Subsequent to publishing my “Lulzsec Ups the Ante” post, attrition.org and I had a very interesting discussion on my criticisms of Lulzsec using criminal methods to highlight the weak security of the companies that were breached. Attrition.org has since posted a rebuttal that sets out the issues it has with my post. How best to disclose security weaknesses in systems, websites and applications has long been debated within the infosec field, and we have yet to come up with a solution that ensures companies respond to security weaknesses in their systems in a prompt and appropriate manner.
Companies need to take the appropriate security measures to protect the information entrusted to them by their clients. If they don’t put those measures in place, there should be a mechanism by which they can be suitably punished. On the flip side, individuals should not take it upon themselves to publish the personal information of others to demonstrate the weak security of a company. The old saying that two wrongs don’t make a right is, I think, apt for this situation.
The real losers in all this are the end users, as their information, privacy and in some cases their financial data are now exposed and being abused. It also means that valuable law enforcement resources are being diverted away from tackling online organised gangs while they investigate this spate of attacks.
Paul Ducklin, in his blog post “Whither Anonymous, our new generation of cyberfreedom fighters?”, calls on those responsible for the recent attacks to divert their energies into something more productive, while Adam Shostack ponders “Are Lulz our best practice?”, which he follows up with “Communicating with Executives for more than Lulz”.
How we communicate security issues to organisations needs to be resolved, or else we will continue on this hamster wheel, getting nowhere fast.