by fiddler
Previous Newton's Third Law posts are Newton's Third Law, with two updates, written Wednesday and Thursday, posted Friday midday; and Newton's Third Law 3rd update, written and posted Friday. Now that it's Saturday, most of the new articles are roundups of older ones, but I've found (and been sent) some things that didn't surface before -- articles about methods, connections, ethical and legal questions and more. As in previous posts, all typos and bad grammar in original source material have been left unedited. I have also not corrected for variant spellings of HBGary.
Ars Technica: How One Man Tracked Down Anonymous And Paid a Heavy Price. (sent to me by liberal_japonicus). This is a look behind the scenes at Aaron Barr's actions at HBGary:
...Near the end of January, Barr began publicizing his information, though without divulging the names of the Anonymous admins. When the Financial Times picked up the story and ran a piece on it on February 4, it wasn't long before Barr got what he wanted—contacts from the FBI, the Director of National Intelligence, and the US military. The FBI had been after Anonymous for some time, recently kicking in doors while executing 40 search warrants against group members.Confident in his abilities, Barr told one of the programmers who helped him on the project, "You just need to program as good as I analyze."
But on February 5, one day after the Financial Times article and six days before Barr's sit-down with the FBI, Anonymous did some "pwning" of its own. "Ddos!!! Fckers," Barr sent from his iPhone as a distributed denial of service attack hit his corporate network. He then pledged to "take the gloves off."
When the liberal blog Daily Kos ran a story on Barr's work later that day, some Anonymous users commented on it. Barr sent out an e-mail to colleagues, and he was getting worked up: "They think all I know is their irc names!!!!! I know their real fing names. Karen [HBGary Federal's public relations head] I need u to help moderate me because I am getting angry. I am planning on releasing a few names of folks that were already arrested. This battle between us will help spur publicity anyway."
Indeed, publicity was the plan. Barr hoped his research would "start a verbal braul between us and keep it going because that will bring more media and more attention to a very important topic."...
And then, within a day, Anonymous attacked, as we know. The fallout was intense:
The situation got so bad for the security company that HBGary, the company which partially owns HBGary Federal, sent its president Penny Leavy into the Anonymous IRC chat rooms to swim with the sharks—and to beg them to leave her company alone. (Read the bizarre chat log.) Instead, Anonymous suggested that, to avoid more problems, Leavy should fire Barr and "take your investment in aaron's company and donate it to BRADLEY MANNINGS DEFENCE FUND." Barr should cough off up a personal contribution, too; say, one month's salary?...
Barr's theory and tactics:
Barr had been interested in social media for quite some time, believing that the links it showed between people had enormous value when it came to mapping networks of hackers—and when hackers wanted to target their victims. He presented a talk to a closed Department of Justice conference earlier this year on "specific techniques that can be used to target, collect, and exploit targets with laser focus and with 100 percent success" through social media.His curiosity about teasing out the webs of connections between people grew. By scraping sites like Facebook or LinkedIn, Barr believed he could draw strong conclusions, such as determining which town someone lived in even if they didn't provide that information. How? By looking at their friends.
"The next step would be ok we have 24 people that list Auburn, NY as their hometown," he wrote to the programmer implementing his directives. "There are 60 other people that list over 5 of those 24 as friends. That immediately tells me that at a minimum those 60 can be tagged as having a hometown as Auburn, NY. The more the data matures the more things we can do with it."
The same went for hackers, whose family and friends might provide information that even the most carefully guarded Anonymous member could not conceal. "Hackers may not list the data, but hackers are people too so they associate with friends and family," Barr said. "Those friends and family can provide key indicators on the hacker without them releasing it…"
Not everyone at the company liked Barr's ideas:
His programmer had doubts, saying that the scraping and linking work he was doing was of limited value and had no commercial prospects. As he wrote in an e-mail:
Step 1 : Gather all the dataBut Barr was confident. "I will sell it," he wrote.Step 2 : ???
Step 3 : Profit
To further test his ideas and to drum up interest in them, Barr proposed a talk at the BSides security conference in San Francisco, which takes place February 14 and 15. Barr's talk was titled "Who Needs NSA when we have Social Media?" and his plan to draw publicity involved a fateful decision: he would infiltrate and expose Anonymous, which he believed was strongly linked to WikiLeaks.
"I am going to focus on outing the major players of the anonymous group I think," he wrote. "Afterall - no secrets right? :) We will see how far I get. I may focus on NSA a bit to just so I can give all those freespeech nutjobs something… I just called people advocating freespeech, nutjobs - I threw up in my mouth a little."
