If I were a hacker, Anonymous - that is, the 4chan script-kiddie bunch - would make for incredible front line. They generate an unbelievable amount of noise, and a very particular kind of hacker-ish noise, which I'd imagine is fantastic for redirecting attention and covering tracks as necessary. The recent FBI raids, for example. http://news.yahoo.com/s/afp/20110128/tc_afp/britainarrestwik...
That seems true in other circumstances also.
"Don't care" in the form of clicking a preorganised button ("sign online petition", "retweet this travesty", "join this voluntary botnet"), plenty of folk care that way.
If your engagement in the nominated activity can be fully completed before you finish your beverage of choice, the internet is full of caring individuals...
They raided a kid at my university and all he was doing was administrating one of the IRC channels
As ill advised as messing with the FBI may be, this is a masterstroke. Hats off.
Besides deals at that level are all political and given to their buddies. The person who gave the deal to HBGary is going to still fork over the money since what is a few $M between friends esp when they are not your $M.
Why do you assume that it isn't "born copyrighted" like almost everything else? (The big exception is pure data, such as the phone book.) The expression of observations is clearly copyrightable.
And then there's trade secret protection. The fact that they got hacked doesn't necessary void that.
But on Feb 13, I leave the keys in the ignition when the car's in my driveway and you take it and give it to Susie as a present from you to her. You get the love, I get screwed.
Is it really stolen if you just give the car to her and it just so happens to be the same car that I was going to give?
The better example is, you found out where her long-lost cousin lived, some guy eavesdropped, and HE told her where said cousin lived, and she jumped into HIS arms and drove off into the sunset. You are not now without an object that you formerly owned; you just planned to exploit a scarcity of information that no longer exists, and you're mad about it.
You also feel cheated because you were the one that did all the work to find her cousin, and he got all the benefit. That doesn't make it the same as stealing a car.
But in this case, the information was actually of little value, but because there was a scarcity of information in the first place, the FBI would have been none the wiser.
The ethics of spreading information are complicated. Oversimplifying them by comparing them to the ethics of stealing physical objects is wrong and bad.
> You also feel cheated because you were the one that did all the work to find her cousin, and he got all the benefit. That doesn't make it the same as stealing a car.
There's Something About Mary
Say you're a guy in a pub and you overhear some private company contractors talking about just learning that a group of terrorists is plotting to blow up the Empire State Building, and mentioning some things in detail. You decide to tell the FBI about the terrorists, while they might refuse to give up their information if the price isn't right.
After all, you wouldn't download happiness.
(see http://ycombinator.com/newsguidelines.html )
Come on, we are talking about the rootkit.com guys. Not taking side is one thing, taking the opposite side is a completely different one.
Pretty much everything I learned for fun about rootkits, I learned it thanks to these guys.
I am speechless.
If you can't even get GET/POST/cookie escaping correct in PHP after years, you should probably not be building web apps.
It's a shame that their site is so bad when their book is so awesome.
I am speechless because they (started?) monetize going after the 'bad guys', while they have been publishing grey/black hat stuff on Rootkit.com for many years.
The trust is gone.
p.s. - if anybody can crack my password, I'll be impressed.
I beg to differ.
National news about a security firm being hacked for its confidential IP can't be good for future business.
If necessary, they will change their name.
Believe me, there will be a lot of boxes that will need ticking, meetings, powerpoint shows, and sentences written in the passive voice.
1) The Federal Government (hereby, "Fed") wanted the data. Fed puts out a request for proposal to qualified federal contractors to solicit work bids. Qualified federal contractors respond with work proposals, detailing the level of effort, the likely strategy to obtain the information, and establishing a cost and payment terms. Cost structure is either Time & Materials (T&M) or firm fixed. If it's T&M, they'll be paid for the time, effort and overhead required to have performed the task. If it's firm fixed, they'll be paid a set cost as established in the proposal.
2) HBGary had an existing contract for work with Fed. This contract may cover intelligence gathering, cyber intel, whatever. Fed creates a new task order for HBGary on the existing contract. Contract is either amended (if firm fixed, after the effort is quoted) or falls under existing task orders. HBGary is paid according to the terms of the existing contract.
To cut to the chase, there are other likely scenarios, but they all look similar to the above, and all involve HBGary being paid under the terms of the contract. Whether they're paid a flat fee or based on the effort involved depends on the terms of the contract. When they get paid depends on the terms of the contract. How much they get paid depends on the terms of the contract.
It sometimes happens that the government opts out of paying for things like this, and someone decides to buck the red-tape-brigade, but those matters usually end up in court as a contract dispute. Generally speaking, I think it's fairly safe to assume that HBGary is getting paid.
What I suspect a lot of people are overlooking here is that generally, if the government has contracted to buy something, EVEN IF somebody completely different comes up with the same good (tangible or intangible) for zero or significantly reduced cost, the government is not allowed to purchase unless there are provisions in their existing contract that allow for this.
The rules governing this process are the "Federal Acquisition Regulations", are set in stone, and are established so that both sides 'play fair'. The terms of the contract are always upheld unless there are exceedingly dramatic reasons not to, or failures of performance. If I contract to buy 10 servers for the government for $1,000 each, and somebody else then offers 10 identical servers to the government for $0 each, I will still be paid.
Since the cost of technology generally goes down over time, this prevents Fed from buying cheaper after the original contract was penned, and is allotted to protect contractors from the Fed, as well as the other way 'round.
It's complicated as sin, and yeah, there are loopholes out the wazoo (most of which relate to winning work,) but it's also defined, repeatable and ends up in HBGary getting paid.
After you've gotten the contract, it's difficult to work with the government's red tape and still live up to the terms of the contract. If you've ever worked on a project with a prolonged or contracted management life-cycle, you have _some_ idea of what it's like, in a very small sense.
Changes requested are shot down by government lifers on little basis. "I vote no, until we've thoroughly thought about the security implications," was a valid rejection on a project I was running that involved, at least partly, replacing plain-text passwords stored in configuration files with Kerberos Keytab certificates. Infuriating, at best.
Meanwhile, slips to the project schedule don't affect your project's contractually obligated deadline. The government is generally happy to trod along at a tortoise pace while contractors run sprints in spurts -- weeks waiting on an approval for a change, then sprinting until it's done.
Add to that the required overhead of having somebody able to meet incessantly about every single line item in every single invoice.
Add to that the fact that in most government agencies, the IT staff comprises a heterogeneous mix of slow government employees and other contractors that would love to see you fail (as they likely also bid on the work you won, and would love the opportunity to see it rebid in the event that you fail).
Add to that having to get approval on every single change in any product, no matter how trivial, by a committee of stakeholders -- the size of which shrinks and grows as the project moves on, and knowing that no change, however firmly approved, is ever REALLY approved until ship date (aside, months after development on a renovation had begun on a portal's backend infrastructure, senior government personnel were still arguing over the look and feel of a mockup that had been approved and finalized prior to the beginning of development.)
Again, red tape, red tape, red tape.
100% of my work is government contracting; that's not how this works. The only question is whether the FBI will ever use this company again. If the FBI thinks they are incompetent, then HBGary is out of work. But if the FBI still believes they are competent, then they will get another contract to find more information, even if some of that information is already in the public domain. The FBI won't punish them for a criminal action. At my job, just because something leaked through Wikileaks doesn't mean it's unclassified. We still abide by all the rules, and you can get in a lot of hot water for talking about something off of Wikileaks that you do not have need-to-know on. It's as if leaks don't exist to the government.
You or I, and many companies, would take advantage of the situation and just use the publicly available information and not pay the PI firm. But this is the government. They operate in a whole different ballgame with a different set of rules. Anyone pointing their finger and laughing hasn't been through the requisition process; the government has thrown good money after bad in much fouler situations than this.
...as long as you're clear that this is merely company policy and is not actually a point of law.
Actual prosecutions for people without clearance revealing classified information are generally rare because it's usually done as a form of journalism, which brings First Amendment issues into play. That's probably why Wikileaks has made such an effort lately to re-cast themselves as a journalistic organization instead of just a clearinghouse for "whistle blowers."
The scenario you describe simply doesn't exist, it has nothing to do with journalism, and the onus is on those advocating for the validity of these kinds of prosecutions to distinguish acts from those which AIPAC members had charges dropped in the Franklin case just a few years ago.
I'd be interested in hearing about any successful prosecutions, so consider me eager to be proven wrong.
I also didn't describe any scenario for prosecution, so I'm not sure what you're referring to when you say that the scenario I describe simply doesn't exist. The only scenario I described was the kind where prosecution doesn't happen.
My overall point was that your statement regarding the illegality was wrong: the illegality of distributing classified materials is not based on covenant, it is based on statute. The covenant part gives prosecutors a few extra charges to pile on for people who have clearances, but it's not the main piece. Whether or not such laws are enforceable in a practical sense does not change the fact that distributing classified material is, under current law, illegal regardless of who you are.
If the hypothetical piece of paper on the street were a single page marked with a classification level, but without the cover sheet and its explanation, you might be able to argue that you didn't think that you were legally prohibited from distributing that information. Then again, "I didn't know that was illegal, your honor," generally doesn't play well in the courts. IANAL, so I can't tell you what would happen in this situation, but I can tell you that even if you were to avoid conviction the overall experience would probably be time consuming, expensive, and generally unpleasant.
For that matter, I honestly couldn't tell you which statutes provide for prosecution of non-cleared persons who distribute classified materials. All I can tell you is that every classified document has a cover sheet, and that at least some of those cover sheets specifically state that you can be prosecuted for distributing the contents to unauthorized people, even if you haven't agreed to protect it. It's been a long time since I've seen one, so I don't remember the exact wording but the warnings were stern enough that I remember them being there. Maybe the cover sheets cite a statute, maybe they don't specify. Maybe the whole bit about prosecution is a bluff, but I somehow doubt that an anal-retentive government bureaucracy would print official documents with a bluff that audacious.
The FBI can't be that dense, can it?
If the FBI believes that the company can still fulfill its contract terms, and in a lot of situations that comes down to providing the requisite documentation showing sufficient protocols in place, then the FBI will continue to work with HBGary.
Much greater incompetence has been rewarded by the government bureaucracy than poorly picked passwords.
Isn't that a little bit kafkaesque?
Virtual Case File anybody? - http://en.wikipedia.org/wiki/Virtual_Case_File
Then, the 'actual' press release: http://anonnews.org/?p=press&a=item&i=378
Some choice bits:
> The lack of quality in Aaron Barr's undertaken research is worth noting. Aaron Barr missed a great deal of information that has been available online, and in fact failed to identify some of those whose identities were never intended to be hidden.
> It is also worth noting that Aaron Barr was also providing this documentation as an example of investigation protocol. This would introduce a systematic flaw to the FBI's investigative woodwork. The risk of institutionalising a flawed procedure exponentiates a problem, and it does so at the taxpayers' expense in every sense. Had the FBI indeed bought this information from HBGary Federal, it would have been paid for by taxpayers' money, and many innocent people would have been marked as leaders in actions they may not even have been associated with.
As society becomes increasingly reliant upon network infrastructure, those who oppose society will increasingly target that infrastructure.
When terrorists can cause billions of dollars of losses by hacking the airlines, why bother trying to smuggle weapons on planes?
When opposing nations can cripple military and economic infrastructure through computers, why bother developing nuclear weapons?
We are rapidly entering a world where our computing infrastructure is both our most critical and our most vulnerable asset.
"Speak softly" is completely insufficient without the "carry a big stick" part.
We are a small firm. Our yearly revenue is probably nearly $1-1.5 million. Including the founder, we have eight people employed: a mother of two, three people who have poured over ten years of their lives into building the company to its current level, a cancer survivor still undergoing treatment, and three others who are doing good work while making ends meet and paying down school loans.
Something like this happening to our company, an event that led to $1MM+ in losses, would wipe us out. It would end a company that provides a valuable service to dozens of law firms and other organizations (colleges, hospitals, local political entities, etc.) each year. It would immediately put eight people out of work and negate 50+ man-years of effort.
Call me crazy, but I am not patting these guys on the back. It's all fun and games until you're ruining lives.
This was never fun and games for the causes Anonymous has championed: Wikileaks, Egyptian and Tunisian protestors, etc.
Anonymous, despite its origins, is a political movement centered around the cause of internet freedom. That's not a matter of fun and games, and I support Anonymous because of that.
In other words, if given the choice between a political movement fighting for an ideal I support, and the ability of a corporation to maintain its revenue stream, I'm going to fall in support of the political movement most of the time.
I think this tipped some folks off about how powerful Anonymous could be, if it was guided somehow. Or maybe, it was simply the awakening within Anonymous that it could be something other than a childish prankster.
I've always thought that 4chan was synonymous with the internet's "id;" now it seems as if Anonymous is the birth of the internet's superego. There may be people subtly playing with strings (the aforementioned - a few responses up in a different thread - inner circle of quite competent blackhats), but largely I think Anonymous has become self-fulfilling. A meme catches its interest, and it acts.
Hell, there's even a link to the "Stand Alone Complex" section of the Ghost in the Shell philosophy page. Not a philo-head myself, but it makes sense. Network intelligence together close enough, and a different kind of intelligence will probably emerge.
Historically, this describes a lot of political formations beyond Anonymous. There's a number of situations where semi-apolitical hooligans became political forces. The Young Lords, for instance.
What about Anonymous' attack on Gene Simmons, for expressing an opinion they did not agree with? Or is your notion of internet freedom that only people who have the right opinions get to speak?
In Anonymous' mind (I have absolutely no relationship with the group, other than academic curiosity), I believe it goes a little like the aversion we have as a society to not incite riots. He was advocating being (potentially) frivolously litigious. That made him a target - not some random opinion.
Compare how Gene acts towards the internet and how Trent Reznor acts towards the internet. Gene may have an order of magnitude higher net worth (~300mm vs ~35mm, according to "Celebrity Net Worth" - probably not a very good source), but he got it by playing crappy bass in a mediocre band, being a litigious douchebag, selling a lot of over the top merchandise. Trent made it by making good (subjectively) music, and continued to make it by making music instead of Nine Inch Nails-branded coffins. And uses the internet to great success.
Which is a better netizen?
I'm not Anonymous, so I'm not sure why you're addressing that to me.
And more importantly, those who took down Gene Simmons' website may not even have been the same people who had anything to do with Mastercard, Visa, Paypal, Egypt, Tunisia, Iran, etc. That's the nature of a decentralized, amorphous non-entity like Anonymous.
You said it was a political movement that you supported. It's entirely reasonable to ask you what that movement stands for.
(Hint: The reason you're finding that a difficult question is that Anonymous is not a political movement and you're just projecting your own beliefs onto it whenever it happens to do something you think is good.)
Gene Simmons was attacked because his statements, and his position as a pop star made him a target as a threat. Like all immune systems, Anonymous is known to overreact.
If you look at the targets for Anonymous in terms of political uprisings, you'll notice a concentration of places where the internet played a large role and/or was targeted. Uprisings occur the world over, but Anonymous gets involved when the internet is threatened.
In this sense, the use of the "V for Vendetta" mask is a perfect symbol for Anonymous, for anyone who has read the comic book (or even just seen the film adaptation).
The only verdict is vengeance; a vendetta, held as a votive, not in vain, for the value and veracity of such shall one day vindicate the vigilant and the virtuous.
V was not so much interested in popular revolt, anarchism, social equality, etc. per se. He was interested in revenge. Justice became the ultimate form of revenge against a tyrannical government.
You can see that similarly in the actions of Anonymous. Democratic movements are supported against dictatorships, and transparency is supported against representatives of Democracy. Not because Anonymous is a positive force for Democracy or transparency, but because those are weapons they can wield against the internet's perceived enemies.
So yes, Anonymous is a political movement, although a leaderless, amorphous, and pluralistic one united only in negative political space. They don't seek to create, as much as destroy their political enemies. But, as some say, "the urge to destroy is also a creative urge".
...you engender such a large selection bias that I remain as convinced as ever that you're simply projecting your own beliefs onto something considerably more nihilistic. Yes, if you throw out everything that doesn't fit the quotably Bakuninian pattern you expect by saying "oh, but that was different people" or "oh, that was just an overreaction", it all becomes so clear...but if you don't, you get a messy and impure reality in which Anonymous better resembles Brownian motion than a movement.
Now, if they take down censorship in China or targeted a similar actual oppressive regime instead of going after easy targets, then they'd have my respect.
For example, their attack on Scientology is something I respect, but that was only short-lived since Scientology is actually bad and will cause Anon significant damage.
So, as we can see, it is actually just for the lulz and not a higher ideal.
It's just a bunch of bored college kids looking for a cause to belong to.
Harsh but I think true.
Now if they were a company that baked and distributed cheesecakes, I'd give them a pass on criticism for having security issues.
I think you're forgetting Korea, Japan, Taiwan and several Middle East countries. Even China isn't doing too bad, recently. And isn't western-style democracy much closer to economic Darwinism than e.g. socialism?
China is a different case. Insofar as they respect human rights they prosper. Insofar as they don't they fail.
No, socialism is strongly tied to eugenics, which is state driven Darwinism. That is purposefully killing off the weak and unfit.
Capitalism is a matter of letting the best man win. Killing the weak is not a part of that.
Ahh, good old-fashioned sarcasm.
Karma's a bitch eh?
> At the heart of the matter, we are scientists investigating the truth.
No, you're not. You're consultants doing analytical work. I'm not arguing that one is intrinsically more worthwhile or valuable than the other, but post-hoc security analysis is not science.
In this particular case, anonymous is implicitly raising the question that if a security firm can't even secure their own web presence, their internal emails, and the data that they've gathered on an FBI contract, then how could their data and conclusions be trusted? Regardless of whether the employees of any particular security firm are sympathetic individuals, and whether being hacked would incur significant financial loss, you'd hope that a security firm would be, you know, secure.
Is what Anon did illegal, or at least in the ambiguous grey zone? Sure, but I feel personally that they are more like the Robin Hoods keeping others in check for the deeds of corporations which may be legal, but significantly less moral.
It's not lives ruined but a company ruined in this case. It's just fail, but not life fail. Nobody will die, get in prison for 300+ years, get sick, etc. Your company failed - start it over and do it right next time.
yeah, tell that to yourself metasploit-cowboy :]
Social engineering. People are always the weakest link...
I'd elaborate further but gotta run for now, a prince from Nigeria just contacted me with an important transaction.
Then you don't know many "sysadmins". Generally the people working as admins are not the brightest.
This is not my forte; I'm likely off.
The only guard against something like this is SPF on the sender's domain and for the recipient's mail server to check (and enforce) SPF rules.
But seeing as this is a security company, why didn't they at least sign their messages using PKI/PGP certificates? And why would they keep their entire email on their webserver?
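The check the comment above calls for, as an added example that is not from the thread or from any of the parties discussed: a minimal SPF evaluator covering the ip4/ip6/all mechanisms, with a constructed DNS table in place of live lookups, and the enforcement decision a receiving mail server would take on each result. The domain names, addresses and policy mapping are all assumptions made up for the example.

```python
"""Minimal SPF (RFC 7208) check for the ip4 / ip6 / all mechanisms.

include:, a, mx, ptr and exists: need further DNS lookups and are treated
as a permanent error here, so the evaluator is deliberately narrow.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups; the domains are hypothetical.
FAKE_DNS_TXT = {
    "example-sec-firm.test": ["v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"],
    "softfail.test": ["v=spf1 ip4:198.51.100.10 ~all"],
    "nospf.test": [],
    "broken.test": ["v=spf1 ip4:not-an-address -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, mail_from_domain):
    """Evaluate the SPF record of mail_from_domain against the connecting IP.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    records = FAKE_DNS_TXT.get(mail_from_domain, [])
    spf = [r for r in records if r.split(" ", 1)[0].lower() == "v=spf1"]
    if not spf:
        return "none"            # domain publishes no SPF policy at all
    if len(spf) > 1:
        return "permerror"       # RFC 7208 §4.5: more than one record is an error
    try:
        ip = ipaddress.ip_address(sender_ip)
    except ValueError:
        return "permerror"

    for term in spf[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"   # malformed address in the record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "permerror"       # mechanism this evaluator does not implement
    # RFC 7208 §4.7: no mechanism matched and no "all" present.
    return "neutral"


def policy_action(result):
    """Enforcement decision for the receiving MTA (assumed policy, not a standard).

    Checking SPF is only useful if the result changes what the server does.
    """
    return {"fail": "reject", "softfail": "quarantine",
            "permerror": "quarantine"}.get(result, "accept")


def screen_message(sender_ip, mail_from_domain):
    """Return (spf_result, action) for one inbound SMTP session."""
    result = check_spf(sender_ip, mail_from_domain)
    return result, policy_action(result)


if __name__ == "__main__":
    # Constructed sessions: a legitimate sender, then a spoofed MAIL FROM
    # arriving from an address the domain never authorised.
    for ip, domain in [("203.0.113.20", "example-sec-firm.test"),
                       ("192.0.2.55", "example-sec-firm.test")]:
        print(ip, domain, "->", screen_message(ip, domain))
```

SPF is evaluated on the envelope MAIL FROM domain, not the From: header a reader sees, so a message can pass SPF while displaying a spoofed sender name; aligning the two is what DMARC adds on top.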
EDIT: I've commented here before about the scary potential of the /b/ crowd if some of them ever tried to organize and become activists.
And even if you've built a really secure system all it takes is one user with their daughter's name as their password to make it all moot.
I see what you did there.
If your security design allows anyone to SSH in to obtain significant system access using only a user selected password, it isn't "really secure."
If I were interviewing you, your answer would be considered nonsense and would cause you to not get hired in the first place. I actually need to write such a server for a product I'm working on. All it ever does is encrypted communications with other machines.
True. True for all small and big companies' IT. But if you are a security or even just a forensics firm, then you ought to be in the other 0.1%
Juicy! [making notes to buy a laptop for the express purpose of logging into the server]
Maybe I will hit one of the servers communicating with this "secure" computer and see if you remembered to bounds check all the data coming in.
All fields are fixed length.
So, even if it was secure, in this case it would have happened.
Some method of verifying the requester's identity out of band (e.g. 'call me for the password') is really the only way to go.
"From what I hear - yes... My friends who worked for whitehat security companies would first try to hack staff before hacking servers.
Best was to call up the ceo on his personal homephone every night at 3am, until they knew what he sounded like raving mad. Then they called up the admins doing a very good impression of the irate ceo demanding his passwords were reset there and then. Worked a stupid amount of times apparently..."
LAST EDIT: Fine. Shibboleths, passwords, PINs, safeword cards, emails, texts, caller ID, voice, and face-to-face conversations are all great tools to use when trying to secure some asset. All I'm saying is go out of band when you want to verify a person's identity. If you are emailing, call. If you are on the phone, and you don't trust them, call them back at their home. Or text them a code and ask them for the code. Or meet in a trusted place and take a DNA sample. Whatever is appropriate for the thing you are securing.
Sure, any of these methods can be compromised through social engineering, blackmail, theft, or violence. That's not the point.
If you care about a password, don't send it through the same channel that you use to verify the person that you are sending the password to. Shibboleths and ROT13ing won't solve the problem of knowing who you are talking to.
Also, what happens when your helpdesk's VoIP system gets hacked in the same way that the email system got hacked in this case?
Just make sure you decide before the emergency who needs to be trusted with that information, and be smart about how you exchange keys with everyone involved.
Didn't think of that. Great idea.
Reminds me of these tricks: http://www.skepticfiles.org/cowtext/bbs/cbv.htm
So if you say "Can you reset my password to foobar" then your admin knows to actually set it to "sbbone."
They can then just send a normal reply saying "ok your password has been set to 'foobar'" and then as long as both parties remember the secret protocol, you are OK.
You could then also watch for login attempts using "foobar" to warn you of foul play.
But seriously, the only password in SSH auth procedure should be the one you decode your private key with.
Nothing educates like brainstorming in public and being shot down by experts, thanks :)
The effort put in securing the system pretty much defines how much effort and ingenuity is required to penetrate it. Kind of a cat and mouse game or chess.
There are reasons why we have rule of law and courts. There are reasons why it is not acceptable for one group to retaliate against another group, no matter how strongly they may feel they are in the right.
Aren't they just as comparable to the satirical press releases of the Yippies and (more recently) the Yes Men?
Your comparison seems to be a case of false equivalency.
"We're too lazy to make sure each level of security is protected from the last."
Additionally, how does this whole fiasco impact this agency's possibility of continuing work with the FBI in the future?
An approximately 50 year old joke.
Ok, I respect what Anonymous is trying to do, but this is a step too far. I'm all for civil disobedience, but this crosses the line in my opinion.
Also, they already released all the info themselves, so Barr giving it to the police would be redundant.
Regardless, poetic justice is more about fate making the good guys get their reward while still being good and the bad guys get punished as a result of their actions. This isn't a case of fate. It's a case of someone (deliberately) posting someone's social security numbers online for everyone to see. Was that the just thing to do? I suppose that's debatable. But I don't think it meets the literary definition of poetic justice.
I disagree with your definitions. I would say justice is sanctioned legally, while revenge isn't. Aside from that, they're nearly indistinguishable. And given what is and isn't legally sanctioned by countries ("torture" for example), I think the difference is even less.
Sure, justice gets twisted on a regular basis. But that doesn't mean it doesn't exist, as a concept, as something different from revenge.
Their goal in this case is to discourage people from messing with them. I'd say that their actions may have achieved exactly that.
A scorched earth policy regarding those who come after them is pretty much the only rational course of action, given the consequences of being positively identified as taking part in those activities. They aren't equipped (nor are most of them of the disposition), to kill, physically intimidate, or otherwise silence people that cross them or hold evidence against them, as most organized crime groups or corrupt law enforcement officers do. So, they have to take extreme actions to prevent people from wanting to gather evidence against them. Intimidation via a constant stream of uneasy feelings about how much of your life they can and will reveal is generally pretty powerful.
It's also probably important that they stick close to the side of "right" enough of the time that it is unpopular to attack them, even if they occasionally cause some actual harm to people who maybe didn't deserve that level of harm.
In this case, though, I'd say this was a funny result. A lot of "security experts" are nothing of the sort, and are deserving of ridicule at the very least. If this prevents incompetent security contractors from suckling at the government teat, I'm all for it.
> Via IRC: <MGMX> Posting his SSN number was way the hell over the line though. << Anonymous finds the line and then crosses it. #noregrets
The goal is always the lulz. That's why they actually welcome people messing with them.
BTW, I'm a member (since a true anon would never reveal this, that's how you know I'm not one of them).
"There was a distinction made that HBGary only owns 15-percent of HBGary Federal, and that attacking both was wrong, as one had nothing to do with the other. The networks shared many common elements, that they are only moderately related was irrelevant to Anonymous."
"In addition, there were several calls for Barr to be burned by HBGary, but given that he is a partner, that is unlikely. At this stage, HBGary’s response is unknown. At the time this article was written, aside from the conversations on IRC, there has been no official comment."
"It would appear that security experts are not expertly secured,"
"It's unlikely that Anonymous cares about what Hoglund thinks"
I haven't laughed out loud at something I've read like this in a while.
Good for exposing their 'security' company.
The "noble cause" they are supposedly defending is nothing but a pretext to go on their power trips.
(NSFW) http://boards.4chan.org/b/
Just thinking out loud.