NATO 'Cyberwar' Manual Says Hacktivists Must Wear A Uniform

from the dressed-to-kill dept

Last year, Techdirt wrote about an interesting article suggesting that we should welcome "cyberwar" since it would be so much less painful than the ordinary kind. Of course, that begs the question what we actually mean by "cyberwar", since some forms are probably less humane than others. As we have pointed out, the use of the totally embarrassing "cyber" prefix is really just an excuse for more government controls and for security companies to get fat contracts implementing them.

Against that background, the following news from The Verge about an attempt to pin down what exactly "cyberwar" might be, is particularly interesting:

A landmark document created at the request of NATO has proposed a set of rules for how international cyberwarfare should be conducted. Written by 20 experts in conjunction with the International Committee of the Red Cross and the US Cyber Command, the Tallinn Manual on the International Law Applicable to Cyber Warfare analyzes the rules of conventional war and applies them to state-sponsored cyberattacks.

The Tallinn Manual on the International Law Applicable to Cyber Warfare is a fascinating, if rather dry read: it consists of 95 key statements or rules about "cyberwarfare", each followed by pages of academic argument about what that statement means, and why. Mostly, it's about transposing existing law on warfare into the online world, defining things like "sovereignty", "attack", "force", "proportionality" etc. But there's one area where old ideas don't help: that of "hacktivists", defined in the Manual as "A private citizen who on his or her own initiative engages in hacking for, inter alia, ideological, political, religious, or patriotic reasons."

That's because conventional war makes a distinction between combatants -- those fighting in regular armies -- and those who are "unprivileged belligerents". The difference is crucial: the former enjoy important rights, for example to be treated as prisoners of war if captured, whereas "unprivileged belligerents" do not. The distinction between the two groups is relatively obvious in traditional warfare, where combatants are organized and subject to clear command structures. Hacktivists, by contrast, may decide to defend their country by taking part in group attacks from their home or from a local café, say; the issue then becomes whether or not they are to be considered combatants with rights, or "unprivileged belligerents" without them.

The following section from the Tallinn Manual shows the experts floundering here -- and just how hard it is to come up with sensible rules for this "cyberwar" stuff:

Combatant status requires that the individual wear a 'fixed distinctive sign'. The requirement is generally met through the wearing of uniforms. There is no basis for deviating from this general requirement for those engaged in cyber operations. Some members of the International Group of Experts suggested that individuals engaged in cyber operations, regardless of circumstances such as distance from the area of operations or clear separation from the civilian population, must always comply with this requirement to enjoy combatant status.

So if you're ever tempted to engage in a little patriotic hacking into enemy computers, please don't forget to put on your uniform first...

Follow me @glynmoody on Twitter or identi.ca, and on Google+

Filed Under: cyberwar, hacking, hactivism, nato, rules, uniform

Hacktivism: Anonymous Breaches Australian ISP To Protests Data Retention

from the proving-a-point dept

Glyn Moody recently wrote about Australia reviving some troubling internet snooping policy, part of which includes an aggressive data retention policy for ISPs, in which they need to collect and maintain connection data from their users for up to two years. As Glyn notes, this policy mirrors what other nations throughout the world are attempting to put in as well, despite the serious pushback on security and privacy grounds from the technology community.

So perhaps it shouldn't be all that surprising when famed hacktivist group Anonymous decides to make the concerns a reality to prove a point. Slashdot points us to news that Anonymous has breached one Australian ISP, AAPT, and lifted some 40GB of data using an un-patched Adobe Cold Fusion exploit. As Australian site ITnews reports, this hack appears to be yet another attempt at activism by Anonymous:

"Anonymous had threatened earlier this week to release the data but was reportedly working to minimise potential harm to individual customers.The compromised data is suspected to be a 40 GB backup of an Adobe Cold Fusion database, accessed through a well-known vulnerability.

The threatened release of data appears to be in protest against Australia's proposed data retention regime, which would mandate ISPs to collect and hold transmission data from its users for up to two years.

One hacker told iTnews' sister publication SC Magazine that the data was stolen "to prove a lack of security at ISPs and telcos to properly protect the information" that would be stored under the Federal Government's data retention draft policies."

This is what happens when you ignore complaints by the very people who can bring about the unintended consequences of your unfortunate internet legislation. Pushing forward with data retention bills even as it is proven that customer data is accessable seems problematic. Perhaps Anonymous and other groups can use this as an ongoing example of why such retention policies are dangerous.

