
Remember Shawn Carpenter? There was a great article in Time last summer that chronicled Shawn’s activity at Sandia Labs in the Titan Rain affair. (Rather than link to Time’s “Premium Content,” here is a link to TaoSecurity, which blogged it at the time.) Shawn was railroaded out of a job because he was monitoring Chinese hacking activity against US targets. At first he was working with the full knowledge of the
There are few security practitioners who do not dabble in a little innocent vigilantism from time to time. I can remember the very first Nigerian 419 scam email I received. (Do you remember yours?) I was actually taken in by it for a couple of minutes until my 12-year-old son said “it’s a scam, Dad”. I was doing security assessments at PricewaterhouseCoopers at the time, so my hacking skills were in good shape. It took me *one* try to guess the password for the scammer’s Yahoo account. I changed his password.
And who among us has not followed up on a phishing email and checked to see if the phishers had properly configured their application so it was not susceptible to SQL injection attacks? Or, failing that level of sophistication, cut and pasted large tracts of text from the FBI’s web site into the form field just to see if you could fill up the server’s disk?
Speaking of 419 scams, what about the social service that scam baiters provide by scamming the scammers? (For a good time click here.)
It is frustrating that retaliation against bad guys is illegal. There is no other recourse because law enforcement is incapable of acting against foreign hackers. First, they lack the technical skill; second, jurisdictional issues are so complicated that they would rather devote their limited resources to local perps.
What’s to be done? I have a proposal I am working on. More tomorrow…