
Anonymous vs. HBGary: the aftermath - hardik988
http://arstechnica.com/tech-policy/news/2011/02/anonymous-vs-hbgary-the-aftermath.ars
======
barrkel
"What happened to Barr? Anonymous loudly and angrily demanded that Penny Leavy
fire him, since his list of Anonymous names could allegedly have gotten
"innocent people" into serious trouble. Leavy made clear that HBGary Federal
was a separate company from HBGary, one in which she owned only a 15 percent
stake, and that she couldn't simply "fire" the CEO."

I found the comments on this article interesting:
[http://threatpost.com/en_us/blogs/rsa-2011-winning-war-losin...](http://threatpost.com/en_us/blogs/rsa-2011-winning-war-losing-our-soul-022211)

"They claimed that the company was under separate management, and that HBGary,
Inc. only had a 15% stake in the company. However, the Operating Agreement for
HBGary Federal, LLC, reveals that Greg Hoglund and Penny Leavy were two of the
original six Founding Directors of HBGary Federal. Further, Penny Leavy herself
signed the incorporation application with the California Secretary of State.
This Operating Agreement confirms the 15% stake held by HBGary, Inc. in HBGary
Federal, but it also reveals that Penny Leavy herself holds a 48% share in the
company. Her 48% share, plus that of HBGary, Inc. (15%) puts their combined
ownership stake at 63%. In terms of dollars invested, their investment in
HBGary Federal amounts to some 87.5% of the total monies invested.

"This operating agreement can be downloaded from:
<http://cryptome.org/0003/hbg/HBG-Fed-OA.pdf> "

Exhibit B in the Cryptome PDF (page 31) does indeed show Penelope Christine
Leavy with 48%, in addition to HB Gary Inc's 15%.

------
barrkel
From what I've read elsewhere, in terms of online crimes, the FBI is treating
Anonymous second only to child porn
([http://www.dailycampus.com/mobile/news/fbi-raids-house-on-n-...](http://www.dailycampus.com/mobile/news/fbi-raids-house-on-n-eagleville-1.1961646)). Probably a function of the power and money behind the
people they've attacked (the Visa/Mastercard DDoSes in particular).

~~~
jbooth
That, and the fact that their existence is a direct challenge to the FBI's
collective ego.

------
quacker
The characterization of Anonymous as some single or unique entity is
misleading. The sign at the booth and the fax HBGary received were (likely)
not perpetrated by the hackers who did the damage. Anyone in the right mood
might have gone through with it, fueled by the success of the original attack.
And the point made at the end of the article that Barr's list of supposed
identities contained many innocent people was very true.

~~~
iuguy
I would expect hijinks from the guys at Mandiant or any other exhibitor
constituting even tangential competition (or anyone from Palantir for that
matter) could include something like that sign.

There's something clearly going on that we're not being told - but then again,
bear in mind that they're a private company so it's not like there's an
obligation to disclose.

------
Luyt
_..."they struck gold with an SQL injection attack on HBGary Federal's content
management system. [...] They quickly grabbed and decrypted user passwords
from the website"_

A security firm cracked by scriptkiddie tricks? Storing passwords in the
database, instead of hashes? Hmmm...

~~~
fleitz
From the information available it appears the passwords were hashed but not
salted.

~~~
tomjen3
If that is true, then they must have used some really, really simple passwords
for them to be cracked in such a short time.

~~~
bigiain
There's some remarkably complete rainbow tables out there for MD5... Last time
I heard any details, every 11-character string and every combination of
dictionary words including letter/number substitutions out to 16 characters is
now just a lookup away...

Any password small enough to remember is probably vulnerable if stored as an
unsalted MD5 hash.
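
An added example (not code from the thread or from HBGary) contrasting the unsalted MD5 storage bigiain describes with salted, iterated hashing; the user names, passwords and the weak-password list are constructed, and the audit function is a defender's check of an existing unsalted table against a known-weak list:

```python
import hashlib
import hmac
import os

# Constructed sample data: two users who happened to pick the same password.
USERS = {"alice": "Summer2011", "bob": "Summer2011"}
# Constructed stand-in for a list of known-weak passwords used in an audit.
COMMON_PASSWORDS = ["password", "123456", "Summer2011", "letmein"]


def store_unsalted_md5(password: str) -> str:
    # The scheme the thread describes: no salt, so equal passwords give equal
    # hashes and one precomputed table serves every site that uses this scheme.
    return hashlib.md5(password.encode()).hexdigest()


def store_salted_pbkdf2(password: str, iterations: int = 200_000) -> str:
    # Hardened storage: a random 16-byte salt per record plus an iterated KDF.
    # Record format "iterations$salt_hex$hash_hex" keeps what verification needs.
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_salted_pbkdf2(password: str, record: str) -> bool:
    iterations, salt_hex, hash_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(dk.hex(), hash_hex)


def has_duplicate_hashes(records: dict) -> bool:
    # True when two users share a stored hash, which only happens without salt.
    hashes = list(records.values())
    return len(set(hashes)) < len(hashes)


def audit_unsalted_table(records: dict, common: list) -> set:
    # Defender's check: which accounts' unsalted MD5 hashes match a known-weak
    # password list. A salted table cannot be checked this way, by design.
    lookup = {store_unsalted_md5(p): p for p in common}
    return {user for user, h in records.items() if h in lookup}


if __name__ == "__main__":
    weak = {u: store_unsalted_md5(p) for u, p in USERS.items()}
    strong = {u: store_salted_pbkdf2(p) for u, p in USERS.items()}
    print("unsalted duplicates:", has_duplicate_hashes(weak))   # True
    print("salted duplicates:", has_duplicate_hashes(strong))   # False
    print("weak accounts:", audit_unsalted_table(weak, COMMON_PASSWORDS))
```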

~~~
stcredzero
Ugh. Time for me to go to all 32 character passwords.

~~~
yuhong
Or even better, don't use the same password on every site.

~~~
stcredzero
Why would I have plural "passwords" but only use one on every site?

------
ajays
Not much substance in the article, but: HBG come across as whiny little losers
("oh noes! we are being threatened!!"), and Anon seems to have gotten bored
and moved on.

~~~
wladimir
I have somewhat mixed feelings about it, but I think I like it how, with
modern technology, civilian semi-organized groups can challenge and shame such
shady and clearly power obsessed companies. It feels like a kind of balancing
force against the most dystopian possible future.

~~~
intended
That palantir page was really disturbing to see. I have to be glad that it was
leaked.

~~~
bane
This case, and the lawsuit with i2 has firmly put Palantir on my list of
"sleazy companies" not to do business with or try to go work for.

------
forgotAgain
The biggest worry here is that HBGary is not being held accountable for their
criminal activities. They have been using tools and psy-ops practices
developed for the military against U.S. political targets. That is against the
law.

------
fleitz
From the article:

"Instead, he believes that Anonymous has "decided to continue their antics. They're in it for the laughs… this is a real funny game for them." Not content with the damage they have inflicted, they "harass a company that's trying to get back to work." Each time a new story about the company appears in the press, Butterworth said that these attacks spike again."

If the press is bad for HBGary why do they participate in it? A no comment
would have been sufficient. I think HB Gary is participating in the press to
incite attacks so they can present themselves as victims, collect evidence,
have someone charged, and declare victory. Seriously, a sheet of paper written
in sharpie. They're expecting me to believe that the RSA holds a security
conference without badges, without video monitoring and that some anon in a
Guy Fawkes mask walks up to the table and places a threatening did it for the
LULZ paper on their booth with no one noticing. Maybe, V for Vendetta is a
real movie and such a person really exists who can easily pass through
intelligence services and evade video monitoring. If I was HB Gary I'd have
extensive surveillance on the booth to catch just such a thing. I'll use the
Aaron Barr method of finding anons and assume the anon who placed the paper is
employed by HB Gary. This from a company whose services are retained for their
ability to plant false documents. The sign should read 'We got laughed out of
the security conference for using weak passwords, storing them weakly, and
reusing passwords in addition to being vulnerable to basic SQL injection.'

In my opinion, officers of HBGary Federal were engaged in stalking people
online and selling private information about individuals for commercial
purposes, as well as engaged in defaming these individuals with false
information to the FBI. Given the demographic of anonymous it's quite likely
that some of these individuals were children. I'm not sure if this is illegal
in the US, but if they collected and prepared to sell personal information
without consent about Canadian citizens they'd likely be in violation of
Federal Law. (PIPEDA)

Also, regarding the millions of dollars in damages, these claims would be
impossible to verify with a private company. Public companies on the other
hand are required to file damages to the company both tangible and intangible.
In a lot of hacking cases you'll see millions of dollars claimed, but if you
look at the 10-Qs (SEC Required docs) you'll see no such filing. If you want a
case to look at in particular for this, look at what happened to Kevin
Mitnick. Why is it ok for HBGary to take money to compromise computers, but
when Anonymous engaged in expression of speech they are targeted by federal
investigators?

This is a company that used intelligence assets against pro-union websites. My
personal feelings regarding unions aside, this is attempting to violate the
rights of individuals to peaceably assemble. Even if it isn't illegal per se,
it's highly unethical.

If HB Gary only engaged in ethical business practices there would be little
damage from the disclosure of the emails. The damage results from the
conspiracy to commit activities that are likely criminal.

A better question to ask is given the emails why Federal charges have not been
laid against HBGary?

<http://en.wikipedia.org/wiki/National_Labor_Relations_Act>

~~~
mcburton
I'm pretty sure at any given RSA conference there are multiple folks who might
personally/privately identify as members of anonymous, i.e. they wouldn't need
to "sneak in" to the conference b/c they are already there as legitimate
members of the security community. <pure-speculation> Hell, there could be
employees of HB Gary who think of themselves as anonymous. This would support
your speculation that HB Gary made the sign, but complicate the motivations.
</pure-speculation>

I do agree that HB Gary should be investigated as much as–if not more
than–anonymous since there is some evidence of illegal or unethical business
practices in the released email. I would like to think that we hold corporate
security companies up to a higher standard of practice...

~~~
sudonim
Anyone attending that conference could have decided to be "Anonymous". Isn't
that the way the organization works?

~~~
stcredzero
Yes, the references to "V for Vendetta" aren't incidental. Many of the ideas
in that graphic novel are an important component of the Anonymous ideology.

------
grudolf
On the first photo, was that "Defeating malware" or "Delivering malware"?

------
VladRussian
The more I read about this HBGary the more I feel that justice is being
served. These fat and lazy morons thought that because they've been doing
dirty things for the government they are above the law and basic ethical rules ...
Of course, they are above the law that is enforced by their government friends,
yet there is the Karma law and "we the People".

~~~
daeken
"These fat and lazy morons..." Can we avoid juvenile attacks like these,
please? C'mon, this is HN, not Kindergarten.

------
jeffthebear
The Colbert Report summary: <http://ca.gawker.com/5769950/>

------
forsaken
The power of anonymous is that _you_ can become part of anonymous at any
point.

