RSA 2011

There was lots of noise and distraction on the crowded Expo floor of the RSA Security Conference this year. After a grueling couple of years, vendors were back in force with big booths, big news and plenty of entertainment designed to attract visitor traffic. Wandering the floor, I saw – variously – magic tricks, a man walking on stilts, a whack-a-mole game, a man dressed in a full suit of armor and a 15 foot long racetrack that I would have killed for when I was 10.

The most telling display, however, may have been the one in Booth 556, where malware forensics firm HBGary displayed a simple sign saying that it had decided to remove its booth and cancel scheduled talks by its executives. This, after the online mischief-making group Anonymous broke into the computer systems of the HBGary Federal subsidiary and stole proprietary and confidential information. The HBGary sign stayed up for a couple of days, got defaced by someone at the show and was later removed. When I swung by HBGary’s booth on Thursday, it was a forlorn and empty patch of brown carpet where a couple of marketing types were holding an impromptu bull session.

It would be easy to say that the lesson of HBGary is that “anyone can get hacked.” After all, the company’s founder, Greg Hoglund, is one of the smartest security folks around – hands down. He’s a recognized expert on malware and, literally, wrote the book on rootkit programs. HBGary Federal’s customers included the U.S. Department of Defense as well as spy agencies like the CIA and NSA.

Or maybe the lesson of HBGary is simply not to “kick the hornet’s nest,” so to speak: needlessly provoking groups like Anonymous, who have shown themselves to be hungry for publicity and have little to lose in a confrontation. Maybe the lesson is simply that, if you’re going to kick the hornet’s nest, as HBGary Federal CEO Aaron Barr was determined to, then at least spend some time securing your Web and e-mail infrastructure and following password security best practices before you commence said kicking.

But I think the real lesson of the hack – and of the revelations that followed it – is that the IT security industry, having finally gotten the attention of lawmakers, Pentagon generals and public policy establishment wonks in the Beltway, is now in mortal danger of losing its soul. We’ve convinced the world that the threat is real – omnipresent and omnipotent. But in our desire to combat it, we are becoming indistinguishable from the folks with the black hats.

Of course, none of this is intended to excuse the actions of Anonymous, whom HBGary President Penny Leavy, in a conversation with Threatpost, rightly labeled “criminals” rather than politically motivated “hacktivists.” The attack on HBGary was an unsubtle, if effective, act of intimidation designed to send a message to Barr and other would-be cyber sleuths: ‘stay away.’

We can see their actions for what they are, and sympathize deeply with Aaron Barr, Greg Hoglund and his wife (and HBGary President) Penny Leavy for the harm and embarrassment caused by the hackers from Anonymous, who published some 70,000 confidential company e-mails online for the world to see. Those included confidential company information, as well as personal exchanges between HBGary staff that were never intended for a public airing. It’s easy to point the finger and chortle upon reading them, but how many of us (or the Anonymous members, themselves) could stand such scrutiny?

It’s harder to explain away the substance of many other e-mail messages which have emerged in reporting by Ars Technica as well as others. They show company executives like HBGary Federal CEO Aaron Barr mining social networks for data to “scare the s***” out of potential customers, in theory to win their business. While “scare ‘em and snare ‘em” may be business as usual in the IT security industry, other HBGary Federal skunk works projects clearly crossed a line: a proposal for a major U.S. bank, allegedly Bank of America, to launch offensive cyber attacks on the servers that host the whistleblower site Wikileaks. HBGary was part of a triumvirate of firms, also including Palantir Inc and Berico Technologies, that was working with the law firm of the U.S. Chamber of Commerce to develop plans to target progressive groups, labor unions and other left-leaning nonprofits that the Chamber opposed with a campaign of false information and entrapment. Other leaked e-mail messages reveal work with General Dynamics and a host of other firms to develop custom, stealth malware, and collaborations with other firms selling offensive cyber capabilities, including knowledge of previously undiscovered (“zero day”) vulnerabilities.

Look, there’s nothing wrong with private firms helping Uncle Sam to develop cyber offensive capabilities. In an age of sophisticated and wholesale cyber espionage by nation states opposed to the U.S., the U.S. government clearly needs to be able to fight fire with fire. Besides, everybody already knew that Greg Hoglund was writing rootkits for the DoD, so is it right to say we’re “shocked! shocked!” to read his e-mail and find out that what we all suspected was true? I don’t think so.

