Hacker News new | past | comments | ask | show | jobs | submit login
"You've angered the hive" (arstechnica.com)
521 points by acconrad on Feb 7, 2011 | hide | past | web | favorite | 214 comments



What interests me most about Anonymous is the fact that it's actually two groups: the small group of technically-competent individuals, and the LOIC script-kiddie griefer minions who can be dispatched at will. The griefers get the media attention and do it "for the lulz", while the folks with actual skills penetrate systems and expose private information. If I had to guess, I'd say that HBGary got a little information on a bunch of the griefers, and near nothing on the people who can do real damage.

If I were a hacker, Anonymous - that is, the 4chan script-kiddie bunch - would make for incredible front line. They generate an unbelievable amount of noise, and a very particular kind of hacker-ish noise, which I'd imagine is fantastic for redirecting attention and covering tracks as necessary. The recent FBI raids, for example. http://news.yahoo.com/s/afp/20110128/tc_afp/britainarrestwik...


So as long as you can convince impressionable young people that some entity is acting against Freedom, you will be able to mobilize them to give you cover for your activities.

That seems true in other circumstances also.


How I wish that were true! Most people, young and old, really don't care at all.


"Don't care" in the form of getting out and proactively doing something, yes.

"Don't care" in the form of clicking a preorganised button ("sign online petition", "retweet this travesty", "join this voluntary botnet"), plenty of folk care that way.

If your engagement in the nominated activity can be fully completed before you finish your beverage of choice, the internet is full of caring individuals...


I would totally agree with this.

They raided a kid at my university and all he was doing was administrating one of the IRC channels


Sort of a 4chan version of Mechanical Turk.


More like a human shield.


Meat shield


"So why can't you sell this information to the FBI like you intended? Because we're going to give it to them for free."

As ill advised as messing with the FBI may be, this is a masterstroke. Hats off.


You can't buy stolen stuff. If the FBI wants to use the stuff they may still have to pay for it.

Besides deals at that level are all political and given to their buddies. The person who gave the deal to HBGary is going to still fork over the money since what is a few $M between friends esp when they are not your $M.


Your second paragraph is true, but the first paragraph only applies to physical property and, trivially, to legally protected intellectual property. ("Trivially" because in the case of intellectual property, the only value is in the legal protection itself, whereas for physical property it's possible to illegally transfer stolen goods even though the new possessor will not have a legal claim to them.) However, private-eye type intelligence has no legal protection as property as far as I know. It is only "sold" in the sense that the person who has it reveals the info in exchange for compensation.


> However, private-eye type intelligence has no legal protection as property as far as I know.

Why do you assume that it isn't "born copyrighted" like almost everything else? (The big exception is pure data, such as the phone book.) The expression of observations is clearly copyrightable.

And then there's trade secret protection. The fact that they got hacked doesn't necessary void that.


It depends on whether the information in question is the raw source information, or the actual intelligence report created by the private-eye.


Only if the buyer intended to publish the report, in which case it would be the protected intellectual property I mentioned. But if the report were leaked before the private-eye was able to sell it, there is nothing he could do legally to prevent the potential buyer from acting on that information (which is usually why people hire detectives). In particular, the FBI would legally be able to investigate and prosecute people using HBGary's info without paying HBGary. Professional courtesy and/or conflicts of interest might prompt them to pay for it anyway, of course.


What about chain of evidence? Who's to say that the hacker didn't change details of the report between downloading it and publishing it? "This is a report from a security expert" sounds quite a bit better in court than "This is a report that another hacker claims is an unaltered copy he nicked from a security expert".


I was assuming there would be some sort of copyright issues with the information. I think that HBGray owns copyright on the report itself since they likely have some sort of analysis in addition to the raw information organized in an understandable fashion, though I guess there might not be any 'fruit of the poisoned tree'-type issues with the FBI using that information in their investigation.


Is it really stolen if people just tell the FBI the information, and it just so happens to be the same information that the security group was going to give?


Say you and I know this really cute girl. Let's call her Susie. I just won the lottery and I bought a new Mercedes (or whatever the devil it is these kids are driving nowadays...) that I want to give to Susie for Valentine's day.

But on Feb 13, I leave the keys in the ignition when the car's in my driveway and you take it and give it to Susie as a present from you to her. You get the love, I get screwed.

Is it really stolen if you just give the car to her and it just so happens to be the same car that I was going to give?


No, that's an example of stealing an object. Stealing an object is fundamentally not the same as telling someone something, even if it's something you didn't want them to say. This is why your example induces an obvious ethical reaction, whereas the original example induces a much more complicated one.

The better example is, you found out where her long-lost cousin lived, some guy eavesdropped, and HE told her where said cousin lived, and she jumped into HIS arms and drove off into the sunset. You are not now without an object that you formerly owned; you just planned to exploit a scarcity of information that no longer exists, and you're mad about it.

You also feel cheated because you were the one that did all the work to find her cousin, and he got all the benefit. That doesn't make it the same as stealing a car.

But in this case, the information was actually of little value, but because there was a scarcity of information in the first place, the FBI would have been none the wiser.

The ethics of spreading information are complicated. Oversimplifying them by comparing them to the ethics of stealing physical objects is wrong and bad.


"The better example is, you found out where her long-lost cousin lived, some guy eavesdropped, and HE told her where said cousin lived, and she jumped into HIS arms and drove off into the sunset. You are not now without an object that you formerly owned; you just planned to exploit a scarcity of information that no longer exists, and you're mad about it.

You also feel cheated because you were the one that did all the work to find her cousin, and he got all the benefit. That doesn't make it the same as stealing a car."

There's Something About Mary


Please, let's stop equating information with property.

Say you're a guy in a pub and you overhear some private company contractors talking about just learning that a group of terrorists is plotting to blow up the Empire State Building, and mentioning some things in detail. You decide to tell the FBI about the terrorists, while they might refuse to give up their information if the price isn't right.


You wouldn't download a car.


Obligatory piracy warning from The IT Crowd: http://www.youtube.com/watch?v=ALZZx1xmAzg


Fuck you I would.


this is the reference (contains same language as parent post)

http://www.google.com/imgres?imgurl=http://www.thevrabec.com...


I actually have downloaded blueprints for every patent filed...well, did in 2005. I'm just waiting for my printer.


Of course not, it'd block the tubes!


I recommend familiarizing yourself with the concept of rivalrous goods.


I recommend familiarizing yourself with the concept of making people think that treating nonrivalrous goods as rivalrous is a moral imperative.

After all, you wouldn't download happiness.


Ah, but you can steal a kiss.


Please, don't downvote opinions you don't agree with. Even though the opinion may look ridiculous to you in general(it does to me), it is clearly stated and has its inner logic and has the right to be expressed. Downvoting is for irrelevant or emotion-driven comments.

