
"You've angered the hive" - acconrad
http://arstechnica.com/tech-policy/news/2011/02/anonymous-to-security-firm-working-with-fbi-youve-angered-the-hive.ars
======
smbwrs
What interests me most about Anonymous is the fact that it's actually two
groups: the small group of technically-competent individuals, and the LOIC
script-kiddie griefer minions who can be dispatched at will. The griefers get
the media attention and do it "for the lulz", while the folks with actual
skills penetrate systems and expose private information. If I had to guess,
I'd say that HBGary got a little information on a bunch of the griefers, and
near nothing on the people who can do real damage.

If I were a hacker, Anonymous - that is, the 4chan script-kiddie bunch - would
make for incredible front line. They generate an unbelievable amount of noise,
and a very particular kind of hacker-ish noise, which I'd imagine is fantastic
for redirecting attention and covering tracks as necessary. The recent FBI
raids, for example.
[http://news.yahoo.com/s/afp/20110128/tc_afp/britainarrestwik...](http://news.yahoo.com/s/afp/20110128/tc_afp/britainarrestwikileaksinternetanonymous)

~~~
lsb
So as long as you can convince impressionable young people that some entity is
acting against Freedom, you will be able to mobilize them to give you cover
for your activities.

That seems true in other circumstances also.

~~~
duairc
How I wish that were true! Most people, young and old, really don't care at
all.

~~~
vacri
"Don't care" in the form of getting out and proactively doing something, yes.

"Don't care" in the form of clicking a preorganised button ("sign online
petition", "retweet this travesty", "join this voluntary botnet"), plenty of
folk care that way.

If your engagement in the nominated activity can be fully completed before you
finish your beverage of choice, the internet is full of caring individuals...

------
JonnieCache
_"So why can't you sell this information to the FBI like you intended? Because
we're going to give it to them for free."_

As ill advised as messing with the FBI may be, this is a masterstroke. Hats
off.

~~~
jayzee
You can't buy stolen stuff. If the FBI wants to use the stuff they may still
have to pay for it.

Besides deals at that level are all political and given to their buddies. The
person who gave the deal to HBGary is going to still fork over the money since
what is a few $M between friends esp when they are not your $M.

~~~
jessriedel
Your second paragraph is true, but the first paragraph only applies to
physical property and, trivially, to legally protected intellectual property.
("Trivially" because in the case of intellectual property, the only value is
in the legal protection itself, whereas for physical property it's possible to
illegally transfer stolen goods even though the new possessor will not have a
legal claim to them.) However, private-eye type intelligence has no legal
protection as property as far as I know. It is only "sold" in the sense that
the person who has it reveals the info in exchange for compensation.

~~~
pyre
It depends on whether the information in question is the raw source
information, or the actual intelligence report created by the private-eye.

~~~
jessriedel
Only if the buyer intended to _publish_ the report, in which case it would be
the protected intellectual property I mentioned. But if the report were leaked
before the private-eye was able to sell it, there is nothing he could do
legally to prevent the potential buyer from acting on that information (which
is usually why people hire detectives). In particular, the FBI would legally
be able to investigate and prosecute people using HBGary's info without paying
HBGary. Professional courtesy and/or conflicts of interest might prompt them
to pay for it anyway, of course.

~~~
ZachPruckowski
What about chain of evidence? Who's to say that the hacker didn't change
details of the report between downloading it and publishing it? "This is a
report from a security expert" sounds quite a bit better in court than "This
is a report that another hacker claims is an unaltered copy he nicked from a
security expert".

------
steveklabnik
First, the satirical: "Anon concedes defeat"
[http://anonnews.org/?p=press&a=item&i=377](http://anonnews.org/?p=press&a=item&i=377)

Then, the 'actual' press release:
[http://anonnews.org/?p=press&a=item&i=378](http://anonnews.org/?p=press&a=item&i=378)

Some choice bits:

> The lack of quality in Aaron Barr's undertaken research is worth noting.
> Aaron Barr missed a great deal of information that has been available
> online, and in fact failed to identify some of those whose identities were
> never intended to be hidden.

