There’s been quite a bit of drama with regards to whether or not to boycott the RSA conference over a deal that the RSA security vendor had made with the NSA. I will not be rehashing it here.

What I will say is that I can respect individual decisions for principled reasons.

My own choice is also based on a calculus of my principles; I hope those who made a different choice can respect that.

I will be speaking at RSA – for a number of very nuanced reasons.

Of these, the clearest in my mind was simply this…

I research security to help people better defend themselves and things that matter.

Love or hate the RSA Conference, it is the annual heartbeat of the security industry and for many mainstream security professionals, this is their best chance to learn, challenge themselves and interact with the industry’s leading minds. I thought long and hard about all of the sides of this issue and decided that those most likely to be hurt by me boycotting were the very people I do this for.

Trust has been damaged on many fronts over the last year. I believe these issues cut to the core of the industry and our “community”. They will need hard discussion and debate – and I will be there to make sure that happens.

My Speaking Slots:

Both Sunday and Monday, February 23/24, 2:00 – 6:00 PM — BsidesSF at DNA Lounge 

“I am The Cavalry” @ #BSidesSF DNA Lounge is at 375 Eleventh Street San Francisco, CA 94103

Our dependence on technology is growing faster than our ability to defend it. The Cavalry isn’t coming. It falls to us… While its roots come from many places, a key moment for the @iamthecavalry movement was my #BSidesSF closing keynote last year. One year later, we have a large and growing movement of security professionals focussed on having impact on security of consequence. As our focus converges on technologies with the potential to impact human life and public safety, come hear what we’re doing regarding Auto, Medical, Home Electronics, and Public Infrastructure. The full agenda for our 2 days of working session is posted at the BSidesSF Website.

I am The Cavalry

Tuesday, February 25, 8:00 AM PM – RSA USA – South “Viewing Point” in Gateway Halls – Keynote Commentary

“Expert” Commentary for Day 1 Keynotes

RSA is always experimenting. This year in the “Viewing Point” in Moscone South, folks can watch the Tuesday  keynotes with some running commentary and play by play analysis. I’ll be joined by Hugh Thompson and Wendy Nather for what should be a bit of fun and analysis, but will hopefully help to frame the discussions and the rest of the week.

Tuesday, February 25, 3:00 – 3:30 PM – RSA USA – North Room 134 – Speaker

Call in the Cavalry – WHY We Need The Cavalry and Why It Falls to Us

Our dependence on IT has grown faster than our ability to protect it. What was once our hobby became our profession, and now permeates every aspect of our lives. In this swarming internet of things, vulnerable, connected technologies now permeate every aspect of our lives. While our best and brightest struggle to defend our enterprises, no one is even thinking about our growing dependence and exposure. The sad news is… the cavalry isn’t coming – it falls to us. We must be the adults in the room. We must ready ourselves to be ambassadors of technical literacy and the voice of reason. We have to be better… and we will be… starting now.

Much of RSA Conference is about protecting your enterprise. We are very pleased that RSA acknowledged the need also focus our best and brightest on security for the internet of things. My Tuesday “WHY the Cavalry” talk is the first of three 30 minute Cavalry talks at RSA. On Wednesday, Nicholas Percoco will explain WHAT the Cavalry must lead. On Thursday Katie Moussouris will outline HOW the Cavalry will affect change. All three #RSAC Cavalry talks are listed here.  Also, come talk about the mission at out booth in the Sandbox:

  • Tuesday 1:00-5:00pm
  • Wednesday 8:30am – 1:00pm
  • Thursday 8:30am – 1:00pm
Wednesday, February 26, 10:40 – 11:40 AM – RSA USA – West Room 2014 – Panelist

ASEC-W03 – DevOps/Security Myths Debunked

As DevOps has become more popular a lot of myths have arisen with regards to security and many opponents claiming that you can’t do security in a DevOps environment. This panel will address a number of those myths and demonstrate how you can embrace DevOps and maintain the appropriate security profile for your organization.

Dwayne Melancon will once again moderate myself and fellow Rugged DevOps trailblazers: Gene KimDavid Mortman, and Nick Galbreath. The great news is that the ranks of security DevOps boundary spanners is growing to include folks like Neil MacDonald, Rich Mogull, Dan Kaminsky and others. If this is a new or threatening subject, my 30m RSA Europe 2013 Keynote was a good introduction:

Thursday, February 27, 8:00 – 9:00 AM – RSA USA – West Room 2020 – Co-Presenter

STR-R01 – Not Go Quietly: Surprising Strategies and Teammates to Adapt and Overcome

Nearly every aspect of our job as defenders has gotten more difficult and more complex—escalating threat, massive IT change, burdensome compliance reporting, all with stagnant security budgets and headcount. Rather than surrender, it’s now time to fight back. This session will provide new approaches to finding financial and operational support for information security across the organization.

I’ll ride once more with David Etue for Part 3 of our “Modern Security Strategy Trilogy” based on work we’ve together over several years.
NOTE: The slides and visuals came out WELL BEYOND my expectations. You do not want to miss this.
Friday, February 28, 9:00 – 10:00 AM – RSA USA – West Room 2014 – Co-Presenter

ASEC-F01 – Software Liability?: The Worst Possible Idea (Except for all Others)

Nearly While many had hoped that market competition would influence security improvements, customers are forced to accept software as is with no alternatives. Software is responsible for our critical infrastructure, cars, medical devices and is a part of our daily lives including our well-being. Will we be able to achieve better software security without vendors facing financial consequences?

I’ve not yet worked with Jake before but we have had spirited exchanges in the past. We have come into the topic of Software Liability from very different paths, but it has been a good complement and I really hope this advances what is often a thought terminating debate. Jake knows a ton about how the Insurance industry has been looking at the issues. He also has an interesting vantage point through his work with the Open Source Vulnerability Database (OSVDB).
I hope to meet new people and new teammates.

Echo: Did I fall asleep?

Topher: For a little while.

I haven’t written here for almost a year.

The short version is my mother died last January.

I may eventually write more about it, but here is a quick bit.

Few things can rock your world like losing a parent – especially so young.

Two things happened instantly:

  1. My priorities of what truly mattered to me were crystalized
  2. I became hyper-conscious of time

One way (of many) to describe how I look back at 2013…

…I feel like maybe a boxer might when they get hit really hard. I know I kept fighting. My vision was blurred. My hearing was muffled and my ears ringing. I don’t full remember all the details, but over time they slowly came back to me.

It turns out, I was actually doing a lot of great things. I hope to catch up on some of it here in the near future.

I was more raw and candid, but also more vulnerable – and in that vulnerability, I was able to make deeper and more authentic connections with people.

In fact, I came out a lot stronger and clarified – and accomplished quite a bit (both individually and with others).

My “year of 1sts” is now behind me. While I’ll never be fully “over it”, I believe I’ve crossed a major time/space/emotional boundary.

I’m back, so to speak. I hope to start blogging here more frequently.

Q: Are you going to RSA?

A: Of course. RSA is mandatory punishment for people like me.

Like I said just before RSA USA 2012, each year at RSA I want to quit security.

At the end of the day, like with most things…

…it is what you make of it. Make it matter this year. Demand better. I will be.

My suggestions on are worth re-reading :

  • People Value
  • Non-RSA Venue
  • The Bizarre Bazaar of the Exhibit Floor

Anticipated Buzz-Words:

Remember: Just because a buzzword is abused and/or nausiating, doesn’t mean all uses or the ideas/facts behind them are nonsense. The trick is to ask people to define their use, defend their use, and provide specifics.

  • Big Data: This will be the least clear and most abused. It isn’t just having a hadoop cluster or *B or *flops of useless data.
  • Actionable Intelligence: Done right, this is becoming table stakes. Done wrong, this is a marketing retread. Ask for specifics. Most are offering a data feed. Good programs are combining and enriching from OSINT, HUMINT, SIGINT, pay-for feeds of various types, information sharing communities/pilots. This topic is worth sifting out Signal from Noise.
  • Offensive Security: For some, the term itself is “offensive”. This often is heard as “Hack Back”. Which is for most, a really, really bad idea. Aside from the legal or attribution debates… if you can’t consistently change default passwds or basic access control, why do you think you’ll win an escalating fisticuffs with your attacker? My Wed 1pm panel (END-W25) will try to clarify this.
  • Active DefenseThis is a less offensive spin on “Offense”, but definitions vary tremendously. It often means beginning to use deception, deterrence, increased work effort/work factor, increasing the entropy of the attack/er, etc. Again, my Wed 1pm panel (END-W25) will try to clarify this.
  • APT or APT1: Yes folks. The Kitten-Killing, Thought-Terminating Cliche’ is back. Given the one two punch of the Executive Order and the hotly debated APT1 materials put out by Mandiant; China, China, China will be discussed. Not all espionage is out of China. Lots is. Get past the groaning and try to get to substance.
  • Adversary: This is a good one I am pleased to see entering the lexicon. While many “thought leaders” dogmatically fight the inclusion of adversary analysis, they are wrong 😉 . The programs that are modernizing are trying to weave in the chaining of Adversaries -> Motivation Structures -> Preferred Assets Types -> Their Common/Range of TTPs (Tactics, Techniques & Procedures). Much like this artifact from our Adversary talk from RSA last year (slideshare here).


