It’s commonplace for the prosecution in hacking cases to overstate the capabilities of the accused and exaggerate the damage they’ve caused. One is reminded of the assertion that Kevin Mitnick could launch nuclear missiles just by having access to a phone.
Sometimes this inflation of the dangers is detestable. At other times it is merely risible. But it never reflects well on lawyers, the judiciary or the legal process. And it may (deliberately or otherwise) serve a darker agenda – to partly relieve organisations from the responsibility of protecting their data.
In the trials of four LulzSec members in the UK, prosecutor Sandip Patel has apparently said that they were “at the cutting edge of the contemporary, emerging species of international criminal offending known as cybercrime”.
Cutting edge? Oh please. Put any of these four – Ryan Cleary, Ryan Ackroyd, Mustafa Al-Bassam and Jake Davis – alongside even the most average penetration tester and you’d see them for what they are – script kiddies with an inflated sense of self-importance.
LulzSec’s real talent lay in self-promotion. Their hacking skills, if you can call them that, were meagre at best. For the most part, the hacking activities of Anonymous and LulzSec involved little more than DDoS attacks (often involving followers who had little idea what they were doing), plus some SQL injection, usually involving automated tools. Probably the most sophisticated attack was that against HBGary Federal, which did at least show a little wit and skill in its social engineering component.
But this is all hacking 101 stuff, the sort of thing you could teach to a reasonably intelligent person in an afternoon.
Aside from the fact that they probably consider it a compliment, the attempt to paint these four as uber-hackers misses a very important point, one that the authorities would probably prefer not to confront.
They weren’t skilled hackers, but they didn’t need to be. The targets they attacked were weak. My dog could probably have hacked them. In fact, one of the motivations often professed by the likes of Anonymous and LulzSec has been to highlight just how poorly organisations are protecting their data – which is often our private information.
This comment by the prosecutor could be seen as an attempt to deflect attention from the real problem. By portraying the LulzSec crew as master criminals, it tacitly excuses the failings of the organisations they attacked. It’s not their fault: no-one could stand up to the ravages of ‘cutting edge’ cyber-criminals.
Prosecutor Patel is just doing his job – trying to get the stiffest possible sentence for convicted criminals. But he’s doing the rest of us a disservice by masking the culpability of firms that fail to properly protect themselves.