I've resisted discussing this but I think it's late enough after the event to chime in.
First off, disclaimer: We sell HBGary's products in the UK, I know Greg and Penny personally, as well as Jussi (who runs rootkit.com but as far as I'm aware does not work for HBGary). I'm not claiming to speak for anyone or any company, just for myself on a purely personal level.
After looking into this, what happened is that HBGary invested in 15% of HBGary Federal, a company set up to do work HBGary didn't want to do. Now presumably (from TFA) they were looking at selling this off.
I don't know Aaron, but it sounds to me like he's a bit of a character at least (I'll leave it to others to resort to name-calling) and completely misunderstood what Anonymous are and how they work - FWIW we investigated Anonymous years ago for some clients who'd been DDOSed and concluded that the simple solution is (to paraphrase Greg's IRC comment) not to poke the wasps' nest.
Penny, Greg and HBGary in general are in a bit of a tough situation now because of Aaron's actions and appear to have no ability to impose anything on HBGary Federal. This should serve as a warning to others that if you're going to use the name elsewhere, you better have a way of enforcing unforeseen issues that may arise.
The sad thing about all of this is that Penny and Greg are really great guys, and HBGary is a good company with some insanely great technology. I'm sure they'll pull through, but I imagine there will be collateral damage for them resulting from this for some time to come.
We don't know if the security of the mailserver was at stake here. A web app was compromised through SQL injection, then lateral movement was used to get to the mailserver (which may or may not have been on the same box).
The rootkit.com mail server has nothing to do with HBGary AFAIK.
To put it in perspective, HBGary's (not HBGary Federal) technology is a thing called Digital DNA that cuts down the amount of time it takes to analyse memory fragments. That's their focus.
I could understand your reference if they were a company that wrote mail server software and were compromised through their mail server, but your point is a bit of an apple to oranges comparison.
The thing is, people get owned all the time. Even security companies. Heck, we get targeted attacks on us fairly routinely, and when something comes in we have (I think, and unlike most we have actually been able to test its effectiveness) reasonably good methods for detecting bad stuff coming in and going out, but I'd never say that one day our emails won't end up spread across the Internet, and I wouldn't be so bold as to suggest that someone that has had systems compromised didn't do a proper job just because they were compromised.
The attacker only needs one way in. The defender has to protect against everything. That's not a level playing field.
> A web app was compromised through SQL injection, then lateral movement was used to get to the mailserver (which may or may not have been on the same box).
If their aim was the highest level of security, then such lateral movement should not have been possible.
Which nobody has stated was their aim. There's a big misconception that somehow security firms should strive to have absolutely perfect security, which is completely wrong.
Security firms should aim for the most appropriate level of security to protect their information assets based on a reasonable approach. As should everyone else.
If their source code was stolen, then yes you could say that the level of protection was inappropriate because if the source code is the highest value asset they have, it probably shouldn't be accessible from the Internet.
That an Internet-facing web app was broken into and an email server for receiving and sending email to and from the Internet means that they have to be connected to the Internet to work. If these systems contained information assets that were sufficiently sensitive to the point of considering post-compromise lateral movement then they probably shouldn't be connected to the Internet.
> Which nobody has stated was their aim. There's a big misconception that somehow security firms should strive to have absolutely perfect security, which is completely wrong.
Putting words in my mouth. No one said anything about perfect security.
> Security firms should aim for the most appropriate level of security to protect their information assets based on a reasonable approach. As should everyone else.
And they did not do this.
> That an Internet-facing web app was broken into and an email server for receiving and sending email to and from the Internet means that they have to be connected to the Internet to work.
Of course. It does not follow that breaking into the web server should compromise the mail server, or vice-versa. You're really losing me there. What you're saying is that they saved what was likely a small amount of money in exchange for a large amount of security. (All of the corporate emails.) I wouldn't want security work from a company as short sighted as that.
> If these systems contained information assets that were sufficiently sensitive to the point of considering post-compromise lateral movement then they probably shouldn't be connected to the Internet.
I bet I could find a company that could set up an email server that couldn't be compromised just because the web server was compromised.
> Putting words in my mouth. No one said anything about perfect security.
No, you mentioned the highest level which I took to read as perfect. If that's not what you meant then I'm sorry for reading too much into it.
> And they did not do this
Which I feel more inclined to agree with rather than claiming they failed because they didn't meet the highest level of security. However, a compromise doesn't necessarily mean that they didn't do enough - as TJX would be happy to tell you. Compromises happen, if they didn't we wouldn't be in business.
> Of course. It does not follow that breaking into the web server should compromise the mail server, or vice-versa. You're really losing me there.
It depends - it's not clear whether or not these are the same server. As well as this what's important is that someone somewhere in HBGary considered the possibility of getting hacked as part of a process to determine what countermeasures they should look to put in place.
It might not have been a small amount of money, they might have saved a lot or nothing. Having mail servers compromised is embarrassing but shouldn't be the end of the world - because anything that would cause real pain you would have to expect countermeasures for. Where this gets interesting is that with some of the documents Mr. Barr has not considered the possibility that his account might get hacked. If you don't consider your defences compromised to begin with, you're likely to compromise on your defences. The issue isn't 4 Gig of mail has been leaked, the issue is more to do with whether or not anything sensitive should've been encrypted. Of course, we're all only human and make mistakes, but dealing with this will be part of paying for them.
> I bet I could find a company that could set up an email server that couldn't be compromised just because the web server was compromised.
I've no doubt you could find someone who'd claim that they could do it, but it's all going to depend on the architecture, configuration, software and maintenance involved. FWIW I don't believe that HBGary used a company for their mail, I read somewhere that Aaron Barr was the administrator - perhaps that was an oversight on HBGary's part given comments about his personality by other staff members.
> Putting words in my mouth. No one said anything about perfect security.
> No, you mentioned the highest level which I took to read as perfect.
Given the opportunity, you choose a mediocre interpretation instead of the most intelligent one. (Actually, that's charitable. You ascribed an idea to me that everyone knows doesn't exist.) This results in a lower level of discussion.
> I bet I could find a company that could set up an email server that couldn't be compromised just because the web server was compromised.
> I've no doubt you could find someone who'd claim that they could do it, but it's all going to depend on the architecture, configuration, software and maintenance involved. FWIW I don't believe that HBGary used a company for their mail, I read somewhere that Aaron Barr was the administrator
And how isn't this a red flag for organizational incompetence at HBGary?
I think we're talking across purposes here. I'm asserting that the fact that they were compromised isn't particularly bad. People get hit all the time. The fact that they were hit by an SQL injection bug is unfortunate and should've been picked up but these things happen all the time. I'd also say that while they're a security firm they should still be held to the same standards as everyone else, there's nothing inherently special about a security firm being compromised any more than a plumber's getting a leak - what matters is the damage and how they fix it.
The red flags as you call them are not the facts nor the means of the compromise alone, it's the data that is lost and whether or not HBGary Federal a) practiced what they preached and b) followed appropriate processes and policies to protect the information assets according to their sensitivity.
My hope is that on balance they did b fairly well and maybe some of a. My expectation is that they did some of a and probably not a lot of b, the results of which would be the red flag.
Again, I don't think that security companies should be held to higher standards than others as on balance we tend to hold less sensitive data than our customers (although that which we hold we should handle correctly). If this were an online pet shop people would talk about the attacks being quite advanced, laugh a little and move on. HBGary Federal aren't the first security firm to get hacked into and won't be the last.
> there's nothing inherently special about a security firm being compromised any more than a plumber's getting a leak - what matters is the damage and how they fix it.
A word of advice: If a plumber gets a leak, it's no big deal. If a plumber's office gets massive but avoidable water damage through their short-sighted incompetence, don't hire them.
I don't think the down-vote was necessary. I agree it will always look bad, and obviously they need to do better. But there's no logical inference about the quality of the work they do for clients that can be made from them not securing themselves. In particular, if they are busy and thorough with clients they may not have the time to sort themselves out. As the saying goes...
Dogfooding is not so appropriate, regular testing of software/cooking through continuous use is quite different to infrequent security attacks. Perhaps they are testing intrusion detection ;)
> They're calling themselves a "security firm" (at least that's how everyone refers to them) and they engage in cyber-warfare against anonymous.
Random acts of stupidity by individual actors that should know better do not qualify as cyber-warfare.
> Having your mailserver compromised on that premise, during what was probably the first serious attack, disqualifies you from that game.
I sincerely doubt that was the first attack on their infrastructure and applications. We're routinely attacked by targeted threats and we're even smaller than HBGary.
> And by the way, how do you know their source code was not stolen or backdoored?
I don't, but I will be asking about it when I speak to them, as will everyone else they speak to. Hopefully they will segregate the code from the Internet.
> Excuse me? "Absolutely perfect security"?
> This was not some minor breach into some peripheral webserver. 4.71GB of their E-Mail is on BitTorrent
And what's the value of the information assets stored in that e-mail? Is it 4.71Gb of subscription reminders for icanhazcheezburger? What proportion of that mail is actually sensitive and unencrypted, or decryptable within a timeframe where the sensitivity is still relevant?
This is the thing, it's easy to scream about volume, but the fact is that there's a lot of data to go through. We've already seen stuff leak out from it that realistically was not best placed to be sent around unencrypted, but the same would apply in any company that had their mail servers broken into, the mail stolen and then distributed across the Internet.
> They're calling themselves a "security firm" (at least that's how everyone refers to them) and they engage in cyber-warfare against anonymous.
> Random acts of stupidity by individual actors that should know better do not qualify as cyber-warfare.
A firm that can have their entire email database compromised by one individual's "Random acts of stupidity" doesn't have enough safeguards.
> And what's the value of the information assets stored in that e-mail? Is it 4.71Gb of subscription reminders for icanhazcheezburger?
We know it's not that. Ask any random company what they think of having their email db out there as a torrent. No one is going to like that idea. It may not be the end of the world, but no one credible is going to say it's not a big deal. No one is going to say it's worth the money saved by not isolating your mail server.
> This is the thing, it's easy to scream about volume
No one is screaming about volume. That wasn't even central to the point being made. You seem to be trying to pretend it is, though.
> but the fact is that there's a lot of data to go through.
But then you turn around and invoke "security through too-much-stuff."
I think the issue here is that there are two entities: HBGary and HBGary Federal, that seem to be only linked by investment and name. HBGary Federal was 'engaged in cyber-warfare' against Anonymous, not HBGary.
"There's a big misconception that somehow security firms should strive to have absolutely perfect security, which is completely wrong."
I wouldn't use a dentist with bad teeth. I wouldn't get my hair cut by somebody with a bad hair cut. I wouldn't let my garden be tended by someone with an ugly yard.
You're completely right, they don't have to have absolutely perfect security, but it's a business card in the same way that getting all your data hacked and posted to the Pirate Bay is an anti-business card.
> To put it in perspective, HBGary's (not HBGary Federal) technology is a thing called Digital DNA that cuts down the amount of time it takes to analyse memory fragments. That's their focus.
Naive question here. Why don't they market themselves as a memory analysis or debug toolsmiths or something else, instead of a security firm?
I can't believe this guy has a job in a security company doing work for the federal government. I'm getting a strong vibe that he's schizophrenic. I've known an unmedicated schizophrenic, and this is the way they talked and acted. Self-aggrandizing, convinced they have comprehended great secrets based on little to no data (schizophrenics often believe they have "other ways of knowing" or extremely heightened intuition), and a belief that once they tell the whole story of the truths that have been revealed to them the world will take notice and be amazed.
The coder in this story is an hero (OK, just a reasonably nice guy, not afraid to tell the moronic "analyst" to go to hell), and obviously prevented a lot of damage by actively working against Barr's insane plans.
I feel the tiniest bit sorry for Leavy and the rootkit guy, as they clearly weren't encouraging this stuff, but really, they knew this guy was a whack-a-mole and they kept him on anyway, I guess because his crazy ego managed to close sales. It's really hard to take pity on someone that knows there's a crazy guy using company resources to go on a personal jihad against random kids on the Internet, and doesn't do anything to stop it.
The level of invasion of privacy this guy was taking part in, against children, is pretty much inexcusable. He's not law-enforcement, and should not be allowed to act as though he has a warrant for rifling through the personal lives of dozens or hundreds of children. All 50 states have laws that cover cyberstalking, cyberharassment, and cyberbullying; in a just world, this nutjob would end up in prison. Whether these kids have done anything wrong or not is irrelevant. Barr is a private citizen, an adult, and he ought to leave law enforcement activities to the police or FBI.
Edit: I should point out that I don't think anyone should be arrested for browsing facebook or twitter or whatever. I was a bit rambling in this comment, and the entirety of my thought processes are not exactly made clear by the text. The stuff that I think is probably illegal is the stuff he was doing outside of his actual research: Dropping hints and threats in mainstream media and in IRC about the data he was gathering, using his fake persona to stir up a shitstorm by leaking that a security company was gathering data on the people he was talking to, etc. I had to google cyberstalking to even know if there were laws about this stuff (and there are, and in all fifty states). While I don't know if those laws are reasonable or not, I'm pretty sure he crossed the line into breaking some of them, particularly in the case of his underage targets.
I'm not sure that schizophrenia is any better an explanation than straightforward arrogance. Assuming that the leaks of his work are reasonably accurate I'd be concerned if the government actually started using his research to arrest people though.
I'm not sure that Barr's interest in finding patterns in publicly available information in order to sell his intelligence is any different to advertising analysts doing the same thing. The attempt to socially engineer Anonymous via IRC is a bit more extreme, but I haven't seen any evidence that he intended harassing them; the problem would have occurred if and when law enforcement bodies started harassing innocent people based on his dodgy intelligence. If you start making any investigative work or social network analysis carried out by private citizens online illegal on the basis of stalking laws then you risk censuring a lot of people actually doing good work.
True, and Barr's idea is not actually far off; Facebook and other social networking sites are intelligence goldmines, linking people to aliases, groups, networks, and a lot of other things. Think of how hard it may be for a fugitive to retreat to a trusted safehouse when he's published a list of everyone he's ever met on Facebook via the Friends list, and/or named the handful of people he hasn't friended in a status or note.
The CIA has shown interest in Facebook's database for a long time, because, besides the normal detective work a normal detective can do if he reads through a Facebook page, if you get a handful of real mathematicians working with that dataset, they can certainly rig something up that would at least return really interesting results.
I am not a lawyer, but I'd like to address your legal points.
Just as I don't need a warrant to view a publicly available website, he shouldn't either. What you are proposing is that it should be illegal to view public pages in a certain order or time. What is the difference of me viewing 100 of my new crush's friends' pages over 2 days vs 2 years? There isn't, but the first is rifling, the second is innocent curiosity.
I don't believe he was cyberbullying anyone. However, to address cyberstalking and cyberharassment we first have to consider what a reasonable person would have felt had those actions been taken against us. Before the release of the data, and while this was going on, those on the list were unaware of what was occurring. Just as a reasonable person isn't threatened until they become aware of the stalking, threats, etc in real life. Being unaware of what he was doing would mean that nothing constituting cyberstalking, cyberharassment or cyberbullying took place.
Barr is a private citizen accessing public information and drawing crazy conclusions. There's nothing illegal about that nor should there be.
"Before the release of the data, and while this was going on, those on the list were unaware of what was occurring. Just as a reasonable person isn't threatened until they become aware of the stalking, threats, etc in real life."
People did become aware of it before the release, which is why the exploits of his servers happened, and why Anonymous got butthurt and went on a crusade.
He was dropping hints and threats in IRC, national media, and in email, that he was doing this stuff. He also "leaked" via his fake persona some of the kinds of information he was gathering to his victims in order to drum up more publicity and to scare them into action. And, it now turns out, he planned to do a lot more than that.
I don't have a problem with him idly browsing facebook or twitter, though I have to question the mental stability of someone that spends all their time voluntarily reading and logging the incoherent ramblings of teenagers all day and trying to build a conspiracy out of it.
The legal issue is that he was threatening people with exposure, via major media outlets. When seeing this stuff, anyone who ever happened to drop in on the IRC channels had to think, "Crap. When is the FBI gonna show up to question me because I made a joke about Egypt on IRC?" You and I both know the government are wholly incompetent at dealing with issues on the Internet, and they try to make up for that incompetence by being extremely heavy-handed in execution of their misguided policies. I'd be scared as hell if I thought someone, apparently trusted by the government, was going to "reveal" my involvement in some wacky Internet conspiracy to the FBI.
The only real legal point you have is the hints and threats issue. There isn't a good public record of what was said. From the article, it appears as though he said he wasn't going to publish names publicly. Although, it seems to suggest this was post DDOS.
There isn't a clear enough public documentation of what happened to fully say one way or another. My suspicion is that those on the list did not tell him to stop, which is one way legally of measuring when harassment starts.
Wouldn't communicating an "untrue statement of fact" that certain people are leaders of an allegedly law-breaking group to government officials or other people constitute defamation (assuming that their reputations were harmed as a result)?
1. The first is that he did not release the report publicly, which is what would cause the defamation. Anonymous did. Thus he wouldn't be responsible for the release of the data. The issue here is really the publishing of it. He did not publish it, and selling it to a private law enforcement agency, in my mind at least is not publishing it.
2. The second issue is related to false police reports. In America, it is illegal to file a false police report. However, this is not what is happening here. He is not claiming to police that a crime was actually committed, instead he is providing information related to that crime. He is basically selling criminal leads to law enforcement. He's basically doing a crime stoppers like program, but generating the leads himself and going straight to the feds.
2. On #2, so if you want to harass someone without putting yourself on the line, generate "evidence" about them and provide it to law enforcement, but don't file a police report. Good to know!
Defamation and libel are civil offenses, meaning (in my lay understanding) a person can be held financially liable if sued but cannot be imprisoned or otherwise restricted except as far as he can be constrained to pay the judgment filed against him.
IANAL but it doesn't sound like he did anything criminal to me. He's obviously misguided and silly, thinking he can draw statistical relevance from assumptions based on his personal reading of Facebook profiles, but there is nothing illegal about reading information that someone posts on the internet.
Cyberstalking, to the best of my non-lawyer knowledge, involves real, disruptive harassment, not just a guy who saw you were friends with some other guy and drew some wild conclusions from that.
Barr never dropped the names so any post-facto prosecution for cyberstalking that would have been primarily based on his use of electronic methods to "identify" Anonymous leaders is unlikely.
I don't think there's anything wrong with doing your own detective work, and you certainly don't need a warrant to follow Facebook or Twitter pages. Private investigators do this kind of stuff in the "real world" all the time (granted, they have licenses).
I agree that Barr is incompetent and/or a tinge off his rocker, but the idea that only law enforcement should be able to search publicly accessible data is silly. If I find the page of a guy I haven't seen in five years, should it be illegal if I spend some time reading his publications? What if I just want to find someone that I've heard a story about so I can ask them more information? Should that be illegal? Remember, the people publishing these things publish them by their own choice with the understanding that they are making the information publicly accessible.
Dropping a bunch of names and recklessly implicating individuals in a criminal investigation is at least a civil offense, but there's no crime in drawing wild conclusions about people while cruising Facebook -- at least as long as you use the conclusions judiciously.
I believe what is illegal is that he was threatening these people, by dropping hints in IRC and national media. He used his fake persona to notify the people he had identified as "leaders" that a security company was researching them and had leadership information, etc.
I don't think it should be illegal to browse facebook, twitter, etc. But, the social engineering aspect of things and the kind of shitstorm he was cooking up was definitely evil and irresponsible. I believe some of the stuff he did does constitute bullying or harassment, and many of his targets are underage.
Regardless of the legality, which was just an afterthought in my post, honestly (I had to even search to see if cyberstalking and such had any legal meaning, and it turns out it does), I find what he was doing disturbing as hell.
"Self-aggrandizing, convinced they have comprehended great secrets based on little to no data (schizophrenics often believe they have 'other ways of knowing' or extremely heightened intuition), and a belief that once they tell the whole story of the truths that have been revealed to them the world will take notice and be amazed."
Are you describing a schizophrenic or a newbie entrepreneur? ;)
Regardless of whether the ones he called out are innocent (though I suspect most are, since his methods are the work of a madman), he trawled through hundreds of profiles, twitter feeds, IRC conversations, and basically cyberstalked the hell out of every friend of every person he thought might be a "leader" of Anonymous; many of them underage, and the vast majority completely oblivious about Anonymous. He even created a fake persona, who was a kid just like his targets. This is the stuff pedophiles and con-men do to get closer to their victims. I'm not suggesting the guy is a pedophile (but "con-man" might be a good word to describe him); I'm just saying that I can't believe any adult (if not Barr himself, who I don't think is quite sane, then one of the many people at his company who had some idea of what he was doing) would look at all these activities and not think, "Whoah! This is crazy and probably illegal. We need to reel this guy in, or get him out of this company before he causes us real trouble."
> he trawled through hundreds of profiles, twitter feeds, IRC conversations, and basically cyberstalked the hell out of every friend of every person he thought might be a "leader" of Anonymous...This is the stuff pedophiles and con-men do to get closer to their victims might do.
That's also what private investigators and intelligence agents might do. By your logic, all private investigators using the same methods are pedophiles.
If I were deliberately smearing AB, I'd try to concoct a reason to mention him as you do in posts also mentioning "pedophile" and "schizophrenic" as often as possible, only I'd use logic that wasn't such an indiscriminate stretch.
That said, yes, I agree he's an unsavory character. His actions were also likely to get him in trouble. He was totally out of his depth and should've been fired.
"If I were deliberately smearing AB, I'd try to concoct a reason to mention him as you do in posts also mentioning "pedophile" and "schizophrenic" as often as possible, only I'd use logic that wasn't such an indiscriminate stretch."
Yeah, I would, too.
But, I'm being sincere. This is creepy behavior from a guy who was not listening to reason from anyone around him.
I don't think anyone needs to smear him...anyone who reads the emails can't come away thinking this guy is a good guy. I'm just ranting because this whole thing is terrifying to me.
The thought that our government might be funding this kind of insanity under the guise of "national security" is...well, have you ever seen The Lives of Others? It's a great film about the Stasi in East Germany, and how they read everything, watched everyone, kept dossiers on everyone, and basically just kept an eye on every single person on the off chance they might be up to something. This, to me, is the modern equivalent...though I would hope it's not taking place in any actual police office.
A friend of mine has a father who had a file on him by the Stasi. In it they had a "scent sample". Someone had broken into his bedroom and stolen a piece of linen that he had slept on while he was in the shower one day. It's crazy to think that someone had/has the job of collecting "scent samples". And what a government would need that for, really.
Oh man, I'm not sure if this is funnier if you meant it, or not...
> in a just world, this nutjob would end up in prison.
Yup. I'm interested to see what happens in the weeks ahead. I really doubt that anything bad (other than getting his SSN posted to Twitter...) will actually happen to him, though.
Isn't anonymous less an organized group with leaders and more a bunch of people who hang out and occasionally someone says "hey, it would be cool if we all did <thing>" and whoever is listening joins in?
Yes, but traditional media has a hard time grasping the concept. It's just a lot of directionless guys that latch onto whatever cause seems palatable at the time and requires no more effort than running LOIC/other simple DDOS programs. Basically the definition of script kiddies, there's just a large concentration of them on one message board system.
And assuming fun is not randomly distributed, then it should be possible to identify possible Anon targets by judging the amount of fun it would be for them to take on. Of course, this being Anonymous, it would be unfeasible to survey the full range of targets, because they seem to select those at random.
This is true, but doesn't mean there aren't coordinators, actually skilled hackers who embrace the directionlessness even as they give it direction. It isn't _just_ foot-soldiers.
There are no real leaders; they may break off into factions, like those that frequent a certain IRC room, but the group "Anonymous" is a non-entity by any meaningful definition. It's whoever happens to be on 4chan or other, mostly similar message boards, and out of those, whoever is enticed to join a chat room or download LOIC, and out of those, people that actually click the button to send a lot of requests to DDOS (or people that show up to taunt Scientologists, as the case may be).
There are lots of people that go there to marshal the forces and most fail, cf. "/b/ is not your personal army". If someone happens to generate a buzz that rings for most of the board's demographic, they can start a chain reaction where a lot of people hit MasterCard at once, and get a bunch of disciples attracted to an IRC room for who knows how long -- it may last a day or a month, there's no way to say definitively. The marshaller then becomes the leader of that group of disciples, but "Anonymous" isn't a group by itself.
The most accurate definition for Anonymous is "a subset of users of Xchan". That's not a very good definition, especially if you want to go around and pin DDOS and whatever else on individual people.
> The most accurate definition for Anonymous is "a subset of users of Xchan". That's not a very good definition, especially if you want to go around and pin DDOS and whatever else on individual people.
I mentally replace "Anonymous" with "protesters" whenever they're protesting anything. It makes it a lot more clear and it's more accurate. We already have amorphous groups of people who protest various things, and this is, as near as I can tell, the online equivalent.
I would guess that such groups are being manipulated by exceptionally smart people for specific ends, some significant fraction of the time.
I think that's a tempting theory to have. Explains a lot and is easy to understand, but I think it gives individuals too much credit.
I would guess exceptionally smart people drift in and out at random and attempt to use the group for specific ends. I think their success rate is slim and random.
By "random" I actually mean the group may go along if it thinks it would be "lulz". Notice I said "may", it also may not - lots of random noise in the hive mind.
What this means is that trying to control or predict the actions of the group is a fool's game. At best you may be able to influence them occasionally in some small way; it's pure chaos theory.
> I would guess exceptionally smart people drift in and out at random and attempt to use the group for specific ends. I think their success rate is slim and random.
I think that's what they want you to think. It may even be true. It's not a reason to give up on the "smart core group" theory, though.
> I think it gives individuals too much credit.
This is a long running debate. There is a camp that thinks individual personalities have significant effects on History. I'd be willing to believe that Anonymous is entirely emergent, but in that case, there would be a "fossil record" of its evolution. (Great. Now that I've posted that, some smartass Anon is going to create one!)
> What this means is that trying to control or predict the actions of the group is a fool's game. At best you may be able to influence them occasionally in some small way; it's pure chaos theory.
There's no good way to guarantee which way a buffalo herd will stampede. Doesn't mean there's zero utility in doing so, or that no one can be held accountable.
You don't have to be exceptionally smart, only persistent and willing to eschew the trappings of leadership in favor of playing the "Anonymous has no leaders" game. Anonymous craves leadership but resents authority, so it's crucial to appear indistinct from the super- or trans-human whole while prodding the herd in your desired direction lest you pop the illusory bubble that gives it strength. This is not unlike what Jaron Lanier calls the "oracle illusion", by which something like Wikipedia gets much of its perceived authoritativeness by scrubbing out any trace of individual authorship. Anonymous tells Anonymous what to do and Anonymous generally does it.
For instance, the most interesting thing about a thread like this[1] is the timestamps, because they give you a rough idea of how many Anons are actually participating. Two and three minute gaps between posts is an eternity on /b/, the kind of thing you see when a thread hasn't gotten much attention and is likely to die. What I am saying is that many (perhaps most) of the posts (even apparently dissenting ones) in the above thread are likely to have been the same person, persistently bumping an overlooked thread, waiting for it to gain traction.
Of course there is no way to prove this, and one can more easily perceive this is a vibrant conversation between a much larger group of people (which also can't be proved). Whether this was intentional or not, it is an easy way for a vocal minority to recruit from the largely apathetic majority. The perception of being part of a group has an enormous impact on getting people to participate[1].
Not only does anonymity amplify the power of "leaders" in this way, it also reflects the yearning of the "followers" to be relieved of the burden of an individual identity or responsibility. As Eric Hoffer describes in The True Believer: "Those who see their lives as spoiled and wasted crave equality and fraternity more than they do freedom. If they clamor for freedom, it is but freedom to establish equality and uniformity. The passion for equality is partly a passion for anonymity: to be one thread of the many which make up a tunic; one thread not distinguishable from the others. No one can then point us out, measure us against others and expose our inferiority."
That isn't to say that Anonymous consists uniformly of maladjusted poltroons--it doesn't, by a long shot, nor are they generally fanatics in any but the most temporary sense--but it's not controversial to say that it harbors a large population of disaffected youth and misfits of every stripe. Some eager to "do something", others just bored, but all by definition willing to disappear into a crowd.
[2]: I think this is a pretty uncontroversial point, too, but Bill Wasik's "flash mob" work is particularly relevant http://www.harpers.org/archive/2006/03/0080963 "Q. Why would I want to join an inexplicable mob? A. Tons of other people are doing it."
I just wanted to thank you, this was the second post I read this morning because it looked interesting and you didn't disappoint. The way you master the English language is astounding and I only wish I was able to wield words as well as you.
Anonymous describes themselves best when they describe a hive.
Yes, a hive has a queen but she lasts only as long as the workers feel she is productive.
When a hive reaches a certain size it will establish a new hive; it too will have its own queen.
Members of the hive will give off pheromones to signal the other members. Not all will follow, some will, however what's important is that the more pheromones of a certain signal propagate the larger the response. The workers are controlled by themselves to a large degree and the queen is in place with certain ceremonial roles. (laying eggs)
The only reason anonymous is a difficult concept to grasp is that from the day we are born we are taught to respect and obey a hierarchy of authority. This authority exists only in the minds of those that believe it. When the last person stops believing it, it will cease to exist.
Skilled technical hackers giving the attacks technical direction, or skilled social hackers who know how to get a bunch of anonymous teenagers to do their bidding?
Power law still applies. Most likely 90% of serious action is done by the same 0.1% contributors (same as it is on HN or reddit or anywhere else).
It may be a real difference if the 0.1% can be easily replaced, Stand Alone Complex style. Say they're all arrested one day, and a month after something happens (Julian Assange is extradited, there's a revolution in Iran, whatever piques Anonymous' interest). There's a good chance many people at the same time will think that something needs to be done, see that nothing is happening, and do it. Not as good as the "old guard" maybe, but they'll probably try.
We can't really know how well this replacement mechanism works...
If we go with the fact that Anonymous is in fact a true distributed environment, then the replacement mechanism will be very easy. I think Anonymous is a kind of humanized group-comm architecture sans a coordinator.
You're overestimating the uniqueness of Anon. Most communities nowadays don't have coordinators. And Anon doesn't have limitless communication channels, only about a dozen. For a site/software to be a good choice, it has to be already in the "hivemind". Ask 10 Anon to tell them 10 places where they hang, and the most common choices are the (only) ones that are viable.
There is a unique feature though - the anonymity. This could really make a difference if things get serious.
Actually no. I had been in their IRC for some time during the first couple weeks of the Wikileaks leaks, and it isn't like that. They are a group that, just like any other, like HN, have certain common and shared values and talk, discuss and act by them. In their case, basically, they are pro free-speech, pro internet and privacy.
They, like we here in HN, organize themselves around those ideas. Sometimes they act together against someone that goes against their values, like they just did to Aaron, and sometimes they act towards other positive goals like they did in Egypt. It is not about being cool, having fun or anything like that. That is just one of the ways they attract kids and other people to join them in their attacks and other actions. There is no central leadership, no hierarchy, but all their actions are done following certain values and ethics that you cannot really grasp unless you are part of it, just like HN.
Although they don't have leaders, at least in their IRC, there are moderators, that, at least during the leaks, when there were over 3 thousand people in a single IRC channel, would lock the channel, summarize arguments, add questions and unlock it, while they were selecting targets. But usually that only happened when there were that many people and too many trolls spamming the chat.
They are people, from all ages that act by their shared values.
> Isn't anonymous less an organized group with leaders and more a bunch of people who hang out and occasionally someone says "hey, it would be cool if we all did <thing>" and whoever is listening joins in?
This idea is repeated so often, I suspect that there's a group of people somewhere that wants that particular message to be repeated and believed. If I were manipulating a group like Anonymous from behind the scenes, that's exactly what I'd want the net at large to think.
On the other hand, if Anonymous were really as decentralized as implied in this meme, I should think everyone would want the media to think there was a shadowy conspiracy involved -- if nothing then just for the LULZ.
My best guess is that the truth is somewhere in the middle. Anonymous is somewhat decentralized, but there is also a core group (are core groups) that started a self-perpetuating process toward some end. This core group is a little worried that things are a little out of hand, so they are now covering their tracks using the same social-media manipulation techniques used to start Anonymous itself.
Based on my own minimal experience, the majority of these IRC channels are just a small group of "Anonymous" doing whatever they want, different channels will get publicised at different times through different means, "Anonymous" doesn't exist in any way beyond being a label people use, I guess it could be compared to "emo" or "jock" in high school; they have no "leadership" but people join these groups and label themselves as such.
> The show was run by a couple of admins he identified as "Q," "Owen," and "CommanderX"—and Barr had used social media data and subterfuge to map those names to three real people, two in California and one in New York.
Isn't Q the bot that runs on quakenet as a proxy admin?
I don't know what the chances are that Barr's actually that stupid/crazy, but Citricsquid is saying there's a reasonable chance the IRC admin Barr "tracked down the real identity of" was actually a bot.
I'm astounded at both the CEO's (Aaron's) lack of basic grammar skills, and predilection for "script kiddie" talk. How do you get to be CEO of anything when you communicate (even informally) at the level of an 8th grader?
(edit: I meant Aaron; Penny was decently well spoken)
I assumed that all those garbled messages were from typing on an iPhone. One particular error reeked of autocorrect. If you've seen the things people post on Damnyouautocorrect...
Still no excuse for not writing professionally and at least checking up on what you just typed.
He thought that Anonymous was affiliated ("strongly linked") with Wikileaks, as if there was some secret backdoor agreement between them. Nutcase. There doesn't _need_ to be any agreement or promise between Anonymous and other parties.
Why is it so hard for some people to grasp that Anonymous are just what they claim to be - everyone and yet no one person? There is no roster, no voting, but they are still organized.
It's hard because corporate leaders have an incredibly difficult time organizing their own companies to achieve comparable feats to what Anonymous can do overnight.
You can actually use military techniques to analyze why this is. Anonymous operates inside the enemy ODA (Observe Decide Act) loop.
The ODA loop for a typical corporation is at least 5 people. E.g. from when someone observes something (anon is ddosing us) to when that information reaches someone who can act on it (the CEO), anonymous has already completed its complete loop, which is (post on IRC, have people read it and suggest action). The ODA loop for anonymous is on the order of 5 minutes; the ODA loop for a corporate CEO is probably more like 5 hours to 5 days.
Therefore anonymous will always be about 25 steps ahead of a corporate target. The primary advantage that comes from this is that anonymous appears to act 'randomly', which causes further stress on the enemy ODA loop and forces them to continually react, which leaves the proactive party in control of the competitive landscape (battlefield).
If you study military genius you'll find that the most effective commanders were the ones that pushed command furthest down to the org chart.
We know that decentralized control is much more efficient than centralized control. Communism didn't lose because it's a failed ideology or because it's godless; it failed because its command and control systems allocate resources poorly. They allocate resources poorly because of information asymmetry and the length of the ODA loop.
The important thing to take from this for software development is that your time from when you decide to implement a feature to when you deploy to production or get a product to market (AppStore, BestBuy, etc.) is your ODA loop.
Also, for software watch what happens to your favorite webserver under intense load when you replace its queue (FIFO) with a stack (LIFO). The LIFO drastically shortens the median response time.
The unifying concept is the half-life (exponential decay) of plans and information. The older your intel, the less valuable the plans you have built off of that information.
Top-down and waterfall approaches institutionalize this in order to provide an illusion of control to the executives and shareholders. Agile development and maneuver warfare each seek to tighten their feedback loops.
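The FIFO-versus-LIFO claim above can be checked with a small simulation. This is an added example, not part of the thread: a single worker and a constructed overload burst (arrivals every 4 ticks, 5 ticks of service, a 200-tick client timeout), all of which are assumptions chosen for illustration.

```python
from collections import deque
from statistics import median


def simulate(policy, n_requests=1000, arrival_gap=4, service_time=5,
             client_timeout=200):
    """Run one non-preemptive worker over a constructed overload burst.

    All times are integer ticks. Requests arrive every `arrival_gap` ticks
    but each takes `service_time` ticks, so the backlog grows for the whole
    burst and is drained afterwards. The parameters are illustrative
    assumptions, not measurements of any real server.
    """
    if policy not in ("fifo", "lifo"):
        raise ValueError("policy must be 'fifo' or 'lifo'")
    arrivals = [i * arrival_gap for i in range(n_requests)]
    waiting = deque()          # arrival times of requests not yet served
    next_idx = 0               # index of the next request still to arrive
    now = 0
    latencies = []
    while next_idx < n_requests or waiting:
        # Admit everything that has arrived by the current time.
        while next_idx < n_requests and arrivals[next_idx] <= now:
            waiting.append(arrivals[next_idx])
            next_idx += 1
        if not waiting:
            now = arrivals[next_idx]   # worker idles until the next arrival
            continue
        # FIFO serves the oldest waiting request, LIFO the newest.
        arrived = waiting.popleft() if policy == "fifo" else waiting.pop()
        now += service_time
        latencies.append(now - arrived)
    return {
        "median": median(latencies),
        "max": max(latencies),
        # Responses delivered before the client would have given up.
        "within_timeout": sum(1 for lat in latencies if lat <= client_timeout),
    }


def compare():
    """Run both queue disciplines over the same constructed burst."""
    return {policy: simulate(policy) for policy in ("fifo", "lifo")}


if __name__ == "__main__":
    for policy, stats in compare().items():
        print(policy, stats)
```

Under LIFO the median and the number of requests answered before the client gives up both improve, while the worst-case latency gets worse, because the oldest requests wait until the backlog drains.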
This guy is clearly a dangerous moron. This kinda makes me feel better for being so cold about this whole affair in the other thread.
The terrifying thing is that there are still people in government who believe sentences like "specific techniques that can be used to target, collect, and exploit targets with laser focus and with 100 percent success" through social media.
I mean, who claims one hundred percent success at anything?
EDIT: Also, that coder hopefully shouldn't be buying any drinks for a while.
The same people who believe that DRM can effectively prevent copying, if the people selling it say that it can. Which is to say, the ones who think of technology as wizardry, and evaluate wizards by looking for social proof. (They can't really evaluate what the guy's selling, but they sure can tell if he's the kind of person that would get respect at a cocktail party.)
> You want me to donate to bradley's fund
> OK BUT what if it puts people in harms' way? What
> if it cause bad ramifications for US citizens?
She's acting like there isn't going to be a trial of any sort. Sounds like she equates contributing to a defense fund with breaking someone out of prison.
A great read. It's amazing how Aaron Barr completely believed his hunches even when his programmer said that the data doesn't back up his analysis.
He is a business man trying to get paid big bucks from FBI for his hunches.
Sadly, were he rewarded with a continuing money stream, he would likely justify the innocent names as "collateral damage" as the money would have been a mark of success.
Aaron Barr fancies himself a modern-day witch-hunter, and it's good he was hoisted on his own petard.
My read: The piece is based on Anonymous propaganda. Anonymous itself is actually an amorphous propaganda outfit. The primary purpose of their actions is to produce media. Anonymous achieves these ends in part by taking on opponents with good story value, but no consequential power. They also engage in actions against significant players, like credit card companies, but these actions are most effective in creating media while only resulting in momentary financial damage. Anon is a media entity, not a financial one.
Some of them are. The Guy Fawkes masks are sort of a good way of describing them: a bunch of completely unrelated people assuming the same identity for a time. Likewise, the "Anonymous" you hear of is usually the "Anonymous" that pulls this sort of stunt and then publicizes it. There are a number of people hanging out on /b/ doing nothing but humorous (depending on your sense of humor) image manipulation, also calling themselves Anonymous, and people trolling LiveJournal doing the same. They've all got a different character, but if they all use the same name, it makes them difficult to attach attributes to.
They get to be anonymous by all assuming the same name, "Anonymous"; it's tricky to talk about them as a unified group because it's a group of groups, all with the same name. "This Anonymous" versus "that Anonymous" is hard to talk about. (It's a disclosed exploit in language.)
> They get to be anonymous by all assuming the same name, "Anonymous"
People have been doing something like that for thousands of years. That's never meant that everything done under that name was wholly aimless and spontaneous.
I didn't say that; I said that it's hard to attach attributes to them since they're not a coherent organization, but a number of people claiming the same name.
FTA, from one of Barr's e-mails: "... accept during hightened points of activity..."
Did this drive anyone else bonkers? I think "accept" or "hightened" alone wouldn't have bugged me. But for some reason the juxtaposition of the two in this sentence made me nerdrage.
Not really any good evidence to support that conclusion unless you're using Barr's statistical methodology. That coder's responses to Barr aren't that far off from what I'd say in his position. It's not surprising that a programmer would be familiar with Internet geek subculture, and predicting that Anonymous will turn LOIC on a direct challenger is not much of a leap.
I've yet to see anyone address the behavior of anonymous, and it appears as though it's been justified by most because this dude was an asshole - but why not point a finger at them both?
Well, there's no story to really address there. Barr was dangerously ignorant and naive. He had a complete misconception of how these things were organized and how they worked while claiming to know all of the identities of "the leaders" by correlating Twitter posts with what someone in IRC was talking about.
If you get on the news and say, "Hello Criminal Group. We have a bunch of information on your leaders that will get them arrested, we are meeting with the FBI next week", it is only reasonable to expect some attempted retaliation. I think that no one is surprised that the targeted group compromised HBGary's servers -- there are, after all, much worse things that could happen -- except maybe the HBGary people themselves, who, as we see here, were already in way over their heads.
No one addresses the behavior of Anonymous because it is completely and totally the expected reaction. The shocking thing about the story is Barr's personality and behavior, not the idea that someone will retaliate if you threaten to decapitate their organization.
It doesn't make it OK. You said that you were surprised no one was talking about or condemning Anonymous's behavior. No one is doing that because there's nothing interesting to talk about there. We all already know that stealing and publishing private corporate data to embarrass its authors and defacing private networks is not good. We also already know that if you threaten a group capable of retaliation, with a long history of retaliation, they'll probably retaliate.
The silence is not an endorsement, it's just that it's so much more interesting to talk about Barr/HBGary's behavior than it is to waste time reiterating trite condemnations of script kiddies.
On a related note, what he was trying to do reminded me of a Kaggle.com winner on social networks, deanonymizing social networks: http://www.cs.utexas.edu/~shmat/shmat_oak09.pdf . The latter, of course, is better than gut feel.
Apparently the S/MIME signatures match just fine ... it is possible they got ahold of their private keys as well to sign messages, but that would be more difficult than hacking the central servers as private keys are stored locally on the client's machine.
Not necessarily. You can copy private keys to different machines just as easily as you can copy anything else. Since it's important not to lose private keys, it's plausible that lazy and/or ignorant persons would copy them to central servers for easy retrieval. It's much more hassle to burn to a CD and put them in a safe deposit box at the bank, after all.
Barr could have edited it out if he didn't really believe it. A fleeting moment of awareness that you support fascism isn't really all that important in the grand scheme of things.