Building a Better Anonymous – Details
By Josh Corman & Brian Martin
If you are new to this series, please begin with Part 0 and the index.
NOTE: We will post each installment here for the security industry to garner feedback for about one week prior to posting to Forbes.com and a more mainstream and business readership. Please comment toward improving/clarifying the content.
Building Upon the Foundation
Previously, we outlined a method for creating a new foundation for Anonymous or similar groups. The proposed foundation is based on defining explicit goals, a code of conduct, and streamlining the process. Here we further flesh out “streamlining”. A key element to “building a better” Anonymous is that of a defined path of conflict escalation. Until Anonymous, or any other activist group, adopts that principle, we’re stuck with a relatively chaotic group of actors that frequently impact government, business, and society negatively – often without even meeting their own goals. In this article, we will focus on a few of the group’s key areas for improvement, and detail why it is critical for them to change. As with many causes, it is inevitable that perceived unjust laws will eventually be broken to achieve a stated goal – a matter of ‘when’, not ‘if’. A better and more impactful group would see this as a last resort – and then only when justified by its just first principles.
As it stands, the group Anonymous has demonstrated they are a force to be reckoned with, or at least respected. Whether that respect is based on fear or admiration simply doesn’t matter right now, although respect should ultimately be earned. It is also clear that, for better or worse, the group is not going to disappear any time soon. While law enforcement and corporations struggle to come up with plans for dealing with them, Anonymous will continue on, evolving as needed.
One thing society cannot do is ignore the group. Ignoring their activity, even in mainstream or social media coverage, will not make them go away. Insulting or dismissing the group will only provoke some of them. Thus, the logical route is to not only talk about the group, but to do so in a constructive manner. This may be counterintuitive to some professionals, especially ones that maintain any positive attention is a “BAD THING®©™”. That thinking is archaic and dangerous.
Having discussions about making a perceived adversary better or more difficult to deal with may initially seem unreasonable. In reality, those discussions are equally beneficial to the persons that must deal with the adversary. Anticipatory and proactive thinking leads to creating defenses and solutions before problems become unmanageable. In this case, a discussion on improving Anonymous not only helps to prepare, but hopefully serves to influence Anonymous members to achieve their goals in a manner that creates less collateral damage. That is a win for all sides of the equation.
For Anonymous, this article should appeal to their rational self-interests. Improving their methodology and philosophy will help them improve their batting average, so to speak. Rather than ‘striking out’ so often in the eyes of the public, more operations and activities will appeal to more people and have more lasting effect. Operations that can be accomplished without breaking the law and/or with minimal collateral damage will help deflect/reduce law enforcement attention. Further, an improved group will help to quell infighting and potentially increase the quantity and quality of the recruiting base.
Finally, if the last paragraphs did not appeal to a rational side, let us warn the rest of you. This type of thinking is not new. Anonymous, and the next group similar to them, are always thinking of ways to improve. It is human nature, and it cannot be avoided. In short, this article and the rationale behind it are a reality; you must deal with it. If you’re still not sure you want a “better” Anonymous, would you prefer a worse one?
One of the most damning weaknesses of Anonymous is the disparity between their intended targets and actual victims. When striking out at an entity that has wronged the public, it is critical that the attack affect them, and only them. This is probably the single biggest mistake Anonymous continues to make, and it increasingly hurts their cause and lessens public support each time it occurs. Rather than being supported for what they do, they are branded as criminals and terrorists, instead of the Robin Hoods many members see themselves as. Time after time, Anonymous ends up hurting the public as much or more than their intended target, when leaking user and customer data. While this shows a level of insecurity in their target, the end result is that the average citizen is hurt. For the user who just had their personal information leaked, that is what they will remember; not the purpose of the ‘Op’ or what the target did wrong.
Looking at recent news, the list of Anonymous activities that resulted in the disclosure of user/customer information is depressing. These include attacks against law enforcement that also disclosed citizen information in an amnesty program for outstanding municipal offense warrants, a protest against Bay Area Rapid Transit (BART) that also leaked MyBART.org customer data, dumping information of LABusinessConnect.com members, as well as posting the e-mail addresses and passwords of Writerspace members. These are not government employees, military soldiers, or law enforcement. These are regular people caught up in Anonymous’ war on anything that strikes their mood. Oftentimes, Anonymous will compromise a site, view the data, and only afterwards come up with a justification for their actions (e.g., LABusinessConnect.com led them to find information on an ‘adult staffing’ firm).