> It is also worth noting that Aaron Barr was also providing this
> documentation as an example of investigation protocol. This would introduce
> a systematic flaw to the FBI's investigative woodwork. The risk of
> institutionalising a flawed procedure exponentiates a problem, and it does
> so at the taxpayers expense in every sense. Had the FBI indeed bought this
> information from HBGary Federal, it would have been paid for by taxpayers
> money, and many innocent people would have been marked as leaders in actions
> they may not even have been associated with.

------
kbutler
The comments of "It's hard to be really secure, so don't make people mad" are
very short-sighted.

As society becomes increasingly reliant upon network infrastructure, those who
oppose society will increasingly target that infrastructure.

When terrorists can cause billions of dollars of losses by hacking the
airlines, why bother trying to smuggle weapons on planes?

When opposing nations can cripple military and economic infrastructure through
computers, why bother developing nuclear weapons?

We are rapidly entering a world where our computing infrastructure is both our
most critical and our most vulnerable asset.

"Speak softly" is completely insufficient without the "carry a big stick"
part.

kb

~~~
PakG1
Even so, I'd say bombs on a plane still would incite a type of fear that's
impossible to instill through cracking secure networks. Of course, lives could
be endangered by cracking network infrastructure, especially as we become more
reliant on it, but I'd argue that the average person is disconnected enough
from the concept to not be emotionally affected or angered by it. At least
until there's a really big incident on the level of Chernobyl that causes
people to irrationally distrust networks no matter how good network security
gets, similar to how some people irrationally distrust nuclear power plants
today, no matter how safe they may have become.

~~~
loewenskind
You think a bomb blowing up a plane is more scary than a plane just randomly
deciding to fly into something? I don't. Plane control hacking is vastly more
scary than bombs because one break means someone on the other side of the
earth can do what ever he/she wants with _all of them_ at the same time.

~~~
PakG1
I didn't say that. I said the average person would be too disconnected from
the topic to to fear it, most likely because they wouldn't be able to
intellectually consider it. I did say that it would take a Chernobyl-level
incident to wake people up, and if we ever get that, it would cause things to
swing to the opposite side from indifference to paranoia (if it were to
happen).

~~~
loewenskind
One plane getting hacked and crashing into something will be enough to create
a wave of panic like never seen before. Look what a few planes hitting a few
buildings did _when you could see the perpetrators_. Now imagine what happens
when you can't.

------
BrandonM
It's kind of gross the admiration people are expressing here. I work for a
security firm that does work with all kinds of organizations. At the heart of
the matter, we are scientists investigating the truth. If a break-in occurred,
who was responsible, and what was compromised? If someone is being charged
with distribution of child pornography, did they willfully download and
distribute it, or was it part of a wide net that was cast to download a whole
bunch of porn at once? This DDoS occurred: who was responsible? You have
security in place: is it sufficient to protect the data in an appropriate
manner?

We are a small firm. Our yearly revenue is probably nearly $1-1.5 million.
Including the founder, we have eight people employed: a mother of two, three
people who have poured over ten years of their lives into building the company
to its current level, a cancer survivor still undergoing treatment, and three
others who are doing good work while making ends meet and paying down school
loans.

Something like this happening to our company, an event that led to $1MM+ in
losses, would _wipe us out._ It would end a company that provides a valuable
service to dozens of law firms and other organizations (colleges, hospitals,
local political entities, etc.) each year. It would immediately put eight
people out of work and negate 50+ man-years of effort.

Call me crazy, but I am not patting these guys on the back. It's all fun and
games until you're ruining lives.

~~~
michaelchisari
_It's all fun and games until you're ruining lives._

This was never fun and games for the causes Anonymous has championed:
Wikileaks, Egyptian and Tunisian protestors, etc.

Anonymous, despite it's origins, is a political movement centered around the
cause of internet freedom. That's not a matter of fun and games, and I support
Anonymous because of that.

In other words, if given the choice between a political movement fighting for
an ideal I support, and the ability of a corporation to maintain it's revenue
stream, I'm going to fall in support of the political movement most of the
time.

