What lessons should we learn from the Disqus security breach?
I did a news story this morning on Infosecurity Magazine: Disqus May Not Have Been Hacked; But It Was Certainly Exploited. As often happens, however, the implications and side issues are often as interesting as the raw news.
How Disqus describes itself
Background
A bunch of Swedish journalists belonging to ResearchGruppen (a group of politically motivated investigative journalists) working with the Swedish tabloid Expressen has downloaded something like 29 million comments from the Disqus service. In doing so, it also obtained the email addresses of otherwise anonymous commenters.
“You don’t need to trade in your identity for the ability to speak up. The freedom to express how you want is what lets you be truly authentic,” says the Disqus website. Anonymity is a key selling point – but here it was letting ResearchGruppen (and who knows who else) download the email addresses of its users. Those addresses were hashed with MD5; but with no mention of salting this is barely a delaying tactic.
Whatever way you look at it, this was a serious breach of security. It allowed politically motivated researchers to discover the real identity behind some rather inflammatory ‘anonymous’ posts.
The issue
But it wasn’t a hack – at least not in the traditional sense. ResearchGruppen did not have to break in and steal the email addresses. The group simply queried the Disqus API and obtained the details. To save time, they used a script to automate their enquiries, running ten enquiries simultaneously. (You have to wonder why the Disqus sys admins didn’t pick up on these queries – to obtain 29 million at 100 per throw would have required 290,000 API calls.)
The real issue in this episode is whether ResearchGruppen’s actions were illegal, and whether they should or should not have been illegal. Probing computers is, after all, the standard method used by security researchers to find flaws and improve internet security for everyone.
US Computer Fraud and Abuse Act
There can be little doubt that ResearchGruppen has broken the US Computer Fraud and Abuse Act (CFAA). Just ask ‘weev’. In 2010 he queried the AT&T system in a similar manner and obtained the email addresses of early iPad adopters. He was prosecuted under the Computer Fraud and Abuse Act, and sent to prison for his pains.
Andrew Auernheimer: in prison, but still tweeting…
Disqus is a US company with offices in San Francisco and New York. The US is not backward in demanding the extradition of foreigners who have broken their laws even if they have never set foot in America. Frankly, if I was a member of ResearchGruppen – especially given the close relationship between Sweden and the US – I’d be lawyering up or disappearing as fast as possible.
But, and it’s potentially a big but, US lawmakers and public are concerned that the Computer Fraud and Abuse Act allows law enforcement overreach. Ever since its use was implicated in the suicide of internet activist Aaron Swartz, it has been under scrutiny; and there are attempts to rein in its excesses.
Jan Philipp Albrecht – Green MEP and one of Europe’s good guys
In Europe
However, while the US is thinking about softening the CFAA, European lawmakers have been busy creating Europe’s own somewhat draconian CFAA look-alike. Early July this year the European Parliament approved the draft ‘attacks against information systems’ Directive, with 541 votes in favour, 91 against, and 9 abstentions. This is what Green MEP Jan Philipp Albrecht said about it:
Significantly, the legislation fails to recognise the important role played by ‘white hat hackers’ in identifying weaknesses in the internet’s immune system, with a view to strengthening security. This will result in cases against these individuals, who pose no real security threat and play an important role in strengthening the internet, whilst failing to properly deal with real cyber criminals. The result will leave hardware and software manufacturers wholly responsible for product defects and security threats, with no incentive to invest in safer systems.
“MEPs had initially supported a number of Green proposals aimed at ensuring this legislation can contribute to internet security, and is not simply an ineffective law to punish unauthorised log-ons to open servers. However, most positive elements were frittered away in the legislative negotiations, due to the resistance of EU governments. The result is a heavy-handed and misdirected law that will do little to improve internet security.
So, while the European Parliament initially wanted to recognise and defend the role of security researchers, national European governments do not. They now have until July 2015 to transpose the Directive into national laws – after which time, security ‘research’ of the sort undertaken by ResearchGruppen will be clearly illegal throughout the European Union, just as it is in the US.
