What interests me most about Anonymous is the fact that it's actually two groups: the small group of technically-competent individuals, and the LOIC script-kiddie griefer minions who can be dispatched at will. The griefers get the media attention and do it "for the lulz", while the folks with actual skills penetrate systems and expose private information. If I had to guess, I'd say that HBGary got a little information on a bunch of the griefers, and near nothing on the people who can do real damage.
If I were a hacker, Anonymous - that is, the 4chan script-kiddie bunch - would make for incredible front line. They generate an unbelievable amount of noise, and a very particular kind of hacker-ish noise, which I'd imagine is fantastic for redirecting attention and covering tracks as necessary. The recent FBI raids, for example. http://news.yahoo.com/s/afp/20110128/tc_afp/britainarrestwik...
So as long as you can convince impressionable young people that some entity is acting against Freedom, you will be able to mobilize them to give you cover for your activities.
You can't buy stolen stuff. If the FBI wants to use the stuff they may still have to pay for it.
Besides deals at that level are all political and given to their buddies. The person who gave the deal to HBGary is going to still fork over the money since what is a few $M between friends esp when they are not your $M.
Regardless of whether or not the information is handed over by Anonymous to the FBI, the company will get paid. There is a contract between the government and the contractor, and it will be upheld. It is embarrasing for the company but really this move won't change anything financially for either party.
I'm pretty sure it doesn't work that way and not because of "HBGary are friends with the FBI" as the other posters seems to think... HBGary probably have a contract with the FBI where the FBI pays either anyway or based on the results (probably the latter). Notice however that based on the results here is based on the results of HBGary only, unless there is false data in the results.
Think of it this way - if the FBI contracted HBGary and HBGary did all the work and gave it to the FBI only to find out that the FBI contracted a second group at half the price and now refuses to give money to HBGary - would it seemed fair/probable that such a contract have been signed?
> The lack of quality in Aaron Barr's undertaken research is worth noting. Aaron Barr missed a great deal of information that has been available online, and in fact failed to identify some of those whose identities were never intended to be hidden.
> It is also worth noting that Aaron Barr was also providing this documentation as an example of investigation protocol. This would introduce a systematic flaw to the FBI's investigative woodwork. The risk of institutionalising a flawed procedure exponentiates a problem, and it does so at the taxpayers expense in every sense. Had the FBI indeed bought this information from HBGary Federal, it would have been paid for by taxpayers money, and many innocent people would have been marked as leaders in actions they may not even have been associated with.
Even so, I'd say bombs on a plane still would incite a type of fear that's impossible to instill through cracking secure networks. Of course, lives could be endangered by cracking network infrastructure, especially as we become more reliant on it, but I'd argue that the average person is disconnected enough from the concept to not be emotionally affected or angered by it. At least until there's a really big incident on the level of Chernobyl that causes people to irrationally distrust networks no matter how good network security gets, similar to how some people irrationally distrust nuclear power plants today, no matter how safe they may have become.
It's kind of gross the admiration people are expressing here. I work for a security firm that does work with all kinds of organizations. At the heart of the matter, we are scientists investigating the truth. If a break-in occurred, who was responsible, and what was compromised? If someone is being charged with distribution of child pornography, did they willfully download and distribute it, or was it part of a wide net that was cast to download a whole bunch of porn at once? This DDoS occurred: who was responsible? You have security in place: is it sufficient to protect the data in an appropriate manner?
We are a small firm. Our yearly revenue is probably nearly $1-1.5 million. Including the founder, we have eight people employed: a mother of two, three people who have poured over ten years of their lives into building the company to its current level, a cancer survivor still undergoing treatment, and three others who are doing good work while making ends meet and paying down school loans.
Something like this happening to our company, an event that led to $1MM+ in losses, would wipe us out. It would end a company that provides a valuable service to dozens of law firms and other organizations (colleges, hospitals, local political entities, etc.) each year. It would immediately put eight people out of work and negate 50+ man-years of effort.
Call me crazy, but I am not patting these guys on the back. It's all fun and games until you're ruining lives.
It's all fun and games until you're ruining lives.
This was never fun and games for the causes Anonymous has championed: Wikileaks, Egyptian and Tunisian protestors, etc.
Anonymous, despite it's origins, is a political movement centered around the cause of internet freedom. That's not a matter of fun and games, and I support Anonymous because of that.