What’s more disturbing is the way that the folks at HBGary – mostly Aaron Barr, but others as well – came to view the infowar tactics they were pitching to the military and its contractors as applicable in the civilian context as well. How effortlessly and seamlessly the focus on “advanced persistent threats” shifted from government-backed hackers in China and Russia to encompass political foes like ThinkProgress or the columnist Glenn Greenwald. Anonymous may have committed crimes that demand punishment – but it’s up to the FBI to handle that, not “a large U.S. bank” or its attorneys.

The HBGary e-mails, I think, cast the shenanigans on the RSA Expo floor in a new and scarier light. What other companies, facing the kind of short-term financial pressure that Barr and HBGary Federal felt, might also cross the line – donning the gray hat, or the black one? What threat to all of our liberties does that kind of IT security firepower pose when it’s put at the behest of corporations, government agencies, stealth political groups or their operatives? Bruce Schneier – our industry’s Obi-Wan Kenobi – has warned about this very phenomenon: the way the military’s ever-expanding notion of “cyber war,” like the Bush era’s “War on Terror,” does little to promote security, but a lot to promote inchoate fear. That inchoate fear then becomes a justification for further infringement on our liberties.

“We reinforce the notion that we’re helpless — what person or organization can defend itself in a war? — and others need to protect us. We invite the military to take over security, and to ignore the limits on power that often get jettisoned during wartime,” Schneier observed. That kind of conflation is clear reading Barr’s e-mails, where the line between sales-oriented tactics and offensive actions blurs. The security industry veterans I spoke with at this year’s show were aghast at Barr’s trip far off the reservation, but they also expressed a weary recognition that, in the security business, this is where things are headed.

What’s the alternative? Schneier notes that focusing on cyber crime as “crime” rather than “war” tends to avoid the problems with demagoguery. Focus on cyber crime and hacking in the same way as you focus on other types of crimes: as long-term problems that must be managed within the “context of normal life,” rather than “wars” that pose an existential threat to those involved and must be won at all costs. The U.S. needs peacetime cyber-security “administered within the myriad structure of public and private security institutions we already have” rather than extra-judicial vigilantism and covert ops of the kind the HBGary e-mails reveal. Here’s hoping HBGary is the wake-up call the industry needed to reverse course.

Categories: Data Breaches, Government, Malware, Social Engineering, Vulnerabilities, Web Security

Comments (45)

  1. Anonymous
    2

    >but how many of us (or the Anonymous members, themselves) could stand such scrutiny?

    I could.  I don’t conspire against anyone and the most embarrassing things in my e-mail are spam – or maybe IT help requests from my family.

    But I did have some sympathy for them until I found out how unethical and poorly run these HBGary companies are.

  2. Fredric L. Rice
    3

    Aw, look at all that buttthurt from  HBGaryfags who were exposed as fake “security experts.”

    What’s needed is felony indictments against Aaron Barr, HBGary, and HBGary Federal for the money they swindled out of the U.S. government under the pretext of being “security experts.” Then we need to see some Bank of America and U.S. Chamber of Commerce felons and traitors lynched from street lamps for their treason against us.

    Anonymous once again proved themselves to be the last remaining heroes who tirelessly work for the betterment of Democracies.


  3. Truth in Advertising
    4

    …and sympathize deeply with Aaron Barr, Greg Hoglund and his wife (and HBGary President) Penny Leavy for the harm and embarrassment caused by the hackers from Anonymous, who published some 70,000 confidential company e-mails online for the world to see. Those included confidential company information, as well as personal exchanges between HBGary staff that were never intended for a public airing. Its easy to point the finger and chortle upon reading them, but how many of us (or the Anonymous members, themselves) could stand such scrutiny?

    I have no sympathy for them whatsoever. Their company was criminally negligent with respect to their security preparations. Remember, these were the very same people who were advising U.S. government installations, such as Lawrence Livermore Labs, about how to secure their computer infrastructure against state-sponsored actors. Yet, this same company literally broke every rule in the book taught in Security 101 courses.

    Penny Leavy and her husband Greg Hoglund have been quite disingenuous at playing the victim, all the while lying to the press about:

    1) The veracity of the emails published by Anonymous — both Greg Hoglund and Penny Leavy claimed that the emails published by Anonymous were deliberately falsified. They only ceased making these claims after they were informed (in an email) that many of the messages carried S/MIME digital signatures made with a Class 1 VeriSign certificate purchased by Aaron Barr from Verisign.