~~~
tzs
> Anonymous, despite it's origins, is a political movement centered around the
> cause of internet freedom. That's not a matter of fun and games, and I
> support Anonymous because of that.

What about Anonymous' attack on Gene Simmons, for expressing an opinion they
did not agree with? Or is your notion of internet freedom that only people who
have the right opinions get to speak?

~~~
michaelchisari
_Or is your notion of internet freedom that only people who have the right
opinions get to speak?_

I'm not Anonymous, so I'm not sure why you're addressing that to me.

And more importantly, those who took down Gene Simmons' website may not even
have been the same people who had anything to do with Mastercard, Visa,
Paypal, Egypt, Tunisia, Iran, etc. That's the nature of a decentralized,
amorphous non-entity like Anonymous.

~~~
GHFigs
_I'm not sure why you're addressing that to me._

You said it was a political movement that you supported. It's entirely
reasonable to ask you what that movement stands for.

(Hint: The reason you're finding that a difficult question is that Anonymous
is not a political movement and you're just projecting your own beliefs onto
it whenever it happens to do something you think is good.)

~~~
michaelchisari
I don't find it a difficult question, actually. It's something I've been
meaning to write about for a while now. Anonymous is a political movement that
is analogous to the internet immune system. It self-organizes, and attacks
that which it deems a threat to internet freedom.

Gene Simmons was attacked because his statements, and his position as a pop
star made him a target as a threat. Like all immune systems, Anonymous is
known to overreact.

If you look at the targets for Anonymous in terms of political uprisings,
you'll notice a concentration of places where the internet played a large role
and/or was targeted. Uprisings occur the world over, but Anonymous gets
involved when the internet is threatened.

In this sense, the use of the "V for Vendetta" mask is a perfect symbol for
Anonymous, for anyone who has read the comic book (or even just seen the film
adaptation).

 _The only verdict is vengeance; a vendetta, held as a votive, not in vain,
for the value and veracity of such shall one day vindicate the vigilant and
the virtuous._

V was not so much interested in popular revolt, anarchism, social equality,
etc. per se. He was interested in revenge. Justice became the ultimate form of
revenge against a tyrannical government.

You can see that similarly in the actions of Anonymous. Democratic movements
are supported against dictatorships, and transparency is supported against
representatives of Democracy. Not because Anonymous is a positive force for
Democracy or transparency, but because those are weapons they can wield
against the internet's perceived enemies.

So yes, Anonymous is a political movement, although a leaderless, amorphous,
and pluralistic one united only in negative political space. They don't seek
to create, as much as destroy their political enemies. But, as some say, "the
urge to destroy is also a creative urge".

~~~
GHFigs
_If you look at the targets for Anonymous in terms of political uprisings..._

...you engender such a large selection bias that I remain as convinced as ever
that you're simply projecting your own beliefs onto something considerably
more nihilistic. Yes, if you throw out everything that doesn't fit the
quotably Bakuninian pattern you expect by saying "oh, but that was different
people" or "oh, that was just an overreaction", it all becomes so clear...but
if you don't, you get a messy and impure reality in which Anonymous better
resembles _Brownian motion_ than _a movement_.

~~~
michaelchisari
I take those into account but disregard them because of my experience with
asymmetrical umbrella movements. Because a dozen griefers do something and
call themselves Anonymous or are labelled with it by the media doesn't mean
that they have the capability to define a movement. It's not insignificant,
but at the same time, it's barely significant. Groups with these formations
are defined by their most significant actions, not their least.

------
steveklabnik
Oh, and check out this pastie: <http://pastie.org/1535735>

Social engineering. People are always the weakest link...

~~~
moe
That must be fake. No sysadmin would possibly bite on such an exchange ("is
our root password still ...?"). And not in a "security firm", of all things.