(see http://ycombinator.com/newsguidelines.html )


Not all opinions are equally valid and worthwhile. In particular, opinions derived from from oversimplifications do not help the conversation and should be downvoted regardless of the stance.


This is a thoughtful enough contribution to the discussion. Should you really be downvoting something to oblivion because you disagree with the sentiment or find the content erroneous/apocraphyl?


Wouldn't the FBI want to get HBGary's copy anyway? Why wouldn't they expect the torrent to be tainted or incomplete?


The most astonishing info here is that this is HBGary that is involved.

Come on, we are talking about the rootkit.com guys. Not taking side is one thing, taking the opposite side is a completely different one.

Pretty much everything I learned for fun about rootkits, I learned it thanks to these guys.

I am speechless.


Expertise with Win32 internals doesn't make you a competent sysadmin or web application developer. rootkit.com runs one of the worst custom web apps I've ever seen.

If you can't even get GET/POST/cookie escaping correct in PHP after years, you should probably not be building web apps.

It's a shame that their site is so bad when their book is so awesome.


Indeed.

I am speechless because they (started?) monetize going after the 'bad guys', while they have been publishing grey/black hat stuff on Rootkit.com for many years.

The trust is gone.


Yes to everything you said. The book is amazing, yet their web site is awful. It sucks seeing as how I'm in that list too.

p.s. - if anybody can crack my password, I'll be impressed.


Regardless of whether or not the information is handed over by Anonymous to the FBI, the company will get paid. There is a contract between the government and the contractor, and it will be upheld. It is embarrasing for the company but really this move won't change anything financially for either party.


> It is embarrasing for the company but really this move won't change anything financially for either party.

I beg to differ.

National news about a security firm being hacked for its confidential IP can't be good for future business.


That's very true. But the conjecture that the FBI "won't pay [the firm]" becuase "[anonymous] will give it to them for free" is pure bullshit. Trust me, the company will still get paid.

If necessary, they will change their name.


They will also probably do some security audit.

Believe me, there will be a lot of boxes that will need ticking, meetings, powerpoint shows, and sentences written in the passive voice.


I call BS on your BS call. Releasing something like this puts it into the public domain. Unless the FBI has a contract already in place, payment is not ensured.


Given the nature of how the government provisions work to contractors, they almost certainly do. Not being privvy to the task at hand, they likely had one of the following scenarios at play:

1) The Federal Government (hereby, "Fed") wanted the data. Fed puts out a request for proposal to qualified federal contractors to solicit work bids. Qualified federal contractors respond with work proposals, detailing the level of effort, the likely strategy to obtain the information, and establishing a cost and payment terms. Cost structure is either Time & Materials (T&M) or firm fixed. If it's T&M, they'll be paid for the time, effort and overhead required to have performed the task. If it's firm fixed, they'll be paid a set cost as established in the proposal.

2) HBGary had an existing contract for work with Fed. This contract may cover intelligence gathering, cyber intel, whatever. Fed creates a new task order for HBGary on the existing contract. Contract is either amended (if firm fixed, after the effort is quoted) or falls under existing task orders. HBGary is paid according to the terms of the existing contract.

To cut to the chase, there are other likely scenarios, but they all look similar to the above, and all involve HBGary being paid under the terms of the contract. Whether they're paid a flat fee or based on the effort involved depends on the terms of the contract. When they get paid depends on the terms of the contract. How much they get paid depends on the terms of the contract.

It sometimes happens that the government opts out of paying for things like this, and someone decides to buck the red-tape-brigade, but those matters usually end up in court as a contract dispute. Generally speaking, I think it's fairly safe to assume that HBGary is getting paid.

What I suspect a lot of people are overlooking here is that generally, if the government has contracted to buy something, EVEN IF somebody completely different comes up with the same good (tangible or intangible) for zero or significantly reduced cost, the government is not allowed to purchase unless there are provisions in their existing contract that allow for this.

The rules governing this process are the "Federal Acquisition Regulations", are set in stone, and are established so that both sides 'play fair'. The terms of the contract are always upheld unless there are exceedingly dramatic reasons not to, or failures of performance. If I contract to buy 10 servers for the government for $1,000 each, and somebody else then offers 10 identical servers to the government for $0 each, I will still be paid.

Since the cost of technology generally goes down over time, this prevents Fed from buying cheaper after the original contract was penned, and is allotted to protect contractors from the Fed, as well as the other way 'round.

It's complicated as sin, and yeah, there are loopholes out the wazoo (most of which relate to winning work,) but it's also defined, repeatable and ends up in HBGary getting paid.


Getting government rents must be very nice.


It's actually quite a hard way to earn a living. GETTING the contracts is next to impossible, as despite having the FAR in place, they generally are wired for a particular company. Most government work is, of course, only eligible to companies who have 'past qualifications' of doing similar work for government agencies, meaning that new companies have an even harder time breaking into the network of opportunities and that even if you've built a 100 'websites & cms systems' for government agencies, you're not qualified to build a system categorized as 'web portal' unless some of the work you've previously done was labelled as such in the contracts.

After you've gotten the contract, it's difficult to work with the government's red tape and still live up to the terms of the contract. If you've ever worked on a project with a prolonged or contracted management life-cycle, you have _some_ idea of what it's like, in a very small sense.

Changes requested are shot down by government lifers on little basis. "I vote no, until we've thoroughly thought about the security implications," was a valid rejection on a project I was running that involved, at least partly, replacing plain-text passwords stored in configuration files with Kerberos Keytab certificates. Infuriating, at best.

Meanwhile, slips to the project schedule don't affect your project's contractually obligated deadline. The government is generally happy to trod along at a tortoise pace while contractors run sprints in spurts -- weeks waiting on an approval for a change, then sprinting until it's done.

Add to that the required overhead of having somebody able to meet incessantly about every single line item in every single invoice.

Add to that the fact that in most government agencies, their IT staff is comprised by a heterogenous mix of slow government employees and other contractors that would love to see you fail (as they likely also bid on the work you won, and would love the opportunity to see it rebid in the event that you fail).

Add to that having to get approval on every single change in any product, no matter how trivial, by a committee of stakeholders -- the size of which shrinks and grows as the project moves on, and knowing that no change, however firmly approved, is ever REALLY approved until ship date (aside, months after development on a renovation had begun on a portal's backend infrastructure, senior government personnel were still arguing over the look and feel of a mockup that had been approved and finalized prior to the beginning of development.)

Again, red tape, red tape, red tape.


..until they come to negotiate their next contract.


And what then? The FBI uses the Bittorrent archive instead of paying the company? Please.

