"I enjoy the LULZ"

Barr created multiple aliases and began logging on to Anonymous IRC chat rooms to figure out how the group worked. He worked to link these IRC handles to real people, in part using his social networking expertise, and he created fake Twitter accounts and Facebook profiles. He began communicating with those he believed were leaders.

After weeks of this work, he reported back to his colleagues on how he planned to use his fake personas to drum up interest in his upcoming talk.

I have developed a persona that is well accepted within their groups and want to use this and my real persona against eachother to build up press for the talk. Pre-talk plan. I am going to tell a few key leaders under my persona, that I have been given information that a so called cyber security expert named Aaron Barr will be briefing the power of social media analysis and as part of the talk with be dissecting the Anonymous group as well as some critical infrastructure and government organizations I will prepare a press sheet for Karen to give to Darkreading a few days after I tell these folks under persona to legitimize the accusation. This will generate a big discussion in Anonymous chat channels, which are attended by the press. This will then generate press about the talk, hopefully driving more people and more business to us.

Barr then contacted another security company that specializes in botnet research. He suspected that top Anonymous admins like CommanderX had access to serious Internet firepower, and that this probably came through control of bots on compromised computers around the world.

Barr asked if the researchers could "search their database for specific targets (like the one below) during an operational window (date/time span) to see if any botnet(s) are participating in attacks? Below is an attack which is currently ongoing." (The attack in question was part of Anonymous' "Operation Payback" campaign and was targeted at the government of Venezuela.)

The report that came back focused on the Low Orbit Ion Cannon, a tool originally coded by a private security firm in order to test website defenses. The code was open-sourced and then abandoned, but someone later dusted it off and added "hivemind mode" that let LOIC users "opt in" to centralized control of the tool. With hundreds or thousands of machines running the stress-test tool at once, even major sites could be dropped quickly. (The company recorded only 1,200 machines going after MasterCard on December 11, for instance.)

To boost the credibility of his online aliases, Barr then resorted to a ruse. He asked his coder to grab the LOIC source code. "I want to add some code to it," Barr said. "I don't want to distribute that, it will be found and then my persona will be called out. I want to add it, distribute it under a persona to burn and then have my other persona call out the code."

The code to be added was an HTTP beacon that linked to a free website Barr had set up on Blogspot. He wanted a copy of the altered source and a compiled executable. His programmer, fearing Anonymous, balked.

On January 20, the coder wrote back, "I'm not compiling that shit on my box!" He even refused to grab a copy of the source code from message boards or other IRC users, because "I ain't touchin' any of that shit as those are already monitored."

"Dude," responded Barr. "Anonymous is a reckless organization. C'mon I know u and I both understand and believe generally in their principles but they are not a focused and considerate group, the[y] attack at will and do not care of their effects. Do u actually like this group?"

The coder said he didn't support all they did, but that Anonymous had its moments. Besides, "I enjoy the LULZ."

"Dude—who's evil?"

At one time, Barr supported WikiLeaks. When the site released its (edited) "Collateral Murder" video of a US gunship killing Reuters photographers in Iraq, Barr was on board. But when WikiLeaks released its huge cache of US diplomatic cables, Barr came to believe "they are a menace," and that when Anonymous sprang to the defense of WikiLeaks, it wasn't merely out of principle. It was about power.

"When they took down MasterCard do u think they thought alright win one for the small guy!" he asked. "The first thought through most of their malcontented minds was a rush of power. That's not ideals."

He continued in this philosophical vein:

But dude whos evil? US Gov? Wikileaks? Anonymous? Its all about power. The Wikileaks and Anonymous guys think they are doing the people justice by without much investigation or education exposing information or targeting organizations? BS. Its about trying to take power from others and give it to themeselves. I follow one law. Mine.

His coder asked Barr how he slept at night, "you military industrial machine capitalist."

"I sleep great," Barr responded. "Of course I do indoor [enjoy?] the money and some sense of purpose. But I canget purpose a lot of places, few of which pay this salary."

The comments are over the top, of course. Elsewhere, Barr gets more serious. "I really dislike corporations," he says. "They suck the lifeblood out of humanity. But they are also necessary and keep us moving, in what direction I don't know.

"Governments and corporations should have a right to protect secrets, senstive information that could be damage to their operations. I think these groups are also saying this should be free game as well and I disagree. Hence the 250,000 cables. WHich was bullshit… Society needs some people in the know and some people not. These folks, these sheep believe that all information should be accessible. BS. And if they truly believe it then they should have no problem with me gathering information for public distribution."

But Anonymous had a bit of a problem with that.

The hunter and the hunted

As Barr wrapped up his research and wrote his conference presentation, he believed he had unmasked 80-90 percent of the Anonymous leadership—and he had done it all using publicly available information.

"They are relying on IP for anonymity," he wrote in a draft of his presentation. "That is irrelevant with social media users. U use IRC and FB and Twitter and Forums and Blogs regularly… hiding UR IP doesn't matter."

Barr would do things like correlate timestamps; a user in IRC would post something, and then a Twitter post on the same topic might appear a second later. Find a few of these links and you might conclude that the IRC user and the Twitter user were the same person.

Even if the content differed, what if you could correlate the times that someone was on IRC with the times a Facebook user was posting to his wall? "If you friend enough people you might be able to correlate people logging into chat with people logging into Facebook," Barr wrote.

The document contained a list of key IRC chatrooms and Twitter accounts. Facebook groups were included, as were websites. But then Barr started naming names. His notes are full of comments on Anonymous members. "Switch" is a "real asshole but knows what he's talking about," while "unbeliever" might be "alexander [last name redacted]."

In the end, Barr determined that three people were most important. A figure called Q was the "founder and runs the IRC. He is indead in California, as are many of the senior leadership of the group." Another person called Owen is "almost a co-founder, lives in NY with family that are also active in the group, including slenaid and rabbit (nicks)." Finally, CommanderX can "manage some significant firepower." Barr believed he had matched real names to each of these three individuals.

He wasn't doing it to actually expose the names, though. "My intent is not to do this work to put people in jail," Barr wrote to others in the company. "My intent is to clearly demonstrate how this can be effectively used to gather significant intelligence and potentially exploit targets of interest (the other customers will read between the lines)."

He then revealed himself on Facebook to the person he believed was CommanderX. "I am not going to release names," Barr said on February 5, using the alias Julian Goodspeak. "I am merely doing security research to prove the vulnerability of social media." He asked for Anonymous to call off its DDoS attack on HBGary Federal, an attack that had begun earlier that day.

Some of the responses from CommanderX were a bit chilling. Late in the conversation, CommanderX warned Barr "that your vulnerabilities are far more material. One look at your website locates all of your facilities. You might want to do something about that. Just being friendly. I hope you are being paid well."

Then came an IRC log that Barr sent around, in which a user named Topiary tried to recruit him (under the name CogAnon) for "a new operation in the Washington area" where HBGary Federal has its headquarters. The target is "a security company."

By late afternoon on the 5th, Barr was angry and perhaps a little scared, and he asked his PR person to "help moderate me because I am getting angry. I am planning on releasing a few names of folks that were already arrested." It's not clear that Barr ever did this, however; he admitted in another e-mail that he could get a bit "hot" in private, though he would generally cool down before going public.

Hours later, the attack escalated from some odd DDoS traffic to a full-scale break-in of HBGary Federal systems, one that showed tremendous skill. "What amazes me is, for a security company - you had such a basic SQL vulnerability on your website," wrote one Anonymous member later.

Days afterward, the company has still not managed to restore its complete website.