Anonymity vs Privacy vs Security
Over the last couple of months, Internet security has been making headlines thanks to a hacker group by the name of Lulzsec. Most prominent are their attacks on Sony, which caused the PSN (PlayStation Network) to be offline for a month. The group claims that it is for the laughs and that they are doing the world a favour by showing the vulnerabilities that exist in systems. They have a huge following on Twitter (187,000 at last count) and there is a lot of reaction to their exploits, mostly negative though. One thing that they do highlight, however, is that Internet security is still lacking and more active measures need to be taken.
Just for the record, I don’t like them (Lulzsec) and don’t agree with what they are doing. I think they are malicious, and for all their “we do it for the laughs” attitude, they are doing more harm than good. They don’t really show security vulnerabilities; they rather show lazy administrators and poor system design. The reason for me saying this is that none of their hacks are anything new; it is all existing vulnerabilities in systems that should have been patched by the administrators.
The Sony attack was nothing more than a SQL Injection hack, which was done the first time in 2005. Do a Google search on SQL Injection and the first result takes you to Wikipedia with a full explanation on how to do the hack, even with SQL queries. Their taking down of websites is being done with botnets, also something that has been around for a long time, nothing new. If they were to hack a website with a new vulnerability they found, I would have applauded them for making the Internet a safer place, but at this stage they remind me of script kiddies who see themselves as hackers because they know how to use the work of other people.
They are malicious because they publish login information of people on the Internet for others to take advantage of, and they actually encourage it. Although I agree with having strong passwords and different passwords for different systems, it is because I’m working in IT and thus am more aware of the dangers. Most people, however, do not know this and are unaware of the risks. I’ve also read a report once where an auditing company found that strong passwords in a corporate environment actually make the network less secure. The reason for this is that people can’t remember the strong passwords, and therefore write the passwords down, which kind of defeats the purpose.
As to botnets, I do think that when a group that uses botnets is caught, they should compensate the people whose computers were infected. They used computing power and bandwidth, and should be charged for that. Since botnets run into the hundreds of thousands or even millions of infected computers, this might be a hefty fine. Although Lulzsec is very critical of the white hats (hackers that work for the good, typically being employed by big corporates or security companies), I think the reason they are so public is to get caught. Their fines will be paid by their new employers as the Lulzsec hackers drive off in their new Ferraris, part of their package of course. That is why I want the fines to be so big, and that whoever employs them must pay those fines as well. If the fines are big enough, they will become unemployable and therefore defeat their own purpose.
We cannot, however, ignore the security threats they highlight. Even though we might not agree with how they do it or their actions afterwards, they are highlighting a very basic flaw in the Internet. That flaw is anonymity, one of the cornerstones of the Internet: the fact that you can choose how much about yourself you want to be known in cyberspace. This is one of the principles the Internet was built upon, and maybe one of the biggest flaws.
Here in sunny South Africa, before the big credit crunch, our government passed a credit act which was originally met with a lot of resistance. It forced banks to ensure, before they lend money to a customer, that the customer can pay the loan. Everyone was in uproar, and although the law was there to protect customers, when the credit crunch did happen, the banks were the ones that were protected, and none of our banks needed a government bailout to stay in business. The second part of this was to attach every account at the bank to a person or company. When the account was linked to a company, it was linked to one or more people in the company. This means that for every bank account, there is a corresponding ID number and address where the person might be found. Our government took it a step further: they brought in a telecommunications act, where every landline and mobile phone must also be linked to an ID number and physical address. Although this infringes on our privacy rights and a lot of other things people complain about, it also means that criminals can now be tracked. They can’t use anonymous phones anymore, because they are not anonymous anymore.
My solution to Internet security will be the same: link every IP or MAC number (MAC number is a unique number on every network device) to a specific company or person. So when my bank account gets hacked, or someone gets into my PayPal account, they can be traced. For every request made to the Internet, whether it is talking on Skype or surfing a website, the IP number and MAC number must accompany the request, and it can therefore be traced back to a specific individual. Hackers won’t have the luxury of being anonymous anymore; they will be traceable. It will also solve a lot of the cyber warfare issues that are starting to make headlines.
This will take away some of my rights as a consumer and individual, but if I must choose between being anonymous on the Internet or having a safe online banking experience, I will choose the latter. This solution might also finally stop spam emails, as I will now know where it comes from and will be able to sue the sh*t out of those irritating bastards.
So although some hacking groups might be doing it for the laughs now, their very actions might be their downfall, insofar as everyone will lose a lot of privacy and anonymity on the Internet in order to make it a more secure environment for everyone.