100% of my work is government contracting, thats not how this works. The only question is whether the FBI will ever use this company again, if the FBI thinks they are incompetent then HBGary is out of work. But if the FBI still believes they are competent then they will get another contract to find more information even if some of that information is already in the public domain. The FBI won't punish them for a criminal action. At my job, just because something leaked through Wikileaks doesn't mean its unclassified. We still abide by all the rules and you can get in a lot of hot water for talking about something off of Wikileaks that you do not have need-to-know on. It's as if leaks don't exist to the government.

You or I, and many companies would take advantage of the situation and just use the publically available information and not pay the PI firm. But this is the government. They operate in a whole different ballgame with a different set of rules. Anyone pointing their finger and laughing hasn't been through the requisition process, the government has thrown good money after bad in much fouler situations than this.


At my job, just because something leaked through Wikileaks doesn't mean its unclassified.

...as long as you're clear that this is merely company policy and is not actually a point of law.


I'm pretty sure this _is_ actually a point of law. Being released via Wikileaks (or similar) does not change the classification of the information released.


Correct, but classification does not cover regular citizens. The only people who can be prosecuted for revealing classified information are those who have sworn to protect it, i.e. people who have previously agreed to respect the secrecy. It's a covenant.


Not true. Classified documents have cover pages explaining that they are classified and warning that you can be prosecuted for distributing classified information even if you haven't made the normal agreements associated with a security clearance. People who do have access, and who have signed the corresponding agreements are open to additional charges as well as pre-emptive extra-legal action for purposes of preventing or investigating security leaks (background investigations, polygraphs, etc.).

Actual prosecutions for people without clearance revealing classified information are generally rare because it's usually done as a form of journalism, which brings first ammendment issues into play. That's probably why wikileaks has made such an effort lately to re-cast themselves as a journalistic organization instead of just a clearinghouse for "whistle blowers."


Prosecuting the possession of information without clearance is done so rarely because a conviction on any of the points that touch the act is impossible.

The scenario you describe simply doesn't exist, it has nothing to do with journalism, and the onus is on those advocating for the validity of these kinds of prosecutions to distinguish acts from those which AIPAC members had charges dropped in the Franklin case just a few years ago.

I'd be interested in hearing about any successful prosecutions, so consider me eager to be proven wrong.


I didn't say anything about possession: I said distribution. Huge difference.

I also didn't describe any scenario for prosecution, so I'm not sure what you're referring to when you say that the scenario I describe simply doesn't exist. The only scenario I described was the kind where prosecution doesn't happen.

My overall point was that your statement regarding the illegality was wrong: the illegality of distributing classified materials is not based on covenant, it is based on statute. The covenant part gives prosecutors a few extra charges to pile on for people who have clearances, but it's not the main piece. Whether or not such laws are enforceable in a practical sense does not change the fact that distributing classified material is, under current law, illegal regardless of who you are.


The US does not have a state secrets law the way the UK and others do. If I find a piece of paper on the street, post a scan of it on the chans, then find out it was classified, what law have I broken? If you're going to say The Espionage Act, I don't agree. My understanding is that the prohibition on distribution covers only people who have previously agreed to respect classification.


If you had no idea it was classified before you distributed it, you probably wouldn't have broken any laws. Given the way classified documents are labeled, that's an incredibly unlikely scenario: classified documents are marked with the classification level on every page and paragraph (individual paragraphs may be classified at a lower level than the overall document), and have cover sheets explaining exactly what the classification level means, which includes a statement warning the reader that anyone can be prosecuted for unauthorized distribution, not just people who have agreed to protect it. So your understanding is wrong: the prohibition extends to everyone. There are also directions for what to do with it if you aren't supposed to have it (e.g. "Return to nearest office of [appropriate federal department or agency].")

If the hypothetical piece of paper on the street were a single page marked with a classification level, but without the cover sheet and its explanation, you might be able to argue that you didn't think that you were legally prohibited from distributing that information. Then again, "I didn't know that was illegal, your honor," generally doesn't play well in the courts. IANAL, so I can't tell you what would happen in this situation, but I can tell you that even if you were to avoid conviction the overall experience would probably be time consuming, expensive, and generally unpleasant.


Please cite the laws under which you propose that people without clearance be prosecuted for viewing Wikileaks releases.


Enough with the strawmen: I never said anything about viewing. I keep saying "distribute" and you keep substituting other words like "possess" or "view." Please stop.

For that matter, I honestly couldn't tell you which statutes provide for prosecution of non-cleared persons who distribute classified materials. All I can tell you is that every classified document has a cover sheet, and that at least some of those cover sheets specifically state that you can be prosecuted for distributing the contents to unauthorized people, even if you haven't agreed to protect it. It's been a long time since I've seen one, so I don't remember the exact wording but the warnings were stern enough that I remember them being there. Maybe the cover sheets cite a statute, maybe they don't specify. Maybe the whole bit about prosecution is a bluff, but I somehow doubt that an anal-retentive government bureaucracy would print official documents with a bluff that audacious.


It's interesting government adopt this approach, seems weird that a government on the other side of the world could be discussing american diplomatic affairs while members of the government in america would be bared unless they are cleared under a classification system that has failed in this case.


They clearly stated it was public before they leaked the documents to begin with.


But if the FBI still believes they are competent

Excuse me?

The FBI can't be that dense, can it?


The competence of the firms intelligence gathering ability is unrelated to the security of their computer systems. Whether the intelligence gathering was any good is hard to say, unless you take the released documents at face value. Taking something released by Anonymous at face value does not seem like a good strategy.


It isn't about HBGary being competent or not, its about whether or not they were able to fulfill the letter of their contracted terms.

If the FBI believes that the company can still fulfill its contract terms, and in a lot of situations that comes down to providing the requisite documentation showing sufficient protocols in place, then the FBI will continue to work with HBGary.

Much greater incompetence has been rewarded by the government bureaucracy than poorly picked passwords.


> At my job, just because something leaked through Wikileaks doesn't mean its unclassified. We still abide by all the rules and you can get in a lot of hot water for talking about something off of Wikileaks that you do not have need-to-know on.

Isn't that a little bit kafkaesque?


Touche about governments throwing good money after bad money ( or just bad money after bad money for that matter)...

Virtual Case File anybody? - http://en.wikipedia.org/wiki/Virtual_Case_File


I'm pretty sure it doesn't work that way and not because of "HBGary are friends with the FBI" as the other posters seems to think... HBGary probably have a contract with the FBI where the FBI pays either anyway or based on the results (probably the latter). Notice however that based on the results here is based on the results of HBGary only, unless there is false data in the results. Think of it this way - if the FBI contracted HBGary and HBGary did all the work and gave it to the FBI only to find out that the FBI contracted a second group at half the price and now refuses to give money to HBGary - would it seemed fair/probable that such a contract have been signed?