My Speaking Slots:

Monday, February 25, 3:30 PM – RSA USA – Innovators Sandbox – Room 134 – Facilitator

ISB-001 – Do You Know Your Enemy Enemies?: WHO & WHY do matter…

Much of RSA Conference will focus on WHAT & HOW; at Innovation Sandbox we will focus on WHO & WHY. From script kiddies to nation states (or chaotic actor/hacktivists to citizen soldier militias)… gone are the days where our adversaries are only financially driven. We now face a pantheon of adversaries – each with varying motivational structures, preferred asset type(s), capabilities and levels of skill/determination. This facilitated white boarding session will discuss the characteristics of modern adversaries and hopefully raise questions (and answers) on their implications to our risk management priorities.

This White Boarding session should be both fun and challenging – given the innovative crowd.

Monday, February 25, 4:00 – 5:30 PM — BsidesSF at DNA Lounge 

Closing Keynote: Joshua Corman

DNA Lounge is at 375 Eleventh Street San Francisco, CA 94103
I will be “taking the gloves off” in this audience of fellow digerati. We are not getting better (enough), fast enough. We are part of the problem. We need to level-up and we need to entertain some uncomfortable ideas. The pot will be stirred. If there is anything you’ve wished you could say to them, you have a few more days to load me up…It will be followed immediately by: “We Quit” – A Roast of the Infosec Business hosted by Jack Daniel, JadedSecurity, and Javvad Malik.

Tuesday, February 26, 3:50 – 4:50 PM – RSA USA – Room 132 – Panelist

ASEC-T19 – Making Rugged DevOps and Infosec Work

Because of widespread cloud adoption and the DevOps movement, information security has never been at more risk of being completely marginalized by development and the business. This panel will discuss how information security can integrate into these value streams, where agile businesses routinely conjure thousands of compute instances doing over 1000 deploys per day.

Dwayne Melancon will moderate myself and fellow Rugged DevOps trailblazers: Gene Kim, David Mortman, and Nick Galbreath.

Wednesday, February 27, 1:00 – 2:00 PM – RSA USA – Room 309 – Moderator

END-W25 – Offensive Security: Hope or Hype?

With the threat environment dramatically changing, there is a new consensus that it is almost impossible to keep targeted attackers out of any large-scale network. This panel will discuss new thinking around “Active Defense,” or what some would term “Offensive Activities.” We will explore the pros/cons of enacting an offensive security position in defending a company’s networks.

This one is going to be feisty. Born out of some hot offline debates, this clash of the titans needed to happen. I will have my hands full moderating, but I am up for the challenge – and for challenging them. Come watch George Kurtz (CEO of CrowdStrike), Chris Hoff (Juniper), Adam O’Donnell (Sourcefire) and Andrew Woods (Stanford) duke it out. Got anything you want asked?

Thursday, February 28, 8:00 – 9:00 AM – RSA USA – Room 135 – Panelist

HT-R31 – Mayans, Mayhem and Malware

This panel focuses on the persistent gaps and perennial conditions confronting organizations today, notably in areas of compliance and governance related to threat mitigation, education and awareness. Also, we examine the resurgence of advanced, malicious code & content intelligent enough to obfuscate, assess, re-assess and execute against a programmatic strategy.

Will Gragido, Brian Honan and I tried this at RSA Europe and it was surprisingly good – realistic and griity and honest… This time we’re adding two other dynamic characters.

Friday, March 01, 9:00 – 10:00 AM – RSA USA – Room 133 – Co-Presenter

GRC-F41 – Control Quotient: Adaptive Strategies for Gracefully Losing Control

Cloud, virtualization, mobility and consumerization have greatly changed how IT assets are owned and operated. Rather than focusing on loss of security control, the path forward is cultural change that finds serenity and harnesses the control we’ve kept. The Control Quotient is a model based on control and trust, allowing proper application of security controls, even in challenging environments.

I’m teaming up again with David Etue and we’ve been maturing this idea/approach over several years. A lot of my best concepts/models are born near the end of final content creation. This happened again this year with this talk. One of our new models has been sanity checked with a few of you and we’re excited that it will pack a real punch.

I regret this is so early on the last day but this is not one to miss.

The 6 minute RSA Podcast pre-interview of our talk is posted here.

The security challenges have REALLY stepped it up… it’s time we do.

This is not a book review.

This is a fork in the road for every IT security professional – and the clock is ticking:

We can make excuses; or we can make changes.

Security is hard – increasingly so. At times it feels as if we’re pre-ordained to failure. In our bones we know it doesn’t have to be this way. Yet year after year, we remain marginalized and at odds with the business. Thus far, we’ve struggled to find anything resembling a game changer.

Here is your game changer:

The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win


While we hate to admit it, we know our security “Best practices” aren’t – that “Good enough” isn’t.  Our dependence on IT is growing faster than our ability to secure it. Moreover, the consequences of our failures have grown more severe.

There has to be a better way. For those of you who know me, I am convinced our current approaches cannot scale and have dedicated myself to help get the security community un-stuck – to reframe the issues – to experiment – to find a better way.

In 2007, a mentor told me if I truly want to transform the way security is done, I must read The Goal. What the HECK could a novel about the failing US manufacturing industry have to do with security?! But Eli Goldratt’s Theory of Constraints and continuous process improvement fundamentally transformed and rescued manufacturing, as we know it.

As “The Goal’s” spiritual successor for IT, Gene’s “Phoenix Project” outlines our fundamental transformation. This sorely needed narrative meets us in our compliance-distracted, security-debt-saddled despair but credibly paints our journey of redemption through the “3 ways” – grounded in fact and real world successes.

While we focus upon (and wallow in) failure, Gene has been seeking and studying achievement. While we remain isolated within the security echo chamber, Gene has studied high performers outside of it. Gene’s seminal research in Visible Ops on high performers in IT was just the beginning. For the last few years, Gene has been a force of nature within the DevOps revolution. It has been my honor and privilege to collaborate with him.

Gene Kim is our quintessential boundary spanner. His novel puts our security struggle into the broader context of the conflict between IT and the Business. It is cathartic and uncomfortable, but also instructive and inspiring. IT is undergoing a transformation with DevOps; where Development and Operations have figured out how to work together in ways that not only eliminate conflict, but allow organizations to drive value and do things they didn’t think possible. It is their philosophy and attitude that are most essential and can serve as a blueprint for any of us – in any type or size of organization.

This IT revolution is the moment security has been waiting for; the likes of which we may not see again for 30 years. We have a singular opportunity to change with it. What’s more, the DevOps pioneers are embracing Rugged DevOps with open arms. Are we ready to evolve and be embraced? If not now, when? If not us, who? This revolution has started without us, but it is not too late. We can break out of this death spiral.

To this end, Gene has made the first half of the book free for security professionals to read and share.
Download link HERE.

Read this book, now. Give it to your boss, your CIO, your CEO, and your peers.
Don’t be surprised if you can’t put it down. You will not look at your role the same way again.

There is a better way. Join the tribe.


Joshua Corman


DEF CON 19 Whoever Fights Monsters Q&A

DEF CON 19 Whoever Fights Monsters Q&A [No. Josh is not a member of Anonymous]

Will you be headed out to Vegas for this year’s MegaHackerWeek ? If so, I’d love to meet you.

I know some people get fatigued with the scene and some of these conferences, but I personally find the week incredibly valuable. Like with most things, you get out what you put in. Much like the RSA Conference does for the corporate/commercial side of the industry, this week in the desert is the heartbeat of the research and hacker community for the year.

While our challenges in security are tremendous, the intellectual potential in the hallways and bars of Vegas is humbling and inspiring. I look at this week as an asymmetric window of opportunity to:

    • determine the thrust and Zeitgeist of our demographic (in the now)
    • help to frame and set the tone for the next 12 months
    • challenge my various colleagues and teammates (and myself) out of respective ruts and comfort zones
    • meet new people and get to know people better in meat space
    • find new collaborators
    • stimulate new research topics and insights
    • eat bacon wrapped, almond stuffed dates (#BWASD) with red wine reduction and bleu cheese crumble
Bacon-Wrapped, Almond Stuffed Dates with Red Wine Reduction and Bleu Cheese Crumble

Bacon-Wrapped, Almond Stuffed Dates with Red Wine Reduction and Bleu Cheese Crumble

Highlights of Last Year

Here are a few of the things I fondly remember from last year:


At #BsidesLV in 2011, a few of us launched the beginning of acknowledging and studying the levels of fatigue and burnout in our industry and demographic. The room was honest and cathartic and intense. Seeing we had clearly struck a nerve, we later invested in the formal Maslach Burnout Inventory and presented more data at the RSA 2012 conference this spring. While there is much more to do, we’ve brought some of the challenges and support gaps to the surface and have started something needed. You can follow @SecBurnOut on twitter and the expanded IT Burnout Project. Many thanks to Jack Daniel, Dr. Stacy Thayer, KC Yerrid, Martin McKeay, and Gal Shpantzer who helped to kick-start the initiative.

Confronting Anonymous:

At DEF CON 19, we braved our “Whoever Fights Monsters” panel where we tackled the rise of Anonymous in a substantive way – perhaps for the first time. After Aaron Barr was legal-threatened off the panel and another quit fearing retaliation, we pulled together:

    • Joshua Corman (@joshcorman) <- me
    • Brian Martin / Jericho (@attritionorg)
    • “Baron von Arrrr” / Scot Terban (@krypt3ia)
    • Paul Roberts (@paulfroberts) <- As Moderator

The video of our panel and the more intense and meaningful audio of our Q&A room are both posted in the conclusion of our Building a Better Anonymous Series – which Jericho and I researched and wrote over this past year. The exchanges were so intense – and the press/industry/community knowledge was so poor – that we felt we had to drive this dialectic forward.

