Guy Fawkes Joker (Artwork by Mar – sudux.com)

Guy Fawkes Batman (Artwork by Mar – sudux.com)

Building a Better Anonymous – Details

By Josh Corman & Brian Martin

2012

If you are new to this series, please begin with Part 0 and the index.

NOTE: We will post each installment here for the security industry to garner feedback for about one week prior to posting to Forbes.com and a more mainstream and business readership. Please comment toward improving/clarifying the content.

Building Upon the Foundation

Previously, we outlined a method for creating a new foundation for Anonymous or similar groups. The proposed foundation is based on defining explicit goals, a code of conduct, and streamlining the process. Here we further flesh out “streamlining”. A key element to “building a better” Anonymous is that of a defined path of conflict escalation. Until Anonymous, or any other activist group, adopts that principle we’re stuck with a relatively chaotic group of actors that frequently negatively impact government, business, and society – often without even meeting their own goals. In this article, we will focus on a few of the group’s key areas for improvement, and detail why it is critical for them to change. As with many causes, it is inevitable that perceived unjust laws will eventually be broken to achieve a stated goal – a matter of ‘when’, not ‘if. A better and more impactful group would see this as a last resort – and then only when justified by its just first principles.

As it stands, the group Anonymous has demonstrated they are a force to be reckoned with, or least respected. Whether that respect is based on fear or admiration simply doesn’t matter right now, although respect should ultimately be earned. It is also clear that, for better or worse, the group is not going to disappear any time soon. While law enforcement and corporations struggle to come up with plans for dealing with them, Anonymous will continue on, evolving as needed.

One thing society cannot do is ignore the group. Ignoring their activity, even in mainstream or social media coverage, will not make them go away. Insulting or dismissing the group will only provoke some of them. Thus, the logical route is to not only talk about the group, but to do so in a constructive manner. This may be counterintuitive to some professionals, especially ones that maintain any positive attention is a “BAD THING®©™”. That thinking is archaic and dangerous.

Having discussions about making a perceived adversary better or more difficult to deal with may initially seem unreasonable. In reality, those discussions are equally beneficial to the persons that must deal with the adversary. Anticipatory and proactive thinking leads to creating defenses and solutions before problems become unmanageable. In this case, a discussion on improving Anonymous not only helps to prepare, but hopefully serves to influence Anonymous members to achieve their goals in a manner that creates less collateral damage. That is a win for all sides of the equation.

For Anonymous, this article should appeal to their rational self-interests. Improving their methodology and philosophy will help them improve their batting average, so to speak. Rather than ‘striking out’ so often in the eyes of the public, more operations and activities will appeal to more people and have more lasting effect. Operations that can be accomplished without breaking the law and/or with minimal collateral damage will help deflect/reduce law enforcement attention. Further, an improved group will help to quell infighting and potentially increase the quantity and quality of the recruiting base.

Finally, if the last paragraphs did not appeal to a rational side, let us warn the rest of you. This type of thinking is not new. Anonymous, and the next group similar to them, are always thinking of ways to improve. It is human nature, and it cannot be avoided. In short, this article and the rationale behind it is a reality, you must deal with it. If you’re still not sure you want a “better” Anonymous, would you prefer a worse one?

Collateral

One of the most damning weaknesses of Anonymous is the disparity between their intended targets and actual victims. When striking out at an entity that has wronged the public, it is critical that the attack affect them, and only them. This is probably the single biggest mistake Anonymous continues to make, and it increasingly hurts their cause and lessens public support each time it occurs. Rather than being supported for what they do, they are branded as criminals and terrorists, instead of the Robin Hoods many members see themselves as. Time after time, Anonymous ends up hurting the public as much or more than their intended target, when leaking user and customer data. While this shows a level of insecurity in their target, the end result is that the average citizen is hurt. For the user who just had their personal information leaked, that is what they will remember; not the purpose of the ‘Op’ or what the target did wrong.

Looking at recent news, the list of Anonymous activities that resulted in the disclosure of user / customer information is depressing. These include attacks against law enforcement that also disclosed citizen information in an amnesty program for outstanding municipal offense warrants, a protest against Bay Area Rapid Transport (BART) that also leaked MyBART.org customer data, dumping information of LABusinessConnect.com members, as well as posting the e-mail addresses and passwords of Writerspace members. These are not government employees, military soldiers, or law enforcement. These are regular people caught up in Anonymous’ war on anything that strikes their mood. Often times, Anonymous will compromise a site, view the data, and only afterwards come up with a justification for their actions (e.g., LABusinessConnect.com lead them to find information on an ‘adult staffing’ firm).

Moving forward, a better group must remove the collateral damage from their operations. If a site is compromised and (if) data must be leaked to prove a point, do it in a fashion that only hurts the intended target. For example, dump the technical information on the system and the first 50 user/customer records, but redact the information to protect them. Leak enough information for a journalist to be able to validate the operation, but not enough to make the users victim of identity theft or harassment. This will force the company or agency’s hand in improving security and force them to follow data breach laws, while still ultimately achieving your goal. Even this point assumes that such a breach is even necessary or the most impactful way to achieve your objectives.

OpSec: Social Media Cuts Both Ways

Social media is perhaps the most powerful weapon in Anonymous’ arsenal. It gives them access to millions of people for real-time updates on activity and propaganda. In some cases, social media is used to organize and coordinate operations. In almost every case, it is then used to disseminate information about the target and the reasons for the activity. Without these platforms, Anonymous would be completely at the mercy of journalists who dug for information and opted to write about them.

In the digital world, where anonymity is crucial to daily operation, social media platforms like Twitter, Facebook, or Tumblr are also a recipe for disaster. These “free” services operate because “If you are not paying for it, you’re not the customer; you’re the product being sold” (source). Aggregated data on social media users is a powerful tool in the hands of advertisers and law enforcement. For every Facebook post, for every Tweet, for every word choice or manner of typing… a better social profile can be built on those participating. These profiles are the first line of investigating who is behind an online identity. With the arrests of several alleged Anonymous members over the last year, and increasingly larger busts happening since, it is safe to say that many involved are not practicing good Operational Security (OpSec).

Good OpSec not only involves a wide variety of technical precautions like using proxies and public WiFi, but also involves being extremely careful in what details are included. Seemingly innocuous comments can quickly be turned against a person, especially when considered in the bigger picture. The time of day, mention of weather, connectivity, ISP outages, and other social remarks can be used in conjunction with image meta data, IP addresses, and software choices to narrow down suspects. Once a person is in custody, those same details can help confirm or eliminate them as a suspect. For Anonymous to keep going strong, they must better understand not only OpSec, but how law enforcement works, and what information is made available. As we recently saw, it only takes a single slip up in OpSec to lead to a bust, sometimes as innocuous as using a single image.

More important to established members maintaining their own operational security, is that they teach prospective members the same. For example, in 2010, Brian Mettenbrink was jailed for a year and ordered to pay $20,000 in compensation to the Church of Scientology for his part in Operation Chanology. Later, in the We Are Legion documentary, Mettenbrink explains how he naively downloaded a tool for denial of service attacks, put in an IP, and hit ‘attack’, as instructed by Anonymous. He was not told what the tool did, that he could be easily tracked, or that it had serious repercussions. He is one of many that some see as Anonymous’ cannon fodder. While some Anon members have tried to help newcomers (e.g., Op Newblood), it is too little and often too late.

Regardless of how good an operative is, they can still succumb to failed OpSec and other elements of social human behavior. The best operatives and groups have been busted or infiltrated, so the goal is to raise the bar for would-be adversaries. Anonymity may have benefits to those who wish to work outside of law, but/and maintaining said anonymity is hard (very hard) and comes with costs. Paying these costs is especially a shame when transgressions were either unnecessary or of lower impact than intended.

Open Model and Infiltration

The open model of Anonymous, based on loose collaboration, is a great strength. At the same time, it is also a potentially crippling weakness. Like most things, there are trade-offs. With no real bar for membership, anyone can approach the group through a variety of channels and claim to be a supporter. This creates a perfect avenue for infiltration due to the lack of vetting process. There are at least three distinct times this has been used against Anonymous, whether successful or not.

The most notable occurrence was that of Aaron Barr, ex-CEO of HBGary Federal, who told the media that he had analyzed Anonymous IRC channels along with social media to figure out some of the leaders. Barr began publicizing the information without revealing exact names, leading to an article in the Financial Times. The story of what happened after, and the downfall of Barr, has been well covered, but it reminds us that very basic infiltration led to the reconnaissance.

A second incident, not directly aimed at Anonymous but undoubtedly affecting some members, was Tom Ryan and Occupy Wall Street (OWS). Ryan joined a mail list created for the organization and coordination of OWS efforts. With that information, he received a considerable amount of details about protesters, leaders, and more. Ryan leaked those emails to blogger Andrew Breitbart, who subsequently used them in an attempt to brand OWS participants as anarchists. Email is notoriously insecure, both in transit and as a target for hackers to access. Operating a mail list where anyone can join is almost guaranteed to ensure the information is shared with others beyond the list.

The most recent incident led to suspected Anonymous members getting arrested. Police arrested 25 people across four countries in an Interpol coordinated bust of people alleged to have been involved in attacks against Colombian and Chilean web sites. Shortly after the arrests, members of Anonymous in Spain posted a blog saying that the busts were a result of being infiltrated. The blog said that due to “carelessness” and “[giving] personal details to spies and people who were not members”, the police were able to determine the identity of many members. According to Anonymous, those busted were also all members of an Anonymous site (anonworld.info) created for discussing activities. This does not even begin to address the threat of so-called “trusted” members, such as a de facto leader and spokesperson named Sabu, who became an FBI informant for a year after getting busted.

Contrary to the idea of Anonymous, one way to help avoid infiltration in the future is to have established and trusted relationships with other members. This should be organized in a decentralized manner where any one member does not know details beyond a few other members. All of this goes back to maintaining good OpSec in order to provide as much protection for those involved as possible. While many anons cherish the open and flat, low barrier to entry, these benefits come too with an upper bound of effectiveness and being prone to infiltration. This doesn’t even touch upon the imposters and false flags we mentioned in Part 4 – nor speak to outside players attempting to steer and manipulate the pack toward their own selfish ends.

Disinformation; Friend or Foe

The art of disinformation is versatile. It can tie into proper OpSec, in that providing intentionally misleading or incorrect information can help protect you. Peppering a Twitter feed with subtle, but purposefully crafted ‘facts’ about the poster can re-frame and begin to throw off social profilers. Co-opting unsuspecting people to wear the Guy Fawkes mask or replace their Twitter avatar with an Anonymous-themed image can add confusion by giving a wide range of additional targets your adversary must take interest in. Clever campaigns designed to give the illusion that your most outspoken critics are secret members of the group are just the start of how disinformation can become a weapon.

On the other hand, disinformation at the wrong time can completely undermine your efforts and call into question the small bits of integrity you rely on. For example, the recent publishing of over five million emails taken from Stratfor was immediately called into question when news of the Stratfor CEO resignation was quickly denied by the company. The leaked email claiming the CEO was resigning was likely disinformation, but the question is from whom? If it came from Anonymous, then they undermine their own credibility in what may be an attempt to force the CEO to resign. If it came from Stratfor, then this is a perfect example of how disinformation can be used against Anonymous.

In part 5, we discuss a new framework for Anonymous or subsequent groups. One of the core strengths of the proposed model is to help a group set forth a statement of principles, code of conduct and operational parameters. With these defined in advance, disinformation used against the group is more easily challenged and refuted. Combating False Flags may become one of the biggest issues Anonymous faces moving forward.

Ready – Fire – Aim!

The “hacktivist” phenomenon of ‘belated justification’ is not exclusive to Anonymous. For many years, a wide range of hackers have scoured the Internet looking for vulnerable systems. In many cases, they scan hundreds of thousands of systems looking for a handful of easily exploited vulnerabilities. As they find vulnerable systems, their personal agenda takes over. For some, they immediately look to see if there is a web server running in order to deface the web page. For others, they immediately look to see if there is a trove of sensitive information for personal gain or public disclosure.

Only after that do the hackers justify their actions. If it happens to be a government server, the justification of “anti-government” comes easy. In other cases, it may be a stretch, as a mom-and-pop business finds themselves victim to a “lesson in security”. These high-level explanations are examples of popular “go-to” justifications for criminal activity. Without vetted incident data it is hard to qualify how often this happens, but based on one author’s personal experience researching and communicating with hackers, this is certainly a prevalent theme over the last 12 years.

