“People should not be afraid of their governments. Governments should be afraid of their people,” the fictional character V infamously remarked in the film V is for Vendetta.
Anonymous, a group which borrows its visual guise from that graphic novel-turned-film, has certainly been filling governments with frustration this year. The hacktivist group played a role in the unrest in the Middle East earlier this year, and now has claimed yet another target — the digital domain of the San Francisco Bay Area Rapid Transit (BART) system.
BART, San Francisco, California’s local government-owned traditional “slow” rail system (top speed: 80 mph), drew criticism in January 2009 when cell phone videos captured transit cop Johannes Mehserle fatally shooting Oscar Grant III execution-style in the back after the man appeared to be cooperating with an arrest.
That criticism only intensified after BART blocked cell phone traffic on its trains in an attempt to silence organizers of a protest at the station where the murder occurred.
Agency spokesman Jim Allison defends the decision, stating, “We’re going to take steps to make sure our customers are safe. The interruption of cell phone service was done Thursday to prevent what could have been a dangerous situation. It’s one of the tactics we have at our disposal. We may use it; we may not. And I’m not sure we would necessarily let anyone know in advance either way.”
Those efforts drew the ire of Anonymous who on Sunday defaced the transit service’s myBARTway page as part of a major operation [press release] dubbed “OpBART”.
Members also leaked over 2,000 user names, emails, and passwords (and in some cases addresses) to an Austrian domain name — DJMash.at. Anonymous writes:
Thus below we are releasing the User Info Database of MyBart.gov, to show that BART doesn’t give a shit about it’s customers and riders and to show that the people will not allow you to kill us and censor us. This is but the one of many actions to come. We apologize to any citizen that has his information published, but you should go to BART and ask them why your information wasn’t secure with them. Also do not worry, probably the only information that will be abused from this database is that of BART employees.
Anonymous‘s decision to implicate innocent commuters seems a questionable one. Anonymous‘s claim that peoples’ data “probably” won’t be abused is hardly reassuring. Anonymous seems a bit confused here — in V is for Vendetta, V never intentionally targeted civilian bystanders.
Marsha-Ann Sebay, a Vallejo woman whose personal information was released, told the San Francisco Chronicle, “To be honest with you, I’d like to kick their ass. If you have a problem with someone, you resolve it with that person. You don’t punish other people because you don’t agree with something. There’s other ways to protest. In my day, you bombarded them with letters.”
That said, the fact that Anonymous was able to crack the passwords so easy and display them in plaintext indicates they were either stored in plaintext or, at best, stored as unsalted MD5 hashed values. In that regard, customers should be mad at Anonymous for endangering them, but also at BART for failing to practice proper security.
Mr. Allison (whose info was not leaked, interestingly) tried to reassure customers stating, “We regret the inconvenience and stress that it’s created for customers. We’re disappointed that they would do this meant to be a service to our customers. We’re doing everything we can to protect bart.gov, which is used by nearly 2 million people a month as an important tool.”
In an email to customers BART wrote:
Several hours ago, myBART account information was compromised in connection with an illegal and unauthorized intrusion into our system. In response to this intrusion, we will temporarily shut down the myBART.org website, and have notified law enforcement authorities.
Although we are still investigating the details of this incident, we know that an unauthorized person has obtained contact information from at least 2,400 of our 55,000 members. In most cases, the information consists of names, email addresses, and passwords. In some cases, the database also listed an address and phone number. No financial information is stored in the myBART database.
Such statements sound like the commentary of an entity that didn’t do its work to properly protect its customers in the first place. Anonymous may not have made any friends with its antics, but maybe if BART was less worried about block peaceful protests and more worried about protecting customers’ private data properly, it wouldn’t have suffered such a breach.
Anonymous, for better or worse, is soldiering along. It’s launched a new operation dubbed “Op Britain” [Pastebin], which targets the English government for its plan of censorship in the wake of recent class riots (ironically, Anonymous also has plans to attack Facebook, one of the targets of England’s censorship bid). Anonymous is also targeting [Pastebin] the Fullerton, California city Police Department after the fatal July beating of a homeless man by six city cops. So far the Fullerton PD page has not been defaced.
The piracy police made one 9-year-old a very unhappy camper
ZMAX will come with a Snapdragon 400 processor and 720p display
UC Davis dares to go where Toyota won't with the Prius
An Apple spokesperson fires back over Microsoft's latest commercials
Engadget gets the scoop on Dell's latest "ultra-portable" notebook