With that, the game was afoot....
According to the article, Barr had originally admired Anonymous for its work in outing the killing of civilians by US military, but he changed his mind after the leak of the diplomatic cables. And then he set to work:
Barr created multiple aliases and began logging on to Anonymous IRC chat rooms to figure out how the group worked. He worked to link these IRC handles to real people, in part using his social networking expertise, and he created fake Twitter accounts and Facebook profiles. He began communicating with those he believed were leaders.
After weeks of this work, he reported back to his colleagues on how he planned to use his fake personas to drum up interest in his upcoming talk.
I have developed a persona that is well accepted within their groups and want to use this and my real persona against eachother to build up press for the talk.Pre-talk plan.
I am going to tell a few key leaders under my persona, that I have been given information that a so called cyber security expert named Aaron Barr will be briefing the power of social media analysis and as part of the talk with be dissecting the Anonymous group as well as some critical infrastructure and government organizations
I will prepare a press sheet for Karen to give to Darkreading a few days after I tell these folks under persona to legitimize the accusation. This will generate a big discussion in Anonymous chat channels, which are attended by the press. This will then generate press about the talk, hopefully driving more people and more business to us.
Barr then contacted another security company that specializes in botnet research. He suspected that top Anonymous admins like CommanderX had access to serious Internet firepower, and that this probably came through control of bots on compromised computers around the world.
Barr asked if the researchers could "search their database for specific targets (like the one below) during an operational window (date/time span) to see if any botnet(s) are participating in attacks? Below is an attack which is currently ongoing." (The attack in question was part of Anonymous' "Operation Payback" campaign and was targeted at the government of Venezuela.)
The report that came back focused on the Low Orbit Ion Cannon, a tool originally coded by a private security firm in order to test website defenses. The code was open-sourced and then abandoned, but someone later dusted it off and added "hivemind mode" that let LOIC users "opt in" to centralized control of the tool. With hundreds or thousands of machines running the stress-test tool at once, even major sites could be dropped quickly. (The company recorded only 1,200 machines going after MasterCard on December 11, for instance.)
To boost the credibility of his online aliases, Barr then resorted to a ruse. He asked his coder to grab the LOIC source code. "I want to add some code to it," Barr said. "I don't want to distribute that, it will be found and then my persona will be called out. I want to add it, distribute it under a persona to burn and then have my other persona call out the code."
The code to be added was an HTTP beacon that linked to a free website Barr had set up on Blogspot. He wanted a copy of the altered source and a compiled executable. His programmer, fearing Anonymous, balked.Not everyone likes sock puppet tactics.
On January 20, the coder wrote back, "I'm not compiling that shit on my box!" He even refused to grab a copy of the source code from message boards or other IRC users, because "I ain't touchin' any of that shit as those are already monitored.""Dude," responded Barr. "Anonymous is a reckless organization. C'mon I know u and I both understand and believe generally in their principles but they are not a focused and considerate group, the[y] attack at will and do not care of their effects. Do u actually like this group?"
The coder said he didn't support all they did, but that Anonymous had its moments. Besides, "I enjoy the LULZ."...
... But when WikiLeaks released its huge cache of US diplomatic cables, Barr came to believe "they are a menace," and that when Anonymous sprang to the defense of WikiLeaks, it wasn't merely out of principle. It was about power.
"When they took down MasterCard do u think they thought alright win one for the small guy!" he asked. "The first thought through most of their malcontented minds was a rush of power. That's not ideals."
He continued in this philosophical vein:
But dude whos evil?His coder asked Barr how he slept at night, "you military industrial machine capitalist."US Gov? Wikileaks? Anonymous?
Its all about power. The Wikileaks and Anonymous guys think they are doing the people justice by without much investigation or education exposing information or targeting organizations? BS. Its about trying to take power from others and give it to themeselves.
I follow one law.
Mine.
"I sleep great," Barr responded. "Of course I do indoor [enjoy?] the money and some sense of purpose. But I canget purpose a lot of places, few of which pay this salary."
The comments are over the top, of course. Elsewhere, Barr gets more serious. "I really dislike corporations," he says. "They suck the lifeblood out of humanity. But they are also necessary and keep us moving, in what direction I don't know.
"Governments and corporations should have a right to protect secrets, senstive information that could be damage to their operations. I think these groups are also saying this should be free game as well and I disagree. Hence the 250,000 cables. WHich was bullshit… Society needs some people in the know and some people not. These folks, these sheep believe that all information should be accessible. BS. And if they truly believe it then they should have no problem with me gathering information for public distribution."
