HBGary and the Future of the IT Security Industry

This is a really good piece by Paul Roberts on Anonymous vs. HBGary: not the tactics or the politics, but what HBGary demonstrates about the IT security industry.

But I think the real lesson of the hack - and of the revelations that followed it - is that the IT security industry, having finally gotten the attention of law makers, Pentagon generals and public policy establishment wonks in the Beltway, is now in mortal danger of losing its soul. We've convinced the world that the threat is real - omnipresent and omnipotent. But in our desire to combat it, we are becoming indistinguishable from the folks with the black hats.

[...]

...While "scare 'em and snare 'em" may be business as usual in the IT security industry, other HBGary Federal skunk works projects clearly crossed a line: a proposal for a major U.S. bank, allegedly Bank of America, to launch offensive cyber attacks on the servers that host the whistle blower site Wikileaks. HBGary was part of a triumvirate of firms that also included Palantir Inc and Berico Technologies, that was working with the law firm of the U.S. Chamber of Commerce to develop plans to target progressive groups, labor unions and other left-leaning non profits who the Chamber opposed with a campaign of false information and entrapment. Other leaked e-mail messages reveal work with General Dynamics and a host of other firms to develop custom, stealth malware and collaborations with other firms selling offensive cyber capabilities including knowledge of previously undiscovered ("zero day") vulnerabilities.

[...]

What's more disturbing is the way that the folks at HBGary - mostly Aaron Barr, but others as well - came to view the infowar tactics they were pitching to the military and its contractors as applicable in the civilian context, as well. How effortlessly and seamlessly the focus on "advanced persistent threats" shifted from government backed hackers in China and Russia to encompass political foes like ThinkProgress or the columnist Glenn Greenwald. Anonymous may have committed crimes that demand punishment - but its up to the FBI to handle that, not "a large U.S. bank" or its attorneys.

Read the whole thing.

Posted on February 25, 2011 at 6:14 AM • 73 Comments

Comments

Tim KeckFebruary 25, 2011 6:22 AM

If it walks like a duck and quacks like a duck...
Sounds to me like the HBGary group is a bunch of criminals.

WinterFebruary 25, 2011 6:36 AM

What exactly is the difference between organized crime and the organizations that hired HBGary and company, e.g., the Chamber, their law firm, General Dynamics?

BillFebruary 25, 2011 6:56 AM

-is now in mortal danger of losing its soul.

The security industry lost its soul long ago.

-But in our desire to combat it, we are becoming indistinguishable from the folks with the black hats.

Exactly. However it shouldn't be "we are becoming" the security industry "IS" indistinguishable from the folks with black hats. Of course Bruce has known this for a very long time. He even tries to say it on occasion. But the industry shuns thought processes like that. Its more of an us versus them mentality to get the dollars to run programs and operations against the very people they claim are the enemy.

Fear is the buzz word. Fear this scenario, fear that scenario, then make a presentation to the suits and go get that money after it. Money money money is all its ever been about. Sure we could collapse tomorrow, but we probably won't. However we can't get paid by selling that scenario now can we?

We have to sell "what if" and scare the hell out of anyone who will pay us. If we reversed it and said nothing really to worry over tomorrow, then no one would pay. So, best to say "eat drink and be merry for tomorrow we may die." That will get them pouring money into whatever operation you have ongoing to prevent it.

As for trojaning/logging people, that has been going on since the industry was built. They just now got caught with their hands in the cookie jar. And if you think these 3 companies were the only ones who thought or acted that way, you are in for a big surprise. I can hear the shredders going on daily since the leaks of HBgary lol.

This should be a wake up call to the security industry to best practices and ethics. However in a few months it will all be forgotten and replaced with some other story. Life will go on, and the security industry will be back at business as usual.

That is until someone else gets caught at it, and investigations start over the whole mess. Then and only then will you hear the battle cry that we need to clean up this cesspool of an industry. Until then, be wary, be vigilant, and be safe.

l0b0February 25, 2011 6:58 AM

@Winter: Credibility - Even if you knew full well what they were doing, unless someone digs up an email you can just counter any accusations with "It wasn't us, we hired these guys under false pretenses!"

bobhFebruary 25, 2011 7:18 AM

It would appear the same people are behind multiple efforts to subvert the American dream for their own agenda. Power and greed are all that matter. Sad.

RichardFebruary 25, 2011 7:35 AM

Twenty-four years as a criminal defense attorney taught me, all too often, that the primary difference between the cop and the criminal is a badge.

rogue7February 25, 2011 8:00 AM

@winter

"difference between organized crime and the organizations that hired HBGary..."

Nothing.

If the good guys do X then it's good, if the bad guys do X it's bad. It's still X. A hammer can be used to pound nails or hurt someone. As lawyers are fond of saying, "it's all about intent". Don't get me wrong, I don't condone HBGary's activities. But as other posters pointed out, we sell fear and then sell a solution to ease that fear. It also has to be an ongoing process; sell fear, sell solution, repeat. It is a major tactic used by US advertising companies for many products especially in the personal care industries - bad breath, bad teeth, bad hair, etc. "Buy our solution and for the next six weeks see such and such improvement." And because the solution doesn't last forever, you have to buy more to fix the fear. It's an endless money machine. Security companies are no different. They are in business to make money. The noble ones try to provide broad solutions against real threats with minimal impact to users at a reasonable price. The bad ones don't.

We have a culture of fear in the US and it extends from the corporations to the government. Didn't somebody write a book about this? :)

bob (the original bob)February 25, 2011 8:04 AM

This (HBGary's "aggressive defense") seems to me to be the same mindset that has SWAT teams kicking down doors at 3 AM to serve jaywalking subpeonas.

It is another manifestation of the "If you have a hammer, the whole world looks like a nail" truism; in other words if an organization has some tool, they will find a way to use it - regardless of how inappropriate it may be.

AlfieFebruary 25, 2011 8:10 AM

So when will HBGary, Palantir Inc and Berico Technologies and Bank of America be charged with conspiracy to commit a crime?

In capitalist America, bank robs you!

Dirk PraetFebruary 25, 2011 8:31 AM

"We can see their actions for what they are, and sympathize deeply with Aaron Barr, Greg Hoglund and his wife (and HBGary President) Penny Leavy for the harm and embarrassment caused by the hackers from Anonymous"

Er, no I don't. I would have if Fox News had publicly exposed Aaron Barr as a raving transvestite performing in shady bars on the Lower Eastside at night. That's his private life, which nobody has any business with as long as he doesn't hurt others. What was revealed in the HBGary mails is something completely different, and the embarrassment, damage and humiliation that came with them is called public accountability for your actions, irrespective of whether they were public or cloaked. For now, I'm sad to say that my sympathy goes with Anonymous, Jester and the like. What they are doing is illegal, but I've always had a soft spot for Robin Hood-types.

The entire HBGary saga for me begs two questions:

1) Some people will really do anything for a buck. What to think of a society and a corporate culture where the Ferengi Rules of Acquisition apparently have become more important than the Constitution ?

2) Why is the DoJ not pursuing HBGary Federal with the same vigour they've shown on Wikileaks, Julian Assange and Bradley Manning ? Are some pigs really more equal than others then ? Imagine the HBGary emails having revealed Wikileaks donors or contributors. The illegal nature in which the information had been acquired wouldn't have stopped anyone from immediately going after them.

Arguably HBGary is toast for now. They'll just change their name in due time, and most probably everyone will have forgotten about them in a couple of years.

naadarrFebruary 25, 2011 8:41 AM

I always come to think that the terms white hat and black hat were really just an artificial attempt to make the line less blurry - black vs white. But in reality I think the distinction was never that solid.

Clive RobinsonFebruary 25, 2011 8:46 AM

I'll be honest and say "so what"...

In reality what did HBGary do that hundreds if not thousands of other companies have not do or are currently doing. Likewise politicos and many others.

The simple answer is they took a risk and "they got caught".

Think of any "brand led" organisation where it is driven by the "marketing" people. Marketing is in general an amoral activity where telling "white lies" is the norm.

As I have found out when working for companies with good morals that get taken over by companies with "marketing morals" as their key ethic you are expected to "shape up or ship out" and "shape up" means "do whatever brings the bacon home" with the hidden understatment of "don't get caught or well disown you, and add to your pain".

More importantly however is how HBGary were caught...

