Information Security News mailing list archives

Net tightens around the hacktivists


From: InfoSec News <isn () C4I ORG>
Date: Tue, 2 Jan 2001 20:46:08 -0600

Forwarded By:  kelley <kwalker2 () gte net>

http://www.guardianunlimited.co.uk/internetnews/story/0,7369,416954,00.html

Tania Branigan
Tuesday January 2, 2001

Big corporations and governments want to curb the protests of the
cyber hippies.

Rocketing numbers of political campaigners are embracing the internet
with the fervour their parents showed for sit-ins as they try to claw
back its independence and make online actions a standard part of
modern protests.

Computer activists - "hacktivists", as they have become known - are
squaring up to governments and corporations who want to restrict their
activities. They are not opposed to business, but their immediate
political aims, which range from improvements in working conditions to
political independence, are fuelled by anger at the commercial
dominance of cyberspace. Their tactics range from sending
straightforward emails of complaint to crashing websites or diverting
visitors to different sites. Some have overwhelmed servers with email
"bombs" of thousands of protest messages or launched computer viruses
and worms.

In the US election both Republican and Democratic sites were defaced
with anti-Bush and anti-Gore sentiments, while the Middle East
conflict has been fought almost as heatedly online as in the real
world. Palestinian and Israeli computer users have defaced websites,
set up spoof sites as propaganda and even stolen the credit card
details of their enemies.

Ingenious

But so far hacktivism has been dominated by social justice and
leftwing issues, with the far right using the internet only to
organise and recruit. In one case campaigners diverted visitors
seeking the Ku Klux Klan site to hatewatch.org instead; public
reaction is likely to be very different when someone tries to do the
opposite.

That day may come sooner rather than later, as new programs make it
easy for activists with little computer knowledge to enter systems or
crash a website. These newcomers have joined the original hackers:
highly skilled and ingenious programmers who share a distaste for
authority and belief in freedom of information. Some are malicious;
most see their hobby as a technical challenge; and increasingly, many
are investigating its political possibilities.

"People don't like the way the internet is increasingly
commercialised," says Paul Taylor, a sociologist at Salford University
who has written a book on hackers and is currently researching
hacktivism. "Comparisons are made with the land enclosure acts - who
owns common land? There are a lot of insidious ways in which corporate
power has increased and is pervading the whole social fabric. It's
happened within the structure of the internet; big corporations have
got an advantage over governments and their values are getting
incorporated into government policies."

Underlying tensions are coming to a head with the advent of new
legislation and information-gathering techniques. In Britain, the
Regulation of Investigatory Powers Act has given the police and
security services the power to collect internet data without a warrant
and to demand the keys to encrypted material. In the United States,
the FBI is seeking the right to capture all messages sent across the
internet with software called Carnivore. This would allow them to
trawl for emails containing particular words.

In both cases, the authorities insist that the measures are essential
to combat international crime and terrorism. But others worry that
they will be used to monitor and discourage legitimate political
activity and will ultimately ensure that only "acceptable" voices are
heard on the net. Hacktivists fear that politicians, often lacking
technical expertise, will be easily swayed by business.

"The prime minister of this country, by his own admission, gets most
of his information on the internet from his kids," says Paul Mobbs,
co-founder of the UK-based Electrohippies. "Politicians don't know the
first thing about it."

He fears that individuals may be driven off the net because they have
no rights to access. They are dependent on internet service providers
who, for commercial reasons, are likely to refuse to host material
that is controversial or which could attract expensive legal action
and who could block users requesting certain sites.

"E-commerce has driven the internet over the past few years. Anyone
who's not part of that is not supposed to be there," Mr Mobbs
complains. He acknowledges the damage that some hacktivists have
caused and accepts the need for policing. But he also says security
forces and businesses are scaremongering and believes that the RIP Act
and Terrorism Act are a dangerous combination.

"These new laws, rather than enabling free use of the internet by all,
are seeking to blur the distinction between public protest, crime and
terrorism in order to provide a 'safe environment' for corporations to
do their deals," he says. "The British government is seeking to define
a 'virtual corporate free state' where corporations can do business
free from public pressure."

