< A Hacker's Guide to Recent Hacks


Friday, June 17, 2011

BOB GARFIELD: And I'm Bob Garfield. These are the halcyon days for hackers.

MALE CORRESPONDENT: Another day, another major hack attack.

MALE CORRESPONDENT: We had Sony, we had Lockheed Marten and we had Citigroup. Now we can add the United States Senate to the list of groups that’s experienced a hack attack.

MALE CORRESPONDENT: Another cyber attack today. That one took down the website of the Central Intelligence Agency, the CIA, knocked down.

BOB GARFIELD: Hackers in the limelight: Well, there's Anonymous. No one knows whether Anonymous is an actual group or a loose affiliation of people. We do know that the group or whatever appears to like causes. It hacked the Church of Scientology, and last year it shut down PayPal, Visa and MasterCard to protest those companies' refusal to process payments in support of WikiLeaks.

Then there's Lulz Security or LulzSec. The name comes from LOL, or laugh out loud. And it's often described as a group of 1990s style hackers, people doing it just for fun. LulzSec hacked the Senate web site, the PBS website and this week, as we heard, the CIA.

Eric Corley is an old school hacker, the owner and publisher of 2600: The Hacker Quarterly, who goes by his pen name Emmanuel Goldstein. We asked him what was behind LulzSec’s recent attacks.

EMMANUEL GOLDSTEIN: Impatience with the progress that organizations have made insofar as protecting the computer systems and ultimately our privacy. If you’ll notice, in the case of Sony, a million user names and passwords were leaked. Why was that information easy to get in the first place?

Obviously, Sony is not taking necessary precautions. The incompetence insofar as, as protecting vulnerable information is simply staggering, and it needs to be exposed.

BOB GARFIELD: Fair enough, but sometimes there are real victims I'm thinking of the, the Epsilon hack back in the spring. This is - I guess it's sort of a direct marketing company that had all sorts of personal information from all sorts of major institutions, including financial institutions and exposed email addresses, and who knows what all, in a major breach.

Sony, there are millions of Sony users whose maybe credit card information and passwords were vulnerable. These are not victimless crimes, right?

EMMANUEL GOLDSTEIN: What would you say if I told you that that information had already been obtained by some evil entity and they are using these credit cards and this personal information to steal identities and commit credit card fraud, and then you have a group come along and expose this and say, look, here it is, here’s a million user IDs and passwords, look how easy that was to get? Which scenario is more likely to result in a change?

BOB GARFIELD: Law enforcement around the world is paying a lot of attention to hackers, and some people are being prosecuted under various criminal codes. Should they be?

EMMANUEL GOLDSTEIN: It's inevitable that investigations will ensue, based on all the things that have been happening, but I think in the end when it comes down to what the penalty actually will be, you need to look at what the intent was, you need to look at what was learned and whether we're better off with this information than without this information.

When I was prosecuted back in the 1980s basically I was facing, they told me, 55 years in jail. But in the end I wound up paying for the computer time that I used without authorization, and I gave a lecture to a roomful of FBI agents on how to improve their security. And I think everybody walked away from that better off than they walked into it.

BOB GARFIELD: How much of this is just anti-authoritarianism, wanting to have something, have access to something because you're told that you can't?

EMMANUEL GOLDSTEIN: It's impossible to say what the true motivating factor is for any one particular hacker. I mean, it could be anti- authoritarianism, it could be lack of a strong father figure, who knows?

But I think ultimately there are certain basic values that we subscribe to, and that’s that we don't cause damage, we don't commit any kind of fraud and we share the information that we obtain with the rest of the hacker community, and we learn from it.

BOB GARFIELD: Do you think that the systems will ever be hack proof? And then if, if they ever get there, will you and your community stand down?

EMMANUEL GOLDSTEIN: If these organizations ever get to the point where they are successfully able to isolate sensitive information, and by sensitive information, I mean anything that has private information about us, to keep that isolated from the rest of the Internet, you'll simply see that that this information does not get out there anymore. That will be the proof that it's secured.

Like, for instance, not to toot our own horn, but the 2600 subscription list, all right [LAUGHS], it’s never gotten out because we keep it isolated. You’d have to physically break in and figure out our encryption scheme and somehow get out without being detected and then spread that around. You can't simply log onto a machine and access the information because we're not that stupid.

However, banks and, and credit agencies and phone companies and, and power companies and the like, they don't seem to care, and they leave this information lying around.

And what's even worse than all of that though is how much information we willingly give out about ourselves on such social networking sites as FaceBook, without realizing the potential problems that having all this personal information out there might result in for us. So we really all need an education on how to keep our privacy private.

BOB GARFIELD: Emmanuel, thank you very much.


BOB GARFIELD: Emanuel Goldstein - or not Emmanuel Goldstein - is the publisher of 2600: The Hacker Quarterly.