Barr Unbowed Part II: Setting the Record Straight on HBGary Federal

This is the second in a two-part interview with Aaron Barr, the former CEO of HBGary Federal.

In the second half of his exclusive interview with Threatpost, former HBGary CEO Aaron Barr – speaking before the arrest of alleged Lulzsec member Ryan Cleary in the UK – talked about the likely law enforcement reaction to the Anonymous and Lulzsec hacks, the mainstream media’s portrayal of the hack of HBGary, as well as how he was picking up the pieces after the embarrassing hack of his employer.

Threatpost: One question that folks have, given that Lulzsec and Anonymous aren’t secretive about what they’re doing, is why it’s taken the authorities so long to crack down on them?

Aaron Barr: Well… it’s going to happen. With all the attacks on Sony. And now an attack on an FBI affiliate – part of the FBI infrastructure. That’s not going to go unanswered. But the government still has rules and policies that they have to follow. Just because Lulz and Anonymous are making life very painful for the government and some companies, they’re not going to run roughshod over civil liberties and personal privacy. So they need to work very methodically. Also, organizations like Facebook and Twitter don’t necessarily like the idea of having to work with the FBI under subpoena and warrant. So there’s some animosity between the commercial companies that have the information on these guys because they all work online and the FBI’s goals of finding out who is doing the attacks. So that’s just the environment the FBI has to work in. They’re going to get there, but it’s going to take time, because what they don’t want is to get the wrong person or put out a search warrant for someone who isn’t involved.

One of the things I thought was naive about Anonymous was that they thought that whatever I was doing could be taken to the FBI and used to arrest innocent people. That would never happen. The FBI would never have taken my documents and said ‘OK, send out arrest warrants for the following people.’ That’s ridiculous. The FBI has a method of doing things and they follow that, and they’re diligent in following it.

Threatpost: So we shouldn’t presume that nothing’s been done because the members are not known to authorities or are so good at hiding their tracks or untraceable?

Aaron Barr: They’re not untraceable. I would assume that the reason arrests haven’t been made isn’t because members haven’t been identified but because they need to make sure 100% that who they might think is a particular person is that person before they go knocking down a door or issuing a search warrant, then gather evidence and if they have enough evidence they’ll make the arrest.

Threatpost: You’ve said that LulzSec is just a splinter group of the Anonymous leadership. What do you think the reason for forming a new group was?

Aaron Barr: I’m not sure, but having done some interesting jobs in my life, I’d say that the reason they broke off is twofold: they wanted to keep doing what they were doing, but they also needed to close the group a bit. They knew they were touching some hot organizations and needed to try to plug up the holes.


Threatpost: But at the same time, they went on an even higher profile spree and higher profile targets?

Aaron Barr: These guys are going for broke. It’s like the ending scene of Butch Cassidy and the Sundance Kid.

Threatpost: Is this because they know they’ll be arrested?

Aaron Barr: I think so. I think at this point they know they’ll get arrested. That said, I’m not sure what the near future is. The near future for me is next week and I’m not sure the FBI is willing to work that fast.


Threatpost: So what’s up in the life of Aaron Barr?

Aaron Barr: I’m getting ready to enter the workforce somewhere. I have some opportunities I’m considering. Right now, I’m just taking time off and talking to folks — trying to see where things are going. I think because I was the front of the wave, there was a lot of speculation about what I was up to — things in my emails. So I needed to take a pause and figure out what the right thing for me to do was. I wasn’t sure whether I was going to be poisoned in my community or where the paths are going to go. Recently I’ve become more confident in terms of where things are going. I’m starting to get more active again with people inside the industry and publicly. I think I have a good story to tell and a good perspective that can help. So I’m interested to get back into that.

Threatpost: What do you think about the reaction of the security community? Do you feel like you were made to be a pariah?

Aaron Barr: Well it depends on if you mean public or private. All companies, right after it happened, were afraid to touch me because of the fear of being attacked – even companies I was very close with. I came with this Anonymous cloud over my head and people perceived that wherever I went, Anon would follow. So everybody was very cautious. But privately, I’ve gotten lots of support. There are lots of people who told me that I was on the right track and that what I was doing was the future of what we need to do — to follow the humans rather than the attack.