Effectivly they believed that the FUD they were selling was just that and did not take precautions, against the FUD actually comming home to roost. Even worse they did not make alowance for "deniability" their internal email system signed each email thus when they made claim that the messages where not genuine the Verisign Cert and who purchased it were pointed out.

At the end of the day the HBGary mob have been hung up by their own arrogance.

But I very very seriously doubt they are a single "rotten apple" the barrel is full of them wrapped in pork fat.

bFebruary 25, 2011 8:49 AM

> Why is "mostly Aaron Barr"?

The emails show that Aaron Barr AND HBGary CEO Greg Hoglund have no professional or moral scruples and cannot be trusted.

Aaron Barr is the incompetent, immoral hack who wanted to use obviously flawed snakeoil to turn people in to the FBI and create a sock puppet campaign for BoA. Greg Hogland is the ignorant, unscrupulous amateur that told Barr to sell his snakeoil to the FBI so that the FBI would arrest actual individuals named by Hogland.

Just read the S/MIME emails:

http://hbgary.anonleaks.ch/greg_hbgary_com/3829.html

From: Greg Hoglund
To: Aaron Barr
Date: Sat, 5 Feb 2011 23:48:08 -0800
Subject: Re: Final - for me.

you should tell the FBI about B. DeVries.

On 2/5/11, Aaron Barr wrote:
> yeah I am getting close. See the last line in my last email. If they think
> I have nothing then publically ok me to release it all publicly.
>
>
> On Feb 6, 2011, at 2:43 AM, Greg Hoglund wrote:
>
>> Jesus man, these people are not your friends, they are three steps
>> away from being terrorists - just blow the balls off of it@

http://hbgary.anonleaks.ch/greg_hbgary_com/27413.html

From: Greg Hoglund
To: Aaron Barr
Date: Fri, 4 Feb 2011 22:19:31 -0800
Subject: Re: slightly revised copy

and here is a blog post that I want to post

HBGary Federal Pwns Anonymous
---
This is a proud day. HBGary Federal, lead by Aaron Barr, has made public their long term penetration of the Anonymous group, the DDOS group associated with Wikileaks. They were able to penetrate the group to the highest level, gaining the trust of the inner circle. The HBGary Federal team was able to learn the real identities of all the key players approximately 10 people. Now these individuals are being arrested by the FBI. Aaron and his team were also able to learn the identities of approx. 30 additional high level lieutenants. The Feds are finally taking down Anonymous, but it should be noted that HBGary Federal performed this entire operation without law enforcement or government involvement.


On 2/4/11, Aaron Barr wrote:
> Hold off don't post this yet please.
> I'll talk to you about it tomorrow...need sleep. :)
>
> On Feb 5, 2011, at 1:07 AM, Greg Hoglund wrote:
>
>> HBGary Federal Flexes Private Intelligence Muscle.
>> ---
>> HBGary Federal, the specialized and classified services arm of HBGary,
>> flexes its muscle today by revealing the identities of all the top
>> management within the group Anonymous, the group behind the DDOS
>> attacks associated with Wikileaks. HBGary Federal constructed and
>> maintained multiple digital identities and penetrated the upper
>> management of Anonymous, and was subsequently able to learn actual
>> identities of the primary management team BUILDING A COMPLETE ORG
>> CHART. This information was critical for law enforcement, yet all the
>> intelligence work was done without law enforcement or government
>> involvement. Only after achieving the mission did Aaron Barr, the CEO
>> of HBGary Federal, reveal this information to the Feds. This
>> underscores the need for new blood in the intelligence community and
>> the abilities of small agile teams that are unhindered by the
>> bureaucratic machine.
>>
>> what do you think? too negative on intel community?
>>
>> -G


Hogland the FBI to arrest real people actually named by Hogland based on nothing but HBGary's bullshit snakeoil, which Barr knew, or should have known, was bullshit snakeoil:

http://hbgary.anonleaks.ch/aaron_hbgary_com/11173.html

From: Mark Trynor
To: Aaron Barr
Date: Wed, 19 Jan 2011 10:45:13 -0700
Subject: Re: Another Thing

I'm not doubting that you're doing analysis. I'm doubting that statistically that analysis has any mathematical weight to back it. I put it at less than .1% chance that it's right. You're still working off of the idea that the data is accurate. mmmm.....taco!

On Wed, Jan 19, 2011 at 10:42 AM, Aaron Barr wrote:

> Wait just a minute.
>
> I considered Dan but then both Ted and I decided u would be better.
>
> Not all things that are worthwhile are easy... :) Ur still good right?
>
> :)
>
> On the gut feeling thing...dude I don't just go by gut feeling...I spend
> hours doing analysis and come to conclusions that I know can be
> automated...so put the taco down and get to work!
>
> On Jan 19, 2011, at 12:31 PM, Mark Trynor wrote:
>
> Yeah, how did that work out the first time. You wanted Dan to be your
> engineer not me. Want me to check that facebook page "I listened to Aaron
> Barr and now I'm under investigation". Yeah, your gut feelings are
> awesome! Plus, scientifically proven that gut feelings are wrong by real
> scientist types.
>
> On Wed, Jan 19, 2011 at 10:22 AM, Aaron Barr wrote:
>
>> pretty soon we will be running a company in Mantech or TASC called...
>>
>> Magpii
>>
>> Tell me my gut feelings are wrong again...
>>
>>
>> On Jan 19, 2011, at 12:20 PM, Mark Trynor wrote:
>>
>> Your probability based on frequency right now is a gut feeling. Gut
>> feelings are usually wrong.
>>
>> On Wed, Jan 19, 2011 at 10:19 AM, Mark Trynor wrote:
>>
>>> right, which is why i know your numbers are too small to draw the
>>> conclusion but you don't want to accept it.
>>>
>>>
>>> On Wed, Jan 19, 2011 at 10:17 AM, Aaron Barr wrote:
>>>
>>>> noooo....its about probabilty based on frequency...c'mon ur way smarter
>>>> at math than me.
>>>>
>>>> On Jan 19, 2011, at 12:15 PM, Mark Trynor wrote:
>>>>
>>>> and basing that assumption off of guilt by association
>>>>
>>>> On Wed, Jan 19, 2011 at 10:14 AM, Mark Trynor wrote:
>>>>
>>>>> You keep assuming you're right.
>>>>>
>>>>>
>>>>> On Wed, Jan 19, 2011 at 10:11 AM, Aaron Barr wrote:
>>>>>
>>>>>> What? Yes it will.
>>>>>>
>>>>>> I am running throug analysis on the anonymous group right now and it
>>>>>> definately would.
>>>>>>
>>>>>>
>>>>>> On Jan 19, 2011, at 12:08 PM, Mark Trynor wrote:
>>>>>>
>>>>>> No it won't. It will tell you how mindless their friends are at
>>>>>> clicking stupid shit that comes up on a friends page. especially when they
>>>>>> first join facebook.
>>>>>>
>>>>>> On Wed, Jan 19, 2011 at 9:31 AM, Aaron Barr wrote:
>>>>>>
>>>>>>> I would like to be able to do.
>>>>>>>
>>>>>>> Is check a persons friends list against the people that have liked or
>>>>>>> joined a particular group.
>>>>>>>
>>>>>>> That will give me information on how tightly connected that person is
>>>>>>> to that group or page...
>>>>>>>
>>>>>>> :)

Dirk PraetFebruary 25, 2011 8:57 AM

@ Clive

"At the end of the day the HBGary mob have been hung up by their own arrogance."

Best quote I've heared on this was from Colbert "they found a hornet's nest and then stuck their p*nis in it".

aftermathFebruary 25, 2011 9:32 AM

If one side is bound by rules that the other side does not follow then it shouldn't surprise you who is going to win.

Most laws don't limit specific acts. They just limit who can get away with those specific acts. Crime is only defined by being on the wrong side of the law. Everyday people are killed legally. Everyday drugs are sold legally. Everyday property is seized legally. Yet, our prisons are full of murders, drug dealers, and thieves.

If we're going to have criminals who violate the laws that bind the average citizen, then we better exempt a few of the good guys from those laws (and back them with the support of our community) to protect us from the scofflaws. It is not a perfect system, but the only other alternative is to have no laws at all.

Richard Steven HackFebruary 25, 2011 9:34 AM

The even wider view of this incident extends beyond the IT security industry to the "national security industry" itself.

