Hacking

Guest Post: Laurie Love’s Asperger Syndrome

I don’t have Asperger’s as far as I know (which is in the spectrum of Autism) but a friend of mine gave me their article to share. They’d prefer to stay anonymous. I really like the topic and it brings up some great points on the UK case around hacker Laurie Love, who may be extradited to the US. It’s of interest especially for the IT industry that contains many people with Asperger Syndrome, so here are their thoughts on the situation:

By Anonymous:

I have Asperger’s. However, I don’t hack the US government infrastructure looking for little green men and such.  Laurie Love is claiming that he shouldn’t be extradited to the United States due to his mental status and partly because he has Asperger’s syndrome.

In the case I find myself truly torn. On the one hand I have no love for the US government, their treatment of whistle-blowers such as Manning, Snowden et al. I fully support the work of the ACLU, EFF and other privacy groups.  I also support the rule of law.

However the computer world now finds itself in somewhat of a “McKinnon II” situation where Mr Love is concerned. Each time this scenario crops up it makes us Aspies look that little bit weirder and therefore having to work that bit harder to not be tarred with the same brush that is used by most uninformed media outlets.

Whilst it is completely understandable that Love wouldn’t want to be sent to the US to stand trial with what most people would see as an extremely one-sided justice system with excessive sentencing in a much maligned prison system, he does a disservice to other Asperger’s sufferers and people with mental illness by using it as a means to avoid what many now see as an inevitable trial in the US.

Let me set the record straight about Asperger’s from a first hand point of view.

Most critically, on a macro scale we (people with Asperger’s) know right from wrong. Sure, we can be a bit more curious than perhaps we should be occasionally but we have the capacity to understand that actions have consequences.

When was the last time you heard someone plead not guilty to GBH because they had Asperger’s? Just because it’s seen by his supporters as a victimless crime does not mean it isn’t a crime. Admittedly the GBH scenario is extremely unlikely in an Aspie world because we tend to not be inclined to violence or even much toward social interaction!

We are however programmed to ask why. We take things apart, we fiddle with them and such but to go breaking into military computers invites a world of hurt.

We (Aspies) are not where or how people but Why. Why does this thing “x” work the way it does? We need to find out! We can’t just leave it. This may go some way as to explaining why Love did what he did.

Laurie Love undoubtedly knew that trying to hack the military computers of a super power state was not a wise move and it would have dire consequences if he were to be caught. Although I may not agree with the US sentence put forward, the methods used or some aspects of the prosecution I believe that the US have a reasonable right to extradite him. He (allegedly) broke the law and not in a trivial way.

To now turn around and claim, as his father has, that his son isn’t prepared to go to the US to face charges under any circumstances smacks of blind arrogance. His father, a prison chaplain, claims that he sees people with such illness commit suicide.

As a group, people affected with Asperger’s do tend to look on the negative side of things and have a slightly higher risk profile than the general populace. His family portray him as a suicide risk. Anybody who faced ninety-nine years in the US federal prison would be the same I suspect, Asperger’s or no Asperger’s.

Most people would have the same mind-set given the situation. The human mind is trained to look for solutions to problems and suicide or taking yourself out of the situation is one solution to a (usually temporary) problem.

The presiding judge, Judge Tempia addressed this issue by noting that she was suitably assured that the US could provide for the medical needs of Love. I do however disagree with the stance that he should be held in solitary. I along with most believe this to equate to a cruel and unusual punishment.

If you want to see the US in action just look at the treatment of Kevin Mitnick. “He could launch missiles by whistling down a phone,” the less IT-inclined people repeated in ignorance.

I personally have gotten inquisitive about a site or two that I was asked to provide extremely confidential information to on behalf of another party.  I did some digging with information that was absolutely public domain, if you knew how to use the tools correctly. I stopped before I crossed the line.

There are however alternatives to this US/UK stalemate including a prosecution by the NCA or secondly serving his sentence in the UK. Love obviously would prefer the whole thing to go away. Being prosecuted by the British Government removes the whole question of going to the US to stand trial, the jail, the lengthy sentence. It negates almost all the issues raised by the Love team.

More importantly at a personal level it means the presence of Asperger’s becomes moot in terms of it becoming a get out of jail free card. He could use it in court but at the same time he gets a trial and can be cross-examined on the role of Asperger’s in his situation.