    2) They further lied to the media regarding the ownership/control of HBGary Federal. They claimed that the company was under separate management, and that HBGary, Inc. only had a 15% stake in the company. However, the Operating Agreement for HBGary Federal, LLC, reveals that Greg Hoglund and Penny Leavy were two of the original six Founding Directors of HBGary Federal. Further, Penny Leavy herself signed the incorporation application with the California Secretary of State. This Operating Agreement confirms the 15% stake held by HBGary, Inc. in HBGary Federal, but it also reveals that Penny Leavy herself holds a 48% share in the company. Her 48% share, plus that of HBGary, Inc. (15%) puts their combined ownership stake at 63%. In terms of dollars invested, their investment in HBGary Federal amounts to some 87.5% of the total monies invested.

    This operating agreement can be downloaded from:
    http://cryptome.org/0003/hbg/HBG-Fed-OA.pdf

    3) When HBGary Federal was facing a cash crunch, and had insufficient funds to meet even basic operating expenses like payroll, Penny Leavy apparently made up the shortfall. Contrast this with their claims to ‘separate management’ and only a 15% stake in the company. In truth, they were majority investors and, I suspect, had no small hand in the company’s operations.

    As such, their claims that they didn’t know the details of the contracts/activities of HBGary Federal are laughable. HBGary Federal’s potential contracts with Hunton & Williams for Bank of America/U.S. Chamber of Commerce stood to make them a great deal of money, so they would have had a considerable interest in the progress of negotiations toward securing such contracts. Consider that some of the emails, where they considered selling the company, put its value at some $2 million.

    By the same token, the contracts with Hunton & Williams stood to bring in $500-700K per month for a period of some six months, at least. At $500K per month, for six months, that amounts to $3 million dollars, or 50% more than what they optimistically expected to realize from a sale of the company. Given the dollar amounts involved, for them to claim ignorance of the details is absolutely ludicrous.

  4. @unwiredasia
    5

    My sentiments exactly. Brilliant. One caveat.


    Security – whether war or crime – requires judgement, not just technique. The image of infosec practitioners is currently taking a huge pounding. Not the way to go … anon people come across making judgements of what is right (or wrong). So-called white hat people don’t seem to … anything that makes money.


    So, who’s white and who’s black here? Take away all the corporate branding, the answer is pretty obvious.

  5. Anonymous
    6

    > We can see their actions for what they are, and sympathize deeply with Aaron Barr, Greg Hoglund and his wife

    You might, I certainly won’t.

  6. Anonymous
    7

    If you actually read through the emails and docs and established a timeline, you’d have found that the Chamber was not “targeting” progressive groups, rather they are doing recon on the progressive groups that have been targeting the Chamber like stopthechamber.com registered back in ’09 long before the Chamber sought help from HBGary.

    Just reading the scope of work doc does not give a full picture. Ars Technica got it right though.

    Maybe next time just plagiarize them.


  7. Larry Walsh
    8

    I couldn’t agree more with Paul’s basic premise — the focus on cyberwar versus cybercrime was untenable at RSA this year. I mused about it on my blog last week (http://channelnomics.com/2011/02/18/cyberwar-why-it-doesn’t-matter/). Vendors and security experts alike talked about cyberwar as if it was the most pressing priority facing enterprises today. In reality, enterprise security practitioners are faced with a variety of operational threats — and rarely is cyberwar among them. What is a real threat? Corporate espionage, data loss, regulatory compliance breaches and operational disruptions.

    Does the private sector play a role in safeguarding critical infrastructure? Yes, but to the point of safeguarding their operations. National defense is the responsibility of the government. The argument that the private sector must play a role in national cyber defense because they own 80 percent of the critical infrastructure is tantamount to saying private corporations must have armed, professional security forces around their buildings because they own a substantial amount of property.

    I agree with Paul (and Bruce Schneier, by extension) that the focus should be on crime, and treating hacking and breaches by non-nation states as crimes. In the end, it’s a threat exposure/risk management equation.

  8. Larry Walsh
    9

    I will add that I defy anyone to produce an enterprise security officer that has successfully justified funding for a security project based primarily on the cyberwar threat.

  9. Anonymous
    10

    What it all sounds like to me is fighting crime with more crime.  How does that get anything fixed?

  10. Dwight Schrute
    11

    As I see it, the most important point to take away from all of this is that HBGary employs a man by the name of Dick Cummings. Dick Cumming! His must be the greatest name in the history of mankind.