Winning Hacker Pyramid:

Somehow I went from watching 10,000 cent Hacker Pyramid to joining Dan Kaminsky in defending the crown. While Rogue Clown and Jayson Street were impressive and fought admirably in the final round, Dan and I squeaked out the win. This year, they are “in it to win it” and all manner of smack talk has already begun.

DEFCON19_HackerPyramid_WINNERS via CoolAcid

DEFCON19 HackerPyramid WINNERS via CoolAcid

HDMoore’s Law:

While technically born during Metricon 6 in San Francisco the Tuesday after DEF CON 19… a concept like HDMoore’s Law can really only be born after spending a week in Vegas, surrounded by brilliant hackers and pentesters, getting the bartender at the 303 party to pour HD Moore some stiffer cocktails while listening to nerdcore and then turning your brain inside out with a bunch of statisticians and risk professionals at a Metrics conference. While my brain felt as if it had been through an unnatural act, HDMoore’s Law turns out to have been a pretty useful concept – and many a practitioner is putting it into action in their environments.

Casual Attacker power grows at the rate of Metasploit

My Speaking Slots:

Tuesday, July 24 – 4:00 PM – Black Hat Executive Briefings (Caesars Palace)

Closing Panel – Analytical Response and Discussion

    • Joshua Corman
    • Rob Joyce
    • Rich Mogull
    • Kevin Overcash

After a full day of CISO briefings and discussions on this year’s Black Hat presentation themes, we’ll provide some broader context,  framing and friendly debate – to help enhance the CISOs’ experiences through out the rest of the week.

Tuesday, July 24 – 6:00 PM – CodenomiCON 2012 (Bellagio)

Unconventional Adversaries vs Conventional Wisdom

I’ll give give a short but hitting look at how two adversary classes have shattered a lot of security “conventional wisdom”.

Wednesday and Thursday, July 25 & 26 – #BSidesLV (The Artisan)

Interviews and Honey Badgers

Martin McKeay and I will be interviewing speakers and attendees on and off for most of the two days. I’ll also be giving away Honey Badger T-Shirts. There are far too few of you wearing Honey Badger T-Shirts. Find me or Martin.

Friday, July 27 – 8:00 PM (pretty sure) – Track 3 – DEFCON 20 (Rio)

25,000 cent Hacker Pyramid

Dan Kaminsky and I will attempt to retain the title.

Saturday, July 28 – 10:00 AM – Track 2 – DEFCON 20 (Rio)

World War 3.0 – Chaos, Control & The Battle for the Net

    • Michael J Gross – Moderator and author of World War 3.0 piece in Vanity Fair May 2012
    • Jeff Moss (The Dark Tangent)
    • Joshua Corman
    • Dan Kaminsky
    • Rod Beckstrom (playing the part of Vint Cerf)

This panel (FULL ABSTRACT) will build upon the Vanity Fair piece profiling these panelists and the escalating tension/conflict between forces of chaos and control – threatening a free and open internet. The December meetings of the ITU will likely bring these issues to a head. What role will the DEF CON community play in the coming months as this story and the fallout unfold?

Saturday, July 28 – 9:00 PM – Track 2 – DEFCON 20 (Rio)

FILM SCREENING and Q&A: We Are Legion by Brian Knappenberger

We’ll screen Brian’s documentary on Anonymous. I’ve seen an early cut and it was excellent. The film features several DEF CON speakers who will also do a Q&A after the film: Richard Theime, Chris Wysopal (WeldPond), Jericho, myself, Biella Coleman and loads of Anonymous members. Here is the Trailer.


Be sure to:

    • hydrate
    • pace yourself
    • hydrate
    • meet NEW people
    • hydrate
    • see NEW speakers
    • hydrate
    • be diligent about “how you can I bring this back with me and apply it?”

Hope to see you in Vegas!

Read the rest of this entry »

g0n3 ph1sh1ng

g0n3 ph1sh1ng

Gone Phishing…

It’s summer time here in the northern hemisphere. A friend is about to go on a camping and fishing trip and it got me a bit nostalgic about my youth. Below is a “starter list” of tweet-able phrases that came to mind.

Please add your own.


Remember when fishing was done with a rod & reel – finding quiet time in nature?


Remember when tweet was what the birds did in the trees along the water?


Remember when logs were for burning in the campfire?
Remember when flame was what you stared into for hours, like your ancestors did, contemplating the universe while you absorb its warmth and light?
Remember when flicker was what the flames did?


Remember when SPAM was a salty (but tasty), meaty, campfire treat?


Remember when Four Square was a game you played with chalk and other children on the pavement?


Remember when friends… were? when they were people you spent time with, who knew you better than you knew yourself?


Remember when clouds were what you’d assign animal shapes to – while you laid on a grassy hill – emptying your mind on an idle afternoon?


Remember when apt meant “quick at learning”? like apt at learning to whittle wood – or build a fire – or tie a lure?


Remember when anonymous simply meant “unnamed author” of the quote of wisdom or poem carved into the picnic table top?
Please take the time to get outside with loved ones once in a while.
Life is pretty short.
Be nostalgic.
Sometimes simpler is better.
[add your own in the comments and/or on twitter w/ HashTag #g0n3ph1sh1ng ]
Artwork by Anonymous Media

Artwork by Anonymous Media

Part 7: Abstract Ideas

By Josh Corman & Brian Martin


If you are new to this series, please begin with Part 0 and the index.

NOTE: We will post each installment here for the security industry to garner feedback for about one week prior to posting to and a more mainstream and business readership. Please comment toward improving/clarifying the content.

In the first six articles, we have focused on objective observations and the concrete actions of Anonymous. In doing so, we hope to provide a better understanding of the group in order to help people make more rational decisions. However, the group’s more abstract ideas are important as well. Some of these considerations apply to Anonymous today, while some may apply to the Anonymous of tomorrow.

The authors of this article series have reached their opinions after lengthy discussion and debate. The thoughts presented in this article are our observations. We will be asking a lot of questions so that readers may reach their own conclusions.

How Will History Remember Anonymous?

They say “history is written by the victors” and “one man’s terrorist is another man’s freedom fighter”. So the big question is, how will Anonymous be remembered – and how will the story unfold?

In thousands of years, we as a society have not readily agreed on many aspects of history. When a decisive work is written, it is only a matter of time before new evidence or perspectives surfaces, challenging the history that we ‘knew’. History being written by the victors is a form of revisionist history that is often subtle, and sometimes nefarious. In some cases, the actual events are not really disputed, but their interpretation certainly is. For example, do we celebrate Anonymous’ questionable means like we do the Boston Tea Party? That night saw a mob of criminals trespass and destroy property to protest a wide variety of political issues. What if the group of men that boarded the ships in Griffin’s Wharf were wearing Guy Fawkes masks instead of Mohawk Indian disguises?

In contrast, will Anonymous be a present day Black Hand moment? While few people today remember why the Black Hand was formed, what we do know is that their assassination of Archduke Franz Ferdinand was the spark that lit the world on fire – beginning World War I. As one author’s High School Western Civilization teacher put it. “Any spark could have ignited this fire. All of the kindling and tension and instability and entanglement of alliances upon alliances… any spark would do.” And many feel such tension today; with such global economic instability, distrust in government, distrust in corporations, joblessness, disenfranchisement, and entanglement. Is the kindling and kerosene similarly primed for a spark to escalate in undesired ways? Are participants in Anonymous sure they will come out the revolutionaries versus the villains of history?

Black Hand

Emergent Property (Cause vs Effect)

When we set out to research this series, we knew that Anonymous was a phenomenon that commanded attention and required better analysis and consideration than we had seen. At the time, our focus was to understand what it was and wasn’t, and where it was going. Over time, it has become clearer, that something like Anonymous was inevitable. When asked to explain where Anonymous came from in a single sentence, one author replied:

Anonymous is an emergent property of, and a malformed response to, the current state of society and global hyper-connectivity.

Maybe not a “malformed response”, but an as-of-yet sub-optimal and forming response. As an aside, we’re curious what you would say as a one-liner (using the comments below).

While this series has focused on what has emerged, it is equally (if not more) important to understand the drivers that gave rise to this emergence. Those same drivers and forces will continue to fuel and shape the evolutions and permutations of Anonymous – and subsequent groups. This is perhaps why we see Anonymous less as the final product of technology and society, but rather as a canary in the coal mine – or as a harbinger of what is to come next. Either way, Anonymous is very likely the natural extension of evolution by the Internet and its denizens.

Despite having extensive experience with hacker culture and its history, neither of the authors have credentials in disciplines such as Psychology, Sociology, Anthropology, Behavioral Economics, Complex Systems Theory, or even Social Media (if it exists). We believe it would be very useful to assemble such a cross-disciplinary brain-trust to better understand these root causes and drivers – lest we wish to remain passive and reactive to them.