As most people here probably know, the vast bulk of the US intelligence services are contracted out to private companies. The figures are unbelievable both in terms of cost and numbers of private bodies involved. It's as if the bulk of the US Army were mercenaries.

From just one article on the subject:

Quotes

According to Brian Ruttenbur a security analyst for the U.S. Homeland Security, in 2008 the turnover of services in the private sector may have exceeded 50 billion U.S. Dollars, which means that this industry has a considerable impact in the American market.

It is estimated that 70% of the budget for U.S. intelligence agencies is provided via subcontracts to private corporations.

In the U.S. 35% of the operations of DIA (Defense Intelligence Agency) and 95% of the NRO (National Reconnaissance Office) are undertaken by private employees who handle highly confidential projects and gain a full picture of the structure of the American state, but also of the whole world because of the American primal position within the global political system.

Over the last 5 years, 2,435 former senior U.S. military personnel have been recruited in 52 different private security and intelligence companies and 422 of those occupied roles identical to those when in active duty.

End Quotes

The Washington Post article "National Security Inc." is a good place to start.

Quotes

The Post estimates that out of 854,000 people with top-secret clearances, 265,000 are contractors.

Nine years later, well into the Obama administration, the idea that contractors cost less has been repudiated, and the administration has made some progress toward its goal of reducing the number of hired hands by 7 percent over two years. Still, close to 30 percent of the workforce in the intelligence agencies is contractors.

So great is the government's appetite for private contractors with top-secret clearances that there are now more than 300 companies, often nicknamed "body shops," that specialize in finding candidates, often for a fee that approaches $50,000 a person, according to those in the business.

Gates said he wants to reduce the number of defense contractors by about 13 percent, to pre-9/11 levels, but he's having a hard time even getting a basic head count.

"This is a terrible confession," he said. "I can't get a number on how many contractors work for the Office of the Secretary of Defense," referring to the department's civilian leadership.

*At the Department of Homeland Security (DHS), the number of contractors equals the number of federal employees. The department depends on 318 companies for essential services and personnel, including 19 staffing firms that help DHS find and hire even more contractors. At the office that handles intelligence, six out of 10 employees are from private industry.

*The National Security Agency, which conducts worldwide electronic surveillance, hires private firms to come up with most of its technological innovations. The NSA used to work with a small stable of firms; now it works with at least 484 and is actively recruiting more.

*The National Reconnaissance Office cannot produce, launch or maintain its large satellite surveillance systems, which photograph countries such as China, North Korea and Iran, without the four major contractors it works with.

*Every intelligence and military organization depends on contract linguists to communicate overseas, translate documents and make sense of electronic voice intercepts. The demand for native speakers is so great, and the amount of money the government is willing to pay for them is so huge, that 56 firms compete for this business.

*Each of the 16 intelligence agencies depends on corporations to set up its computer networks, communicate with other agencies' networks, and fuse and mine disparate bits of information that might indicate a terrorist plot. More than 400 companies work exclusively in this area, building classified hardware and software systems.

Hiring contractors was supposed to save the government money. But that has not turned out to be the case. A 2008 study published by the Office of the Director of National Intelligence found that contractors made up 29 percent of the workforce in the intelligence agencies but cost the equivalent of 49 percent of their personnel budgets. Gates said that federal workers cost the government 25 percent less than contractors.

End Quotes

HBGary Federal was just a tiny piece of ice off a major iceberg that the US public cannot see - or control.

hum hoFebruary 25, 2011 9:35 AM

@Clive:
"In reality what did HBGary do that hundreds if not thousands of other companies have not do or are currently doing. Likewise politicos and many others.

The simple answer is they took a risk and "they got caught"."
---

So it is ok to steal as well as long as others do it?

Or as long as you are *convinced* that others do it? Typical that a thief would think that "everyone steals".

That sort of mentality would in fact eventually destroy the society.

On another note, not wanting to take sides but it seems Anonymous did the society a service by bringing this to the surface.

Richard Steven HackFebruary 25, 2011 9:38 AM

Oh, and now ask this question: How many of those hundreds and thousands of firms have their own IT security capable of being penetrated by a SQL injection attack on their Web server, like HBGary?

What would we - or the Chinese - find out if their entire email server database was dumped out on Wikileaks?

Hackers have been wasting their time hacking into porn sites. The real payoff is hacking the US private security infrastructure. I suspect this lesson has come home to the hacker community after the HBGary incident.

Bob GezelterFebruary 25, 2011 9:53 AM

Nearly a decade ago, I noted that "Counter-Battery" attacks are indistinguishable from any other attack, and should be avoided. In effect, my recommendation was "Defensive Action Only" [see "Protecting Internet-Visible Systems". Chapter 21 in the Bosworth and Kabay (2002) "Computer Security Handbook, 4th Edition" @ Section 21.1.7, pp 21-4].

Little has changed. Defensive action is almost always safe. Offensive action can turn one from a hero into a "villain by proxy." My original recommendation and its rationale stand: Defensive is safe; Offensive is in effect, no better than another attack.

I would be concerned that any of this "information" found its way into the law enforcement community and court system.

There is also a significant danger from mis-analysis. Matching a pattern means only that, it does not say anything about the validity of the analysis. fragmentary fact, whether realized as such, or unconsidered, do not improve the conclusions. The world has not changed. I noted this in "Les Approximations Dangereuse: The Sorcerer's Apprentice and other Dangerous Approximations" (slides at http://www.rlgsc.com/e-protectit/sorcerers.html).

Defensive measures are acceptable to a fare thee well; offensive actions should not be part of a individual or corporate repertoire of responses.

ShaneFebruary 25, 2011 11:14 AM

@aftermath - I call bullsh1t.

By your logic, the police in my city would be allowed to carry automatic weaponry with armor piercing rounds, simply because many of the criminals are armed the same way.

You don't fight fire with fire. You fight it by removing / protecting the flammable materials, and dousing what cannot be saved from the flames.

Put it this way, DDoS a few of the root nameservers, CC co.s, telcos, etc, and you've disrupted an entire subsection of the world's ability to conduct business online. DDoS some 'Anonymous' servers, and they'll just boot up another set of them via their botnets, safe-havens, et al.

Just like the drug war: kill or incarcerate every single small-time dealer, smuggler, sovereign lord of commerce and production, every Escobar out there... and they'll have replenished in numbers before you even had the chance to give out their prison issue paper suits.

The only way to win a battle like that, is to remove the incentive for folks to fight it in the first place. Everything else is purely palliative.

DylanFebruary 25, 2011 11:27 AM


Obviously, HBGary is shady, but it seems that everyone is missing the best quote from the article: "Bruce Schneier - our industry's Obi-Wan Kenobi"

Lol, nice one.

Petréa MitchellFebruary 25, 2011 11:34 AM

I just saw that too-- are there any former apprentices of yours we ought to watch out for, Bruce? :-)

albatrossFebruary 25, 2011 1:24 PM

There's a fun irony here. HBGary is talking about how Anonymous carried out criminal attacks on them, and this is certainly true. But if they or their associates had carried out exactly the same attacks on Wikileaks supporters, on behalf of Bank of America, what do you suppose is the probability that there would have been any prosecutions?

Leaks offer a kind of window into stuff that's normally kept secret. In the Wikileaks-released diplomatic cables, there were some embarrassments, but mostly, I think the picture that emerged was of diplomats doing the sort of stuff you'd expect diplomats to do. In this leak, we're seeing something different--a picture of a whole industry of cyberattacks, intimidation campaigns, and smear campaigns offered commercially to powerful, rich organizations, for pretty explicitly political goals. From this one snapshot, what we can't know is how many companies are involved, or how common this is. But it's really hard for me to look at this and guess that these were the only ones offering such services. My guess is, these services, or variations on them, are being offered to and purchased by a whole bunch of "respectable" organizations who, in today's America, are in practice above any kind of legal consequences for them.

And this makes me wonder how much of the odd pattern of press coverage of various events and stories (the pre-emptive arrests during the RNC convention in 2008, the initial TARP bailouts, the Pentagon military advisors' scandal) was partly affected by this kind of operation. How would we find this out?

FnordFebruary 25, 2011 1:50 PM

I hate to jump to defend big corporations and whiteshoe law firms, but...

