This is the second in a two-part interview with Aaron Barr, the former CEO of HBGary Federal.
In the second half of his exclusive interview with Threatpost, former HBGary CEO Aaron Barr – speaking before the arrest of alleged Lulzsec member Ryan Cleary in the UK – talked about the likely law enforcement reaction to the Anonymous and Lulzsec hacks, the mainstream media’s portrayal of the hack of HBGary, as well as how he was picking up the pieces after the embarrassing hack of his employer.
Threatpost: One question that folks have, given that Lulzsec and Anonymous aren’t secretive about what they’re doing, is why it’s taken the authorities so long to crack down on them?
Aaron Barr: Well… it’s going to happen. With all the attacks on Sony. And now an attack on an FBI affiliate – part of the FBI infrastructure. That’s not going to go unanswered. But the government still has rules and policies that they have to follow. Just because Lulz and Anonymous are making life very painful for the government and some companies, they’re not going to run roughshod over civil liberties and personal privacy. So they need to work very methodically. Also, organizations like Facebook and Twitter don’t necessarily like the idea of having to work with the FBI under subpoena and warrant. So there’s some animosity between the commercial companies that have the information on these guys because they all work online and the FBI’s goals of finding out who is doing the attacks. So that’s just the environment the FBI has to work in. They’re going to get there, but it’s going to take time, because what they don’t want is to get the wrong person or put out a search warrant for someone who isn’t involved.
One of the things I thought was naive about Anonymous was that they thought that whatever I was doing could be taken to the FBI and used to arrest innocent people. That would never happen. The FBI would never have taken my documents and said ‘OK, send out arrest warrants for the following people.’ That’s ridiculous. The FBI has a method of doing things and they follow that, and they’re diligent in following it.
Threatpost: So we shouldn’t presume that nothing’s been done because the members are not known to authorities or are so good at hiding their tracks or untraceable?
Aaron Barr: They’re not untraceable. I would assume that the reason arrests haven’t been made isn’t because members haven’t been identified but because they need to make sure 100% that who they might think is a particular person is that person before they go knocking down a door or issuing a search warrant, then gather evidence and if they have enough evidence they’ll make the arrest.
Threatpost: You’ve said that LulzSec is just a splinter group of the Anonymous leadership. What do you think the reason for forming a new group was?
Aaron Barr: I’m not sure, but having done some interesting jobs in my life, I’d say that the reason they broke off is twofold: they wanted to keep doing what they were doing, but they also needed to close the group a bit. They knew they were touching some hot organizations and needed to try to plug up the holes.
Threatpost: But at the same time, they went on an even higher profile spree and higher profile targets?
Aaron Barr: These guys are going for broke. It’s like the ending scene of Butch Cassidy and the Sundance Kid.
Threatpost: Is this because they know they’ll be arrested?
Aaron Barr: I think so. I think at this point they know they’ll get arrested. That said, I’m not sure what the near future is. The near future for me is next week and I’m not sure the FBI is willing to work that fast.
Threatpost: So what’s up in the life of Aaron Barr?
Aaron Barr: I’m getting ready to enter the workforce somewhere. I have some opportunities I’m considering. Right now, I’m just taking time off and talking to folks — trying to see where things are going. I think because I was the front of the wave, there was a lot of speculation about what I was up to — things in my emails. So I needed to take a pause and figure out what the right thing for me to do was. I wasn’t sure whether I was going to be poisoned in my community or where the paths are going to go. Recently I’ve become more confident in terms of where things are going. I’m starting to get more active again with people inside the industry and publicly. I think I have a good story to tell and a good perspective that can help. So I’m interested to get back into that.
Threatpost: What do you think about the reaction of the security community? Do you feel like you were made to be a pariah?
Aaron Barr: Well it depends on if you mean public or private. All companies, right after it happened, were afraid to touch me because of the fear of being attacked – even companies I was very close with. I came with this Anonymous cloud over my head and people perceived that wherever I went, Anon would follow. So everybody was very cautious. But privately, I’ve gotten lots of support. There are lots of people who told me that I was on the right track and that what I was doing was the future of what we need to do — to follow the humans rather than the attack.
Threatpost: What lesson do you think the private sector has taken from the hack of HBGary and Sony and so on?