Paging Doctor Freud: The Id Unleashed

To date, pop-psychologist onlookers could characterize the bevy of Anonymous Operations as “the Id unleashed”. In the case of Anonymous, social media technology has been a force multiplier of their Id and angst. Individuals have been catalyzed to action, but without much of a common plan. In retrospect, this series was an attempt to highlight opportunities to progress Anonymous from Id to Ego to Super Ego more quickly – thus helping all affected parties.



Angst is Legion

To say many in Anonymous are stuck at the Id level presupposes one knows what they want, but that may not even be the case. Sure, there are pockets of themes, but very few are universally held within Anonymous. One of many intrinsic traits throughout Anonymous is angst.

Angst: a feeling of deep anxiety or dread, typically an unfocused one about the human condition or the state of the world in general — Oxford Dictionary

Note we did not assert that angst is unmerited. On the contrary, there are so many things that could cause angst that one cannot assume common root causes with their ad hoc peers – nor shared belief as to what to do about it. While cathartic, being angsty together doesn’t actually make it better – nor is it certain that you all share the same reasons for it. Stronger and more lasting bonds require greater cohesion than this superficial bond.

Groups require some basis of cohesion – some “glue” to bind them – some common ground. In lieu of a clear unifying objective, or explicit ideology, the clearest basis of common ground (aside from the obvious, ambiguous Rorschach-prone iconography) is that of shared, but unspecific anxiety and anger.

Valuable Ambiguity (Or is it?)

We’ve confronted this willful, prolonged ambiguity many times – in this series, at conferences, and in conversations with Anons. We were especially surprised to see some of Anonymous’ active resistance to define anything (as we suggest in Part 5) – even in the face of all the inherent limitations and challenges of keeping things ambiguous (as we outlined in Part 4). This willful ambiguity highlights that it is perceived to be valuable – perhaps even foundational. What is less clear is if the perceived benefits of ambiguity outweigh the actual costs or downsides of it.

Some have expressed that by keeping things undefined, they can attract greater numbers (Quantity vs Quality). Others want the freedom to keep it redefinable and malleable over time, for different groups to use the brand in the future. Some articulate good reasons for keeping it – others sound like they are making excuses. We’ve all worked with people who say “I’m flexible” when the realistic translation is “I have no plan and am too lazy / noncommittal to make one and I will probably end up messing up your plans later when I prove to be the opposite of flexible.” One of the most self-aware reasons we were given came from one of the more seasoned Anons: “We avoid stating our beliefs because we know we don’t agree – and it might cause us to ‘break up’.”

Irreconcilable Differences

Denial or avoidance of the ideological schisms within Anonymous does not make them go away. It may have once been tactically valuable to keep things undefined, but this does not hold long term. Some of the schisms are merely differences in style. Other schisms are substantive – even incompatible and irreconcilable. As we watched the pre-screening of We Are Legion, it was clear that some early rifts formed between those who wanted “lulz” and those who wanted a more moral calling. Later, several expressed their disdain for DDoS – believing that you can’t be anti-censorship and then censor others. In contrast, others in the film see DDoS as the foundation of internet-age free speech and protest.

This is one reason that the authors believe there will be several splinters that emerge out of the common pool – potentially defined by mission focus, but also by the revelations and recognitions of some of these incompatible differences. Substantive schisms are increasingly manifesting as participants begin to answer for themselves “What do I want?”

To Repair or to Destroy. (What Does Anonymous Want?)

It is unclear if Anonymous wants to destroy the system – or simply destroy the bad parts and fix them. The answer is probably “both”. We’ve even heard such from long standing members; “It depends on the day – and my mood”. While we can’t be certain, we suspect that post-arrest, Anons will hope to rely upon their innocence until proven guilty, a trial by their peers, their rights and due process. From feedback and interaction, we do know that some want to improve the corrupt parts and abuses of an otherwise useful system. We also know that some within are more aggressively nihilistic and/or anarchistic, and would like the entire system (good and bad) burned down.

In the near term, individual actions of the destroyer and the reformer may be compatible, but they are ultimately not aligned. A little bit of chaos can be a beautiful thing; a healthy thing. It can keep a system honest, living, and vibrant. Too much can destroy in moments what took centuries of blood and sacrifice to secure. With no easy way to ask the populous of Anonymous how they divide in objectives or ideology, how can those who want to improve the system know when they are assisting more destructive, undesirable, or nefarious elements? When would they know if they were truly serving someone else’s agenda?

Puppet-Masters and/or Old Power

At this point, many older, manipulative power brokers have recognized the opportunity that is represented by a nameless, faceless, asymmetric force such as Anonymous. This includes nation states, criminals and cartels, profiteers, intelligence groups, corporations, and longstanding political movements; many with deep pockets. This is not their first rodeo. They have hijacked (and will increasingly hijack) the brand and its participants. This is what they do. A few Anons have spotted this, and are overwhelmed and/or disheartened. Others may find themselves unwitting pawns of unnamed interests, many with very different ends in mind than their own.

Sound & Fury (and Fatigue)

Yesterday, June 25th, marked one year since the “retirement” of LulzSec and the end of the Summer of Lulz. Despite the sound and fury of countless attacks, many question the impact. Among those asking are strident and committed members of Anonymous who have grown frustrated and tired. Today one member volunteered this take on what others in the group are doing to undermine more measured efforts and time commitments:

“A bunch of fringe activists and nutters who rant about radical ideologies and conspiracies and do their best to create masses of fear instead of fostering unity and energy to cause movement.”

We’ve heard much of the same from others who have begun to focus on more specific and lasting change and impact.


Traditionally, a group of people, be it activists or a knitting circle, has a clear line defining involvement. You are part of the group, or not, and there is no question about it. That simply doesn’t hold true with Anonymous. As we have discussed, there is no roster or membership guidelines. In addition, we have seen a wide variety of external influences on the group that forces us to reconsider what “involvement” means. This in turn leads us to consider a broad array of concepts about the group, the direction they are heading, and how they move forward.

Law enforcement (LE) is involved to varying degrees. As with any criminal group that comes under LE scrutiny, the investigation and pursuit influences the group. It causes them to change their tactics, take extra precautions, and may dictate what activities they carry out. If LE manages to turn a group member into a confidential informant, or places their own undercover agent in the group, LE has direct influence over how the group behaves, regardless of how passive they attempt to be. In the same vein, private intelligence firms that see opportunity in the actions of Anonymous (e.g., HBGary Federal) have a strong potential to influence the group in a variety of ways, both positive and negative. Even computer security firms that offer their opinions on Anonymous can influence the group.

The last element, and perhaps the most important in considering this idea, is the involvement of the average citizen. Increasingly, civilians are getting pulled into the group’s activities, like it or not. Operation BART, where Anonymous called for protests at BART train stations and ultimately leaked over 2,000 records of employees and customers, is one of many examples. In some cases, civilians were impacted trying to use the trains, while others had their private information posted to the Internet. Anonymous’ activity related to Occupy Wall Street, the war on Scientology, and dozens of other actions involve people from all walks of life (i.e. “collateral damage”). While civilians are not directly influencing Anonymous right now, we have previously argued that they should.

Everyone is involved, like it or not.


The idea of social manipulation is old. It is deeply ingrained in many cultures, in a wide variety of ways. For example, the last fifty years of American advertising have been dominated by psychology since John B. Watson joined J. Walter Thompson. Watson changed the field of advertising by making it more effective through appeal to three basic emotional response: love, fear, and rage. Jump to the last ten years; advertising and marketing is a science where unsuspecting consumers are psychologically manipulated through sound and images. We go through life seeing hundreds of advertisements a day, and we have absolutely no idea how we’re being influenced, directly or subliminally.

This leads us to the issue of influence and certainty in the context of a group like Anonymous. With everyone being involved in some form or another, each of us should question that involvement. Are we being manipulated? Are we being used? Do we really understand our own involvement in the saga of Anonymous? It is easy to dismiss these questions as absurd or far-reaching, but that dismissal is born out of a head-in-the-sand syndrome. Backing up a few steps to look at the bigger picture, can you even say with certainty who is really part of Anonymous, and who isn’t? The name has been co-opted by fringe elements, wannabes, computer criminals, law enforcement, and more. With such a nebulous metagroup to begin with, how are all of these other actors involved in the group make up?

If the group is truly made up of any person that has influence, or been influenced by, does it re-define the idea of the word “group” in this context? In Anonymous: Fact vs. Fiction, we previously mentioned the daunting threat of a modern day witch-hunt based on McCarthyism. If the definition of group is stretched to encompass anyone influencing it, how long before we hear suspected Anonymous members in court saying:

“I am not and have never been a member of Anonymous. I do not and have not adhered to the tenets of Anonymous. I have never followed the Anonymous party line.”?

Tyranny vs Chaos (Entanglement & Escalation)

Many (including Anonymous) have framed a conflict between the forces of Chaos and Order. What few realize is the entanglement and escalation between those extremes. Take for example, this quote from Commander X:

But I will choose chaos over tyranny any day.

However, chaos and tyranny can inspire each other. Anonymous is fueled (in part) by an allergy to a surveillance state and threats to a free and open internet. The actions and demonstration of will/might/aggression of chaotic actors, motivates and provides the justification for greater security and clamp down. These reactions, frequently poorly conceived, serve to incite more chaos – and the cycle continues. As such, turning up the volume can cause the very things individuals wish to avoid.

