After spending a few hours looking through the data obtained by Anonymous and published on pastebin (you can find it by reviewing the @YourAnonNews account on Twitter) during the #LulzXmas action, I became concerned about the privacy of all the people whose data is now flying around the internet.
It's obvious to me that if someone had to get their hands on data like this, held by Stratfor (I really can't find a better word than complete idiots to call them), the Anonymous group is the best option (it doesn't really matter whether it was Anonymous, LulzSec or AntiSec; their methods are very similar). At least they talk and spread the news around instead of using the data. If it had been someone else, I bet it would have taken a really long time for Stratfor's "specialists" (have they ever heard of a thing called data encryption?) to find out what had happened, and by then a really large amount of money would have been gone from their clients' accounts.
Looking at their Facebook fan page (yes, the best, safest and most privacy-friendly service for spreading this kind of news), I lost all hope of them telling their clients what really happened and what they should do to protect their privacy and money (just look at this). After looking at two more archives published by Anonymous from other companies, I thought about an open source software/script/service that would allow sending an anonymous email informing people about a leak, the current situation, and the steps that should be taken to improve the privacy and safety of the clients/users hit by the leak and to get their current and future situation straight.
When I talked about my idea on the #telecomix IRC channel, RYU raised the point that people won't appreciate it. Some of them will send back thanks, but most won't even care, or will tell me to fuck off and accuse me of stealing the data. IMO this isn't the important part. First we need to give those users complete information on fixing their privacy issues; what they do with that information doesn't matter much to me, it's their conscious choice.
Another important point was raised by mlowdi, who said that by doing this we can at least try to "push corporations towards owning up and actually admitting their mistakes… which we'd all like". And that's it…
So what now? Today I'm going to build at least a prototype of such a script, then try to turn it into a reusable app, and finally provide a complete online service enabling anyone to scan archives found on the internet for email addresses, modify the default template of the notification message, and finally send it anonymously to all users/customers hit by the data leak.
The biggest problem for me seems to be finding a good way to keep the sender anonymous. If you know of any service or way to achieve that, any help would be much appreciated (it will save me a lot of research time). Soon I'll post links here to the repository with a prototype and the next stages of this app, but for now I want more feedback on the idea, so if you can, please share.
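As an added illustration of the scan-and-template steps described above (this is example code written for this edit, not the author's anonmailleakinfo code; the sample rows, column names, the `$email`/`$source`/`$date`/`$kinds` placeholders and the notice wording are all constructed), the following Python sketch extracts unique addresses from a text dump, drops role mailboxes that no human reads, and renders one notice per recipient. Sending, and the anonymity layer the post asks about, are deliberately left out.

```python
"""Leak-notification prototype: scan a text dump for e-mail addresses,
deduplicate them, and render a notice for each recipient.

Added example for this post; not the project's own code. Delivery and the
sender-anonymity layer are out of scope here.
"""
import re
from string import Template
from typing import Dict, List

# Pragmatic address pattern for triage; this is not RFC 5322 validation.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Mailboxes that are never read by the person the leak concerns.
ROLE_LOCALS = {"noreply", "no-reply", "postmaster", "mailer-daemon", "abuse"}

# Constructed sample rows standing in for a leaked customer export
# (fake names, reserved example domains, a masked card field).
SAMPLE_DUMP = """id,name,email,phone,card
1,Alice Example,alice@example.com,+1-555-0100,4111-XXXX-XXXX-1111
2,Bob Example,Bob@Example.org,+1-555-0101,
3,Alice again,ALICE@example.com,,
contact: noreply@example.net (mailing list)
broken@,@nodomain,not-an-email
"""

# string.Template, not str.format: the post lets users edit the template,
# and str.format on an untrusted template allows attribute access such as
# "{email.__class__}". Template only substitutes the named $placeholders.
DEFAULT_TEMPLATE = Template(
    "Your address $email appears in a data set published on $date that is "
    "claimed to come from $source. The set contains $kinds. Recommended "
    "steps: change the password you used there (and anywhere you reused "
    "it), review your card statements, and consider asking your bank for a "
    "replacement card."
)


def extract_emails(text: str) -> List[str]:
    """Return the unique addresses found in text, lower-cased and sorted.

    Lower-casing the whole address collapses case variants of one mailbox,
    which matches what mainstream providers do; a rare case-sensitive
    local part would be misaddressed, and that trade-off is accepted here.
    """
    found = {m.group(0).lower() for m in EMAIL_RE.finditer(text)}
    return sorted(found)


def is_role_address(addr: str) -> bool:
    """True for postmaster-style addresses that should not be notified."""
    return addr.split("@", 1)[0] in ROLE_LOCALS


def recipients(text: str) -> List[str]:
    """Addresses worth notifying: unique, with role mailboxes removed."""
    return [a for a in extract_emails(text) if not is_role_address(a)]


def render_notice(email: str, source: str, date: str, kinds: str,
                  template: Template = DEFAULT_TEMPLATE) -> str:
    """Fill the template. Only the recipient's own address is echoed back;
    no other field from the leaked record is copied into the message."""
    return template.substitute(email=email, source=source, date=date,
                               kinds=kinds)


def build_notices(dump_text: str, source: str, date: str,
                  kinds: str) -> Dict[str, str]:
    """Map each recipient address to its rendered notice."""
    return {addr: render_notice(addr, source, date, kinds)
            for addr in recipients(dump_text)}


if __name__ == "__main__":
    notices = build_notices(SAMPLE_DUMP, "ExampleCorp", "2011-12-25",
                            "e-mail addresses, phone numbers and card numbers")
    for addr, body in notices.items():
        print(f"--- {addr}\n{body}\n")
```

The notice intentionally describes what kinds of data were exposed rather than quoting the recipient's own leaked record; re-sending someone their card number or phone number over plain e-mail would spread the leak further, not contain it. Archives in practice are zip or tar files of mixed CSV, SQL and HTML; feeding each member's decoded text through `extract_emails` is the obvious extension.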
Not everything Anonymous does is bad (and I don't think the bad part is even a big share of their activity); they are crackers and they do their part well. IMO it is the hacktivists' responsibility to take part in that process and help users improve their privacy.
P.S. If you want to know more about what can be found in the data leaked from Stratfor, there is a good summary called "Identity Finder Releases Detailed Analysis of Personal Information 'Anonymous' Attack on Stratfor".
UPDATE
If you think any part of this post needs clarification, please ask in the comments; I'll be glad to elaborate. Because of the discussion that started after I posted a link to this post on the Telecomix channel, I'm holding back and waiting for more feedback before I start implementing it.
2nd UPDATE
marcink also told me that there is a need to clarify why Stratfor is the one at fault here. To do that, I'll quote some stats from the Identity Finder Team Blog:
- 50,277 Unique Credit Card Numbers, of which 9,651 are NOT expired. Note: Many credit cards are re-issued, and many credit card processors do not check the expiration date. Consequently, more than 9,651 credit card holders may still be at risk.
- 86,594 Email addresses, of which 47,680 are unique.
- 27,537 Phone Numbers, of which 25,680 are unique.
- 44,188 Encrypted Passwords, of which roughly 50% could be easily cracked.
- 73.7% of decrypted passwords were weak
- 21.7% of decrypted passwords were medium strength
- 4.6% of decrypted passwords were strong
- Average decrypted password length: 7.1 Characters.
- 10% of decrypted passwords were less than 5 characters long.
- Only 4.8% of decrypted passwords were 10+ characters long.
- Presumably the remaining non-decrypted passwords were stronger than the decrypted subset.
- 13,973 of the addresses belonged to United States victims; the remainder belonged to individuals from around the world.
And all this credit card data was NOT encrypted and can easily be used to set up a PayPal account with a connected credit card. Just because the so-called security specialists at Stratfor didn't care about data encryption, a group of crackers looking for some email addresses found the key to Stratfor clients' money. I hope I'm not the only one who thinks that Stratfor should take full responsibility for this and be punished. They really are the ones who should be sued by the customers.
3rd UPDATE
So there is now a project page for anonmailleakinfo in my personal Redmine.