It looks to me like Hunton & Williams and their clients weren't buying what HBGary and Barr were selling. All the really black-hat ideas about falsifying documents, extortion, etc, are coming from HBGary and the other security companies. As far as I can tell, H&W wanted some social media scrapping and analysis, which, while perhaps slightly creepy, is nothing like the crap Barr wanted to pull.

RookieFebruary 25, 2011 1:54 PM

@Brian - If you’re talking about getting into the information security industry, come on in! There’s lots of opportunity and it isn’t nearly so bleak as some would have you believe. Some of us haven’t yet sold our souls.

Bruce’s articles and viewpoints are always interesting, but the comments section here can get carried away. I understand your apprehension; if you’ve been reading the comments here for the past several weeks you would have "learned":

- The US government is evil, and their military are terrorists
- The Internet criminals are actually better people than the people they attack, and serve as good “Robin Hoods” to the evil corporate and government “sheriffs”.
- There is no security anywhere, so don’t bother.
- The US government is evil, and everyone that works for them is incompetent.
- There is no privacy anywhere; you lost that a long time ago.
- Criminals and police are morally equivalent.
- All governments are evil, but the US government especially so.
- The entire security industry has no soul or integrity.
- IT security personnel could easily find and kill Bin Laden.
- Corporations are evil, and most Western countries are currently police states.

Yes, it sounds like a bad, sad world out there in the security industry, but remember to take other people’s opinions with a grain of salt and form your own opinions by looking at the facts, not someone’s Internet opines. The truth almost always lies between the polar opposites and the security industry can always use some more good guys.

Civil LibertarianFebruary 25, 2011 2:30 PM

@Dirk Praet : "They'll just change their name in due time, and most probably everyone will have forgotten about them in a couple of years."

I'm expecting an acquisition by Blackwater-- er, Xe.

Clive RobinsonFebruary 25, 2011 2:40 PM

@ Hum Ho,

"That sort of mentality would in fact eventually destroy the society"

The behaviour I described will if people were honest about it show up in all probability atleast a half of firms.

The thing is it is a culture of no responsability or deniability. You move up by taking risks, where risks realy means breaking the rules and some of those rules are codified into law.

So I don't think you've got it quite right with "will eventualy" I think it's already happened over the last fourty years or so.

I keep going on about "next quater" or "short term" viewpoint in executives and "hot potato passing" and "make it so" mentality. All apparently caused by the current view of what a "free market" is, from my perspective it boils down to the old "school boy bully" mentality of "might is right" and "the strong or the dead" and the "Mafia mentality" of getting minions to do the dirty work and take the fall should it go wrong.

But it's not just what most people would regard as criminals, you only have to look at the grubby behaviour of UK Politicos (Tony Blair being the most notable) to see the rot is being lead from the front.

As you say,

"On another note, not wanting to take sides but i seems Anonymous did the society a service by bringing this to the surface"

Both the UK and US have "whistel- blower" legislation, have people actualy thought what this actually says about society?

That is business is so corrupt in general that you need laws to protect the few brave individuals that stand up to it.

But worse in the UK Health Service (amongst others) those few who have blown the whistle have had their lives destroyed and in many cases they cannot work again in the UK as they are "unemployable" as far as those in charge are concerned.

So yes I'm all in favour of people anonymously blowing the whistle as sometimes "sun light is the strongest disinfectant" and "killing the messenger" is not the way society should be happy to be.

mooFebruary 25, 2011 2:41 PM

@Dirk Praet:
Thanks for mentioning the Colbert episode. I just watched it online, it is pretty funny. I thought Glenn Greenwald did a great job staying on-message while being interviewed by Colbert, each time Colbert pounced on something else, Greenwald used his reply to steer straight back to the point he wanted to make.

Richard Steven HackFebruary 25, 2011 2:53 PM

Rookie:
"-The US government is evil, and their military are terrorists
- The Internet criminals are actually better people than the people they attack, and serve as good “Robin Hoods” to the evil corporate and government “sheriffs”.
- There is no security anywhere, so don’t bother.
- The US government is evil, and everyone that works for them is incompetent.
- There is no privacy anywhere; you lost that a long time ago.
- Criminals and police are morally equivalent.
- All governments are evil, but the US government especially so.
- The entire security industry has no soul or integrity.
- IT security personnel could easily find and kill Bin Laden.
- Corporations are evil, and most Western countries are currently police states."

Thanks for summing up the correct state of the world. We appreciate it.

However, for some reason, you sound like you don't agree. Cognitive dissonance much?

Richard Steven HackFebruary 25, 2011 3:01 PM

Fnord: We don't now what the law firm would have agreed to because things fell apart before it got to that point.

I think it's clear that HBGary was picked for precisely the reasons that they were capable of coming up with this crap. And despite the protestations of the firms involved, there is reason to believe none of them had any real objections.

Ars has a followup article which touches on this:

Anonymous vs. HBGary: the aftermath
:http://arstechnica.com/tech-policy/news/2011/02/anonymous-vs-hbgary-the-aftermath.ars

Quote

As a member of Team Themis, Palantir became part of Aaron Barr's plans to go after WikiLeaks, put pressure on commentators like Salon.com's Glenn Greenwald, and set up a surveillance cell for the Chamber of Commerce. No one in the e-mails that we saw objected to any of the proposed ideas.

When news of the proposals came out, Palantir said it was horrified. Dr. Alex Karp, the company's CEO, issued a statement: "We make data integration software that is as useful for fighting food borne illness as it is to fighting fraud and terrorism. Palantir does not make software that has the capability to carry out the offensive tactics proposed by HBGary. Palantir never has and never will condone the sort of activities recommended by HBGary. As we have previously stated, Palantir has severed all ties with HBGary going forward."

As we noted in our initial report on the situation, several of the key ideas had come from Aaron Barr—but they were quickly adopted by other team members, including Palantir. I asked the company for more information on why Barr's ideas had shown up in Palantir-branded material. The company's general counsel, Matt Long, supplied the following answer:

We did make a mistake—one of a fast growing company with lots of decentralized decision making authority. Initial results of our ongoing internal diagnostic show that a junior engineer allowed offensive material authored by HBGary to end up on a slide deck with Palantir's logo. The stolen emails conclusively show that Aaron Barr from HBGary authored the content which was collated well past midnight for an early morning presentation the next day. This doesn't excuse the incident, but hopefully it brings much needed context to a context-less email dump.

That junior engineer, a 26-year-old, has been put on leave while his actions are being reviewed.

"We should have cut ties with HBGary sooner and raised internal concerns about this sooner," Long told me. "This is a huge mistake for sure; we aren't making excuses. But our company never approved hacking or carrying out dirty tricks on anyone."

As for the engineer's e-mail in which he said that the Team Themis project "got approval from Dr. Karp and the Board" on a new revenue sharing plan, Long said that it was simply "classic salesmanship ('I need to get my manager's permission for that. I really argued hard for you and got you this deal'). In our case we don't have sales people so it is very transparent/obvious coming from a 26-year-old engineer. Dr. Karp and the Board did not know about the specifics of the proposal—including pricing."

End Quote

In other words, we're going to blame it on some low-level flunk (else why constantly mention the age of the personnel involved?) and distance ourselves as fast as we can.

And I really doubt any big Washington law firm really is going to have scruples over this sort of thing.

Clive RobinsonFebruary 25, 2011 3:16 PM

@ Dirk Praet,

"Arguably HBGary is toast for now. They'll just change their name in due time, and most probably everyone will have forgotten about them in a couple of years."

You missed out a bit.

It is fairly clear if you dig a little (the emails for instance) that most if not all the seniors not only knew but were activly supporting the behaviour.

Now this effectivly makes the seniors a herd, and herds have two main charecteristics,

1, Safety in numbers.
2, Sacrifice to preditors the weak or isolated.

So...

The press (preditors) will start to focus on an individual and the seniors (herd) will effectivly "feed the press" by making it look like a "single rotten apple".

The seniors will effectivly throw that individual to the wolves and stand back.

To enforce this in the US should it come to litigation you have rules whereby the "sacrificial goat" mentality is encoraged (we have seen this with the likes of Enron, Conrad Black, etc, etc).

Now although this might get one or two top men it allows all those lower to get away with it simply because that's the price of the deal...

So expect one individual from HBGary to become the "evil incarnate" and all the others to be "innocents" or "repentants" who will walk away and pickup almost immediately where they left off...

