Anonymous may help, not hinder, data retention laws

Summary: Anonymous Australia's attack on Melbourne IT was an opportunistic, unskilled act, but that doesn't mean the group won't have an effect on the data retention debate; it just won't be in the way they expected.

TOPICS: Security

According to Dr Mark Gregory, RMIT University senior lecturer at the School of Electrical and Computer Engineering, Anonymous' attack on AAPT was very opportunistic. Earlier, the group told ZDNet that the attack took several members to achieve. It was made possible through a vulnerable implementation of Adobe ColdFusion on Melbourne IT's servers, but Gregory said that it didn't require that much skill.

"They found a system that wasn't patched correctly, and they went for it. It wasn't an overly skilled exercise in attacking that system. It was just something they found," Gregory said.

AAPT has said that the servers that had been breached had "not been used or connected to AAPT for at least 12 months". This means that the systems Anonymous attacked aren't actually comparable to those that would be used in a data retention scheme. In fact, Telstra is one ISP that has previously stated that a large amount of work will be needed on its existing systems to prepare them for handling data.

But if Earthwave founder Carlo Minassian is to be believed, it doesn't matter how much you upgrade your security: attackers will find a way in if they want to.

"If they want to show that they can get you, they will. If they want to steal data, they will," he said.

Because of this, data retention legislation doesn't make much sense to Minassian, who said that the effort and cost to set up data retention systems were beyond the reach of most ISPs.

"Who's going to pay for that cost? Who's going to be responsible? Who's going to be made responsible for building the necessary people, and the processes, and the technology, and all of the intellectual property necessary to deliver this protection, detection and response?"

"Unless you're sitting on a secret, classified network that isn't connected to the internet ... then gaining and leaking that information by accident or on purpose is only a matter of time. There is no way they are able to do any level of protection," Minassian said, pointing out that ISPs, by their nature, must be connected to the internet.

This argument appears to match Anonymous' views. But although Minassian thought the group didn't want to do the average Australian harm, as evidenced by their claims of removing personal information from the yet-to-be-released data, Graham said that their actions may be twisted to add more fuel to the argument for legislation.

"They risk government using their effort as evidence of why the government's laws need to be introduced. They're walking a very fine line between trying to argue a particular point, but having that turned back on them by skillful politicians," Gregory said.

"Anonymous would be much more successful at achieving their aims if they identified insecure systems, like the AAPT's systems, and either notified the company or made it public that their system was insecure, without going ahead and actually stealing the data," he said.

"They could be good community citizens and argue a point, without going as far as breaking the law."

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

Talkback

2 comments
  • Sometimes, you have to break the law in order to get companies to move

    I hate to say the above, but it is just true. Many companies, unless they have it thrown in their faces, will not fix vulns the way that they should.
    Lerianis10
  • Opportunism is actually a skill

    In dynamic systems, which basically include computer systems because of regular software and hardware installs, patches, updates, upgrades and such, you are almost guaranteed to have moments, periods of high vulnerability. And the larger, more complex the system, the more frequent these opportunities. So if you make the effort to be on the lookout for these vulnerable moments, well....
    JustCallMeBC