Five Questions About Aaron Barr’s DEFCON (by Aaron Barr)

Editor’s note: Finding Aaron Barr at this year’s DEFCON hacker conference in Las Vegas was like a giant game of “Where’s Waldo.” Given the events of the past year, you can hardly blame him for keeping a low profile. First there was the attack on him and his then-employer, HBGary Federal, his decision to part ways with HBGary, his work to rehabilitate his image and turn his personal misfortunes into a ‘teaching moment’ for the industry, and then the legal wrangling in recent weeks that threw cold water on his plans to take part in a panel discussion about Anonymous at DEFCON. Barr was courted by numerous news outlets at the show, including the mainstream media. But he preferred, for the most part, to keep his counsel. So when Aaron offered to contribute his thoughts on this year’s DEFCON to Threatpost, we jumped at it. Here’s what he had to say.  

Aaron BarrEditor’s note: Finding Aaron Barr at this year’s DEFCON hacker conference in Las Vegas was like a giant game of “Where’s Waldo.” Given the events of the past year, you can hardly blame him for keeping a low profile. First there was the attack on him and his then-employer, HBGary Federal, his decision to part ways with HBGary, his work to rehabilitate his image and turn his personal misfortunes into a ‘teaching moment’ for the industry, and then the legal wrangling in recent weeks that threw cold water on his plans to take part in a panel discussion about Anonymous at DEFCON. Barr was courted by numerous news outlets at the show, including the mainstream media. But he preferred, for the most part, to keep his counsel. So when Aaron offered to contribute his thoughts on this year’s DEFCON to Threatpost, we jumped at it. Here’s what he had to say.  

Question 1: OK – How weird was it being at DEFCON?

Being at the conference definitely felt odd. Here was a place where so many people knew this very public story about me.  I had no idea what to expect. Would I be confronted? Heckled or, possibly, welcomed?  I figured, going in, there were good odds that I would have some type of confrontation at some point. But it never came. In fact,  it was a great trip. Like all Blackhat/DEFCON trips, I hung out with friends, met new people, had lots of laughs, talked about the state of our industry, drank too much and didn’t sleep enough.  I had a handful of, “Hey you’re Aaron Barr!” encounters  (typically following an introduction as “Aaron”).  These included the two nice guys I shared a cab with to the airport.  One of them admitted he was in the AnonOps IRC channel during some of the initial heated conversations back in February.  He wouldn’t let me pay for my share of the cab ride, saying “I got it man you actually seem like a nice guy, plus I want to be able to say I paid for your cab”.  Other than those few occasions, it was I who felt anonymous (though maybe not as Anonymous as some).

Question 2: Did Aaron Barr attend the Aaron Barr Panel?

As you may know, my original plans were to sit on a DEFCON panel entitled “Whoever fights monsters: confronting Aaron Barr, Anonymous, and ourselves.” When circumstances prevented that, I determined to attend DEFCON anyway and, if possible, to attend the panel that would be, at least partly, about me. The panel started bright and early Saturday morning – 10 AM. (That’s early in ‘Vegas). I woke that morning and ran through numerous scenarios. I could be recognized during the talk and called out. I could end up being a distraction to the people on stage. The right course of action wasn’t clear. But, in the end, I was comforted by the fact that I had spent all day Friday at the conference and had moved about pretty much unrecognized. I thought I was pretty safe.  

That morning, I donned my disguise: a baseball cap, shorts, t-shirt, and a healthy 5 o’clock shadow. Not too subtle, I know, but most people only know me by the photo of me in a business suit staring at the camera (the only picture available of me on the net.)  My disguise didn’t make me look like someone else – just different from what everyone was expecting. And, as with many things in security, that ended up being good enough.  Feeling pretty safe, I went to the show, entered the conference hall and took a spot against the wall in the back.