Yep I know I sound jaundiced about this but you see it all the time with things like "corporate manslaughter" in the construction industry, and you just realise that to many seniors are just like serial killers not just in thought but actual deed, the difference being their self gratification is expressed throug profit not parts of their victims as keepsakes.

FnordFebruary 25, 2011 3:55 PM

I've read the Ars Technica follow-ups, yes. I was talking about H&W and their Clients, the Chamber of Commerce and the unknown bank, not the other security firms. Clearly Palantir and HBGary proper are in this up to their eyebrows, despite their attempts to distance themselves from HBGary Federal and Barr. And there's no reason to doubt that Berico was complicit, as well.

I haven't read all the leaked emails, but as far as the Ars Technica reporting goes, H&W apparently declined all of the proposals put to them by Team Themis, except for the "cybersecurity training" sessions, despite the fact that Barr was stalking the negotiators and their families. In fact, H&W's unwillingness to support Barr's private cyberwar wet dream is seemingly what drove him to start his bizarre crusade against Anonymous.

Trichinosis USAFebruary 25, 2011 4:03 PM

One of the more disturbing things I found in the Ars Technica piece was HBGary's tendency to repeatedly use "88" in the root password. This is a well known code for the phrase "Heil Hitler" (H being the eighth letter of the alphabet) used by white supremacist groups.

Dirk PraetFebruary 25, 2011 4:11 PM

"Thanks for summing up the correct state of the world. We appreciate it."

Now, now, Richard 8-) We should also be paying sufficient attention to the often hilarious absurdity of the security industry, which for me makes it worth all the cr*p we encounter on a daily basis. If this industry were an artist, it would combine all major strengths of Dali, Magritte, Miro and a couple of more.

@ Clive

Spot on. I guess Aaron Barr would make for the ideal candidate. It's his hubris that has brought doom upon HBGary. On top of that, he was failing to bring in the necessary contracts to keep HBGary Federal afloat anyway. I've read he's taking a leave of absence for the moment, which I can understand given the way he's been suckerpunched and made a laughing stock in front of the entire community as "the man who knew too little". My advice to him would be to try and catch at least one real Anonymous member, grow a beard and moustache, then try to get into the Witness Protection Program after which he may still stand a chance to find a job as an analyst at Facebook.

Dr. TFebruary 25, 2011 4:12 PM

@rogue7: "... It is a major tactic used by US advertising companies for many products especially in the personal care industries - bad breath, bad teeth, bad hair, etc...."

The difference is that the companies that market mouthwash, teeth whitener, hair gel, etc. don't break into our homes and give us halitosis, gray teeth, and scary movie hair before pitching their products.

AristotleFebruary 25, 2011 6:29 PM

@ Richard Steven Hack:

"Corporations are evil...."

I clicked on the link in your sig, and see that you run a computer-service business yourself. It wasn't clear whether it's incorporated, LLC, limited partnership, sole proprietorship, etc. But you are selling a product or service, which is what most corporations do.

So, are you therefore evil?
Or do you somehow exclude yourself from your own categorical statement?

Categorical statements are fraught with risk, and lump the good, the bad, and the ugly all together.

Also, if "- All governments are evil, but the US government especially so.", then why do you still live in the US? Why didn't you move to the worker's paradise, the Soviet Union? .. oh, wait, it collapsed under its own weight, didn't it? ... well, wherever else you think is less evil?

Cognitive dissonance, much?

BuckFebruary 25, 2011 6:34 PM

I think Michal Zalewski beat this guy to the punch:

> The reason why I am frightened is the emergence of a new class of government contractors - a class that depends on the perpetration of an alluring, yet completely irrelevant belief: that an incredibly sophisticated and determined adversary is constantly scheming to wage a devastating cyber-war against everything we hold dear.

> It is tempting to frame the constant stream of high-profile failures as a proof for the evolution of your adversary. But when you realize that almost every single large institution can probably be compromised by a moderately skilled attacker, this explanation just does not ring true.

> The inability to solve this increasingly pressing problem is no reason to celebrate - and even less of a reason to push for preposterous, unnecessary spending on silly intelligence services, or to promote overreaching and ill-defined regulation. If anything, it is a reason to reflect on our mistakes and perhaps go back to the drawing board. But between all the talk of cyber-jihad and APT, this unpleasant message is easy to overlook.

http://lcamtuf.blogspot.com/2011/02/world-of-hbgary.html

JohnFebruary 25, 2011 7:14 PM

"We can see their actions for what they are, and sympathize deeply with Aaron Barr, Greg Hoglund and his wife (and HBGary President) Penny Leavy for the harm and embarrassment caused by the hackers from Anonymous"

Having read his emails, Barr isn't an ethical person, obviously and easily known to all who would interact with him. Hoglund & Leavy choose to associate with Barr. I say, the crooks got what they deserved.

Also, it being 3 weeks later, after Ars ran their recap piece, Bruce is rather tardy in reporting - I guess he was waiting for the sort of pro-HBGary "puff piece" to be written that he could link to.

Imperfect CitizenFebruary 25, 2011 7:28 PM

@Rookie

I don't agree re: comments here hating America etc. I notice more dismay over the erosion of civil liberties, corruption, stupid security practices, etc.

I still love my country, the USA, despite what's been done to me since I've been targeted by the feds. I don't think the government is evil. Its not a fair generalization to say that about comments here. Seems like the moderator does a great job of cleaning that stuff up.

Today I learned from observers that I was initially targeted at a Teacher Professional Development Conference in 2/28/2002 held in Dearborn, MI. The crime? I was attending a seminar on Arab educational resources--to learn to teach Arab kids better in our classes. Hard to believe. It was required for a class I was taking. Men were taking videotapes of the session, I thought nothing of it, they do that in teacher ed all the time. I was told to sign up for free lesson plans, but I guess I was signed up for something else. I wonder how many poor, innocent teachers were targeted that day? There's a difference between national hysteria and "evil". Sometimes when you are on the receiving end though, it feels like persecution.

Davi OttenheimerFebruary 25, 2011 8:22 PM

I call BS on the "future" argument. The fine line is as old as security itself. Ever seen a cop gone bad movie?

@Buck you are correct about the Zalewski blog. Another point made by Zalewski (and in my BSidesSF presentation and on my blog too) is that despite all the "future" and sophisticated threat discussion, the vulnerabilities we see are still quite primitive.

It's common to hear about black ops and state-sponsored professional conspiracy threats even though it turns out the neighbor's kid can be just as dangerous.

I mean HBGary also demonstrates that the security industry might have experts protecting their universal six character non-complex passwords with MD5 and no salt. Ah, yes, what does it say about our future...

Seems to me the really shocking news, if we're going to talk about security professionals choosing sides, is from Libya where 130 soldiers were executed when they refused orders to attack civilians.

http://www.worldnewsco.com/3452/refusing-order-muammar-al-gaddafi-130-libyan-soldiers-shot-dead/

And two colonels in the army defected with their jets, and two warships defected, all after they were ordered to attack civilians.

The latest Rolling Stone article is a close second -- a US General tried to use military psyops against US Senators to manipulate them into supporting his budget.

http://www.rollingstone.com/politics/news/another-runaway-general-army-deploys-psy-ops-on-u-s-senators-20110223


DwightFebruary 25, 2011 8:28 PM

One very interesting fact to come out of these emails is the security of Apple and Linux relative to Windows. *ALL* the targeted rootkit activity -- MAGENTA, everything -- is aimed at Windows, and HBGary's attitude is that Windows is a big security open hole they can rape whenever they please, at work or on home networks.

In contrast, Anonymous was able to breach HBGary's servers and Linux systems by stupid avoidable tricks like unsanitized SQL inputs and social engineering a sysop to give out the keys to the kingdom.

Someone from the SecDef's office even contacts Aaron Barr asking about rootkits for OS X. Barr asks Hoglund, and comes back and says, no rootkits for OSX.

Why would anyone would use Windows ever again in light of these emails?

http://hbgary.leakmirror.org/aaron_hbgary_com/6269.html

From: Aaron Barr [mailto:aaron@hbgary.com]
Sent: Friday, January 07, 2011 3:46 PM
To: Merritt, David CTR OSD CIO
Subject: Re: mac rootkits?

Hey Dave,

No we are not.

How is it going?