Anonymous must consider their targets, and then act. By calling out a company or government body in advance of an attack, it removes any doubt that attacks are ex post facto justified or lucky. If there is concern that such announcements may make subsequent attacks more difficult, there are a variety of methods to establish a target was called out in advance, without publication. Sending a letter to a journalist organization that does not typically cover Anonymous related news, or PGP signing a message with a shared key to establish a time/datestamp are both effective without tipping your hand. Over time, this practice has the added benefit of giving legitimacy to the group’s ability to selectively target and carry out threats of hacktivism. Such a history could conceivably be used to encourage a target organization to “change their evil ways”, in order to avoid an attack that they are sure will succeed.

“Mercy is for the Weak”

Cobra Kai – No Mercy (source mrftw photobucket)

It is not a requirement that anonymous rules with fear and a refusal to forgive. The package deal of these choices may ultimately prove to be self-defeating. Regardless, they clearly have been using fear. Unless Anonymous is falling victim to a case of rhetoric, then those that they oppose are the enemy. As our favorite 80′s bad guy teaches us, “an enemy deserves no mercy”. Anonymous has done a decent job keeping this credo, but it bears repeating. Many will think that disclosing customer records or defacing a web page sends a clear message, or that more prolonged ops definitively state their position. True, perhaps, but preliminary evidence suggests companies quickly recover from breaches, financially speaking. Other than a short term ‘win’ in the form of a media black eye, Anonymous needs to keep the pressure on to make their point. Pressure in this case, is still adhering to our previously stated “defined path of conflict escalation”, where it does not necessarily mean illegal activity. Lasting changing is more “campaign” than “op”, more strategy than tactic, and will by necessity require the group does “fewer things, better”. Such pressure can be achieved in at least two ways.

First, a given operation against a target should not be thought of with a defined start and end. If a corporation or government agency is doing ‘wrong’, you can be assured they are doing that same ‘wrong’ for the long haul. Taking a lump along with their time in the press will pass, and many entities already rely on this fact. Instead, just as the heat seems to die down, Anonymous could hit them again, but harder and longer. Winning a war means a decisive victory in the eyes of your enemy. Your enemy must know with certainty that you will be there to punish them day in and day out. Only then, will they consider changing their ‘evil’ ways.

Second, the fear of retaliation can be a strong weapon. Anonymous already has an ample history of retaliation, such as their attacks on Interpol, defacement of the Boston Police web site, and DDoS attacks related to the MegaUpload takedown. Anonymous can benefit from a better public presence regarding this history, along with the promise that more retaliation hacks will occur if organizations do ‘wrong’. Law enforcement won’t give Anonymous a pass, but they may eventually begin to choose their takedowns carefully, and reconsider the subsequent press frenzy that follows. Corporations that are prone to support ridiculous legislation may begin to reconsider their endorsement of controversial politics. Today, some pockets within Anonymous already enjoy this reputation in some industries.

Building in Reality

Along the lines of maintaining good OpSec, Anonymous needs to tap into one of their greatest strengths; numbers. A handful of members doing the heavy lifting with thousands of glorified cheerleaders isn’t an effective use of support. Strength comes from quality; not just quantity. Tapping into the idea of Operation NewBlood (an operation designed to train new members how to better secure/anonymize their activities), educating members on how to better help achieve goals is crucial. Rather than see the large number of prospective members as cannon fodder, help turn them into members that can contribute more effectively. This is a model successfully used for decades in hacking crews – where mentoring would both teach you your skills and your code of conduct. As one example, this idea could be leveraged to use hundreds or thousands of people to do remote reconnaissance of a company in such a way that any one person is not breaking a law. Using the combined results, operations can be planned better, attacks can be more precise, and the chance of collateral damage minimized.

Along with training Anonymous members in the ideas of hacktivism, the older members must look at their organization like any other. New users unfamiliar with technology are more likely to blindly install software without considering the risk to themselves, their systems, or their fellow members. In recent months, Anonymous members have been tricked into installing trojans on more than one occasion. The lack of authoritative information sources for the groups may protect some members, but open the door for a greater number of members to be targeted. These members risk punishment from third parties or law enforcement, and ultimately will end up disillusioned with Anonymous.

Trailing Thoughts

These are just examples of issues that Anonymous will grapple with and attempt to manage over time. Looking to improve the effectiveness of any group is a good thing, but mileage will vary by group, sub-group, and operation. If done correctly, the end result will leave the group with all of its strengths, and fewer weaknesses. Most importantly, such changes will do a lot to win the hearts and minds of the public, force targets to take the group more seriously, and ultimately affect more positive change.

Your turn… What would you do to make such a future group or offshoot more effective and consequential?

Stronger? (Artwork by Mar – sudux.com)

Copyright 2012 by Josh Corman and Brian Martin. Permission is granted to quote, reprint or redistribute provided the text is not altered, appropriate credit is given and a link to the original copy is included. Custom graphics courtesy of Mar - sudux.com.

Should you feel generous, please donate a couple of bucks on our behalf to any 501(c)(3) non-profit that benefits animals or computer security.

A contemplative Anon (Artwork by Mar - sudux.com)

Building a Better Anonymous – Philosophy

By Josh Corman & Brian Martin

2012

If you are new to this series, please begin with Part 0 and the index.

NOTE: We will post each installment here for the security industry to garner feedback for about one week prior to posting to Forbes.com and a more mainstream and business readership. Please comment toward improving/clarifying the content.

Acknowledgements

Today, Anonymous is both an identity / meme and a “group” / organizational construct (albeit amorphous and decentralized). The focus below is not to enhance or augment the identity / meme, but rather the latter. Adopting such enhancements will involve trade-offs – as everything does. The authors believe many of the current Anons (or would-be-anons) yearn for a larger impact, a better batting average, and to mitigate several complications inherent in the current approach (some of which were explored in Part 4).

When we define a “better anonymous” we realize that this may apply to as few as zero of its current participants. It is entirely possible that such an instantiation could emerge in ten years or with people currently unwilling to join the existing ranks. If it helps the reader, picture this “better Anonymous” under a different name, taking place five years from now, and sharing no members with current manifestations. While we do believe these refinements and enhancements can and would be of benefit to today’s manifestation(s) of Anonymous, this is immaterial to the following points.

Since no one “owns” Anonymous, and since its ranks are so diverse in ideology and motivational structures, it is best to judge the following ideas on their own merits – rather than expressing personal preference (positive or negative) for what the increasingly ill-fitting “they” would or wouldn’t like. Some of them will agree – some will be indifferent – and some will find these concepts detestable.

For these reasons (and others), we also expect the possibility of plural groups over time – with plural charters. Put another way, this installment may be less about building a replacement for Anonymous, but rather – “building better Anonymi” – especially where ideological and topical schisms reveal themselves.

Laying a New Foundation

In Leviathan, the philosopher Thomas Hobbes described the state of nature as a state of war. Paraphrasing slightly:

The state of nature is a state of war… “and the life of man, solitary, poor, nasty, brutish, and short”.

In contrast, John Locke considered the state of nature to be a state of inconvenience and inefficiency. Where they agreed is that out of rational selfish-interest, people must form social contracts to escape the limits of the state of nature.

To date, Anonymous has enjoyed its more chaotic lack of structure, openness, low barrier to entry, and other features. The downside of this has been an upper bounds of effectiveness, a lower batting average, a muddied focus, “brand damage”, arrests – and even catalyzing escalation with law enforcement, legislators, and other forces of “control”. As we’ve said, if not careful, Anonymous could help cause the very things they fear/oppose.

The authors believe that the current state is either untenable or of limited impact in the long run. To this we offer the following “three steps” as a straw man of “organized chaos” for consideration and dialectic, or debate. We argue that such an approach would, on the whole, improve the impact and mitigate several current challenges.

1. Statement of belief, values, objectives, and first principles – i.e. WHY you have come together
2. Code of conduct and operational parameters – i.e. HOW you conduct your pursuit of your common goals
3. A plan for streamlining success, increasing potency, and mitigating risks – i.e. WHAT will make you more successful

We will outline these three below for those who see themselves as “Chaotic Good” – as a sample use case. We will then directly link how such a system would mitigate several of today’s Anonymous challenges identified in Part 4.

#1: Statement of beliefs, values, objectives, and first principles (WHY)

To repeat, a mentor once told me:

“If you believe something, you should write it down. The more important the belief, the more critical it is that you are precise and clear in its articulation.”

Core to any meaningful group or endeavor is your purpose. Why have you come together? What are your beliefs? What are your values? What do you hope to change? What are your essential “first principles”?

For Martin Luther, it was nailing his 95 Theses to the Castle Church – sparking the Protestant Reformation to separate from what he saw as an increasingly corrupt Catholic Church. For Martin Luther King, Jr., this was the vision expressed in “I have a dream“.

It is a common purpose that binds movements together. Ad hoc bonds can be weaker bonds, but bonds formed in shared values and shared beliefs are not as easily broken. Commitment to shared purpose and objectives can serve to strengthen the resolve, staying power, and impact of those involved.

Historically, Anonymous has been ambiguous about what it stands for. Sure, there have been some more dominant themes but… too many of them. This has lead to a sort of stimulus diffusion in which ideas have been passed between people, but without the blueprint or foundation. Such diffusion can lead to an idea being refined and improved upon, or misunderstood and re-built as a hideous form of the original.

When everything is important, nothing is. Zen wisdom tells us, “He who chases two rabbits catches neither”. To reach critical mass, perhaps Anonymous needs a period of “valuable ambiguity”. To overcome its current limitations, smaller splinters may need to rally around fewer objectives, better. These splinters may not be instead of the “general population” of Anonymous, but for greater impact with less collateral damage and backlash; it may prove to be a logical necessity. For some, this personal recognition has already come. Such splinter groups may also serve another purpose; by focusing on more specific goals, the personal desires and reasons for involvement of each member are more likely to be met.

Here are some lines that a “Chaotic Good” group who cared about free speech and anti-censorship might hold:

• We believe in free speech for all.
• We reject attempts to control or limit free speech online.
• We aim to be a watchdog for the citizens of the net; to identify, expose, and rally resistance to legislation and special interests, which threaten these rights.
• We believe free speech applies to everyone – especially when we do not agree with it.
• When governments take access from their people, we will help to re-supply them with alternative access and vehicles to these basic rights.

Benefits of writing down why your group exists are numerous. First, you will attract more like-valued, and potentially more talented members. These beliefs will be the foundation of any brand to the rest of the world. It will give the group focus in the short term, and as time moves on it will give you the backbone to resist mission drift and spreading yourselves too thin. It is also your primary defense against the brand damage of False Flag operations done in your name. Further, such segmentation can insulate the group from any harm done by less aligned (and maybe less noble) members of the currently shared melting pot, general population of “Anonymous”.

When choosing your foundational beliefs and values, choose wisely.

#2: Code of conduct and operational parameters (HOW)

A “code” is not new to groups. For example, there is the bushido code way of samurai, honor among thieves, the pirate code (more what you’d call “guidelines” than actual rules)… and countless others that dominate both history and popular culture.

The hitman/cleaner in “Léon: The Professional” had a rule; “No women. No kids.”

In Fight Club: “The 1st rule of Fight Club is, do not talk about Fight Club”.

In The Transporter, “Rule #3: Never open the package.”

A code of conduct and explicit statement of operational parameters has benefits. Building upon the prior foundation of your statement of beliefs, your defined “how” will both attract like valued participants – and repel the opposite. Such statements will help to win the court of public opinion, both in establishing your “brand” and in defending it from pretenders and False Flags. Infiltrators would be more constrained to these narrower methods and False Flags would look anomalous in contrast.

A “code of conduct” actually has precedent within Anonymous. In fact, this may have been the origin of donning the Guy Fawkes mask. During the Project Chanology planning to take to the streets against the Church of Scientology, a video was posted outlining the code of conduct. Rule #17 was to cover your face to protect your identity. It just so happened that the visage from V for Vendetta was available and “top of mind”. Here are some lines that a “Chaotic Good” group who cared about free speech and anti-censorship might hold:

• In all actions, we must take great care to prevent collateral damage – or to hurt innocents.
• In our pursuit to promote free speech, it is critical that we do not impinge upon the free speech of others – even when we disagree with them.
• We will conduct our operations within the bounds of the law, leveraging FOIA and open source information.
• Much like Rosa Parks did as a last resort, and in rare cases, where transgression is required and righteous, it must be supported by our statement of beliefs and part of a pre-defined path of escalation.
• We will NEVER {INSERT SCENARIO HERE}.