  11. Anonymous
    12

    …other HBGary Federal skunk works projects clearly crossed a line: a proposal for a major U.S. bank, allegedly Bank of America, to launch offensive cyber attacks on the servers that host the whistle blower site Wikileaks. HBGary was part of a triumvirate of firms that also included Palantir Inc and Berico Technologies, that was working with the law firm of the U.S. Chamber of Commerce to develop plans to target progressive groups, labor unions and other left-leaning non profits who the Chamber opposed with a campaign of false information and entrapment. Other leaked e-mail messages reveal work with General Dynamics and a host of other firms to develop custom, stealth malware and collaborations with other firms selling offensive cyber capabilities including knowledge of previously undiscovered (“zero day”) vulnerabilities. 

    Look, there’s nothing wrong with private firms helping Uncle Sam to develop cyber offensive capabilities.

    Huh?  Helping BofA and the US Chamber of Commerce is helping Uncle Sam?  Did I miss something?

  12. Anonymous
    13

    Anonymous may have committed crimes that demand punishment – but its up to the FBI to handle that, not “a large U.S. bank” or its attorneys. 

    Okay, I should have finished reading before posting, but still, the section is misleading.

  13. Anonymous
    15

    I think the real moral of the story is “Don’t live  by the knife if you don’t want to die by the sword”. Of course Anonymous themselves wouldn’t like to be scrutinized like that, and that’s exactly the reason this happened. That employee was actively threatening to expose Anonymous and do to them what they ended up doing to HBGary.

  14. Anonymous
    16

    I wrote the above comment. I just wanted to add that  I think that Anonymous is going to get hit by this sort of scrutiny soon as well.

  15. Anonymous
    17

    I mostly agree, however I do think that it’s far too easy to label what Anon has done as a crime while at the same time minimizing what HBGary was doing as criminal.  Anon members apparently just started to push on that house of cards and it crumbled (passwd management…sheesh).  HBGary spent days/weeks/months plotting and selling attacks that are illegal.  It will be interesting to see how professional our justice system is.


    Side note:  Is anyone else surprised at the proposed costs of the services?  Are you kidding me?  With stakes that high I can only say that you have the clients scared to the point of broken when you have the nerve to even propose fees like that without blinking.   

  16. Anonymous
    18

    The important emails should have been encrypted, especially the ones that deal with PCI related information. I do not know if that will hit their clients and certainly hope not, but I guess if you play with fire you get burned (not saying it in the bad and raging meaning it can be).

    Greg Hoglund is also the owner of a patent that overreaches and takes in even manual penetration testing, since he founded Cenzic and created their patent.

    All the information is at http://www.stop232patent.com – this patent covers all fuzzers, web scanners and methods such as SQL Injection and other stuff!!

    It is interesting to see all the deals that happened, great article!!

  17. Anonymous
    19

    Re:  Blaming the victim

    I’m not sure I buy the accusation that those who blame HBGary for getting hacked due to faulty web security are effectively blaming the rape victim for asking for it.  Most rape victims do not hold themselves out as world leading expert rape avoidance and prevention ninjas.  

    I just get the sense that Anon deeply dislikes hypocrisy (like most predominantly teenage groups) and revels in shouting “the emperor has no clothes.”  If you read the full transcript of the IRC log what you will see is far more angst about the faulty methodology that HBGary Federal was using rather than the possibility that actual Anon members would be discovered using HBGary Federal’s methods.  Now that does take a leap of faith that Anon chatters 1) were Anon members, and 2) are truthful in their pronouncements (and therefore not actually concerned that their true identities will be discovered).   The transcript does reveal that Anon members (and we have no way to verify if the talkers are the actual perpetrators) found HBGary’s methods laughable, Aaron Barr basically is the most egotistical and juvenile security “expert” in most of the world who couldn’t stop spouting false arguments that only served to further incense Anon, and that Anon members who seemed to have knowledge of who held Greg’s emails were willing to make a deal to protect those emails in exchange for public humiliation of Aaron (like it’s possible to humiliate him more than already) and a donation to Bradley Manning’s defense fund.  That does not seem to be the act of simple vandals and anarchists, but actually of rational political actors.  Now we can argue about their methods and to be sure their methods are likely criminal in many regards, but (like many whistleblowers, and that’s what I would legitimately call them in this instance) their actions may be illegal in the technical sense; however, the result can be seen as a public good.  HBGary and cyber-counter terrorism firms will have much to review and consider following this incident, some hopefully for the better.

  18. Directive63
    20

    Good insight and well done article.  We’ve referenced it in a blog post and tweeted it to our followers.  Good work!