Moving forward, a better group must remove the collateral damage from their operations. If a site is compromised and (if) data must be leaked to prove a point, do it in a fashion that only hurts the intended target. For example, dump the technical information on the system and the first 50 user/customer records, but redact the information to protect them. Leak enough information for a journalist to be able to validate the operation, but not enough to make the users victims of identity theft or harassment. This will force the company or agency’s hand in improving security and force them to follow data breach laws, while still ultimately achieving your goal. Even this point assumes that such a breach is necessary at all, or the most impactful way to achieve your objectives.
OpSec: Social Media Cuts Both Ways
Social media is perhaps the most powerful weapon in Anonymous’ arsenal. It gives them access to millions of people for real-time updates on activity and propaganda. In some cases, social media is used to organize and coordinate operations. In almost every case, it is then used to disseminate information about the target and the reasons for the activity. Without these platforms, Anonymous would be completely at the mercy of journalists who dug for information and opted to write about them.
In the digital world, where anonymity is crucial to daily operation, social media platforms like Twitter, Facebook, or Tumblr are also a recipe for disaster. These “free” services operate because “If you are not paying for it, you’re not the customer; you’re the product being sold” (source). Aggregated data on social media users is a powerful tool in the hands of advertisers and law enforcement. For every Facebook post, for every Tweet, for every word choice or manner of typing… a better social profile can be built on those participating. These profiles are the first line of investigating who is behind an online identity. With the arrests of several alleged Anonymous members over the last year, and increasingly larger busts happening since, it is safe to say that many involved are not practicing good Operational Security (OpSec).
Good OpSec not only involves a wide variety of technical precautions like using proxies and public WiFi, but also involves being extremely careful in what details are included. Seemingly innocuous comments can quickly be turned against a person, especially when considered in the bigger picture. The time of day, mention of weather, connectivity, ISP outages, and other social remarks can be used in conjunction with image metadata, IP addresses, and software choices to narrow down suspects. Once a person is in custody, those same details can help confirm or eliminate them as a suspect. For Anonymous to keep going strong, they must better understand not only OpSec, but how law enforcement works, and what information is made available. As we recently saw, it only takes a single slip-up in OpSec to lead to a bust, sometimes as innocuous as using a single image.
More important than established members maintaining their own operational security is that they teach prospective members the same. For example, in 2010, Brian Mettenbrink was jailed for a year and ordered to pay $20,000 in compensation to the Church of Scientology for his part in Operation Chanology. Later, in the We Are Legion documentary, Mettenbrink explains how he naively downloaded a tool for denial of service attacks, put in an IP, and hit ‘attack’, as instructed by Anonymous. He was not told what the tool did, that he could be easily tracked, or that it had serious repercussions. He is one of many that some see as Anonymous’ cannon fodder. While some Anon members have tried to help newcomers (e.g., Op Newblood), it is too little and often too late.
Regardless of how good an operative is, they can still succumb to failed OpSec and other elements of social human behavior. The best operatives and groups have been busted or infiltrated, so the goal is to raise the bar for would-be adversaries. Anonymity may have benefits to those who wish to work outside of the law, but maintaining said anonymity is hard (very hard) and comes with costs. Paying these costs is especially a shame when transgressions were either unnecessary or of lower impact than intended.
Open Model and Infiltration
The open model of Anonymous, based on loose collaboration, is a great strength. At the same time, it is also a potentially crippling weakness. Like most things, there are trade-offs. With no real bar for membership, anyone can approach the group through a variety of channels and claim to be a supporter. This creates a perfect avenue for infiltration due to the lack of a vetting process. There are at least three distinct times this has been used against Anonymous, whether successful or not.
The most notable occurrence was that of Aaron Barr, ex-CEO of HBGary Federal, who told the media that he had analyzed Anonymous IRC channels along with social media to figure out some of the leaders. Barr began publicizing the information without revealing exact names, leading to an article in the Financial Times. The story of what happened after, and the downfall of Barr, has been well covered, but it reminds us that very basic infiltration led to the reconnaissance.
A second incident, not directly aimed at Anonymous but undoubtedly affecting some members, was Tom Ryan and Occupy Wall Street (OWS). Ryan joined a mailing list created for the organization and coordination of OWS efforts. With that access, he received a considerable amount of details about protesters, leaders, and more. Ryan leaked those emails to blogger Andrew Breitbart, who subsequently used them in an attempt to brand OWS participants as anarchists. Email is notoriously insecure, both in transit and as a target for hackers to access. Operating a mailing list where anyone can join is almost guaranteed to ensure the information is shared with others beyond the list.
