/>
X

Thinking about Vigilantism

 Remember Sean Carpenter? There was a great article in Time last summer that chronicled Sean’s activity at Sandia Labs in the Titan Rain affair.
zd-defaultauthor-richard-stiennon.jpg
Written by Richard Stiennon on
 
shiprigging.jpg

Remember Sean Carpenter? There was a great article in Time last summer that chronicled Sean’s activity at Sandia Labs in the Titan Rain affair. (Rather than link to Time’s “Premium Content” here is a link to Tao Security  that blogged it at the time).  Sean was railroaded out of a job because he was monitoring Chinese hacking activity against US targets. At first he was working with the full knowledge of the US military and then with the FBI.  But, realizing that breaking into computers in China, regardless of the motivation, was problematic they washed their hands of him and he lost his job at Sandia.

 

There are few security practitioners that do not dabble in a little innocent vigilantism from time to time. I can remember the very first Nigerian 419 scam email I received.  (Do you remember yours?) I was actually taken in by it for a couple of minutes until my 12 year old son said “it’s a scam Dad”.  I was doing security assessments at PricewaterhouseCoopers at the time so my hacking skills were in good shape. It took me *one* try to guess the password at the scammer’s Yahoo account. I changed his password.

 

And who among us has not followed up on a phishing email and checked to see if the phishers had properly configured their application so it was not susceptible to SQL insertion attacks? Or, failing that level of sophistication cut and pasted large tracts of text from the FBI’s web site into the form field just to see if you could fill up the server’s disk? 

 

Speaking of 419 scams what about the social service that scam baiters serve by scamming the scammers? (For a good time click here).

 

It is frustrating that retaliation against bad guys is illegal. There is no other recourse because law enforcement is incapable of acting against foreign hackers. First, they lack the technical skill, second, jurisdictional issues are so complicated they would rather devote their limited resources to local purps.

 

What’s to be done?  I have a proposal I am working on. More tomorrow…

 

 

 

Related

Azure's capacity limitations are continuing. What can customers do?
azurecapacitylimits

Azure's capacity limitations are continuing. What can customers do?

Cloud
This is the ultimate security key. Here's why you need one
Yubikey 5C NFC

This is the ultimate security key. Here's why you need one

Security
Four more apps that infected thousands of Android devices with malware removed from Google Play store
a-concerned-woman-looking-at-her-smartphone-getty.jpg

Four more apps that infected thousands of Android devices with malware removed from Google Play store

Innovation