Has Anonymous hacked an Aussie ISP?


blog A number of technology media outlets yesterday reported they had spoken to a member of the Anonymous collective of Internet activists, who stated that they had broken into a major Australian ISP and were preparing to release a vast package of internal data to prove that the Federal Government’s surveillance and data retention plans weren’t secure. You can find solid articles on this subject, for example, at SC Magazine and The Register. El Reg reports:

“Anonymous is preparing to reveal 40GB of data its members say came from an Australian internet service provider (ISP) and contains “600k+” of customer data.”

At Delimiter, we’ve been hearing rumours for a few weeks of this kind of security breach as well, but we haven’t yet seen any hard evidence of it. In general, while the antics of Anonymous can often be quite amusing, it’s hard to support this kind of behaviour in this instance. The Federal Government’s surveillance and data retention reform proposal may be a highly concerning package, but that doesn’t mean we should break the law to oppose it; Anonymous’ actions will likely only strengthen the case for the package to be passed by Federal Parliament.

In opposing this kind of draconian Internet monitoring and control legislation, rational words and reason should be enough; after all, that’s what has seen Labor’s mandatory filter package largely knocked back. There’s no reason that the same approach can’t be taken with the package of surveillance legislation currently being proposed.

Image credit: Vincent Diamante, Creative Commons

24 COMMENTS

  1. This is to show that the ISPs are not adequately able to ensure that the information they are required to store will be safe. I have a problem with my information being stored by a company who could be hacked in this manner and the data posted. It is a good illustration, I think, that this policy is flawed; and if it takes a hack to make people take notice then good luck to them.

    • @Clint

      “I have a problem with my information being stored by a company who could be hacked in this manner and the data posted.”

      Ever used Google? Facebook? Yahoo? What about Online Banking? eBay?

      All these are exactly the same. Many HAVE been hacked. Multiple times.

      Why is this argument always made in respect to the ISPs holding data that, certainly in the case of Online Financial transactions, is arguably much LESS a breach of privacy?

      If you don’t agree with it, fine, but this argument doesn’t make any sense unless you don’t use ANY of these things on the internet.

  2. What’s the bet it’s Telstra, as we have seen in the past they aren’t exactly switched on when it comes to security.

  3. I’m with Renai here, I strongly believe that this is likely to just give a massive boost to the surveillance legislation. If anything it’s basically just put foot-in-mouth of anyone who was standing against the policy.

    =(

  4. ‘Unconfirmed but it appears to be AAPT’

    I thought they said a ‘major’ ISP…

    AAPT is major?

    Really?

  5. I seem to remember the leaking of part of the proposed mandatory filter list being a pretty important factor in building public opposition, so I wouldn’t say it was defeated (or more likely delayed) by rational debate alone. Unfortunately it seems like leaks of this nature are sometimes required to cut through the weasel words and give people a concrete view of what is really at stake.

  6. Don’t these companies do penetration testing? Nearly every Anonymous hack I’ve read about that included details of their entry vectors demonstrated fundamental, often amateurish mistakes had been made with security. To be perfectly honest, Anonymous are providing a public service demonstrating how rudimentary it is to gain access to websites and databases that are meant to be secure, and yet only the vaguest effort has been made with security. Sorry, but I have zero sympathy for companies who cut corners with IT security & IMO criminal charges should be brought to bear against THEM for risking (& losing) their customers’ private & confidential data.

  7. There is really something suspect here, I can understand why Anonymous would have done the hack (to protest against the government proposed data retention policy and show how easy it would be to get said data), but actually releasing the data publicly and causing individual harm against AAPT’s customers and not the government seems to go against their mandate.

  8. I’m getting quite frustrated at this whole thing.

    Anonymous, as Renai has said, in the past has essentially done things in good fun, or to point out security flaws as a matter of course. This reeks of rank abuse of the power they have gained through their workings.

    If you disagree with these changes in law, you have every right and there are lawful, legal and ethically correct ways to make your opinion known. Anonymous’ “leaking” of hacked ISP data just proves the need for these sorts of laws in this instance.

    I don’t agree with most people in that I would like to see some of these proposed changes enacted, in an open and transparent manner. However, I would not hack a medical database and release names of AIDS patients, highly confidential and life changing information, to prove my point when no one could catch me. That is rank abuse of process. Not highly different from Anonymous’ approach here.

    • I haven’t actually seen the alleged data, so I can’t comment on the sensitivity or potential damage from the release, but you’re right in that releasing data exposing individual customer data goes completely against their ethos, assuming that exposure could be seriously damaging. If it’s merely inconvenient, I can absolutely see why they would release it – because without it the hack has very little impact, but by affecting tens of thousands of people you generate a groundswell of outrage they hope to redirect at the government & make opposition to the proposals mainstream.

  9. Anonymous is a prime example of ‘self-important moral outrage’ — it seeks to expose, to show weakness, and it will happily trample on individuals for the common good.

    It’s nothing to expose private details, because the end always justifies the means.

    Right?

    And “don’t people test” is the same as asking “don’t you always have every possible thing required for every conceived eventuality on your person?” I mean I carry an entire warehouse with me, just in case, don’t you?

    Resources, money are finite; flaws will always exist. There are limits.

    Welcome to the real world. :)

    • And “don’t people test” is the same as asking “don’t you always have every possible thing required for every conceived eventuality on your person?”

      Don’t be obtuse. If you’re paying people to create websites and databases you can pay for them (or someone suitably qualified) to lock down all your exposed entry points & perform penetration testing. If you want to make comparisons, that’s like expecting a software vendor to test their product before they ship it out to stores – about the bare minimum. I’m not talking over-engineering to cope with a foreign cyber-military attack, I’m talking about basic best practice that every business in charge of customer data must undertake (and believe me, if they are found to be in breach of the Australian Privacy Act relating to protection of retained data they will face criminal charges).

      As for the ‘cost’ of exposing data about individuals, it really depends on the data exposed as to the cost or impact it will have. If the information released includes their name, address and phone number, then yes I consider the release to be quite acceptable as a strategy to bring greater exposure to the issue and thus greater pressure against the proposed legislative changes. However, if the release includes detailed information such as financial records or data that can be used for identity theft, then that recklessly endangers those people and is thus unacceptable.

    • Lol….not being mean, but do you read ANY tech websites ;D

      It’s been plastered across Gizmodo, ZDNet and Delimiter for 2 days…..

      • I was actually responding to Matthew’s post above mine and that was exactly my point, it is plastered all over every other tech news site and is pretty well the only major hack at the moment. And is actually what the article we’re all responding to is about too.

        Next time I’ll use a /sarcasm tag for you :)