Aaron

On Jan 5, 2011, at 2:47 PM, Merritt, David CTR OSD CIO wrote:

> Are you guys seeing much Mac OS X rootkit activity?
>
> Dave

wilcolaFebruary 25, 2011 8:49 PM

Sarah Palin Should Have Hired HBGary To Create Her Virtual Army
http://blogs.forbes.com/kashmirhill/2011/02/23/sarah-palin-should-have-hired-hb-gary-to-create-her-virtual-army/

Law Firm That Worked With HBGary Hit With Bar Complaint
http://blogs.forbes.com/andygreenberg/2011/02/25/law-firm-that-worked-with-hbgary-hit-with-bar-complaint/

The nuclear fallout from HBGary's tangle with the hacker collective Anonymous has blown into the territory of another player in the scandal: Hunton & Williams, the law firm that solicited proposals from HBGary on behalf of clients like Bank of America and the U.S. Chamber of Commerce. Kevin Reese, a lawyer [...]

AlbatrossFebruary 25, 2011 11:02 PM

Another contributing component to this mess is the fact that authoritarianism in America is waxing very strong right now. What we call "Republicans" or "Conservatives" are actually radical authoritarians trying to impose contemporary feudalism, also known as corportaism or fascism. What we call "Democrats" or "Liberals" are actually conservative populists, trying to preserve things like habeas corpus, the Fourth Amendment or the right to organize unions. The cultural battle is progressives vs. authoritarians.

Well authoritarians believe their ends justify their means. So as we see in this HBGary example, and with the Wisconsin Governor, and the sting that brought down Acorn, the authoritarians can and will do ANYTHING, without fear of reprisal or prosecution. AND should one of their operatives manage to get prosecuted, despite being insulated from such things by the mechanics of the authoritarian state, should one of them get prosecuted anyway they are simply abandoned (if too small a fish) or welcomed back and forgiven (if a big fish).

In an authoritarian worldview it is fine for members of the authoritarian tribe to take any steps, regardless of legality. But it is NOT fine for the powerless, the average person, to break ANY laws. If you lack authority, or power, you are not free.

Anonymous, whatever else you think of them, represent populism. Likewise Wikileaks. This is why they are so reviled, and their prosecution is so important to authoritarians.

But despite their corrupt incompetence (HBGary, Governor Walker) the law doesn't apply to authoritarians: because they have power, they are above the law.

And THAT'S why the security industry is facing a crisis. First, because when the Rule of Law collapses as it has in this country (Dick Cheney's obstruction of justice following shooting his friend, the failure to prosecute or even investigate anyone following the 2008 Wall Street collapse), the whole culture itself is a short way from collapse. Because Law requires Justice, and presently we don't HAVE justice.

This isn't to say that there was ever a perfect day when Law and Justice ruled absolutely, but in the cycles of such things we are certainly at a nadir.

When Law and Justice fail, then the apparatus of security ("cyber" or not) is SO easily corrupted into a tool of oppression.

The security industry is at a crisis because in an injust, authoritarian age, only the ethics of individual practitioners stand between justice and corruption. As an industry, we are only as reputable as the average of our practitioners. And nothing insulates us as security practitioners from suffering the consequences of taking an ethical stance.

Hopefully America will survive this powerful down-cycle of Justice, and up-cycle of authoritariansm. But until that changes our industry will be very vulnerable to the corrupting influences of authoritarian abuse. And the average practitioner will be forced to choose, again and again, between keeping their job and doing what their corrupt client demands.

FnordFebruary 26, 2011 12:16 AM

To summarize, here is what the bar complaint says this about H&R and their clients:

CoC has some general bad acts around the 2010 elections that are not connected to this case. Maybe true, and even criminal, but kind of off point. CoC and H&R talk to Fox News and other organizations about Velvet Revolution and Stop the CoC. You say bad things about them, they say bad things about you.

H&W contacted Palantir regarding Wikileaks. Palantir want to bring in Berico and HBGary. This is in October.

In November, H&W approach Themis, asking to retain them on behalf of the CoC. They cite a Palantir presentation on data tracking and analysis as selling the CoC.

Themis puts together a 12 million dollar dirty tricks plan with a broad range of targets from Glenn Greenwald to the SEIU. H&W ask for information about Velvet Revolution and Stop the CoC. HBGary provides some information, and H&W expresses interest in a meeting to work out an agreement. This is November 10.

Some back and forth for the next few weeks. Barr talks up how important big the deal could be for Themis and HBGary. H&W wants to talk more, but apparently nothing is done.

Starting November 29, Themis members start talking dirty tricks again, both among themselves sending proposals to H&W. Notably absent is anything H&W writes back about it. This continues through December, but still nothing is done.

January 14, H&W agrees to a "pilot project" of "research/analysis support". February 3, H&W asks Themis to prepare a presentation for the CoC. They refer to the presentation on data analysis and "apologize for confusion/misunderstanding". The next day, of course, Barr publicly goes off the deep end and the relationship ends.

1) H&R first approach Palantir, a data analysis firm, not HBGary.
2) H&R say the CoC was sold by a presentation about Palantir's data analysis expertise.
3) The only people who talk about malware, forgery, and fraud are at Themis, not H&W.
4) The only people who talk about targeting Greenwald or anybody except Wikileaks and VR/SCoC are at Themis, not H&W.

Davi OttenheimerFebruary 26, 2011 1:52 AM

@Albatross

Very eloquent and a nice summary of the political forces in America, but I beg to differ with regard to the industry.

"the average practitioner will be forced to choose, again and again, between keeping their job and doing what their corrupt client demands."

Security professionals actually are in a better position to take the high road than ever. More positions exist in more diverse organizations that all have respect for the role of a security career.

There are certainly still issues around coercion but they are more exception than the norm.

Twenty years ago...there was no way a security practitioner would be able to set the tone for IT let alone sit in a full-time role to build influence. Today it is not only possible, it often is required.

I could tell you so many stories about CIOs, CFOs, CEOs, in the past who at some point told me "Why security or audit instead of operations? Don't you want to do something with your career?" That never happens anymore. I will never forget the CIO who warned me that I was wasting my time with all the digital forensics work -- "there's no future in that". I continued nonetheless and he was "let go" after I did an investigation of his department.

Was HBGary stuck under the "corruption" of their client. It seems to me they proposed and wanted to do the work. They wanted it. They thought they were in the right.

This is the point I refer to above -- bad cop syndrome doesn't necessarily cast a shadow on the other (good) cops as much as it does on the management of cops.

Security, for as long as it has existed, has provided a double-edged sword to those who practice. HBGary made a willing choice but were outdone by those who opposed their path. Seems to me they were not led astray, and they were not forced...and if anything I think it makes other practitioners look better.

Companies that hire security professionals may look at this and be more careful with who they trust now, which helps differentiate the good from the bad.

Clive RobinsonFebruary 26, 2011 5:05 AM

@ John,

"Bruce is rather tardy in reporting - guess he was waiting for the sort of pro-HBGary"puff piece" to be written that he could link to."

It could be more to do with RSA last week which is where that HBGary "self promoting" poster trying to make themselves out to be "poor little victims" was photographed.

Also as Bruce has said before this blog is a security site note a news site.

Unlike many other blogs Bruce tends to wait until there is sufficient security related content that can be thoughtfully analysed befor posting.

If you look at the way the HBGary mess has been swinging backwards and forwards (and will more than likely continue to do so) you will see there is a lot more "dirt" and "consternation" yet to surface with possible legal activity.

But to be honest HBGary made the usual PR blunder thay made statments not made on actuality but on what they thought the press had and thus they portrayed themselves to be victims thinking it would put them in the best light.

They would have been better off acknowledging the problem and saying it was under investigation and leaving it at that.

A lesson that many PR prols should learn is not to play from the "little miss muffet" playbook. If you spill your curds and whey then don't turn around and blub at the "horrible" spider to get sympathy, it's the behaviour of imature people (ie children) not the behaviour of responsable and mature adults.

But you "reap what you sow" as HBGary are finding out and as they say "people who throw stones, should not live in glass houses" and with most popular OS's your system is more like a goldfish bowl than a fortress irespective of what you do to bolster it up.

NonameFebruary 26, 2011 7:55 AM

Eh, it's a gray line. How far is taking self-defense and self-preservation? If this was something breaking into your home, don't you have a right to 'fight back' ?