  19. diocyde
    21

    While this article is wholly sympathetic to HBGary, I will make clear distinctions to parse what I would think many of these readers and the general public are NOT privy to.  There is a wholly and completely different world out there awash in serious serious threats.  Our governments, for the sake of our public’s sanity, whitewash many of these in the names of diplomacy, investigations, classified secrets, national security et cetera….   The “security industry” is @R$$$ completely clueless as the crap they put out is wholly ineffectual.  America’s systems along with everyone else’s systems are getting plundered by cyber actors that are wantonly ripping the innovation of our leaders and brightest innovators out by the guts.  Foreign intelligence, military organizations have a presence in approximately 80 percent of our infrastructure and organizations and there is nothing we can do about it.  They could turn the lights off with a nice Sdelete.exe and it would be good bye.  The same goes for most of the western world, and Europe.

    So when it comes to these occasional calls from Bruce S and Howard S, and other pacifist idiots, who want to treat cyberwar as a cyber crime thing, I would ask them, do you really know how effective our existing national/state law enforcement regimes are?  Would you like me to horrify you by filling you in?  REDACTED… I could give you stats that make your effin ears bleed.  If you’ve never worked in Intel/LE/CounterIntelligence, you don’t really, really know what threats we are facing on a daily basis.

    As far as HBGary and their money hungry angle at targeting US citizens in IO style campaigns, they were idiots.  If you view my blog you would know that Attribution (true attribution is POWER) and you don’t go off taking bad research and making yourself a target for self serving goals.  In this ironic aspect Wikileaks should have been the answer for these guys.  They should have done Real GOOD research and then released it Anonymously (ironic, being that the group was ANONYMOUS).  Anyone in the know might have realized who it came from.  But no, they effed it up.  Amateurs. Link analysis and the angle of Social Networking is the CORE of intelligence collection.  They have been doing it for years and it is extremely large scale and advanced, in ways that make HBGary’s crappy methods PALE in comparison.  The real problem is connecting the dots in the sea of information.

    From the aspect of development of cyber weapons the fact that HBGary was developing them for many clients is not surprising, however what to me personally was surprising is that you ripped yet ANOTHER of my ideas, my autonomous malware not requiring a C2 connection, with your Magenta rootkit.  Now I grant you, you’re not going to actually publicly credit me for inspiring your awesome creation due to classification and Offensive IO weapons development, but neither did you consult me on my ideas or even engage me in talks.  I will simply take it for what it’s worth; imitation is the sincerest form of flattery.  Ironically again, I think I actually did another blog posting about that when, after discussing my Malware DNA idea, you developed code for it in private 30 days later, filed for a trademark, and then patented it and released it 6 months later as a marketable product, all along declaring to Government clients in proposals that this was solely developed by you and another developer with PRIVATE funds.  Well how can you have created an idea with private funds, and then turn around and say that no, it was developed with McAfee and SBIR dollars.  Something doesn’t pass the smell test.

    But I digress. 

    What sucks about this article by “noted” security luminaries is the fact that the trend is towards pussy pacifism in cyber operations and not more offensive action.  And I DON’T mean actions against domestic threats and US citizens.  The reason HBGary Fed, Barr and crew even got in this mess is because they came from a military Information Operations background where this type of warfare is PAR for the course.  Just reference the article this week where an Afghan IO unit was instructed to run PsyOps on our Senators and visiting dignitaries… For christ sake… Thank god they refused but now they are tarnished….  The operations that take place against organized crime/terrorists et cetera go on for a reason.  They have impacts that your audience couldn’t even begin to fathom.  They are GOOD.  The problem is with this type of sh#t and lawyers, it provides good fodder to completely neuter any other operations that stand to yield some type of positive effect for forces that fight for freedom.

    Offensive actions for a corrupt or ignorant government should be abhorred, but offensive cyber actions against the worst, basest elements of cyber crime and cyber espionage should not be ignored.  To do so would be a great peril that our leadership and country won’t realize for years.  When you wake up under a Chinese flag, or have breakfast knowing your country ranks 29th in the world behind Vietnam…

    Wake the hell up.  It’s a new age, we need MORE offensive, aggressive actions in the cyber world, not less.  The overclassification of cyber threat data is an albatross on our country that keeps people in the dark.

    O and btw, a buddy of mine called me to ask “why the hell Aaron Barr wound up in Mantech’s personnel listings….”  Check the emails and see if you can figure out who hired him…

    You see, it will continue to continue; like it or not there are entire industries built on secrets, on Information Operations campaigns, and they have existed for years for reasons.  The only sad fact of this debacle and article is that some retarded idiots decided they had to whore themselves out and earn a buck targeting US citizens, and ruin it for the rest of us.

