
The hacker group Anonymous has been in the news recently for a variety of reasons, including WikiLeaks and the HBGary breach. One recent item was a relatively high-profile defection from the organization: the departure of SparkyBlaze, who cited several reasons, including being “fed up with anon putting people’s data online and then claiming to be the big heroes.”

I run the @CiscoSecurity Twitter feed, so I spend a lot of time on Twitter, and saw that @SparkyBlaze was an active user, so I pinged him with a DM in an effort to get his side of the story. I also wanted to get a glimpse into things on the other side – it is probably in the best interest of everyone in the security industry to have a better understanding of Anonymous and others in the underground hacker community. While the human factors were of some interest, I was also really curious about his take on the state of corporate security and wanted to see what he had in the way of concrete recommendations for organizations wanting to prevent breaches and break-ins.

Some might ask, are we giving an illegal hacker a platform? I would say, no. Sparky himself says it very clearly: “Stay away from black hat hacking. White hat hacking is a lot more fun, you get paid for it, it is legal. A conviction for hacking and leaking a database will affect you for the rest of your life.”

Beyond the handle @SparkyBlaze and a Hushmail address, we know little about him, and beyond what we have below, he wasn’t talking. That said, here’s the interview:

JL: Can you tell us a little bit about your background?

SparkyBlaze: Well, I am from Manchester. I went through school not caring… my teachers always said I knew the stuff but I couldn’t be bothered to do anything. They were right, as nothing interested me. I am only hard-working if I am passionate about something, like computers. I went through my childhood bored as hell till I found computers. I love things like Defcon and hacker conferences and talking to other hackers. I love managing servers (and making sure they are secure).

I am white, in my 20s and planning on moving to America to study computing and ethical hacking (I think it is best if they don’t know about me and anon ;D). I plan to live there as I have always wanted to. I love guns also, but it is mostly illegal in Britain and there are no ranges to shoot on.

JL: How did you get into computers and security?

SparkyBlaze: I got into computers as I grew up around them. I like physical security and just applied my interest to computers. Then I started to learn about firewalls and exploits… things like that.

JL: And how did you get hooked up with Anonymous?

SparkyBlaze: Well I got into Anonymous like most people there. I love hacking and I believe in things such as free speech. I came across a page on Anonymous and was interested in them so I just started hanging out in IRC with them and it went from there.

JL: What are your thoughts on hacktivism?

SparkyBlaze: Hacktivism is an interesting subject. I love hacking and I believe in free speech and anti-censorship, so putting both together was easy for me. I feel that it is ok if you are attacking the governments. Getting files and giving them to WikiLeaks, that sort of thing, that does hurt governments. But putting user names and passwords on a pastebin doesn’t [impact governments], and posting the info of the people you fight for is just wrong.

JL: How do you think the rest of the world views hackers?

SparkyBlaze: Hackers and computer savvy people are just frowned upon. Hackers are the big, bad wolf and computer savvy people need to “get out of their basement.” Most people don’t know what hacking is, they use the same passwords everywhere and don’t use antivirus/firewalls. For them it’s an “out of the box” Windows install with IE7. This is the issue with people nowadays; they don’t understand the importance of computers and computer security.

JL: What is your take on the current status of the security industry?

SparkyBlaze: Information security is a mess, like I have just mentioned. Companies don’t want to spend the time/money on computer security because they don’t think it matters. They don’t encrypt the data nor do they get the right software, hardware and people required to stay secure. They don’t train their staff not to open attachments from people they don’t know. The problem isn’t the software/hardware being used… it is the people using it. You need to teach these companies why they need a good information security policy.

JL: What are some of the biggest challenges you see out there?

SparkyBlaze: In my mind social engineering is the biggest issue today. We have the software/hardware to defend buffer overflows, malware, DDoS and code execution. But what good is that if you can get someone to give you their password or turn off the firewall because you say you are Greg from computer maintenance just doing testing? It all comes down to lies, everyone does it and some people get good at it.

JL: So what sort of advice would you give enterprises and other organizations out there as they grapple with security-related issues?

