The Hacking Team debacle continues to make life miserable for defenders everywhere. Any vestige of organizational good will I may have built up over the last year, is gone after issuing five emergency patch requests over ten days. I’m exhausted and still wondering how many more 0-days are lurking around the corner.
The compromise was epic, with hackers releasing approximately 400GB of data, including thousands of internal emails and memos which were posted on Wikileaks. Reuters reported that all this mayhem was caused by six disgruntled former employees who also released Hacking Team source code. Frankly, I don’t have much sympathy for David Vincenzetti and his circle of douchery that includes government clients using Hacking Team’s brand of malware to spy on dissidents. While following the story, a Confucian proverb came to mind. “When you ride a tiger, it’s hard to get off.”
And so it has been for The Hacking Team, now bitten by that proverbial tiger and broken, a casualty of their own hubris. Whether they can recover from this disaster is questionable. Their arrogance only surpassed by that other sad sack of the security industry, HBGary, taken down by Anonymous.
There is a story of a soldier who went to see a famous Buddhist Monk, Ajahn Chah, to ask why he had been shot on the battlefield. Why had he been chosen to suffer, was it something he had done in a past life? Ajahn Chah answered that it was the karma of a soldier to be wounded. The real meaning of karma isn’t punishment, it’s simple cause and effect. With the Hacking Team it’s a case of security karma: they chose to enter the arena of offensive security and use the tools of attackers for questionable purposes. By doing so, they increased the odds that they would themselves become an object of retaliation.
Postmodern Security 