Schneier on Security
A blog covering security and security technology.
July 19, 2011
Members of "Anonymous" Hacker Group Arrested
The police arrested sixteen suspected members of the Anonymous hacker group.
Whatever you may think of their politics, the group committed crimes and their members should be arrested and prosecuted. I just hope we don't get a media flurry about how they were some sort of cyber super criminals. Near as I can tell, they were just garden variety hackers who were lucky and caught a media wave.
EDITED TO ADD (7/19): I understand that the particular people arrested are innocent until proven guilty -- hence my use of the word "suspected" in the first sentence -- but there doesn't seem any question that members of the group claimed credit for criminal cyber attacks. I suppose I could have said "the group allegedly committed crimes," but that seemed overly cautious.
And yes, I agree that calling them a "group" is probably giving them more organizational credit than they have.
EDITED TO ADD (7/19): More news articles.
EDITED TO ADD (7/25): Last December, Richard Stallman wrote about the Anonymous group and their actions as a form of protest.
EDITED TO ADD (8/12): Department of Justice press release on the arrests.
Posted on July 19, 2011 at 2:50 PM
ALLEGEDLY committed crimes.
"...the group committed crimes and their members should be arrested and prosecuted."
How about we let the FBI complete its investigation, then let the prosecutors assemble their case, and then have a judge determine whether or not anyone should be held over for trial...unless you're ready to proceed straight to sentencing.
"lucky and caught a media wave."
Not so sure about "lucky," given that Federal prosecutors are going to be slavering to make examples of them.
What they allegedly did was mostly just a denial of service attack. If that's illegal, then it shouldn't be. It's the cyber equivalent of a sit-in protest. You're just blocking the entrance so customers can't get in, to make a point.
4Chan Party Van!
If what they did was essentially a DOS attack, then (Nacho aside) what they did should be illegal if it isn't already. If you want to stage a protest, sit in front of your own door, not in front of mine. It is remotely possible that I may not agree with your particular agenda.
"Whatever you may think of their politics, the group committed crimes and their members should be arrested and prosecuted."
I usually like the technological articles on your blog but could you please refrain from venting your own opinion? Anonymous is just a group of protesters and as Nacho states: " It's the cyber equivalent of a sit-in protest. "
Signing off... Really... Unsubscribe... You are no longer the authority on security you were years ago... You've lost touch with the crowd...
A single finger salute from The Netherlands!
Sit in protests are often illegal - they are just non-violent. What they (allegedly) did is illegal. That said, I don't agree they should be arrested and prosecuted. Not all illegal activity requires punishment. Civil disobedience driven by social injustice (especially non-violent, as in this case) can trump "keeping the peace" values.
I think calling Anonymous a "group" is overstating matters a bit; that implies some degree of organization. ;)
Usually you're hijacking computers in order to launch a DDOS, so it's a sit-in protest where you kidnap 40,000 people to block the entrance for you.
Probably should be illegal, yes.
Apparently they are no longer anonymous
Suggest that they change their name to something that fits informers are just ratting one another
If they used a bot net...
on the other hand if all DoS was created by lower orbit cannon ... then no bot nets are involved and any DoS really came from a willing human... which is then quite close to a sit in protest.
they didn't just DOS or DDOS come on now, your whole counter argument is misinformed and hence flawed
> Near as I can tell, they were just garden variety hackers who were lucky and caught a media wave.
In fact, however, they are more like political protestors or vigilantes, and for that reason, far from "garden variety hackers".
While a lot of Anonymous' activity is DDOS, they do have a history of defacing websites and hacking sites (ex: HBGary). There should be little question to whether those activities are illegal. Bruce didn't say the suspects were guilty--but there is little doubt that some of the group's activities went beyond DDOS and were illegal by any reasonable definition.
I've been following this blog for a year or so, and like most people here have stated, I've seen a decline in tech-news quality Mr. Schneier...Are you a consultant w/ tech authorities now or are you a man for freedom on the internet..? Guilty until proven innocent..? How are we sure that these people are guilty, since it's apparently "easy" to use other people's internet addresses and computers as proxies...Also, this is a protest like some have stated...Isn't that freedom of speech in a way..?
Never question The Bruce.
I think there's little question as to whether or not Anonymous did such things. The question that remains is whether or not these guys are actually Anonymous. Bruce's post does leave that open.
I personally found it more interesting when Brian Manning supporters were outraged that he was being court-martialed. They couldn't seem to understand that, because he signed a paper saying he'd safeguard classified information, that there were suddenly consequences for sharing said information.
Item one: Linking to Faux News immediately impairs my trust in the story.
Item two: The hackers of Anonymous have indeed broken quite a few laws, they should not be surprised to have the heat land on them
Item three: Sixteen folks? Even assuming the folks they rounded up are actually responsible for some fraction of Anonymous' work, I think they'll be replaced faster than Al Qaeda's #3 honcho.
Gotta say I'm rooting for anonymous. Civil disobedience in the face of ever-creeping authoritarianism.
Whether these guys are or were members, or just sympathetic or something, we'll probably never know. But I guarantee that the Feds will find *someone* to prosecute.
Some salient things to think about.
1, Fox.news is part of the Murdoch Empire.
2, It has been revealed in the UK that Murdoch employees were providing the police with information as confidential informants, and were paid in information from the National Criminal Intel Service computer systems.
3, The NCIS who acted as liaison between the Met and MI5 are known to have had highly classified information on their computers.
4, The information leaked to the Murdoch journalists caused a prosecution of both a police officer and a journalist. The judge on examining the evidence noted the high level high value of intel going in both directions, therefore Murdoch journalists were willingly handing over information recognised as "Privileged information" under UK law to MI5...
Now consider that this sort of behaviour appears endemic in the Murdoch empire of which Fox.News is part and they claim "exclusive" shortly after anonymous attacked the UK Sun Newspaper website. The Sun is a Murdoch "Red Top" and since Murdoch closed the News of the World is now the flagship of his UK newspapers.