Implications for the future of independent security research
I personally would not call the members of ResearchGruppen either white hat hackers or security researchers. I believe they were politically motivated and intent on embarrassing the far-right. However, it would be ridiculous to have rules saying you can only do this if your motives are acceptable – and it looks like Europe is coming down on the same side as America: you can’t do it, period.
This will have a sad effect on security research. Consider the current rash of cross-site scripting vulnerabilities. Many are found and reported by researchers, and quickly fixed by websites. Many others are found and exploited by hackers before they can be fixed by the websites. In the future, the researchers may become reluctant to put themselves at risk of imprisonment – leaving the only people looking for, and finding, these flaws will be the criminals wishing to exploit them.
ResearchGruppen may not have done what it did for the purest of motives, but nevertheless it has found a flaw that will be rectified by Disqus. The result is a more secure internet. In the future we may find that the ResearchGruppens and more genuinely white hat hackers will fade away. The internet will become a darker and more dangerous place because of it.
see also: ResearchGruppen, the Disqus ruckus and the moral issues involved; which discusses Martin Fredriksson’s response to this post.
You might also be interested in a new article: Disqus breach + IRS theft = fraudulently obtained credit reports and political coercion in Sweden
Kevin Townsend 
I was wondering about the security of personal information at Disqus. My search led me to your blog. It is interesting that Bonnier Publishing Group allowed one of its member publications to participate in this fear-mongering. Researchgruppen refers to itself as “the Swedish Stasi” and judging by their behaviour their aim appears to be absolute control of the social\political narrative. Researchgruppen are thuggs who use terror & fear to silence those who oppose them. Researchgruppen is a terrorist organization.
Unless an outright criminal act has been committed, there is no reason or excuse for disturbing someone’s peace & privacy. Saying or writing rude, crude, unacceptable things is bad manners and offensive. The Researchgruppen tactic of burying an ax in the front doors of private citizens they don’t like is even more offensive. Such are the tactics of Hitler, Stalin, Mao, Pol Pot, Castro. Here are 3 links that shed some light on Researchgruppen thuggery:
http://spnwnewswire.spco.eu/News/20140422-01-news.html
http://swedenreport.org/2015/03/31/double-standards/
http://www.breitbart.com/london/2014/05/08/swedish-journalists-confront-online-commenters/
LikeLike
Many of the individuals whom now end up in the leftwingextremist opinionregister have more recent stated anything about migrants or anything even similar to rightwing opionions but still Martin Fredriksson and the aggressive organizations he and his individuals signify outs their private details and mailadresses openly.
LikeLike
Yesterday evening one of the anonymous commentators who was registered by the Researchgruppen/AFA Dokumementation and published by the Bonnier owned tabloid Expressen was the victim of a bombing. It was a miracle that nor the commentator nor the family was injured or worse…
This shows the danger of the Researchgruppen/AFA Dokumentation…
[Could someone provide independent verification of this assertion, such as a link to a news article? Without that verification it is meaningless — Kevin Townsend.]
LikeLike
Here is from Swedish state TV:
http://www.svt.se/nyheter/nyhetstecken/bombdad-hos-sd-politiker
Translated with Google:
http://translate.google.se/translate?hl=&sl=sv&tl=en&u=http%3A%2F%2Fwww.svt.se%2Fnyheter%2Fnyhetstecken%2Fbombdad-hos-sd-politiker
Could provide links for all information i have given, if you want it.
LikeLike
I posted this response to your post in the wrong place…
Here it goes. Today we can read about the extremists in the Researchgruppen/AFA Dokumentation and how they tweet about themselves:
”We’re not stasi-level yet, but we’re getting there” http://i.imgur.com/CeKx2Oe.png
”Vi är Sveriges Stasi. Lite fetare”, (We are Sweden’s Stasi. And a bit more. – trans.)
“The Stasi champagne is opened!”
“A Stasi gotta do what a Stasi gotta do…(to make a living)”
They even compare themselves to the very much feared Est-German communist secret police – the Stasi… (Ministerium für Staatssicherheit). Is that something that belongs in a western democracy?
