to end up in comment wars over their relevance, meaning and imputation.
Does calling someone a hacker imply they’re a cybercriminal, even if they aren’t, and even if they might use that word to describe themselves? Does calling a cybercriminal a hacker demean everyone who ever took the term hacker as a badge of honour?
More importantly, does the sort of stuff which many so-called hacktivists get up to actually count as hacking, even if you allow the word to denote criminality?
For example, Anonymous recently bragged about a hack Down Under in which it revealed to the public a database of already-published web pages belonging to a local council. One publication blared this to the world as ‘Council falls prey to computer hacking gang’. Another avoided the H-word, but still rather extravagantly announced that ‘Anonymous releases government records including Australian council data.’
As the always-amusing Richard Chirgwin pointed out in The Register, the truth about this Down Under ‘hack’ was a little less dramatic.
Under the wry headline ‘Council Website copied by Anonymous – Wget would have worked nearly as well’, Chirgwin noted:
> Australian democracy stubbornly fails to teeter on the brink of collapse this morning, after a bunch of script-kiddies mistakenly published a backup copy of a public Website in the delusional belief that they'd achieved yet another stunning coup in the "anti-sec" campaign.
In a world under clear and ongoing economic erosion by cybercriminals – not by hacking, or by hacktivists, or by hackers, but by cybercriminals – the overuse of the H-words in the media actually works against computer security in general.
Firstly, calling most self-styled hacktivists by their own name of choice imbues them with a social conscience and a justification they don’t seem to possess – rather like legitimising the looters currently on the rampage in Britain by labelling them as protesters.
Secondly, with all the attention that so-called “hacktivism hacks” against high-profile organisations are getting, it’s easy to fall into the trap of assuming that individuals and small businesses are safely under the radar. After all, who would target the website of Uncle Fred’s Garden Mowing Service when they could be taking on the mighty CIA?
The answer is that cybercriminals generally don’t care.
You might not have any data worth stealing (though it’s almost certain you do), but even if all you have to offer them is a badly-protected PC infected with zombie malware – a resource they can use to line up their next attacks whilst keeping out of the frame themselves – you are inadvertently aiding, if not abetting, their criminal activities.
So why not take one step tonight which will improve your attitude to security, and your personal resilience to compromise?
* If you use the same password for many websites, make tonight the night you change that approach.
* If you’ve been leaving your virus scanner turned off or out-of-date, make tonight the night you get it back up-to-date and activated.
* If you’re in the habit of friending people on Facebook just because they’re there, make tonight the night you treat Facebook friendships like you do real-life ones – based on knowing, liking and trusting the person.
* If you give inadvertent succour to hacktivists by simply following along and watching “for the lulz”, make tonight the night you search out something more visibly positive to do online for the greater good of all.
(Writing documentation for open source software projects is something most people can help with, even if they’re non-technical. It’s not glamorous but it’s important, useful, and can teach you a lot. You’ll be much more of a hacker than someone who joins in a DDoS attack – and you can put it on your CV, too!)