Also the information supplied about Mr Cleary in the UK appears at variance with the truth that is coming out. Further as is known Mr Cleary's details were placed on the Internet some period of time prior to his arrest with claims he was various members of anonymous etc all of which have subsequently been disproved. There appears to be a degree of certainty that a hate campaign was orchestrated against Mr Cleary by various members of another rival organisation who appear to believe he released their details.
Thus all things considered I would be very careful about drawing any conclusions about anything any Murdoch organisation claimed about "anonymous" especially as it is known that Murdoch Journalists interviewed members of anonymous in the recent past...
Based on what has come out in the UK it could well be the case that Fox have knowledge on these individuals from past interviews and actually passed the information on to the various LEA's and this is how they "got their exclusive".
The cops went after those hackers a lot quicker than they are doing so against the billionaire who did the same thing. No surprise really ...
It's Bradley Manning. And you sure are good at beating up strawman arguments.
The consequences of revealing that US tax dollars were funding pederasty, just to name one out of scores of examples of damning cables, should not be greater than, say, the consequences of torturing prisoners.
But it looks like whistleblowers are worse than torturers in the US, based on our actions.
I am divided as to whether participating in a DDoS should in and of itself be an illegal act. All that they are doing individually is establishing TCP/IP connections (or partial connections) to a server which has been setup for that purpose. They are doing that a lot, but is that something that should be illegal? I suppose we can rely upon the malicious intent to differentiate their activities from those of someone who connects automatically to download lots of data.
"'...the group committed crimes and their members should be arrested and prosecuted.' How about we let the FBI complete its investigation, then let the prosecutors assemble their case, and then have a judge determine whether or not anyone should be held over for trial...unless you're ready to proceed straight to sentencing."
I suppose. I didn't think there was any question that the group committed crimes -- or, at least, that the group took credit for committing crimes. The question that the judicial system will decide is whether or not the particular individuals arrested were the ones who committed those crimes.
"ALLEGEDLY committed crimes."
The individuals allegedly committed crimes, yes. I don't think any of us have any data about whether or not the FBI arrested the right people.
"What they allegedly did was mostly just a denial of service attack. If that's illegal, then it shouldn't be. It's the cyber equivalent of a sit-in protest. You're just blocking the entrance so customers can't get in, to make a point."
I sort of agree. I'd like there to be some strong doctrine of civil disobedience in cyberspace. Whether or not DOS attacks should be illegal depends a lot on the mechanisms of the attack, at least in my opinion.
"Guilty until proven innocent..? How are we sure that these people are guilty, since it's apparently 'easy' to use other people's internet addresses and computers as proxies..."
I think you've misread what I wrote above. The people are certainly not guilty until proven innocent, especially because it's easy to hijack other peoples' computers. I don't believe I said anything otherwise, and I certainly don't believe anything otherwise.
"Item one: Linking to Faux News immediately impairs my trust in the story. "
Agreed. It was the only link I could find when I looked up the story after another reporter called me about it.
There are more news stories on the net by now.
Here's something I didn't expect: Of the ages given in the Fox report, the average works out to 26.8. (I presume that the one person not named is a minor, so adjust it down a bit for that.) I'm not surprised to see a number of people well into their 20s, but I wouldn't have guessed the overall demographic would turn out to be as old as it is.
@Clive: you're definitely on to something. This is obviously fallout from the Murdoch investigations. The whistleblower was found dead (and not much else being said about exactly how he died). He knew more about the hacking than he got to reveal, and now suddenly 16 hackers are in the paddy wagon - with Murdoch-owned Faux Noise getting the "exclusive" scoop on those arrests. Sure, I can do that math.
"The group committed crimes and their members should be arrested and prosecuted"
Unless you are not a law-abiding citizen, this is the only correct analysis of their deeds. The somewhat smarter members of the collective are pretty much aware of the potential consequences of their acts too, and the ongoing massive crackdown - somewhat reminiscent of Operation Sundevil in 1990 - really can come to no one's surprise. Remember that many, if not most of the people visiting this blog are security professionals who are in the business of detecting, analysing, preventing and curing exactly the kind of activities Anonymous is indulging in. Some of us are making a good living out of it, hold special clearances and/or have a reputation to live up to when it comes to impartial analysis and judgement. Whether such acts originate from hacktivists on a mission, Chinese spies, media concerns, governments or shady contractors is pretty much irrelevant.
Then again, and before giving all of us the single finger salute, I would kindly invite you to read or re-read Shakespeare's Julius Caesar, Act 3, Scene II, where Antony addresses the people of Rome. For added effect, youtube the same starring Marlon Brando as Antony. And before you do anything stupid: Brutus and Cassius are long-dead.
I did some lurking on their IRC chats back in December when they were trying to take down some banks and such (I forget which date in particular). The "attack" wasn't going well for several reasons:
--The twitter-targeting account had been closed down, so the group DDOS attack wasn't automagically focused like the LOIC software was designed.
--The targets appeared to be doing a good job of dynamically blocking attackers' IP addresses. (How much of this was due to good prep and how much was due to forewarning, I don't know).
--The group was heavily fragmented.
I tend to believe that the last point was probably their greatest weakness. While the DDOS was supposed to be under way, there were still ongoing philosophical discussion about the "legitimacy" of the targets. Add to that the need to continually update where, exactly, the DDOS was to be aimed, and it was a surprise that they had any effect at all.
(This also seemed to show poor Intel (the information kind, not the mental kind).)
There was also a high-running paranoia about various law enforcement "agents" lurking on the site or trying to dissuade the group. (Possibly justified, since I was able to log on and watch the entire bit of street theater without a problem.)
What really surprises me is that ONLY 16 people or so have been caught up in a law enforcement sweep. The LOIC software provides zero anonymity and the IRC chat was about as porous an organizational tool as you can imagine.
Political, philosophical, legal, and ethical concerns aside, random lynch mobs are a pretty damn poor way of making a point...unless their mere existence IS the point.
