Part 3: How We All Got it All Wrong

By Josh Corman & Brian Martin

2011

If you are new to this series, please begin with Part 0 and the index.

NOTE: We will post each installment here for the security industry to garner feedback for about one week prior to posting to Forbes.com and a more mainstream and business readership. Please comment toward improving/clarifying the content.

Like many, early on we carried a cognitive dissonance about Anonymous. Is this a good thing? Or a bad thing? Many people seemed to approve of the attacks against Scientology – or Anonymous’ apparent passion for transparency and their crusade against corruption. Helping oppressed people in Tunisia and Egypt? Absolutely, people see that as a force for good. Other operations, however, were a bit more disconcerting for onlookers. Leaking personal details of law enforcement, their families, and confidential informants did not sit well with many.

Riding on the back of Part 2: Fact vs Fiction, there are some additional points to make. When we explored fact and fiction, many of the points were based on a lack of understanding. In this article, we discuss how we collectively “got it wrong”. This moves beyond misconceptions born out of poor reporting or conflicting information, and into the realm of our simple lack of understanding. Further, it highlights that as a society, we seem to be unable to learn from our history. As George Santayana famously said in The Life of Reason,

“Those who cannot learn from history are doomed to repeat it.”

Everything Old is New Again

Regarding this article, the concept of speculating and proposing a “better”, more efficient, and more serious adversary is old. Government-sponsored think tanks and the U.S. military have been doing this for decades. With regard to Anonymous, the idea of the group is also not new. All of their diverse traits seen in a single group, even if nebulous, may be new to most people. However, many in information security or law enforcement have been exposed to most of these traits before. Hacktivism has been going on for well over a decade, primarily through groups defacing web pages with political messages.

Disregarding the apparent disconnect between a “computer-based group”, as Anonymous is often considered, and more traditional groups, the traits of Anonymous become more prominent. Compare some of the actions of PETA, the Black Hand, Ku Klux Klan, Weather Underground, or Earth First to some of the actions of Anonymous. Despite their goals being diverse, and each group having their share of radical members, there are many parallels to be drawn.

While they have far less in common than a broad swath of their members or observers would think, their common traits are certainly there. Each group is frustrated about their raison d’etre. Each group believes in presenting a unified front outwardly while embracing diversity and resilience internally. Despite being a heterogeneous group sociologically, Anonymous does a good job putting forth a homogeneous image (arguably propaganda) through the use of iconography and central messages.

Being Dismissive is a Disservice

Over the last year, many media outlets, pundits, and security professionals have given commentary on Anonymous and LulzSec. In many cases, the tone of the commentary has been negative, with the commentator essentially dismissing the groups’ actions. In some cases, it has been a general dismissive “the group is not effecting change” line. In other cases, pundits outright deride LulzSec as having no advanced hacking skills and only attacking the “low hanging fruit”. While most, if not all, of their hacking exploits have been easy to find and exploit, these pundits are missing the bigger picture.

First, LulzSec didn’t need more sophisticated exploits to compromise these organizations. An attacker is only as sophisticated as they are required to be; when companies don’t make it a challenge for attackers, there is no reason to use more advanced attacks. If large companies and law enforcement are protecting such valuable information, why are their own security programs not catching the low hanging fruit?

Second, what if the high-profile compromises using basic exploits are just a noisy cover hiding the real activity? The concept of misdirection when hacking has been around for over twenty years. It is dangerous to assume that we know the whole picture when we are only seeing what makes the front page. There are two aspects to this idea: LulzSec could be using some of these attacks as a method of distracting onlookers from their real goals, or third parties unaffiliated with LulzSec and Anonymous may be using their brand for misdirection. For example, a disgruntled employee could launch a denial of service attack against his employer and embed a message such as “We are legion” in it, giving the impression the attacks are the work of Anonymous.

“Pretenders” also came up during the Q&A following our DEFCON 19 panel. Several in-room members of Anonymous claimed the two large Sony breaches of credit cards were “not us” but rather “the Russians” – as many suspected. Regardless, many have been dismissive of the group or the impact of an attack – until they’ve been on the receiving end.

The Media’s Field Day

To say the media has collectively had a field day with coverage of Anonymous is certainly an understatement. The group’s diverse actions, ranging from in-person protests or virtual sit-ins (DDoS attacks) to leaking information from hacked corporations, provide a gold mine of drama-rich news. The lack of a central authority or official channel for public statements from Anonymous helps the media run wild, and Anonymous must play a game of catch-up when trying to hold the media accountable. The perception that Anonymous is new and a game changer has led many media outlets to go to press without finding a qualified person to speak on the matter. Simply grabbing the nearest mouthpiece, who frequently has a personal or corporate agenda, does not help the media, Anonymous, or the public.

When LulzSec splintered off from Anonymous, the more revealing story was not the material results of their hacking; rather, it was the sad commentary on infosec-centric and mainstream news coverage alike. After 50 days of hacking into a wide variety of sites, accompanied by a high-profile, predominantly Twitter-based media presence, the pressure added up. With the looming threat of law enforcement catching up to them, LulzSec announced their retirement on Pastebin and broadcast it via Twitter. While the announcement was deemed inevitable, many figured we hadn’t heard the last from them, and they were right. Some in the mainstream media announced it and gave commentary on why it was inevitable and certain.