Essentially it somewhat mutes that entire line of questioning. Getting the US to agree to such a deal in a high profile case, however, would not be an easy battle.

No matter which side wins or how it unfolds, it does people with Asperger’s no favours. The whole McKinnon/Love scenario makes us as a group look rather pathetic and unwilling to face the results of our actions.

In reality we are highly motivated, intelligent and we are an asset rather than a liability (Just ask GCHQ. There are more than a few of us that work there!). We as a group don’t all go round breaking into computers then using Asperger’s as a mechanism to try and avoid the long arm of the law.

Only time will tell the real outcome but Love needs to grow up and face up to his actions and not blame it on the condition.

People Don’t Care About Security

Someone dumped hundreds of Dropbox usernames and passwords today, with the claim that they are just a small sample of the 7 million hacked accounts. One of the pastebins with this information is located here http://pastebin.com/Ntgwpf containing the following intro:

Dropbox Hack third Teaser.

Here is another batch of Hacked Dropbox accounts from the massive hack of 7,000,000 accounts
To see plenty more, just search on pastebin for the term Dropbox hack.

According to Dropbox, most of the credentials shared so far (roughly 400) don’t actually work. Dropbox are also saying they weren’t hacked, but an unrelated service had these credentials stolen instead. That’s actually very likely, but Dropbox themselves don’t have the best track record. In 2012, they were hacked when someone used credentials of Dropbox staff members to gain access. Maybe this has happened again, but you’d hope that they forced two-factor authentication onto their staff members, rather than making it optional for outside users of their service.

Looking back further to 2011, Dropbox was under heat about their security practices and ability to actually protect data. It was reading that news that first made me very concerned about the company Dropbox, and their ability to protect documents.

Jumping forward to 2013, it was then shown that the two-factor authentication could be reverse engineered, yet again pointing out Dropbox’s insecurities. This one required access to the victim’s Dropbox client, and if they’ve gotten that far the victim is in a world of trouble anyway, so not as scary as previous incidents, but not ideal.

Despite this, Dropbox has over 200 million users. It would be an article in itself to see how they got to this stage, but the two main reasons are: They were free, and simple to use. Security is not a consideration for most people, and the general idea that a well known corporate entity should know what they’re doing is more than enough assurance for the general user of their services. The latest breach, regardless of who was at fault, will not see a mass exodus of users from their service.

I believe this comes down to the lack of caring from people. Most out there wouldn’t know that Dropbox ever had an issue. They probably started using it when someone shared a file with them, and seeing how easy it was, they used it to share another file. It is easy, and that’s really all that matters (the free part matters greatly, but really adds to the ‘easy’ label). Dropbox gets used in businesses all the time, by people who just need to get work done. The chance that someone else might read a confidential document doesn’t even cross their minds – they’ve emailed things around for years, so why not upload a document and share it with one person?

For most people reading this, I’ve probably just stated the obvious. My point on this though, is that the mindset of people won’t change anytime soon, possibly ever… so you shouldn’t expect it to. Anyone who had a Playstation 3 account in 2011 lost their credentials due to a hacker, but the PS4 is the best selling console of the current generation. Xbox 360/Wii didn’t have this, but people just don’t care about their personal information enough to actually *not* get something they want.

If people found out that the government was actually recording every single phone call made, people would be up in arms. But along with that, would be everyone else still using their phones and not caring. You can be walking down the street and hear someone read out their credit card number over the phone for the same reason.

What is the solution to this lack of caring? For a business, it’s generally enforcing rules. Strong password requirements, RSA tokens, lock down of settings and USB devices on computers – whatever the business can justify to itself to protect its own data. In the consumer world though, nobody else is going to protect the consumer’s data without a financial reason to do so. Should a company like Dropbox force two-factor authentication upon all their users? If they’d done this from the start, would they be as successful as they are now, or would everyone have signed up to another service that just used a username and password – easier to use?

So, in the consumer space all we have to work with is education. “Don’t use the same password for everything you do” is a simple tip, but again do people actually care enough to follow? Usually not – so something has to change. Maybe it will be government legislation around security and user requirements for services, and put the onus on the companies providing the services to meet these requirements.

Feel free to comment if you disagree or have an amazing solution, and we’ll go halves in selling it to the world. For me, I’m just going to use a fake name and password for everything I do, and add an extra layer to the tin foil hat.

Signing Out,

Mr X