For readers that have played MMORPGs such as World of Warcraft, you may recall the frequent statement from Blizzard Entertainment; “No Blizzard employee will EVER ask you for your password.” Note the utility of such an explicit, absolute statement. By making it, gamers can immediately spot imposters. Therefore, such statements can serve to mitigate some of the risk of False Flag operations and unsanctioned, brand damaging attacks done “in the name” of the more principled group.

One of the first examples of defining a code of conduct in “Hacktivism” activities can be found in a paper presented to Yale Law School by 0xblood Ruffin of the Cult of the Dead Cow (cDc) entitled “Hacktivism, From Here to There“; in which he states:

I began to formulate some hard and fast rules for hacktivist tactics. First, no Web defacements. If groups or individuals are lawfully entitled to publish content on the Web, any violation of their right to distribute information is an abridgement of their First Amendment [freedom of expression] rights. The same goes for Denial of Service (DoS) attacks.

While groups like the Electronic Disturbance Theatre (EDT) disagree about DoS, they simply wouldn’t join 0xblood or Hacktivismo due to a difference in ideology. Maintaining a code and mission statement may be, at times, prohibitive to gaining wide support, but honesty and integrity are important, even to an organization who must resort to criminal acts to achieve their goals at times.

#3: A plan for streamlining success, increasing potency, and mitigating risks (WHAT)

What will be the difference makers and secrets to greater impact? Here we will consider a few. For example, it is often smarter to do fewer things, better. Will your actions make you look like a BadAss or a DumbAss? How you are viewed in the court of public opinion can be a major success factor. Knowing what your want and stand for is critical, but remember: A goal without a plan is called a wish.

Less is More

As we’ve suggested, it is ideal to do fewer things better. Would you rather have a superficial impact on ten fronts, or a meaningful impact on one front? The very things that “need fixing” are almost by definition “non-trivial”. If something is worth doing, it is worth doing well. If there are more ills to right, this simply may require more teams. Focusing on fewer fronts also allows more time and attention to be spent on each front. This would benefit operations that publish or leak information for example; rather than dumping gigabytes of information, time could be spent to pull out key pieces of interest.

Unlocking Your Inner BadAss

Another important factor is your potency and prowess. What’s more impressive to onlookers and adversaries, a fool shooting wildly – missing all targets? Or a sniper who makes every single bullet count; “One Shot. One Kill”. When a swordsman first takes up his blade, they may flail wildly and wastefully, but a master is more deliberate and deadly – with each stroke delivering the full impact of its intention. The true master may seldom need to draw his sword. While 2011 saw many Anonymous operations, there were several misses and/or mis-steps. Imagine instead a more potent group who seldom (if ever) misses and rejects more ops, for a better op – one that hits its targets without collateral damage. A pyro-maniac will torch everything – a pyro-technician will design and execute a targeted and effective “controlled burn“. An amateur will amputate, but the skilled surgeon will remove the tumor with precision.

Measure Twice, Cut Once

Toward that end, a more potent group would do more strategizing and prep-work. When you’re taught carpentry or wood-working, most of us are equipped with the wisdom of “measure twice, cut once”. Preparation helps to avoid mistakes. Fewer mistakes conserves limited resources and helps to promote / preserve a more BadAss image to your supporters and adversaries. During the StratFor hacks in December of 2011, many criticized the “steal $1 million to give to charities” aspect of the operation – as disingenuous or naïve. Those charities did not get to keep the money, nor was that ever a possibility. Such visible/perceived mis-steps only hurt the groups brand in the court of public opinion – and are avoidable with better planning on fewer operations. For other operations, why risk arrest and incarceration to steal information that was readily obtained through a FOIA request?

Finger on the Pulse

Finally, the “court of public opinion” matters. In studying the myriad of Anonymous and LulzSec operations throughout 2011, one could watch a volatile ascension and decline of support for Anonymous depending upon how noble (or ignoble) an operation was. The good will formed from lawful enablement of Occupy Wall Street could be undone by an unnecessary or overly aggressive illegal operation from different ranks in the same week. One could almost plot public support like a stock ticker – or a presidential/job approval rating. While some may “not care”, the savvy will not only pay close attention to the “pH level” or “barometer” of public opinion, but will also seek to assure their brand and accuracy of media coverage and narrative are an asset (versus a liability). Further, gauging public perception allows you to respond, make adjustments, and improve future ops.

This is not to say popular opinion should rule the day. In our Defcon 19 Q&A after the panel, it was revealed to us that the press failed to understand or cover the more restrained / responsible hacks. Rather than investing the time to better explain their motives and decisions, Anonymous instead opted for louder and noisier ones, which a sensationalist press responded to. The sad, yet accurate, catch phrase of modern media holds; “If it bleeds, it leads”. Knowing this is the case, investment in getting the public perception and media involvement more “on point” will be a key factor in a group’s ultimate success. Perception is reality.

Conclusion and Validation

Building a better Anonymous must be done from the ground up, with a solid foundation to set the direction and tone of the group. Perhaps the best way to validate this idea and such a foundation is to consider it in the context of Part 4: Failing in Practice (aka Pyrrhic Practices). All four failures we outline would have benefited substantially had their been a well-defined foundation. The case of doing “more wrong than right” during opBART could have been avoided had Anonymous stuck to principles and followed a code of conduct. OpDarknet, which saw a single chaotic actor hurt the operation and brand, could have been easily disavowed as not following a published code of conduct. Texas Takedown Thursday could have enjoyed great success, albeit slower, through a series of legal FOIA requests and strategic leaks of information if hacking was deemed necessary. OpSatiagraha would have been streamlined and a more potent operation if only the significant emails were released and highlighted. Another benefit to all of this is that there is less time wasted creating public announcements taking credit for, or denying, operations. They will be much more evident from their actions.

Coincidentally, as we worked on this article, news broke about a new splinter group of Anonymous, called “Malicious Security” (MalSec). This news came with the group releasing a video that introduced the group and outlined their objectives. MalSec firmly states they believe in free speech, and stresses that any defacement would add text to a web site, but they would not delete content, to support this idea. Many may disagree with their activity of breaking into web servers, but in setting this foundation for the group, they are in a position to maintain their principles while disavowing anyone that attempts to tarnish their brand. This is basically the same thing that happened with LulzSec; they weren’t happy with Anonymous, split off for 50 days, formed a new charter, and operated under it.

We expect the above to be debated and discussed, but we also believe something along these lines will come as a logical necessity. If you could make a better Anonymous, an ominous anonymous perhaps, what would you build?

Copyright 2012 by Josh Corman and Brian Martin. Permission is granted to quote, reprint or redistribute provided the text is not altered, appropriate credit is given and a link to the original copy is included. Custom graphics courtesy of Mar - sudux.com.

Should you feel generous, please donate a couple of bucks on our behalf to any 501(c)(3) non-profit that benefits animals or computer security.

fffuuu_failed - (Artwork by Mar - sudux.com)

Part 4: How Anonymous Has Failed in Theory & Practice

By Josh Corman & Brian Martin

2012

If you are new to this series, please begin with Part 0 and the index.

NOTE: We will post each installment here for the security industry to garner feedback for about one week prior to posting to Forbes.com and a more mainstream and business readership. Please comment toward improving/clarifying the content.

While this post in the series gets more critical than prior ones, the post to follow (Part 5) serves as its companion on potential ideas for mitigating some of the issues identified below. We expect (and hope for) comments and discussion on the content below – and expect much of it will be addressed further in Part 5.  Also note that this post was written prior to the arrests of alleged LulzSec members earlier this week. We will not dive into the details or recent press coverage in this installment. While some of the content below is relevant to these developments, it was written independent of them and with a bigger picture in mind.

Before addressing how Anonymous has “failed in theory”, it must be stressed that Anonymous is not an organization known for its internal consistency. There is no charter that lays out their theories and goals, so we must make our best guesses as to their nature. Their lack of stated beliefs is dual-edged and (in fact) one of their weaknesses and stumbling blocks – but we will explore this more in Part 5.

Failed in Theory: An Unmanageable Brand

Anonymous is not a simple group. It is more a group of groups. It is a brand or franchise which can be used or abused by anyone – and has been. The uncoordinated actions of one pocket can dilute, confuse, and/or adversely impact the overall brand and public opinion of Anonymous. These impacts can come by accident, but also via deliberate actions of imposters of various types. Since the court of public opinion is a major factor for the brand long term, this will increasingly be problematic.

Failed in Theory: Imposters are Legion

Since anyone can claim to be Anonymous, many imposters will. One CISO in the DC area claimed, “Anonymous is God’s gift to the Chinese” – asserting that the phenomenon allowed for easy scapegoating and “False Flag” operations which masked and served as distraction to straight up espionage. Other imposters from organized crime, law enforcement, and foreign agencies have been suspected and spotted as well. Beyond doing operations “in the name of” Anonymous, infiltration into their operations is also something that regular participants will have to expect as reality. The inability to trust others you are collaborating with is exhausting and eventually untenable for the average human. This state of war/inconvenience is why rationally self-interested people tend to form social contracts like those described by Hobbes and Locke respectively.

Failed in Theory: Unclear/Inconsistent Ideology

A mentor once told me:

“If you believe something, you should write it down. The more important the belief, the more critical it is that you are precise and clear in its articulation.”

To this we add:

“At some point, if you can’t state your principles, you may not have any.”

While some semi-consistent themes emerge, so do diametrically opposed actions. As time progresses, we sense that one reason no formal principles, code of conduct, or statements of belief have surfaced could be from fear that they know they will not all agree. Such tactical ambiguity may be beneficial in the short run, but can also come at the cost of greater impact and effectiveness. Can anyone state their top 3 beliefs? If we asked five members of Anonymous, would we get the same list? Maybe it is time to render these more explicit.

Failed in Theory: V’s Ideas Do Not Bleed… (but see above)

Anonymous’ iconography of Guy Fawkes draws immediate comparisons to the movie ‘V for Vendetta’. At the start of the movie, Evey (played by Natalie Portman), does a voice over:

Remember, remember, the Fifth of November, the Gunpowder Treason and Plot. I know of no reason why the Gunpowder Treason should ever be forgot… But what of the man? I know his name was Guy Fawkes and I know, in 1605, he attempted to blow up the Houses of Parliament. But who was he really? What was he like? We are told to remember the idea, not the man, because a man can fail. He can be caught, he can be killed and forgotten, but 400 years later, an idea can still change the world. I’ve witnessed first hand the power of ideas, I’ve seen people kill in the name of them, and die defending them… but you cannot kiss an idea, cannot touch it, or hold it… ideas do not bleed, they do not feel pain, they do not love…

While Anonymous does not directly quote this, many commentators and some who affiliate with the group will frequently use phrasing from it. There is a certain amount of romance in the notion that “ideas do not bleed”, and that Anonymous’ ideas and goals are like that. The decentralized group centered around common goals with a commonly accepted icon, the Guy Fawkes mask, further reinforces this kinship with ‘V for Vendetta’. However, there is a stark difference between the historical Fawkes or ‘V’, and Anonymous. Anonymous does not have one goal, nor do they have a list of goals clearly defined. While the group may embrace the notion that “ideas do not bleed”, the scattered and diverse membership and objectives will unfortunately lend to movements that are quickly lost in the noise, and to history.

The group’s own diversity and wildly varying causes will likely be the most significant contributor to their own ideas bleeding away, and eventually dying. As time passes, Anonymous will take on an increasing number of operations (ops). Some of their ops will resonate with larger numbers of the public, and some ops will remain mostly in the dark, rarely spoken about. The success of a high profile operation that appears to be a major win for Anonymous, may also be the same thing that effectively kills a half dozen smaller goals; some of which never left the planning stage as the group’s momentum carried them along the path of the higher profile op.