@Martijn: Seems to me that if Anonymous is fighting for freedom, democracy, cold india pale ale and All Things Bright And Beautiful(tm), one of those things should certainly be the freedom for Bruce Schneier to have and dare voice his opinion on his own friggin' blog. Sheesh.
"I usually like the technological articles on your blog but could you please refrain from venting your own opinion?"
Gadzooks. Pretty much everything except the URLs are my opinion.
With so many posters jumping to support Anonymous, I have to wonder how many members we have visiting the site.
I'm sure many of them consider themselves security professionals or cyber superheroes.
Just remember, you're no longer 'anonymous' once all your proxies have been traced and your name is on an arrest warrant.
"I usually like the technological articles on your blog but could you please refrain from venting your own opinion?" (random asshole)
"Gadzooks. Pretty much everything except the URLs are my opinion." (Bruce Schneier)
I recall blogs being created for people to do exactly that. I was also thinking a few of these guys sharing the same view have a remarkably similar writing style. I wonder if an analysis of the IP addresses would show it was the same member(s) of Anonymous posting under different names to give them some good PR. Martin, in particular, writes like a typical Anonymous troll.
And to be clear, most aren't even garden variety hackers: they usually Google stuff and con people. A smaller portion are hackers and tend to do basic stuff. Nothing they've ever done was technically innovative enough to make even DefCon. The only clever thing they've ever done was making the epilepsy website blink in a way that caused visitors to experience the worst seizures in their lives. That was just sick.
@ Captain Obvious
It's funny how we were both writing and posting the same idea around the same time. Is the "Anonymous" infiltration of this blog that obvious? (No puns or insults to their stealthiness intended.)
They committed crimes.
Yes, but that is not why the policing efforts were stepped up to the level they needed to be to get results, as they undoubtedly were. Rather, it's because they dared to support a free-press organization that was Anti American. Comforted the enemy.
Selective enforcement is far too powerful a tool. I would rather they got off scot-free than they go to jail because the government decided they were too *uppity* to stay free and found a convenient excuse to get their way. Especially given their relatively benign crimes.
I believe Anonymous deserves a lot of support. They were one of the first groups to speak out against the U.S. persecution of Julian Assange and detention/torture of Bradley Manning, both of which are pretty repugnant U.S. policy.
"They committed crimes. Yes, but that is not why the policing efforts were stepped up to the level they needed to be to get results, as they undoubtedly were. Rather, it's because they dared to support a free-press organization that was Anti American. Comforted the enemy."
Partly. I think the reason was more that they got so much media attention for their attacks and their views.
"I didn't think there was any question that the group committed crimes -- or, at least, that the group took credit for committing crimes. The question that the judicial system will decide is whether or not the particular individuals arrested were the ones who committed those crimes."
Yup, someone probably did what some of these guys will probably be charged with, and until they are safely in the hands of a judge and jury they are at the mercy of the same bureaucracy that builds crappy conspiracy cases by letting confidential informants supply fake bombs to clueless wannabes, leaks classified details of its cases to the media when it serves its interests, renditions unnamed suspects to unnamed prison ships, runs Gitmo, and illegally spies on American citizens in the United States whenever asking for a warrant is regarded as undue interference with executive power...
Oh great, a decade of GWOT has gone and made me all radical sounding.
You can give your single-finger salute only because my elders risked their lives to protect your country. Else you'd instead be giving a stiff-armed, five-fingered "Heil Hitler".
They died for your freedom of speech. Have a little gratitude, and respect Bruce's.
@ DoS attack legality:
As I pointed out here:
intent is often a decider of crime/no crime. Those servers were set up to invite people to visit, do business, etc., one person using one connection at a time, and not one mastermind/botmaster firing millions of packets at it for the sole purpose of shutting it down.
DoS blocks the free-speech rights of the web site owner/admin. Two wrongs don't make a right, although a lot of commenters here seem to think they do. Not.
If you block the entrance to my business or home, you have harmed me and committed a crime, regardless of your motives. LULZ had a better plan, as they usually did no harm, but only brought public attention to the pitiable state of IT security. Somewhat less objectionable.
The power of mass protest, petition, etc. are still there. "Anonymous" may have done good by doing evil, but once you start down that path.... Who decides how much good justifies how much evil, and who weighs what is "good" in the absence of written statutes that are adhered to?
@ Bruce: Martijn doesn't seem to think that you are doing good. So, do you grant him the right to DoS your blog?
Hopefully, Mr. Schneier, your sense of morality is strong enough that you can distinguish right and wrong from legal and illegal.
The rationale behind making dramatic arrests is to apply significant pressure (the weight of the Feds and the 10yr /$250k penalties) in order to extract intelligence, legally comb extensively through all digital records seized and uncovered, and to see who will
c) agree to work undercover
The real targets are of course the king-pins and mouthpieces who are getting all the attention And they are still at large. IMHO domestic and foreign LE is already partly "inside" these groups, but not deep enough.
Just want to boost the signal for AlanS's contribution, the DOJ news release at http://www.justice.gov/opa/pr/2011/July/... .
They state that most of the arrests were specifically about the DOS attack on PayPal (for cutting off WikiLeaks), and mention another 35 search warrants executed.
Posting to prove I wasn't one of those arrested... :-) Anyone else missing here today? :-)
My take on Anonymous/Lulzsec: These aren't "bad guys", just "chaos anarchists" on a par with the guys who throw waste barrels through store windows at World Trade Organization meetings.
In other words, their politics aren't that bad, it's just their rather random tactics.
As an anarchist, I obviously can't support the arrest and conviction of anyone. In fact, I got out of jury duty once in Denver by making that clear to a prosecuting attorney during voir dire, pointing out that I would have to find for the defense in every case. The judge wasn't pleased with me - heh, screw him!
BTW, the fact that I don't support the law doesn't mean I don't support kicking someone's butt - or putting a .45 hollowpoint in his head - if they harm me - or anyone else in a coercive manner. I'm not a pacifist anarchist or a Buddhist.