What delights the protesters - but worries their opponents - is that
the internet acts as a magnifying glass for discontent. Individuals
using computers can wield power they could never command on the
street: it takes dozens, maybe hundreds, to occupy a building and
unveil a banner but only one to hack into a computer system and take
over a website. One person can bring down an e-commerce site,
disrupting or halting a firm's trading.

Oxblood Ruffin, of the respected hacker group Cult of the Dead Cow,
suggests that the versatility and technical knowhow of protesters
offers them a chance to redress imbalances of power in the real world:
"Hacktivism allows us to mount better arguments, rally unseen allies,
and take on any tyranny," writes Ruffin, who is based in Toronto. "It
shrinks any Goliath down to his true size. Usually puny.

"Where a large physical mass is the currency of protest on the street,
or at the ballot box, it is an irrelevance on the internet. Or more
correctly, it is not always necessary ... To think that it takes a lot
of people to execute an act of civil disobedience on the internet is
naive. Programs make a difference, not people."

For that reason, detractors argue that hacktivists are a classic
example of power without responsibility. But unlike the original
hackers many are happy to discuss their actions openly: Mr Mobbs
publishes his address and phone number on the web. The Electrohippies
informed the World Trade Organisation before launching an attack on
its website in November 1999, and ensured that their own site linked
to sites supportive as well as critical of the organisation.

They debate their tactics with passion and sophistication, citing
Aristotle, Thoreau and Lord Acton. Many, like the Electrohippies,
refuse to access other people's computer systems and regard denial of
service attacks as a last resort. Oxblood Ruffin goes further and
insists they are unforgivable: "Denial of service attacks are a
violation of the freedoms of expression and assembly," he insists.
"You do not make a better point in a public forum by shouting down
your opponent. Say something more intelligent or observe your
opponents' technology and leverage your assets against them in
creative and legal ways."

It seems inevitable that many of the protesters' tactics will be
outlawed. Dr Taylor agrees that some measures may be needed, but
suggests that we have overreacted, encouraged by security specialists
who have a clear commercial interest in playing up the threat to
worried businesses and who may mislead the public with their real
world analogies.

One firm described the Electrohippies as "terrorists" for their WTO
action. Yet the Electrohippies refuse to intrude into computer
systems. "I think we have really twisted values," says Dr Taylor. "In
the Kosovan war the Pentagon was scared of using cyber warfare in case
it was a war crime - but they bombed civilians. It seems to me that
it's quite skewed values by which 1,500 lives are less relevant than
the legal elements of cyber war. People talk about the Tamils sending
email bombs to the Sri Lankan government, but surely that's better
than real ones."

He predicts that a "cat and mouse" game will ensue as talented hackers
find new ways to protest every time governments ban an old tactic.
Oxblood Ruffin, one of the most technically advanced of the
hacktivists, is currently working on a complex program that could mark
the next significant stage in online activism: it focuses on giving
people a tool rather than criticising or disabling opponents.

Project X, which should be completed by next summer, will enable users
around the world to access websites normally blocked by their
governments - such as human rights sites - without attracting
attention. Ruffin, who has recruited leading underground programmers
to assist him, believes it could jump-start a new movement of
politically aware hackers.

"We are trying to keep the internet healthy. The hacking community has
been online the longest, outside the military and academia, and we
have something to say about how the internet develops."

Weapons of online warfare

Denial of service attack: One of the most popular methods of attacking
websites. Users run a program that makes thousands of requests for a
site simultaneously, slowing the speed at which the server fetches
pages or in some cases crashing the server totally so that the target
site - and others hosted there - cannot be accessed

Mail bombing: Inundating an email address with thousands of messages,
again slowing or even crashing the server. It inconveniences other
server users and prevents the targets finding genuine messages in
their inboxes

Defacing: Changing the information shown on another person's website.
It involves hacking into the target's computer system and is therefore
illegal

Hijacking: Redirecting anyone trying to visit a certain site
elsewhere. Again, it is illegal because it involves accessing the
target's computer system without their permission


Useful links:

Cult of the Dead Cow homepage
http://www.cultdeadcow.com

The electrohippie collective website
http://www.gn.apc.org/pmhp/ehippies/index.html

Electronic Disturbance Theatre
http://www.thing.net/~rdom/ecd/ecd.html

Hacktivism discussion list
http://hacktivism.tao.ca/

Internet security firm
http://www.idefense.com/

ISN is hosted by SecurityFocus.com