But Anonymous had a bit of a problem with that....
And more on his methodology:
Barr would do things like correlate timestamps; a user in IRC would post something, and then a Twitter post on the same topic might appear a second later. Find a few of these links and you might conclude that the IRC user and the Twitter user were the same person.
Even if the content differed, what if you could correlate the times that someone was on IRC with the times a Facebook user was posting to his wall? "If you friend enough people you might be able to correlate people logging into chat with people logging into Facebook," Barr wrote.
The document contained a list of key IRC chatrooms and Twitter accounts. Facebook groups were included, as were websites. But then Barr started naming names. His notes are full of comments on Anonymous members. "Switch" is a "real asshole but knows what he's talking about," while "unbeliever" might be "alexander [last name redacted]."
In the end, Barr determined that three people were most important. A figure called Q was the "founder and runs the IRC. He is indead in California, as are many of the senior leadership of the group." Another person called Owen is "almost a co-founder, lives in NY with family that are also active in the group, including slenaid and rabbit (nicks)." Finally, CommanderX can "manage some significant firepower." Barr believed he had matched real names to each of these three individuals.
After his not-altogether-successful IRC discussion with members of Anonymous, in which his pseudonym was Julian Goodspeak, someone from Anonymous apparently tried to recruit him for a job, though Anonymous later said this was a joke:
Then came an IRC log that Barr sent around, in which a user named Topiary tried to recruit him (under the name CogAnon) for "a new operation in the Washington area" where HBGary Federal has its headquarters. The target is "a security company."
By late afternoon on the 5th, Barr was angry and perhaps a little scared, and he asked his PR person to "help moderate me because I am getting angry. I am planning on releasing a few names of folks that were already arrested." It's not clear that Barr ever did this, however; he admitted in another e-mail that he could get a bit "hot" in private, though he would generally cool down before going public.Topiary: Hello.
CogAnon: Hi
Topiary: We're recruiting for a new operation in the Washington area; interested?
CogAnon: potentially depends on what it is...
Topiary: I take it from your host that you're near where our target is. We could use local publicity.
CogAnon: Is it physical or virtual?
CogAnon: ah yeah...I am close...
Topiary: Virtual. Everything is in place.
CogAnon: I can be in the city within a few hours...depending on trafficlol.
CogAnon: oh ok.
CogAnon: ok so what do u need from me?
Topiary: Our target is a security company. We may need local help on information gathering.
CogAnon: ok well just let me know.
CogAnon: not sure how I can help still though?
Hours later, the attack escalated from some odd DDoS traffic to a full-scale break-in of HBGary Federal systems, one that showed tremendous skill. "What amazes me is, for a security company - you had such a basic SQL vulnerability on your website," wrote one Anonymous member later.
Days afterward, the company has still not managed to restore its complete website.
The coder he worked with continued to object to his methods:
Later, when Barr talks about some "advanced analytical techniques" he's been pondering for use on the Anonymous data, the coder replies with apparent frustration, "You keep saying things about statistics and analytics but you haven't given me one algorithm or SQL query statement."
Privately, the coder then went to another company official with a warning. "He's on a bad path. He's talking about his analytics and that he can prove things statistically but he hasn't proven anything mathematically nor has he had any of his data vetted for accuracy, yet he keeps briefing people and giving interviews. It's irresponsible to make claims/accusations based off of a guess from his best gut feeling when he has even told me that he believes his gut, but more often than not it's been proven wrong. I feel his arrogance is catching up to him again and that has never ended well...for any of us."
Others made similar dark warnings. "I don't really want to get DDOS'd, so assuming we do get DDOS'd then what? How do we make lemonade from that?" one executive asked Barr. The public relations exec warned Barr not to start dropping real names: "Take the emotion out of it -> focus on the purpose. I don't see benefit to you or company to tell them you have their real names -- published or not."
Another internal warning ended: "Danger Will Robinson. You could end up accusing a wrong person. Or you could further enrage the group. Or you could be wrong, and it blows up in your face, and HBGary's face, publicly."...
And then it all blew up:
The hack unfolded at the worst possible time for HBGary Federal. The company was trying to sell, hopefully for around $2 million, but the two best potential buyers started to drag their heels. "They want to see delivery on pipeline before paying those prices," [HBGary president Penny] Leavy wrote to Barr. "So initial payout is going to be lower with both companies I am talking with. That said our pipeline continues to drag out as customers are in no hurry to get things done quickly so if we dont sell soon and our customers dont come through soon we are going to have cash flow issues."And being blasted off the 'Net by Anonymous is practically the last thing a company in such a situation needs. After the attacks, Leavy told the Financial Times that they cost HBGary millions of dollars....