First, the satirical: "Anon concedes defeat" http://anonnews.org/?p=press&a=item&i=377

Then, the 'actual' press release: http://anonnews.org/?p=press&a=item&i=378

Some choice bits:

> The lack of quality in Aaron Barr's undertaken research is worth noting. Aaron Barr missed a great deal of information that has been available online, and in fact failed to identify some of those whose identities were never intended to be hidden.

> It is also worth noting that Aaron Barr was also providing this documentation as an example of investigation protocol. This would introduce a systematic flaw to the FBI's investigative woodwork. The risk of institutionalising a flawed procedure exponentiates a problem, and it does so at the taxpayers expense in every sense. Had the FBI indeed bought this information from HBGary Federal, it would have been paid for by taxpayers money, and many innocent people would have been marked as leaders in actions they may not even have been associated with.


The comments of "It's hard to be really secure, so don't make people mad" are very short-sighted.

As society becomes increasingly reliant upon network infrastructure, those who oppose society will increasingly target that infrastructure.

When terrorists can cause billions of dollars of losses by hacking the airlines, why bother trying to smuggle weapons on planes?

When opposing nations can cripple military and economic infrastructure through computers, why bother developing nuclear weapons?

We are rapidly entering a world where our computing infrastructure is both our most critical and our most vulnerable asset.

"Speak softly" is completely insufficient without the "carry a big stick" part.

kb


Even so, I'd say bombs on a plane still would incite a type of fear that's impossible to instill through cracking secure networks. Of course, lives could be endangered by cracking network infrastructure, especially as we become more reliant on it, but I'd argue that the average person is disconnected enough from the concept to not be emotionally affected or angered by it. At least until there's a really big incident on the level of Chernobyl that causes people to irrationally distrust networks no matter how good network security gets, similar to how some people irrationally distrust nuclear power plants today, no matter how safe they may have become.


You think a bomb blowing up a plane is more scary than a plane just randomly deciding to fly into something? I don't. Plane control hacking is vastly more scary than bombs because one break means someone on the other side of the earth can do what ever he/she wants with all of them at the same time.


I didn't say that. I said the average person would be too disconnected from the topic to to fear it, most likely because they wouldn't be able to intellectually consider it. I did say that it would take a Chernobyl-level incident to wake people up, and if we ever get that, it would cause things to swing to the opposite side from indifference to paranoia (if it were to happen).


One plane getting hacked and crashing into something will be enough to create a wave of panic like never seen before. Look what a few planes hitting a few buildings did when you could see the perpetrators. Now imagine what happens when you can't.


It's kind of gross the admiration people are expressing here. I work for a security firm that does work with all kinds of organizations. At the heart of the matter, we are scientists investigating the truth. If a break-in occurred, who was responsible, and what was compromised? If someone is being charged with distribution of child pornography, did they willfully download and distribute it, or was it part of a wide net that was cast to download a whole bunch of porn at once? This DDoS occurred: who was responsible? You have security in place: is it sufficient to protect the data in an appropriate manner?

We are a small firm. Our yearly revenue is probably nearly $1-1.5 million. Including the founder, we have eight people employed: a mother of two, three people who have poured over ten years of their lives into building the company to its current level, a cancer survivor still undergoing treatment, and three others who are doing good work while making ends meet and paying down school loans.

Something like this happening to our company, an event that led to $1MM+ in losses, would wipe us out. It would end a company that provides a valuable service to dozens of law firms and other organizations (colleges, hospitals, local political entities, etc.) each year. It would immediately put eight people out of work and negate 50+ man-years of effort.

Call me crazy, but I am not patting these guys on the back. It's all fun and games until you're ruining lives.


It's all fun and games until you're ruining lives.

This was never fun and games for the causes Anonymous has championed: Wikileaks, Egyptian and Tunisian protestors, etc.

Anonymous, despite it's origins, is a political movement centered around the cause of internet freedom. That's not a matter of fun and games, and I support Anonymous because of that.

In other words, if given the choice between a political movement fighting for an ideal I support, and the ability of a corporation to maintain it's revenue stream, I'm going to fall in support of the political movement most of the time.


Anonymous is not a political movement. Some of the causes it champions are for internet freedom, certainly. The ends, anyway. You have to remember it didn't begin that way. It began with childish 'raids' on Habbo Hotel, DDOS of Support Online Hip-Hop, etc. The first big movement for freedom was Project Chanology (mixed in with the childish attacks).

I think this tipped some folks off about how powerful Anonymous could be, if it was guided somehow. Or maybe, it was simply the awakening within Anonymous that it could be something other than a childish prankster.

I've always thought that 4chan was synonymous with the internet's "id;" now it seems as if Anonymous is the birth of the internet's superego. There may be people subtly playing with strings (the aforementioned - a few responses up in a different thread - inner circle of quite competent blackhats), but largely I think Anonymous has become self-fulfilling. A meme catches its interest, and it acts.

Hell, there's even a link to the "Stand Alone Complex" section of the Ghost in the Shell philosophy page. Not a philo-head myself, but it makes sense. Network intelligence together close enough, and a different kind of intelligence will probably emerge.


I think this tipped some folks off about how powerful Anonymous could be, if it was guided somehow. Or maybe, it was simply the awakening within Anonymous that it could be something other than a childish prankster.

Historically, this describes a lot of political formations beyond Anonymous. There's a number of situations where semi-apolitical hooligans became political forces. The Young Lords, for instance.


> Anonymous, despite it's origins, is a political movement centered around the cause of internet freedom. That's not a matter of fun and games, and I support Anonymous because of that.

What about Anonymous' attack on Gene Simmons, for expressing an opinion they did not agree with? Or is your notion of internet freedom that only people who have the right opinions get to speak?


Anonymous' attack on Gene Simmons was for his advocating suing the pants off of anyone and everyone. Then he went and said, basically, that he'd found some of them and was going to post their pictures online. That really let loose the hounds.

In Anonymous' mind (I have absolutely no relationship with the group, other than academic curiosity), I believe it goes a little like the aversion we have as a society to not incite riots. He was advocating being (potentially) frivolously litigious. That made him a target - not some random opinion.

Compare how Gene acts towards the internet and how Trent Reznor acts towards the internet. Gene may have an order of magnitude higher net worth (~300mm vs ~35mm, according to "Celebrity Net Worth" - probably not a very good source), but he got it by playing crappy bass in a mediocre band, being a litigious douchebag, selling a lot of over the top merchandise. Trent made it by making good (subjectively) music, and continued to make it by making music instead of Nine Inch Nails-branded coffins. And uses the internet to great success.

Which is a better netizen?


Or is your notion of internet freedom that only people who have the right opinions get to speak?

I'm not Anonymous, so I'm not sure why you're addressing that to me.