One of the most noticeable traits of media coverage during the 50 days LulzSec was active was the lack of truly critical press. Publications and authors that have been more vocal and firm in the past seemed to pull their blows when covering the hacking activity of LulzSec. Since the group was executing a wide variety of attacks, and supporters of the group were carrying out DDoS attacks against detractors, it appeared that journalists were scared to be overly critical. Paul Carr wrote for TechCrunch saying “Please Hacker Don’t Hurt Us: The Media’s Coverage Of LulzSec Has Been Cowardly and Pathetic”. The irony should be noted that this article came a day after LulzSec posted their retirement message. Worse, the timing and criticality of the article suggest that Carr, like many others, felt that the group was truly done and their “vandalism spree” was finished. Similarly, Bill Brenner wrote an article for CSO Online called “Whatever, LulzSec”, two days after the retirement message. The timing of these articles suggests the authors feared potential retaliation from LulzSec should their message be construed negatively. Provoking these groups may seem undesirable, but it would also prove an interesting point; if Anonymous or LulzSec retaliate over poor press, they may be considered the tyrants they so oppose.

Arresting Anonymous Won’t Help

The pursuit of Anonymous is just as futile as it is necessary. Thinking of the group in terms of traditional crime simply doesn’t hold up. This group is not four people that have been knocking over banks, where bringing even one of the four to justice may stop further robberies. For each Anonymous member busted, another will take his or her place, maybe two. That said, law enforcement cannot let the group go unchallenged. Public and corporate pressure to put a stop to their activity is stronger than ever. With a nebulous group that has new recruits ready to step in for fallen comrades, it could be a never-ending battle. With a seemingly endless supply of new recruits, all with a strong belief in the movement, a few dozen arrests won’t put a dent in the organization.

Some have suggested the only way to truly stop these groups is to capitulate and meet their demands, which is just as much a pipe dream. With a diverse set of demands that are often not well defined, or that are more of a general principle such as “maintain secure networks”, meeting them is often not possible. If you take away the reason someone is protesting, they will generally stop. Locking them up or pushing back rarely leads to a real solution. As Natalie Portman’s voice-over in ‘V for Vendetta’ said,

“We are told to remember the idea, not the man, because a man can fail. He can be caught, he can be killed and forgotten, but 400 years later, an idea can still change the world.”

(Source of mugshots: talkingpointsmemo.com)

Even with dozens of arrests in several countries, there is no indication that Anonymous is dissuaded.

Occam’s Razor Cuts Deep

Like most current topics, a prevailing trend in media coverage of Anonymous is heavily based on making assumptions. A news organization may receive one or two pieces of information about a situation or scandal, then fill in the blanks with their best guesses. We’ve become accustomed to news coverage that consists of a commentator standing by repeating the same fact over and over, interjected with their guess of additional facts. Moving beyond the simple (e.g., “the politician is greedy”), commentators will speculate wildly about state of mind or other actors that may or may not be involved. We, the viewers, are the cause of this. As a society, we are willing to forgo logic and simplicity in favor of drama and intrigue.

For Anonymous, a group largely grounded in the Internet as a medium and meeting place, the theory of Occam’s razor is largely applicable. Combine that with the Online Disinhibition Effect, and it becomes obvious that many are acting out because they can. More interesting is the notion that the casual members and new recruits, viewed as ‘cannon fodder’ by some, are the ones acting out the most. Further, they feel safer with a layer of anonymity and perceived protection that they do not enjoy in real-world protests or activity. In some cases, it is simply a matter of the participant not fully understanding technology and how it relates to anonymity. They feel that being virtual protects them, without understanding the exposure of a disclosed IP address that has not been masked with effective technology (e.g., Tor, proxies).

On the flip side, many members of Anonymous are proving that the Online Disinhibition Effect only goes so far. With members helping in Internet activism before proceeding to a local protest to square off with those they are protesting, anti-protestors, and law enforcement, one has to accept that not all members act differently simply because of perceived Internet anonymity. As this happens, media outlets are guilty of varying degrees of projection, assigning traits and beliefs to persons that have made no definitive actions of the sort.

In challenging the integrity or morals of someone that hides behind a mask or computer, many of us fail to realize that dissociative anonymity may also be helping our society. The protection provided by that anonymity may be leading people to find the strength or freedom to say things they wouldn’t otherwise. At DEFCON 19, one member of our panel began the session wearing a mask. When we asked the audience if he should remove it, a majority said “no” (with a noted selection bias). This lends support to the idea that many sympathizers don’t want Anonymous unmasked, perhaps as a way of supporting or agreeing with a majority of their actions, or simply out of fear of repercussions. Like most tools, anonymity can be used for good or evil.

Those seeking anonymity may include people effectively whistleblowing, arguably a valuable public service that puts them at risk for the greater good of society. Further, asynchronous communications may be fueling people to embrace speaking out. The ability to voice opinions or share information on message boards, via e-mail, or on web sites, without immediate backlash or punishment is a powerful motivator for opening up and sharing.

There are many factors that contribute to the actions and mindset of a person affiliating themselves with Anonymous, LulzSec, or any group tangentially related to Anonymous. Despite all of the speculation and possibilities enumerated in this article, Occam reminds us that a group such as LulzSec may truly be doing it all “for the lulz”. Every time the media or an analyst takes a guess or makes a suspect claim about Anonymous’ motivations, it is important to go back to a simpler explanation and give it serious consideration.

Copyright 2011 by Josh Corman and Brian Martin. Permission is granted to quote, reprint or redistribute provided the text is not altered, appropriate credit is given and a link to the original copy is included. Custom graphic courtesy of Mar – sudux.com.

Should you feel generous, please donate a couple of bucks on our behalf to any 501(c)(3) non-profit that benefits animals or computer security.