Holding Back the Ocean

Monday, May 2nd, 2011

Several recent incidents online have shown that the Internet can be a radical force for change. For those nations who try to control the Internet, these latest developments call into question their efforts. Is there any point in stemming the Internet tide?

The Internet is more of an uncontrollable beast than pundits previously thought. Such is the impression that I have gotten following the recent unfolding of major international events. The latest feats from Anonymous, the Egyptian protests, and the ongoing Wikileaks controversy point out the mercurial force of the Internet, or more precisely, the mob of people connected to it, which makes one wonder if it can ever be effectively controlled. This question becomes especially important when talking about those nations which seek to actively control the Internet. Are their efforts ultimately futile?

Some things just make you sit back and stare in wonder. That’s what happened to me last week when Anonymous, the online personification of mob mentality, utterly destroyed a US-based security company in a few days just for fun. The perfect storm of dangerous secrets, lax security, and the interest of hostile parties came together to leave a formerly respected security company that was busy wooing fat government contracts humiliated, penniless, and without data.

Now, explaining what happened is complicated by the mystique that computer security and Internet hacking have in popular culture. Hearing people talk about hacking and cyber-warfare brings to mind one or several badly-illustrated movies of absolute geniuses doing arcane things on computers with multiple monitors. These hackers perform a techno-voodoo magical spell in order to do what should not be possible – get all your secrets and control all your systems. Perhaps in a fit of spite they make your computer equipment explode, as part of the magic. But what really happened to Aaron Barr’s security company HBGary wasn’t magic at all, just incompetence. That’s all you can call it when hackers get the password to your most sensitive data simply by asking for it.

Based on the company’s complete body of email, which was copied and released to the public by Anonymous, the cybersecurity firm HBGary was deep in the process of winning lucrative security contracts from US government agencies. They were in contact with the FBI, the US military, and the Director of National Intelligence. Then their CEO, Aaron Barr, decided to win some online street cred and boost his company’s prestige in the eyes of the federal government by uncovering the secret leadership of Anonymous, the online hacker organization that has most recently been in the news with regard to DDoSing Mastercard, Visa, and Paypal because of their refusal to work with Wikileaks. Barr had undertaken a personal research project and believed he had uncovered the real names and addresses of the top Anonymous leadership, which he planned to turn over to the FBI in a presentation. He went on to show in a file that the whole thing was run by three people identified as Q, Owen, and CommanderX. By watching Facebook, Twitter, and IRC, Barr believed that he had matched up these online identities to real people, two in California and one in New York.

Aaron Barr’s plan was simple. He wanted to “start a verbal brawl between us and keep it going because that will bring more media and more attention to a very important topic”, as he stated in an email exchange with Karen Burke, the director of marketing and communications at HBGary. The two were discussing the reaction to a recent article on the web site Daily Kos, in which an interview of Aaron indicated that he knew the Internet handles of key Anonymous members. He also said, “They think all I know is their irc names!!!!! I know their real fing [sic] names. Karen I need u [sic] to help moderate me because I am getting angry.” He was about to get a lot more than angry, however.

Aaron Barr believed a lot of things that were not true. He had just let on in an online article with Daily Kos that he knew the real identities of top Anonymous leadership. He believed the most likely result of this claim was an upcoming verbal sparring match with said leadership. He also believed that it would be good for his company to do this, and that he would get publicity, notoriety, and land fat government contracts based on his presentation with the FBI that was scheduled to happen the next day. But none of that happened because Aaron Barr was very, very wrong.

The first thing that Barr was wrong about was that the group Anonymous had top leadership. It doesn’t. It isn’t really right to even call it a group, or an organization, or a collective. It is none of those things. Anonymous can best be described by a plot point in the movie V for Vendetta. In this movie, the vigilante known as V wears a Guy Fawkes mask, and eventually distributes at least 100,000 more masks to the general population. Anonymous is the digital version of that Guy Fawkes mask. Anybody can wear the label of Anonymous, and anybody can do whatever they want while wearing it, and claim to be Anonymous. One can guess that each individual act of Anonymous is spearheaded by one or more interested parties, and the popularity of the idea serves to recruit more or fewer followers. Really popular, awesome ideas can garner thousands of followers and create the kind of online presence needed to do something big, like taking down Mastercard’s payment system for the day. Less popular ideas do not gain the necessary traction to make it big and are eventually discarded when their novelty wears off. Understanding that Anonymous is not a shadowy hierarchical cabal should be obvious, because the idea is right there in the name. Nevertheless, clueless security firm executives and government employees who are used to thinking this way believe that Anonymous is an organization that can be fought in the way that other organizations are fought – by attacking the head. Aaron Barr tried to attack the non-existent head of Anonymous, and it offended the people who most closely associated with the Anonymous identity. So they struck back.