Like a Finger Trap, the harder each side pulls, the less likely we are to find a tenable balance of “organized chaos”. This is the basis of both the Vanity Fair Article by Michael Gross entitled “World War 3.0” and a DefCon 20 panel on the subject which aims to tackle how December’s ITU meeting in Dubai may threaten a internet freedom.

World War 3.0: Control vs Chaos (Source: Vanity Fair - May 2012 Issue)

World War 3.0: Control vs Chaos (Source: Vanity Fair – May 2012 Issue)

Endgame Ethics vs Hypocrisy

In thousands of years, we as a society have not readily agreed on whether the ends justify the means. The questions become; will we ever? Does it matter? Or is this something we must resolve on a case by case basis, because the ends can justify the means? If the end is something we agree on, do we ignore the means and hope to enjoy the revisionist history?

This dilemma has been debated endlessly, and likely will outlast us all. Whether or not you agree with Anonymous’ perception of the ‘bad’ that they fight, one cannot really argue that every member believes in their individual cause and are fighting for it. On one hand, they attempt to do good by fighting perceived tyrants and injustice. On the other hand, they frequently break laws or harm innocents in the process. This juxtaposition is a central theme in most of the activity carried out by Anonymous. Remember, for many, the cause may be as simple as “for the lulz” or their right to troll. Meanwhile, it is often trivial to argue that their own actions in the fight are also ‘bad’. How do we resolve this?

Perhaps the notion of “an eye for an eye makes the world go blind” is better said as “an eye for an eye makes the world pay mind”. Do all Anons feel the same way?

Hymenoptera Christian Pirates (Why Analogies Fail)

A running theme in describing Anonymous is the caveats when using the word ‘group’. One of the better comparisons was made by Patrick Gray who said Anonymous was like 17th century piracy; “They sailed the high seas and pillaged. They had a common flag. But they WERE NOT A GROUP.” This analogy goes a long ways, but eventually doesn’t hold up. Earlier this year, we compared Anonymous to Christianity, citing there are the truly good and giving members of the religion, as well as the less than desirable Westboro Baptists, all of whom share the same basic beliefs. If we leave the analogy that simple, it works. While Anonymous may be completely different than any other concept or group, it helps society to relate to them if they can be put in a context that is already understood to some degree. We offer a new analogy, that may help understand how a ‘leaderless’ group can operate, and promptly show how it too doesn’t hold up.

Consider Anonymous more like the Hymenoptera order of insects, which encompasses bees and ants. Per Wikipedia, ant colonies are “sometimes described as superorganisms because the ants appear to operate as a unified entity, collectively working together to support the colony.” This is done without every ant receiving instructions from a central leader. Similarly, in a colony of bees, when a queen dies, she is replaced by a new queen. The new queen, one of many who could fill the role, steps in out of necessity rather than any desire. In theory, this is how Anonymous is “supposed” to work, according to some members. The real goal, hypothetically, is that while there is a leader, occasional leader, or group of leaders, they are simply no more relevant than any other member of the group. Their role can be filled by any member who wishes to step up. More importantly, the leader does not need to be distinct in name, and their identity is irrelevant. The Hymenoptera analogy sounds good on the surface, but gets shot down when you substitute Sabu, AnonyOps, or Topiary into the analogy. Polarizing and strong-willed leaders don’t just run the hive, they change the entire tone and behavior of the colony.

As a society, we must quickly move away from this old defective crutch, and stop using analogies that do not hold up to some level of scrutiny. While they may be convenient in a one minute conversation or a high-level news article intended to quickly describe a group to people unfamiliar with a topic, ultimately they cause problems and bias rather than help someone truly understand.

What If?

The core of this article series focuses on “Building a Better Anonymous”. Over the coming years, what if Anonymous adopted our ideas and worked to improve the group in the ways we outline? If Anonymous became an activist group that achieved all of their goals while staying within the established (and reasonable) laws, would we as a society embrace them? In the spirit of a “better” Anonymous, it is conceivable that in time the group could shed many of the negative emotions and actions associated with it. A more positive Anonymous that affects change primarily through legal means, and only turns to breaking the law as an absolute last resort, would be interesting. With positive change, while pushing for people to get involved in bettering aspects of corporate and government control, what is next?

Anonymous, the political party. You may quickly dismiss this as absurd, but it is no more unlikely than a group of people who pirate software, movies, and music becoming a legitimate political party. Consider the Pirate Party in Sweden. Members of Piratbyrån had previously founded the BitTorrent tracker, “The Pirate Bay”, arguably the longest running and most resilient file sharing site in 2003. In 2006, the Swedish Piratpartiet became the first legitimate pirate party. From “illegal” file sharing to political party in three short years. Now, the Pirate Party has moved to the U.S. in the form of JP Hollembaek, running for Massachusetts state representative slot. With that in mind, consider it again; Anonymous 2016.


It is our hope that this article demonstrates the wide range of issues that surround Anonymous; both as the group is today, and what they may become tomorrow. Entire books can be written on the subject of Anonymous, and some already have been (and debated). If Anonymous is the tip of the hacktivist group iceberg, then it is important that we begin to think about and prepare for what comes next.

Copyright 2012 by Josh Corman and Brian Martin. Permission is granted to quote, reprint or redistribute provided the text is not altered, appropriate credit is given and a link to the original copy is included. Custom graphic courtesy of Mar –

Should you feel generous, please donate a couple of bucks on our behalf to any 501(c)(3) non-profit that benefits animals or computer security.

Guy Fawkes Joker (Artwork by Mar -

Guy Fawkes Joker (Artwork by Mar –

Guy Fawkes Batman (Artwork by Mar -

Guy Fawkes Batman (Artwork by Mar –

Building a Better Anonymous – Details

By Josh Corman & Brian Martin


If you are new to this series, please begin with Part 0 and the index.

NOTE: We will post each installment here for the security industry to garner feedback for about one week prior to posting to and a more mainstream and business readership. Please comment toward improving/clarifying the content.

Building Upon the Foundation

Previously, we outlined a method for creating a new foundation for Anonymous or similar groups. The proposed foundation is based on defining explicit goals, a code of conduct, and streamlining the process. Here we further flesh out “streamlining”. A key element to “building a better” Anonymous is that of a defined path of conflict escalation. Until Anonymous, or any other activist group, adopts that principle we’re stuck with a relatively chaotic group of actors that frequently negatively impact government, business, and society – often without even meeting their own goals. In this article, we will focus on a few of the group’s key areas for improvement, and detail why it is critical for them to change. As with many causes, it is inevitable that perceived unjust laws will eventually be broken to achieve a stated goal – a matter of ‘when’, not ‘if. A better and more impactful group would see this as a last resort – and then only when justified by its just first principles.

As it stands, the group Anonymous has demonstrated they are a force to be reckoned with, or least respected. Whether that respect is based on fear or admiration simply doesn’t matter right now, although respect should ultimately be earned. It is also clear that, for better or worse, the group is not going to disappear any time soon. While law enforcement and corporations struggle to come up with plans for dealing with them, Anonymous will continue on, evolving as needed.

One thing society cannot do is ignore the group. Ignoring their activity, even in mainstream or social media coverage, will not make them go away. Insulting or dismissing the group will only provoke some of them. Thus, the logical route is to not only talk about the group, but to do so in a constructive manner. This may be counterintuitive to some professionals, especially ones that maintain any positive attention is a “BAD THING®©™”. That thinking is archaic and dangerous.

Having discussions about making a perceived adversary better or more difficult to deal with may initially seem unreasonable. In reality, those discussions are equally beneficial to the persons that must deal with the adversary. Anticipatory and proactive thinking leads to creating defenses and solutions before problems become unmanageable. In this case, a discussion on improving Anonymous not only helps to prepare, but hopefully serves to influence Anonymous members to achieve their goals in a manner that creates less collateral damage. That is a win for all sides of the equation.

For Anonymous, this article should appeal to their rational self-interests. Improving their methodology and philosophy will help them improve their batting average, so to speak. Rather than ‘striking out’ so often in the eyes of the public, more operations and activities will appeal to more people and have more lasting effect. Operations that can be accomplished without breaking the law and/or with minimal collateral damage will help deflect/reduce law enforcement attention. Further, an improved group will help to quell infighting and potentially increase the quantity and quality of the recruiting base.

Finally, if the last paragraphs did not appeal to a rational side, let us warn the rest of you. This type of thinking is not new. Anonymous, and the next group similar to them, are always thinking of ways to improve. It is human nature, and it cannot be avoided. In short, this article and the rationale behind it is a reality, you must deal with it. If you’re still not sure you want a “better” Anonymous, would you prefer a worse one?


One of the most damning weaknesses of Anonymous is the disparity between their intended targets and actual victims. When striking out at an entity that has wronged the public, it is critical that the attack affect them, and only them. This is probably the single biggest mistake Anonymous continues to make, and it increasingly hurts their cause and lessens public support each time it occurs. Rather than being supported for what they do, they are branded as criminals and terrorists, instead of the Robin Hoods many members see themselves as. Time after time, Anonymous ends up hurting the public as much or more than their intended target, when leaking user and customer data. While this shows a level of insecurity in their target, the end result is that the average citizen is hurt. For the user who just had their personal information leaked, that is what they will remember; not the purpose of the ‘Op’ or what the target did wrong.