Threatpost: What lesson do you think the private sector has taken from the hack of HBGary and Sony and so on?

Aaron Barr: I think, you know, companies are still afraid. They’re all still afraid of being attacked. They’re saying ‘we want to make sure to focus on the risk and not take too big of a risk to create a target or do something that makes a target.’ But also, I think they’re realizing the fact that to some degree, we can’t prevent that. So it’s like ‘what do we do now?’ I know I have a somewhat unique perspective on this because of where I’ve come from, but it seems that everything changed a bit. The community’s changed.


Threatpost: How so?

Aaron Barr: Well, we finally realized that there’s really nothing to do to protect ourselves. And we don’t know now how to evaluate our actions versus our vulnerabilities. So what can we do? What should we do? When the next Geohot (George Hotz) comes along, what do we do? I’m not making a judgement of what Sony did as right or wrong, but now they have to evaluate their business decision based on ‘will there be some retribution to this?’ I don’t think this was discussed in board rooms before.

Threatpost: And there’s a monetary figure – not just a reputation risk, but a huge dollar risk attached to the worst case scenario now, if you look at Sony’s PSN being down for more than a month, and so on.

Aaron Barr: Yes. A huge dollar risk. And the weakness in all of this is what do we do about passwords?

Threatpost: Yes, if you look at these hacks, password reuse is certainly a common element — weak passwords and password reuse.

Aaron Barr: Right. For example, I had a fairly strong password. I did reuse it, but not pervasively. I reused it on Twitter, but not on Facebook or LinkedIn or my other social media accounts. But I did happen to reuse the same password on my corporate email and Twitter, and those are the ones they got. So you have to have zero password reuse, and that’s hard. The number of accounts I have was probably 50 plus. So I don’t know what the answer is.

Threatpost: You got a bad rap from Anonymous and the media about the work you were doing or proposing for HBGary Federal. Some of which was about what you’re talking about – profiling – and that was portrayed as Big Brother-ish or underhanded and sleazy. What are your thoughts about how those emails were construed and the things that you were proposing with HBGary?

Aaron Barr: I can unequivocally say: none of what we developed was developed under a government contract. I read an interesting quote by (TaoSecurity’s) Richard Bejtlich, which was that the most troubling aspect of deterring cyber threats was the cost of deterring them. I tried to use that as a jumping off point for what I was trying to develop. I realized a long time ago that we were looking at protecting organizations backwards, from a malware perspective. We need to start looking at people.

Another thing I’d like to say is that I never used any technology we developed to intimidate or try to coerce anyone, including U.S. citizens. What I would develop and try to develop was the capability of allowing companies to protect themselves and allow them to protect themselves from illegal activity. So if someone comes to me and says ‘we think labor unions or another organization is organizing to coerce certain results from us, and that’s illegal, and we want to try to identify if that is being done, can you help us do that using social media?’ I would have offered the same service to anybody.

I think a lot of people painted me as a corrupt big business wonk. The reality is that I grew up a liberal Democrat. My dad is a poet. So being pro big business is not in my nature, but protecting people from illegal activity is. Yes, some of the things people discussed seem more aggressive in nature, but I think people need to remember that inside any business development process, you start with brainstorming. So if we want to start to mitigate the threat, how do we do it? I happen to have a military and government background, so here’s some ideas. Things were way more overblown from a single slide, titled “Potential Proactive Tactics.”

Threatpost: Was the media too willing to accept Anonymous’s message?

Aaron Barr: Absolutely. I think that’s starting to change. But overwhelmingly from the beginning, I was the bad guy and Anonymous was the good guy. HBGary was viciously attacked by Anonymous. HBGary had nothing to do with my talk. HBGary Federal was a completely separate company, but Anonymous folks took retribution on me because I was going to take retribution on them. My talk (at B-Sides San Francisco) was on social media. Anonymous was one use case of three. But they took retribution on me, HBGary employees, HBGary itself, just because we used the same mail server. And the press, because of things that were in the e-mail, took things out of context and sided with Anonymous.

Threatpost: Do you see that attitude changing because of the subsequent attacks?