My impressions? – I think the panel did a great job of framing the debate over Anonymous, which is really one about the benefits or necessity of anonymity, the impact of hacktivism and hacktivist groups on the state of security, and the implications of vigilantism and offensive cyber tactics. The discussion about the possibility of “building a better Anonymous” – one that gave voice and force to the dispossessed, but saved their fire power for problems we could all rally around (such as stopping child pornography) was excellent. Frankly, I wondered afterwards if the talk was not better without me! There’s no doubt that many of the topics discussed would not have been covered if I was on stage because of the legal restrictions that I faced.  At the same time, the focus might have been too much on me rather than on larger issues that were, frankly, more important.  A few people told me afterwards it was the most important talk of the conference, that it needed to happen and will hopefully be the start of a dialogue rather than just a conflict. Selfishly I would have liked to be up there on stage with Josh, Scot and Jericho. I would have loved the opportunity to convey a few misunderstandings about me.

Question 3: Did DEFCON change your thinking about Anonymous?

I am, to use a phrase that Richard Thieme popularized at this year’s show, a  “world as grey” kind of person. The issues raised by the attacks that were discussed on the panel are not settled law to me – or even that clear cut. These are complex problems that don’t lend themselves to quick, reductive solutions. I have always been and still consider myself a liberal, but I am a liberal who has spent a career working in government and defense. I understand the importance of a solid defense and the necessity of a good offense. Some might be surprised to know I helped to lead a protest against Walmart in 2005 from putting up a store in my small town (we lost). I was, likewise, a vocal opponent of the war in Iraq from the beginning.

But I also support the ideal of Western information dominance as a means of protecting our freedoms – including the freedom to access information.  I believe that sometimes circumstances require more aggressive tactics in order to maintain stability. But I’m also aware that such tactics can run dangerously close to the line, and are susceptible to corruption.  These are not ideological choices for me, but opinions born out of what I see as a necessity.  I believe one of the main areas of failure in cyber defense is we do not have good enough intelligence on threats.  Good threat intelligence requires comprehensive real-time collection and analysis on all threats, and in a constantly connected, social media-dominated world, this appears to some as an encroachment by governments or companies on privacy in the name of security.  In my opinion, well-intentioned efforts run afoul of some civil libertarians and privacy advocates because of the perception of encroachment. But with mediums like social networking Web sites, which enable easy manipulation of identity, it is getting difficult to separate the actual threats from the bystanders.

Question 4: Anonymity: good or bad?

Key to the Anonymous movement is the concept of…well…anonymity. Its members either physically or digitally masking their identity to protect themselves from harassment and prosecution and to focus the movement on the ideals rather than the people.  This is not a new concept and is at the center of most of the cyber issues we deal with today a problem often discussed as the “attribution” problem of cyber threats. Related to activism, anonymity is both critically important and inevitably corrupting. No one can deny the importance of anonymity in places with extreme information control and oppression, such as Syria, China and Iran, to name but a few. In these cases efforts to push complete solutions for real identity are counter-productive to human rights.  In short: in parts of the world where there is a very real threat to life and liberty as a consequence of sharing opinions and experiences, anonymity is essential. In areas with more personal freedoms and protection the benefits of anonymity is debatable -especially when you consider the ways in which anonymity has provided a means for some to commit crimes, sow chaos, and bully, and harass those with opposing views.

The complexity increases when we consider what is protest behavior vs. criminal or bullying behavior online.  One thing is certain: anonymity has removed personal accountability within free societies. That lack of accountability has led to a surge in criminal activity and reckless behavior. Combine Anonymity with social media, and you can quickly find yourself in the midst of an online (or IRL) mob comprised of distributed and detached individuals with divergent agendas (if any).  I think there’s a clear line that can be drawn between online protest movements and efforts to expose important information – but that its an easy line to smudge or just step over. The Wikileaks case is a great example of that. Many people view the site’s publication of the “Collateral Murder” video as an important and necessary act of civil disobedience and whistle blowing that exposed apparently criminal acts by US troops fighting in Iraq. Wikileaks subsequent release of hundreds of thousands of classified diplomatic cables was another matter entirely, and one in which anonymity, technology and means of massive distribution were used to serve destructive rather than constructive goals.

The need for anonymity for in the latter case is critical to protect whistleblowers or dissidents.  In the case of the former – online protests – I believe anonymity and the lack of personal accountability is absolutely corrupting what I think are some of the key tenets of lawful protest. These include personal sacrifice and a willingness for individuals to stand up and be associated with a cause or idea with boots on the ground, as it were.  