In other words, if given the choice between a political movement fighting for an ideal I support, and the ability of a corporation to maintain it's revenue stream, I'm going to fall in support of the political movement most of the time.
Destroying a company that both takes government security contracts, and also drops the firewall and gives out the root password after an email request is a public service. Such a company is a danger to the safety of every citizen in america and beyond. A lot more than eight lives could be ruined if they had been investigating organised crime or terrorism instead of anon.
I have nothing against security firms or their work, but
> At the heart of the matter, we are scientists investigating the truth.
No, you're not. You're consultants doing analytical work. I'm not arguing that one is intrinsically more worthwhile or valuable than the other, but post-hoc security analysis is not science.
In this particular case, anonymous is implicitly raising the question that if a security firm can't even secure their own web presence, their internal emails, and the data that they've gathered on an FBI contract, then how could their data and conclusions be trusted? Regardless of whether the employees of any particular security firm are sympathetic individuals, and whether being hacked would incur significant financial loss, you'd hope that a security firm would be, you know, secure.
Of course, waking up some kids and their parents and holding them at gunpoint is a commendable thing to do. As is bragging about it at a conference, while passing it off as a great achievement for national security. What this particular security firm was doing is despicable, and they deserve whatever they get, IMO.
That must be fake. No sysadmin would possibly bite on such an exchange ("is our root password still ...?"). And not in a "security firm", of all things.
I'd elaborate further but gotta run for now, a prince from nigeria just contacted me with an important transaction.
People keep on getting hacked. Is it really that hard to prevent that from happening, or is this another case of widespread incompetence and "It won't happen to me" thinking?
EDIT: I've commented here before about the scary potential of the /b/ crowd if some of them ever tried to organize and become activists.
The short answer is that it is that hard to fully prevent it from happening. For practical purposes, IT security's job is to make it not worth the effort to break in.
And even if you've built a really secure system all it takes is one user with their daughter's name as their password to make it all moot.
The most polite spin I can put on the cheering of these sorts of techniques, is that too many Hacker News members lack sufficient historical awareness to realize that these tactics are reminiscent of the public humiliation and crowd intimidation techniques employed by Italy's blackshirts in the 30s.
There are reasons why we have rule of law and courts. There are reasons why it is not acceptable for one group to retaliate against another group, no matter how strongly they may feel they are in the right.
"So it’s a case where the hackers break in on a non-important system, which is very common in hacking situations, and leveraged lateral movement to get onto systems of interest over time."
=
"We're too lazy to make sure each level of security is protected from the last."
in the pdf anonymous posted of the research [1], several (if not the majority) of the names were unquestionably fake. how does this affect the integrity of the whole document?
additionally, how does this whole fiasco impact this agencies possibility of continuing work with the fbi in the future?
> They also vandalized Barr's Twitter and LinkedIn accounts with harsh messages and personal data about Barr, such as his social security number and home address.
Ok, I respect what Anonymous is trying to do, but this is a step too far. I'm all for civil disobedience, but this crosses the line in my opinion.
Given that this is essentially what HBGary was going to do to them, it's actually a kind of poetic justice. Stupid, to be sure, but there's a method to the madness.
Taking it too far seems to be a hallmark of anon. Different people most likely did different things independently once the information started to flow.
Although I find the anons a bit creepy, in this case hats off to them. I find this move to be more or less equivalent to Wikileaks, so it's impossible to defend one and vilify the other. I actually think that it's much better for our society than Wikileaks since it exposes the type of clueless people/agencies that FBI pays (our) money to.
BTW, I'm a member (since a true anon would never reveal this, that's how you know I'm not one of them).
"There was a distinction made that HBGary only owns 15-percent of HBGary Federal, and that attacking both was wrong, as one had nothing to do with the other. The networks shared many common elements, that they are only moderately related was irrelevant to Anonymous."
"In addition, there were several calls for Barr to be burned by HBGary, but given that he is a partner, that is unlikely. At this stage, HBGary’s response is unknown. At the time this article was written, aside from the conversations on IRC, there has been no official comment."
Well done gentlemen. I don't give a fuck that I'm on that list. I use bounce email addresses and multiple, very difficult to crack passwords for a reason.