The most recent incident led to suspected Anonymous members getting arrested. Police arrested 25 people across four countries in an Interpol-coordinated bust of people alleged to have been involved in attacks against Colombian and Chilean web sites. Shortly after the arrests, members of Anonymous in Spain posted a blog saying that the busts were a result of being infiltrated. The blog said that due to “carelessness” and “[giving] personal details to spies and people who were not members”, the police were able to determine the identity of many members. According to Anonymous, those busted were also all members of an Anonymous site (anonworld.info) created for discussing activities. This does not even begin to address the threat of so-called “trusted” members, such as a de facto leader and spokesperson named Sabu, who became an FBI informant for a year after getting busted.
Contrary to the idea of Anonymous, one way to help avoid infiltration in the future is to have established and trusted relationships with other members. This should be organized in a decentralized manner where any one member does not know details beyond a few other members. All of this goes back to maintaining good OpSec in order to provide as much protection for those involved as possible. While many anons cherish the open, flat, low barrier to entry, these benefits also come with an upper bound on effectiveness and a proneness to infiltration. This doesn’t even touch upon the imposters and false flags we mentioned in Part 4 – nor speak to outside players attempting to steer and manipulate the pack toward their own selfish ends.
Disinformation: Friend or Foe?
The art of disinformation is versatile. It can tie into proper OpSec, in that providing intentionally misleading or incorrect information can help protect you. Peppering a Twitter feed with subtle, but purposefully crafted ‘facts’ about the poster can re-frame and begin to throw off social profilers. Co-opting unsuspecting people to wear the Guy Fawkes mask or replace their Twitter avatar with an Anonymous-themed image can add confusion by giving a wide range of additional targets your adversary must take interest in. Clever campaigns designed to give the illusion that your most outspoken critics are secret members of the group are just the start of how disinformation can become a weapon.
On the other hand, disinformation at the wrong time can completely undermine your efforts and call into question the small bits of integrity you rely on. For example, the recent publishing of over five million emails taken from Stratfor was immediately called into question when news of the Stratfor CEO resignation was quickly denied by the company. The leaked email claiming the CEO was resigning was likely disinformation, but the question is from whom? If it came from Anonymous, then they undermine their own credibility in what may be an attempt to force the CEO to resign. If it came from Stratfor, then this is a perfect example of how disinformation can be used against Anonymous.
In Part 5, we discuss a new framework for Anonymous or subsequent groups. One of the core strengths of the proposed model is to help a group set forth a statement of principles, code of conduct and operational parameters. With these defined in advance, disinformation used against the group is more easily challenged and refuted. Combating false flags may become one of the biggest issues Anonymous faces moving forward.
Ready – Fire – Aim!
The “hacktivist” phenomenon of ‘belated justification’ is not exclusive to Anonymous. For many years, a wide range of hackers have scoured the Internet looking for vulnerable systems. In many cases, they scan hundreds of thousands of systems looking for a handful of easily exploited vulnerabilities. As they find vulnerable systems, their personal agenda takes over. For some, they immediately look to see if there is a web server running in order to deface the web page. For others, they immediately look to see if there is a trove of sensitive information for personal gain or public disclosure.
Only after that do the hackers justify their actions. If it happens to be a government server, the justification of “anti-government” comes easy. In other cases, it may be a stretch, as a mom-and-pop business finds itself the victim of a “lesson in security”. These high-level explanations are examples of popular “go-to” justifications for criminal activity. Without vetted incident data it is hard to qualify how often this happens, but based on one author’s personal experience researching and communicating with hackers, this is certainly a prevalent theme over the last 12 years.
Anonymous must consider their targets, and then act. By calling out a company or government body in advance of an attack, it removes any doubt that attacks are justified ex post facto or simply lucky. If there is concern that such announcements may make subsequent attacks more difficult, there are a variety of methods to establish that a target was called out in advance, without publication. Sending a letter to a journalist organization that does not typically cover Anonymous-related news, or PGP signing a message with a shared key to establish a time/datestamp, are both effective without tipping your hand. Over time, this practice has the added benefit of giving legitimacy to the group’s ability to selectively target and carry out threats of hacktivism. Such a history could conceivably be used to encourage a target organization to “change their evil ways”, in order to avoid an attack that they are sure will succeed.