    Diocyde

    http://www.conanthedestroyer.net

    -For More on real game changers, information warfare strategy, and real threats, don’t believe the hype.  Visit.  If you have a real desire to collaborate, drop me a line on email.

  20. Pseudonymous Revolution
    22

    An excellent and insightful article that I hope will encourage your fellows to consider IT’s role going forward. I fear, however, that they will not reflect very long or deeply; the reason is stated quite clearly by you in your essay:

    “Look, there’s nothing wrong with private firms helping Uncle Sam to develop cyber offensive capabilities. In an age of sophisticated and wholesale cyber espionage by nation states opposed to the U.S., the U.S. government clearly needs to be able to fight fire with fire.”

    Can’t you see that you have yourself already lost your soul?  The wrong-headed assumption that offensive capacities and cyber-weapons must be developed ensures that corpo-statist interests will use those technologies offensively against the citizenry: e.g. NSA wiretaps, targeted assassination of U.S. citizens, torture.

    Any of this sound familiar? In case you haven’t noticed, there are more than a few people in business and government who cannot resist the temptations of power.

    Call Anonymous criminals; they’ve already said they don’t mind:

    “Breaking into  is a crime, by law. understands, go and investigate. But will you please also investigate what we found?”

    But without their “crimes” there is every reason to believe HB Gary’s plans would have gone forward.  Would poor Penny Leavy-Hoglund have put a stop to it?  Or would she have been thrilled to see a sales quota met so she could buy that $1.8 million yacht Greg was so excited about? (http://tinyurl.com/HB16469 and http://tinyurl.com/GregYacht)

    I’m certain you want the best for us all and I don’t wish to offend or alienate you, but PLEASE WAKE UP!  You’re being too easy on yourself…and your fellows.


  21. diocyde
    24

    Ha! Well it all just used to be called Computer…. CNA CNE CNO, but If you find a better term for the activity roiling the Internetz goes for’s itz!

  22. Kevin Zeese
    25

    Thanks to Anonymous for exposing the attack of HBGary and the other security firms, Hunton & Williams, the Chamber of Commerce and Bank of America.  A project I work on, StopTheChamber.org was one of those targeted and I am thankful that this plot was exposed before it went further than it did. 

    These kinds of cyber attacks and harassment have no place in politics.  How dare these firms plot what seem to be a range of crimes against political activists and journalists.  Citizen participation in democracy and journalists who tell the truth are critical to a functioning democracy.  The corporate powers that were using these tactics were unAmerican in doing so.

    The comment in the article “HBGary President Penny Leavy . . . rightly labeled [Anonymous] ‘criminals’ rather than politically motivated ‘hacktivists.’” Nonsense to that claim.  Anonymous is on the side of a democratized media that WikiLeaks is at the forefront of.  A new media where more people can provide information without retribution, more people can distribute information through independent outlets and more people know what big business and government are doing with great transparency. They are very politically motivated on the most important political issues of the time — freedom of speech and press in the internet age, expanding democracy and greater transparency in government — all of which challenges corporate domination of government.

    The big concern Americans should be asking about regarding the private security industry is — how widespread is this type of activity? Anonymous did not go to HBGary to discover this, they just happened to do so in response to an HBGary attack on them.  My concern is this is more common than the security industry is admitting.

    Kevin Zeese
    http://www.ProsperityAgenda.US

  23. Anonypussy
    26

    “to excuse the actions of Anonymous,”


    There’s no reason for excuse. Information is free.

  24. Anonymous
    27

    Even if scrutiny were brought against anonymous, that would only further assist anonymous. The more press given to anon, the more the angry masses will find a faceless voice in the chaos that is anon. Thus the better off anon will be because this will bring new ideas and new ‘leaders’ to anon. 

    We are legion.

  25. Anonymous
    28

    Just think about what could have been accomplished by the same tactics except avoiding anything that drew attention. Imagination is the limit. Go read your logs.

    I used to be on the front lines but it tends to burn you out. I gladly let someone else have that headache. No country for old men.

    Users are all stupid and will blame you for their own ignorance.


  26. Jon Crane
    29

    The author is right.

    Your whole industry is quickly becoming nothing better than online attack dogs for government and corporate interests. Disinformation campaigns to discredit WikiLeaks and datamining to blackmail journalists. Really?!