Failed in Theory: Winning the Battle, Not the War

As a group, or as individuals, Anonymous lacks long term vision. Only being able to focus on the here and now may be a side effect of the group’s nature, with members coming and going while limited resources are put entirely into the operation of the moment. Fighting one battle at a time, and not necessarily the most strategically sound battle, is not a recipe for winning a war. Small groups picking their battles is akin to guerrilla warfare. While problematic to an enemy with superior numbers and resources, such a tactic can be time consuming and very taxing on the smaller force. Without an end goal, without a defined way to ‘win the war’, Anonymous is left with a never-ending string of diverse battles and very few veterans to lead the troops. Big corporation (e.g., Visa), big money (e.g., Bank of America), and big religion (e.g., Scientology) have superior resources and deal with swings in performance and income as a matter of business. In short, they are used to the end result of an Anonymous operation. Some of these entities likely have a section of their disaster recovery policy that deals with protests. Even big crime (e.g., Zeta Cartel) will not be affected by a group such as Anonymous. After years of fighting a multi-million dollar war against law enforcement, they are well prepared for such an adversary.

The second problem Anonymous faces is that of commitment. While many core members of Anonymous are dedicated to the cause, a significant percentage of the group is made up of people that see themselves as casually involved. When your force is only half in the fight, your enemy has a significant advantage. The organizations that Anonymous fights are dedicated to their business, their bottom line. Showing up for a few hours on a weekend at a protest is great, but doesn’t send a message of being committed to the fight. This may give rise to hope in your opponent who sees waiting as a viable tactic. If your enemy is going to pack up and go home after weeks or months, you can focus on outlasting them, not beating them swiftly and surely.

The third issue we see, is that Anonymous sends mixed messages without realizing it. This is certainly a minor point, but most assuredly undercuts the message being delivered. For example, Anonymous has some level of involvement in the Occupy Wall Street (#OWS) movement. Activists in this fight write messages, communicate, and deliver manifestos complaining that corporations “have sold our privacy as a commodity”. They do this by delivering the message on Twitter and Facebook, two huge corporations that have undermined privacy in the most sinister of ways. Further, Anonymous has adopted the Guy Fawkes mask as one of their icons and wear the mask at protests and events. In doing so, they seem to forget that the rights to the image of Guy Fawkes is owned by Time Warner, parent company of Warner Brothers. Every time an Anonymous member buys a Fawkes mask, they contribute a tiny sum of money to a big corporation.

While minor, these points are not lost on the media and the companies they are fighting. Though Anonymous’ actions may go a long way to win the hearts and minds of some, the group also feeds their enemy by giving them weapons that can be used to undermine the group’s message.

Failed in Theory: Brand Management Examples

As we have mentioned several times, Anonymous is a nebulous group with no central leadership and no member roster. This is both a strength and weakness of the model. In the spirit of “building a better Anonymous”, we will focus on the weaknesses first, as they must be understood before they can be improved on.

With no list of members or official method for joining, any random person with a computer, Guy Fawkes mask, or fleeting desire can claim membership. This allows a single chaotic actor to commit an action that goes against Anonymous’ stated goals yet still claim to be part of the group. This in turn forces the group to issue a formal denial or denounce the actions of a person that is not part of the group, further reminding the world that their group makeup is questionable at best. If a rogue actor leaks a particularly sensitive database under Anonymous’ name, they have the ability to seriously hurt the public opinion of Anonymous. While the group may dismiss this, carrying public favor is an incredibly valuable tool in fighting perceived evil.

To counter this problem, Anonymous must figure out a channel for declaring projects, public action, or protests. The group already does this in many cases, but not consistently. If a goal or action is announced, even if it is not carried out, it helps confirm the legitimacy should an act be carried out. In the case of LulzSec, a splinter group of Anonymous, they maintained a Twitter feed that acted as their official channel to announce or deny involvement in activity. Falling back on “Did we Tweet it? No? Then not us!” became a simple and reliable method for journalists and bloggers to determine their involvement, should they be bothered to fact check.

In our previous article, Fact vs. Fiction we highlighted a recent example that clearly illustrates the weakness in an open model. The recent attack on Stratfor by Anonymous, as credited on the defaced Statfor web page quickly gave way to an “Emergency Christmas Anonymous Press Release” in which Anonymous claimed they were not responsible. Not even a day later, another release appeared once again taking credit as Anonymous. This will continue to be a problem for Anonymous in the future, and likely be used as a method to undermine the Anonymous brand.

To date, it appears that a handful of independent would-be do-gooders have been the only ones to undermine Anonymous in such a fashion. Anonymous simply isn’t prepared to deal with an adversary that uses this against the group intentionally, especially in bigger and more public ways.

First Rule of Anonymous; Stay anonymous

The second rule of Anonymous; stay anonymous. This amusing reference to Fight Club may seem a joke of sorts, but in reality it is an object lesson in how Anonymous is failing. Our preliminary count at the time of this posting shows the number of arrests or “busted” (search/seizure) is around 175 – including the 25 interpol arrests last week and the LulzSec arrests this week. The fundamental purpose of anonymity and presenting a uniform singular image is to strip away personal identity when committing an act of disobedience. Violating anonymity, whether it is at the hands of an Anonymous member, or through the diligent work of law enforcement, gives their enemy a win. Lapses in operational security (OpSec) are not just a matter of “leaking an IP address or name”, it may have a more serious impact such as being arrested or facing retaliation from a rival entity.

Some members of Anonymous dismiss these busts as inconsequential, stating “they weren’t really a member”. In some cases, when a high profile pseudonym is busted (e.g., Topiary), there are replies from the group saying “that wasn’t the real Topiary”. Such claims may be the truth, or disinformation. Eventually, claims that the police “got the wrong guy” become disingenuous as they simply can’t be wrong all the time. Either way, Anonymous appears to miss the more important point; each bust, no matter if legitimate, works against the group in several ways.

First and perhaps most importantly, every time law enforcement (LE) busts a member of Anonymous, public perception is swayed. The bust is always covered in the media, and the resulting press tells the public that law enforcement won a victory that day. This is LE’s attempt to win the ‘hearts and minds’ in the never-ending battle for public opinion. Second, if LE continually busts members, it may severely impact Anonymous’ recruiting efforts. Potential members or contributors that see a long string of arrests may reconsider becoming involved. Third, statistics are on LE’s side. For each person busted, there is a chance that they may seek a more lenient sentence and do so by turning state’s evidence. Even worse, they may become an informant who helps to infiltrate the group and report subsequent activity to law enforcement. NOTE: Much of this seems to have transitioned from theory to practice as of this week’s LulzSec / FBI activity.

Failing in Practice (aka Pyrrhic Practices)

This criticism of the theory behind Anonymous is not simply academic. The failure in theory has led to failures in action, as illustrated in the following examples. Note that as is often the case, the public does not have all the details of a given incident. We can only make these observations based on what we know.

OpBART – More Wrong than Right

In August, 2011, there was a flurry of news regarding Anonymous protesting the Bay Area Rapid Transport (BART) administration. This lead to a wide variety of drama as BART jammed cellular telephone signals at some of the stations, leading to cries of censorship and concerns for safety (e.g., inability to dial 9-1-1). Anonymous called for several types of attacks as well as defaced the mybart.org site as well as leak user data from the site. There are several issues with this operation that question if Anonymous is really helping and/or getting their message out there.

First, there is relatively little coverage of why the protests were originally called for. More mainstream media such as the Tech Herald wrote one piece on opBART, but did not cover the history. Non-mainstream sites like KnowYourMeme are about the only ones who give a concise and clear explanation of what prompted the protest (the shooting of a homeless man by two BART officers months earlier). Listening to Anonymous’ own two videos don’t give background. The leaking of mybart.org user emails, passwords, addresses, and phone numbers certainly doesn’t punish BART, rather it punishes their customers; the average citizens Anonymous claims to fight for. Between the lost message and collateral damage, Anonymous seams to undermine the overall message.

OpDarknet – A Question of Ethics

In what appeared to be a significant win for Anonymous, news broke about the group shutting down part of ‘Darknet’, a shadowy technical network dedicated to sharing child pornography among other things. This event, announced via pastebin, certainly garnered more attention, reaching the mainstream including CNN and Fox News. With child pornography, it is seemingly the universal immoral act that everyone is against. After Anonymous took out ‘Lolita City’ and ‘Hard Candy’, two sites dedicated to child pornography, a third site was compromised and declared to have the same material. In reality, OpDarknet called Anonymous’ own ethics into question as much as their victims.

Shortly after the news broke, a blogger named ‘Justice Duck’ wrote a piece that presents compelling evidence that the third site brought down by Anonymous was not actually a child pornography site at all. Based on the blogger’s research, it appears that the only person who likely had virtual child porn was a member of Anonymous. In addition, with the release of the densetsu.com site’s user list, Anonymous advocated the harrassment of what appear to be legitimate users (including many females) that are likely innocent of any allegations related to such pornography. The site’s members that signed up because of their interest in Hentai were in turn branded ‘child porn traders’ and paedophiles. While some may argue that Hentai is ‘virtual child porngraphy’, remember that law enforcement and retailers disagree.

There are enough bad actors committing heinous crimes out there, that Anonymous should never have to resort to the same criminal and unethical behavior as their targets do. Further, vigilante takedowns may complicate/undermine justice. If systems were compromised, is any evidence against true criminals contaminated and therefore inadmissible? What is to stop the attackers from planting false accounts to smear enemies? Given this subject matter, suspects are especially “guilty until forever” in the court of public opinion.

Texas Takedown Thursday (#ttt) – Crime vs. Bureaucracy

Anonymous has been in a half-year war against law enforcement, targeting their systems and releasing sensitive data. In an operation titled Texas Takedown Thursday, Anonymous released extensive emails and details from TexasPoliceChiefs.org. Some of the emails released exposed a variety of problems within law enforcement including abuse of government resources, racist and sexist messages, and pornography. Such an exposure is likely good for the citizens who pay the salary of law enforcement via tax dollars. On the other hand, criminal trespass into a computer system to leak the emails may not be as effective as other legitimate avenues.

In a Star-Telegram article about the incident, Saginaw Police Chief Roger Macon made the observation that “[Anonymous] could have had … a whole lot more [e-mails] just by sending a public information request.” Some of the emails leaked that were marked ‘Law Enforcement Sensitive’ may not be covered under such requests, but a surprising amount of information is available from all levels of government offices if you know how to ask correctly. After figuring out the procedures which vary on a nearly per-office basis, it becomes pretty straight forward.

If Anonymous is truly intent on opening government records, a coordinated series of Freedom Of Information Act (FOIA) requests would be interesting and potentially compelling. To date, Anonymous does not appear to have considered this route, instead relying on computer intrusion to obtain documents. A completely separate, but more relevant issue to the law enforcement leaks, is that Anonymous is leaking data that puts police officers and their informants at risk. You may not agree with some police activity, but to put them at increased risk of violence or attack does not help anyone, especially the citizens they are supposed to protect. It also damages the Anonymous brand in the court of public opinion. This is not because breaking any law will be judged. Rather what may be judged is breaking laws unnecessarily or breaking “unjust” laws without the aforementioned, articulated ideology to support the “unjust” claim.

OpSatiagraha – Separating the Wheat from the Chaff

The last year has seen Anonymous leak a considerable amount of data from the victims of their hacking. The leaking of user databases and thousands of emails is becoming a routine part of their hacktivism methodology. The downside to such data dumps, is that the amount of information is overwhelming to a majority of would-be readers. As Scot Terban writes, the material is often interesting, but “it’s certainly not earth shattering.” Hundreds of megs (or gigs) of data with no context or analysis, puts the burden on journalists to scour the information looking for the juicy bits. Anonymous will go so far as to imply a conspiracy or overstate the scope of the data being released, only to leave readers underwhelmed when the data is finally made public.

When faced with thousands of routine email correspondences, finding the handful of gems becomes the more valuable service. This is something that Wikileaks has had to contend with over the years. Rather than rely on journalists or hope that a member of Anonymous will pick out the material of interest, Anonymous needs to focus on analysis as much as providing the data dumps. For all we know, they could have leaked earth-shattering information a year ago, and it was simply lost in the noise. Without methodical analysis of each data dump, we may never know.

While these failures in theory and in practice are not exhaustive, we now have a basis for discussing some ways one could “build a better Anonymous” in Part 5 of this series.

Which failures, weaknesses, or challenges would you add? Please comment below.

Copyright 2011-2012 by Josh Corman and Brian Martin. Permission is granted to quote, reprint or redistribute provided the text is not altered, appropriate credit is given and a link to the original copy is included. Custom graphic courtesy of Mar – sudux.com.

Should you feel generous, please donate a couple of bucks on our behalf to any 501(c)(3) non-profit that benefits animals or computer security.