SparkyBlaze: Here’s the advice I would give to companies:

  • Deploy defense-in-depth
  • Use a strict information security policy
  • Have regular audits of your security by an outside firm
  • Use IDS or IPS
  • Teach your staff about information security
  • Teach your staff about social engineering
  • Keep your software and hardware up to date
  • Watch security sites for news on computer security and learn what the new attacks are
  • Let your sysadmins go to defcon ;D
  • Get good sysadmins who understand security
  • Encrypt your data (something like AES-256)
  • Use spam filters
  • Keep an eye on what information you are letting out into the public domain
  • Use good physical security. What good is all the [security] software if someone could just walk in and take [your “secure” systems]?

JL: What kind of advice would you have for young folks who are interested in working in security?

SparkyBlaze: Stay away from black hat hacking. White hat hacking is a lot more fun, you get paid for it, it is legal. A conviction for hacking and leaking a database will affect you for the rest of your life.

For example: You go for a job and it is down to you and someone else. You both have the same qualifications and are good at what you do. They do a background check on both of you… his is clean, yours says you hacked a server and put all the data online… Who will they give the job? It won’t be you.


47 Comments.


  1. Omgg what a nice and smart guy. God bless you Anon hacker

       3 likes

  2. Great Article! Thanks

       1 like

  3. that’s pretty interesting, i like the way he thinks, like someone mature.

       1 like

  4. Wow! What a very interesting interview. Keep up!

       0 likes

  5. Sparky this Anon…we miss you boohoo boohoo…please come back!!!

       0 likes

  6. yeah ..keep swallowing. Such a waste. .

       0 likes

  7. hey that’s a lot of knowledge but i am too interested in hacking

       1 like

  8. interesting interview.. liked it a lot!

       0 likes

  9. Some things don’t change. This hasn’t changed since my time as a pen tester in the early 00s.

    As part of my job at the time it was necessary to maintain links with ‘the dark side’ as exploit development is an important part of pen testing, and quite often we’d trade exploits. Obviously, private exploits and private tools.

    Hackers are very different to other criminals, they frequently have a ‘business focus’ and quite often are motivated by curiosity and a desire to understand (and exploit) systems. So a lot of what SparkyBlaze says and his attitude is par for the course.

    The one part he does not understand though is protecting an enterprise and the nature of the enterprise.

    I too admin’d high security web servers, these were constantly under attack from ‘real hackers’. We practiced defense in depth through encryption, OS and webserver tech hardening (Chroot, removing certain syscalls, using hardened PHP, Modsecurity, etc etc).

    This type of approach is rarely enterprise scalable or used within specific branches of the enterprise, where security can dictate over business requirement.

    In an enterprise you are a much bigger target so your ability to effectively defend is lessened. So you have your security policy, which is your trade-offs between security and business requirement.

    I know a reasonable number of ‘former blackhats’ who went to work for security companies as they grew up, had families and wanted to earn substantial hard cash for their considerable skills. Some remained on the dark side but are involved in corporate espionage, which is far more lucrative, but only the best (and laziest) choose this as a career move.

    I disagree on the main threat. The main threat is state sponsored espionage, when someone has a budget to attack your IS systems. This however is simply not something discussed today as it could be seen as an act of war, even though it routinely occurs.

    Good luck in your career change SparkyBlaze.

       0 likes

  10. oh, and as a heads-up, hushmail is not as secure as touted. Don’t trust it to keep your emails safe and unencrypted if you don’t want certain emails to bite you on the ass later.

       1 like

  11. Like to hear more about security.
    Good for newbies in security
    keep it up.

       1 like

  12. Just did an interview with local radio station KGO earlier, hammered on the basics of passwords and patches for security. BTW thanks to those who have reached out and contacted me to provide additional insight and other perspectives. Always two sides to any story and I am always interested in hearing both.

       0 likes

  13. Bottom line is, he is saying to do the things the “industry” has been told to be doing for years. Problem is, no one implements and enforces said policies, which is why groups like Anonymous and LulzSec are getting into these systems. No one ever said the people in Anonymous or LulzSec weren’t mature or even educated. It’s obvious they know what they are doing, or they wouldn’t be getting into these systems. The only difference between them and the rest of the infosec community, is they are embarrassing the companies publicly by dumping the databases which contain innocent people in the wake of these discoveries, which I find to be the wrong way to spread your message.

    DDoS’ing sites, dumping their databases, and then defacing the sites to promote your cause, is counterproductive to the purpose of what Anonymous is supposed to stand for. His reasons for leaving are evident of this, and I applaud him for taking that stance. I would hope more like him in their group would have the courage to do the same, since it’s people like him who give real hackers a good name, while the actions for the majority of LulzSec and Anonymous tarnish the rest while making them look like criminals.