    If disinformation and blackmail are the services you think it’s okay to provide, then Anonymous was justified in what it did to HBGary. Not only that, but it should continue to fight companies who wish to follow the same unethical, hypocritical and reprehensible business model.

    For shame!

  27. Anonymous
    30

    Hey sweet, does anyone have a copy of Magenta or 12 Monkeys laying around? Please let me know.

  28. Horst H. von Brand
    31

    This whole novel shows (yet again) that being an expert cracker (“wrote the book on rootkits”) is far, far removed from being a real security expert.

  29. Anonymous
    32

    Crowdsourcing resistance is probably the only way resistance movements will be able to sustain themselves in the future. But maybe that’s the way it’s always been. Anonymous are people but it will grow to be adopted as a standard by others. Look back to the first American revolution.

    I have no sympathy for HBGary. They are criminals selling illegal services to the Chamber of Commerce (nowadays a right wing organization and an arm of the Republican Party (or vice versa)). And trying to sell their services to BofA and other organizations. And not competent enough to secure their own networks. Hoglund was supposed to be an expert on rootkits? Feh! I found his briefing on rootkits interesting. But it’s not my field or I probably would have thought it old and tired and full of claims of expertise that really belonged to others.

    The biggest problem with fighting limited illegal and unethical warfare is that it’s creating disorder in a system that doesn’t work well as it is.  It’s like the fools playing with Chernobyl, running the system up and down. Sometimes things get away from the instigator. Often, I think. Do you think Bank of America could stand against concerted citizen warfare? Or the Chamber of Commerce. They operate on the tolerance of the citizenry.

    People in this country know that they have been scammed and cheated and that the government is so corrupt that nothing will be done about it. And that the corporations have become overweening in their arrogance. This anger will continue to grow.


  30. Anonymous
    33

    Apologetics at its finest. HBGary was conspiring to smear Wikileaks in an unethical campaign which would hurt all of us. Of course the HBGary executives would call them criminals, those slimy people were directly hurt by Anonymous.


    A really excellent way to avoid “losing your soul” as you put it is to avoid siding with evil people.

  31. Anonymous
    34

    HBGary are criminals.  They got caught for sticking their noses into a political issue, where a for profit security company simply DOES NOT BELONG.  Smearing journalists, intimidating labor unions…I believe their new name is HB PINKERTON.

    Anonymous is pretty far from “criminal,” i.e. stealing credit cards, trading stolen user data etcetera.  Those are the CRIMINALS that IT security companies and practitioners should be battling.  Labelling political protestors and activists as “criminal” is a typical fascist tactic.

    It is old and tired.  HBGary is revealed for what they are.  Anonymous is the chaotic voice of the people.  Unpredictable, dangerous, even ignorant sometimes, but to the government, and corporations that THINK they control the citizens of the world, I suggest that you LISTEN, or ignore at your peril.


  32. Dave Keays
    35

    Other “collateral damage” and people who were or will be hurt by anonymous.

    1) People who want to buy things on-line but don’t want their details, credit card passwords or otherwise, to be transparent to the world.

    2) Store owners that will lose business when potential customers get even more wary of the Internet than they are now. To a small business with a small shopping cart on-line, those customers could be enough to spell bankruptcy.

    3) eBay purchasers who will be more open to scams if PayPal reverses their new policies of banning questionable accounts. WikiLeaks’ account wasn’t the only one PayPal suspended. It doesn’t look to me like PayPal was targeting WikiLeaks. That will take away Anonymous’s excuse for mischief. Oh darn!

    So once again, the global community that the Internet once was, will probably be going dormant thanks to this crowd of script-kiddies. That is unless you think 100% of everybody will buy into WikiLeaks’ “vision”. Why does that “vision” look so much like the one Hitler, Stalin, and Mao had?

    I’m sorry if I’m biased against them, but whoever did the hack on the EFA, and they are the main suspect last I heard, isn’t going to get any sympathy from me.

  33. Moroccan
    36

    Absurdity itself: “Look, there’s nothing wrong with private firms helping Uncle Sam to develop cyber offensive capabilities. In an age of sophisticated and wholesale cyber espionage by nation states opposed to the U.S., the U.S. government clearly needs to be able to fight fire with fire. Besides, everybody already knew that Greg Hoglund was writing rootkits for the DoD, so is it right to say we’re “shocked! shocked!” to read his e-mail and find out that what we all suspected was true? I don’t think so.”

  34. Truth in Advertising
    37

    @ Fredric L. Rice (not verified) on Tue, 02/22/2011 – 5:25pm.