Filed Under: anonymous, australia, data retention, hactivism

EU Cybercrime Bill Targets Anonymous: Makes It A Criminal Offense To Conduct 'Cyber Attack'

from the seems-a-bit-broad dept

While we're still sorting through the crazy cybersecurity bill proposals in the US, it appears that some in the EU are going through a similar process. The EU Parliament's "Civil Liberties Committee" has approved a legislative proposal concerning "cyber attacks," which appears to ramp up criminal penalties for all sorts of broadly defined activities. It even applies criminal penalties to a company if an employee hacks into a competitor's database (even if they weren't told to do it). But where it gets scary is when it appears to directly target "hactivism" like what Anonymous does. While we still think Anonymous' DDoS attacks are incredibly counterproductive, are they really criminal?

The Committee's proposals would make it a criminal offence to conduct cyber attacks on computer systems. Individuals would face at least two years in jail if served with the maximum penalty for the offence.

A maximum penalty of at least five years in jail could apply if "aggravating circumstances" or "considerable damage ... financial costs or loss of financial data" occurred, the Parliament said in a statement.

One aggravating circumstance in which the heavier penalty could be levied is if an individual uses 'botnet' tools "specifically designed for large-scale attacks". Considerable damage may be said to have occurred through the disruption of system services, according to plans disclosed by the Parliament.

Even more ridiculous? Merely "possessing... hacking software and tools" could lead to criminal charges. Does that make everyone with a computer a criminal? This whole thing seems like a bad overreaction by politicians who are freaked out, but who clearly don't understand the technology in question.

Filed Under: anonymous, cybercrime, european union, hactivism

Hacktivist Judo: Musician Exploits New Spanish Law To Overwhelm System With Legitimate Infringement Complaints

from the you-want-infringement?-we'll-show-you-infringement dept

As Techdirt reported earlier this year, Spain's Sinde Law, designed to combat file sharing by blocking sites with allegedly infringing material, has an extremely complex history. It finally went into effect on 1 March, and was immediately met with a clever denial of service attack from a Spanish group with the self-explanatory name "Hackivistas". As TorrentFreak explains:

They encouraged sites to link to a copyrighted track from the artist Eme Navarro, who’s a member of the music rights group SGAE, but critical of the Sinde law.

While Navarro generally publishes his music under a Creative Commons license, he created an "all rights reserved" track specifically for the protest. Thanks to the hacktivist campaign hundreds of websites are now linking to this copyrighted song without permission, and Navarro reported a first batch of sites to the Ministry of Culture early this morning.

As a result, the commission tasked with reviewing all the requests will be overloaded with complaints. All the reported sites have to be processed on order of arrival, so the protest will significantly slow down this review process.

As well as gumming up the legal machinery for a while, this action is designed to obtain some much-needed details about how the Sinde Law will work in practice:

"Nobody knows how they will shut down websites. We suspect that they will ask Spanish companies hosting the websites to shut them down, and that Spanish service providers will block websites that are hosted outside of Spain."

This is pretty extraordinary. How can the Spanish government claim any legitimacy for a law that was not only brought in at the behest of a foreign power, but was rammed through the legislative process in such a way that those most affected by it -- the Spanish people -- still have no idea how it will be implemented?

Follow me @glynmoody on Twitter or identi.ca, and on Google+

Filed Under: copyright, denial of service, hactivism, sinde, spain

The End Of LulzSec Is Not The End Of Hactivism

from the don't-be-misled dept

Lots of news over the weekend concerning the surprise announcement that LulzSec -- the group of "hactivists-for-the-lulz" who were able to generate so much attention -- had announced plans to disband just a day or so after promising many more hacks. The speculation, of course, was that they realized that law enforcement might be closing in on some of them. The group, not surprisingly, denies all this and insists it always planned to call it quits about now anyway. I doubt this is true, but I don't think it really matters. I think the thing that people are underestimating is that LulzSec wasn't so much an "organization," as it was a group who got together in an ad hoc manner and decided to go on this hacking rampage. The point is that pretty much any group of decently skilled hackers could decide to do the same thing. Hell, the same group could decide to do the same thing under a different name. Between LulzSec, Anonymous and others, people are beginning to recognize that they can have a pretty big impact with some pretty straightforward hacks. That realization isn't going to go away any time soon.

Filed Under: hactivism, hactivists, lulzsec