Don't these guys have something more productive to do with their time? Seriously, don't tell me 4chan is a freakin' political movement. If it really is, why don't they start by cleaning up the child porn that gets posted on their board daily?[1]
The "noble cause" they are supposedly defending is nothing but a pretext to go on their power trips.
[+] [-] smbwrs|15 years ago|reply
If I were a hacker, Anonymous - that is, the 4chan script-kiddie bunch - would make for incredible front line. They generate an unbelievable amount of noise, and a very particular kind of hacker-ish noise, which I'd imagine is fantastic for redirecting attention and covering tracks as necessary. The recent FBI raids, for example. http://news.yahoo.com/s/afp/20110128/tc_afp/britainarrestwik...
[+] [-] lsb|15 years ago|reply
That seems true in other circumstances also.
[+] [-] wh-uws|15 years ago|reply
They raided a kid at my university and all he was doing was administrating one of the IRC channels
[+] [-] RK|15 years ago|reply
[+] [-] JonnieCache|15 years ago|reply
As ill advised as messing with the FBI may be, this is a masterstroke. Hats off.
[+] [-] jayzee|15 years ago|reply
Besides deals at that level are all political and given to their buddies. The person who gave the deal to HBGary is going to still fork over the money since what is a few $M between friends esp when they are not your $M.
[+] [-] adn37|15 years ago|reply
Come on, we are talking about the rootkit.com guys. Not taking side is one thing, taking the opposite side is a completely different one.
Pretty much everything I learned for fun about rootkits, I learned it thanks to these guys.
I am speechless.
[+] [-] krschultz|15 years ago|reply
[+] [-] maayank|15 years ago|reply
[+] [-] unknown|15 years ago|reply
[deleted]
[+] [-] steveklabnik|15 years ago|reply
Then, the 'actual' press release: http://anonnews.org/?p=press&a=item&i=378
Some choice bits:
> The lack of quality in Aaron Barr's undertaken research is worth noting. Aaron Barr missed a great deal of information that has been available online, and in fact failed to identify some of those whose identities were never intended to be hidden.
> It is also worth noting that Aaron Barr was also providing this documentation as an example of investigation protocol. This would introduce a systematic flaw to the FBI's investigative woodwork. The risk of institutionalising a flawed procedure exponentiates a problem, and it does so at the taxpayers expense in every sense. Had the FBI indeed bought this information from HBGary Federal, it would have been paid for by taxpayers money, and many innocent people would have been marked as leaders in actions they may not even have been associated with.
[+] [-] kbutler|15 years ago|reply
As society becomes increasingly reliant upon network infrastructure, those who oppose society will increasingly target that infrastructure.
When terrorists can cause billions of dollars of losses by hacking the airlines, why bother trying to smuggle weapons on planes?
When opposing nations can cripple military and economic infrastructure through computers, why bother developing nuclear weapons?
We are rapidly entering a world where our computing infrastructure is both our most critical and our most vulnerable asset.
"Speak softly" is completely insufficient without the "carry a big stick" part.
kb
[+] [-] PakG1|15 years ago|reply
[+] [-] BrandonM|15 years ago|reply
We are a small firm. Our yearly revenue is probably nearly $1-1.5 million. Including the founder, we have eight people employed: a mother of two, three people who have poured over ten years of their lives into building the company to its current level, a cancer survivor still undergoing treatment, and three others who are doing good work while making ends meet and paying down school loans.
Something like this happening to our company, an event that led to $1MM+ in losses, would wipe us out. It would end a company that provides a valuable service to dozens of law firms and other organizations (colleges, hospitals, local political entities, etc.) each year. It would immediately put eight people out of work and negate 50+ man-years of effort.
Call me crazy, but I am not patting these guys on the back. It's all fun and games until you're ruining lives.
[+] [-] michaelchisari|15 years ago|reply
This was never fun and games for the causes Anonymous has championed: Wikileaks, Egyptian and Tunisian protestors, etc.
Anonymous, despite it's origins, is a political movement centered around the cause of internet freedom. That's not a matter of fun and games, and I support Anonymous because of that.
In other words, if given the choice between a political movement fighting for an ideal I support, and the ability of a corporation to maintain it's revenue stream, I'm going to fall in support of the political movement most of the time.
[+] [-] JonnieCache|15 years ago|reply
Harsh but I think true.