Looking at recent news, the list of Anonymous activities that resulted in the disclosure of user / customer information is depressing. These include attacks against law enforcement that also disclosed citizen information in an amnesty program for outstanding municipal offense warrants, a protest against Bay Area Rapid Transport (BART) that also leaked customer data, dumping information of members, as well as posting the e-mail addresses and passwords of Writerspace members. These are not government employees, military soldiers, or law enforcement. These are regular people caught up in Anonymous’ war on anything that strikes their mood. Often times, Anonymous will compromise a site, view the data, and only afterwards come up with a justification for their actions (e.g., lead them to find information on an ‘adult staffing’ firm).

Moving forward, a better group must remove the collateral damage from their operations. If a site is compromised and (if) data must be leaked to prove a point, do it in a fashion that only hurts the intended target. For example, dump the technical information on the system and the first 50 user/customer records, but redact the information to protect them. Leak enough information for a journalist to be able to validate the operation, but not enough to make the users victim of identity theft or harassment. This will force the company or agency’s hand in improving security and force them to follow data breach laws, while still ultimately achieving your goal. Even this point assumes that such a breach is even necessary or the most impactful way to achieve your objectives.

OpSec: Social Media Cuts Both Ways

Social media is perhaps the most powerful weapon in Anonymous’ arsenal. It gives them access to millions of people for real-time updates on activity and propaganda. In some cases, social media is used to organize and coordinate operations. In almost every case, it is then used to disseminate information about the target and the reasons for the activity. Without these platforms, Anonymous would be completely at the mercy of journalists who dug for information and opted to write about them.

In the digital world, where anonymity is crucial to daily operation, social media platforms like Twitter, Facebook, or Tumblr are also a recipe for disaster. These “free” services operate because “If you are not paying for it, you’re not the customer; you’re the product being sold” (source). Aggregated data on social media users is a powerful tool in the hands of advertisers and law enforcement. For every Facebook post, for every Tweet, for every word choice or manner of typing… a better social profile can be built on those participating. These profiles are the first line of investigating who is behind an online identity. With the arrests of several alleged Anonymous members over the last year, and increasingly larger busts happening since, it is safe to say that many involved are not practicing good Operational Security (OpSec).

Good OpSec not only involves a wide variety of technical precautions like using proxies and public WiFi, but also involves being extremely careful in what details are included. Seemingly innocuous comments can quickly be turned against a person, especially when considered in the bigger picture. The time of day, mention of weather, connectivity, ISP outages, and other social remarks can be used in conjunction with image meta data, IP addresses, and software choices to narrow down suspects. Once a person is in custody, those same details can help confirm or eliminate them as a suspect. For Anonymous to keep going strong, they must better understand not only OpSec, but how law enforcement works, and what information is made available. As we recently saw, it only takes a single slip up in OpSec to lead to a bust, sometimes as innocuous as using a single image.

More important to established members maintaining their own operational security, is that they teach prospective members the same. For example, in 2010, Brian Mettenbrink was jailed for a year and ordered to pay $20,000 in compensation to the Church of Scientology for his part in Operation Chanology. Later, in the We Are Legion documentary, Mettenbrink explains how he naively downloaded a tool for denial of service attacks, put in an IP, and hit ‘attack’, as instructed by Anonymous. He was not told what the tool did, that he could be easily tracked, or that it had serious repercussions. He is one of many that some see as Anonymous’ cannon fodder. While some Anon members have tried to help newcomers (e.g., Op Newblood), it is too little and often too late.

Regardless of how good an operative is, they can still succumb to failed OpSec and other elements of social human behavior. The best operatives and groups have been busted or infiltrated, so the goal is to raise the bar for would-be adversaries. Anonymity may have benefits to those who wish to work outside of law, but/and maintaining said anonymity is hard (very hard) and comes with costs. Paying these costs is especially a shame when transgressions were either unnecessary or of lower impact than intended.

Open Model and Infiltration

The open model of Anonymous, based on loose collaboration, is a great strength. At the same time, it is also a potentially crippling weakness. Like most things, there are trade-offs. With no real bar for membership, anyone can approach the group through a variety of channels and claim to be a supporter. This creates a perfect avenue for infiltration due to the lack of vetting process. There are at least three distinct times this has been used against Anonymous, whether successful or not.

The most notable occurrence was that of Aaron Barr, ex-CEO of HBGary Federal, who told the media that he had analyzed Anonymous IRC channels along with social media to figure out some of the leaders. Barr began publicizing the information without revealing exact names, leading to an article in the Financial Times. The story of what happened after, and the downfall of Barr, has been well covered, but it reminds us that very basic infiltration led to the reconnaissance.

A second incident, not directly aimed at Anonymous but undoubtedly affecting some members, was Tom Ryan and Occupy Wall Street (OWS). Ryan joined a mail list created for the organization and coordination of OWS efforts. With that information, he received a considerable amount of details about protesters, leaders, and more. Ryan leaked those emails to blogger Andrew Breitbart, who subsequently used them in an attempt to brand OWS participants as anarchists. Email is notoriously insecure, both in transit and as a target for hackers to access. Operating a mail list where anyone can join is almost guaranteed to ensure the information is shared with others beyond the list.

The most recent incident led to suspected Anonymous members getting arrested. Police arrested 25 people across four countries in an Interpol coordinated bust of people alleged to have been involved in attacks against Colombian and Chilean web sites. Shortly after the arrests, members of Anonymous in Spain posted a blog saying that the busts were a result of being infiltrated. The blog said that due to “carelessness” and “[giving] personal details to spies and people who were not members”, the police were able to determine the identity of many members. According to Anonymous, those busted were also all members of an Anonymous site ( created for discussing activities. This does not even begin to address the threat of so-called “trusted” members, such as a de facto leader and spokesperson named Sabu, who became an FBI informant for a year after getting busted.

Contrary to the idea of Anonymous, one way to help avoid infiltration in the future is to have established and trusted relationships with other members. This should be organized in a decentralized manner where any one member does not know details beyond a few other members. All of this goes back to maintaining good OpSec in order to provide as much protection for those involved as possible. While many anons cherish the open and flat, low barrier to entry, these benefits come too with an upper bound of effectiveness and being prone to infiltration. This doesn’t even touch upon the imposters and false flags we mentioned in Part 4 – nor speak to outside players attempting to steer and manipulate the pack toward their own selfish ends.

Disinformation; Friend or Foe

The art of disinformation is versatile. It can tie into proper OpSec, in that providing intentionally misleading or incorrect information can help protect you. Peppering a Twitter feed with subtle, but purposefully crafted ‘facts’ about the poster can re-frame and begin to throw off social profilers. Co-opting unsuspecting people to wear the Guy Fawkes mask or replace their Twitter avatar with an Anonymous-themed image can add confusion by giving a wide range of additional targets your adversary must take interest in. Clever campaigns designed to give the illusion that your most outspoken critics are secret members of the group are just the start of how disinformation can become a weapon.

On the other hand, disinformation at the wrong time can completely undermine your efforts and call into question the small bits of integrity you rely on. For example, the recent publishing of over five million emails taken from Stratfor was immediately called into question when news of the Stratfor CEO resignation was quickly denied by the company. The leaked email claiming the CEO was resigning was likely disinformation, but the question is from whom? If it came from Anonymous, then they undermine their own credibility in what may be an attempt to force the CEO to resign. If it came from Stratfor, then this is a perfect example of how disinformation can be used against Anonymous.

In part 5, we discuss a new framework for Anonymous or subsequent groups. One of the core strengths of the proposed model is to help a group set forth a statement of principles, code of conduct and operational parameters. With these defined in advance, disinformation used against the group is more easily challenged and refuted. Combating False Flags may become one of the biggest issues Anonymous faces moving forward.

Ready – Fire – Aim!

The “hacktivist” phenomenon of ‘belated justification’ is not exclusive to Anonymous. For many years, a wide range of hackers have scoured the Internet looking for vulnerable systems. In many cases, they scan hundreds of thousands of systems looking for a handful of easily exploited vulnerabilities. As they find vulnerable systems, their personal agenda takes over. For some, they immediately look to see if there is a web server running in order to deface the web page. For others, they immediately look to see if there is a trove of sensitive information for personal gain or public disclosure.

Only after that do the hackers justify their actions. If it happens to be a government server, the justification of “anti-government” comes easy. In other cases, it may be a stretch, as a mom-and-pop business finds themselves victim to a “lesson in security”. These high-level explanations are examples of popular “go-to” justifications for criminal activity. Without vetted incident data it is hard to qualify how often this happens, but based on one author’s personal experience researching and communicating with hackers, this is certainly a prevalent theme over the last 12 years.

Anonymous must consider their targets, and then act. By calling out a company or government body in advance of an attack, it removes any doubt that attacks are ex post facto justified or lucky. If there is concern that such announcements may make subsequent attacks more difficult, there are a variety of methods to establish a target was called out in advance, without publication. Sending a letter to a journalist organization that does not typically cover Anonymous related news, or PGP signing a message with a shared key to establish a time/datestamp are both effective without tipping your hand. Over time, this practice has the added benefit of giving legitimacy to the group’s ability to selectively target and carry out threats of hacktivism. Such a history could conceivably be used to encourage a target organization to “change their evil ways”, in order to avoid an attack that they are sure will succeed.

