Anonymous may help, not hinder, data retention laws

Anonymous Australia's attack on Melbourne IT was an opportunistic, unskilled act, but that doesn't mean the group won't have an effect on the data retention debate; it just won't be in the way they expected.
Written by Michael Lee, Contributor

According to Dr Mark Gregory, RMIT University senior lecturer at the School of Electrical and Computer Engineering, Anonymous' attack on AAPT was very opportunistic. Earlier, the group told ZDNet that the attack took several members to achieve. It was made possible through a vulnerable implementation of Adobe ColdFusion on Melbourne IT's servers, but Gregory said that it didn't require that much skill.

"They found a system that wasn't patched correctly, and they went for it. It wasn't an overly skilled exercise in attacking that system. It was just something they found," Gregory said.

AAPT has said that the servers that had been breached had "not been used or connected to AAPT for at least 12 months". This means that the systems Anonymous attacked aren't actually comparable to those that would be used in a data retention scheme. In fact, Telstra is one ISP that has previously stated that a large amount of work on its existing systems will be necessary to prepare them for handling data.

But if Earthwave founder Carlo Minassian is to be believed, it doesn't matter how much you upgrade your security; attackers will find a way in if they want to.

"If they want to show that they can get you, they will. If they want to steal data, they will," he said.

Because of this, data retention legislation doesn't make much sense to Minassian, who said that the effort and cost to set up data retention systems were beyond the reach of most ISPs.

"Who's going to pay for that cost? Who's going to be responsible? Who's going to be made responsible for building the necessary people, and the processes, and the technology, and all of the intellectual property necessary to deliver this protection, detection and response?"

"Unless you're sitting on a secret, classified network that isn't connected to the internet ... then gaining and leaking that information by accident or on purpose is only a matter of time. There is no way they are able to do any level of protection," Minassian said, pointing out that ISPs, by their nature, must be connected to the internet.

This argument appears to match Anonymous' views, but although Minassian thought the group didn't want to do the average Australian harm, as evidenced by their claims of removing personal information from the yet-to-be-released data, Graham said that their actions may be twisted to add more fuel to the argument for legislation.

"They risk government using their effort as evidence of why the government's laws need to be introduced. They're walking a very fine line between trying to argue a particular point, but having that turned back on them by skillful politicians," Gregory said.

"Anonymous would be much more successful at achieving their aims if they identified insecure systems, like the AAPT's systems, and either notified the company or made it public that their system was insecure, without going ahead and actually stealing the data," he said.

"They could be good community citizens and argue a point, without going as far as breaking the law."
