
Meet The Lebanese Hacker Tormenting Sony “For Moral Reasons”

Jun. 13 2011 - 3:10 pm

The image on Lebanese hacker Idahc's Twitter account.

The unprecedented hacker feeding frenzy that has surrounded Sony since early April has been fueled by complex motives: The hacker collective Anonymous originally barraged Sony for its lawsuit against hacker George Hotz. And the newly-emerged group LulzSec continues to pound the company for, well, the “lulz”–the pure joy of destruction. “If you want ethics, go cry to Anonymous. True lulz fans, stay tuned in,” the group wrote on its Twitter after hacking three more Sony sites on Saturday.

But ask one lone Lebanese hacker who has been targeting Sony for three weeks why he continues to torment the company, and he offers an even more ambiguous answer: It began as “justice,” says the hacker who calls himself “Idahc.” Then it became “a game.” And now, he argues, he’s actually trying to make the Web more secure. “I did this to push Sony to pay more attention on their security and to show everyone that I.T security is fundamental,” he writes to me in an email. “I don’t hack for ‘lulz’ but for moral reasons.”

Idahc says he’s an 18-year-old Lebanese computer science student, working from a “poor Internet connection” and a laptop, hiding his identity with the usual tricks such as VPNs and proxy servers that disguise his origin, as well as hacking into his neighbor’s network. From that humble setup, he’s managed to evade arrest while hacking Sony three times, most recently compromising a database of Sony Portugal users last Thursday by exploiting three different types of Web vulnerabilities on one page: a cross-site scripting flaw, a SQL injection, and an iframe injection.

Idahc made a point, however, of not exposing the entire database, only a small sample of the email addresses. “I am not a black hat to dump all the database,” he wrote in his now-deleted announcement of the hack on publishing site Pastebin. “I am grey hat.”

That Sony breach makes three for Idahc, after the young hacker earlier penetrated Sony Europe’s database with a similar web bug and exposed 120 users’ information, and before that hacked Sony Ericsson in Canada, compromising 2,000 users’ information and posting about half of it online. “ALL websites of Sony are vulnerable ……0.0001% security,” he wrote on Twitter over the weekend.

But Idahc maintains that he has stayed apart from groups like LulzSec because he considers them to be “black hat” hackers without his restraint. “I like to work alone, especially because when you are in a group it will always be a team decision, so when it’s about confidential info some person may choose to do something illegal with it,” he writes. “I like to handle it in my own way.”

That Idahc considers himself a “grey hat” hacker, however, shows how far towards the darker end of the spectrum that term has shifted. The 1990s hacker group the L0pht, for instance, which claimed to be “grey hat” hackers, worked directly with the companies whose products it hacked to fix their flaws. But Idahc hasn’t contacted Sony to discuss the company’s security issues, and argues that the company wouldn’t have responded if he had. “The best way is to show in public some information like emails of the vulnerable server and they will directly correct the flaw,” he writes.

I contacted Sony for comment, but didn’t immediately hear back from the company.

Even if Idahc’s methods cross the line of what the infosec community calls “responsible disclosure,” to put it lightly, he nonetheless criticizes LulzSec’s recent escapades, like hacking the FBI program InfraGard and the security firm Unveillance. “They shouldn’t play with the FBI,” he says. “I think this act falls on the black hat side.”

Likewise, he says he wouldn’t have breached one million of the passwords in Sony Pictures’ database, as LulzSec did earlier this month. “I didn’t even publish all the information I had,” he writes. “It is not my goal to destroy. I want to help Sony.”

With more than 17 hacking embarrassments in just the last two months, it’s safe to say this is the sort of “help” Sony would happily decline.


Comments

  1.

    SQL injection attacks are cause for embarrassment. It’s more like trespassing than breaking & entering. No web-accessible database should be vulnerable to that, it’s one of the easiest attacks. Cross-site scripting is slightly harder to prevent, but not too much. Really, it’s the least you could do if you’re trying to protect someone else’s data (like your users’ emails). If SONY won’t protect their user’s data with the most basic of defenses just because it’s the right thing to do, maybe embarrassing them will make them pay attention. At the very least, it will show users that their data isn’t safe with SONY, so maybe they’ll stop giving up their data. Either way, the web will be safer.
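The commenter's point is that the two bugs named in the article, SQL injection and script or iframe injection, are stopped by routine defenses: parameterized queries and output encoding. The following is an added illustration, not code from the article or from Sony; it uses a constructed in-memory SQLite table and a made-up email lookup, and shows the flawed pattern beside the fixed one.

```python
import html
import sqlite3


def make_db():
    # Constructed sample data standing in for a site's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO users (email) VALUES (?)",
        [("alice@example.com",), ("bob@example.com",), ("o'neil@example.com",)],
    )
    return conn


def lookup_vulnerable(conn, email):
    # The input is pasted into the SQL text, so quote characters in it
    # change the query's grammar: a legitimate "o'neil" address raises a
    # syntax error, and a crafted value can widen the WHERE clause.
    sql = "SELECT id, email FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    # Parameterized query: the value travels separately from the SQL text
    # and is never parsed as SQL, whatever characters it contains.
    return conn.execute(
        "SELECT id, email FROM users WHERE email = ?", (email,)
    ).fetchall()


def render_vulnerable(value):
    # Reflecting input straight into HTML lets injected markup
    # (script tags, iframes) become part of the page.
    return "<p>Results for " + value + "</p>"


def render_safe(value):
    # html.escape converts <, >, &, and quotes into entities, so the
    # browser displays the input as text instead of interpreting it.
    return "<p>Results for " + html.escape(value, quote=True) + "</p>"
```

The quote-breaking and tautology cases are the standard textbook checks; the safe variants return the expected single row or no rows for the same inputs.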

  2.

    One of three things is probably going on with Sony:

    1) Their data security personnel are incompetent;

    2) Their data security people know what to do but management has refused to fund it;

    3) They outsourced their data processing to vendors who have done a very poor job of securing customer data.

    When you talk to them, can you try to find out which is the case?

    Do they handle their data processing and security on a very decentralized basis where each division runs its own show or do they have centralized control of the whole data processing/security operation?

    Why have they been so slow to respond and correct these deficiencies?

    Bet they won’t want to answer these questions!

    http://ReportingWrongdoing.com

About Me

I've covered the cybersecurity and privacy beat for Forbes since 2007, with frequent detours into digital miscellania like switches, servers, supercomputers, search, e-books, online censorship, robots, and China. My favorite stories are the ones where non-fiction resembles science fiction. My favorite sources usually have the word "research" in their titles.

Since I joined Forbes, this job has taken me from an autonomous car race in the California desert all the way to Beijing, where I wrote the first English-language cover story on the Chinese search billionaire Robin Li for Forbes Asia. Black hats, white hats, cyborgs, cyberspies, idiot savants and even CEOs are welcome to email me at agreenberg (at) forbes.com.