RSA 2012

RSA 2012 is close upon us (Feb 27th – Mar 2nd) – for better or worse.

Love it or hate it, RSA is the single largest security conference of the year – and if the security industry has a rhythm and a cadence, then it is the RSA Conference sets it.

Though I sometimes quip that:

RSA is mandatory punishment

or

Every year at RSA I want to quit security

…there is no denying the importance of the event on framing the upcoming year’s buzz words, topics, trends, etc.

Below are:

• a few quick thoughts on how to make the most of the conference week
• a few topics/times I’ll be speaking in case you’d like to catch me

People Value:

The best parts of the RSA conference aren’t the actual conference. Be sure you embrace the Hallway-Con, the Bar-Con, the Lobby-Con, and nearby eateries… People are what drive the progress of our industry more than any vendor or sponsored keynote. We are blessed with some very creative minds and dynamic personalities. Network as ferociously as you can. My best collaborators have been born from happenstance chats in some hallway or lobby.

Non-RSA Venue:

Some of the best talks and debates are at adjacent events to RSA. BSides and BSidesSF has become a force (despite its growing pains). I get a ton of value out of the AGC Security Conference (America’s Growth Capital) which brings great content to a high octane audience of the investment community, the founders of innovative start-ups, and potential acquirers. Mini-MetriCon 6.5 continues to push the rock up the hill to drive us from faith based security to evidence based models. There are a myriad of other events and working groups which converge that week. While many are closed or filled up by now, do some digging – as they are well worth it.

The Exhibit Floor:

While the exhibit floor is a bit of a Bizarre Bazaar (Hat Tip to Neil Gaiman), you must try to walk the floor. Embrace the horror. Treat it as a Tour de Force of what matters and what doesn’t. Of who is a source of SIGNAL and who is a source of NOISE. In fact, develop a justified, righteous indignation against hyperbole, FUD, and vendor B.S. Vendors do this because they can, because we let them, and because there are seldom consequences for doing so. Provide the feedback loop that alters that equation for them.

Last year I walked the floor with Paul Roberts and we gave this a try. We knew just about ever vendor, who had the goods, who was full of [insert your favorite here], etc. We saw maybe a dozen vendors making credible claims about emerging security challenges and offering valuable products/services in response. We asked each vendor who was thumping APT to define it – with nearly none of them even close to real substance. Asking for specifics will quickly reveal the snake-oil from the substance. We even quipped a safe rule of thumb (at least last year):

The frequency of the phrase “APT” by a vendor is inversely proportional to their actual expertise or comprehension of it

Put the vendors to the test. Ask for specifics. Maybe take some dramamine 1st.

My Speaking Slots:

Monday, February 27, 12:30 PM – RSA - Room 302

PROF-001 – Stress and Burnout in the Information Security Community

Jack Daniel, Stacy Thayer,  Gal Shpantzer, Martin McKeay, Joshua Corman (and @kcyerrid shhh!)

We’ve done real survey work with proven non-security-models and this is an important topic. We did a less formal version at BSidesLV 2011 with great feedback, validating the need for this.

Monday, February 27, 3:00 PM - AGC’s Security Conference - Main Stage at Westin Market St

PM Keynote: Apocalypse Now: Adapting to Espionage and Chaotic Actors

Joshua Corman

I’m excited to confront the VC and Investment community to actually rise to substantive changes in the space – versus repackaging old “kit” into the latest compliance or FUD buzzwords. This industry used to innovate, and it is time to again. What’s really cool about this, is my keynote is followed by two child panels: one on adapting to Espionage developments – one on implications of Chaotic Actors. With the money and the innovators in the room, confronting these topics, perhaps we can catalyze some action.

Tuesday, February 28, 1:10 PM – RSA - Room 305

CLD-106 – Security is Dead. Long Live Rugged DevOps: IT at Ludicrous Speed

Gene Kim & Joshua Corman

Gene and I have been collaborating for a little over a year and a half on this topic. I’m most excited about this one. **BONUS POINTS if you can name the movie reference in the title

Here is a short podcast teaser we did with RSA

Wednesday, February 29, 9:30 AM – RSA - Room 309

GRC-202 – Adversary ROI: Why Spend $40B Developing It, When You Can Steal It for $1M?

Joshua Corman & David Etue

David and I have been working this idea for several years. After last year’s pantheon of adversaries and pervasive failures became clearer, more practitioners may be ready for this concept. HDMoore’s Law will be discussed.

Here is a short podcast teaser we did with RSA

If you need/want to reach me while there, hit me on twitter: @joshcorman

RSA is what you make of it…

• What are you expecting?
• What are you dreading?
• Which people/talks are you eager to see?

]]> http://blog.cognitivedissidents.com/2012/02/15/rsa-2012-preamble/feed/ 3 joshcorman RSA 2012 http://blog.cognitivedissidents.com/2012/02/13/building-a-better-anonymous-series-part-3/ http://blog.cognitivedissidents.com/2012/02/13/building-a-better-anonymous-series-part-3/#comments Tue, 14 Feb 2012 00:37:21 +0000 joshcorman http://blog.cognitivedissidents.com/?p=231 ]]>

Anonymous Good and Evil (Artwork by Mar - sudux.com)

Part 3: How We All Got it All Wrong

By Josh Corman & Brian Martin

2011

If you are new to this series, please begin with Part 0 and the index.

NOTE: We will post each installment here for the security industry to garner feedback for about one week prior to posting to Forbes.com and a more mainstream and business readership. Please comment toward improving/clarifying the content.

Like many, early on we carried a cognitive dissonance about Anonymous. Is this a good thing? Or a bad thing? Many people seemed to approve of the attacks against Scientology – or Anonymous’ apparent passion for transparency and their crusade against corruption. Helping oppressed people in Tunisia and Egypt? Absolutely, people see that as a force for good. Others operations however, were a bit more disconcerting for the onlookers. Leaking personal details of law enforcement, their families, and confidential informants did not sit well with many.

Riding on the back of Part 2: Fact vs Fiction, there are some additional points to make. When we explored fact and fiction, many of the points were based on a lack of understanding. In this article, we discuss how we collectively “got it wrong”. This moves beyond misconceptions born out of poor reporting or conflicting information, and into the realm of our simple lack of understanding. Further, it highlights that as a society, we seem to be unable to learn from our history. As George Santayana famously said in The Life of Reason,

“Those who cannot learn from history are doomed to repeat it.”

Everything Old is New Again

Regarding this article, the concept of speculating and proposing a “better”, more efficient, and more serious adversary is old. Government sponsored think-tanks and the U.S. military have been doing this for decades. With regard to Anonymous, the idea of the group is also not new. All of their diverse traits seen in a single group, even if nebulous, may be new to most people. However, many in information security or law enforcement have been exposed to most of these traits before. The concept of Hacktivism has been going on for well over a decade, primarily through groups defacing web pages with political messages.

Disregarding the apparent disconnect between a “computer-based group”, as Anonymous is often considered, and more traditional groups, the traits of Anonymous become more prominent. Compare some of the actions of PETA, the Black Hand, Ku Klux Klan, Weather Underground, or Earth First to some of the actions of Anonymous. Despite their goals being diverse, and each group having their share of radical members, there are many parallels to be drawn.

While they have far less in common than a broad swath of their members or observers would think, their common traits are certainly there. Each group is frustrated about their raison d’etre. Each group believes in presenting a unified front outwardly while embracing diversity and resilience internally. Despite being a heterogeneous group sociologically, Anonymous does a good job putting forth a homogeneous image (arguably propaganda) through the use of iconography and central messages.

Being Dismissive is a Disservice

Over the last year, many media outlets, pundits, and security professionals have given commentary on Anonymous and LulzSec. In many cases, the tone of the commentary has been negative, with the commentator essentially dismissing the groups’ actions. In some cases, it has been a general dismissive “the group is not effecting change” line. In other cases, pundits outright deride LulzSec as having no advanced hacking skills and only attacking the “low hanging fruit”. While most, if not all, of their hacking exploits have been easy to find and exploit, these pundits are missing the bigger picture.

First, LulzSec didn’t need more sophisticated exploits to compromise these organizations. An attacker is only as sophisticated as they are required to be; when companies don’t make it a challenge for attackers, there is no reason to use more advanced attacks. If large companies and law enforcement are protecting such valuable information, why are their own security programs not catching the low hanging fruit?

Second, what if the high profile compromises using basic exploits are just a noisy cover hiding the real activity? The concept of misdirection when hacking has been around for over twenty years. It is dangerous to assume that we know the whole picture when we are only seeing what makes the front page. There are two aspects to this idea: LulzSec could be using some of these attacks as a method of distracting onlookers from their real goals, or third parties unaffiliated with LulzSec and Anonymous may be using their brand for misdirection. For example, a disgruntled employee could launch a denial of service attack against his employer and embed a message such as “We are legion” in it, giving the impression the attacks are the work of Anonymous.

“Pretenders” also came up during the Q&A following our DEFCON 19 panel. Several in-room members of Anonymous claimed the two large Sony breaches of credit cards were “not us” but rather “the Russians” – as many suspected. Regardless, many have been dismissive of the group or the impact of an attack – until they’ve been on the receiving end.

The Media’s Field Day

To say the media has collectively had a field day with coverage of Anonymous is certainly an understatement. The group’s diverse actions, ranging from in-person protests or virtual sit-ins (DDoS attacks) to leaking information from hacked corporations, provides a gold mine of drama-rich news. The lack of a central authority or official channel for public statements from Anonymous helps the media run wild, and Anonymous must play a game of catch-up when trying to hold the media accountable. The perception that Anonymous is new and a game changer has led many media outlets to go to press without finding a qualified person to speak on the matter. Simply grabbing the nearest mouthpiece, that frequently has a personal or corporate agenda, does not help the media, Anonymous, or the public.

When LulzSec splintered off from Anonymous, the more revealing story was not the material results of their hacking; rather, it was the sad commentary on infosec-centric and mainstream news coverage alike. After 50 days of hacking into a wide variety of sites, accompanied by a high profile predominantly Twitter-based media presence, the pressure added up. With the looming threat of law enforcement catching up to them, LulzSec announced their retirement on Pastebin and broadcast it via Twitter. While the announcement was deemed inevitable, many figured we hadn’t heard the last from them, and they were right. Some in the mainstream media announced it and gave commentary on why it was inevitable and certain.

One of the most noticeable traits of media coverage during the 50 days LulzSec was active, was the lack of truly critical press. Publications and authors that have been more vocal and firm in the past seemed to pull their blows when covering the hacking activity of LulzSec. Since the group was executing a wide variety of attacks, and supporters of the group were carrying out DDoS attacks against detractors, it appeared that journalists were scared to be overly critical. Paul Carr wrote for TechCrunch saying “Please Hacker Don’t Hurt Us: The Media’s Coverage Of LulzSec Has Been Cowardly and Pathetic”. It should be noted the irony that this article came a day after LulzSec posted their retirement message. Worse, the timing of the article and criticality suggests that Carr, like many others, felt that the group was truly done and their “vandalism spree” was finished. Similarly, Bill Brenner wrote an article for CSO Online called “Whatever, LulzSec”, two days after the retirement message. The timing of these articles suggest the authors feared potential retaliation from LulzSec should their message be construed negatively. Provoking these groups may seem undesirable, but it would also prove an interesting point; if Anonymous or LulzSec retaliate over poor press, they may be considered the tyrants they so oppose.

Arresting Anonymous Won’t Help

The pursuit of Anonymous is just as futile as it is necessary. Thinking of the group in terms of traditional crime simply doesn’t hold up. This group is not four people that have been knocking over banks, where bringing even one of the four to justice may stop further robberies. For each Anonymous member busted, another will take his or her place, maybe two. That said, law enforcement cannot let the group go unchallenged. Public and corporate pressure to put a stop to their activity is stronger than ever. With a nebulous group that has new recruits ready to step in for fallen comrades, it could be a never ending battle. With a seemingly endless supply of new recruits, all with a strong belief in the movement, a few dozen arrests won’t put a dent in the organization.

Some have suggested the only way to truly stop these groups is to capitulate, and meet their demands, which is as much a pipe dream. With a diverse set of demands, that are often not well defined, or more of a general principle such as “maintain secure networks”, meeting them is often not possible. If you take away the reason someone is protesting, they will generally stop. Locking them up or pushing back rarely leads to a real solution. As Natalie Portman’s voice over in ‘V for Vendetta’ said,

“We are told to remember the idea, not the man, because a man can fail. He can be caught, he can be killed and forgotten, but 400 years later, an idea can still change the world.”