All that said, going beyond, what Anonymous did is called "civil disobedience", not "crime" (even though both are illegal which by definition - and I mean DEFINITION - MAKES it "crime.") The law decides who is a criminal and who isn't, and by means other than deciding whether someone is in actual fact coercing someone else, which is the proper definition of "crime." This is how you end up with marijuana being a "crime".
The larger and more interesting question to me is whether "civil disobedience" is worth the effort, compared to more effective methods like terrorism, insurgency, guerrilla war, and "technological war". Or for that matter, outright "crime" against the corrupt corporations, banks, politicians, media and other scum who continue to make this world the disaster that it is.
In that respect, Anonymous doesn't impress me. But I respect the intent, even if it's not terribly intelligently implemented. Still, they did embarrass a lot of people, and in the case of HBGary Federal and InfraGard, I think they did a real public service in exposing at least a little bit of the corruption inside the security industry.
Mostly, it's clear these guys didn't have a personal security strategy to keep them from getting arrested - assuming of course that the individuals arrested were actually involved.
The first rule of crime is: Get away with it.
The first rule of an assassination or espionage operation is: Work out a foolproof escape plan, THEN work on the actual plan.
If you're going to take on the Big Dogs, make sure you can evade them. Or be willing, in the manner of civil disobedient protesters, to take the consequences of your actions.
I have absolutely no intention of doing the latter when the time comes.
"Posting to prove I wasn't one of those arrested... :-) Anyone else missing here today? :-)"
Maybe. Or maybe you're an identity thief taking advantage of poor authentication on this blog. A good one could even copy your writing style. I'll assume it's you, though, and you're semi-free. :)
"All that said, going beyond, what Anonymous did is called "civil disobedience", not "crime" (even though both are illegal which by definition - and I mean DEFINITION - MAKES it "crime.") "
That's it in a nutshell. Many posters are confusing "ethical" with "criminal." Like you said, the law decides what's criminal or not. It's just a set of rules of arbitrary morality. Whether an action seems ethically right or wrong, that's irrelevant to its legality. (Unless jury nullification is the strategy, whereby ethics might play a big role.)
"The larger and more interesting question to me is whether "civil disobedience" is worth the effort, compared to more effective methods like terrorism, insurgency, guerrilla war, and "technological war". Or for that matter, outright "crime" against the corrupt corporations, banks, politicians, media and other scum who continue to make this world the disaster that it is."
I totally agree. The latter are much more effective methods. Civil disobedience (read: slowing them down or standing in line to be firehosed) is hardly a threat to these groups. The major cartels have successfully increased their power over years of sporadic resistance. The law is corrupt and serves to maintain the establishment. Logically, legal methods used within a corrupt legal system against criminal individuals will not work most of the time. With a power imbalance this great, the only way for the little guy to win is to use guerilla tactics in a targeted, damaging way. The Viet Cong proved that when they kicked our asses in Vietnam despite millions and billions in equipment, personnel, etc. Although I don't advocate that people use these tactics, I will admit that no others will work against such a formidable adversary as the established cartels.
"Mostly, it's clear these guys didn't have a personal security strategy to keep them from getting arrested - assuming of course that the individuals arrested were actually involved."
It happens more often than you think. Even I slack off at times. The kinds of people that do the dumb stuff Anonymous does are often more careless than most criminals. They're in it for the fun as much as the mission. Real OPSEC isn't fun: it's painfully tedious & pessimistic. You can haz as much OPSEC as you want, but you can't haz it fun or free. ;)
"The first rule of an assassination or espionage operation is: Work out a foolproof escape plan, THEN work on the actual plan."
This statement underscores the importance of not getting caught, but is incorrect. The escape plan depends on both the environment and what the agent is doing in the environment prior to escape. Hence, the two plans must be developed at the same time, with a change in one feeding to the other.
"Or be willing, in the manner of civil disobedient protesters, to take the consequences of your actions. I have absolutely no intention of doing the latter when the time comes."
"Hopefully, Mr. Schneier, your sense of morality is strong enough that you can distinguish right and wrong from legal and illegal."
We all hope we can, but history repeatedly shows that we get it wrong. I've been thinking about this a lot; it's a prominent theme in the book I'm writing.
Is Anonymous a hacker group? Is it a group? I thought it was more of an ironic attribution used by a loosely associated group of people (like signing a wall 'Kilroy was here'). I thought the point was that anyone using the first person plural when talking about Anonymous was 'part of Anonymous'.
Nick P: "The escape plan depends on both the environment and what the agent is doing in the environment prior to escape. Hence, the two plans must be developed at the same time, with a change in one feeding to the other."
Well, in the case cited, you pretty much know what you're going to be doing and where and who the opposition is and what the level of response is going to be once your plan comes off. So working out one - or better, several - escape plans first is easier than figuring out how to do your penetration. I'm speaking generally about E&E plans AFTER you exfiltrate from the target site. Clearly the latter requires the full plan to be developed as you correctly note.
Also, how you cover your approach is related to your after-action E&E - minimizing detection on the approach can make tracking you after that much harder - so that can influence the actual plan as well.
In general, ingress and egress is the hard part - the actual mission objective is already (should be) clearly defined and achievable once in. Of course, execution becomes all important then. But if Murphy happens, both exfiltration and E&E become far more critical and should be prioritized early.
Fun example: When Dick Marcinko's Red Cell SEAL team was reconning Point Mugu Naval Air Station, they found a back exit near the highway that was guarded only by a chainlink fence, a gate and a lock. They cut the lock off and replaced it with one of their own.
Later, when some of the gang were joyriding around on the flight line in a stolen vehicle being pursued by security, they drove up to that rear gate, where another member of the team had already unlocked it. They drove through, relocked the gate and drove away. Security didn't have a key and didn't want to destroy the gate, so...fail.
@ Richard Steven Hack
Thanks for your clarification. Yes, it's the egress part that I thought you were referring to. A more general plan of after-egress or worst-case escape should be formulated before egress plan and maintained consistently.
