Going After 'Hacktivists'

In the past few months, hackers like Anonymous and Lulz Security have claimed responsibility for breaching what were thought to be secure websites. But law enforcement seems at a loss to stop them. To help navigate through the web of cyber crime, Robert Siegel talks to Hugh Thompson, chief security officer at the software protection company People Security and adjunct professor of computer science at Columbia University.

Copyright © 2011 NPR. For personal, noncommercial use only. See Terms of Use. For other uses, prior permission required.

ROBERT SIEGEL, host:

Well, from the potential future chaos posed by new domain names to the very present challenge of Web security. In the past few months, hackers, like Anonymous and Lulz Security, have claimed responsibility for breaching many sites that were thought to be secure. And law enforcement seems at a loss to stop them.

To help us navigate through the web of cyber crime, joining us now is Hugh Thompson, chief security officer at the software protection company People Security and also adjunct professor of computer science at Columbia University. Welcome to the program.

Dr. HUGH THOMPSON (Chief Security Officer, People Security): Oh, thanks for having me.

SIEGEL: Here's a hypothetical case which happens to not be so hypothetical. Some hacker or a group of hackers break into the NPR computer system. First, just for starts, is that a crime? If so, do we know what crime it is? And who's trying to investigate that crime?

Dr. THOMPSON: You bring up a fascinating question. I think the law is really trying to sort this out now. And cyber crime has moved so quickly, the law has moved so slowly.

But to your hypothetical, one of the laws that prosecutors may use in their arsenal is the Computer Fraud and Abuse Act, which is a relatively recent piece of legislation that targets and covers computers that are in the federal interest.

SIEGEL: So if the NPR computer were in the federal interest, somebody could prosecute somebody for doing that. But what if they said: You know, it's just a radio network. It's not in the federal int-- It's not a dot.mil operation. Is it a crime for somebody to poke around in our computers?

Dr. THOMPSON: Then things get more complicated, so there's laws around stored communications. In many cases, prosecutors have had to get creative. But if you look at it from an individual perspective, obviously something wrong has happened; someone has trespassed, someone has caused harm to the system.

And I think what we're dealing with is a big lag between the speed with which technology has moved, and the lumbering speed of the legal process.

SIEGEL: Let's talk a little bit about Anonymous and Lulz Security. What do we know about these groups? What do we know about their motives for hacking into places?

Dr. THOMPSON: So Anonymous falls into this category loosely defined as hacktivism. So folks that believe in a cause and are using hacking as a new means of expression to forward that cause.

SIEGEL: We're talking about groups that hack into government or private enterprise computers just because they're there, because it'd be a fun thing to do.

Dr. THOMPSON: Yeah, it's interesting. It seems that there's a division. So there are hacktivists, which I'd say Anonymous mostly falls into that category. So they have a set of goals, ideals, principles, and they use technology as a means of expressing those ideals.

SIEGEL: But what are those ideals? What are those goals?

Dr. THOMPSON: Generally, they tend to support WikiLeaks, support free speech, support your ability to tinker and modify hardware and software.

Then if you go into groups like LulzSec, in that case most of the things that they've done so far have been for entertainment, to expose security issues, very anarchy-driven types of things, which is fascinating. Their tagline is: Laughing at Your Security Since 2011.

(Soundbite of laughter)

SIEGEL: There's a strange event on Sunday. The videogame company Sega was hacked and it lost some information from its database for, I guess, about a million of its customers. LulzSec has offered to retaliate on behalf of Sega.

What do you make of this idea of hacker vigilantism, and hackers saying we're good hackers and we'll go and get the bad hackers?

Dr. THOMPSON: We are truly in an interesting time. You've got Lulz Security, you've got Anonymous. There's another actor named The Jester. It feels like the Wild West again of information security. And in many cases, they're loosely collected around a set of ideals.

So they don't like Sony because Sony went out and prosecuted somebody that tried to manipulate the hardware and repurpose it, which Sony discourages. They seem to like Sega, because the Dreamcast allows you to make modifications; many people have. So it is just a fascinating time.

SIEGEL: Hugh Thompson, thank you very much for talking with us.

Dr. THOMPSON: Thanks so much.

SIEGEL: Mr. Thompson is chief security officer at People Security, and he's an adjunct computer science professor at Columbia University.


NPR transcripts are created on a rush deadline by a contractor for NPR, and accuracy and availability may vary. This text may not be in its final form and may be updated or revised in the future. Please be aware that the authoritative record of NPR's programming is the audio.