Aaron Barr: I think, you know, companies are still afraid. They’re all still afraid of being attacked. They’re saying ‘we want to make sure to focus on the risk and not take too big of a risk to create a target or do something that makes a target.’ But also, I think they’re realizing the fact that to some degree, we can’t prevent that. So it’s like ‘what do we do now?’ I know I have a somewhat unique perspective on this because of where I’ve come from, but it seems that everything changed a bit. The community’s changed.
Threatpost: How so?
Aaron Barr: Well, we finally realized that there’s really nothing to do to protect ourselves. And we don’t know now how to evaluate our actions versus our vulnerabilities. So what can we do? What should we do? When the next Geohot (George Hotz) comes along, what do we do? I’m not making a judgement of what Sony did as right or wrong, but now they have to evaluate their business decision based on ‘will there be some retribution to this?’ I don’t think this was discussed in board rooms before.
Threatpost: And there’s a monetary figure – not just a reputation risk, but a huge dollar risk attached to the worst case scenario now, if you look at Sony’s PSN being down for more than a month, and so on.
Aaron Barr: Yes. A huge dollar risk. And the weakness in all of this is what do we do about passwords?
Threatpost: Yes, if you look at these hacks, password reuse is certainly a common element — weak passwords and password reuse.
Aaron Barr: Right. For example, I had a fairly strong password. I did reuse it, but not pervasively. I reused it on Twitter, but not on Facebook or LinkedIn or my other social media accounts. But I did happen to reuse the same password on my corporate email and Twitter, and those are the ones they got. So you have to have zero password reuse, and that’s hard. The number of accounts I have was probably 50 plus. So I don’t know what the answer is.
Threatpost: You got a bad rap from Anonymous and the media about the work you were doing or proposing for HBGary Federal. Some of which was about what you’re talking about – profiling – and that was portrayed as big brotherish or underhanded and sleazy. What are your thoughts about how those emails were construed and the things that you were proposing with HBGary?
Aaron Barr: I can unequivocally say: none of what we developed was developed under a government contract. I read an interesting quote by (TaoSecurity’s) Richard Bejtlich, which was that the most troubling aspect of deterring cyber threats was the cost of deterring them. I tried to use that as a jumping off point for what I was trying to develop. I realized a long time ago that we were looking at protecting organizations backwards, from a malware perspective. We need to start looking at people.
Another thing I’d like to say is that I never used any technology we developed to intimidate or try to coerce anyone, including U.S. citizens. What I would develop and try to develop was the capability of allowing companies to protect themselves and allow them to protect themselves from illegal activity. So if someone comes to me and says ‘we think labor unions or another organization is organizing to coerce certain results from us, and that’s illegal, and we want to try to identify if that is being done, can you help us do that using social media?’ I would have offered the same service to anybody.
I think a lot of people painted me as a corrupt big-business wonk. The reality is that I grew up a liberal Democrat. My dad is a poet. So being pro big business is not in my nature, but protecting people from illegal activity is. Yes, some of the things people discussed seem more aggressive in nature, but I think people need to remember that inside any business development process, you start with brainstorming. So if we want to start to mitigate the threat, how do we do it? I happen to have a military and government background, so here’s some ideas. Things were way more overblown from a single slide, titled “Potential Proactive Tactics.”
Threatpost: Was the media too willing to accept Anonymous’s message?
Aaron Barr: Absolutely. I think that’s starting to change. But overwhelmingly from the beginning, I was the bad guy and Anonymous was the good guy. HBGary was viciously attacked by Anonymous. HBGary had nothing to do with my talk. HBGary Federal was a completely separate company, but Anonymous folks took retribution on me because I was going to take retribution on them. My talk (at B-Sides San Francisco) was on social media. Anonymous was one use case of three. But they took retribution on me, HBGary employees, HBGary itself, just because we used the same mail server. And the press, because of things that were in the e-mail, took things out of context and sided with Anonymous.
Threatpost: Do you see that attitude changing because of the subsequent attacks?
Aaron Barr: I do. Certainly if you look at incidents like the hack of Unveillance and Karim Hijazi, their CEO. Lulzsec was clearly trying to extort him. So where are the hacktivist morals in that? And Sony – there was just one punishment after another on Sony. Where’s the point in that? I think the press is starting to see the group lose that Robin Hood veneer. When they go to jail, they’ll lose some more.