Aaron Barr: I do. Certainly if you look at incidents like the hack of Unveilance and Karim Hijazi, their CEO. Lulzsec was clearly trying to extort him. So where are the hacktivist morals in that? And Sony – there was just one punishment after another on Sony. Where’s the point in that? I think the press is starting to see the group lose that Robin Hood veneer. When they go to jail, they’ll lose some more.

Discussion

  • @sharpesecurity on

    It strikes me as slightly disingenuous to say HBGary Federal was an entirely separate company. The truth is - and this is straight from Greg Hoglund - that HBGary Federal was started by HBGary to do their classified work and to avoid having any HBGary intellectual property declared classified.

  • Bazz on

    What I dislike immensely is that nobody cares that crap is made and sold as a good OS.

    And someone else profits from that crap.

    Anonymous just disliked the hypocrisy and arrogant greed of prostitutes who sold their souls and remained virtuous because it was to the USA!

    Well you can have Castro or JFK but when money is involved it’s prostitution!

    And anyone including anonymous can join in the romp!

  • Anonymous on

    stickin’ it back in the hornets’ nest?

  • Anonymous on

    Not sure why threatpost has been interviewing Mr. Barr. He is history and so is HBGary. Their reputation is ruined beyond repair in minds of everyone I work with in the Infosec industry. The only time anyone mentions HBGary now is when they want a good laugh.

  • Anonymous on

    That’s not the same industry I work in. Initially most of the peers I spoke to were questioning what was going on, most now support HBGary’s ability to withstand this and I hear they are doing well.

  • Anonymous on

    The irony of most of these posts being made by Anonymous is not lost.

  • Really? on

    Threatpost, this is really disappointing. Why in the world are you interviewing Aaron Barr for insight into Anonymous or LulzSec, when from the information that is now extraordinarily public, we know that he has absolutely no insight at all -- despite his attempts at media hype using pseudo-science, manipulation, and outright lies.

    Why would you interview someone who has been exceptionally, thoroughly, and effortlessly owned on best practices for not being hacked? After all that, he still doesn't even get it. How can he expect to say that he had a strong password and have us believe it, when we all saw his password? It seems like he finally understands that password reuse could be a problem, but still doesn't know what the solution is? It's called a password manager.

    Everything this guy says reeks of either incompetence or overwhelming naivete. The FBI would *never* do anything that could result in the wrong people being put under scrutiny? Just today there are several stories about the FBI gobbling up all the servers in a data center near the one they happened to be interested in. This community knows the truth: day after day we see stories about hackers and researchers of all types being scooped up and having their lives ruined for no good reason at all, whether it's Byron Sonne or Steve Kurtz.

    Lastly, to ask these types of leading questions, which suggest that any of the information that was picked up by the media or the trade press in the aftermath of the HBGary hacks was somehow "taken out of context" is totally ridiculous. It's not like we just saw a single quote and drew conclusions, we saw *every email that has ever been sent or received*. We got the *entire* picture, and it's an ugly one of incompetence, manipulation, negligence, invasive posturing, and lies.

  • TG on


    Security companies have been cowering in fear of Anonymous and afraid to speak up, lest they become the next target. What does that tell you about the reality of the security industry? It’s about time Aaron started talking again. He should have told his side of the story sooner, IMHO. Up until now the only person talking in the room has been the Anonymous PR staff.

    As for supporters of Anonymous, they don’t belong in the security industry.  Regarding the security industry - if your IT staff or security consultants are sympathetic to Anonymous, they are a liability.  There should be no quarter given to grey-hats who support a criminal hacking group.


  • Anonymous on

    Which were what exactly? That he was doing research on an organization that was conducting illegal activity and has now started to endanger LE officers working counter narcotics and terrorism? Maybe Aaron saw something that needed addressing before the rest of us did. I don't see anything in his emails that most of us in this community aren't a part of or have discussed as needed at one point. Most of the people that submit comments here sound like they are either Anonymous/Lulzsec or their supporters. How about more comments from people actually in this industry.

  • Anonymous on

    And you know what, one more thing. No one that actually works in this business could withstand the scrutiny of having their email stolen and published to the world. It seems Anonymous and some of the media blew some stuff way out of proportion. And hypocritically, Anonymous took retribution for something it does in a much bigger way.