Anonymous Alleged Mugshots

(Source of mugshots: talkingpointsmemo.com)

Even with dozens of arrests in several countries, there is no indication that Anonymous is dissuaded.

Occam’s Razor Cuts Deep

Like most current topics, a prevailing trend in media coverage of Anonymous is heavily based on making assumptions. A news organization may receive one or two pieces of information about a situation or scandal, then fill in the blanks with their best guesses. We’ve become accustomed to news coverage that consists of a commentator standing by repeating the same fact over and over, interjected with their guess of additional facts. Moving beyond the simple (e.g., “the politician is greedy”), commentators will speculate wildly about state of mind or other actors that may or may not be involved. We, the viewers, are the cause of this. As a society, we are willing to forgo logic and simplicity in favor of drama and intrigue.

For Anonymous, a group largely grounded in the Internet as a medium and meeting place, the theory of Occam’s razor is largely applicable. Combine with that the Online Disinhibition Effect, and it becomes obvious that many are acting out because they can. More interesting is the notion that the casual members and new recruits, viewed as ‘cannon fodder’ by some, are the ones acting out the most. Further, they feel safer with a layer of anonymity and perceived protection that they do not enjoy in real-world protests or activity. In some cases, it is simply a matter of the participant not fully understanding technology and how it relates to anonymity. They feel that being virtual protects them, without understanding the exposure of a disclosed IP address that has not been masked with effective technology (e.g., TOR, proxies).

On the flip side, many members of Anonymous are proving that the Online Disinhibition Effect only goes so far. With members helping in Internet activism before proceeding to a local protest to square off with those they are protesting, anti-protestors, and law enforcement, one has to accept that not all members act differently simply because of perceived Internet anonymity. As this happens, media outlets are guilty of varying degrees of projection, assigning traits and beliefs to persons that have made no definitive actions of the sort.

In challenging the integrity or morals of someone that hides behind a mask or computer, many of us fail to realize that dissociative anonymity may also be helping our society. The protection provided by that anonymity may be leading people to find the strength or freedom to say things they wouldn’t otherwise. At DEFCON 19, one member of our panel began the session wearing a mask. When we asked the audience if he should remove it, a majority said “no” (with a noted selection bias). This lends to the idea that many sympathizers don’t want Anonymous unmasked, perhaps as a way of supporting or agreeing with a majority of their actions; or simply out of fear of repercussions. Like most tools, anonymity can be used for good or evil.

Those seeking anonymity may include people effectively whistleblowing, arguably a valuable public service that puts them at risk for the greater good of society. Further, asynchronous communications may be fueling people to embrace speaking out. The ability to voice opinions or share information on message boards, via e-mail, or on web sites, without immediate backlash or punishment is a powerful motivator for opening up and sharing.

There are many factors that contribute to the actions and mindset of a person affiliating themselves with Anonymous, LulzSec, or any group tangentially related to Anonymous. Despite all of the speculation and possibilities enumerated in this article, Occam reminds us that a group such as LulzSec may truly be doing it all “for the lulz“. Every time the media or an analyst takes a guess or makes a suspect claim about Anonymous’ motivations, it is important to go back to a more simple explanation and give it serious consideration.

Copyright 2011 by Josh Corman and Brian Martin. Permission is granted to quote, reprint or redistribute provided the text is not altered, appropriate credit is given and a link to the original copy is included. Custom graphic courtesy of Mar - sudux.com.

Should you feel generous, please donate a couple of bucks on our behalf to any 501(c)(3) non-profit that benefits animals or computer security.

2012 Social Security Bloggers Awards to take place at RSA

It’s an honor just to be nominated.

A few weeks ago, the nominations for the 2012 Social Security Bloggers Awards came out.

Given how spanky new this blog was, I was shocked to see it receive a nomination for “Most Educational Security Blog“. This is a tough category and a humbling one. I almost took it as a suggestion/challenge to rise than any other meaning. I do really try to add signal and researched backed concepts (versus simply adding noise) – so I feel great that at least a few noticed that. I also want point out that Brian Martin (aka Jericho @attritionorg) has co-authored the “Building a Better Anonymous series” – and therefore is also part implicated/reponsible.

Regardless, I am honored to have “Cognitive Dissidents” included among some excellent resources (pasted below):

The Most Educational Security Blog:

Cognitive Dissidents http://blog.cognitivedissidents.com/

Tao Security http://taosecurity.blogspot.com/

F-Secure blog http://www.f-secure.com/weblog/

The New School Security Blog http://newschoolsecurity.com/

AppSecInc Blog http://blog.appsecinc.com/

Evil Bytes/John Sawyer http://www.darkreading.com/blog/archives/evil-bytes/index.html

All of those are excellent resources. I’d probably vote for The New School Security Blog. Each offer something different, so I’d highly encourage you to try them each.

There are many great nominees for various categories of BLOGs and Podcasts. If you haven’t taken a look, I’d encourage you to do so. There are also some glaring omissions from some of the nominees, so feel free to suggest write-ins or ask more about the nomination process.

E.g. Best Security Podcast  was missing Risky Business and the Social-Engineer.org podcasts – the former being the best source of weekly security news and the latter being one of the most structured and educational in its monthly format.

Like the SAG (Screen Actors Guild) awards, these are voted upon by other bloggers. You need a security blog to vote. If you have one, and have not voted yet, please do so before it closes. Here’s a convenient link to the voting form.

Like many of you, I feel a bit conflicted about these kinds of things. Sure there is a bit of echo chamber and digerati and cult-of-personality stuff with any of these awards. That said, there are some truly excellent researchers and bloggers who devote a ton of their personal time to helping advance this space. This is a small, easy way to acknowledge their contributions.

Fact vs. Fiction? we see what we WANT to in Anonymous - (Artwork by Mar - sudux.com)

Part 2: Fact vs. Fiction

By Josh Corman & Brian Martin

2011

If you are new to this series, please begin with Part 0 and the index. You may also recognize the above ink blot from a short post in November (which has several comments worth reading).

NOTE: We will post each installment here for the security industry to garner feedback for about one week prior to posting to Forbes.com and a more mainstream and business readership. Please comment toward improving/clarifying the content.

The story of Anonymous is interesting. Some of the activities and exploits of the “group” are surely entertaining. As such, the media tends to run wild and loose with fact, injecting a healthy dose of fiction along the way. With as much truth as fiction in the news, it makes it difficult to understand and accurately portray such a group. It skews our perception of Anonymous’ activities and goals. Reporting with a lack of information or perspective is often just as big a disservice as reporting inaccurate information.

After our DEFCON 19 Panel “Whoever Fights Monsters…”, we had several intense discussions with many attendees and even some self-identifying members of Anonymous. While there were many take-aways, our biggest was that one of the reasons our collective narrative is so far off base is due to a bit of a Rorschach effect. We see in Anonymous, what we want to see. We project. Our narrative says more about us than it does about them. Just because we may want them to be “demonstrating insecurity in order to catalyze better security”, doesn’t mean that’s what is driving them. In fact, there isn’t even one singular, monolithic motivation or cause – and that is one of the next points.

With that, we examine some of the myths and fiction surrounding Anonymous. Anonymous is surrounded in contradictions and represents a paradox. Exploring the paradox is part of the dialogue, as contradictions are inherent in the subject matter.

Fact or Fiction: Leadership and a Defined Group

Anonymous is a loose collective with no membership roster, not a monolithic group. One could say it is an “idea”, but even that is incorrect, as it is a collective of ideas. Without structure, without a roster, without leadership, how can a collection of people even be called a group, let alone affect change? Despite that they call themselves a group, and by definition they are one. They assemble under the banner and ideal of Anonymous. What exactly that is, is hard to nail down. The idea of such a nebulous group that can usually work together to achieve a goal is a foreign concept to most people. For law enforcement, who is already struggling to break away from the mindset that digital criminal organizations are like the Mafia, Anonymous represents an entirely new paradigm.

To add even more confusion, Anonymous may have equally undefined sub-groups; people who associate with Anonymous, but only to participate in a specific cause or action. These pockets have different backgrounds, different motivations, and different levels of involvement. When people seem surprised that Anonymous did this or that – that it may be “out of character for them” – this is often due to the fact that they assign a singular, cohesive persona and timeline to one group – when reality is more of a morphing plurality of parties and interests. Commentary from the group mentions a hive mind, or collective consciousness in psychology. Using IRC and Twitter, the group gathers like-minded individuals for operations and they effectively become a cell of the group.

Take for example the recent attack on Stratfor by Anonymous. The initial news reports credited the attack to Anonymous, as the hack and defacement of the Stratfor web page was signed Anonymous. Shortly after, an “Emergency Christmas Anonymous Press Release” was released claiming the attack was not the work of Anonymous. A day after that, another release appeared once again taking credit as Anonymous. This back-and-forth credit game perfectly punctuates the problem with such a decentralized group.

Anonymous is less of a cohesive singular personality than it is a brand or a franchise – which can be borrowed by anyone – and it has been. “Anonymous is not Unanimous”. This introduces complications for the group, when anyone can claim involvement and then tarnish the brand. This can be used by a bored person or a more organized subversive group that seeks to undermine Anonymous.

Family Tree courtesy of Eric Limer - click for his full piece

More importantly, there has been at least one splinter group, LulzSec, that formed from Anonymous. A month after splintering, LulzSec and Anonymous announced that they “made up” so to speak, and fully support each other. With multiple groups operating and focusing on different goals, while still not having a defined roster, the question of membership becomes more important. This becomes evident when a journalist must qualify an interview in the headline: Our ‘Possible’ Interview with a Member of LulzSec. The first part of the article further articulates the confusion:

DataDoctors First question: How do we know that this is really a LulzSec account and not a wanna be fan?

Lulzsec: We do not represent the twitter voice of LulzSec. We are the original founders.

Further updates to the article indicate LulzSec denied this person is legit, while the interviewee insists they are part of a splinter group of LulzSec. Regardless, the one thing that is abundantly clear is that leadership appears to be in short supply. Despite that, there is some sense of leadership, as hundreds, if not thousands, of members can mobilize to achieve the same goal. Temporary thought leaders can emerge on designated IRC channels. Anyone can take up this title by being in channel and making an argument that people want to follow.

Fact or Fiction: Hacktivism is New

Digital or Internet activism is the use of technology to facilitate a group of people to more effectively communicate over large distance in order to effect some form of change. When one of the methods used to this end is hacking (generally accepted as committing some form of computer crime), the term “hacktivism” is used. Anonymous has used hacking as a vehicle to expose private information they felt should be public.

Hacktivism predates Anonymous by a decade a more. Perhaps the first documented instance comes from 1989, when a malicious worm called “WANK” was used to protest nuclear weapons. According to Wikipedia’s timeline of hacktivism, the first incident of hacktivism not involving self-replicating software was the “Intervasion of the UK orchestrated by a group called the Zippies on Guy Fawkes Day”. While unrelated to the group Anonymous, the coincidence of it occurring on Guy Fawkes Day is certainly interesting.

Not all hacktivism involves illegal activity. The legitimate use of technology to gain access to information from diverse sources and piecing it together can often appear to be the result of hacking. Using open-source intelligence (OSINT) to piece together details, it is possible expose a wide range of information that may not have been thought of as public, despite being available to anyone that looked for it. This activity historically took the form of “doxing” (document dropping), an old practice of exposing detailed personal information about an individual such as name, phone number, address, or relative names. Primarily used as a threat or indirect attack, exposing a person conducting illegal hacking in such a way can assist law enforcement in apprehending the person. However, by publishing information on people in sensitive positions (e.g., law enforcement that may be undercover) or persons wishing to stay out of the spotlight (e.g., political donors), “doxing” can be used by activists in a similar manner.

Fact or Fiction: A Force for Good

A fundamental trait of many original Anonymous is their desire to do good. The group’s actions are born out of a sense of righting wrongs and combatting injustice. There is an ethical delimna when achieving goals in pursuit of good require breaking the law, but it is one the group sees as a necessary evil. Despite good intentions, some of the group’s activities are certainly questionable, while others are clearly misguided and do more harm than good.

