OK, watching the news over the last 24 hours I have seen the same thing said on many different sites (like pcmag, sophos, google), something like: "companies that are lax on security need to be exposed … but the LulzSec approach wasn't the way to do it." (pcmag)
So what is the right way? How can a security expert/hacker "expose lax security" the "right way"? I suppose this right way is legal, and by exposing lax security it would mean hacking a site to prove its "lax security" and publishing it. And to prove that you hacked the site, either defacing it or releasing information that could have come from no other place? Otherwise no one would believe you, and the company with the lax security could just explain it away or ignore you.
So the question is: if you are a young computer and you find a system with lax security, and you want to get the company that owns it to get their butt in gear and fix their site, what can you do differently from what Anon and Lulz are doing? Yes, Lulz should not have exposed a bunch of seniors' info on the web. But I actually applauded when they posted the porn users' emails. But who am I to decide what they should do with their data. The fact that people still use Sony networks and Sony devices scares me.
I think that someone should set up an organisation like WikiLeaks, but not to publish the data; rather, to provide an anonymous holding site to publish that the hack occurred, provide some proof that it did without compromising users' data, and then offer a sample of the data to the companies as proof they were hacked. At that time the company would be put on notice that the attack would be repeated to confirm that the company fixed the problem, and that they will be checked repeatedly for a year or more to ensure they don't slip.
And this organisation would have to be supported. I think that community funding, or funding from donations would be the way to go. Donating would not be a guarantee that you would not be hacked, it might actually lead to being targeted. But if you have the right security in place that would not be a problem right?
The members of the site would be required to not be involved with any previous criminal activity, and the site would have to get some type of government approval for its activities or risk being branded criminal. This is one way that the problem of companies being lax about security and hackers that expose their security issues could be brought together with the required results. Feel free to come up with your own ideas and post them with attribution.