Gabriella Coleman has published an interesting analysis of the hacker group Anonymous:
Abstract: Since 2010, digital direct action, including leaks, hacking and mass protest, has become a regular feature of political life on the Internet. The source, strengths and weakness of this activity are considered in this paper through an in-depth analysis of Anonymous, the protest ensemble that has been adept at magnifying issues, boosting existing usually oppositional movements and converting amorphous discontent into a tangible form. This paper, the third in the Internet Governance Paper Series, examines the intersecting elements that contribute to Anonymous’ contemporary geopolitical power: its ability to land media attention, its bold and recognizable aesthetics, its participatory openness, the misinformation that surrounds it and, in particular, its unpredictability.
Posted on October 3, 2013 at 6:43 AM •
For a while now, I have been thinking about what civil disobedience looks like in the Internet Age. Certainly DDOS attacks, and politically motivated hacking in general, is a part of that. This is one of the reasons I found Molly Sauter’s recent thesis, “Distributed Denial of Service Actions and the Challenge of Civil Disobedience on the Internet,” so interesting:
Abstract: This thesis examines the history, development, theory, and practice of distributed denial of service actions as a tactic of political activism. DDOS actions have been used in online political activism since the early 1990s, though the tactic has recently attracted significant public attention with the actions of Anonymous and Operation Payback in December 2010. Guiding this work is the overarching question of how civil disobedience and disruptive activism can be practiced in the current online space. The internet acts as a vital arena of communication, self expression, and interpersonal organizing. When there is a message to convey, words to get out, people to organize, many will turn to the internet as the zone of that activity. Online, people sign petitions, investigate stories and rumors, amplify links and videos, donate money, and show their support for causes in a variety of ways. But as familiar and widely accepted activist tools — petitions, fundraisers, mass letter-writing, call-in campaigns and others — find equivalent practices in the online space, is there also room for the tactics of disruption and civil disobedience that are equally familiar from the realm of street marches, occupations, and sit-ins? This thesis grounds activist DDOS historically, focusing on early deployments of the tactic as well as modern instances to trace its development over time, both in theory and in practice. Through that examination, as well as tool design and development, participant identity, and state and corporate responses, this thesis presents an account of the development and current state of activist DDOS actions. It ends by presenting an analytical framework for the analysis of activist DDOS actions.
One of the problems with the legal system is that it doesn’t make any differentiation between civil disobedience and “normal” criminal activity on the Internet, though it does in the real world.
Posted on May 22, 2013 at 6:24 AM •
Can anyone make heads or tails of this story? (More links.)
Remember that Ohio was not the deciding state in the election. Neither was Florida or Virginia. It was Colorado. So even if there was this magic election-stealing software running in Ohio, it wouldn’t have made any difference.
For my part, I’d like a little — you know — evidence.
Posted on November 20, 2012 at 12:53 PM •
I have several stories in the news (and one podcast), mostly surrounding the talks I gave at the RSA Conference last month.
Posted on March 15, 2012 at 2:35 PM •
the hacktivist group Anonymous hacked into several BART servers. They leaked part of a database of users from myBART, a website which provides frequent BART riders with email updates about activities near BART stations. An interesting aspect of the leak is that 1,346 of the 2,002 accounts seem to have randomly-generated passwords-a rare opportunity to study this approach to password security.
Posted on October 20, 2011 at 6:25 AM •
Freakonomics asks: “Why has there been such a spike in hacking recently? Or is it merely a function of us paying closer attention and of institutions being more open about reporting security breaches?”
They posted five answers, including mine:
The apparent recent hacking epidemic is more a function of news reporting than an actual epidemic. Like shark attacks or school violence, natural fluctuations in data become press epidemics, as more reporters write about more events, and more people read about them. Just because the average person reads more articles about more events doesn’t mean that there are more events—just more articles.
Hacking for fun—like LulzSec—has been around for decades. It’s where hacking started, before criminals discovered the Internet in the 1990s. Criminal hacking for profit—like the Citibank hack—has been around for over a decade. International espionage existed for millennia before the Internet, and has never taken a holiday.
The past several months have brought us a string of newsworthy hacking incidents. First there was the hacking group Anonymous, and its hacktivism attacks as a response to the pressure to interdict contributions to Julian Assange‘s legal defense fund and the torture of Bradley Manning. Then there was the probably espionage-related attack against RSA, Inc. and its authentication token—made more newsworthy because of the bungling of the disclosure by the company—and the subsequent attack against Lockheed Martin. And finally, there were the very public attacks against Sony, which became the company to attack simply because everyone else was attacking it, and the public hacktivism by LulzSec.
