BitDefender: “Anonymous is ‘good’ for security” – REALLY?! March 28, 2012

Posted by Chris Mark in InfoSec & Privacy, Laws and Legislation, Risk & Risk Management.

A March 14th, 2012 article on ZDNetAsia sums up one of the major problems with security.  Specifically, it is the victims that are consistently blamed for the crime and the belief (very arrogant, I might add) that companies simply don’t care about security and this is why they are victimized.  According to the article:

“Alexandru Catalin Cosoi, chief security researcher at BitDefender, for one, said that hacktivist group Anonymous has been “good” for security. This is because even though it had disclosed people’s personal information publicly online, the security breaches it organized had a positive impact, he added. Now, more companies are willing to secure their networks and private data, which is good news, he stated.”

The statement clearly places the blame for being hacked on the companies that are victimized.  It is irresponsible to suggest that Anonymous, or any other criminal group, is ‘helping’ the industry by forcing companies to “secure” their networks.  It appears that Mr. Cosoi is suggesting the ‘ends justify the means’.  Who cares if some private information is compromised as long as it causes other companies to take better care?  The statement attributed to Cosoi clearly suggests that he believes companies simply are “unwilling to secure their networks” until they see another company get hacked.  Really?  I have worked with some very good CSOs that work their butts off day and night trying to keep criminals at bay.  There are a number of very dedicated companies focused upon security.

Starting in March 2011, a sexual predator began targeting women in Brooklyn, NY.  While sexual assaults are, unfortunately, more common than we would like, this particular string was known for the police’s statements and actions. In September 2011, a Brooklyn police officer stopped a woman in the vicinity. According to the woman: “He pointed at my outfit and said, ‘Don’t you think your shorts are a little short?’” she recalled, and about other women in the vicinity: “He pointed at their dresses and said they were showing a lot of skin.” He said that such clothing could make the suspect think he had “easy access,” said Lauren. She said the officer explained that “you’re exactly the kind of girl this guy is targeting.”  This is an asinine position for any police officer to take.  When the predator continued his assaults on women dressed more conservatively, maybe the police would have suggested chastity belts, or suits of armor?  The point is that while you can certainly make yourself less of a target in certain instances, to suggest that a woman wearing a skirt “did not care about her security” is stupid.

Using Mr. Cosoi’s rationale, it would seem appropriate to suggest that the man assaulting the women in Brooklyn was actually good for the overall security of women in Brooklyn.  Using his own words and modifying a bit (replaced wording in brackets, followed by the additions): “This is because even though [it had disclosed people’s personal information publicly online] women were assaulted, the [security breaches it organized] assaults had a positive impact, he added. Now, more [companies] women are willing to dress less provocatively and take security more seriously [secure their networks and private data], which is good news…”  Obviously, that is a ridiculous position to take.

The previous statement was intended to be sensational and controversial. I am not suggesting for a moment that a violent crime should be considered the same as a property or other crime.  The challenge lies in ascribing blame solely or primarily to the victim of ANY crime.  There is always a temptation to look back and make a statement that if X had been different, then Y would not have happened.  This is a dangerous proposition.  It is also irresponsible for a security researcher to suggest that because a company was breached, they were at fault, or were “unwilling to secure their networks”.  Could a review have shown that a company could have done things differently? Sure. That being said, I would challenge a reader to find a statement in the news where a breached company is given kudos for their security after a breach. Doesn’t happen.  The immediate response is to lay the blame solely upon the victim.

No doubt Anonymous has been good for BitDefender.  I doubt that many people would agree that a criminal organization stealing personal information is “good” for the industry at large.