And more importantly, those who took down Gene Simmons' website may not even have been the same people who had anything to do with Mastercard, Visa, Paypal, Egypt, Tunisia, Iran, etc. That's the nature of a decentralized, amorphous non-entity like Anonymous.


I'm not sure why you're addressing that to me.

You said it was a political movement that you supported. It's entirely reasonable to ask you what that movement stands for.

(Hint: The reason you're finding that a difficult question is that Anonymous is not a political movement and you're just projecting your own beliefs onto it whenever it happens to do something you think is good.)


I don't find it a difficult question, actually. It's something I've been meaning to write about for a while now. Anonymous is a political movement that is analogous to the internet immune system. It self-organizes, and attacks that which it deems a threat to internet freedom.

Gene Simmons was attacked because his statements, and his position as a pop star made him a target as a threat. Like all immune systems, Anonymous is known to overreact.

If you look at the targets for Anonymous in terms of political uprisings, you'll notice a concentration of places where the internet played a large role and/or was targeted. Uprisings occur the world over, but Anonymous gets involved when the internet is threatened.

In this sense, the use of the "V for Vendetta" mask is a perfect symbol for Anonymous, for anyone who has read the comic book (or even just seen the film adaptation).

The only verdict is vengeance; a vendetta, held as a votive, not in vain, for the value and veracity of such shall one day vindicate the vigilant and the virtuous.

V was not so much interested in popular revolt, anarchism, social equality, etc. per se. He was interested in revenge. Justice became the ultimate form of revenge against a tyrannical government.

You can see that similarly in the actions of Anonymous. Democratic movements are supported against dictatorships, and transparency is supported against representatives of Democracy. Not because Anonymous is a positive force for Democracy or transparency, but because those are weapons they can wield against the internet's perceived enemies.

So yes, Anonymous is a political movement, although a leaderless, amorphous, and pluralistic one united only in negative political space. They don't seek to create, as much as destroy their political enemies. But, as some say, "the urge to destroy is also a creative urge".


If you look at the targets for Anonymous in terms of political uprisings...

...you engender such a large selection bias that I remain as convinced as ever that you're simply projecting your own beliefs onto something considerably more nihilistic. Yes, if you throw out everything that doesn't fit the quotably Bakuninian pattern you expect by saying "oh, but that was different people" or "oh, that was just an overreaction", it all becomes so clear...but if you don't, you get a messy and impure reality in which Anonymous better resembles Brownian motion than a movement.


I take those into account but disregard them because of my experience with asymmetrical umbrella movements. Because a dozen griefers do something and call themselves Anonymous or are labelled with it by the media doesn't mean that they have the capability to define a movement. It's not insignificant, but at the same time, it's barely significant. Groups with these formations are defined by their most significant actions, not their least.


That is all fun and games under the rationalization of easy, naive moralizing.

Now, if they take down censorship in China or targeted a similar actual oppressive regime instead of going after easy targets, then they'd have my respect.

For example, their attack on Scientology is something I respect, but that was only shortlived since Scientology is actually bad and will cause Anon significant damage.

So, as we can see, it is actually just for the lulz and not a higher ideal.


One can have high ideals without necessarily being brave or persistent in the pursuit of those ideals.


But then they aren't worth praising, especially if their "pursuit" of said ideals harms people's lives needlessly.


"Anonymous, despite it's origins, is a political movement centered around the cause of internet freedom. That's not a matter of fun and games, and I support Anonymous because of that."

It's just a bunch of bored college kids looking for a cause to belong to.


Destroying a company that both takes government security contracts, and also drops the firewall and gives out the root password after an email request is a public service. Such a company is a danger to the safety of every citizen in america and beyond. A lot more than eight lives could be ruined if they had been investigating organised crime or terrorism instead of anon.

Harsh but I think true.


You people are so socially retarded. How can such speculation justify ruining actual lives in anyway? There is no way you can concretely justify anything you claim there.


In capitalism inept companies go out of business. If you're a security company that just got hacked 6 ways to Sunday, you're inept. Maybe it's time for some other startup company to "make" the lives of i's employees by stepping in to the void and doing the work properly.


Are they a security company or a forensics company? Different skillsets.


Different, but related. A forensics company does not have the ability to claim ignorance of security issues - /especially/ if their role is digging up dirt on others. They should be fully aware of privacy and security issues.

Now if they were a company that baked and distributed cheesecakes, I'd give them a pass on criticism for having security issues.


But that's not the service they're providing, thus incompetence in that arena does not endanger multitudes of American lives and anon ruining their company is unjustified.


If you constantly kill everything that is weak you destroy your ecosystem. Much better is to build up the weak, which is why the West prospers and other cultures do not. Social and economic Darwinism do not work.


> which is why the West prospers and other cultures do not

I think you're forgetting Korea, Japan, Taiwan and several middle East countries. Even China isn't doing too bad, recently. And isn't western-style democracy much closer to economic Darwinism than eg. socialism?


And do those companies build up their people or destroy them? Don't miss the forest for the trees in your response.

China is a different case. Insofar as they respect human rights they prosper. Insofar as they don't they fail.

No, socialism is strongly tied to eugenics, which is state driven Darwinism. That is purposefully killing off the weak and unfit.

Capitalism is a matter of letting the best man win. Killing the weak is not a part of that.


It's called creative destruction, and it's a wonderful thing.


"the West prospers and other cultures do not."

Ahh good old fashion sarcasm.


All the cultures explicitly founded on Darwinism crash and burn. Name an exception.


Ruining actual lives. I've heard of a few government agencies who have some experience in that.

Karma's a bitch eh?


Lack of internet & information freedom is ruining lives.


I have nothing against security firms or their work, but

> At the heart of the matter, we are scientists investigating the truth.

No, you're not. You're consultants doing analytical work. I'm not arguing that one is intrinsically more worthwhile or valuable than the other, but post-hoc security analysis is not science.

In this particular case, anonymous is implicitly raising the question that if a security firm can't even secure their own web presence, their internal emails, and the data that they've gathered on an FBI contract, then how could their data and conclusions be trusted? Regardless of whether the employees of any particular security firm are sympathetic individuals, and whether being hacked would incur significant financial loss, you'd hope that a security firm would be, you know, secure.


Of course, waking up some kids and their parents and holding them at gunpoint is a commendable thing to do. As is bragging about it at a conference, while passing it off as a great achievement for national security. What this particular security firm was doing is despicable, and they deserve whatever they get, IMO.


You aren't taking into account the problems caused by this company doing shoddy work.


However, going after anon is also ruining lives.


Yep, I ask myself what HGBary thought would happen after they would give a list of "anonymous key members" to the FBI.


Surely, they view it as 'going after the bad guys', and no different than reporting data on any other 'bad' group.

