DWELLING ON DAVOS

From BRANDON J MUSLER <BRANDON_MUSLER@prodigy.net>
Date Wed, 14 Feb 2001 12:36:10 -0500


[: hacktivism :]

DAVOS DEBACLE DEFINES HACKTIVISM
http://www.vigilante.com/inetsecurity/commentary/davos_debacle.htm

For most Information Technology professionals "hacktivism" raises two
central questions. What is it? Do I need to worry about it? The actions of
Virtual Monkeywrench, the group that first stole and then sent confidential
information for hundreds, maybe thousands, of leaders and celebrities to the
Swiss newspaper SonntagsZeitung provide some clues for answering both
questions.

Four hackers, via the Swiss newspaper, claim they stole a CD-ROMful of
personal registration data for 27,000 (present and past) participants of the
World Economic Forum. They said it was easy. It is unlikely that the
foundation that housed this information had any idea how vulnerable they
were. Travel information and 1,400 credit card numbers were obtained in the
'crack'. Since many of the registrants are national or international
political figures, the media was quick to make the jump from IT security to
personal and national security risk. Charles McLean, the forum's Director of
Communications and Public Affairs, helped frame the discussion:

"We have no idea how the information got out. If they could have a security
breach at the Pentagon and they can have a security breach at the State
Department, it is possible to have a security breach at the World Economic
Forum."

For relevance, we might have replaced "Pentagon" with "Nike" and "State
Department" with "eToys". The hacktivists' claimed motives are protesting
globalization and the increasing commercialization of the Internet.
According to Virtual Monkeywrench:

"In our eyes, intellectual property is illegitimate and serves the interests
of the powerful. The Internet makes it possible to share the information
with the whole world."

They said that they would not be committing credit card fraud or
blackmailing anybody. Should we believe them? Pssst! Just between you and
us, the answer is — yes.

Why? Genuine acts of hacktivism, legal or not, are primarily motivated by
idealistic, not criminal intent. So, those of us not directly impacted,
involved, or responsible for the WEF security can take Virtual Monkeywrench
literally, unless or until they begin acting contrary to their words. We're
not condoning their actions and if we were on the list, we would certainly
cancel our credit card…but let's get real here: this was primarily a
politically symbolic act; not a criminal or terrorist attack. There will be
no blackmail because the hacktivists achieved their objective the minute
they transferred the data to SonntagsZeitung. They called attention to their
cause and embarrassed not just Charles McLean, but the otherwise
inaccessible WEF.

DO HACKTIVISTS JUST WANT TO HAVE FUN?

No. It's important to grasp this fundamental truth. All-night pizza and brew
sessions that end by defacing a random Windows NT server (typically with
default configuration settings) to say something like "shoutz to my GIRL13Z,
especially our babe of a gym teacher…oh…and capitalists suck!" do not
constitute hacktivism. Graffiti is to (street) activism what defacements are
to hacktivism: a lowest common denominator adjunct, at best. Neither does
"DoSing" (degrading the services of) somebody's DNS (domain name
server)…unless there is an obvious symbolic significance to the assault. It
doesn't count if, after the FBI tracks you down, you start opposing some
"-ism".

Hacktivists are committed to a cause. The cause may be trivial or abhorrent
to our readers' worldview, but they are not cracking Web sites to get rich
quick. Although Bill Gates can afford the potential $50 liability, most
likely he will not suffer the loss. Yasser Arafat would do well to change
(potentially) disclosed travel plans, not because hacktivists will conspire
to assault him, but because old enemies will read about them in the Swiss
newspaper.

Hacktivists try to make a point, a political one, through symbolic gesture.
For example, the very first hacktivist group, the Electronic Disturbance
Theatre, recently called for a "bombardment" of a military barracks with
paper airplanes. Their goal was not to crush the soldiers' buildings with a
forest, but to draw attention to their cause. VIGILANTe has studied the
pattern of hacktivist activities and found mostly minor and temporary legal
transgressions. Indeed, the most prominent hacktivist groups advocate
against cracking sites in order to corrupt or destroy data. Of course, many
hacktivist leaders also oppose Web jacking and DDoS attacks (both immoral if
not necessarily illegal tactics) and yet the "successful" actions against
Nike and eToys were widely celebrated in the larger hacktivist community.

WHO SHOULD WORRY?

Any organization that may have offended somebody, at some time, with
something, that could be construed, in any way, as 'political'. After all,
whether activists are idealists or not, the road to hell is paved with good
intentions. Any member of Virtual Monkeywrench might unilaterally decide
tomorrow that Davos makes an excellent departure point for redefining the
group as online 'Robin Hoods'. Obviously, just because we define hacktivism
as 'cause oriented' rather than 'personal', doesn't mean that everybody will
hew to our interpretation. This is purely a post facto academic discussion.
Security personnel will be held responsible for a security breach,
regardless of the attacker's rationale. Making routine, automated security
assessments, especially after Internet security perimeter configuration
changes, is a constant necessity. We recommend VIGILANTe's SecureScan
service for the most reliable and cost effective results.

http://www.vigilante.com/inetsecurity/commentary/davos_debacle.htm



