What lessons should we learn from the Disqus security breach?
I did a news story this morning on Infosecurity Magazine: Disqus May Not Have Been Hacked; But It Was Certainly Exploited. As often happens, however, the implications and side issues are as interesting as the raw news.
A bunch of Swedish journalists belonging to ResearchGruppen (a group of politically motivated investigative journalists) working with the Swedish tabloid Expressen has downloaded something like 29 million comments from the Disqus service. In doing so, it also obtained the email addresses of otherwise anonymous commenters.
“You don’t need to trade in your identity for the ability to speak up. The freedom to express how you want is what lets you be truly authentic,” says the Disqus website. Anonymity is a key selling point – but here it was letting ResearchGruppen (and who knows who else) download the email addresses of its users. Those addresses were hashed with MD5; but with no mention of salting this is barely a delaying tactic.
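Why an unsalted MD5 of an email address is only a delaying tactic, as an added illustration that is not part of the original post: anyone holding the hashes can hash a list of candidate addresses and look each leaked value up, whereas a keyed hash (HMAC under a server-side secret) gives the service the same stable identifier but nothing a candidate list can resolve. The candidate addresses and the key are constructed for the example.

```python
import hashlib
import hmac

# Constructed candidate list: addresses an investigator might guess for a
# commenter (not real people). In practice such lists run to millions.
CANDIDATE_EMAILS = [
    "alice@example.com",
    "bob.smith@example.org",
    "anon1234@example.net",
]

def normalise(email: str) -> bytes:
    # Hash inputs are normalised the way most services do before hashing.
    return email.strip().lower().encode()

def md5_hex(email: str) -> str:
    """Unsalted MD5 of the address, the scheme the post describes."""
    return hashlib.md5(normalise(email)).hexdigest()

def keyed_hex(email: str, site_key: bytes) -> str:
    """HMAC-SHA256 under a server-side secret: still a stable per-user
    identifier for the service, but unguessable without the key."""
    return hmac.new(site_key, normalise(email), "sha256").hexdigest()

def recover(leaked, candidates, hash_fn):
    """Map leaked identifiers back to addresses by hashing every candidate
    once and looking each leaked value up. One hash per candidate, then a
    dictionary lookup per leaked value: this is why unsalted MD5 only
    delays an attacker rather than stopping one."""
    table = {hash_fn(c): c for c in candidates}
    return {h: table[h] for h in leaked if h in table}

def exposure(leaked, candidates, hash_fn):
    """Fraction of leaked identifiers a holder of this candidate list would
    resolve; a defender's way to size the damage of such a leak."""
    if not leaked:
        return 0.0
    return len(recover(leaked, candidates, hash_fn)) / len(leaked)
```

With the real key the service can still recognise a returning address, but a guessed key resolves nothing, so the leak exposes no identities.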
Whatever way you look at it, this was a serious breach of security. It allowed politically motivated researchers to discover the real identity behind some rather inflammatory ‘anonymous’ posts.
But it wasn’t a hack – at least not in the traditional sense. ResearchGruppen did not have to break in and steal the email addresses. The group simply queried the Disqus API and obtained the details. To save time, they used a script to automate their enquiries, running ten enquiries simultaneously. (You have to wonder why the Disqus sys admins didn’t pick up on these queries – to obtain 29 million at 100 per throw would have required 290,000 API calls.)
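What the Disqus operators could have noticed, as an added example that is not part of the original post or of any Disqus tooling: a pass over API access logs that flags a client by two signals the text describes, many calls landing in the same second (parallel enquiries) and a cumulative row count far beyond ordinary use (29 million rows at 100 per call is 290,000 calls). The log format, client keys and endpoint path are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed log line format: timestamp, client key, method, path, page size,
# rows returned. Real API logs differ, but carry the same fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) key=(?P<key>\S+) \S+ \S+ limit=(?P<limit>\d+) returned=(?P<ret>\d+)$"
)

def make_sample_log():
    """Constructed log: one ordinary client and one bulk collector."""
    lines = []
    for m in range(5):  # ordinary client: a page of 25 every few minutes
        lines.append(f"2013-10-16T09:{m * 3:02d}:00Z key=app_legit GET "
                     f"/api/comments/list limit=25 returned=25")
    for s in range(30):  # collector: ten parallel calls per second, 100 rows each
        for _ in range(10):
            lines.append(f"2013-10-16T09:00:{s:02d}Z key=app_bulk GET "
                         f"/api/comments/list limit=100 returned=100")
    return lines

def analyse(lines, max_parallel=4, max_rows=5000):
    """Return {client_key: [reasons]} for clients that look like bulk
    collectors. max_parallel is the most calls tolerated in one second;
    max_rows is the most rows a client may harvest over the whole log
    (a cumulative limit also catches a slow, polite collector)."""
    stats = defaultdict(lambda: {"calls": 0, "rows": 0, "per_second": defaultdict(int)})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not counted
        s = stats[m["key"]]
        s["calls"] += 1
        s["rows"] += int(m["ret"])
        s["per_second"][m["ts"]] += 1
    flagged = {}
    for key, s in stats.items():
        peak = max(s["per_second"].values())
        reasons = []
        if peak > max_parallel:
            reasons.append(f"{peak} calls in one second")
        if s["rows"] > max_rows:
            reasons.append(f"{s['rows']} rows harvested in {s['calls']} calls")
        if reasons:
            flagged[key] = reasons
    return flagged
```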
The real issue in this episode is whether ResearchGruppen’s actions were illegal, and whether they should or should not have been illegal. Probing computers is, after all, the standard method used by security researchers to find flaws and improve internet security for everyone.
US Computer Fraud and Abuse Act
There can be little doubt that ResearchGruppen has broken the US Computer Fraud and Abuse Act (CFAA). Just ask ‘weev’. In 2010 he queried the AT&T system in a similar manner and obtained the email addresses of early iPad adopters. He was prosecuted under the Computer Fraud and Abuse Act, and sent to prison for his pains.
Disqus is a US company with offices in San Francisco and New York. The US is not backward in demanding the extradition of foreigners who have broken its laws even if they have never set foot in America. Frankly, if I were a member of ResearchGruppen – especially given the close relationship between Sweden and the US – I’d be lawyering up or disappearing as fast as possible.
But, and it’s potentially a big but, US lawmakers and public are concerned that the Computer Fraud and Abuse Act allows law enforcement overreach. Ever since its use was implicated in the suicide of internet activist Aaron Swartz, it has been under scrutiny; and there are attempts to rein in its excesses.
However, while the US is thinking about softening the CFAA, European lawmakers have been busy creating Europe’s own somewhat draconian CFAA look-alike. In early July this year the European Parliament approved the draft ‘attacks against information systems’ Directive, with 541 votes in favour, 91 against, and 9 abstentions. This is what Green MEP Jan Philipp Albrecht said about it:
“Significantly, the legislation fails to recognise the important role played by ‘white hat hackers’ in identifying weaknesses in the internet’s immune system, with a view to strengthening security. This will result in cases against these individuals, who pose no real security threat and play an important role in strengthening the internet, whilst failing to properly deal with real cyber criminals. The result will leave hardware and software manufacturers wholly responsible for product defects and security threats, with no incentive to invest in safer systems.
“MEPs had initially supported a number of Green proposals aimed at ensuring this legislation can contribute to internet security, and is not simply an ineffective law to punish unauthorised log-ons to open servers. However, most positive elements were frittered away in the legislative negotiations, due to the resistance of EU governments. The result is a heavy-handed and misdirected law that will do little to improve internet security.”
So, while the European Parliament initially wanted to recognise and defend the role of security researchers, national European governments do not. They now have until July 2015 to transpose the Directive into national laws – after which time, security ‘research’ of the sort undertaken by ResearchGruppen will be clearly illegal throughout the European Union, just as it is in the US.
Implications for the future of independent security research
I personally would not call the members of ResearchGruppen either white hat hackers or security researchers. I believe they were politically motivated and intent on embarrassing the far-right. However, it would be ridiculous to have rules saying you can only do this if your motives are acceptable – and it looks like Europe is coming down on the same side as America: you can’t do it, period.
This will have a sad effect on security research. Consider the current rash of cross-site scripting vulnerabilities. Many are found and reported by researchers, and quickly fixed by websites. Many others are found and exploited by hackers before they can be fixed by the websites. In the future, the researchers may become reluctant to put themselves at risk of imprisonment, so that the only people looking for, and finding, these flaws will be the criminals wishing to exploit them.
ResearchGruppen may not have done what it did for the purest of motives, but nevertheless it has found a flaw that will be rectified by Disqus. The result is a more secure internet. In the future we may find that the ResearchGruppens and more genuinely white hat hackers will fade away. The internet will become a darker and more dangerous place because of it.
See also: ResearchGruppen, the Disqus ruckus and the moral issues involved, which discusses Martin Fredriksson’s response to this post.
You might also be interested in a new article: Disqus breach + IRS theft = fraudulently obtained credit reports and political coercion in Sweden