LikeLike
Researchgruppen was, at it has been pointed out, called AFA Documentation up until a few years ago.
The leaders of this far-left intelligence service are known AFA members, previously convicted of political crimes like for example assault with iron rods.
And AFA who has killed people in Sweden, regularly have been burying axes in people’s doors where they live.
Researchgruppen, on top of that, is owned by the grandson of Olof Aschberg who financed the formation of the Soviets Red army, Lenin, Trotskij and the October revolution. A communist ideology the grandson have been faithful to half of his life, officially.
LikeLike
And now we can read that Reasearchgruppen/AFA Dokumentation tweeted the following:
”We’re not stasi-level yet, but we’re getting there” [http://i.imgur.com/CeKx2Oe.png]
”Vi är Sveriges Stasi. Lite fetare”, (We are Sweden’s Stasi. And a bit more. – trans.)
[http://www.friatider.se/wp-content/uploads/cache/picture673341.jpg]
“The Stasi champagne is opened!”
“”A Stasi gotta do what a Stasi gotta do…(to make a living)”, ”
[http://i.imgur.com/7C76XVc.png]
This is how the Researchgruppen/AFA Dokumentation tweets…
How about that!
LikeLike
Actually, many of the comments weren’t inflammatory or racist at all. But the people who made the comments are still portrayed as “haters”. You should be aware that the so called “researchgruppen” is a far left organzation. I´m not sure what they are trying to accomplish, except scaring people who don´t share their beliefs.
LikeLike
Martin Fredriksson sounds supriced “Not very grateful to people pointing out their weakness.” Well companys and people are not usually very grateful to have their accounts haked by criminals.
LikeLike
The Researchgruppen (formerly AFA Dokumentation – Anti Fascist Action is a part of the violent autonomous left) is a highly political organization, they are the extremists in Swedish politics – not only communists but hardcore communists of the same type as the RAF in Germany.
A great problem with this is that a lot of media workers are also communists so they can cooperate. The swedish journalist education has been controlled by communists since 1968.
AFA Dokumentation/Reserachgruppen have no business collecting information and registering Disqus users or any other users.
The Swedish authorities should act against Researchgruppen but if they don’t I think their actions should be tried in a US court of law.
LikeLike
Martin Fredriksson of Researchgruppen is a convicted criminal.. he is dangerous and have been in prison before. The group all together is made of extremist from the whole country who would like to create a group similar to the Eastern German group Stasi. Hopefully US law will put them in life time prison or death penalty.. Swedish people are going to court to get justice!
LikeLike
Many of the people whom now find themself in the leftwingextremist opinionregister have newer commented anything about immigration or anything even resembling rightwing opionions but still Martin Fredriksson and the violent organisations he and his fellow members represent outs their personal information and mailadresses publicly.
Many of those feel unsafe since its not a secret that both Martin himself and most of the other extremists have prior convictions for horrible acts of political violence. I read Martins latest conviction recently and find it stange that the swedish tabloid chose to work with a man whom just recently got on the subway and threatend to kill another passenger with his knife and also had a concealed weapon on him.
This is the kind of people whom the swedish media chooses to work with and try to stop free speech.
LikeLike
Interesting article! I just heard that Disqus had changed stance. From “there has been no breach” to “we have contacted law enforcement”. Not very grateful to people pointing out their weakness.
I personally think the Disqus-aspect is the most interesting of all in this. A company which prides itself of storing millions and millions of people’s private opinions, yet take no effort in protecting sensitive data. The “emailhash” values were available through their API and was even documented in their manuals. Makes you think.
We’re not very concerned about a criminal case in the US. It would give this issue the attention it deserves.
We focused on swedish hate sites and didn’t really know what to do with the comments from media sources. Just downloaded it to “prove a point”. I still don’t know what to do with it. Delete it or see what politicians, economists and lobbyists are really concerned about, when they think they’re anonymous.
Anyway, thanks for writing about this.
LikeLike