None of this is new. None of this is unprecedented. To a security professional, most of it isn’t even interesting. And while national intelligence organizations and some criminal groups are organized, hacker groups like Anonymous and LulzSec are much more informal. Despite the impression we get from movies, there is no organization. There’s no membership, there are no dues, there is no initiation. It’s just a bunch of guys. You too can join Anonymous—just hack something, and claim you’re a member. That’s probably what the members of Anonymous arrested in Turkey were: 32 people who just decided to use that name.
It’s not that things are getting worse; it’s that things were always this bad. To a lot of security professionals, the value of some of these groups is to graphically illustrate what we’ve been saying for years: organizations need to beef up their security against a wide variety of threats. But the recent news epidemic also illustrates how safe the Internet is. Because news articles are the only contact most of us have had with any of these attacks.
Posted on July 21, 2011 at 6:07 AM •
The police arrested sixteen suspected members of the Anonymous hacker group.
Whatever you may think of their politics, the group committed crimes and their members should be arrested and prosecuted. I just hope we don’t get a media flurry about how they were some sort of cyber super criminals. Near as I can tell, they were just garden variety hackers who were lucky and caught a media wave.
EDITED TO ADD (7/19): I understand that the particular people arrested are innocent until proven guilty — hence my use of the word “suspected” in the first sentence — but there doesn’t seem any question that members of the group claimed credit for criminal cyber attacks. I suppose I could have said “the group allegedly committed crimes,” but that seemed overly cautious.
And yes, I agree that calling them a “group” is probably giving them more organizational credit than they have.
EDITED TO ADD (7/19): More news articles.
EDITED TO ADD (7/25): Last December, Richard Stallman wrote about the Anonymous group and their actions as a form of protest.
EDITED TO ADD (8/12): Department of Justice press release on the arrests.
Posted on July 19, 2011 at 2:50 PM •
One of the effects of writing a book is that I don’t have the time to devote to other writing. So while I’ve been wanting to write about Anonymous vs HBGary, I don’t think I will have time. Here’s an excellent series of posts on the topic from ArsTechnica.
In cyberspace, the balance of power is on the side of the attacker. Attacking a network is much easier than defending a network. That may change eventually — there might someday be the cyberspace equivalent of trench warfare, where the defender has the natural advantage — but not anytime soon.
EDITED TO ADD (3/14): Stephen Colbert on HGary. Another article.
Posted on February 28, 2011 at 5:58 AM •
This is a really good piece by Paul Roberts on Anonymous vs. HBGary: not the tactics or the politics, but what HBGary demonstrates about the IT security industry.
But I think the real lesson of the hack – and of the revelations that followed it – is that the IT security industry, having finally gotten the attention of law makers, Pentagon generals and public policy establishment wonks in the Beltway, is now in mortal danger of losing its soul. We’ve convinced the world that the threat is real – omnipresent and omnipotent. But in our desire to combat it, we are becoming indistinguishable from the folks with the black hats.
…While “scare ’em and snare ’em” may be business as usual in the IT security industry, other HBGary Federal skunk works projects clearly crossed a line: a proposal for a major U.S. bank, allegedly Bank of America, to launch offensive cyber attacks on the servers that host the whistle blower site Wikileaks. HBGary was part of a triumvirate of firms that also included Palantir Inc and Berico Technologies, that was working with the law firm of the U.S. Chamber of Commerce to develop plans to target progressive groups, labor unions and other left-leaning non profits who the Chamber opposed with a campaign of false information and entrapment. Other leaked e-mail messages reveal work with General Dynamics and a host of other firms to develop custom, stealth malware and collaborations with other firms selling offensive cyber capabilities including knowledge of previously undiscovered (“zero day”) vulnerabilities.
What’s more disturbing is the way that the folks at HBGary – mostly Aaron Barr, but others as well – came to view the infowar tactics they were pitching to the military and its contractors as applicable in the civilian context, as well. How effortlessly and seamlessly the focus on “advanced persistent threats” shifted from government backed hackers in China and Russia to encompass political foes like ThinkProgress or the columnist Glenn Greenwald. Anonymous may have committed crimes that demand punishment – but its up to the FBI to handle that, not “a large U.S. bank” or its attorneys.
Read the whole thing.
Posted on February 25, 2011 at 6:14 AM •
Sidebar photo of Bruce Schneier by Joe MacInnis.