“Mercy is for the Weak”

Cobra Kai - No Mercy (source mrftw photobucket)

Cobra Kai – No Mercy (source mrftw photobucket)

It is not a requirement that anonymous rules with fear and a refusal to forgive. The package deal of these choices may ultimately prove to be self-defeating. Regardless, they clearly have been using fear. Unless Anonymous is falling victim to a case of rhetoric, then those that they oppose are the enemy. As our favorite 80’s bad guy teaches us, “an enemy deserves no mercy”. Anonymous has done a decent job keeping this credo, but it bears repeating. Many will think that disclosing customer records or defacing a web page sends a clear message, or that more prolonged ops definitively state their position. True, perhaps, but preliminary evidence suggests companies quickly recover from breaches, financially speaking. Other than a short term ‘win’ in the form of a media black eye, Anonymous needs to keep the pressure on to make their point. Pressure in this case, is still adhering to our previously stated “defined path of conflict escalation”, where it does not necessarily mean illegal activity. Lasting changing is more “campaign” than “op”, more strategy than tactic, and will by necessity require the group does “fewer things, better”. Such pressure can be achieved in at least two ways.

First, a given operation against a target should not be thought of with a defined start and end. If a corporation or government agency is doing ‘wrong’, you can be assured they are doing that same ‘wrong’ for the long haul. Taking a lump along with their time in the press will pass, and many entities already rely on this fact. Instead, just as the heat seems to die down, Anonymous could hit them again, but harder and longer. Winning a war means a decisive victory in the eyes of your enemy. Your enemy must know with certainty that you will be there to punish them day in and day out. Only then, will they consider changing their ‘evil’ ways.

Second, the fear of retaliation can be a strong weapon. Anonymous already has an ample history of retaliation, such as their attacks on Interpol, defacement of the Boston Police web site, and DDoS attacks related to the MegaUpload takedown. Anonymous can benefit from a better public presence regarding this history, along with the promise that more retaliation hacks will occur if organizations do ‘wrong’. Law enforcement won’t give Anonymous a pass, but they may eventually begin to choose their takedowns carefully, and reconsider the subsequent press frenzy that follows. Corporations that are prone to support ridiculous legislation may begin to reconsider their endorsement of controversial politics. Today, some pockets within Anonymous already enjoy this reputation in some industries.

Building in Reality

Along the lines of maintaining good OpSec, Anonymous needs to tap into one of their greatest strengths; numbers. A handful of members doing the heavy lifting with thousands of glorified cheerleaders isn’t an effective use of support. Strength comes from quality; not just quantity. Tapping into the idea of Operation NewBlood (an operation designed to train new members how to better secure/anonymize their activities), educating members on how to better help achieve goals is crucial. Rather than see the large number of prospective members as cannon fodder, help turn them into members that can contribute more effectively. This is a model successfully used for decades in hacking crews – where mentoring would both teach you your skills and your code of conduct. As one example, this idea could be leveraged to use hundreds or thousands of people to do remote reconnaissance of a company in such a way that any one person is not breaking a law. Using the combined results, operations can be planned better, attacks can be more precise, and the chance of collateral damage minimized.

Along with training Anonymous members in the ideas of hacktivism, the older members must look at their organization like any other. New users unfamiliar with technology are more likely to blindly install software without considering the risk to themselves, their systems, or their fellow members. In recent months, Anonymous members have been tricked into installing trojans on more than one occasion. The lack of authoritative information sources for the groups may protect some members, but open the door for a greater number of members to be targeted. These members risk punishment from third parties or law enforcement, and ultimately will end up disillusioned with Anonymous.

Trailing Thoughts

These are just examples of issues that Anonymous will grapple with and attempt to manage over time. Looking to improve the effectiveness of any group is a good thing, but mileage will vary by group, sub-group, and operation. If done correctly, the end result will leave the group with all of its strengths, and fewer weaknesses. Most importantly, such changes will do a lot to win the hearts and minds of the public, force targets to take the group more seriously, and ultimately affect more positive change.

Your turn… What would you do to make such a future group or offshoot more effective and consequential?

Stronger? (Artwork by Mar -

Stronger? (Artwork by Mar –

Copyright 2012 by Josh Corman and Brian Martin. Permission is granted to quote, reprint or redistribute provided the text is not altered, appropriate credit is given and a link to the original copy is included. Custom graphics courtesy of Mar –

Should you feel generous, please donate a couple of bucks on our behalf to any 501(c)(3) non-profit that benefits animals or computer security.

A contemplative Anon (Artwork by Mar -

A contemplative Anon (Artwork by Mar -

Building a Better Anonymous – Philosophy

By Josh Corman & Brian Martin


If you are new to this series, please begin with Part 0 and the index.

NOTE: We will post each installment here for the security industry to garner feedback for about one week prior to posting to and a more mainstream and business readership. Please comment toward improving/clarifying the content.


Today, Anonymous is both an identity / meme and a “group” / organizational construct (albeit amorphous and decentralized). The focus below is not to enhance or augment the identity / meme, but rather the latter. Adopting such enhancements will involve trade-offs – as everything does. The authors believe many of the current Anons (or would-be-anons) yearn for a larger impact, a better batting average, and to mitigate several complications inherent in the current approach (some of which were explored in Part 4).

When we define a “better anonymous” we realize that this may apply to as few as zero of its current participants. It is entirely possible that such an instantiation could emerge in ten years or with people currently unwilling to join the existing ranks. If it helps the reader, picture this “better Anonymous” under a different name, taking place five years from now, and sharing no members with current manifestations. While we do believe these refinements and enhancements can and would be of benefit to today’s manifestation(s) of Anonymous, this is immaterial to the following points.

Since no one “owns” Anonymous, and since its ranks are so diverse in ideology and motivational structures, it is best to judge the following ideas on their own merits – rather than expressing personal preference (positive or negative) for what the increasingly ill-fitting “they” would or wouldn’t like. Some of them will agree – some will be indifferent – and some will find these concepts detestable.

For these reasons (and others), we also expect the possibility of plural groups over time – with plural charters. Put another way, this installment may be less about building a replacement for Anonymous, but rather – “building better Anonymi” – especially where ideological and topical schisms reveal themselves.

Laying a New Foundation

In Leviathan, the philosopher Thomas Hobbes described the state of nature as a state of war. Paraphrasing slightly:

The state of nature is a state of war… “and the life of man, solitary, poor, nasty, brutish, and short”.

In contrast, John Locke considered the state of nature to be a state of inconvenience and inefficiency. Where they agreed is that out of rational selfish-interest, people must form social contracts to escape the limits of the state of nature.

To date, Anonymous has enjoyed its more chaotic lack of structure, openness, low barrier to entry, and other features. The downside of this has been an upper bounds of effectiveness, a lower batting average, a muddied focus, “brand damage”, arrests – and even catalyzing escalation with law enforcement, legislators, and other forces of “control”. As we’ve said, if not careful, Anonymous could help cause the very things they fear/oppose.

The authors believe that the current state is either untenable or of limited impact in the long run. To this we offer the following “three steps” as a straw man of “organized chaos” for consideration and dialectic, or debate. We argue that such an approach would, on the whole, improve the impact and mitigate several current challenges.

  1. Statement of belief, values, objectives, and first principles – i.e. WHY you have come together
  2. Code of conduct and operational parameters – i.e. HOW you conduct your pursuit of your common goals
  3. A plan for streamlining success, increasing potency, and mitigating risks – i.e. WHAT will make you more successful

We will outline these three below for those who see themselves as “Chaotic Good” – as a sample use case. We will then directly link how such a system would mitigate several of today’s Anonymous challenges identified in Part 4.

#1: Statement of beliefs, values, objectives, and first principles (WHY)

To repeat, a mentor once told me:

“If you believe something, you should write it down. The more important the belief, the more critical it is that you are precise and clear in its articulation.”

Core to any meaningful group or endeavor is your purpose. Why have you come together? What are your beliefs? What are your values? What do you hope to change? What are your essential “first principles”?

For Martin Luther, it was nailing his 95 Theses to the Castle Church – sparking the Protestant Reformation to separate from what he saw as an increasingly corrupt Catholic Church. For Martin Luther King, Jr., this was the vision expressed in “I have a dream“.

It is a common purpose that binds movements together. Ad hoc bonds can be weaker bonds, but bonds formed in shared values and shared beliefs are not as easily broken. Commitment to shared purpose and objectives can serve to strengthen the resolve, staying power, and impact of those involved.

Historically, Anonymous has been ambiguous about what it stands for. Sure, there have been some more dominant themes but… too many of them. This has lead to a sort of stimulus diffusion in which ideas have been passed between people, but without the blueprint or foundation. Such diffusion can lead to an idea being refined and improved upon, or misunderstood and re-built as a hideous form of the original.

When everything is important, nothing is. Zen wisdom tells us, “He who chases two rabbits catches neither”. To reach critical mass, perhaps Anonymous needs a period of “valuable ambiguity”. To overcome its current limitations, smaller splinters may need to rally around fewer objectives, better. These splinters may not be instead of the “general population” of Anonymous, but for greater impact with less collateral damage and backlash; it may prove to be a logical necessity. For some, this personal recognition has already come. Such splinter groups may also serve another purpose; by focusing on more specific goals, the personal desires and reasons for involvement of each member are more likely to be met.