In early December, 2011, Anonymous drew criticism for “OpRobinHood”, an operation intended to steal from the rich and give to the poor. This idea was great in theory, but many suspected it would end up hurting the common people, not banks or big corporations. This was put to the test when credit cards pilfered from the Stratfor hack were used to donate to several charities. Instead of helping charities, the fraudulent transactions are being returned. Not only did the money not end up helping the charities, the misguided attempt to help ended up causing them administrative overhead in trying to make things right. Worse, at least one charity said they are charged $35 for each fraudulent transaction and pleaded with Anonymous not to make any more donations. The full story and operation have yet to play out, but early signs show that things are more complex and more cleanly ‘good’ in practice, than in theory.

Ultimately, in attempting to help the poor and needy, Anonymous has hurt both charities and common people. The credit cards taken from Stratfor were not corporate cards tied to faceless businesses. They were mostly personal credit cards of average citizens, including some that had to close their accounts and did not have the money donated. The banks will likely not absorb the cost of the fraudulent transactions. Rather, they will pass the costs around to merchants in the form of additional fees. This may in turn lead to an increased cost of service as merchants pass the costs down. In the end, Anonymous may have robbed from the poor, not the rich.

Fact or Fiction: Anonymous and LulzSec Make you Vulnerable

The classic phrase, “don’t shoot the messenger” must be remembered. While it takes a criminal to break into your system and cause some form of mischief, that person did not make your system vulnerable. They merely exploited the vulnerabilities that were already present. Either through manufacturer defect or misconfiguration, the system has weaknesses before the hacker attackers. The private information that is being exposed by groups such as Anonymous and LulzSec was being stored on systems with inadequate protection.

Members of LulzSec have claimed their activity was based on showing that the emperor has no clothes. Subsequently, LulzSec believes they have revived the Antisec Movement, focusing on general insecurity, where the original movement was based primarily on exposing problems with security companies and professionals. Others following in the footsteps of LulzSec fomented the Antisec Movement by attacking not only security companies, but any other company they found to be vulnerable.

Fact or Fiction: Anonymous and LulzSec are a Terrorist Organization

Until recently, most media outlets and victims of Anonymous’ actions have labeled them a nuisance or criminals. With the publishing of the Arizona Department of Public Safety confidential documents, Jimmy Chavez, president of the Arizona Highway Patrol Association, went one step farther by labeling them a terrorist organization:

“They don’t need any additional pressure on them from a — let’s just call it what it is — a terrorist organization.” — Jimmy Chavez

Noted privacy researcher and advocate Dissent once commented, “It was a Class C misdemeanor when an AZ state employee revealed PII that endangered others, but when @LulzSec did it, it’s ‘terrorism?’” Chavez’ labeling either group a “terrorist organization” is disingenuous and self-serving at best, as Anonymous / LulzSec’s activity certainly don’t fit the definition of terrorism. Increasingly aggressive acts against policy makers and law enforcement will certainly invite the term ‘terrorist’, even if it is misapplied. In addition, given the diverse nature of the group, many members or people that identify with Anonymous have morals that would preclude them from staying involved if they thought they were close enough to even be mistaken for “terrorism”. Further, such a brand would work to counter their objectives and movement.

Fact or Fiction: They Are Not Moral

Cries that Anonymous is not legitimate in the activism movement because of a supposed lack of morals are shortsighted. It simply does not matter if you feel they are moral or not. Their activities are not about your morals or values. Ethics are a secondary thought at best; if Anonymous feels that a specific action will have the desired result, they act based on their perception of the greater good. It is clear that to many involved, the ends justify the means. In other cases, for some members of Anonymous, the real-world consequences for their digital activity may not be fully realized.

As previously covered, the notion that such a group adheres to any one set of beliefs, morals or code of ethics is wrong. With a large, nebulous, diverse group such as Anonymous, we must also consider that decisions are unlikely to be made according to any one person’s sense of morality (more on this later), making it difficult to ascribe an ethical standard to the group as a whole. There are simply too many factors at play and too many individuals affiliated with the group to ascribe a binary value of “yes” or “no” to the question of Anonymous’ morals.

Fact or Fiction: The Concept of “Organized Chaos” is Absurd

As people try to wrap their head around the concept of such a fundamentally different group, conclusions are reached that seem contradictory. The idea that a group or idea can be “organized chaos” appears to be an oxymoron, yet it certainly applies. The loose structure, lack of central leadership, diverse objectives, and wide range of tools at their disposal speak to this. They are certainly organized, as demonstrated by the BART protests. They are also most assuredly chaotic, practicing a form of civil disorder that borders on general chaos.

The concept that organization and logic can be found in chaotic situations has been studied and falls under the category of a complex adaptive system. Both Murray Gell-Mann and Kevin Dooley write about the topic as it applies to a variety of systems, including socially. Dooley writes:

Contingency theory states that an organization structures itself and behaves in a particular manner as an attempt to fit with its environment. Thus organizations are more or less complex as a reaction to environmental complexity. An organization’s environment may be complex because it is turbulent, hostile, diverse, technologically complex, or restrictive. An organization may also be complex as a result of the complexity of its underlying technological core.

Applying this to Anonymous is fitting and revealing.

Fact or Fiction: They Believe in Anonymity

As their name suggests, the group certainly cherishes their own anonymity. With some of their actions crossing moral and legal lines, anonymity becomes a protective blanket to keep them running afoul of the law. However, there is a flip side; many affiliated with Anonymous do not believe in the anonymity of the people they expose. This can be seen in their leaking of BART police information, leaking Booz Allen email and logins, and Arizona law enforcement information leak that included officer and confidential informant information. During our feisty DEFCON Q&A, David Etue posed this to the Anons participating in the exchange:

“There is something paradoxical about a group that promotes transparency, but isn’t transparent themselves; and believes in anonymity, but negatively impacts the anonymity of others. How do you resolve your values and operations?” — David Etue

This is further exacerbated when Anonymous claims to fight for the people, yet performs actions that directly hurt the common person. Leaking databases full of consumer information surely teaches a company a lesson in security, but does so in a manner that yields a high amount of collateral damage. Leaking the personal information about police officers and their family makes a point, but does not fight corruption or the relatively small number of “bad apples” in police departments. This not only belies a cognitive dissonance, but may also hint at the presence of less noble/righteous participants – and even psychopathy within the group.

Fact or Fiction: Anonymous Supports Free Speech & Civil Liberty

On the surface, this is most assuredly true. Looking deeper, there appears to be a lack of understanding of causality that could drastically impact both free speech and civil liberties. Legislators have a history of introducing new laws as part of a knee-jerk reaction to a high profile negative incident. If Anonymous continues to break the law to achieve their goals, they risk legislators replying the only way they know how; more legislation. In doing so, the risk of sweeping laws being enacted that are poorly considered is high. This could lead to new laws that limit free speech, suspend or restrict civil liberty, and take away freedoms we currently enjoy. As one of the authors remarked at DEFCON and elsewhere,

When threatened… powerful, uninformed people make powerfully uninformed decisions.

If Anonymous continues in the same fashion as they have for years, what will the group say when a “Cyber Patriot Act” modeled after the Patriot Act or “Cyber Neo-McCarthyism” is enacted as a direct result of their actions?

Fact or Fiction: Disinformation Cuts Both Ways

With such a radical shift from a classic activist group, the level of inaccurate or misleading information is immense. The disinformation we see about Anonymous and their actions come from a variety of sources, including the media, analysts, law enforcement, chaotic actors (that may or may not associate with the group) and Anonymous themselves.

Law enforcement and media are consistently contributing to a campaign of disinformation, often times without realizing it. As we see more frequent articles announcing the “bust of # members of Anonymous”, it gives the perception that law enforcement is making steady progress fighting the group. In addition, it is easy to read into such articles and believe that they are “key” or “core” members of the group. In reality, they may be casual members, sympathizers or completely unaffiliated with the group. Regardless of their affiliation, once the announcement is made, they are branded as such and the world is rarely exposed to a correction or follow-up with details. The articles that claim “Topiary of LulzSec busted” or “Commander X taken down” also call into question the ratio of persons to handles. What if multiple people assume the same name, just as they assume one name as a group?

There are an increasing number of people that consider themselves ex-Anonymous. For a variety of reasons, they no longer identify themselves as part of the group. For example, “SparkyBlaze” quit the group leaving a missive behind focusing on Anonymous removing innocent peoples’ right to stay anonymous themselves. In a few cases, the persons will stay involved to some degree. For example, Gregg Housh no longer identifies with the group, but calls himself an observer of the group as he maintains a timeline related to Anonymous. Another person that is involved, but from a slightly removed stance, is St4rFox (Twitter feed now gone), who has talked about his involvement in running a site to train would-be Anonymous members on hacktivism and hacking, titled Operation NewBlood. Both of these individuals call to question if they are part of the group as a fringe element, members of the group that are attempting to manage public perception, or simply acting as sources of information and disinformation as is convenient.

With dozens of Twitter feeds likely operated by twice as many people, the level of accuracy and trustworthiness of the information being broadcast by Anonymous is questionable. With so many sources of noise about the group, for example Joseph Black and his creating confusion with wild claims, it becomes hard to find the signal. Finally, there are an unknown number of actors that are influencing, or attempting to influence, perception of the group such as a supposed Federal Bureau of Investigation (FBI) psychological profile of Anonymous that was later determined to be fake. Additionally, private citizens, some with an apparent motive to profit, have been attempting to infiltrate their ranks.

Anonymous: A Visit from Rorschach

This isn’t a case of fact versus fiction, this is a simple truth about human nature and perception. We project our own desires, fears and love on others, and Anonymous is no different. Anonymous is a real Rorschach test, helping us discover what we see in the group day to day. Yes, day to day because perception changes quickly, and what we see in the group can change just as quickly. Early on, one author of this article saw Anonymous as “light gray hats demonstrating insecurity to catalyze security”. Over time, that opinion changed as more activity occurred and Anonymous matured.

Many sympathetic to Anonymous see them as a group of Robin Hoods, hitting the rich and powerful in the name of the oppressed people. Some analysts see them more as the Joker, a purely chaotic actor that wants to see the world burn. Others romanticize the group, seeing the greater good they hope to accomplish, falling in love with the anti-hero ‘V’. This projection and perception says more about us than it does about Anonymous. In short, we see what we want to see in the group.

In the next installment: “How We Got It All Wrong”.

Copyright 2011 by Josh Corman and Brian Martin. Permission is granted to quote, reprint or redistribute provided the text is not altered, appropriate credit is given and a link to the original copy is included. Custom graphic courtesy of Mar - sudux.com.

Should you feel generous, please donate a couple of bucks on our behalf to any 501(c)(3) non-profit that benefits animals or computer security.

Expect Anonymous Fight Club Soap (Artwork by Mar - sudux.com)

Part 1: Introduction & Approach

By Josh Corman & Brian Martin

2011

If you are new to this series, please begin with Part 0 and the index.

NOTE: We will post each installment here for the security industry to garner feedback for about one week prior to posting to Forbes.com and a more mainstream and business readership. Please comment toward improving/clarifying the content.

Why Write This & Operating Parameters

As we sit here to write this in October and November of 2011, we’d like to render a few things explicit. As objective observers, we’ve seen the rise of Anonymous and other chaotic actors as both intriguing and “of consequence”. We’ve also seen very little in the way of what we’d call “insight” or “understanding” toward the evolution of the “group(s)”. Those who are publicly speaking don’t seem to “get it”. Those who seem to have insight are frequently unwilling (and in many cases afraid) to speak.

So with natural curiosity, we have attempted to ask questions, engage in dialectic, apply logic and analysis, and see if other willing minds can’t nudge the conversation forward in useful and non-confrontational ways for the benefit of all. As the group(s) continue to morph and evolve – and as our comprehension (hopefully) improves, this will clearly re-cast the content of what you will read throughout these articles. We will attempt to capture thought at this time – and when necessary, we may adjust/augment/update against this point-in-time content.

Operating parameters of this series:

• We are not now, nor have we ever been, members of Anonymous
• We have not joined any IRC rooms affiliated with Anonymous
• We are not seeking to “break” any story, but rather to logically analyze events as they unfold and to anticipate likely future scenarios and developments
• We are not seeking to identify or investigate individuals, but rather to understand broader attitudes and motivations
• By writing this article, we are not endorsing or denouncing Anonymous

Anonymous Background

Unstructured and nebulous, a group called Anonymous, born in the trenches of virtual trolling, has become a household name based on a reputation of civil disobedience and digital activism. They are a wildly diverse and unpredictable group, one that takes up arms to fight a varied collection of causes, while having no stated charter or organizational chart. Despite these seemingly limiting traits, Anonymous has flourished and become a force to be feared or respected, but not reasoned with.