I don’t think a DDOS is equivalent to a digital sit-in. A DDoS is more like a digital sucker punch thrown from a dark alley. Sure, taking part in a DDoS attack is against the law, but many of the civil rights and voting rights protests were technically violations of the (Jim Crow) laws that held sway in the South. Many thousands were arrested for their participation in these civil actions. So I’d say: “if your desire to protest for a cause doesn’t encompass the possibility that you, personally, might be disadvantaged by doing so, maybe you should rethink your decision to protest at all.”

Question 5: ‘Building a better Anonymous.’ Is that possible?

This was one of the key takeaways from the panel discussion. The idea seems to be to take the ideology, which has broader appeal, and wrap it in an organization that is more measured in its attacks, more discriminatory about its targets, and more careful about compromising non-target information, especially on users.  My opinion is that this would be no small feat.  I sat in the audience (right beside an unwitting Gregg Housh – BTW) for the Saturday evening session on Anonymous presented by Backtrace security where the dialogue became much more heated, sarcastic, and even combative.  During this one hour session there was yelling, chanting, singing, even a visit by a notorious Internet mascot. It was an example of the level of disruption and sarcasm Anonymous is willing to stoop to in order to get a laugh, and – not coincidentally- to drown out criticism.  This behavior is highly hypocritical for an organization whose chief pillar seems to be freedom of speech, opinion, and individuality.  

Anonymous has demonstrated an ability to be a serious activist organization during Operation Egypt and Tunisia. It showed its more capricious, childish side with the “Request a DDOS” and “Telephone DDOS” promotions. It looked like a straight-up criminal organization with its attacks on Law Enforcement and Sony.  For Anonymous to mature would require severing or alienating part of the collective and dropping the sensationalism that has captured media attention and the public’s fear.

Maturing, in other words, would require Anonymous to change what seems to be its essence.  That doesn’t mean that it cannot be done, or shouldn’t be done.  Certainly the world would welcome a less destructive and more focused Anonymous.  And who among us would be distraught if the serial haters at the Westboro Baptist Church found themselves on the wrong end of Anonymous’s LOIC DDoS tool? But, as the group, itself, admits: Anonymous is in it for the Lulz, so such an change would seem  to run against the grain of the group.Rather than debate whether there could be a “better Anonymous,” maybe we should debate whether we need an Anonymous at all? Or, to ask the question another way: is there a place for hacktivism or digital vigilantism in an increasingly digital world?  What are the benefits of such groups?  What are the societal costs?

There are no easy answers to these questions. And, in the end, the questions are academic. Regardless of whether Anonymous should exist, it will.  Regardless of how we feel about Anonymous’s style of hacktivism, it will remain as an outlet for individual and collective anger because it’s  effective.

These attacks do appear to have increased security awareness, but it might not have been the kind of benefit that Anonymous intended.  Anonymous attacks in concert with Stuxnet and very public attacks on RSA and a variety of other companies has made cyber security  headline news.  Board rooms now regularly discuss corporate vulnerabilities and mitigation strategies.  In turn, they are spending more on security as a result of these threats. That is a good thing right?  Maybe. But I find it ironic that the white hats Anonymous wants to punish seem to be the ones benefiting the most.  In the end does this make us more secure?  I don’t believe so.  Security is a complex issue that goes beyond properly configured web servers, patch updates, and strong passwords.  The problems we face are not going to be fixed by a quick influx of cash or focus of attention. They require fundamental changes in our use of technology within business operations and personal use.  Right now the extra money appears to mostly be spent on assessments, hardening, detection, and incident response.  Spending in these areas is important, but ultimately these measures are Band -Aids applied to the fundamental weaknesses in IT groups, which are under pressure to implement new technologies that increase productivity and drive down costs.

Suggested articles

Discussion

  • Anonymous on

  • Anonymous on

    Aaron Barr - still clueless after all these years...
  • Anonymous on

    I agree with everything this man say, except anonymity.  The "anonymity generate jerks" theory is wrong.  There will be always trolls on the internet, but most people don't act like trolls, is 1 every 100 or 200 persons that act like a troll. Possibly the main reason is that If you are know as $nickname, you are have a reputation to protect, the reputation of your internet person. So you can be anonymous, but at the same time have something to protect: your internet persona.    Like most people use the same password in different websites, most people try to use the same nickname in different sites (again, is probably a bad idea but..).   