The second thing that Aaron was wrong about was Anonymous’s possible response. He was looking for spirited debate. But within the space of one day, hackers wearing the mask of Anonymous had managed to take out HBGary Federal’s web site, replacing it with a pro-Anonymous message saying “Now the Anonymous hand is bitchslapping you in the face.” The hackers got into HBGary Federal’s email server and copied over 40,000 emails, putting them up as a torrent file which anybody could download. They claimed to have deleted over one terabyte of backup data, and had remotely wiped Aaron Barr’s iPad of all data. They took over his Twitter account and wrote explicitly disparaging content about him. Eventually the company’s president, Penny Leavy, entered the Anonymous IRC chat room to beg the group to stop the attack. The hackers, elated with their extreme amounts of success, demanded that she fire Aaron Barr and donate money to the Bradley Manning Defense Fund. Several members in the IRC chat began dissecting individual emails that they had found within the data that they had looted, asking Penny extremely precise and personal questions about her company and its operations. “Did you also know that Aaron was peddling fake/wrong/false information leading to the potential arrest of innocent people?”, one person asked. Another said, “The document that [Aaron] had produced actually has my girlfriend on it. She has never done anytihng [sic] with anonymous, not once. I had used her computer a couple times to look at a group on facebook or something.” The document that they were referring to was a presentation that Aaron had put together to show the FBI. That was the third thing that Aaron was wrong about. The information that he thought he had painstakingly assembled was incomplete, incorrect, and dangerous. It was a minefield of embarrassment for anyone who might have acted on it. In this sense, Anonymous did the federal government a favor by destroying Aaron Barr’s company – they saved the government from a potential waste of time and potential embarrassment as well.

But did Anonymous really do that much damage to the company? Based on the emails recovered by Anonymous, yes, they did. The company was hurting financially. Aaron Barr complained that he was overdrawn on his personal checking account, and that the company was running extremely low on cash. This personal research project of his on Anonymous was a last-ditch effort to get an edge over the competition and present the company as worthy of millions of dollars in government contracts. Unfortunately, he bit off more than he or his company’s network infrastructure could chew. Extensive analysis around the Internet has determined that Anonymous was able to be so successful not because they are hacking voodoo geniuses, but because the supposed cyber-security company had failed to take even the most basic precautions regarding the security of their own network infrastructure. The company was actually not a real security company, but just pretending to be. They were using PowerPoint presentations filled with buzzwords and the confident smile of their CEO to appear to be much more than they actually were. The Anonymous hacking attempt exposed their false claims for what they really were and ruined their reputation at the worst possible moment – when they had nothing left but their reputation to do business with. There is no way for the company to recover from this loss of reputation, and no way for them to be profitable now.

This overwhelming victory by a few anonymous Internet users against a cybersecurity firm teaches a few valuable lessons. The first is that the collective attention of random people on the Internet can be bad for business, if you are a two-bit shyster trying to sell the world with a smile and a song. The complete destruction of HBGary can be contrasted with the relative ease that shrugged off the concentrated DDoS attack by Anonymous last month. pretty much wrote the book on distributed computing, which is an excellent counter to DDoS attacks. Their servers never showed any signs of being slowed by Anonymous, and the hive mind collective eventually moved on to the easier targets of Mastercard and Visa. The second valuable lesson that one can learn from this attack is that bored people sitting at home behind moderately powerful computers can be more technically savvy than an actual cyber-security company. Expertise is not limited to company names, but can be distributed wherever Internet users are. When we go back to the beginning premise of this article and consider that entire countries feel threatened by the Internet, then we can begin to see why they do feel threatened, and why doubts about their ability to control the Internet pop up.

But this is not the only recent incident that spells doom for governments with a repressive Internet policy. The successful protests in Egypt that resulted in the president of the country stepping down were Internet-related, at least peripherally. The Egyptian government thought so, at least. They were first caught trying to steal the Facebook passwords of their entire country, a move which Facebook countered by offering SSH logins for their service. Then protests escalated in the capital and the country shut down its connection to the Internet and most cell phone networks, hoping that the lack of communication would disperse the crowds. However, that was not the case, as the protesters reverted to older means of communication and successfully maintained their protests. While in this case a strong argument can be made for many other factors besides the Internet being responsible for the protests, the fact that the government believed Facebook to be important enough to steal login information from, and the Internet itself to be influential enough to shut down, is the most obvious sign that the Egyptian government feared the Internet and tried to eliminate it, albeit unsuccessfully. What they should have done was control the Internet to prevent the people from communicating and organizing to begin with. That is what China does, as does its North Korean neighbor.

Which is really the point of this article. North Korea is the most successful government in the world if you view success as controlling the people’s ability to communicate with each other and the outside world. The second most successful country would be China, which has extensively tried to censor and control its Internet infrastructure for many years. China and Egypt have been linked together recently by the actions of a few Chinese calling for a Jasmine Revolution, which refers to Egypt’s recently successful regime change. Chinese citizens were taken away after laying down hundreds of white jasmine flowers outside a popular McDonald’s in Beijing, along with a large crowd of unorganized yet agitated individuals. Online calls for more protests are being censored as soon as they can be, and yet the censorship is imperfect. China has been prepared for this eventuality for a long time. They are doing their best to nip things in the bud, and avoid going down the path that Egypt has gone. However, the Internet, by which I mean the people on it, is showing itself again and again to be an uncontrollable force. Governments like China can maintain control now, but I do not think they can maintain control forever. The Internet is the people, and the will of the people cannot be contained by laws, or regulations, or technical restrictions – it always comes out ahead in the end. One might as well be trying to hold back the ocean with their own hands.