I'd elaborate further but gotta run for now, a prince from nigeria just
contacted me with an important transaction.

~~~
cookiecaper
Also, running a kernel built five years ago from the 2.4 series. Haven't there
been some serious vulnerabilities in the last five years affecting 2.4?

------
stcredzero
People keep on getting hacked. Is it really that hard to prevent that from
happening, or is this another case of widespread incompetence and "It won't
happen to me" thinking?

EDIT: I've commented here before about the scary potential of the /b/ crowd if
some of them ever tried to organize and become activists.

~~~
benmathes
The short answer is that it _is_ that hard to fully prevent it from happening.
For practical purposes, IT security's job is to make it not worth the effort
to break in.

And even if you've built a really secure system all it takes is one user with
their daughter's name as their password to make it all moot.

~~~
stcredzero
What if you only have one "user" who only logs in through SSH using port
knocking and all of the server's other communication with the rest of the net
is through encrypted binary data in UDP packets with fixed-size fields?

~~~
wmf
Then you're fired because the server doesn't actually _work_.

~~~
stcredzero
_Then you're fired because the server doesn't actually work._

If I were interviewing you, your answer would be considered nonsense and would
cause you to not get hired in the first place. I actually need to write such a
server for a product I'm working on. All it ever does is encrypted
communications with other machines.

~~~
wmf
OK, you're right. You'd only be fired in the other 99.9% of cases, where
servers have to support standard protocols and normal users.

~~~
bioh42_2
_99.9% of cases, where servers have to support standard protocols and normal
user._

True. True for all small and big companies' IT. But if you are a _security_ or
even just a _forensics_ firm, then you ought to be in the other 0.1%

------
freescale
The most polite spin I can put on the cheering of these sorts of techniques,
is that too many Hacker News members lack sufficient historical awareness to
realize that these tactics are reminiscent of the public humiliation and crowd
intimidation techniques employed by Italy's blackshirts in the 30s.

There are reasons why we have rule of law and courts. There are reasons why it
is not acceptable for one group to retaliate against another group, no matter
how strongly they may feel they are in the right.

~~~
michaelchisari
_the public humiliation and crowd intimidation techniques employed by Italy's
blackshirts in the 30s_

Aren't they just as comparable to the satirical press releases of the Yippies
and (more recently) the Yes Men?

Your comparison seems to be a case of false equivalency.

------
mkr-hn
"So it’s a case where the hackers break in on a non-important system, which is
very common in hacking situations, and leveraged lateral movement to get onto
systems of interest over time."

=

"We're too lazy to make sure each level of security is protected from the
last."

------
evo_9
My admiration for this group just went up another big notch. Very well played.

------
catshirt
in the pdf anonymous posted of the research [1], several (if not the majority)
of the names were _unquestionably_ fake. how does this affect the integrity of
the whole document?

additionally, how does this whole fiasco impact this agencies possibility of
continuing work with the fbi in the future?

[1] <http://hizost.com/d/zjb>

~~~
chc
Just to emphasize how fake some of the "identities" they uncovered are: The
list implicates Guy Fawkes (<http://en.wikipedia.org/wiki/Guy_Fawkes>).

~~~
catshirt
right. and "Maxx Anu Infobomber", and "Kygon Infraction", and "Buckaroo
Bonzai", and "Electromagentic Bomb", and "Wholly Subversive", and "Anonim
Espana" (from Spain), and...

~~~
riffraff
I'm sure you would appreciate "Guido la Vespa" which would sound in english
like Guy Wasp, but is also italian for "I drive the Vespa (a kind of
scooter)".

An approximately 50 year old joke.

------
j_baker
> They also vandalized Barr's Twitter and LinkedIn accounts with harsh
> messages and personal data about Barr, such as his social security number
> and home address.

Ok, I respect what Anonymous is trying to do, but this is a step too far. I'm
all for civil disobedience, but this crosses the line in my opinion.

~~~
endtime
I don't think Anonymous has ever been concerned about crossing lines. In fact,
you could say that crossing lines is their default mode of operation.

