Five Questions About Aaron Barr’s DEFCON (by Aaron Barr)

Editor’s note: Finding Aaron Barr at this year’s DEFCON hacker conference in Las Vegas was like a giant game of “Where’s Waldo.” Given the events of the past year, you can hardly blame him for keeping a low profile. First there was the attack on him and his then-employer, HBGary Federal, his decision to part ways with HBGary, his work to rehabilitate his image and turn his personal misfortunes into a ‘teaching moment’ for the industry, and then the legal wrangling in recent weeks that threw cold water on his plans to take part in a panel discussion about Anonymous at DEFCON. Barr was courted by numerous news outlets at the show, including the mainstream media. But he preferred, for the most part, to keep his counsel. So when Aaron offered to contribute his thoughts on this year’s DEFCON to Threatpost, we jumped at it. Here’s what he had to say.  

Question 1: OK – How weird was it being at DEFCON?

Being at the conference definitely felt odd. Here was a place where so many people knew this very public story about me.  I had no idea what to expect. Would I be confronted? Heckled or, possibly, welcomed?  I figured, going in, there were good odds that I would have some type of confrontation at some point. But it never came. In fact,  it was a great trip. Like all Blackhat/DEFCON trips, I hung out with friends, met new people, had lots of laughs, talked about the state of our industry, drank too much and didn’t sleep enough.  I had a handful of, “Hey you’re Aaron Barr!” encounters  (typically following an introduction as “Aaron”).  These included the two nice guys I shared a cab with to the airport.  One of them admitted he was in the AnonOps IRC channel during some of the initial heated conversations back in February.  He wouldn’t let me pay for my share of the cab ride, saying “I got it man you actually seem like a nice guy, plus I want to be able to say I paid for your cab”.  Other than those few occasions, it was I who felt anonymous (though maybe not as Anonymous as some).

Question 2: Did Aaron Barr attend the Aaron Barr Panel?

As you may know, my original plans were to sit on a DEFCON panel entitled “Whoever fights monsters: confronting Aaron Barr, Anonymous, and ourselves.” When circumstances prevented that, I determined to attend DEFCON anyway and, if possible, to attend the panel that would be, at least partly, about me. The panel started bright and early Saturday morning – 10 AM. (That’s early in ‘Vegas). I woke that morning and ran through numerous scenarios. I could be recognized during the talk and called out. I could end up being a distraction to the people on stage. The right course of action wasn’t clear. But, in the end, I was comforted by the fact that I had spent all day Friday at the conference and had moved about pretty much unrecognized. I thought I was pretty safe.  

That morning, I donned my disguise: a baseball cap, shorts, t-shirt, and a healthy 5 o’clock shadow. Not too subtle, I know, but most people only know me by the photo of me in a business suit staring at the camera (the only picture available of me on the net.)  My disguise didn’t make me look like someone else – just different from what everyone was expecting. And, as with many things in security, that ended up being good enough.  Feeling pretty safe, I went to the show, entered the conference hall and took a spot against the wall in the back.

My impressions? – I think the panel did a great job of framing the debate over Anonymous, which is really one about the benefits or necessity of anonymity, the impact of hacktivism and hacktivist groups on the state of security, and the implications of vigilantism and offensive cyber tactics. The discussion about the possibility of “building a better Anonymous” – one that gave voice and force to the dispossessed, but saved their fire power for problems we could all rally around (such as stopping child pornography) was excellent. Frankly, I wondered afterwards if the talk was not better without me! There’s no doubt that many of the topics discussed would not have been covered if I was on stage because of the legal restrictions that I faced.  At the same time, the focus might have been too much on me rather than on larger issues that were, frankly, more important.  A few people told me afterwards it was the most important talk of the conference, that it needed to happen and will hopefully be the start of a dialogue rather than just a conflict. Selfishly I would have liked to be up there on stage with Josh, Scot and Jericho. I would have loved the opportunity to convey a few misunderstandings about me.

Question 3: Did DEFCON change your thinking about Anonymous?

I am, to use a phrase that Richard Thieme popularized at this year’s show, a “world as grey” kind of person. The issues raised by the attacks that were discussed on the panel are not settled law to me – or even that clear cut. These are complex problems that don’t lend themselves to quick, reductive solutions. I have always been and still consider myself a liberal, but I am a liberal who has spent a career working in government and defense. I understand the importance of a solid defense and the necessity of a good offense. Some might be surprised to know I helped to lead a protest in 2005 against Walmart putting up a store in my small town (we lost). I was, likewise, a vocal opponent of the war in Iraq from the beginning.

But I also support the ideal of Western information dominance as a means of protecting our freedoms – including the freedom to access information.  I believe that sometimes circumstances require more aggressive tactics in order to maintain stability. But I’m also aware that such tactics can run dangerously close to the line, and are susceptible to corruption.  These are not ideological choices for me, but opinions born out of what I see as a necessity.  I believe one of the main areas of failure in cyber defense is we do not have good enough intelligence on threats.  Good threat intelligence requires comprehensive real-time collection and analysis on all threats, and in a constantly connected, social media-dominated world, this appears to some as an encroachment by governments or companies on privacy in the name of security.  In my opinion, well-intentioned efforts run afoul of some civil libertarians and privacy advocates because of the perception of encroachment. But with mediums like social networking Web sites, which enable easy manipulation of identity, it is getting difficult to separate the actual threats from the bystanders.

Question 4: Anonymity: good or bad?