    People that think anonymity is the reason of jerks is wrong. People is jerk with or withouth anonymity.

  • Anonymous on

    I totally disagree, anonymity allows you to be a jerk, and steal, and get away with it. That's why you and everyone else wants anonymity. So you don't have to be accountable for your actions.

  • Stanley De Boer on

    Ironic that you are posting as Anonymous then.

  • Anonymous on

    I have to agree with Coldmoon.. 

    I'm about damn tired of people telling me "you shouldn't have anything to hide". Yes, I should and do because I'm political... I've been chased by goons, skinheads and klansmen. I've had snipers on rooftops to protect me and my political message. My friends have had their homes broken into by said racist goons... To hell with the notion that we should abandon privacy out of fear. 

    As for Aaron Barr, I don't agree with his actions. I would expect people with DoD contracts and ties to intelligence and military to not behave like children in their work environment. 

     

  • Anonymous on

    All of Kaspersky Lab's horses and all of it's men, couldn't put HBGary's reputation back together again.

    I like http://www.h-online.com/ better than threatpost, Where I don't have to have establishment propaganda mixed in with my security news. It makes for a better day, and less drinking.

  • Anonymous on

    Aaron Barr is decidely more intelligent than I thought he would be.  His answers were actually thought provoking and followed logical reasoning, which is the opposite of most Anonymous letters and responses.

  • Anonymous Literati on

    At first I was convinced Barr had an aide of some kind write this, but his language gets lazy toward the end.  Writing in English has never been his strong suit, and he really gave this his all, but seriously...when you're offering an exclusive, it's assumed that responses are prepared.  They need to be of higher quality than this.

  • peterz on

    I guess this interview did help "humanize" Aaron Barr.

    But it doesn't change the fact that he ruthlessly betrayed Bradley Manning. Seriously, this guy has no consciense. I'm sure you've heard what the military has done to Bradley Manning since his arrest.

    If Aaron Barr is really against the war and as "liberal" as he claims, then why did he do this to someone who helped expose the lies in the war? Even the pentagon admits that no one was put in danger due to the release. Thus, either Aaron Barr is lieing through his teeth in this interview and really supports the US military trotting around the world killing people, or (more likely) the reward / fame of turning in Manning was just too great for him to resist. This is what Aaron Barr did. All in the name of protecting wars he supposedly doesn't agree with. 

    Sorry, I don't believe a word this guy says, and I, as someone who has not participated in any anonops, would never pay for his cab ride.

  • Anonymous on

    Does Aaron Burr's "World of Grey" go so far as to justify "Team Themis," his proposal to use social media and false-flag attacks to :

    "Feed the fuel between the feuding groups. Disinformation. Create messages around actions to sabotage or discredit the opposing organization. Submit fake documents and then call out the error."

    "Opposing groups" being organizations like WikiLeaks and Glenn Greenwald of Salon.com? Does Burr style himself a man-in-a-complicated-world when he sets out, via lies and disinformation, to discredit an American Journalist who holds opinions damaging to those who employ Burr? That's not a shade of grey, nor is it a moral connundrum. It's flat-out evil.

  • Anonymous on

    The last poster I believe you have him confused with Adrian Lamo maybe?  Two totally different people. I don't think Aaron Barr had anything to do with Bradley Manning. Confused?

  • Aigeanta on

    Interesting interview. It raises a lot of ethical conundrums. I support transparency in our governments and privacy for our citizens. Unless there is harm or risk of harm, nobody should have their liberties limited. I think Aaron's firm made a very big ethical mistake in planning electronic subterfuge against political enemies of their potential clients. I also think Anonymous makes big ethical mistakes when they dox innocent bystanders. Exposing or leaking pertinent information can be helpful in keeping our governments accountable. However, irresponsible whistle-blowing, including not taking the time to redact names and personally identifiable information that has nothing to do with the issues at hand, is clearly wrong. People who blindly support Anonymous or the government's line should do some research and find out what really happened. I wrote a blog post about this in February, and re-reading it, I'm still upset at the way Aaron's firm was going to discredit Wikileaks supporters. On the other hand, I keep seeing Anonymous flunkies releasing info on unrelated targets and causing collateral damage to innocent bystanders. If any of you have an opinion on the compartive ethics of this, I would appreciate it. http://www.aigeanta.net/blog/aigeanta/2011/02/16/hbgary-vs-anonymous-ethics-outsourced-espionage-against-public-citizens