"Fun example: When Dick Marcinko's Red Cell SEAL team was reconning Point Mugu Naval Air Station..."
You didn't have to say no more. The Sharkman of the Delta taught me much of what I know of unconventional warfare (and cursing like a sailor, but that's irrelevant ;). I read all of his books and that was one of my favorite Red Cell ops, especially how dude took over police station with a revolver. lmao. How he repeatedly kidnapped that admiral was pretty nice, along with the guy's reaction. (Best summed up as BOHICA? hahaha!)
Did you ever see the Red Cell video footage? Many people read the book, but didn't get to see the ops. The good thing is that it's on YouTube. They were intense. The first two or three minutes show why they got disbanded. The sailors couldn't take the realism. I bet quite a few were traumatized for life by the "simulation." (Admittedly, I probably would be too.)
Red Cell Security Exercises part 1 of several
"One man's terrorist is another man's freedom fighter." It's a prominent component of a book I am writing about bad asses with guns spending American tax dollars on state sponsored military jauntas. STMF.
Nick P: Thanks for the link! I've actually never seen those.
Relevant to whether Anonymous are criminals is this new case against Aaron Swartz for hacking into JSTOR.
What would happen if you hacked into a library?
Clearly, it's illegal access to a computer system based on how it was done. But it's not clear what the damage actually is. It's more in line with old-school MIT hackers than anything else. It's clearly different than what Anonymous did but the prosecution is the same.
Okay, Mighty Bruce sort of slipped up. He left out a word. But if he were commenting on Casey Anthony, would you be so quick to criticize?
Nick P: Watching those videos now!
Love the bit in video 3 where Dickie is saying he jumped a fence, walking around with no badge, he sees people thinking "W..h..e..r..e..'..s h..i..s.. b..a..d..g..e..?.."
Bodges? We don' need no steeken bodges! LOL!
Most Hacking organizations seem to place extreme importance on anonymity but IMHO do so at the cost of ignoring other methods that can ensure you remain arrest free.
Here's my thoughts
1) It is a given that there are multiple LEO's from multiple countries working these cases, so learn their "Tells" and make your tactical MO an exact copy of a LEO agents operational MO. Think about it, they can't risk compromising a deep under cover agent, with an arrest and release..oops sorry... one of ours... no no no sorry I meant one of yours...
2) The best "false" trails lead to somewhere rather than simply ending nowhere (see 1.)
3) Beware of Viruses: Most viruses have Inoculation code to avoid infecting their own computers, your PC isn't on the list, so be extra careful.
4) Configure your laptop to match the typical hardware "finger print" of the LEO you're hoping to be confused with.
5) Be very meta data aware.
Network access times are a dead giveaway, as is comment style and length, as well as coding style, speed and unique system knowledge.
6) "Accidentally" reveal things you shouldn't know (create your own disinformation)
RH at July 19, 2011 4:10 PM
‘...personally found it more interesting when Brian Manning supporters were outraged that he was being court-martialed. They couldn't seem to understand that, because he signed a paper saying he'd safeguard classified information, that there were suddenly consequences for sharing said information.’
The outrage was focused on two aspects: torture; and that he was NOT court-martialed.
He has not been court-martialed to this day.
But of course the President has said he’s guilty.
You’re comfortable with that?
RobertT: The problem with making your hacking look like a LEO is that the other hackers in your group will now think YOU'RE an LEO and cut you off.
Which is one easy way to break up any group - get everyone accusing each other of being a snitch, regardless of whether anyone actually is. I can tell you from Federal experience that is incredibly easy.
And some competing LEO will try to sabotage your "investigation" due to inter-agency squabbles. :-)
Actually, any group hacking is doomed, just like most terrorist groups are easily infiltrated. It's really hard to vet someone so that you can be sure he REALLY supports the same goals you do. I think a science fiction writer pointed that out in one of his stories, where an agent infiltrated several different groups by demonstrating an intimate knowledge of the history and belief structures and attitudes of those groups which he claimed "couldn't be faked" by a police agent - except it could.
Better to hack alone - or at worst, with people you've personally known for a long time - and even that's risky.
Again, the only possible secret is the one in your head you've never told anyone.
Do we have any knowledge of whether or not these folks did more than just run the LOIC? I've been hearing speculation that the FBI rounded up a few nobodies to keep up appearances, but I have no idea one way or another.
"The larger and more interesting question to me is whether civil disobedience is worth the effort"
It depends on your time perspective and the support you can muster. The likes of Rosa Parks come to mind. Times are of course much different today. I have no doubt that her actions in present day America would be met with a coordinated Fox media campaign to depict her as an unpatriotic lesbian with links to Al-Qaeda and a history of substance abuse and mental illness. Congressmen on the payroll of large corporations would propose bipartisan legislation for broad and unmonitored government powers to deal with her ideas and call it "The Protect Our Children"-Act. Financial institutions would make it impossible for sympathisers to make donations. I could go on.
So yes, unless you are willing to have your life and that of your family destroyed, risk serious time in jail and with little hope for any short-term return on investment, I'd say that civil disobedience only is probably not the way most of us would wish to go.
@Nacho, you seem to believe that sit-in and sit-down protests are not illegal.
Sit-down protests are obstruction of the highway, a criminal offence.
Sit-in protests are trespass with intent to deny the lawful occupier, which I am pretty sure is a criminal offence in many places (IANAL). (As opposed to straight trespass without intent to deny lawful use to the occupier, which is generally a civil offence with actual damages recoverable only).
Both of them amount to breach of the peace.
Why did you think the police arrest such protesters if it's not illegal?
Wow, one extreme to the other.
@mcb: Don't be such a priss.
@Ben: Don't be such an idiot. Why would the police ever arrest someone if they hadn't done anything wrong? I mean they're angels on earth, right? They're never corrupt, they never get things wrong, arrests are always made solely because someone clearly broke the law and every arrest leads to a prosecution! Protests are not illegal in any civilised country.
--- The fact that young, 21-year-old kids are going to do hard, Federal time, for some DDoS protest, is disgusting and speaks to the abusive nature of the State.