    Aw, look at all that buttthurt from HBGaryfags who were exposed as fake “security experts.”

    I would disagree that they were ‘fake’ — arrogant, and overconfident, certainly (not to mention unethical). They also had one of the most severe cases of tunnel vision imaginable — they were thinking only in terms of their site being DDOSed, when the recent experience with Gawker should have convinced them what they were potentially in for.

    This reminds me of nothing so much as the maxims of Sun-Tzu:

    If you know the enemy, and know yourself, you will succeed in every battle;
    If you know the enemy, and not yourself, for every victory you will suffer a defeat;
    If you know neither the enemy nor yourself, you will succumb in every battle.

    What’s needed is felony indictments against Aaron Barr, HBGary, and HBGary Federal for the money they swindled out of the U.S. government under the pretext of being “security experts.” Then we need to see some Bank of America and U. S. Chamber of Commerce felons and traitors lynched from street lamps for their treason against us.

    Hear, hear!

    Anonymous once again proved themselves to be the last remaining heroes who tirelessly work for the betterment of Democracies.

    And for that ‘crime’, if apprehended, they will be severely punished. After all, what are the rights of the people compared with the ownership rights of the plutocracy?

  35. Paul
    39

    hey – thanks for commenting. i’d certainly agree that the effort to separate HBGary Federal from HBGary Inc. doesn’t pass the sniff test. It was, at the best, a wholly owned subsidiary with identical management. At worst: it was simply a legal creation to allow them to keep classified work separate from their commercial work. 

    As for the “criminally negligent” with regard to security…well…they didn’t comport themselves very well and it would be right if you’re a customer to pursue the “do as I say not as I do” angle. Of course, them neglecting the security of their Web sites or CMS doesn’t justify what Anonymous did. That’s kind of the “you deserved to get accosted ’cause you were wearing that sexy outfit” line of thinking. 

  36. Robert Paulson
    40

    The crime was being ignored.  Now it has been brought to light by a little whistleblowing.  We are supposed to support that.  If Anon had discovered a truly heinous crime, they would be heroes.  They just discovered some really bad crimes (that most average people don’t care about) and are being called criminals.  They are doing what is right.  They are uncovering the evils of corporations.  That is a wonderful thing and should be celebrated!

  37. Truth in Advertising
    41

    @ Paul (not verified) on Thu, 02/24/2011 – 4:19pm.

    hey – thanks for commenting. i’d certainly agree that the effort to separate HBGary Federal from HBGary Inc. doesn’t pass the sniff test. It was, at the best, a wholly owned subsidiary with identical management. At worst: it was simply a legal creation to allow them to keep classified work separate from their commercial work.

    I’d agree. I’d further add that in an email to the rest of the company welcoming Aaron Barr and Ted Vera, HBGary, Inc. CEO Greg Hoglund described HBGary Federal as a ‘wholly owned subsidiary’:

    “…I am extremely excited to announce that Aaron Barr and Ted Vera have joined the HBGary team! Ted and Aaron will operate and lead HBGary Federal, a wholly owned subsidiary of HBGary, with a focus on contracting in the government space….”
    Message-ID: <1296999591.M233191P3547Q8.cybercom>
    Date: Mon, 23 Nov 2009 08:13:56 -0800

    … Of course, them neglecting the security of their Web sites or CMS doesn’t justify what Anonymous did. That’s kind of the “you deserved to get accosted ’cause you were wearing that sexy outfit” line of thinking.

    That was never my intent. There is no question that what Anonymous did was illegal; that said, it would appear that these illegal practices on the part of HBGary, Palantir and Berico (and doubtless others) would have never come to light if it were not for Anonymous’ efforts.

    It almost goes without saying that no one in any of these companies will even be investigated, while the feds will go after Anonymous with all the resources they can muster.

    It reminds one of Animal Farm: “Some animals are more equal than others.”

  38. COMMONSENSEFORCOMMONGOOD.COM
    43

    Couldn’t agree more! Indict and prosecute, plus, get our public money back where we can.

  39. Brick
    44

    “fighting crime with more crime”

    Oh, you mean fighting fire with fire?

    The blackhats are getting strong and arrogant. They need their ass kicked and thrown into prison for an extended period. If a few ppl have their “rights” violated in the pursuance of the goal, so f#%&ing be it.

  40. Anonymous
    45

    You fail to see the real point of the article: hacking and framing WikiLeaks is a crime, and if it is in conjunction with Our Government it is still a crime….that is not a democracy.. I’m glad the leak came out..

Comments are closed.