
Why we all lost in the Stratfor hack

I like hearing when companies pay the price for lax security, but in the case of Stratfor, proving that someone's security is weak by spilling everyone's details is like peeing your pants to prove your parents aren't supervising you. It might feel good and warm at first, but you ultimately end up being the loser.
Written by Michael Lee, Contributor

(Classy dude image by Jón Sigurðsson, CC2.0)

Stratfor is one of the latest companies allegedly targeted by Anonymous. The breach, which began to make headlines on Christmas day in the US, resulted in the loss of 200GB worth of data and ultimately the publication of its customers' emails, credit card numbers, and corresponding verification numbers and addresses.

The hackers wanted to release the credit card details because they belonged to "rich and powerful oppressors". But even the author behind the release stated that of the 860,000, just 50,000 email accounts were from military or government domains. How many of those 50,000 were even responsible for oppressing anyone? And even if all 50,000 were, was it really worth ruining the privacy of 810,000 other likely innocent bystanders?

Sure, Shadow Communications Minister Malcolm Turnbull and Generation Investments founder David Smorgon, two Australians whose private details were published, might have a lot of money, but are they rich and powerful oppressors?

Some may argue that Turnbull is oppressive given his stance on the NBN, but the fact of the matter is that government requires constant checks and balances, which an opposition politician provides. We are, as a whole, less oppressed through any role that keeps government in check.

What about Smorgon? Well, for a guy who has been awarded the Medal of the Order of Australia for his contributions to health, education and social welfare organisations, surely he's not oppressive, right?

Both men have money, but consider US Homeland Security employee Cody Sultenfuss, who, the Associated Press learned, did not have the money that was stolen from his account. He said he wasn't rich, and I seriously doubt he could have had much of a hand in oppressing people. It's not just the rich who are the victims.

What about Stratfor itself? The company is an intelligence firm, not a security company. While that doesn't exclude it from attack, most would have thought it would be of little interest to Anonymous. It even provided Anonymous with a warning once. During Anonymous' Operation Cartel, a plan to release the names of those involved in the Mexican Zetas drug cartel in response to the kidnapping of an Anonymous member, the company wrote in a report: "we have seen evidence of cartels employing their own computer scientists to engage in cybercrime, it is logical to conclude that the cartels likely have individuals working to track anti-cartel bloggers and hackers" such as Anonymous' members.

There also appears to be division within Anonymous itself.

Shortly after Stratfor customer information was leaked, a post defending the company was released claiming that Anonymous is not and should not be held responsible for the attack.

"Stratfor analysts are widely considered to be extremely unbiased. Anonymous does not attack media sources," the post read.

"This hack is most definitely not the work of Anonymous."

While Stratfor shouldn't be let off the hook for its lax security practices, there are better ways to prove a point and still stay classy about it.

Partial card numbers, or hashes of the same information, would have given the rightful owners a way to confirm that their details had been stolen without exposing the details themselves. The information could also have been provided anonymously to multiple government or independent privacy institutions.

What experienced hacker wouldn't know about the concept of only providing a hash of sensitive information or covering their tracks to submit information anonymously?
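To make the two alternatives above concrete, here is an added example (not code from the article or from anyone involved in the incident) of how a breach could be disclosed so that cardholders can check whether they were affected without the card numbers being republished. It assumes a disclosure party that holds a secret verification key and answers owners' queries; the card numbers are the public payment-network test numbers, not real accounts. One caveat the passage glosses over: a plain, unkeyed hash of a card number is not safe to publish, because with the issuer prefix fixed and the Luhn check digit constrained there are only about 10^8 candidate numbers per prefix, which is trivially enumerable offline. That is why the list below is keyed with HMAC rather than built from bare SHA-256.

```python
"""Added example: proving a card record was in a breach without
republishing the card.  Sample numbers are public test card numbers."""
import hashlib
import hmac
import secrets

# Constructed sample: standard payment-network test numbers, not real accounts.
SAMPLE_PANS = ["4111111111111111", "5555555555554444", "378282246310005"]


def luhn_valid(pan: str) -> bool:
    """Luhn check; rejects malformed input before it reaches the hashing step."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Option 1: partial disclosure.  Keep only the last four digits,
    the same truncation PCI DSS permits on receipts."""
    if not luhn_valid(pan):
        raise ValueError("not a well-formed card number")
    return "*" * (len(pan) - 4) + pan[-4:]


def unkeyed_candidates(pan_length: int = 16, prefix_length: int = 6) -> int:
    """Why a bare SHA-256 of a card number is not a safe disclosure:
    with the issuer prefix known and the Luhn digit fixed by the rest,
    this many numbers remain to be tried per prefix."""
    return 10 ** (pan_length - prefix_length - 1)


def new_verification_key() -> bytes:
    """Secret held only by the party answering 'was I affected?' queries."""
    return secrets.token_bytes(32)


def build_disclosure(pans, key: bytes) -> list:
    """Option 2: a sorted list of HMAC-SHA256 tags.  Sorting removes any
    ordering leak; keying means nobody without `key` can enumerate PANs."""
    tags = []
    for pan in pans:
        if not luhn_valid(pan):
            raise ValueError(f"malformed entry skipped: {mask_pan(pan) if pan.isdigit() else '?'}")
        tags.append(hmac.new(key, pan.encode(), hashlib.sha256).hexdigest())
    return sorted(tags)


def was_breached(pan: str, key: bytes, disclosure) -> bool:
    """Answer an owner's query by recomputing the tag under the same key."""
    if not luhn_valid(pan):
        return False
    tag = hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()
    return tag in set(disclosure)


if __name__ == "__main__":
    key = new_verification_key()
    disclosure = build_disclosure(SAMPLE_PANS, key)
    for pan in SAMPLE_PANS + ["4242424242424242"]:
        print(mask_pan(pan), "affected" if was_breached(pan, key, disclosure) else "not listed")
    print("candidates per prefix if the list were unkeyed:", unkeyed_candidates())
```

In practice the masked form is what an owner would see in a notification, while the keyed list is what a privacy regulator or issuer would hold to answer individual queries; neither form lets a third party recover a usable card number from the published data.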

In the absence of data breach laws and the refusal or ignorance by organisations to assess their security, Anonymous and spin-offs like LulzSec certainly do have a role to play in raising awareness of information security, but it's only when the average citizen Joe is protected that we get both the satisfaction of (renegade) justice and the lulz.