       0 likes

  14. Jason, Really awesome article – detail-rich. Thanks so much for following up with this guy !

       0 likes

  15. Complexity is the true evil here. We as humans have a remarkable ability to come up with fresh concrete and abstract concepts but this ability more often than not is outstripped by our inability to consider all possible consequences of actions, especially those driven by efficiency and laziness.

    Do we need to have a database of customer data accessible through the internet? Why do I need to patch an OS for a vulnerable feature that’s integral with the OS but is never used? Is the ability to purchase cheap plastic goods online really worth the possibility of my personal information being sold, rented or stolen?

    As a U.S. Air Force captain named Murphy once concluded, “If there’s more than one way to do a job and one of those ways will end in disaster, then somebody will do it that way.” Technological fixes more often than not find ways of creating larger problems than the technology was supposed to fix.

    If we want to go a long way of fixing the problem of insecurity, make systems simpler not more complex.

       0 likes

  16. Reading this and actually getting all the signs that I have actually felt that our computer issues could be a result of such type of acts. This is very interesting to me because although I know that hackers can have a very bad effect on an individual’s life I feel that some of my reasonings are a result of good information that I have seen and read. I am a skip tracer and actually have rules to follow and out of 14 yrs I pulled a few personal things for people that I feel now lied to me to get but I lost job few days later for another reason they said. In my heart I felt like I had helped out someone that could not have told me the truth and ended up being something bad. I hate that people who are of the dark side have the access to our info but at same time I have had a life of good vs trouble and I was good at what I did until I got crossed up with the 2 times I pulled for individuals I shouldn’t have believed their poss lies. I regret and really thought they might be of the good but both times I lost job. Live and Learn and I know if I ever get the chance again I won’t do that. I related this to my situation bc I have done some not so on the line tasks to recover info for my job but only for good reasons and to outthink the opponent. My past helped me find my knack but I want to excel and not sure where to take my skills.. thought this was informative

       0 likes

  17. Groups like Anonymous will never “serve” the public or a higher ideal for very long. Once you realize that you can expose any organization’s secrets, you’ll do it. It doesn’t matter who gets hurt. The temptation to abuse power becomes too overwhelming to resist. Every revolutionary who has promised to liberate their country from the oppressors has eventually become the oppressor.

       1 like

    • @james Revolutionaries?? You give hackers far too much credit. Most hackers are nothing more than childish graffiti artists and pranksters. I would estimate that fewer than 1% of hackers are actually “1337” and of those few, only a small number use their expertise to expose and undermine abusive individuals and institutions in positions of power. From that perspective this tiny group are more akin to satirists or at worst guerrillas. The important point though is not whether they are revolutionaries or resistance fighters, it is that hidden behind the horde of idiots claiming to be “hackers” there exist some highly skilled and intelligent anons who can and do use their skills for purposes higher than defacing websites. So long as there are, governments, corporations and power-drunk individuals can’t consider themselves immune from scrutiny, including the anons themselves. Far from the destructive inference of revolution, it is this balance of power that is actually helping to keep things sane right now.

         1 like

      • I imagine the hackers that are part of Anonymous see themselves in a revolutionary light. If you read SparkyBlaze’s comments, he seemed to believe he was upholding free speech and “putting the hurt on the man”.

           1 like

  18. quite an interview, thanks for the detailed logs!

       0 likes

  19. One thing I remembered recently, Zero for 0wned.

    Zf0 routinely hack ‘respected’ hackers and hacking groups’ servers.
    If you can be bothered to read the ranting, zfo produce evidence of having hacked these hackers (passwords, directory structures and files from their hacked servers).
    A few victims were:
    Anonymous
    Dan Kaminsky
    Cult of the Dead Cow
    Robert Lemos

    http://web.textfiles.com/ezines/ZF0/

       0 likes

  20. On Twitter, Jerry Gamblin (@JGamblin) has a response to “Sparky’s List” which I thought I should share:

    http://pastebin.com/7r9aePLw

    My Response to “Sparky’s List”

    • Deploy defense-in-depth
    Please tell me what defense-in-depth is and how you implement it. It’s a lot like saying a good way to be secure is to be secure.

