Anon Defector: 14 Ways to Secure ITWith a Change of Heart, White Hat Convert Seeks the American Dream
A repentant SparkyBlaze, as he's known on Twitter, wants to go legit, leaving behind the hacktivism he helped foster as a member of Anonymous and start a career in the United States as a ethical hacker.
The 20-something from Manchester, England, in an interview posted on the blog of Cisco marketing manager Jason Lackey, says he's "fed up with anon putting people's data online and then claiming to be the big heroes."
A lackluster student in school, SparkyBlaze only showed passion when working with computers. He says he's interested in physical security and just applied that interest to computers, learning about firewalls and exploits, things like that:
"I got into Anonymous like most people there. I love hacking and I believe in things such as free speech. I came across a page on Anonymous and was interested in them so I just started hanging out in IRC with them and it went from there.
What does he think about hactivism?
"It is OK if you are attacking the governments. Getting files and giving them to WikiLeaks, that sort of thing, that does hurt governments. But putting user names and passwords on a pastebin doesn't (impact governments), and posting the info of the people you fight for is just wrong."
Karen Evans, the federal government's onetime top IT official, is on a mission as national director of the U.S. Cyber Challenge to get the likes of SparkyBlaze to consider the ethical route before they dabble on what she calls the dark side. Here's Evans from a video interview I conducted last year (see Why Cyber Challenge is Needed) speaking about creating opportunities for would-be hackers:
"One of the questions we always get asked is, 'How do you know they won't go to the dark side?' And, there is no guarantee. But what I believe, in the heart of hearts, is that everybody wants to do the right thing. ... People don't wake up every day and say, "Gosh, I want to break the law.' ... What they want to do is to contribute positively to society, so this is really capitalizing on this curiosity and competitive nature, and highlighting everything that is good about how you can do this for the greater good."
SparkyBlaze seems to want to do the right thing. As penance, perhaps, and sounding a bit like a high-priced IT security consultant, SparkyBlaze offers 14 ways organizations can protect their digital assets:
- Deploy defense-in-depth.
- Use a strict information security policy.
- Have regular audits of your security by an outside firm.
- Use intrusion detection or prevention systems.
- Teach your staff about information security.
- Teach your staff about social engineering.
- Keep your software and hardware up to date.
- Watch security sites for news on computer security and learn what the new attacks are.
- Let your sysadmins go to Defcon.
- Get good sysadmins who understand security.
- Encrypt your data, something like AES-256.
- Use spam filters.
- Keep an eye on what information you are letting out into the public domain.
- Use good physical security. What good is all the security software if someone could just walk in and take your 'secure' systems?
SparkyBlaze doesn't think highly of the current state of IT security, as practiced by governments and corporations. He doesn't hold back any punches:
"Information security is a mess ... Companies don't want to spend the time/money on computer security because they don't think it matters. They don't encrypt the data nor do they get the right software, hardware and people required to stay secure. They don't train their staff not to open attachments from people they don't know. The problem isn't the software/hardware being used ... it is the people using it. You need to teach these companies why they need a good information security policy."
He sounds as critical about the dark side of hacking:
"Stay away from black hat hacking. White hat hacking is a lot more fun, you get paid for it, it is legal. A conviction for hacking and leaking a database will affect you for the rest of your life. You go for a job and it is down to you and someone else. You both have the same qualifications and are good at what you do. They do a background check on both of you ... his is clean, yours says you hacked a server and put all the data online. Who will they give the job? It won't be you."
As long as SparkyBlaze is known only by his handle, he may one day come to America and rise to a high, IT security position, perhaps at the National Rifle Association. Why the NRA? As he tells Lackey:
"I love guns also, but it is mostly illegal in Britain, and there are no ranges to shoot on."
Plenty of opportunities in the U.S. to take aim, not only at a target's bullseye, but at defending IT from the likes of the non-repentant SparkyBlaze of the past.