“Mercy is for the Weak”
It is not a requirement that Anonymous rules with fear and a refusal to forgive. The package deal of these choices may ultimately prove to be self-defeating. Regardless, they clearly have been using fear. Unless Anonymous is falling victim to a case of rhetoric, then those that they oppose are the enemy. As our favorite 80s bad guy teaches us, “an enemy deserves no mercy”. Anonymous has done a decent job keeping this credo, but it bears repeating. Many will think that disclosing customer records or defacing a web page sends a clear message, or that more prolonged ops definitively state their position. True, perhaps, but preliminary evidence suggests companies quickly recover from breaches, financially speaking. Other than a short-term ‘win’ in the form of a media black eye, Anonymous needs to keep the pressure on to make their point. Pressure in this case still adheres to our previously stated “defined path of conflict escalation”, where it does not necessarily mean illegal activity. Lasting change is more “campaign” than “op”, more strategy than tactic, and will by necessity require that the group does “fewer things, better”. Such pressure can be achieved in at least two ways.
First, a given operation against a target should not be thought of with a defined start and end. If a corporation or government agency is doing ‘wrong’, you can be assured they are doing that same ‘wrong’ for the long haul. Taking a lump along with their time in the press will pass, and many entities already rely on this fact. Instead, just as the heat seems to die down, Anonymous could hit them again, but harder and longer. Winning a war means a decisive victory in the eyes of your enemy. Your enemy must know with certainty that you will be there to punish them day in and day out. Only then, will they consider changing their ‘evil’ ways.
Second, the fear of retaliation can be a strong weapon. Anonymous already has an ample history of retaliation, such as their attacks on Interpol, defacement of the Boston Police web site, and DDoS attacks related to the MegaUpload takedown. Anonymous can benefit from a better public presence regarding this history, along with the promise that more retaliation hacks will occur if organizations do ‘wrong’. Law enforcement won’t give Anonymous a pass, but they may eventually begin to choose their takedowns carefully, and reconsider the subsequent press frenzy that follows. Corporations that are prone to support ridiculous legislation may begin to reconsider their endorsement of controversial politics. Today, some pockets within Anonymous already enjoy this reputation in some industries.
Building in Reality
Along the lines of maintaining good OpSec, Anonymous needs to tap into one of their greatest strengths: numbers. A handful of members doing the heavy lifting with thousands of glorified cheerleaders isn’t an effective use of support. Strength comes from quality, not just quantity. Tapping into the idea of Operation NewBlood (an operation designed to train new members how to better secure/anonymize their activities), educating members on how to better help achieve goals is crucial. Rather than see the large number of prospective members as cannon fodder, help turn them into members that can contribute more effectively. This is a model successfully used for decades in hacking crews – where mentoring would teach you both your skills and your code of conduct. As one example, this idea could be leveraged to use hundreds or thousands of people to do remote reconnaissance of a company in such a way that any one person is not breaking a law. Using the combined results, operations can be planned better, attacks can be more precise, and the chance of collateral damage minimized.
Along with training Anonymous members in the ideas of hacktivism, the older members must look at their organization like any other. New users unfamiliar with technology are more likely to blindly install software without considering the risk to themselves, their systems, or their fellow members. In recent months, Anonymous members have been tricked into installing trojans on more than one occasion. The lack of authoritative information sources for the groups may protect some members, but it opens the door for a greater number of members to be targeted. These members risk punishment from third parties or law enforcement, and ultimately will end up disillusioned with Anonymous.
These are just examples of issues that Anonymous will grapple with and attempt to manage over time. Looking to improve the effectiveness of any group is a good thing, but mileage will vary by group, sub-group, and operation. If done correctly, the end result will leave the group with all of its strengths, and fewer weaknesses. Most importantly, such changes will do a lot to win the hearts and minds of the public, force targets to take the group more seriously, and ultimately effect more positive change.
Your turn… What would you do to make such a future group or offshoot more effective and consequential?
Copyright 2012 by Josh Corman and Brian Martin. Permission is granted to quote, reprint or redistribute provided the text is not altered, appropriate credit is given and a link to the original copy is included. Custom graphics courtesy of Mar – sudux.com.
Should you feel generous, please donate a couple of bucks on our behalf to any 501(c)(3) non-profit that benefits animals or computer security.