    • Use a strict information security policy
    Easier said than implemented, but overall I agree.

    • Have regular audits of your security by an outside firm
    Good advice.

    • Use IDS or IPS
    Why wouldn’t you?

    • Teach your staff about information security
    Security awareness is one of the most important things a security team can implement. Very few companies invest the resources needed in this area.

    • Teach your staff about social engineering
    See above.

    • Keep your software and hardware up to date
    This is a great tip. Patched software and hardware stops a ton of hacks.

    • Watch security sites for news on computer security and learn what the new attacks are
    Agreed. Also run the tools mentioned in the attacks against your systems.

    • Let your sysadmins go to defcon ;D
    Why? How would spending limited training funds to send our sysadmins to defcon be smarter than sending them to a SANS class?

    • Get good sysadmins who understand security
    Also get unicorns who grant wishes. (It’s easy to say, hard to find)

    • Encrypt your data (something like AES-256)
    All of your data? While it’s at rest? Always? Why?

    • Use spam filters
    Who doesn’t?

    • Keep an eye on what information you are letting out into the public domain
    True. If the information isn’t on the internet it can’t be leaked.

    • Use good physical security. What good is all the [security] software if someone could just walk in and take [your “secure” systems]?
    Not much? You are at a greater risk of attack from an online hack than you are from someone walking and stealing your server though.

       0 likes

  21. What a beautiful interview and unique too.

    Many IT students of mine just keep asking me what is my opinion about hacking. Well I will just send them this url and I will keep in mind this….

    “What kind of advice would you have for young folks who are interested in working in security?” SparkyBlaze: Stay away from black hat hacking.

    Jim Tsap

       0 likes

  22. Omgg What a very interesting interview, God bless you.

       0 likes

  23. Really awesome interview. Thank you for sharing this good stuff with us.

       0 likes

  24. yea quite the interview indeed

       0 likes

  25. Apparently spending huge amounts of time reading security compliance policies and filling out audit paperwork doesn’t actually result in “better security”. lol.

       0 likes

  26. dear SparkyBlaze,

    So you know everyone’s security is a mess, but clearly you don’t know much of the BS that goes on behind it. Your list of advice is also unrealistic. Obviously you do not think of the costs required to accomplish and maintain them, there are plenty of companies that simply cannot afford to do all that. Sometimes you cannot even take a mission critical device offline for maintenance, so you can forget about updating it. The type of organizations that have the budget to implement all those is probably a three-letter-agency… but oh wait, even they couldn’t do it perfect, I guess you anonymous/lulzsec guys already proved that.

    Good luck with your future security job, maybe one day you’ll realize you’re not really changing anything, and understand the bitterness of those who do this as a living. And then probably by the time you’re at that stage, there will be other young “hacktivists” saying you’re not doing your job right. Heh ;)

       0 likes

  27. Very Powerful Interview and good Information transfer thanks a lot for this sharing! Patrick

       0 likes

  28. That is great information about the way of thinking of hackers.

    Thanks for sharing this great interview.

       0 likes

  29. Great interview, the thing many people don’t realise is that not all hackers are out to cause harm and leak company information. The media is mostly responsible for making people think all hackers are like Lulzsec etc.

    I’ve read transcripts from IRC of Lulzsec, those guys didn’t seem to have a big picture in mind. Just a “we are better than others because we can hack so and so” attitude and loved the media attention, which inevitably lead to their downfall.

       0 likes

  30. Very interesting interview. I’d be curious if this guy had a questionable history on hacking as opposed to pure free speech activism.

       0 likes

  31. I always wondered about the difference between white hat and black hat hacking. Being an I.T. guy myself and seeing the understaffing in the security dept., I often wondered, (and sometimes saw first hand), how truly vulnerable the company I was working at was.

    Thank you so much for the insight and the article.

       0 likes

  32. There is no “after Anonymous”

    Anonymous is constant.

    Read the code.

       1 like

  33. I’m interested about Anonymous, I watched the video on youtube on their operation Facebook on Nov. 5, 2011

    Back on the topic, I think hacker is still a hacker, there’s no former hacker, I guess and in my opinion, once a hacker, always a hacker ^_^

       1 like

  34. Good to see the advice on using good physical security, which is often overlooked in IT-centric circles.

       0 likes