Seeing how this is taking place in cyberspace, there is no precedent set.

Since many of these crimes take place in foreign nations, what can the big corporations do to defend themselves, other than spend millions, if not billions (across the board)? That generates higher costs for the consumers in the long run doesn't it?

Let's throw the slippery slope in that if they attack bank of america, and BofA to combat the threat they spend X-millions of dollars, and then up the cost of fees across the board... if I'm a BofA customer, aren't there in theory attacking me indirectly?

I haven't though about this enough to make a real sound decision, but I'm leaning toward the best defense is a great offense. If a hacker is caught and reported to FBI, all assets frozen, thrown in jail for 1 year for every dollar spend to correct the problem - by all means.

Laws and punishments need to be harsh enough to actual deter the crime. Take drunk driving - if the officer proved your driving drunk, pulls out his weapon fires 3 shots into your center mass... how many MORE drunk driving incidents do you think there would be? Is it a fair analogy? No, but it gets my point across.

Clive RobinsonFebruary 26, 2011 10:45 AM

@ Noname,

I guess you have a reason to be anonymous.

When you say,

"Laws and punishments need to be harsh enough to actual deter the crime."

It has been known for well over a two centuries that "harsh punishment" in no way deters crime and a study of history shows it activly encourage it (which is one reason why we have so many feudal cultures stuck in the middle ages or earlier and also why religious texts more modern than the old testiment effectivly forbid "eye for an eye").

I could give you a load of weblink refrences but you can go and look them up yourself (not that you are likley to but google "bentham panopticon utilitarianism").

In a more modern society it can quickly be seen that those who recomend harsh punishment generaly have a vested interest (profit / power) or are the sort of person who scores higher than average on sociopath testing or not particularly high on SATS.

Nearly all studies that have investigated the roots of crime show that ensuring a good "social/emotional education" in those under 3years of age will prevent a lot of crime. Also the cost of the early years education costs less than ~1/8,000 of dealing with the consiquences of not providing the early years education.

So if you do the math on the number of criminals (ie those that have been convicted) in the US and the population you will actually see that if even only 50% of the children benifit from the early years eduction the direct cost of the education to the US taxpayer will be just a small fraction of the cost of the current prison system.

However this is not "politicaly" on message as the benifit will take 15-20years to come on stream.

There are other ways that will bring significant savings sooner such as seperating first and repeat offenders into different institutions and offering sensible education policy etc in the first offenders institutions. This seperation and education has been found to encorage socio emotional development as well as employability in something like 80% of first time offenders and reduce repeate offending (it also stops "criminal education" whereby experianced criminals teach first offenders how to be more violent more effective criminals).

But again this is "politicaly" not on message.

Have a look at the money flow around the US prison system to see who realy benifits and you will quickly find it is noot the ordinary taxpayer.

But there are other reasons for not "tit for tatting" or "defence by offence". When you do "eye for an eye" you get into a mind set of "use your brawn not your brains" and collateral damage is often high and leads to the "might is right" mentality of the "school bully".

I could go one at great length but look at it this way the Afghan War is likley to go on another 40-80years and achieve little or nothing except a huge budget deficit year on year. In the mean while the Afghan War has actually increased the opiate drugs flow into the US and a whole load of other things that can be directly shown to harm the average US taxpayer so double whamy. Again follow the money and see who gains the power and profit by the Afghan war to see why it still continues.

The way to deal with cyber crime (and that's what it is not war) is to,

1, Treat "cracking" as what it is which is crime not war.
2, Use LEA's not Armed forces to deal with it.
3, Develop better international LE relations.
4, Reduce "short term" / "next quater figures" thinking.
5, Start using more secure operating systems.
6, Start using more secure applications
7, Minimise OS/App functionality.

And a whole load of other quite minor changes that will pay big dividends for little or no real cost.

However when it comes to ICT (both development and deployment) the two most important changes should be,

1, Treat security as a quality issue, (ie build in from day 0 not bolt on after in use).
2, All techs need business qualifications.

JimFebruary 26, 2011 11:31 AM

Most compelling posts so far:

R.S. Hack
Albatross
Clive (As Usual)
Rogue 7
Bill

Most compelling post for H&W:

Fnord. (Gee, could you be more obvious that you are from H&W damage control?) However, very compelling statement from H&W if you are. I think when you start digging into H&W's email traffic (if they are not shredded by now) one might find out differently about their desires on these projects. But, did anyone really believe that H&W would be caught conspiring with anyone else?

Best post clearly was Albatross.

Clive followed up with his usual banter and spot on mathematical summaries. The last post by Clive on harsh treatment should be classroom material. However let me dig through Clive:

-There are other ways that will bring significant savings sooner such as seperating first and repeat offenders into different institutions and offering sensible education policy etc in the first offenders institutions.

Too bad that after a first conviction that the offender is all but doomed. No jobs available to him, other than sweeping streets or cleaning toilets. And add to that a host of other issues, such as travel restrictions around the globe, living arrangements, financial aid for schools, etc. Once convicted in the USA, always convicted. Clive, you need to leave the UK every once in awhile to see what a police state country the USA is today.

-When you do "eye for an eye" you get into a mind set of "use your brawn not your brains" and collateral damage is often high and leads to the "might is right" mentality of the "school bully".

Isn't that what the "War on Terror" is? Isn't that what the USA is: The biggest bully worldwide? Hasn't that been foreign policy since Truman? Isn't that why in the global village scheme of things the USA and its people are the most hated?

-However this is not "politicaly" on message as the benifit will take 15-20years to come on stream.

The United States government can't think that far in advance. They think about as far as their pricks stretch, and that is about the limits of their mentality and future planning.

-In the mean while the Afghan War has actually increased the opiate drugs flow into the US

That's because the USA thinks like Willie Sutton, that is where the drugs/money are, and that is why they rape rob and pillage other countries. Resources man, resources..

On 1-7 Agree completely.

-2, All techs need business qualifications.

As if that suddenly will get us off the hook. Business is mainly about money. Money is mainly about corruption and obtaining more money, which then enables more corruption. What we need less of in security is business people, and what we need more of is street level thinkers who can think beyond their dicks and their needs for fatter wallets. My opinion of course lol.

Clive, your brain is amazing.


Clive RobinsonFebruary 26, 2011 1:02 PM

@ Jim,

"Once convicted in the USA, always convicted"

I know it used to be bad pre-9/11 but I guess it's got worse. I made my mind up not to vist the US for business or pleasure ever again when I flew in a few days after they started taking fingerprints of the inbound passengers.

Does it not occur to people in the US with the ability to change things that not giving convicted criminals a choice in continuing in crime or becoming a useful citizen might actually increase violent crime especialy with "three strikes and out" type rules?

Having been the recipient of violent crime I'll be one of the first to put my hand up to saying that things have to change. But without giving people choice you can only expect things to get worse not better or is their something I've missed?

With regards business qualifications for techs it's a question of being an "ignored outsider" -V- "a tolerated insider".

The man that cuts the cheques at the end of the day "speaks business" not "tech" such people have a very very very limited tolerance of what they consider to be "techno babble". When it comes to listening to "Sales & Marketing" speaking his language and "ICT Sec" speaking what sounds like nonsense which way do you think he's going to vote?

A current example of this is "cloud computing" with "mobile computing" have a look at the vendors sales pitches and "business presentations" and ask yourself why such high risk technology is gaining such traction even when the techs can say fairly accurately and simply as "It cannot be secure with current technology"?

With regards,

"what we need more of is street level thinkers who can think beyond... "

I'm with you all the way on that, but they need to be listened to not just heard, and that means sad to say speaking the language the man speaks, because the man won't learn any other language as he's to busy.

EHFebruary 26, 2011 3:45 PM

Trichinosis: "One of the more disturbing things I found in the Ars Technica piece was HBGary's tendency to repeatedly use "88" in the root password. This is a well known code for the phrase "Heil Hitler" (H being the eighth letter of the alphabet) used by white supremacist groups."

I don't think it has to be that sinister. If you want to use numbers as an additional character class in your password, the 8 is the easiest to type with standard touch-typing methods. The right-hand middle finger has the easiest job with the numbers (for right-handed people), since the ring-finger is significantly weaker and the index finger has to cover both the 6 and 7.