Key to the Anonymous movement is the concept of…well…anonymity. Its members either physically or digitally mask their identity to protect themselves from harassment and prosecution and to focus the movement on the ideals rather than the people. This is not a new concept and is at the center of most of the cyber issues we deal with today, a problem often discussed as the “attribution” problem of cyber threats. Related to activism, anonymity is both critically important and inevitably corrupting. No one can deny the importance of anonymity in places with extreme information control and oppression, such as Syria, China and Iran, to name but a few. In these cases efforts to push complete solutions for real identity are counter-productive to human rights. In short: in parts of the world where there is a very real threat to life and liberty as a consequence of sharing opinions and experiences, anonymity is essential. In areas with more personal freedoms and protection the benefits of anonymity are debatable, especially when you consider the ways in which anonymity has provided a means for some to commit crimes, sow chaos, and bully and harass those with opposing views.

The complexity increases when we consider what is protest behavior vs. criminal or bullying behavior online. One thing is certain: anonymity has removed personal accountability within free societies. That lack of accountability has led to a surge in criminal activity and reckless behavior. Combine Anonymity with social media, and you can quickly find yourself in the midst of an online (or IRL) mob comprised of distributed and detached individuals with divergent agendas (if any). I think there’s a clear line that can be drawn between online protest movements and efforts to expose important information – but that it’s an easy line to smudge or just step over. The Wikileaks case is a great example of that. Many people view the site’s publication of the “Collateral Murder” video as an important and necessary act of civil disobedience and whistle blowing that exposed apparently criminal acts by US troops fighting in Iraq. Wikileaks’ subsequent release of hundreds of thousands of classified diplomatic cables was another matter entirely, and one in which anonymity, technology and means of massive distribution were used to serve destructive rather than constructive goals.

The need for anonymity in the latter case is critical to protect whistleblowers or dissidents. In the case of the former – online protests – I believe anonymity and the lack of personal accountability is absolutely corrupting what I think are some of the key tenets of lawful protest. These include personal sacrifice and a willingness for individuals to stand up and be associated with a cause or idea with boots on the ground, as it were.

I don’t think a DDOS is equivalent to a digital sit-in. A DDoS is more like a digital sucker punch thrown from a dark alley. Sure, taking part in a DDoS attack is against the law, but many of the civil rights and voting rights protests were technically violations of the (Jim Crow) laws that held sway in the South. Many thousands were arrested for their participation in these civil actions. So I’d say: “if your desire to protest for a cause doesn’t encompass the possibility that you, personally, might be disadvantaged by doing so, maybe you should rethink your decision to protest at all.”

Question 5: ‘Building a better Anonymous.’ Is that possible?

This was one of the key takeaways from the panel discussion. The idea seems to be to take the ideology, which has broader appeal, and wrap it in an organization that is more measured in its attacks, more discriminatory about its targets, and more careful about compromising non-target information, especially on users. My opinion is that this would be no small feat. I sat in the audience (right beside an unwitting Gregg Housh – BTW) for the Saturday evening session on Anonymous presented by Backtrace Security where the dialogue became much more heated, sarcastic, and even combative. During this one-hour session there was yelling, chanting, singing, even a visit by a notorious Internet mascot. It was an example of the level of disruption and sarcasm Anonymous is willing to stoop to in order to get a laugh, and – not coincidentally – to drown out criticism. This behavior is highly hypocritical for an organization whose chief pillar seems to be freedom of speech, opinion, and individuality.

Anonymous has demonstrated an ability to be a serious activist organization during Operation Egypt and Tunisia. It showed its more capricious, childish side with the “Request a DDOS” and “Telephone DDOS” promotions. It looked like a straight-up criminal organization with its attacks on Law Enforcement and Sony.  For Anonymous to mature would require severing or alienating part of the collective and dropping the sensationalism that has captured media attention and the public’s fear.

Maturing, in other words, would require Anonymous to change what seems to be its essence. That doesn’t mean that it cannot be done, or shouldn’t be done. Certainly the world would welcome a less destructive and more focused Anonymous. And who among us would be distraught if the serial haters at the Westboro Baptist Church found themselves on the wrong end of Anonymous’s LOIC DDoS tool? But, as the group, itself, admits: Anonymous is in it for the Lulz, so such a change would seem to run against the grain of the group. Rather than debate whether there could be a “better Anonymous,” maybe we should debate whether we need an Anonymous at all? Or, to ask the question another way: is there a place for hacktivism or digital vigilantism in an increasingly digital world? What are the benefits of such groups? What are the societal costs?

There are no easy answers to these questions. And, in the end, the questions are academic. Regardless of whether Anonymous should exist, it will.  Regardless of how we feel about Anonymous’s style of hacktivism, it will remain as an outlet for individual and collective anger because it’s  effective.

These attacks do appear to have increased security awareness, but it might not have been the kind of benefit that Anonymous intended. Anonymous attacks in concert with Stuxnet and very public attacks on RSA and a variety of other companies have made cyber security headline news. Board rooms now regularly discuss corporate vulnerabilities and mitigation strategies. In turn, they are spending more on security as a result of these threats. That is a good thing, right? Maybe. But I find it ironic that the white hats Anonymous wants to punish seem to be the ones benefiting the most. In the end does this make us more secure? I don’t believe so. Security is a complex issue that goes beyond properly configured web servers, patch updates, and strong passwords. The problems we face are not going to be fixed by a quick influx of cash or focus of attention. They require fundamental changes in our use of technology within business operations and personal use. Right now the extra money appears to mostly be spent on assessments, hardening, detection, and incident response. Spending in these areas is important, but ultimately these measures are Band-Aids applied to the fundamental weaknesses in IT groups, which are under pressure to implement new technologies that increase productivity and drive down costs.