[+] [-] icedpulleys|15 years ago|reply
> At the heart of the matter, we are scientists investigating the truth.
No, you're not. You're consultants doing analytical work. I'm not arguing that one is intrinsically more worthwhile or valuable than the other, but post-hoc security analysis is not science.
In this particular case, anonymous is implicitly raising the question that if a security firm can't even secure their own web presence, their internal emails, and the data that they've gathered on an FBI contract, then how could their data and conclusions be trusted? Regardless of whether the employees of any particular security firm are sympathetic individuals, and whether being hacked would incur significant financial loss, you'd hope that a security firm would be, you know, secure.
[+] [-] nzmsv|15 years ago|reply
[+] [-] ciscoriordan|15 years ago|reply
[+] [-] tibbon|15 years ago|reply
[+] [-] vaksel|15 years ago|reply
[+] [-] hippich|15 years ago|reply
[+] [-] leon_|15 years ago|reply
yeah, tell that to yourself metasploit-cowboy :]
[+] [-] catnip|15 years ago|reply
[+] [-] steveklabnik|15 years ago|reply
Social engineering. People are always the weakest link...
[+] [-] moe|15 years ago|reply
I'd elaborate further but gotta run for now, a prince from nigeria just contacted me with an important transaction.
[+] [-] vaksel|15 years ago|reply
[+] [-] unknown|15 years ago|reply
[deleted]
[+] [-] stcredzero|15 years ago|reply
EDIT: I've commented here before about the scary potential of the /b/ crowd if some of them ever tried to organize and become activists.
[+] [-] benmathes|15 years ago|reply
And even if you've built a really secure system all it takes is one user with their daughter's name as their password to make it all moot.
[+] [-] freescale|15 years ago|reply
There are reasons why we have rule of law and courts. There are reasons why it is not acceptable for one group to retaliate against another group, no matter how strongly they may feel they are in the right.
[+] [-] michaelchisari|15 years ago|reply
Aren't they just as comparable to the satirical press releases of the Yippies and (more recently) the Yes Men?
Your comparison seems to be a case of false equivalency.
[+] [-] unknown|15 years ago|reply
[deleted]
[+] [-] mkr-hn|15 years ago|reply
=
"We're too lazy to make sure each level of security is protected from the last."
[+] [-] evo_9|15 years ago|reply
[+] [-] catshirt|15 years ago|reply
additionally, how does this whole fiasco impact this agencies possibility of continuing work with the fbi in the future?
[1] http://hizost.com/d/zjb
[+] [-] chc|15 years ago|reply
[+] [-] j_baker|15 years ago|reply
Ok, I respect what Anonymous is trying to do, but this is a step too far. I'm all for civil disobedience, but this crosses the line in my opinion.
[+] [-] chc|15 years ago|reply
[+] [-] endtime|15 years ago|reply
Their goal in this case is to discourage people from messing with them. I'd say that their actions may have achieved exactly that.
[+] [-] flatline|15 years ago|reply
[+] [-] Jun8|15 years ago|reply
BTW, I'm a member (since a true anon would never reveal this, that's how you know I'm not one of them).
[+] [-] light3|15 years ago|reply
"There was a distinction made that HBGary only owns 15-percent of HBGary Federal, and that attacking both was wrong, as one had nothing to do with the other. The networks shared many common elements, that they are only moderately related was irrelevant to Anonymous."
"In addition, there were several calls for Barr to be burned by HBGary, but given that he is a partner, that is unlikely. At this stage, HBGary’s response is unknown. At the time this article was written, aside from the conversations on IRC, there has been no official comment."
[+] [-] pdenya|15 years ago|reply
"It would appear that security experts are not expertly secured,"
"It's unlikely that Anonymous cares about what Hoglund thinks"
I haven't laughed out loud at something I've read like this in a while.
[+] [-] hysterix|15 years ago|reply
Good for exposing their 'security' company.
[+] [-] olalonde|15 years ago|reply
The "noble cause" they are supposedly defending is nothing but a pretext to go on their power trips.
[1] (NSFW) http://boards.4chan.org/b/
[+] [-] unknown|15 years ago|reply
[deleted]
[+] [-] stuhacking|15 years ago|reply
Just thinking out loud.
[+] [-] jayzee|15 years ago|reply
[+] [-] solutionyogi|15 years ago|reply