Is what Anon did illegal, or at least in the ambiguous grey zone? Sure, but I feel personally that they are more like the Robin Hoods keeping others in check for the deeds of corporations which may be legal, but significantly less moral.


don't bait Anon and they'll leave you alone...in this case the firm has noone to blame but the founder.


Or.. if you are a security company, make sure as hell you know how to secure your company.


this is company. legal entity. if something like this will happen - bankrupt it and create new one with same people and same contacts.


Ok. For downvoters will try to clarify:

it's not lifes ruined but company ruined in this case. It's just fail, but not life fail. Nobody will die, get in prison for 300+ years, get sick, etc. Your company failed - start it over and do it right next time.


Security and forensic companies are built on individual reputations. The opinions put forth by expert witnesses have to be defensible in court. Your suggestion is unrealistic in its original context: once an expert witness's reputation is ruined, it's time to find a new field of work.


> At the heart of the matter, we are scientists investigating the truth.

yeah, tell that to yourself metasploit-cowboy :]


What firm are we talking about here exactly?


Oh, and check out this pastie: http://pastie.org/1535735

Social engineering. People are always the weakest link...


That must be fake. No sysadmin would possibly bite on such an exchange ("is our root password still ...?"). And not in a "security firm", of all things.

I'd elaborate further but gotta run for now, a prince from nigeria just contacted me with an important transaction.


Also, running a kernel built five years ago from the 2.4 series. Haven't there been some serious vulnerabilities in the last five years affecting 2.4?


> That must be fake. No sysadmin would possibly bite on such an exchange ("is our root password still ...?").

Then you don't know many "sysadmins". Generally the people working as admins are not the brightest.


not really that wouldn't have worked if they didn't hack the email first


It was simply spoofed, from what I understand.


Spoofing would be hiding the senders address, but something, either a hacked account or MITM attack, would need to happen to get the responses from the IT person.


whois 65.74.181.132 shows that they ssh'd into the webserver from another machine on hbgary's network, perhaps the mailserver. I believe it's really easy to do email MITM when you have a login to the mailserver or own a machine on the same subnet and put its NIC into promiscuous mode.


Couldn't you display the one email and use a separate Reply-To addy to get responses? (and hope no one notices)

This is not my forte I'm likely off.


Yes, and depending on the email client on the other end, the other person wouldn't even notice.

The only guard against something like this is SPF on the sender's domain and for the recipient's mail server to check (and enforce) SPF rules.


You could also use DKIM, you can see if message has been DKIM signed in Gmail by clicking "show more info" in webapp interface.

But seeing as this is security company why didn't they at least sign their messages using PKI/PGP certificates? And why would they keep their entire email on their webserver?


Ah, good catch.


People keep on getting hacked. Is it really that hard to prevent that from happening, or is this another case of widespread incompetence and "It won't happen to me" thinking?

EDIT: I've commented here before about the scary potential of the /b/ crowd if some of them ever tried to organize and become activists.


The short answer is that it is that hard to fully prevent it from happening. For practical purposes, IT security's job is to make it not worth the effort to break in.

And even if you've built a really secure system all it takes is one user with their daughter's name as their password to make it all moot.


> one user with their daughter's name as their password to make it all moot.

I see what you did there.


> And even if you've built a really secure system all it takes is one user with their daughter's name as their password to make it all moot.

If your security design allows anyone to SSH in to obtain significant system access using only a user selected password, it isn't "really secure."


likewise, you could prevent your users from creating such passwords.


What if you only have one "user" who only logs in through SSH using port knocking and all of the server's other communication with the rest of the net is through encrypted binary data in UDP packets with fixed-size fields?


Then you're fired because the server doesn't actually work.


Then you're fired because the server doesn't actually work.

If I were interviewing you, your answer would be considered nonsense and would cause you to not get hired in the first place. I actually need to write such a server for a product I'm working on. All it ever does is encrypted communications with other machines.


OK, you're right. You'd only be fired in the other 99.9% of cases, where servers have to support standard protocols and normal users.


99.9% of cases, where servers have to support standard protocols and normal user.

True. True for all small and big companies' IT. But if you are a security or even just a forensics firm, then you ought to be in the other 0.1%


I have to wonder why you consider port knocking to be a useful security-usability tradeoff. If SSH alone isn't "secure" enough for you, then adding a port knock doesn't actually lift it over that boundary.


I just feel better that most of the time, other parties won't be able to even see the actual port.


OK, so then forget your "super secure" server. I would instead focus on compromising one of the admin computers that has the "special user" ssh key and the port knock sequence; or maybe I will hit one of the servers communicating with this "secure" computer and see if you remembered to bounds check all the data coming in; maybe even see if you network stack has any exploits in its tcp/udp implementations while I am at it...


OK, so then forget your "super secure" server. I would instead focus on compromising one of the admin computers that has the "special user" ssh key and the port knock sequence

Juicy! [making notes to buy a laptop for the express purpose of logging into the server]

maybe I will hit one of the servers communicating with this "secure" computer and see if you remembered to bounds check all the data coming in

All fields are fixed length.


That sounds like a bad balance of usability to security.


The entire purpose of the machine is to manage session keys. Yes, this is part of a system that will make money. No, it's not a web app. Warning: answering programming/security questions as if web apps are the whole of computing won't win you points with everyone.


Well, for the highly specialized purpose that I didn't know about before you explained it in this comment, your solution works.


And for seeing if someone has the knowledge and imagination to come up with such a purpose, I think I've found a good filter.


Unlike benmathes, I'm going with "incompetence". The /b/ crowd hasn't shown much sophistication (yet) - then again, if this kind of straightforward social engineering works, why bother? (Seriously, a security firm that falls for "please drop the firewall and e-mail me the root password"?)


This is insane and should be cause for extreme suspicion.. As a sysadmin if someone asks you to do this, the correct response is "haha not likely", and at the very least confirm their identity - call them or something. Don't sent the password over email.


It might be that they have never been hacked in this way before, so they don't even consider it. Probably seen older employees do it when they were new giving them the impression that it's just how thing are done.


Not really the answer to the question, but this was the result of social engineering -> http://pastie.org/1535735

So, even if it was secure, in this case it would have happened..


I think if they required the use of a shibboleth or key phrase in the email they could have avoided this.

http://en.wikipedia.org/wiki/Shibboleth

http://en.wikipedia.org/wiki/List_of_shibboleths


But once you have access to a person's email, you could just go back through the history and look for past communications like this and mimic them. That's my guess about how they were able to ask specific questions about the root password.

Some method of verifying the requester's identity out of band (e.g. 'call me for the password') is really the only way to go.


>'call me for the password' is really the only way to go.

Nope.