  • Anonymous on

    Hey Aaron, after reading about all that happened with Anon, I always thought you were going to do something completely different for ten years, that is, things not involving computers, and take a step back from the limelight, but here you are a few months later, acting undercover spy and publishing your insights on the internet, ok yes the (US) comeback, but maybe it's too soon, don't you think
  • Captain Nemo on

    Until he wises up that it is STUPID and WRONG to give the FBI poorly-sourced lists of names while that same FBI is banging down doors of the group to which these names allegedly belong, he's a pariah. Calling it "research" doesn't make it right, continuing to defend it makes him look worse than he already does.

    At least HBGeary and HBGeary Federal had enough brains to force him out; he says he wanted more time with his family, but then, don't they all?

    This clown is @aaronbarr at Twitter. If someone has his email, please post it. Until he admits he was wrong to try making money by selling the innocent to the FBI (and however much he tries to redefine it away, that's what was going to happen if the FBI bought Barr's proposed solution to ID anonymous or if the FBI issued a subpoena for Barr's "list"), we should spam him under.

    Remember: he was dragging a list of names past the FBI as being members of anonymous in an effort to sell the FBI his method for outing anonymous members. That the list of names was wildly erroneous and his method for id'ing anon members a joke just makes his actions worse.

    He brought this on himself and should not be allowed to walk away from it until he apologizes to the many innocents he almost burned to the feds. Vindictive? no. Appropriate punishment? yes.

     

  • Captain Nemo on

    And, as to why I'm so fired up about this, I used to work with CICPES*, a non-violent political group opposed to the US policy in San Salvador. The US gov't under Reagan got tired of CICPES and the US citizens who travelled to Nicaragua lecturing about the reality there as opposed to the US's twisting that they decided to have the FBI name CICPES as a (wait for it) terrorist organization. Yup. People who met in church basements got their names on a government list that said the associated with a terrorist group.

    And then, all of a sudden, there were late-night breakins at the church office where CICPES met and the police were apparently stumped, stumped they were, at how to solve this crime. I should say, this repeated crime, as it happened several times and each time all that was taken was computer disks with membership lists I had begged the CISPES rookies to stop leaving in the computer or on files at the office. Stumped, the police were, stumped.

    All the Feds have to do is put you on the wrong list and your life goes to Hell. Getting your life back is almost impossible and even if you can it takes YEARS.

    So people like Barr who continue to justify what are egregiously stupid overtures to the Feds made in an effort to make money garner only my contempt and active resistance.

    I was THERE, folks, and I saw what happened and know what the kind of "help" Barr offers can lead to.

    From wikipedia re CISPES:

    CISPES was a target of two highly controversial FBI investigations during the 1980s, as documented in the book Break-Ins, Death Threats and the FBI by Ross Gelbspan [1] (ISBN 0-89608-412-4).

    But in late 1983 a directive was sent to all FBI field offices initiating a nationwide investigation that engulfed all members of 180 CISPES chapters as well as nearly 200 other groups that had the slightest connection to CISPES. The new investigation hinged mostly on information supplied by an informant, Frank Varelli, who the FBI later admitted had not been properly vetted and should never have been taken seriously.