--- That being said, those kids should have put their talents to writing actual software that helps to protect freedom.
--- Instead all they have managed to do is bring more heat down on everyone, get themselves thrown into jail, and speed up the draconianization of laws and enforcement. (All WITHOUT actually contributing any freedom-protecting software, and thus leaving things worse than they started.)
"Whatever you may think of their politics, the group committed crimes and their members should be arrested and prosecuted."
Of course, since port scanning or pinging a machine without authorisation falls under the idiotic purview of state 'crimes' perhaps we should not make such a bold statement.
A crime is something the state defines, very much temporarily, as wrong. Sometimes people who commit crimes should NOT be prosecuted because the original law is unjust or unreasonable, a product of the transient nature of law.
@RSH "Posting to prove I wasn't one of those arrested... :-) Anyone else missing here today? :-)"
I am here :-) I just don't have anything interesting to add to this, nor a particularly strong opinion to voice.
Other than to say, coming here and complaining about Bruce's opinion on something is a pretty weird thing to do. If you disagree argue your point - fine - complaining that the owner of a blog has written what they think is a giant step on the road to madness.
Sadly, in this instance, as is so often the case, I suspect the FBI will have arrested some nobodies (as mentioned above) and it will have little or no impact on the activities of the "hacker groups" we talk about today. It will let the FBI claim it is doing something though.
For those comparing ddos to a sit in, you know sit-in protests are illegal? That is the point of them. It's illegal to restrict entry or hamper a business from operating.
It's also why you see the pro-lifer nutjobs not blocking entry into abortion clinics usually. If they do that they will get arrested.
"My take on Anonymous/Lulzsec: These aren't "bad guys", just "chaos anarchists" on a par with the guys who throw waste barrels through store windows at World Trade Organization meetings. In other words, their politics aren't that bad, it's just their rather random tactics."
I guess then defining them as "bad guys" depends on if you think their political viewpoint trumps their actions. I tend to think your actions speak louder than your politics.
That does bring out another point though. Even if you grant Anonymous every consideration on their stated motivations, they end up looking like the clueless street warrior throwing things through innocent bystanders windows. They cause a lot of collateral damage. I think they want to be viewed like the next Rosa Parks, but they have to clean up their act if they want to get up to her level.
I note that DOJ is doing nothing about the DDoS attack on Wikileaks eight days prior to this attack on Paypal.
But apparently the government can commit whatever crimes it wants to with impunity.
We are *not* obliged to presume innocence. There is no law that says everyone must presume innocence.
The reason the media uses "allegedly" is to prevent libel/slander lawsuits. The media has no obligation to presume innocence, but if they go around announcing guilt and they're wrong, they get sued.
Of course, I'd rather everyone presume I were innocent if I were indicted. But the "presumption of innocence" only applies to the members of the jury, everyone else is free to presume guilt as they wish.
Anon: One has to admit that is true. But presuming a lot tends to show one up as a fool eventually. So most people pay at least lip service to avoiding it.
There's also a difference between presuming someone did something and recognizing that one cannot prove it.
I'm pretty sure Dick Cheney had something somehow on some level to do with 9/11 but I can't prove it.
And of course in the French system one is guilty until proven innocent - conveniently for French law enforcement.
I'm surprised there isn't a push in the US system to switch to the French system because the attitude certainly would agree with most US cops and politicians and indeed most of the population.
"But presuming a lot tends to show one up as a fool eventually. "
Does it? Me, I'm nobody, and really, nobody cares what I think. All those people out there saying Ms. Anthony is guilty, do we really care if they turn out to be wrong? Do we care if they're right?
"There's also a difference between presuming someone did something and recognizing that one cannot prove it. "
Sure. But do people go around saying "In the beginning, God allegedly created the Earth" ?
We're allowed to believe things that can't be proven, to accept things on faith. At least, outside the courtroom.
"... attitude certainly would agree with most US cops and politicians and indeed most of the population."
Well, most of the population is swayed by what they see in the media, and it's sensationalism that brings in readers/viewers and thus brings in ad revenue. I doubt presumption of guilt would change all that much, just allow the media to print stories without having to say "allegedly".
Does Anonymous have a leader? Is there any centralized direction? If not, then how has it grown to be as large as it is purported to be? And how do they select their targets?
It is scary to ponder whether Anonymous is an example of a growing groundswell of dissatisfaction and rage in our society or just an anomaly. Has anyone read Directive 51/Daybreak by John Barnes? Some interesting similarities.
Anon: I'm just saying it's better not to be one of those people.
And I think people here expected better of Bruce - although it's clear he said "the group" committed crimes - which is true - and not necessarily those arrested for it which is accurate. So people jumped the gun on that one in criticizing Bruce's language.
I agree Manning should be given a trial, so that he can be sentenced sooner. With any luck, he'll receive the death penalty before the year is out.
It is sad that these groups seem to be all tactics, no strategy.
In some ways they are doing more harm than good to their own causes.
Hmm. Anonymous have undoubtedly broken some laws - however my suspicion is that these guys are low hanging fruit - idiots who downloaded their 'dos' software and directly hit various sites with many requests.
This is a completely different scenario to a typical ddos attack, the people who were using this software were intentionally sending many requests to a server from their client but not actually controlling other people's computers to do the same against the owners' will.
So depending on exactly what these people did, I'm not sure that your assertions are correct. Is what I describe above breaking the law? Which law?
Am I breaking the law if a website is a bit slow to respond and I spam the f5 key for a minute? 5 minutes?
I don't know very much about anything.
But I am a History buff. You all know the sayings.."Those who forget History, are doomed to repeat it."
"Nothing is constant but Change." ( Change but not of the coin variety )
"Chocolate is for Champions, mostly."
Countries spy on each other. They always have. Don't you, at least, want to make sure you're spying back? I'm not sure all the time the U.S. is doing that as well. As an American, I'm biased about my home. I want it to be OK. But, long after I'm dead and you're dead, who knows what our government will look like in 200 years? No one.