"From what I hear - yes... My friends who worked for whitehat security companies would first try to hack staff before hacking servers. Best was to call up the ceo on his personal homephone every night at 3am, until they knew what he sounded like raving mad. Then they called up the admins doing a very good impression of the irate ceo demanding his passwords were reset there and then. Worked a stupid amount of times apparently..."

http://news.ycombinator.com/item?id=2067063


You kind of ignored my point about verifying the person's identity while you have them on the phone.

LAST EDIT: Fine. shibboleths, passwords, pins, safeword cards, emails, texts, callerid, voice, and face to face conversations are all great tools to use when trying to secure some asset. All I'm saying is Go out of band when you want to verify a person's identity. If you are emailing, call. If you are on the phone, and you don't trust them, call them back at their home. Or text them a code and ask them for the code. Or meet in a trusted place and take a DNA sample. Whatever is appropriate for the thing you are securing.

Sure, any of these methods can be compromised through social engineering, blackmail, theft, or violence. That's not the point.

If you care about a password, don't send it through the same channel that you use to verify the person that you are sending the password to. Shibboleths and ROT13ing won't solve the problem of knowing who you are talking to.


How would you identify the person on the phone? Their voice clearly isn't enough. Caller ID can be spoofed. With another password? What happens when they forget that as well? I guess you could require a face to face meeting to reset that password. But by having two alternative passwords, you have increased the attack surface. The user is much more likely to write the second "emergency" password down I expect.

Also, what happens when your helpdesk's VoIP system gets hacked in the same way that the email system got hacked in this case?


Only document the full procedure on paper, and forbid people from mentioning the full procedure except in person. If an admin gets an email asking for a password, they should reply with a fake password, and then await a call to give a real password. Or vice versa. If the person contacting them tries repeatedly, they should feign incompetence and / or laziness, escalating if it gets out of hand (even if escalating means passing to another equal-rank admin.)


Or just PGP encrypt any emails with root passwords or other details about your system.

Just make sure you decide before the emergency who needs to be trusted with that information, and be smart about how you exchange keys with everyone involved.


This is the right idea. A feedback loop is critical to hacking. If you take away the feedback loop it becomes nearly impossible.


>If you are on the phone, and you don't trust them, call them back at their home.

Didn't think of that. Great idea.


We used to do this when managing unreachable firewalls. Dial out to the modem attached to the firewall console and type in that modem's password. The remote modem drops our call, then dials us back with a console login prompt. So even if you had the password, you had to at least be dialing in from our phone line.


old school BBS callback verification!

Reminds me of these tricks: http://www.skepticfiles.org/cowtext/bbs/cbv.htm


A company with truly good security practices would put into place a protocol for transferring passwords over voice comms. I'm making a note right now.


Or, have an agreement that all password resets will be silently ROT13'd against what is requested.

So if you say "Can you reset my password to foobar" then your admin knows to actually set it to "sbbone."

They can then just send a normal reply saying "ok your password has been set to 'foobar'" and then as long as both parties remember the secret protocol, you are OK.

You could then also watch for login attempts using "foobar" to warn you of foul play.


That's mostly security by obscurity, in which you're bound to get burned.


Though it could be effective, assuming attacker WILL try non-translated version first. Basically run honeypot on default password: if successful login attempt then go into panic mode.

But seriously, the only password in SSH auth procedure should be the one you decode your private key with.


Could you elaborate?


The security of that system comes from hoping nbobody will guess your key exchange protocol. The security in real key exchange protocols comes from mathematics problems that would take more computer power than the universe has available to solve. So 'your way' is clearly inferior; the attacker guesses (or is told) that ROT13 is what's going on, and you're 0wned and you will never know. Problem.


Yeah this is really obvious now. When I wrote that, I didn't make the mental comparison to PGP or similar; obviously that provides actual cryptography with essentially the same information-exchange workflow.

Nothing educates like brainstorming in public and being shot down by experts, thanks :)


I think it really is that hard to prevent it from happening. Every organization/system is going to have vulnerabilities from time to time. If you are drawing the ire of those who want in, it's just going to be a matter of time. I really think the best way to secure yourself, is not to piss off folks like Anon.


There is nothing such as a perfectly secured system. There are just less and more secured systems.

The effort put in securing the system pretty much defines how much effort and ingenuity is required to penetrate it. Kind of a cat and mouse game or chess.


I'm reminded of the mitnick/tsutomu tales. I think Anon may be in for some hurt with a guy like Hoglund pissed at them. He's been on the front lines of security research for at least a decade.


I had the same thought. Hoglund is a bamf. It'll be interesting to see what goes down.


It is difficult. In this case I am sure they knew Anon will come after them and they were SURE they were secure. But when you play with fire you gona get burned


The most polite spin I can put on the cheering of these sorts of techniques, is that too many Hacker News members lack sufficient historical awareness to realize that these tactics are reminiscent of the public humiliation and crowd intimidation techniques employed by Italy's blackshirts in the 30s.

There are reasons why we have rule of law and courts. There are reasons why it is not acceptable for one group to retaliate against another group, no matter how strongly they may feel they are in the right.


the public humiliation and crowd intimidation techniques employed by Italy's blackshirts in the 30s

Aren't they just as comparable to the satirical press releases of the Yippies and (more recently) the Yes Men?

Your comparison seems to be a case of false equivalency.


"So it’s a case where the hackers break in on a non-important system, which is very common in hacking situations, and leveraged lateral movement to get onto systems of interest over time."

=

"We're too lazy to make sure each level of security is protected from the last."


My admiration for this group just went up another big notch. Very well played.


in the pdf anonymous posted of the research [1], several (if not the majority) of the names were unquestionably fake. how does this affect the integrity of the whole document?

additionally, how does this whole fiasco impact this agencies possibility of continuing work with the fbi in the future?

[1] http://hizost.com/d/zjb


Just to emphasize how fake some of the "identities" they uncovered are: The list implicates Guy Fawkes (http://en.wikipedia.org/wiki/Guy_Fawkes).


Uhh uhh, bad news for Karl Kot ("Karl Shit") and Daniel Düsentrieb (Gyro Gearloose).


right. and "Maxx Anu Infobomber", and "Kygon Infraction", and "Buckaroo Bonzai", and "Electromagentic Bomb", and "Wholly Subversive", and "Anonim Espana" (from Spain), and...


I'm sure you would appreciate "Guido la Vespa" which would sound in english like Guy Wasp, but is also italian for "I drive the Vespa (a kind of scooter)".

An approximately 50 year old joke.


> They also vandalized Barr's Twitter and LinkedIn accounts with harsh messages and personal data about Barr, such as his social security number and home address.

Ok, I respect what Anonymous is trying to do, but this is a step too far. I'm all for civil disobedience, but this crosses the line in my opinion.


