If you read security news, you most probably have already heard about hackersblog.org. It is blog created by a couple of my compatriots who feel that just talking about vulnerabilities in web websites is not enough and they must attract attention by actively exploiting the flaws and the posting their “trophies” Zone-H style.
As you can guess from the tone of the post up until now, I don’t really agree with them. Here are some more notes:
- It is my opinion that they are using automated vulnerability scanning tools (free or commercial) to perform most of the compromises. Now, they came out and publicly denied this several times, but the timing and the clustering around similar types of attacks leads me to believe otherwise
- Their point of view seems to change from time to time on what they consider “acceptable”. They started off by saying that data obtained trough these vulnerabilities is fair game and they will post the complete data since it is the website’s responsibility to secure the data. Later on they seem to have moved to the “notify the site admin first and (optionally) wait for them to fix it after which publish censored data”. This might be because they haven’t thought the whole thing trough from the beginning all that well :-), because it is a group and the members have differing opinions or perhaps for some other reason
- There are too many “we are not doing anything wrong” / “we are doing good” posts for my taste. IMHO these are a sign of the moral ambiguities they are trying to overcome (and that they are not at all sure about the fact that they are right)
My view? All software has flaws. People are very bad at waging risk. Features, in comparisons, are easy to observe, so priority will always be given to them. You can either believe in democracy (letting people learn see the err of their ways at their own) or in dictatorship (forcing them to do certain things in a certain way), but you can’t have it both ways (ie. “forcing” companies to have more secure sites by exploiting the existing flaws – and all of this to “show” people that those companies are “bad” in some sense of the world).
This type of behavior is most probably fueled by a mix of “wanting to do good, even with force” and wanting to show off one’s skills. This kind of behavior and the associate mindset can be very dangerous, because you never know when and in which direction will the pendulum swing to the extreme. On the upside, they provide business for security professionals :-).
Finally, here is the video of an interesting talk from Blackhat USA 2008 which I found via their blog:
Picture taken from hragvartanian's photostream with permission.