Their goal in this case is to discourage people from messing with them. I'd
say that their actions may have achieved exactly that.

~~~
SwellJoe
Agreed. They're taking part in dangerous work, with very little
protection...the laws regarding the activities they participate in are
ridiculously overpowered, and have occasionally landed teenagers in prison for
years.

A scorched earth policy regarding those who come after them is pretty much the
_only_ rational course of action, given the consequences of being positively
identified as taking part in those activities. They aren't equipped (nor are
most of them of the disposition), to kill, physically intimidate, or otherwise
silence people that cross them or hold evidence against them, as most
organized crime groups or corrupt law enforcement officers do. So, they have
to take extreme actions to prevent people from _wanting_ to gather evidence
against them. Intimidation via a constant stream of uneasy feelings about how
much of your life they can and will reveal is generally pretty powerful.

It's also probably important that they stick close to the side of "right"
enough of the time that it is unpopular to attack them, even if they
occasionally cause some actual harm to people who maybe didn't deserve that
level of harm.

In this case, though, I'd say this was a funny result. A lot of "security
experts" are nothing of the sort, and are deserving of ridicule at the very
least. If this prevents incompetent security contractors from suckling at the
government teat, I'm all for it.

------
Jun8
Although I find the anons a bit creepy, in this case hats off to them. I find
this move to be more or less equivalent to Wikileaks, so it's impossible to
defend one and vilify the other. I actually think that it's much _better_ for
our society than Wikileaks since it exposes the type of clueless
people/agencies that FBI pays (our) money to.

BTW, I'm a member (since a true anon would never reveal this, that's how you
know I'm not one of them).

------
light3
From <http://www.thetechherald.com/article.php/201106/6785>

"There was a distinction made that HBGary only owns 15-percent of HBGary
Federal, and that attacking both was wrong, as one had nothing to do with the
other. The networks shared many common elements, that they are only moderately
related was irrelevant to Anonymous."

"In addition, there were several calls for Barr to be burned by HBGary, but
given that he is a partner, that is unlikely. At this stage, HBGary’s response
is unknown. At the time this article was written, aside from the conversations
on IRC, there has been no official comment."

------
pdenya
I love the writing as much as the quotes in this article.

"It would appear that security experts are not expertly secured,"

"It's unlikely that Anonymous cares about what Hoglund thinks"

I haven't laughed out loud at something I've read like this in a while.

------
hysterix
Well done gentlemen. I don't give a fuck that I'm on that list. I use bounce
email addresses and multiple, very difficult to crack passwords for a reason.

Good for exposing their 'security' company.

------
olalonde
Don't these guys have something more productive to do with their time?
Seriously, don't tell me 4chan is a freakin' political movement. If it really
is, why don't they start by cleaning up the child porn that gets posted on
their board daily?[1]

The "noble cause" they are supposedly defending is nothing but a pretext to go
on their power trips.

[1] (NSFW) <http://boards.4chan.org/b/>

~~~
leon_
yeah, they should start working for the government to build intelligent drones
that could hunt down those muslin terrorists around the world!

------
stuhacking
Anon hacks HBGary and all they get is a lot of already public information?
Maybe Anon just stuck their hand in the honeypot...

Just thinking out loud.

------
jayzee
If this is this the website: <http://www.hbgary.com/> then it is even funnier.

~~~
solutionyogi
Nope, that's not the company website. Company website is at
<http://www.hbgaryfederal.com/> and is currently down.

------
vilya
Anonymous begins to remind me of the rabbit from Vernor Vinge's "Rainbows
End"...

------
bueller
<http://www.youtube.com/watch?v=l6gXhPFHRDo>

~~~
bueller
how is this link not related to this story...vote me down more jackasses

------
juiceandjuice
Ladies and gentleman, the definition of pwnd.

------
bgurupra
This is like the Fight Club of the internets!

~~~
bgurupra
if I may ask why the downvote?

~~~
bgurupra
hahahahaha this is frickin unbelievable, I get downvoted but the guy who says
not to talk about the fight club is upvoted like crazy - so THIS is the FIGHT
CLUB!

~~~
bgurupra
and seriously screw you guys downvoting me (sorry for being douchy) - but it
is really irritating to get downvoted without being told why

~~~
BrandonM
Your post had little substance, and using the phrase "the internets" certainly
didn't help.