Given that this is essentially what HBGary was going to do to them, it's actually a kind of poetic justice. Stupid, to be sure, but there's a method to the madness.


This wasn't justice. It was revenge. There's a difference. Justice accomplishes something. It keeps a bad person from doing bad things. Revenge only makes things worse. I mean, if Barr was going to turn over their information to the FBI before, he sure as hell is going to now. So what dis they accomplish by releasing Barr's personal info? Nothing, morally or practically.


I think you might be unfamiliar with the term "poetic justice." It doesn't really have anything to do with the justice system, per se — it's more closely related to the common conception of karma or the idea of "comeuppance." Poetic justice is unequivocally a tit-for-tat repayment for misdeeds, not the kind of deterrent you describe.

Also, they already released all the info themselves, so Barr giving it to the police would be redundant.


I know what poetic justice is. I'm reminded of an English professor who said that it was so-called because it only happens in poetry. :-)

Regardless, poetic justice is more about fate making the good guys get their reward while still being good and the bad guys get punished as a result of their actions. This isn't a case of fate. It's a case of someone (deliberately) posting someone's social security numbers online for everyone to see. Was that the just thing to do? I suppose that's debatable. But I don't think it meets the literary definition of poetic justice.


> This wasn't justice. It was revenge. There's a difference. Justice accomplishes something. It keeps a bad person from doing bad things. Revenge only makes things worse.

I disagree with your definitions. I would say justice is sanctioned legally, while revenge isn't. Aside from that, they're nearly indistinguishable. And given what is and isn't legally sanctioned by countries ("torture" for example), I think the difference is even less.


I'd say justice is more than legal punishment, it is punishment appropriate to the crime. If you steal from me and then I shoot and kill you, that's revenge but it's probably not justice.


Justice is meant to break the cycle of vengeance. Justice is based on objective morality whereas vengeance is based on feelings. Justice is what has cause western civilization to be so successful. On the other side you have dictators and despots.


Very cynical, and wrong. Revenge is carried out by the victim or someone who is emotionally attached. Justice is an objective third party, punishing based on evidence and an established standard which the offender has knowingly agreed to and broken. (By being a citizen of our country, you have implicitly agreed not to murder, for example, or by signing this contract, you explicitly agreed to complete the work.)

Sure, justice gets twisted on a regular basis. But that doesn't mean it doesn't exist, as a concept, as something different from revenge.


Regardless of the semantics, my point was that Anonymous hasn't accomplished anything aside from a feeling of satisfaction. Use whatever language you wish.


I don't think Anonymous has ever been concerned about crossing lines. In fact, you could say that crossing lines is their default mode of operation.

Their goal in this case is to discourage people from messing with them. I'd say that their actions may have achieved exactly that.


Agreed. They're taking part in dangerous work, with very little protection...the laws regarding the activities they participate in are ridiculously overpowered, and have occasionally landed teenagers in prison for years.

A scorched earth policy regarding those who come after them is pretty much the only rational course of action, given the consequences of being positively identified as taking part in those activities. They aren't equipped (nor are most of them of the disposition), to kill, physically intimidate, or otherwise silence people that cross them or hold evidence against them, as most organized crime groups or corrupt law enforcement officers do. So, they have to take extreme actions to prevent people from wanting to gather evidence against them. Intimidation via a constant stream of uneasy feelings about how much of your life they can and will reveal is generally pretty powerful.

It's also probably important that they stick close to the side of "right" enough of the time that it is unpopular to attack them, even if they occasionally cause some actual harm to people who maybe didn't deserve that level of harm.

In this case, though, I'd say this was a funny result. A lot of "security experts" are nothing of the sort, and are deserving of ridicule at the very least. If this prevents incompetent security contractors from suckling at the government teat, I'm all for it.


https://twitter.com/#!/aaronbarr/status/34508448984989696

> Via IRC: <MGMX> Posting his SSN number was way the hell over the line though. << Anonymous finds the line and then crosses it. #noregrets


"Their goal in this case is to discourage people from messing with them."

The goal is always the lulz. That's why they actually welcome people messing with them.


Taking it too far seems to be a hallmark of anon. Different people most likely did different things independently once the information started to flow.


Although I find the anons a bit creepy, in this case hats off to them. I find this move to be more or less equivalent to Wikileaks, so it's impossible to defend one and vilify the other. I actually think that it's much better for our society than Wikileaks since it exposes the type of clueless people/agencies that FBI pays (our) money to.

BTW, I'm a member (since a true anon would never reveal this, that's how you know I'm not one of them).


From http://www.thetechherald.com/article.php/201106/6785

"There was a distinction made that HBGary only owns 15-percent of HBGary Federal, and that attacking both was wrong, as one had nothing to do with the other. The networks shared many common elements, that they are only moderately related was irrelevant to Anonymous."

"In addition, there were several calls for Barr to be burned by HBGary, but given that he is a partner, that is unlikely. At this stage, HBGary’s response is unknown. At the time this article was written, aside from the conversations on IRC, there has been no official comment."


I love the writing as much as the quotes in this article.

"It would appear that security experts are not expertly secured,"

"It's unlikely that Anonymous cares about what Hoglund thinks"

I haven't laughed out loud at something I've read like this in a while.


Well done gentlemen. I don't give a fuck that I'm on that list. I use bounce email addresses and multiple, very difficult to crack passwords for a reason.

Good for exposing their 'security' company.


Don't these guys have something more productive to do with their time? Seriously, don't tell me 4chan is a freakin' political movement. If it really is, why don't they start by cleaning up the child porn that gets posted on their board daily?[1]

The "noble cause" they are supposedly defending is nothing but a pretext to go on their power trips.

[1] (NSFW) http://boards.4chan.org/b/


yeah, they should start working for the government to build intelligent drones that could hunt down those muslin terrorists around the world!


Anon hacks HBGary and all they get is a lot of already public information? Maybe Anon just stuck their hand in the honeypot...

Just thinking out loud.


If this is this the website: http://www.hbgary.com/ then it is even funnier.


Nope, that's not the company website. Company website is at http://www.hbgaryfederal.com/ and is currently down.


Anonymous begins to remind me of the rabbit from Vernor Vinge's "Rainbows End"...



how is this link not related to this story...vote me down more jackasses


Ladies and gentleman, the definition of pwnd.


This is like the Fight Club of the internets!


if I may ask why the downvote?


Because you're not supposed to talk about it.


hahahahaha this is frickin unbelievable, I get downvoted but the guy who says not to talk about the fight club is upvoted like crazy - so THIS is the FIGHT CLUB!


and seriously screw you guys downvoting me (sorry for being douchy) - but it is really irritating to get downvoted without being told why


Your post had little substance, and using the phrase "the internets" certainly didn't help.




Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: