Hacking Team has finally released a response to the attack it incurred. Much like the company’s internal network security, the response it posted should have people concerned. In addition to not following basic security practices, such as not storing login credentials in plaintext files, the company also doesn’t have a strong grasp of the English language:
Before the attack, HackingTeam could control who had access to the technology which was sold exclusively to governments and government agencies.
If Hacking Team could control who had access to the technology before the attack, the attack wouldn’t have been successful. The fact that the attack was successful proves that Hacking Team didn’t have control over its technology. Apparently whoever is doing public relations for the company doesn’t know what the meaning of control is.
The next two sentences, particularly when combined with the one above, are especially laughable to me:
Now, because of the work of criminals, that ability to control who uses the technology has been lost. Terrorists, extortionists and others can deploy this technology at will if they have the technical ability to do so.
Instead of governments and government agencies having exclusive use of Hacking Team’s technology, now terrorists, extortionists, and others have access to its technology? What exactly is the difference between a government and an extortionist? None. Governments by their very nature are extortionists. They do tend to use nice-sounding euphemisms like taxes, license fees, and citations, but in reality governments are in the business of forcefully taking wealth from the populace.
Looking a bit deeper, we must ask how some of the governments and agencies Hacking Team sold to, such as Sudan, Ethiopia, and the Drug Enforcement Agency, differ in any notable way from other terrorist organizations. With the exception that Hacking Team has accepted money from them, there is no notable difference. Simply calling something by a different name doesn’t change what it is. Admittedly this is a problem many people have with the English language.
Outside of the failure to utilize the English language the Hacking Team response contains this gem:
HackingTeam is evaluating if it is possibile to mitigate the danger.
How could a company that discovers previously unknown vulnerabilities help mitigate danger to people? For actual security companies, the answer is to work with developers to fix the vulnerabilities before they can be actively exploited. Hacking Team, on the other hand, sat on those vulnerabilities so it could sell tools for the sole purpose of exploiting them. Its entire business model relied on people being in danger. Had it actually cared about helping mitigate danger, it wouldn’t have sold the tools it did, especially to the customers it did.
This Hacking Team breach just gets better by the day. Between the company’s scummy practices, source code getting open sourced, and complete failure at handling public relations this breach is the gift that keeps on giving.