“I don’t hate technology, I don’t hate hackers, because that’s just what comes with it, without those hackers we wouldn’t solve the problems we need to solve, especially security.”
** Fred Durst (American musician, producer, director)
Published by some online media was a statement by Marilyn Ogah, the DSS spokesperson as she gleefully told the media how DSS uncovered a plot by APC to hack into INEC servers. I read her statement dutifully looking for a piece of evidence to warrant the allegations against APC, I found it tucked somewhere in the middle of the piece; it states that the raid at the APC data center in Lagos produced, among other things, videos of 21 hacking tutorials and a drive with a malicious code.
Some parts of the text read thus: “The tutorial video focused on the following areas: How to become a hacker and steps to take to avoid detection in the process of hacking web services. Steps and procedures of system hacking, passwords cracking, decrypting, escalating access privileges and creating backdoors to servers’’.
Further more the statement said the tutorial clearly explained how to evade security of database such as “Intrusion Detection Systems (IDS), firewalls and other measures put in place to deter hackers’’. … the video also outlined ways to identify vulnerabilities in systems and how to cleverly drop a USB flash drive in a target establishment. … “The video explains how to hack into the systems of media houses with the aim of broadcasting fake stories or headlines’’.
I do not know if Ms Marilyn Ogah discussed her “evidence” with a computer/online security expert before going public, but I suspect she didn’t.
Consider this, if you find in my possession a video of how to disarm a man with an AK47, it would be premature to (on the strength of the video) conclude I intend to use that knowledge to attack and disarm a Nigerian armed forces personnel. I could have been looking for that knowledge to defend self should an armed robber break into my home wielding a gun. It may be true you found the videos, but are the videos enough proof there is a plan to hack INEC? I doubt that very much. What if APC was only grooming people who would protect its servers against malicious hackers?
It is well known among cyber security operators that to guard against a hacker, you MUST ‘become’ a hacker. What this means is you must know what a hacker knows. To have an upper hand over a hacker, you must know what a hacker does, how he does it, how he gets away with it, what he needs in tools to execute a hack etc. To get to know these things, one MUST learn hacking; not because one intends to hack another’s system, but to protect ones system against attacks by hackers. Corporations spend huge sums employing hackers who constantly “attack” their systems; that way vulnerabilities are discovered and fixed before a malicious hacker finds them. Some corporations are known to reward, handsomely, hackers who find holes in their systems. Bottom line is you need a hacker to beat a hacker; you cannot guard against hacking until you have a good knowledge of what hacking is, and you can’t know what hacking is without learning the art of hacking. Until you know how a thief may break into your home, you can’t stop the thief from breaking in. Again I ask, what if APC was just training its personnel to give them a head start on how a hacker would attack and how to protect the facilities against that attack?
Does APC have any reason to be afraid of a hacker to the point of training its personnel to know what hacking is and how it is done to ensure they are able to protect it (APC) against malicious hacks? I believe it is a YES!
Shortly after the first raid on the APC Data Center Ms Marilyn told the nation DSS recovered servers (among other things) from the facility. If APC has a data center with servers then they have something that a hacker would want to have access to; the database housed on the servers. As a matter of fact, any device with a storage drive is of interest to a hacker for the simple reason that it may have vital data stored on it. Let it be known also that APC is the major opposition party, they have competitions all around them, any hacker who breaks into their systems would have hit a jackpot, literally. Preventing that from happening by way of getting staff acquainted with how it may happen seems an ideal course of action.
From the foregoing, it is my view that the evidence presented by Ms Marilyn Ogah on behalf of DSS does not in any way proof APC had a plan to hack INEC; except if they have some other evidence we are yet to know about. Shouts of confessions by those arrested alone will not suffice to proof (as you can torture a man to say whatever you want him to say). Already, APC has been shouting itself hoarse that her staff were malhandled, maltreated and tortured physically and emotionally to tell DSS what it wanted to hear. This may just be APC ranting again, but please tell me; if DSS has such good evidence and confession from suspects why are they not in court? Why the frequent press statements? Are these press releases a carefully crafted plan to tarnish the image of the major opposition party APC before the voting populace close to the elections like they (APC) are insinuating?
Reading through the piece, one could clearly see that Ms Marilyn Ogah frequently jumped from presenting evidence to making inference that could not have been arrived at based on the evidence. For example, when she said “The video explains how to hack into the systems of media houses with the aim of broadcasting fake stories or headlines’’, did she get the aim for the hack from the video or it was an inference based on her conjecture of what the purpose might be? Does she have evidence to support her thinking or did she just make the assertion because there was a camera lens focused on her?
DSS has the right to investigate anybody or any group, however in doing so it must not appear to be pursuing a predetermined goal. DSS should desist from pronouncing guilt or otherwise of persons or groups (that’s for the courts), her role should be to gather evidence of wrong doing, and where sufficient she should call on the courts to determine the guilt or otherwise of the person or persons concerned.
It is my strong convinction that DSS needs more investigations that end in water tight prosecutions than talking.
NOTE: The use of hacker by DSS is wrong. The right word is cracker. A hacker tests systems to patch vulnerable points; a cracker breaks into systems with malicious intents.