I'm waffly. I say that because I know the good guys..erm...anyway they say they need some kind of back door just to be on an even playing field. What I don't like very much is that they want to do that by telling private companies how to build their software. I don't like it, but, it goes on and probably has to a lot of the time. Even playing field. Pardon my wistfulness.
I think people feel informed, but powerless. So they see some group like Anon and feel a secret pleasure. SOMEONE'S DOING SOMETHING, I think is the thought. Americans don't seem to take to the streets as much to keep their government from donning tall, black boots. But there's Anon and they know they're breaking the law, else they wouldn't be apprehensive about anything.
We Americans started out as rebels. We broke a lot of laws at that time. Some people went to jail, then to war. And here we are.
Civil disobedience is good. But it's also bad.
So, there ya go :) Was it too 'heavy'?
My top 3 reasons for the increase in Hacking:
1) Script kids provide good cover and deniability for targeted covert government ops.
2) For profit hackers leverage LEO's focus on Hacktivists and even provide them with many of their tools. The logic is, if they are busy catching you then I'm safe.
3) Loyalty to "king and/or country" is becoming a quaint but outmoded concept in the modern global village. This is especially true in light of the comical farce characterizing the US's post 9/11 activities both militarily and economically.
Anonymous is the people. Not a hacker group. We are tired of the corruption and tyranny. Are you? www.whatis-theplan.org
To avoid confusion: the comments from here to July 27, 2011 11:25 AM were moved from another thread.
Bruce, in the past you have compared some forms of DDOS attacks to virtual sit-ins, suggesting that they were legitimate forms of cyber protest.
Since you obviously have a strong voice in the security community -- your writings about the principles of security have definitely shaped my career path and (I imagine) many others' -- are you willing to make a statement protesting the draconian charges against the sixteen Anonymous activists (who now face up to 15 years in jail and a $500k fine) and participate in today's PayPal boycott? Certainly this is a draconian, selective punishment in response to nonviolent civil disobedience.
"History will have to record that the greatest tragedy of this period of social transition was not the strident clamor of the bad people, but the appalling silence of the good people." -- MLK
Sadly Rosa, per last week's blog entry about the arrests, he seems to have come down firmly on the side of the reactionaries.
Someone with more tinfoil than I could try and work this into the overall conspiracy theory about the military-industrial-silicon complex inventing Anonymous to get their choice of laws through Congress, & thus increase their sales of security products & consultancy, but I'm not that paranoid myself.
(Possibly relevant, if a little off-the-wall, since I happened to read it last week, is the Prometheus Deception, by Robert Ludlum. A fairly entertaining read if you're into schlocky thrillers.)
Sit-ins are a legitimate form of protest and they are also illegal.
This is not a contradiction - it is the willingness to court arrest and punishment in order to make a point which makes it an effective protest. The suffragettes are the best example of this.
So to say because it is a legitimate protest it shouldn't be subject to punishment is to miss the point.
Without the threat of arrest and punishment you may as well just be on a picnic.
Rosa and S: If you're going to hack for purposes of resistance - or for that matter for any other purpose, or using any other tactics for purposes of resistance - you'd better make sure you have sufficient tradecraft not to get caught.
Because no one is going to help you if you get caught.
I did eight years, 3-1/2 months in Federal prison because I didn't have sufficient knowledge of what I was doing.
The next time I move against the system, I will be one hundred percent certain that I will not get caught. Because the next time it will be life in prison - or more precisely death (in prison or before.)
The Arabs have a saying: "When you draw your sword against your Prince, you must throw the scabbard far, far away." Which means your commitment is ultimate because failure is death and thus not an option.
William S. Burroughs used to say, "Battles are fought to be won - and this is what happens when you lose."
@ RSH (second post):
Yup, although in some cases the willingness to take the consequences can be considered part of the protest, for e.g. greater media attention, or to highlight the farcical nature of the law.
S: Yes, but my point is that such tactics are almost always completely worthless as no change is really effected.
In other words, there should never be a "willingness to take the consequences" - just a willingness to produce results.
Also, I'm not indicting "capitalism" (I used to be a "free market anarchist") except maybe the system we have now which is "state capitalism". Which, to return to the topic of the post, is why civil liability for insecure software will never happen.
What I'm indicting goes several levels below the economic system: right down to human nature. Which is why these sorts of tactics aren't effective in producing "change we can believe in."
And that latter phrase should be the death knell of any sort of "change monkeys" for all time to come, given the results of Obama's administration - as in "Meet the New Boss - Same as the Old Boss".
So you are saying that highly selective and grotesquely disproportionate punishment for those responsible for a relatively small contribution to a collective, nondestructive (though illegal) statement is totally appropriate in our supposedly open society. I see.
Rosa: See, this is why your tactics don't work - you can't read.
I'm saying there IS NO "open society" here or anywhere else and if you intend to change that, you'd better use more effective tactics than "nondestructive statements" and know enough to stay out of jail.
Otherwise, all they have to do is put all of you in jail. Which they CAN do. And would love to do.
Have you ever been in jail? I mean, real prison, not overnight in county and bailed out in the morning by your legal advisors and sentenced to a fine or thirty days probation? Trust me, it's not fun.
More relevant to this blog, however, is this:
Military chip crypto cracked with power-analysis probe
Nick P and others, weigh in. Didn't you guys mention Virtex 4 and Virtex 5 chips from Xilinx in past posts about "secure" hardware?
@RSH: sorry, that was directed toward Ben.
@RSH: Almost no good change happens because individuals are sneaking around in the dark doing hacker/spy things. It happens because the rulers are faced with a crisis (economic, uprising, etc) and they split (this is exactly what happened in Egypt). One group of the rulers aligns itself with a new political faction. Many people in important places listen to Bruce. He is an extremely well regarded public intellectual. If he makes a statement about the Anon-kiddies that represents them as protesters it will have a real positive political impact. It may also make him some enemies. He has to weigh the risks of reprisal against him against the benefits to civil society.
