05:10 PM

Anonymous Hackers Are Hypocrites, Not Hacktivists

An amorphous group of hackers has proven its ability to breach, torment, and embarrass. But as its dance with BART shows, its larger ambitions ring hollow.

The hacker group Anonymous, which is less a coherent group of people working together toward a common cause than a random medley of hackers out to prank and disrupt the online world, has been busy these days. Multiple hacks on Bay Area Rapid Transit websites in response to BART's shutdown of the railway's underground cellular system have captured the attention of activists and technophiles alike. But even as the name Anonymous strikes fear into the hearts of many IT security workers, the group's political ambitions ring hollow.

Anonymous has a penchant for making grand--if sometimes dimly worded--proclamations about its motives. After the group initially hacked a BART website on August 14, it posted a message to the AnonOps blog that stated, "In the Bay Area, we’ve seen people gagged, and once more, Anonymous will attempt to show those engaging in the censorship what it feels like to be silenced." The group frequently issues demands in conjunction with its operations, and the BART hacks were no exception: "Anonymous demands that this activity revolving around censorship cease and desist and we know you are already planning to do this again."

Through its attacks against a variety of high-profile organizations, Anonymous has made itself difficult to ignore. But what's also hard to ignore is the hypocrisy and futility of the group's tactics. Even as the group proclaims its opposition to oppression, it resorts to little more than online bullying in pursuit of its aims. In purporting to advance the cause of freedom, the group brings its own brand of oppression to bear. Its message is pretty much always the same: Stop doing whatever it is we don't like, or we'll take down your website, steal your private data, and embarrass your workers and customers on the Internet.

In response to a decision by BART management to interrupt cell phone service in four underground stations in downtown San Francisco for a couple of hours on August 11, Anonymous hacked into a third-party BART website and released the personal information of thousands of BART riders, all of whom were innocent of BART's actions. The organization then proceeded to hack a BART police officer's association website and released the personal information of its users.

All told, within a week, this loose-knit group of hacktivists victimized a few thousand people who were in no way connected to the actions in question. As of Monday afternoon, the group is reportedly mounting a third protest, which we can only assume will be accompanied by further hacks targeting BART riders and workers. And amid all this chaos, thousands of Bay Area commuters have had their commutes disrupted, causing ripples of inconvenience and hardship throughout their lives.

Which part of Anonymous's ongoing assault against BART riders and employees is supposed to encourage change? Is there a specific policy that Anonymous would like BART to adopt? It's impossible to tell, because the group hasn't put nearly as much thought into advancing a substantial argument as it has into causing disruption. And this is where the intellectual bankruptcy of hacktivism reveals itself. It outlines no argument. It advances no coherent cause. It brings only vague threats and intimidation.

Ask yourself this: If Anonymous were to single out your organization for attack, what would you do? Would you search your soul for the source of whatever transgression might have elicited the group's animosity? Or would you spend a little extra on IT security and hunker down to weather the storm, while mobilizing your legal department to track down and prosecute the offenders? For anyone charged with running a business, the obvious answer is the practical one. Anonymous's tactics force an organization into IT defense mode, while doing little, if anything, to engage the organization's leadership in a meaningful dialog about the issues. It is, quite simply, online thuggery, with only the barest pretense of a political motive.

So for all the IT pros out there watching the Anonymous-BART drama unfold, there are certainly lessons to be learned. But those lessons have nothing to do with high-minded questions of liberty, equality, and human rights. Instead, they're just reminders to run your patches, secure your site's navigation layer, and enforce strict password policies on your users.