    * CISPES Committe In Solidarity with the People of El Salvador

  • Captain Nemo on

    And, as to why I'm so fired up about this, I used to work with CICPES*, a non-violent political group opposed to the US policy in San Salvador. The US gov't under Reagan got tired of CICPES and the US citizens who travelled to Nicaragua lecturing about the reality there as opposed to the US's twisting that they decided to have the FBI name CICPES as a (wait for it) terrorist organization. Yup. People who met in church basements got their names on a government list that said the associated with a terrorist group. And then, all of a sudden, there were late-night breakins at the church office where CICPES met and the police were apparently stumped, stumped they were, at how to solve this crime. I should say, this repeated crime, as it happened several times and each time all that was taken was computer disks with membership lists I had begged the CISPES rookies to stop leaving in the computer or on files at the office. Stumped, the police were, stumped. All the Feds have to do is put you on the wrong list and your life goes to Hell. Getting your life back is almost impossible and even if you can it takes YEARS. So people like Barr who continue to justify what are egregiously stupid overtures to the Feds made in an effort to make money garner only my contempt and active resistance. I was THERE, folks, and I saw what happened and know what the kind of "help" Barr offers can lead to. From wikipedia re CISPES: CISPES was a target of two highly controversial FBI investigations during the 1980s, as documented in the book Break-Ins, Death Threats and the FBI by Ross Gelbspan (ISBN 0-89608-412-4). But in late 1983 a directive was sent to all FBI field offices initiating a nationwide investigation that engulfed all members of 180 CISPES chapters as well as nearly 200 other groups that had the slightest connection to CISPES. The new investigation hinged mostly on information supplied by an informant, Frank Varelli, who the FBI later admitted had not been properly vetted and should never have been taken seriously. * CISPES - Committe In Solidarity with the People of El Salvador
  • Captain Nemo on

    for clarity:

    "Nicaragua lecturing about the reality there as opposed to the US's twisting" should be "Nicaragua and then returned to the US to lecture about the reality there as opposed to the US's twisting"

    cf "Witness for Peace"

     

  • Captain Nemo on

    So, to wrap up, "useful idiots" like Mr. Barr have been a tool for the FBI since at least the McCarthy era. For what idiots like Barr are used FOR, I refer you to the US Senate report on just what exactly went wrong in the illegal, politically-motivated FBI surveillance of CISPES.

    http://intelligence.senate.gov/pdfs101st/10146.pdf

    Remember: in the CISPES investigations THOUSANDS of honest, law-abiding folks who went to a few perfectly legal meetings wound up on federal TERRORIST investigation lists because a "useful idiot" named Varelli told lies and relayed erroneous information. Sound familiar, Mr. Barr?

    For those slow to get the point, it isn't that the FBI needs an excuse to get started once their political handlers lean on them, but often **having** an excuse (like the alleged data turned up by Mr. Barr) is what allows the feds to kick off a politically-motivated witch hunt such as COINTELPRO, the anti-CISPES probe, "Tommy the Traveler" type agents provocateur in the anti-Viet Nam War movement; the list is long.

    So, let's not let a "useful idiot" get away with it.

  • Anonymous on

    Aaron Barr is a fucking moron and he has no place on the internet.

    He is hated by the internet and will be ruined further

  • Anonymous on

    useful idiot? no way, he wore a tshirt, baseball cap, and went unshaved to cover his identity at his own skipped talk. very clever man that no one should care about. or just the latter.

    barr makes for a not-so-useful idiot.

  • Anonymous on

    This was a great article. Thank you Aaron and ThreatPost.

  • Anonymous on

    And who says anyone has it right at all about him? People want to rail him for being some evil person, but for what again? Anonymous is hacking companies and spilling user data all over the web and then Anonymous wants us to boohoo because Aaron Barr was collecting information about them for a security talk? He was doing a proposal on how he could help a company against wikileaks releasing their stolen data? He was helping another company protect against the unions? Ya know the unions are as corrupt a special interest group as all the others. I like the other posters comment, stop focusing on what you think you know of him and focus on what was written. or continue to be a whiny $%@!*.
  • Anonymous on

    we will not focus on what was written because it is all lies. attempts to spin aaron into a positive light.  no, we will not focus on what was written, because we have so much more to rely on.  aaron's email spool speaks for itself. it shows his true nature.  if you want to get to know aaron barr then read his email.  it shows he is a media whore who is only after self promotion and profit. and that he is willing to do unscrupulous things to attain them:

    http://hbgary.anonleaks.ch/aaron_hbgary_com/9464.html

    http://hbgary.anonleaks.ch/aaron_hbgary_com/7390.html

    READ his email and you will see the truth. this "article" is a joke, as much as aaron barr is a joke.  unfortunately for him, he still doesn't seem to get it.  for doing this "interview" shows that he is still whoring for media attention and attempting to profit from his "experience" with anon.  good luck to his new employer sayres & ASSociates and his upcoming "talk"

    http://www.techexecnetworks.com/event_2011.09.12.asp

     

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.