OT: "Officers from the Metropolitan Police Service’s Police Central e-Crime Unit (PCeU) today (27 July) arrested a 19-year-old man in a pre-planned intelligence-led operation. The man arrested is believed to be linked to an ongoing international investigation in to the criminal activity of the so-called "hacktivist" groups Anonymous and LulzSec, and uses the online nickname “Topiary” which is presented as the spokesperson for the groups."
I disagree that it is selective, except inasmuch as they are only prosecuting the ones they can catch. We don't know if it is disproportionate, until we see the sentence.
Otherwise, yes, pretty much.
Before people get into too much of an argument over Anonymous and LulzSec and protesting they should read this,
Including the attached affidavit.
Basically PayPal fingered a bunch of IP addresses and the FBI have sent out their heavily armed "snatch squads" on little if any further evidence.
In other words the FBI have actually failed to carry out what most would consider an investigation, they have simply gone out on the electronic equivalent of "hearsay" which is not at all the way they should be doing things.
For those that are interested in supposed LulzSec members, the following site claims to have outed some of them,
Apparently this was done by looking at IIRC etc chats...
Oh and it looks like the process is error prone because a writer by the name of "Barrett Brown" was outed.
If you want to know more the simplest google search that brings up a high signal to noise ratio is
["barrett brown" lulzsec]
@Clive Robinson, arrest does not require proof it requires probable cause only (a better-than-even chance is not required, and it can be derived from hearsay), and is generally the beginning of the investigation, not the end.
It appears that this arrest may prove problematical.
A look through IRC logs indicates that topiary was a paymaster in that he was handing over largish sums of money for both desktop and server exploits.
So the first question is where does a person that age get that sort of money.
Secondly the person who some are saying has been arrested (Daniel Ackerman Sandberg) was outed some time ago by the Web ninjas.
However it appears there is some doubt that Daniel is topiary,
But also if Daniel is topiary his date of birth appears to be wrong...,
Oh a word of warning, don't go hunting this stuff down on a windows PC many of the links that come up have malware "landmines" for the unwary some of which don't get caught by the "usual suspects" of paid for AV suppliers.
@ Richard Steven Hack
"Nick P and others, weigh in. Didn't you guys mention Virtex 4 and Virtex 5 chips from Xilinx in past posts about "secure" hardware?"
Uh, no. I proposed in the past to use FPGA's to run robustly developed bitstream code to defeat remote or software-level attacks. Clive and RobertT have chimed in many times on the subject to show why they can't remotely be trusted to be free of hardware side channels or resist simple, sophisticated hardware attacks. In other words, the designs assume a trusted (or unsophisticated) administrator and no physical compromise. Nothing changes with the new information, except a validation of our viewpoint on FPGA hardware "security." ;) Thanks for the info though!
Also, I wouldn't call that military chip crypto. They want to sell it to military & military might even buy it, but it's made to commercial standards. If you want to see military, look up the General Dynamics Advanced INFOSEC Machine or other Type 1 crypto hardware offerings by companies like Harris & L-3. TEMPEST, side channel, etc. issues are considered during their design. The average certification process is 2 years of classified testing by the NSA, as per Green Hills. I'd love to see some researchers take a stab at finding easy exploits for them. It would be hilarious if they found them.
Another quick note. I just read the PDF. The only time they mentioned the word "military" is when they say (paraphrased) that anyone using it for military purposes could lose especially sensitive data during such a compromise. So, the "military chip crypto" was just attention-grabbing headline bullshit. What's correct is that this is the "tamper-resistant," "IP protecting" scheme Xilinx is pushing for military to adopt in Type 1 devices. Let's hope this doesn't happen.
Nick P: Thanks for the update. FPGAs are quite a bit above my "pay grade" with regards to hardware knowledge, although I know what they do.
I, too, would like to see the "real" military stuff get a testing from "outside the contractors" people. I suppose the problem is having real hackers get a hold of the hardware. I imagine a lot of this stuff is sold under "so-and-so only" rules. And I imagine the companies have no incentive to let just anyone test the stuff.
Ben: Yes, but as I noted one of those FBI raids ended up at a residence formerly occupied by a band who had an open WiFi connection. The FBI didn't even know the band had moved out weeks before. This doesn't inspire confidence that the FBI is doing proper investigation before rounding up people.
Looks Like I might not be the only one to smell a very large rodent with the Met Police Arrest in the Shetland Isles (Scotland).
Have a look at,
So I guess we are going to have to wait and see what pops out the other side of Paddington Green Nick or wherever they might have him (Lewisham nick is another favourite).
@ Richard Steven Hack
"I imagine a lot of this stuff is sold under "so-and-so only" rules. "
More than that. Type 1 products are "controlled cryptographic items" that protect classified information, often using classified ciphers. They are typically keyed through NSA's Electronic Key Management System, with the keys loaded via dedicated keying devices. They can use Type 3 ciphers like AES & regular key exchanges to protect unclassified transmission. If I bought one, it would be loaded with Type 3 ciphers. Wikipedia has a nice summary of Type 1:
"A Type 1 Product refers to an NSA endorsed classified or controlled cryptographic item for classified or sensitive U.S. government information, including cryptographic equipment, assembly or component classified or certified by NSA for encrypting and decrypting classified and sensitive national security information when appropriately keyed."
That I recall, each company wanting to use them must get a COMSEC account and have a dedicated "COMSEC custodian" that accounts for them. The custodian ensures handling & distribution rules are followed & is the point of interaction with the government. It's all quite cumbersome, expensive and restrictive. Hence, I just want the hardware. I'll build the rest. ;)
"And I imagine the companies have no incentive to let just anyone test the stuff."
They spend millions of dollars engineering these things, go through a two year certification process, and then let some undergrad publicly crack it with under a $1,000 worth of easily obtained/used lab equipment? I THINK NOT!
@ Clive Robinson
"British police duped by LulzSec into arresting the wrong guy."
i want to blog all kinds of heinous groups from networking system.