Many people believe they know the history – but “which one?” The history of Anonymous is just as murky as trying to define them. The very brief history we present below could be thought of as a commonly accepted history. However, a similar history claims the background is more wrong than right. Gregg Housh, a former Anonymous member who now observes the group, has put together a considerably more thorough “chanology timeline” that attempts to chronicle all events related to Anonymous.

Formed in 2003, Anonymous was born out of a community / forum known as “4chan”, with a subset message board called “/b/”. Gawker wrote a concise summary of these boards and other 4chan affiliated projects, to better explain the origin of today’s Anonymous. Widely perceived as putting their attention and power toward a greater good only in the last three years, Gawker notes that previous pranks may have begun to show their ‘good’ side much earlier. Based on the concept of an anonymous community that became a shared collective identity, the Anonymous name gained international attention in 2008 for Project Chanology, a coordinated fight against the Church of Scientology. Years before Project Chanology, between 2006 and 2007, Anonymous demonstrated that they were heading down a path of righteousness with several high profile activities. In subsequent years, the group continued activities that garnered mainstream media that demonstrated the concept of digital activism, sometimes based on illegal hacking activity.

Anonymous activities in 2011 have helped them become a household name, covered by all types of media and gaining increased attention from law enforcement and pundits. Security firm and government contractor HBGary Federal angered Anonymous after claims that they were working with the FBI to unmask key Anonymous members, resulting in more than 60,000 private e-mails of CEO Aaron Barr and other employees being published. In response to Sony suing Geohot (aka George Hotz), Anonymous launched a Distributed Denial of Service (DDoS) against the corporate giant, resulting in Sony blaming them for subsequent attacks they had no declared part in, which were numerous. Banking giant Bank of America dealt with Anonymous when they released internal mails that claimed to prove corruption and fraud. “Operation Anti-sec” was (re)born, with the Anonymous splinter group LulzSec teaming back up with their parent group to protest a list of government transgressions by breaking into numerous sites ranging from the Arizona Department of Public Safety to The Times to the Fox News Twitter Account. One of the most recent attacks after our DEFCON 19 panel was launched against the Bay Area Rapid Transit (BART) after the death of BART passenger Oscar Grant, leading to BART customer information being exposed and increased calls for protests. These activities, and more, have resulted in the group being perceived as more dangerous as well as more effective.

Understanding Anonymous

It is not easy to claim understanding of a group so diverse as Anonymous. At best, one can attempt to understand some of the fundamental principles and ideas that motivate some, but not all, members. There are several articles that attempt to display this understanding, written from a variety of perspectives (and possibly involvement). For example, Adrian Crenshaw wrote “Crude, Inconsistent Threat: Understanding Anonymous“, in which he discusses the motivation and organization of the group. Josh Corman, co-author of this article “ has previously written about the topic“. Cole Stryker has even authored a book on the topic, titled “Epic Win for Anonymous: How 4chan’s Army Conquered the Web“. One thing should remain clear; no one person will ever fully understand Anonymous beyond the broad influences.

Throughout their history, Anonymous has exposed weakness and vulnerabilities in a wide variety of social and technical systems. In doing so, the group has been demonized unfairly by a wide range of people including the media and law enforcement. One fundamental truth that seems to escape many observers is that the vulnerabilities were already there. Anonymous just brought them to the public’s attention. In crying for the heads of Anonymous, we are effectively shooting the messenger bearing bad news. Gene Spafford, from the Center for Education and Research in Information Assurance and Security (CERIAS), summarized the underlying issue that is absolutely critical for everyone to understand:

“First, if a largely uncoordinated group could penetrate the systems and expose all this information, then so could a much more focused, well-financed, and malevolent group – and it would not likely result in postings picked up by the media. Attacks by narcotics cartels, organized crime, terrorists and intelligence agencies are obvious threats; we can only assume that some have already succeeded but not been recognized or publicized.” — Gene Spafford

Anonymous Zeitgeist in Popular Media

For those who wish to avoid the laborious task of trying to define a chaotic and disparate group, there are several pop culture leanings that may help paint the group in a very broad stroke. These media references are based on Anonymous’ actions and the authors’ interpretation of their activity and writings.

V for Vendetta by Alan Moore

Due to the adoption of the Guy Fawkes mask as a symbol of the group, perhaps the most popular pop culture reference would be Alan Moore’s V for Vendetta. Toward the end of the movie, the protagonist V outfits thousands of citizens in a black cloaks and Fawkes masks to create an anonymous army of sympathizers fed up with the totalitarian government. This scene is perhaps the ultimate symbolism for the group as we know it; an army of oppressed citizens finally fed up with an abusive regime that has stripped them of privacy, civil liberty and ultimately power.

Fight Club by Chuck Palahniuk

Chuck Palahniuk’s Fight Club touches on broad leanings of Anonymous members. The idea of a near cult-like group engaging in diverse projects under the names ‘Project Mischief’ and ‘Project Mayhem’ certainly draws parallels to Anonymous. Members of the group determine their own level of involvement, a strong theme of Anonymous. Ultimately, tapping into the latent frustration of members, eloquently summarized by Tyler Durden (Brad Pitt) in the movie adaptation:

Man, I see in Fight Club the strongest and smartest men who have ever lived. I see all this potential, and I see it squandered. Goddammit, an entire generation pumping gas, waiting tables, slaves with white collars. Advertising has us chasing cars and clothes, working jobs we hate so we can buy shit we don’t need. We’re the middle children of history, man; no purpose or place. We have no Great War, no Great Depression. Our Great War is a spiritual war. Our Great Depression is our lives. We’ve all been raised by television to believe that one day we’d all be millionaires and movie gods and rock stars. But we won’t; and we’re slowly learning that fact. And we’re very, very pissed off.

Watchmen by Alan Moore

Another Alan Moore graphic novel, The Watchmen, highlights several aspects of the Anonymous collective; post-modern anti-heroes willing to do evil things to avoid a greater evil, a cast of characters confront and challenge both morality and alignment, redefining the popular concept of heroes embodying good. One of the running themes throughout the novel is the idea of “who watches the watchmen?”

The Dark Knight

The Dark Knight introduces people to a purely chaotic evil actor, The Joker, who the butler Alfred draws an allegory to. He tells Bruce Wayne of a bandit he helped chase in a forest who was throwing away the jewels he stole, saying “Some men aren’t looking for anything logical … [they] just want to see the world burn.” Wayne asks how he was ultimately caught. Alfred replies, “We burned the forest down.” A simple solution, but one that is easily argued as worse than the bandit’s actions. Opposite of the chaotic evil Joker is Batman, a chaotic good hero that demonstrates a steady scale of escalation to fight evil, just as Anonymous appears to do often times. At the same time, Anonymous likely has a handful of chaotic evil actors involved, even if they don’t realize it yet.

Ghost In The Shell: Stand Alone Complex The Laughing Man

There are several other notable media that draws parallels to Anonymous to some degree or another. Ghost in The Shell – Stand Alone Complex is eerily prophetic about these concepts, with a villain named Laughing Man that is essentially a collective of infectiously contagious meme copycats of an original that may not even exist.SLC Punk showcases the fleeting catharsis, contradictions, inconvenience, and ultimate emptiness experienced by a few young anarchists.

SLC Punk!

With the group constantly changing and adapting, losing followers as often as they gain new interest from the disenfranchised, understanding will come in small waves and require reexamination every step of the way.

Copyright 2011 by Josh Corman and Brian Martin. Permission is granted to quote, reprint or redistribute provided the text is not altered, appropriate credit is given and a link to the original copy is included. Custom graphic courtesy of Mar - sudux.com.

Should you feel generous, please donate a couple of bucks on our behalf to any 501(c)(3) non-profit that benefits animals or computer security.

A Better Anonymous – (Artwork by Mar – sudux.com)

By Josh Corman & Brian Martin

2011

This multi-part article, with original artwork by Mar, is a follow-up to a one hour panel discussion at DEFCON 19 titled “‘Whoever Fights Monsters…’ Confronting Aaron Barr, Anonymous and Ourselves” moderated by Paul Roberts, discussed by Josh Corman, Brian Martin and Scot Terban. The views of the authors are not meant to be a criticism of Anonymous, nor are they meant to be encouragement for future criminal activity. It is an inevitable fact that Anonymous, or similar groups, will become bigger, stronger, and more effective. Discussions on how to build a more potent digital hacktivism group (illegal hacking to achieve a political goal) have occurred for over a decade. This article will not attempt to introduce groundbreaking new ideas, but rather will summarize many existing ideas and subject them to analysis from two security practitioners on two sides of this issue. If anything, this will serve more as a ‘Lessons Learned’ with the aim of broadening the reader’s understanding of the topic, while demonstrating that the “problem” is not going away; the “problem” is evolving and growing.

When we say “building a better Anonymous”, we seek to explore the ideas of making such a group truly better. That means better for all parties involved; the group, end users, citizens and law enforcement. “Better” does not mean more criminal acts in the name of the greater good, it means a more efficient organization that can achieve the same (or better) results with less collateral damage. We envision a group with better defined goals, more accountability, a healthy dose of humor and the legendary resolve of the sabertooth squirrel. Of course, the chaotic nature of a group such as Anonymous means that any hopes of improvement will likely come in the form of small numbers of members guiding the rest toward these goals.

NOTE: We will post each installment here for the security industry to garner feedback for about one week prior to posting to Forbes.com and a more mainstream and business readership. Please comment toward improving/clarifying the content.

Below you will find an index for the series (links will be added as published):

1) Introduction & Approach

A brief introduction to this article series and Anonymous.

2) Fact vs Fiction

Figuring out the fact versus fiction of Anonymous.

3) How We Got it All Wrong

How the media and professionals got it wrong.

4) How Anonymous Has Failed in Theory & Practice

Anonymous, as they are today, and various shortcomings.

5) Building a Better Anonymous – Philosophy

A foundation/framework for improving on the Anonymous blueprint.

6) Building a Better Anonymous – Details

Extending the new foundation for improving on the Anonymous blueprint.

7) Abstract Ideas

Other considerations relevant to this topic.

8) Conclusion

What have we learned, and what we hoped to teach.

Copyright 2011 by Josh Corman and Brian Martin. Permission is granted to quote, reprint or redistribute provided the text is not altered, appropriate credit is given and a link to the original copy is included. Custom graphic courtesy of Mar - sudux.com.

Should you feel generous, please donate a couple of bucks on our behalf to any 501(c)(3) non-profit that benefits animals or computer security.

We see in Anonymous what we WANT to see (Anonymous Rorschach) - (Artwork by Mar - sudux.com)

I have a “simple”, non-rhetorical question for you:

When you look at Anonymous, what do you see?

Context:

Jericho (@attritionorg) and I have been working on a BLOG series about Anonymous, as a follow-on to our DEFCON19 Panel called “Whoever Fights Monsters: Confronting Aaron Barr, Anonymous and Ourselves”. We’re pretty close to posting the 1st of these (possibly next week).

It dawned on me as we researched that one of the “distortion fields” surrounding “understanding Anonymous” is that we see in them what we WANT to see – like we do with a Rorschach ink blot test. We project. Our narrative says more about us, than it does about them. This is the double-edged sword that sometimes comes with symbols and iconography.

For those who didn’t immediately recognize the Friedrich Nietzsche reference in that DEFCON title, it comes from this:

Whoever fights monsters should see to it that in the process he does not become a monster. And if you gaze long enough into an abyss, the abyss will gaze back into you.

As a teaser to our series – and as I finalize my slides for my Anonymous talk for next Thursday at SOURCE Barcelona, I thought I’d throw this Non-Rhetorical Question out to each of you…

When you look at Anonymous, what do you see?

As succinctly as you can – either within the Comment field or with a BLOG post/response of your own… please add your take on Anonymous (initially, today, going forward, all of the above…)

I hope to share some of the more interesting responses during my talk in Barcelona.

Remember… as you gaze into the Anonymous Abyss… it too gazes back into you.

Artwork Note:

This Rorschach and several other BEAUTIFUL pieces of orignal artwork come from -MAR- at sudux.com – just amazing.

We see in Anonymous what we WANT to see... what do you see? (Artwork by Mar - sudux.com)