Barr Unbowed: Former HBGary Federal CEO says We Need to Learn from LulzSec

This is the first in a two-part interview with Aaron Barr, the former CEO of HBGary Federal

Each of us has made mistakes in our lives – woeful errors that we’ve been forced to learn from at great personal cost. Blessedly, those painful experiences are typically private affairs. Tears are spilled. Mea culpas are issued to those we’ve wronged, then we, the folks we hurt and the storm clouds move on.

For an unfortunate few, however, blunders go viral. Their mistakes fuel evening news segments and column inches in the pages of leading newspapers. Millions queue up to watch them on YouTube and they get turned over for laughs by late night comedians. Think about lonely Congressman Weiner or that poor woman who, distracted by her cell phone texting, flopped into the fountain at a Kentucky mall.

Aaron Barr, the former CEO of security firm HBGary Federal, is one of those unlucky few. No fountain-flopper, Barr is a respected authority on computer security whose mistake was to openly speculate on the identities of members of the online hacking group Anonymous, then watch as events spun gruesomely out of his control. Infuriated by what they interpreted as an attempt to out them, Anonymous hacked HBGary’s servers and made off with tens of thousands of messages from the company’s e-mail server, which the group then posted online. Anonymous’s preemptive strike put the inner workings of HBGary up for public view. That begot countless other stories – not all of them accurate – as reporters pored over the contents of HBGary Federal’s correspondence, Wikileaks style. Their digging turned up troubling communications about the company’s plans to assist the U.S. government and various other Beltway interests with online reconnaissance. Before it was all over, no less than Comedy Central titan Stephen Colbert riffed on the controversy. And, not too long after that, Barr tendered his resignation from HBGary Federal.

Since then, Barr has kept his hand in the IT security game, but he’s also kept a low profile. On the other side of the fence, Anonymous and related groups, like LulzSec, have become emboldened by their success in the HBGary Federal attack, launching similar attacks on Sony Corp. and Monsanto, the U.S. Senate, the U.S. Federal Bureau of Investigation, the Public Broadcasting System, the federal police in Spain, the government of Turkey and other targets. There have been some arrests, but the core leadership of both Anonymous and the closely related LulzSec remain free.

But the unfortunate events of this spring haven’t bowed the former CEO. And the events of the last four months have, if anything, made him seem prophetic. More than ever, Barr’s call for the IT community to focus attention on the individuals behind cyber attacks – not just the technical details of the attacks – rings true. In one of the first interviews he’s given since the hack of HBGary Federal in February, Barr talked, by phone, with Threatpost editor Paul Roberts about the hack of HBGary Federal, Anonymous, LulzSec and why most security investments are misplaced.

Threatpost: There’s a certain folk hero aspect to groups like Anonymous and LulzSec – a Robin Hood kind of thing, at least within some segments of the online population. But how should the public, governments and the private sector understand these groups and what they’re doing and keep from getting in their cross hairs?

Aaron Barr: Well, they’re certainly complex. LulzSec is a bit less complex because they’re a smaller organization that has broken off from Anonymous and are very focused. But Anonymous is complex in its totality. But the people that have real capabilities – the people that are the real threats, the Anonops folks and a small core within the Anonops folks – are, I think, misrepresented. They’re misrepresented purposefully by the group, but they’re also misrepresented in the media.

Threatpost: How so?

Aaron Barr: Based on what I’ve watched and conversations I’ve had, I don’t believe that the hacktivist mentality that they’ve attached themselves to – and that a good amount of the larger group believes in – is core to their belief system. I think core to their belief system is that they want to (expletive) (expletive) up. They get a rise out of it. They get a power hit off it, and they’re using the hacktivist ideology to ride on. But, that said, the larger group Anonymous is much more complex. Looking ahead, there might be some people that have real capability that truly believe in the hacktivist ideology and will take a different approach. But I don’t think that – other than being extremely cautious and staying away from what are likely to be important issues – that you can stay out of their crosshairs. How do you predict what’s going to…I mean stay away from Wikileaks – check! Stay away from prosecuting hackers – check! What’s next? I don’t know. Monsanto…they’ve had a grudge against Monsanto for quite some time for genetically modified foods. Anyone dealing with globalization has a problem. The IMF, the World Bank…

Threatpost: The issues are quite diverse. You’re forgetting about the Church of Scientology which was their primary target for a long time. So there’s that. But the list of issues is diverse and growing. And, of course, any tentative connection you have to these issues could make you a target.

Aaron Barr: Right and, you know, I get it. I get it. I grew up a liberal Democrat. I remember being an angry 20-something full of ideology and a sense of what’s right and wrong in the world. I was very adamant in my beliefs. So I get it. What I don’t get is the destructive nature of the organization. I fundamentally believe in civil disobedience as a functioning part of our society. I believe in the right to protest as a necessary element of our society. But they’ve taken – and I’ll lump Wikileaks in the same boat – have taken what is a healthy element in our society and made it destructive. I’ll jump off the cyber wagon for a moment and talk Wikileaks. You can’t release 250,000 sensitive documents into the wild and think you’re doing good for society. I don’t think you can, because there’s no way you can vet all 250,000 documents for whether there’s a need to release a specific document and what the blowback to that doc might be. When you go back to other exposure events, whether Watergate or the Pentagon papers, there was an awful lot of research and an investigation that went into the release of that information.

Threatpost: You mean that information was vetted prior to its release and a reason existed for releasing it?

Aaron Barr: Yes. The information was vetted for its purpose and the potential detriment. Because there’s no need. Plenty of people who work for the State Department and federal government and commercial organizations just work there. If you have an axe to grind about a specific issue, it’s destructive to hurt the employees, in my opinion. It’s destructive to hurt all the liaisons working in embassies across the world on policy and foreign affairs issues if it’s not to serve a particular purpose. And transparency is not a good enough reason. There are reasons for some information to be classified. There are reasons for businesses to hold some info as sensitive. If you feel like a particular government organization or a business has committed an illegal act and you feel compelled to expose that illegal act, that’s your prerogative. Go to it. In the meantime, if you get access to other information, I believe that it’s irresponsible and destructive to release it. Freedom requires a significant level of responsibility. So, coming back to Anonymous. Their LOIC (denial of service) tool is reaching a scary point of automation of capabilities, where you can have armchair protests and convince a bunch of kids in 4chan to come over and help protest against Sony by downloading a tool and, you know, connecting into the hive mind so someone can remotely control a very large botnet. A kid just needs to download it, set it up and go back to playing Quake. But you’ve just participated in a pseudo protest capability. I think that’s dangerous. Protest used to require some amount of dedication and effort and responsibility. You had to put yourself out there by standing in a picket line and signing a petition. Now you’re hiding behind a cloak and giving support to someone who might not have the same altruistic motives as you do.

Threatpost: Why are these attacks getting headlines now as opposed to before? How do you think the government should sort out the differences between state sponsored espionage and attacks that are pranks, financially motivated attacks, and so on?

Aaron Barr: One of the reasons I think we are where we are is a few recent events in which LulzSec and Anonymous just pushed things over the edge. It started with the very public discussion of state-sponsored attacks. The reason the public now knows the term APT (advanced persistent threat) is because of the Aurora attack. Then you had Wikileaks, which isn’t necessarily a traditional cyber threat. But it does have insider threat components that are a huge concern and which we don’t have a lot of protections against. Then we had Stuxnet. And, while maybe the general public didn’t understand the significance of Stuxnet, those of us in the community did, and it was discussed very publicly. There was an analysis of a state-sponsored threat. That started to get the ball rolling and you saw increasing discussion even among mainstream news outlets. And then Anonymous and LulzSec just blew it out of all proportion. It’s like watching cyber reality TV – we can’t not watch it. There was the extreme damage done to myself and my company, and then Sony. I mean, my God, you had people wondering ‘what part of Sony will get hit today?’ And it grabbed attention. People started to talk about significant cyber threats to the economy and corporations and nation states. The Chinese came out and publicly admitted they have a cyber army, which is the first time they’ve done that.

Threatpost: How similar do you think state sponsored attacks are to LulzSec or Anonymous-linked attacks against a company or government? How different should the response be? More similar than dissimilar? 

Aaron Barr: We’re so far away from that now it’s really frightening. We still look at the problem as an incident response problem, for the most part. There are pockets of the government and intelligence community that have the capacity and authority to look at it slightly differently. Overall, by and large, we look at threats when someone gets compromised. When there’s an attack, or attempted attack and we try to trace it back to its source. We’re not looking at the problem in terms of where the real threat is.

For example, we got very good at identifying and taking down drug cartels. We started looking at how they finance themselves, how they move goods, how they operate. What means of communications do they have? We’re not looking at cyber threats from that perspective. We’re looking at them from a technical perspective. Until we start looking at the human actors and start to categorize them, we’re not going to know. How do we know with Anon(ymous) and LulzSec that there’s not a state-sponsored element hiding under the covers? There’s been a lot of discussion about APT. What is state sponsored? What is not? That is a discussion had by people that never really worked in government and the Department of Defense before. From my perspective, APT will look, smell and feel how it needs to in order to achieve an objective. In some cases, that may be using tactics that are crude, so it looks like some college kid out of Ukraine. In other cases, they will use techniques that are very sophisticated, like Stuxnet. Clearly, there are immense capabilities that are remotely deployed by state agencies that have never been found and might never be found. I mean, if you have millions of dollars and pools of resources to point at a problem, what might you come up with?

Threatpost: Are there lessons from the hack of your company, HBGary Federal, that the U.S. government or firms like Sony need to learn? If so, what are they?

Aaron Barr: Operationally, businesses and even security companies fall to the weakness of getting overly focused on business operations and then letting security lapse. You need to send out an email and, oh, the guy sending it doesn’t have PGP so slowly, insidiously, it creeps and creeps and creeps. Security needs to be a significant focus and significant budget item, especially by security companies. But when you’re trying to get proposals out the door or there’s M&A (mergers and acquisitions)…One of the biggest weaknesses of large companies is that they hardly ever get fully integrated, especially when you have one company buying another big company. So there are weaknesses in the infrastructure and the bigger you get, there are more of them. But we have to focus on security. We have to assume now that no matter how many security precautions we take, they’re going to get in or already are in.

So what mitigating steps do we take? We’re already seeing a lot of focus on identity management and encryption and authentication. Those have to be areas we put big resources in. Perimeter and host defenses aren’t good enough, and never will be good enough. We don’t have good enough threat intelligence. Companies like HBGary, Fidelis, Sourcefire all do good work and have good products, but we don’t know what to tell them about preventing attacks. We can tell them what worked yesterday, but not what they’ll face tomorrow. Government and industry have poured resources into perimeter security, but we also have organizations that are more and more mobile. And we’ve put so much emphasis on perimeter security because host security is so problematic. You need agents on every system. So our adversaries have a lot of ceiling – a lot of room to grow. We haven’t even talked about insider threat or supply chain threats, which we have very little ability to detect. If we focus on the vehicle of the attack, we’re always gonna lose. And if we don’t get better at offense, we’re never going to win. So we have to get better at figuring out who threats are – categorize them and develop strategies to combat them.

Threatpost: If you believe the claims of groups like LulzSec, these attacks aren’t difficult to carry out. Or, at the very least, the doorways into these organizations – Sony, etc. – are out there and in the open. They’re unpatched SQL injection or cross-site scripting holes on public-facing Web applications that are easily identified and exploited.

Aaron Barr: Companies are never going to close all doors, that’s why organizations have to use authentication and encryption to make sure the critical data they have – user names and passwords and client information and PII is secured and encrypted, so that if it is stolen, there’s not much to gain from it. There’s always going to be a risk, whether you’re HBGary, which had very little external presence, or Sony, which had a massive external presence. I mean, the SQL injection (attack) that we succumbed to was because I asked a Web developer to make a change to our Web site just prior to the attack that added some features and functionality. That opened the SQL injection hole. So it’s a matter of your development processes and business processes and your security processes. How can you integrate those so that you protect yourself continually? The answer is you can’t.

Now, I’m easy to poke at because I’m a small company and a security company. And Sony was, maybe, because they had some data that should have been better protected. So those steps need to be taken, no doubt. You need to protect your critical data. That’s the number one takeaway. You need to focus on what sensitive data you have and how to protect it. You need to worry about protecting your perimeter as well, but you’re never going to close all the doors. There will always be a zero day (vulnerability). There will always be an insider threat, potentially. There’s always the potential for someone to get in.

Threatpost: One of the problems that seems to be cropping up is that organizations don’t know enough about who their enemies are. PBS is an example. Their Frontline crew does a story on Wikileaks and they get attacked by LulzSec. In retrospect, maybe there should have been a conversation internally with IT that said ‘hey, we’re going to put out a story that could raise the ire of this hacking group. We could become a target of that group. So what methods might they use to go after us? Where would they come in? Will it be Frontline or could it be other shows or parts of our infrastructure?’ Clearly that conversation never took place, but it seems like other organizations that aren’t media organizations have the same problem. So, Sony, in going after (PlayStation 3 hacker) George Hotz couldn’t have anticipated that he’d become a cause célèbre of this anarchic hacking group.

Aaron Barr: That’s the core of the problem. They don’t understand, because nobody understands the threat. It’s not like LulzSec and Anonymous have good opsec (operational security). They talk a lot. If you’re in their IRC channels or watch what they tweet, they give a lot of warnings. I mean, the (FBI) InfraGard attack, LulzSec was talking about doing something to the FBI for two weeks before that took place.

Threatpost: You and I have talked about this. But prior to your decision to do a presentation on Anonymous, did you consider that your company could be the target of retribution?

Aaron Barr: When I was planning to do the talk, I knew that I could potentially become a target, but I didn’t know how significantly. I underestimated the threat. We had discussions internally about (denial of service attacks), and things like that. But I underestimated the threat at the time. I won’t do that again. (Laughs) But prior to the talk, my company was very little known. We were very, very small. Just starting out and trying to build business with the government. We weren’t public enough to be that much of a threat or a target.

Threatpost: Yes. You’d assume someone in the FBI was looking around internally.

Aaron Barr: Internally, yes. But maybe not InfraGard. But I know they were looking very hard internally at FBI.gov and their external presence. But also with Sony and PBS. You can assume that a discussion was happening somewhere online about these attacks, about the coordination of the attacks. So how do you become knowledgeable of the different groups that are out there and what their motives and actions are? To me, that’s what’s needed to get ahead of these threats and get some indication and warning about what’s coming. As it stands, there’s no way, outside of PBS just speculating, for them to know. But I’d say now, with these very public attacks – Sony, PBS, Unveilance – that it’s a conversation that needs to happen in board rooms when you are doing something that might be controversial. But what do they do about it after that? I don’t know. That goes back to our previous conversation about locking all the doors.

Threatpost: One of the things that has come up in the wake of the Sony hack is that there’s a split between Japan and the rest of the world. Sony wants to bring PlayStation Network back up and the government in Japan is saying ‘we’re not satisfied that you’ve done enough to secure this network and system to bring it back up.’ Whereas in EU and US, more or less, the authorities are taking Sony’s word that it’s ready to resume business operations on this gaming network. Is there a role for government, as with, say, an E. coli outbreak, in the wake of an incident for governments to come in and say ‘you’ve had a huge public health event and spilled a lot of sensitive data, we’re now the arbiters of when you’re ready to relaunch these services and get back in biz. The decision is not up to your internal IT team because you’ve already proven that you don’t know what the hell is going on.’

Aaron Barr: Right. And this gets to the heart of the problem of .GOV protecting .COM. We’ve created a lot of rules and policies to separate that because we want to foster innovation and creativity. I mean the majority of great Web technologies and services have happened in the U.S. We want to continue to foster that kind of development so that it happens here. But government getting involved is the antithesis of sponsoring innovation and creativity. It will likely stifle it. But you do need to pay attention to significant security theaters. Government doesn’t want to get involved with the business of .COM and telling them what they need to do in relation to security. Government is still trying to wrap its head around that problem. But if you look at government initiatives like the consolidation of external entry points through TIC (the U.S. Department of Homeland Security’s Trusted Internet Connections program) or its effort to stand up Cyber Command and consolidate army and military networks, they’re still trying to grapple with their own internal security issues. I am sure that .GOV and .MIL need to provide better information related to threats. But that will take a while.

So when you ask about (the government) jumping in and telling Sony they’re not secure enough, we’re not there. I’m not sure the Japanese government is there, either, but I understand their desire to do so because of the exposure to the Japanese citizenry. I do like the answer ‘you’re not ready to come back up again,’ but think that could be a regulatory or governing body making those calls after a significant compromise occurred.
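Two points raised in the interview above – SQL injection holes in public-facing Web applications, and storing credentials so that a stolen copy is of little use – in code. This is an added example, not code from the article or from HBGary Federal: it contrasts a lookup built by string concatenation with a parameterised one, and stores per-user salted PBKDF2 hashes instead of passwords. The schema, user names and passwords are constructed, and the iteration count is an assumed value.

```python
import hashlib
import hmac
import os
import sqlite3

# Added example, not code from the article or from HBGary Federal. The schema,
# user names and passwords below are constructed for illustration.

PBKDF2_ITERATIONS = 600_000   # assumption: a work factor suited to current hardware
SALT_LEN = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a 32-byte PBKDF2-HMAC-SHA256 value from password and salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def init_db() -> sqlite3.Connection:
    """In-memory SQLite store holding only per-user salt and hash, never the password."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )
    return conn


def add_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    """Store a fresh random salt and the derived hash. The placeholder (?) form
    sends the username as a bound value, so quotes in it stay data."""
    salt = os.urandom(SALT_LEN)
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised lookup plus constant-time comparison of the derived hash."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))


def user_exists_unsafe(conn: sqlite3.Connection, username: str) -> bool:
    """The 'before' shape: SQL text assembled from user input. A username that
    contains a single quote breaks the statement (sqlite3.OperationalError)
    because the input has become part of the query's structure. Kept only as
    the contrast to user_exists_safe()."""
    query = "SELECT 1 FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchone() is not None


def user_exists_safe(conn: sqlite3.Connection, username: str) -> bool:
    """Same lookup with a bound parameter: the quote is just a character."""
    row = conn.execute("SELECT 1 FROM users WHERE username = ?", (username,)).fetchone()
    return row is not None


def dump_credentials(conn: sqlite3.Connection) -> list:
    """What someone who copied the table would get: usernames, salts, hashes.
    With a per-user salt, two accounts sharing a password store different hashes."""
    return conn.execute("SELECT username, salt, pw_hash FROM users").fetchall()


def demo() -> dict:
    """Constructed walk-through; every value is returned so it can be checked."""
    conn = init_db()
    add_user(conn, "alice", "correct horse battery staple")
    add_user(conn, "bob", "correct horse battery staple")   # same password as alice
    add_user(conn, "o'brien", "quote-in-name")
    rows = {u: (s, h) for u, s, h in dump_credentials(conn)}
    try:
        user_exists_unsafe(conn, "o'brien")
        unsafe_failed = False
    except sqlite3.OperationalError:
        unsafe_failed = True
    return {
        "alice_ok": login(conn, "alice", "correct horse battery staple"),
        "alice_wrong": login(conn, "alice", "Correct horse battery staple"),
        "unknown_user": login(conn, "mallory", "anything"),
        "same_pw_different_hash": rows["alice"][1] != rows["bob"][1],
        "safe_handles_quote": user_exists_safe(conn, "o'brien"),
        "unsafe_breaks_on_quote": unsafe_failed,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```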

Discussion

  • Claudiu Francu on

    This interview contains a lot of bull**** IMHO. Barr speaks about Anonymous and LulzSec like they are the elite of the elite, but the truth is that they use simple attacks. Anonymous exploited a simple vulnerability, then built their way up into their internal network.

    Something like that is totally unacceptable for a security firm. I understand if something like that happens to me, to you, but not to them!

  • Anonymous on

    I have a hard time listening to security advice from an "expert" when he himself uses the same password at several sites and allows himself to be exploited. Do as I say, not as I do, I suppose.

  • Anonymiss Express on

    If you want to know about the real threat, instead of demonising Anonymous to distract people from what's really happening, then look at how individual civilians and their freedom and liberties have been replaced by a self serving political and corporate class using government functions and institutions to enlarge, entrench, and enrich itself. And the Old Spice no longer works. The trust of The People at whose expense this is happening is at an all time low. Earmark abuse, favorable campaign finance laws, bailing out banks and corps, confiscating large amounts of public wealth and income via taxes and inflation, and a general low priority for the needs and desires of civilians, those are some of the real threats. Anonymous protests against those threats to the people. Work on some real problems the people face please, and anonymous will lose its attraction. And that would be okay.

  • Anonymous on

    Oh, come on, Kaspersky. This is just image re-building for Barr. He doesn't grasp what is going on.

    Barr says: "LulzSec is a bit less complex because they're a smaller organization that has broken off from Anonymous and are very focused."

    You got that backwards. Unlike Anonymous, LulzSec is random and unfocused and the Anons I know are appalled that individuals behind LulzSec have exposed the private accounts of 10s of thousands of innocent people who used certain for-pay entertainment sites. What was the point? They just made life more difficult for a lot of powerless people.

    Does LulzSec work for an IT security company or are they just being disruptive until someone better takes them down? And there is ALWAYS someone better.

  • Anonymous on

    I have a hard time listening to security advice from an "expert" when he himself uses the same password at several sites and allows himself to be exploited. Do as I say, not as I do, I suppose.

    Enough said. This guy was gangbanged by Anonymous & Lulzsec. He should change his identity and leave the country, after that.

    http://www.youtube.com/watch?v=rQGl43ks6bE

    http://www.youtube.com/watch?v=ExL4KQ3noOI

  • Anonymous on

    I like his funny comment: "There's always going to be a risk, whether you're HBGary, which had very little external presence, or Sony, which had a massive external presence. I mean, the SQL injection (attack) that we succumbed to was because I asked a Web developer to make a change to our Web site just prior to the attack that added some features and functionality. That opened the SQL injection hole. So its a matter of your development processes and business processes and your security processes. How can you integrate those so that you protect yourself continually? The answer is you can't."

  • Anonymous on

    Why interview with this pathetic guy?? #fail

  • Anonymous on

    This is the guy that uses the same weak password on various different sites. he should have committed suicide by mow

  • Anonymous on

    "Aaron Barr: Operationally, businesses and even security companies fall to the weakness of getting overly focused on business operations and then letting security lapse. " Shouldn't this mean that these security people should be banned from the industry? If you're a security company, and let security lapse, shouldn't that invalidate your business as a whole?

  • Anonymous on

    I stopped reading this article when it said "Barr is a respected authority on computer security". Enough said.

  • Anonymous on

    I have a lot of respect for Threat Post articles. They are usually very good at breaking down the information out there and providing excellent external links for further research. Interviews like this though, terrible. Not the fact that it is an interview, but WHO is being interviewed. Enough information came out of the HBGary hack to know this guy is neither an expert nor a person of good moral conscience. Some of the things HBGary were scheming with the government and that messed up trifecta of organizations that distanced themselves from HBGary once the bad press hit is enough for me to know that this guy is not a "good guy". It was evident from the internal mailings that Barr was using unintelligent logic to try and root out anonymous members; plans that could have easily pinpointed innocent people as being threats. Even his colleagues were miffed at some of the inane things he was coming up with. And don't even get me started on their plans to target people in the media that reported things like WikiLeaks in a favorable light. Free speech my arse. That was a very long winded way of saying this guy is most undeserving of an interview, much less to be cast in some kind of white-hat light. Sorry ThreatPost, this makes you look bad; choose your interview candidates with more care in the future; your readers are more intelligent than this.

  • Anonymous on

    Aaron has fallen prey to the misconception that you can stop this by stopping those currently doing it.

    If you arrested all members of all groups, others (like China's government) would just step in to fill their shoes. The real question is, Aaron, why was the security of YOUR company so so very bad? If a bank were to leave its vaults and doors unlocked over night, would anyone suggest that they should just start arresting people or start locking up as the solution? Not saying they shouldn't be arrested, just saying that will not solve the problem. HBGary left the doors WIDE open.

    Really, we should be thanking these groups for pointing out just how bad security measures are right now. All of what happened at HBGary was 100% preventable by just following normal security lessons.

    Also, could you ask Greg H. why I got notified by a russian hacker that my creds had been compromised on rootkit.com INSTEAD OF HIM! Because of that gross negligence by Greg H, to not bother to notify his users, I have little pity or respect for him.

  • Anonymous on

    tl;dr

  • Commander X on

    Wow, where to start!

    "You can't release 250,000 sensitive documents into the wild and think you're doing good for society. I don't think you can, because there's no way you can vet all 250,000 documents for whether there's a need to release a specific document and what the blow back to that doc might be."

    Barr just doesn't get it. The "blowback", i.e. serious damage to the government being exposed, is THE POINT of the disclosure! The whole idea is to seriously weaken these governments through disclosure as part of an overall shift of power FROM the governments and TO the people. Any State that fails to grasp this will be destroyed in this war.

    And why is there no mention of the fact that his dox of Anonymous was 95% incorrect, thus exposing hundreds of completely innocent people to being falsely accused of being associated with Anonymous? Why is there no discussion of the morality of this idiot spying on private citizens and their online activities?

    This man is an amoral fool, he deserved what was done to him. This article can safely be ignored.

    Commander X

    Peoples Liberation Front

  • Anonymous on

    And a little something that Mr. Barr could have used prior to the mess is a website where he could check if his password was compromised. Like this one: http://shouldichangemypassword.com/

  • Anonymous on

    Cracker Suite Gary in the land of the Lulz Lizards: Act II, shilling for pennies. http://en.wikipedia.org/wiki/Aaron_Barr Are you intentionally trying to add another paragraph of fail to that already epic list? Go work on your level 83 Elf warlock, no-one else cares. p.s. "A kid just needs to download it, set it up and go back to playing Quake." Yes, Aaron, go get into your Delorean & travel back to when kids played Quake. Way to pander to the cats&grannies Foxnews audience... given you play WoW, I'm guessing you're pandering. /Shill.

  • Anonymous on

    What happened to Barr and HBGary still makes me chuckle.

    Heh, heh, heh.

  • AlertAshAnon on

    Poor Aaron Barr. All he did was "to openly speculate on the identities of members of the online hacking group Anonymous."

    Wrong. He attempted to infiltrate, deceive, and out them to the FBI. Instead, he got pwned by his own epic failure to understand what he was dealing with. Observe the hubris of his replies to the Anons he targeted. Acting the fool the whole while. I would go to arstechnica and read them for yourselves. Come on, Aaron, you're an unlucky victim in the same way I'm an unlucky victim when I kick a hornet's nest.

  • Anonymous on

    http://oo.thebanzaieffect.com/2011/06/lulzsec-downs-cias-public-site-appears-to-be-subject-of-framing-attempt/ He's still at it - attempting to be relevant by providing false information on LulzSec "hacking" BitCoin - directly tweeting false information either knowingly, or stupidly. Blatantly relying on the anchoring effect to spread disinfo - as if there aren't /actual/ whitehats after LulzSec. Or worse still, being used as a cheap shrill shill knowing he'll blurt out his "insider" knowledge... and being laughed at. The industry needs to cease all contact with this man if it wants to look any way professional. At the moment, he makes the entire sector look like it's run like a banana republic in the 70's - corrupt, inefficient, lawless and worst... stupid. The real threat at this time are fools like Aaron acting as if legal process doesn't apply to online activities - the Themis pitch to BoA / Chamber of Commerce was illegal, fyi - the problem is that once /no-one/ respects the law, then you're *all* LulzSec; that's the irony you've missed, and the irony that is sinking all your boats. If the Law becomes a joke (and it has, oh it has) then you're stuck with the law of the sea - may the best amoral bastards win. Which is either GS or the Lulz Lizards, and not Aaron Baarrrrr [sheep] at this point in time. "Freedom requires a significant level of responsibility." - Yes, and you proved conclusively that you don't have the necessary levels of moral fiber, Aaron. So, please - stop tweeting, go do something good for your society, and stop acting out online. Frankly, it's embarrassing now.

  • AmazingGrace on

    Is this guy *seriously* claiming the Pentagon Papers were "vetted" before publishing? Could Threatpost maybe set up an interview with Daniel Ellsberg to have his opinion on that? And why this interview? He's been the laughing stock of the entire security community ever since HBGary Federal was breached due to his hubris (and poor network security). And that's even without mentioning the Romas/COIN government surveillance program that's all over the news and which he seems to have been involved with. Some folks just don't get it. If I were in his shoes, I'd be herding camels in Southern Mongolia and having nightmares about Seal Team Six by now.

  • Anonymous on

    "Anonymous hacked HBGary's servers and made off with tens of thousands of messages"

    Guess he's not an authority on computer security then, is he?

  • Anonymous on

    This article is inhumanly biased, it represents an unfair view. LulzSec found that he was using RATs (forceful remote access) on 15-year-olds because he was pretending to be a cam whore. This guy is really messed up and only cares about money, he is a snitch and will report anyone to the FBI.

  • Anonymous on

    Wow, the 14-22 year old fanboy base is strong here.

  • Kaylaja L. on

    Authorities in the UK have detained an alleged participant of a hacker group that may have contributed to the Sony PlayStation Network hack. The arrest was carried out in conjunction with other law enforcement agencies. The male was taken from his home in Wickford, less than 50 miles from London, to Scotland Yard for supposed computer infractions. I read this here: Accused member of hacker group LulzSec arrested in UK

  • PhoenixNewMedia on

    I know you booked him for the conference but why do you describe Barr as a "respected authority on computer security?" He was a former petty officer with a good sales pitch. Did you read the e-mail exchanges with his programmer? Clearly, this incident exposed him as a fraud and novice on computer security. The same is true of the security "experts" at Mantech. All of these DOD contracting companies are filled with incompetents who are only there because of their DOD connections. The Chinese must be laughing their asses off. How do you say "sucker" in Mandarin?
