SAN FRANCISCO/NEW YORK (Reuters) - One of the people accused by U.S. authorities of being at the core of Lulz Security, perhaps the most feared hacking group on the planet, led a nonprofit group in Galway, Ireland, dedicated to making websites more secure.
Darren Martyn, who was named in an indictment unsealed in Manhattan federal court on Tuesday, was a local chapter leader of the Open Web Application Security Project, which develops open-source applications to improve security, according to an official at the international group.
Thomas Brennan, who is a director of OWASP’s parent group, said Martyn resigned last week.
“It’s about laws and ethics, and people have to determine whether they want to follow the speed limit, follow the law,” Brennan told Reuters, referring to hackers who choose to break the law. “We have the same skill set as the bad guys, but the only difference is ethics.”
Martyn didn’t immediately respond to a request for comment. His Facebook page says that he attended the National University of Ireland in Galway and that “people who inspire” him include reformed hacker Kevin Mitnick, security professional HD Moore and Mahatma Gandhi.
Martyn was named in the same indictment as Jake Davis, accused of being Topiary, and Ryan Ackroyd, accused of being Kayla - both online handles made famous in the hacking world after their group chats were leaked last year.
Martyn was known online as Pwnsauce and Networkkitten, according to the indictment that was unsealed alongside the guilty plea by Lulz Security leader Sabu, exposed as Hector Monsegur of New York.
Martyn is listed in the indictment as currently residing in Ireland, but it was unclear if he had yet responded to the U.S. charges.
If found guilty, Martyn would hardly be the first hacker to do good things by day and bad things by night.
People drawn to computer security often gravitate to it at a young age - the indictment says Martyn is 25 but local Irish newspapers say he is 5 or 6 years younger than that - and they test their theories by breaking into places they shouldn‘t. Many respected professionals were once offensive hackers as teens but stopped before they ran into real trouble.
Others didn’t make the switch in time and continued to ply both ends. Consultant Max Butler was a significant contributor to open-source security software before being revealed in 2007 as “Iceman,” proprietor of the largest U.S.-based underground market for selling stolen credit cards and other hacked data.
Even many of those who went straight, or always were, have an ambivalent sympathy for Anonymous, the much larger cyber-activist group that gave rise to Lulz Security, or LulzSec.
Some share core political tenets including distrust of governments and a passionate belief that computers and the Internet are tools for individual empowerment that need to be defended.
Perhaps as significant, many in the trade are tired of not being listened to. They have warned corporate leaders for years about the need to spend in order to plug obvious holes in their security, but little has been done.
With spectacular hacks of well-known companies, Anonymous and Lulz Security have finally made company boardrooms give more than lip service to cyber security, corporate consultants and police investigators say privately.
At last year’s DefCon convention for amateur and professional security enthusiasts, a panel of experts went so far as to give advice on how Anonymous could improve itself. Among the ideas was for the amorphous group to publish guidelines and only attack companies that ran afoul of them.
Panelists Josh Corman and Brian Martin wrote in a follow-up blog post that they wanted a “better Anonymous.”
“`Better’ does not mean more criminal acts in the name of the greater good, it means a more efficient organization that can achieve the same (or better) results with less collateral damage,” they wrote.
Outside investigators working with the FBI have told Reuters that some employees of major security companies have been active in Anonymous, though it is unknown if any played a role as large as the one Martyn is accused of playing.
In a conversation posted online, an email sent under Martyn’s name appeared to acknowledge the temptation of using hacking skills for criminal ends. “Remember,” the email dated last October said, “all hackers have potential to do good as well as evil, it is just a matter of their choice.”
Reporting by Joseph Menn in San Francisco and Basil Katz in New York; Editing by Gary Hill