Here are some lines that a “Chaotic Good” group who cared about free speech and anti-censorship might hold:

  • We believe in free speech for all.
  • We reject attempts to control or limit free speech online.
  • We aim to be a watchdog for the citizens of the net; to identify, expose, and rally resistance to legislation and special interests, which threaten these rights.
  • We believe free speech applies to everyone – especially when we do not agree with it.
  • When governments take access from their people, we will help to re-supply them with alternative access and vehicles to these basic rights.

Benefits of writing down why your group exists are numerous. First, you will attract more like-valued, and potentially more talented members. These beliefs will be the foundation of any brand to the rest of the world. It will give the group focus in the short term, and as time moves on it will give you the backbone to resist mission drift and spreading yourselves too thin. It is also your primary defense against the brand damage of False Flag operations done in your name. Further, such segmentation can insulate the group from any harm done by less aligned (and maybe less noble) members of the currently shared melting pot, general population of “Anonymous”.

When choosing your foundational beliefs and values, choose wisely.

#2: Code of conduct and operational parameters (HOW)

A “code” is not new to groups. For example, there is the bushido code way of samurai, honor among thieves, the pirate code (more what you’d call “guidelines” than actual rules)… and countless others that dominate both history and popular culture.

The hitman/cleaner in “Léon: The Professional” had a rule; “No women. No kids.”

In Fight Club: “The 1st rule of Fight Club is, do not talk about Fight Club”.

In The Transporter, “Rule #3: Never open the package.”

A code of conduct and explicit statement of operational parameters has benefits. Building upon the prior foundation of your statement of beliefs, your defined “how” will both attract like valued participants – and repel the opposite. Such statements will help to win the court of public opinion, both in establishing your “brand” and in defending it from pretenders and False Flags. Infiltrators would be more constrained to these narrower methods and False Flags would look anomalous in contrast.

A “code of conduct” actually has precedent within Anonymous. In fact, this may have been the origin of donning the Guy Fawkes mask. During the Project Chanology planning to take to the streets against the Church of Scientology, a video was posted outlining the code of conduct. Rule #17 was to cover your face to protect your identity. It just so happened that the visage from V for Vendetta was available and “top of mind”. Here are some lines that a “Chaotic Good” group who cared about free speech and anti-censorship might hold:

  • In all actions, we must take great care to prevent collateral damage – or to hurt innocents.
  • In our pursuit to promote free speech, it is critical that we do not impinge upon the free speech of others – even when we disagree with them.
  • We will conduct our operations within the bounds of the law, leveraging FOIA and open source information.
  • Much like Rosa Parks did as a last resort, and in rare cases, where transgression is required and righteous, it must be supported by our statement of beliefs and part of a pre-defined path of escalation.

For readers that have played MMORPGs such as World of Warcraft, you may recall the frequent statement from Blizzard Entertainment; “No Blizzard employee will EVER ask you for your password.” Note the utility of such an explicit, absolute statement. By making it, gamers can immediately spot imposters. Therefore, such statements can serve to mitigate some of the risk of False Flag operations and unsanctioned, brand damaging attacks done “in the name” of the more principled group.

One of the first examples of defining a code of conduct in “Hacktivism” activities can be found in a paper presented to Yale Law School by 0xblood Ruffin of the Cult of the Dead Cow (cDc) entitled “Hacktivism, From Here to There“; in which he states:

I began to formulate some hard and fast rules for hacktivist tactics. First, no Web defacements. If groups or individuals are lawfully entitled to publish content on the Web, any violation of their right to distribute information is an abridgement of their First Amendment [freedom of expression] rights. The same goes for Denial of Service (DoS) attacks.

While groups like the Electronic Disturbance Theatre (EDT) disagree about DoS, they simply wouldn’t join 0xblood or Hacktivismo due to a difference in ideology. Maintaining a code and mission statement may be, at times, prohibitive to gaining wide support, but honesty and integrity are important, even to an organization who must resort to criminal acts to achieve their goals at times.

#3: A plan for streamlining success, increasing potency, and mitigating risks (WHAT)

What will be the difference makers and secrets to greater impact? Here we will consider a few. For example, it is often smarter to do fewer things, better. Will your actions make you look like a BadAss or a DumbAss? How you are viewed in the court of public opinion can be a major success factor. Knowing what your want and stand for is critical, but remember: A goal without a plan is called a wish.

Less is More

As we’ve suggested, it is ideal to do fewer things better. Would you rather have a superficial impact on ten fronts, or a meaningful impact on one front? The very things that “need fixing” are almost by definition “non-trivial”. If something is worth doing, it is worth doing well. If there are more ills to right, this simply may require more teams. Focusing on fewer fronts also allows more time and attention to be spent on each front. This would benefit operations that publish or leak information for example; rather than dumping gigabytes of information, time could be spent to pull out key pieces of interest.

Unlocking Your Inner BadAss

Another important factor is your potency and prowess. What’s more impressive to onlookers and adversaries, a fool shooting wildly – missing all targets? Or a sniper who makes every single bullet count; “One Shot. One Kill”. When a swordsman first takes up his blade, they may flail wildly and wastefully, but a master is more deliberate and deadly – with each stroke delivering the full impact of its intention. The true master may seldom need to draw his sword. While 2011 saw many Anonymous operations, there were several misses and/or mis-steps. Imagine instead a more potent group who seldom (if ever) misses and rejects more ops, for a better op – one that hits its targets without collateral damage. A pyro-maniac will torch everything – a pyro-technician will design and execute a targeted and effective “controlled burn“. An amateur will amputate, but the skilled surgeon will remove the tumor with precision.

Measure Twice, Cut Once

Toward that end, a more potent group would do more strategizing and prep-work. When you’re taught carpentry or wood-working, most of us are equipped with the wisdom of “measure twice, cut once”. Preparation helps to avoid mistakes. Fewer mistakes conserves limited resources and helps to promote / preserve a more BadAss image to your supporters and adversaries. During the StratFor hacks in December of 2011, many criticized the “steal $1 million to give to charities” aspect of the operation – as disingenuous or naïve. Those charities did not get to keep the money, nor was that ever a possibility. Such visible/perceived mis-steps only hurt the groups brand in the court of public opinion – and are avoidable with better planning on fewer operations. For other operations, why risk arrest and incarceration to steal information that was readily obtained through a FOIA request?

Finger on the Pulse

Finally, the “court of public opinion” matters. In studying the myriad of Anonymous and LulzSec operations throughout 2011, one could watch a volatile ascension and decline of support for Anonymous depending upon how noble (or ignoble) an operation was. The good will formed from lawful enablement of Occupy Wall Street could be undone by an unnecessary or overly aggressive illegal operation from different ranks in the same week. One could almost plot public support like a stock ticker – or a presidential/job approval rating. While some may “not care”, the savvy will not only pay close attention to the “pH level” or “barometer” of public opinion, but will also seek to assure their brand and accuracy of media coverage and narrative are an asset (versus a liability). Further, gauging public perception allows you to respond, make adjustments, and improve future ops.

This is not to say popular opinion should rule the day. In our Defcon 19 Q&A after the panel, it was revealed to us that the press failed to understand or cover the more restrained / responsible hacks. Rather than investing the time to better explain their motives and decisions, Anonymous instead opted for louder and noisier ones, which a sensationalist press responded to. The sad, yet accurate, catch phrase of modern media holds; “If it bleeds, it leads”. Knowing this is the case, investment in getting the public perception and media involvement more “on point” will be a key factor in a group’s ultimate success. Perception is reality.

Conclusion and Validation

Building a better Anonymous must be done from the ground up, with a solid foundation to set the direction and tone of the group. Perhaps the best way to validate this idea and such a foundation is to consider it in the context of Part 4: Failing in Practice (aka Pyrrhic Practices). All four failures we outline would have benefited substantially had their been a well-defined foundation. The case of doing “more wrong than right” during opBART could have been avoided had Anonymous stuck to principles and followed a code of conduct. OpDarknet, which saw a single chaotic actor hurt the operation and brand, could have been easily disavowed as not following a published code of conduct. Texas Takedown Thursday could have enjoyed great success, albeit slower, through a series of legal FOIA requests and strategic leaks of information if hacking was deemed necessary. OpSatiagraha would have been streamlined and a more potent operation if only the significant emails were released and highlighted. Another benefit to all of this is that there is less time wasted creating public announcements taking credit for, or denying, operations. They will be much more evident from their actions.

Coincidentally, as we worked on this article, news broke about a new splinter group of Anonymous, called “Malicious Security” (MalSec). This news came with the group releasing a video that introduced the group and outlined their objectives. MalSec firmly states they believe in free speech, and stresses that any defacement would add text to a web site, but they would not delete content, to support this idea. Many may disagree with their activity of breaking into web servers, but in setting this foundation for the group, they are in a position to maintain their principles while disavowing anyone that attempts to tarnish their brand. This is basically the same thing that happened with LulzSec; they weren’t happy with Anonymous, split off for 50 days, formed a new charter, and operated under it.

We expect the above to be debated and discussed, but we also believe something along these lines will come as a logical necessity. If you could make a better Anonymous, an ominous anonymous perhaps, what would you build?

Copyright 2012 by Josh Corman and Brian Martin. Permission is granted to quote, reprint or redistribute provided the text is not altered, appropriate credit is given and a link to the original copy is included. Custom graphics courtesy of Mar –

Should you feel generous, please donate a couple of bucks on our behalf to any 501(c)(3) non-profit that benefits animals or computer security.