LulzSec? Bah, cybercrime ain't no joke

Forget the LulzSec speculation sideshow. The cybercrime charges against Matthew Flannery are a rare chance for the AFP to put a head on a spike as a warning to others.
Written by Stilgherrian , Contributor

"[On Tuesday,] the AFP arrested and charged a self-proclaimed Australian leader of the internationally renowned computer hacking collective known as LulzSec," said Commander Glen McEwen, the Australian Federal Police's manager for cybercrime operations, kicking off a press conference full of stern warnings.

Matthew Flannery, aka "Aush0k", was charged with three offences relating to his alleged hack of a government computer less than two weeks earlier — a remarkably quick result.

"The AFP has zero tolerance for this type of behaviour. The AFP believes this man's skill sets and access to this type of information presented a considerable risk to Australian society," McEwen said.

"Those thinking of engaging in such activities should be warned that hacking, creating, or propagating malicious viruses, or participating in distributed denial of service attacks are not harmless fun, and the consequences are severe.

"The AFP will continue to actively monitor, identify, and disrupt this type of activity."

The LulzSec leadership claim was an immediate cause for speculation. Wasn't Hector Xavier Monsegur, aka "Sabu", generally thought to be the leader of LulzSec? And weren't there only six to eight core members? Monsegur was arrested and turned by the FBI in August 2011, and subsequent arrests of alleged LulzSec members seem to account for the rest. Doesn't this mean that LulzSec was already both dead and leaderless?

"He [Flannery] was actually in forums inhabited by other people of LulzSec, and there was no denials of his claims as being the leader," said Detective Superintendent Brad Marden, the AFP's national coordinator for cybercrime operations. The federales knew this from their "monitoring of the environment", a fascinating euphemism.

There's no indication that LulzSec has increased its activity, Marden said. But then LulzSec isn't really a group, but merely "people who affiliate with those networks, LulzSec and other issue-motivated groups. So by self-affiliation, you're actually continuing the name."

There's also been speculation over Flannery's alleged skills. "He is a well-respected person within the Anonymous community, within LulzSec and that side of the house, but he has also worked in the IT professional field," said Marden. The AFP claims that he was a "very well informed IT expert" operating from a position of trust in a security company, and had access to sensitive information from clients, including government agencies.

But that company, Content Security, says Flannery was doing "basic overnight help-desk work for a US client that wanted 24/7 support", and was still on probation. "There is no possibility of access to sensitive documents without a private key and passphrase, which Mr Flannery did not have," they said in a follow-up statement.

I daresay all this will be thrashed out in the criminal trial, but it's all a sideshow.

All this Great Big Crime razzamatazz is surely to counter the very idea that hacking can ever be solely "for the lulz".

The impact of a compromise may seem trivial, at least when judged by the visible impact, but remediation can cost tens of thousands of dollars. If I caused that kind of financial loss to a company through other means, say with the aid of a sawn-off shotgun, I'd quite rightly be hit with serious criminal charges.

But, of course, a compromised system can no longer be trusted. If you pwn the computer, you can manipulate any and all data that flows through it. If the system is expected to be trustworthy, like most government, banking, and business systems, and if it's compromised for an extended period, there's the potential for extended mischief on a grand scale.

That's why the changes to Australian criminal law introduced in the Cybercrime Act 2001 put such hefty penalties on these crimes, namely two or even 10 years in jail for the kinds of charges laid against Flannery.

"On this particular case, our early intervention interrupted him before he could commit any further serious offences, but the ability to interrupt online trading, online transactions for government, can have serious consequence in the long term," Marden said.

But cybercrime prosecutions aren't all that common, and most are dealt with by lower courts and go unreported in the media. Flannery's claimed link with LulzSec meant that this case would get media attention. The AFP has taken good advantage, using it as a vehicle to issue their stern warnings.

The AFP will push this one hard, you can count on that. If Flannery is eventually found guilty, they'll put his head on a spike to serve as a warning to others. Metaphorically, anyway.

Editorial standards