EHFebruary 26, 2011 3:47 PM

That said, if I was going to use '88' in a password, I'd just as soon take the easy bump in complexity by using '8*' or vice versa. ;)

Clive RobinsonFebruary 26, 2011 6:14 PM

If people want another reason to hate HBGary try googling "cenzic" with either "hbgary" or "Greg Hoglund"

Basicaly Cenzic appears to be acting as a patent troll with a patent involving "fault injection" that depending on how you read it could effectivly stop many many security tools used for code and or penetration testing.

And guess who's name turns up on the very very questionable patent ;)

If you are to lazy to google try,

http://www.networkworld.com/community/node/71620

Peter GerdesFebruary 26, 2011 8:59 PM

Look back say 20 years or so when the secrets start to get leaked (people retire, companies go bust etc..). Things seem better now not worse. 9/11 was a turn for the worse but it's not watergate

Clive RobinsonFebruary 26, 2011 9:00 PM

@ BF Skinner,

"It's cause he's got more than one"

For my ears it is true, and it is also true both of them went a little pink on reading the complement.

I'm after all "British" and as I'm sure you know we do embarrassed fairly colourfully at the merest hint of a complement.

JimFebruary 27, 2011 4:24 AM

Clive;

-I made my mind up not to vist the US for business or pleasure ever again when I flew in a few days after they started taking fingerprints of the inbound passengers.

Yes, and retinal scans and body scans and what's next? Blood Tests? Urine Samples? Stool Samples? Footprints? Hair Follicle DNA tests? Think I am joking? I am not.

-Does it not occur to people in the US with the ability to change things that not giving convicted criminals a choice in continuing in crime or becoming a useful citizen might actually increase violent crime especialy with "three strikes and out" type rules?

Yes, so what does that tell you?

Tells me "File Clerks and Convicts." (See the movie Fail Safe for explanation of this analogy)

-But without giving people choice you can only expect things to get worse not better or is their something I've missed?

Worse, much worse. And one would think that there has to be a plan behind it right. The one thing that many can agree on is that criminals, former or current, get zero respect today no matter who they are or were. So, if you lock up half the citizens of the country for various infractions, you have created a new class of citizen. The Convicted, or in this case, The Damned.

-With regards business qualifications for techs it's a question of being an "ignored outsider" -V- "a tolerated insider".

Oh I understand that analogy clearly.

-When it comes to listening to "Sales & Marketing" speaking his language and "ICT Sec" speaking what sounds like nonsense which way do you think he's going to vote?

Agreed. This is the problem, and probably will always be the problem. Besides, who is going to tell the boss what he should or should not do?

Better to just shut up and get paid than to complain and risk job loss and ruination right. Of course this shows just how much Albatross was right in his post.

-A current example of this is "cloud computing" with "mobile computing" have a look at the vendors sales pitches and "business presentations" and ask yourself why such high risk technology is gaining such traction even when the techs can say fairly accurately and simply as "It cannot be secure with current technology"?

I assume you also realize just how much money is at stake in mobile payments to the - let's say - average criminal or cracker? Mobile payments will be the new horizon in fraud, and probably has already started. The key is understanding that and doing something about it now before its too late. However as things go in this business the suits at the top are always 2 years behind the curve, and as such, they are not working on this as of yet.

Mobile payments is worth billions and billions to those who can cheat it, break it, crack it or hack it.

-I'm with you all the way on that, but they need to be listened to not just heard, and that means sad to say speaking the language the man speaks, because the man won't learn any other language as he's to busy.

And that is the exact time when the street level people need to form their own business and start working on solutions to problems of the future that are easily seen today. Screw the man lol. Let him lose his ass by being behind the curve.

-If people want another reason to hate HBGary try googling "cenzic" with either "hbgary" or "Greg Hoglund"

That is groundbreaking stuff. So they patent a technology that everyone uses today and then go after the companies that use it or add code to it and claim its theirs and they want ransom money in return. No different than scamming or trolling for money or even criminally obtaining it through legal means. That alone should be a topic for discussion here.

-And guess who's name turns up on the very very questionable patent ;)

I wonder why he won't come over here to discuss it?

Amazing find Clive, just amazing. And no, I wasn't tooting your horn. Your thought processes are ones I study.

rogerFebruary 28, 2011 3:01 PM

while most of the fingers pointed at questionable ethics of hbgary, most folks are overseeing a great example how "mainstream" security outfit working with hbgary to fabricate "night dragon" FUD paper and that seems to be just a tip of an iceberg...

ShaneMarch 2, 2011 2:48 PM

@Clive

"[...] I know I sound jaundiced about this but you see it all the time [...] and you just realise that to many seniors are just like serial killers not just in thought but actual deed"

In fact, Clive, it's been shown recently that roughly 1/100 people in the US are clinically psychopathic. Of those, some are incarcerated for violent crime, but the majority are employed as white-collar executives, believed to be due to the fact that the nature of those positions are quite a natural fit for those lacking empathy.

So you're not coming off as bitter, simply correct. This is pure neuroscience, it's simply telling us what many of us suspected all along.

Clive RobinsonMarch 2, 2011 3:27 PM

@ Shane,

"So you're not coming off as bitter, simply correct This is pure neuroscience, it's simply telling u what many of us suspected all along."

And so dies an eternal optomist ;)

Anonymous1961March 4, 2011 8:35 AM

We fall into their trap the more we discuss this. Ignore them. Their only product is fear. They offer society nothing, and when they apply one of their so-called "attacks", work together as a team. They are trivial to defeat. But, only if you face fear with intelligence and a clear mind.

Read Mr. Schneier's books. Most of the basics that you need are there. Fill the blanks by thinking and discussing with those you work with. Then there is no fear, and no need for product. Without the product, they don't have their foot in the door. End of game.

Nick PMarch 7, 2011 12:37 PM

@ BF Skinner

"Because he's got more than one."

It's a ruse. Clive Robinson is actually an entire team of engineers, software developers, managers, and geopolitical consultants. It's a monoculture over there, so they all speak similarly. The rampant use of narcotics in the company, known for its effect on their creative problem solving skills, also results in the somewhat babbling presentation. The "hospital" and "mobile phone" excuses are taped to every monitor.

Nice try Clives, but I will not be fooled. :P

Nick PMarch 7, 2011 12:51 PM

@ Jim

"Amazing find Clive, just amazing. And no, I wasn't tooting your horn. Your thought processes are ones I study."

Ok, if you want to know so bad, I have a hypothesis for you. The Clives' thought processes work like this: input data + existing brain state (knowledge, memory & heuristics) = new brain state + output data (some to keyboard & some back to brain). It's a truly effective series of neural nets. He doesn't think: shit goes into his mind, entire essays come out. When Clive's actually thinking, it's about something that might take us hours to understand. Like the Unified Field Theory he came up with while on the john yesterday...

@ The Clives

Funny how you always bitch about feedback loops in state machines, yet a well-orchestrated feedback NN is the source of your brilliance. Are you really warning us about a dangerous approach to system development? Or are you just trying to keep us from building something that can compete with you in a given task? :P

Clive RobinsonMarch 7, 2011 1:40 PM

@ Nick P,

"The Clives"

That sounds to much like a skin condition and I've just started itching "enough already" [noise of vigorous scratching to stage left]

In the same vein as your comments,

The trouble with some feedback loops is they disapear within themselves never to be seen again as the whirl tighter and tighter in ever decreasing circles beyond their own event horizon... Sometimes I feel like Zaphod Beebolbrox, in that there are parts of my mind closed of for very deliberate but unknown reasons...

But back to reality sorry as far as I can tell my brain is just an ordinary bucket of grey white and pink goo with bits hanging out in the appropriat places just like everybody elses.

However a rumour has it a very large cat at some point must have crossed my path or scratched me. Because not only am I curious to the point of being terminal (I'll tell you about making an instant duck pond one day) I also appear to have atleast nine lives (I' think I'm on number seven currently).

Nick PMarch 8, 2011 1:01 AM

@ Clive Robinson

Haha you're right. It does sound like a skin condition. Better to get a case of The Clives than the hives. Might learn something from the experience. Seriously, though, sorry to hear of your hospital situation. Get a friend to bring a 5000 watt directional (hypersonic, i think they call it) sound system, point it at the crew, and play backstreet boys nonstop... the same song. The delay this creates should allow you some sleep, so long as the other patients shut up. ;)

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..