And who were Barr and his company up against in all this? According to Anonymous, a five-member team took down HBGary Federal and rootkit.com, in part through the very sort of social engineering Barr had tried to employ against Anonymous.
One of those five was allegedly a 16-year old girl, who "social engineered your admin jussi and got root to rootkit.com," one Anonymous member explained in IRC...
New York Times: Hackers Reveal Offers to Spy on Corporate Rivals. This is a good rundown of the whole situation; what I find most interesting is the correction appended to the later edition:
HB Gary Federal and HB Gary are two related companies that share some of the same owners and have shared the same offices as their California headquarters. But they are distinct entities. An earlier version of the story was not clear on this distinction.Hoovers.com, which provides detailed research on companies and their officers for sale or subscription, shows no company named HB Gary or HB Gary Federal. The limited information available for free (company names, addresses, type of company, some corporate officers' names and emails) includes two listings each for HBGary and HBGary Federal; none of the officers listed at any of them have the same names as anyone mentioned in any of the news reports or articles I've seen, online or off. It's possible that Hoovers' website hasn't been updated recently, though research-by-subscription sites tend to do their best to stay on top of all information. I may be wrong, but I'm under the impression that Hoovers is a standard reference used by government purchasing agents in connection with bids or contracts with private industry; that's what it was used for when I used to work in government. Perhaps a different source is considered authoritative now?
Salon.com: A disturbing threat against one of our own.
...But what the authors of the report meant when they plotted how Glenn and the others could be "disrupted" or "pushed" is as unclear as it is ominous -- and has us deeply concerned. The report was exposed by Anonymous, the pro-WikiLeaks hackers who went after the companies that dropped services to the whistle-blowing organization last year. Anonymous was apparently acting in retaliation to HBGary, whose head of security services, Aaron Barr, had earlier claimed to have infiltrated the Anonymous network. HBGary has since responded, claiming that "information currently in the public domain" from the leak "is not reliable because the perpetrators of this offense, or people working closely with them, have intentionally falsified certain data."
But the security firm Palantir wasted little time severing all relations with HBGary, with Palantir CEO Alex Karp issuing a statement saying that "I want to publicly apologize to progressive organizations in general, and Mr. Greenwald in particular, for any involvement that we may have had in these matters." Karp also reached out and apologized directly to Glenn.
We have no reason not to take the report seriously. As a result, I've asked both Hunton and Williams and Bank of America to explain any role they played and address whether HB Gary (or any of the firms) were being paid, or promised payment, for its development. I'll update this post when we hear their responses.
As bumbling as this whole saga sounds -- Internet security firm can't keep its shadowy dirty tricks campaign from being hacked -- what's outlined in these sets of proposals, as Glenn points out, "quite possibly constitutes serious crimes." And as it relates to Glenn and the others, it constitutes an unconscionable attempt to silence journalists doing their jobs. We'll continue to stay on this story until we get some real answers.
At the time I write this, Berico, its CEO Guy Filippelli and COO Nick Hallam have formally severed ties with HBGary and issued a statement (at the Salon link.) Bank of America spokesman Scott Silvestry denied seeing the presentation, denied engaging HBGary Federal, and denied interest in any practices "discussed in recent press reports involving HBGary Federal." Salon editor-in-chief Kerry Lauerman has not at this point received answers to her questions regarding the targeting of Glenn Greenwald.
USA Today: The US Chamber of Commerce has joined Bank of America in denying any ties to disinformation campaigns against Anonymous. This article describes the actual attack by Anonymous:
[Gregg] Housh [described earlier in the article as "a well-known activist and close observer of Anonymous"] emphasized that he does not participate in Anonymous' attacks, nor is he a spokesman for the hacking group, which may be best known for seeking revenge on corporations that attempted to cripple WikiLeaks.But Housh regularly hangs around public Internet Relay Chat rooms where Anonymous members are known to congregate. He was in such a chat room with about 100 others last weekend when the HBGary hack was hatched. So he had a ring side seat.
Housh says a 16- year-old girl who part of a team of five elite hackers that conducted the hack played a pivotal role. She tricked a systems administrator into giving her access deep inside the company's network by persuading the admin into letting her use a temporary password: changeme123.
The team then swooped in to quickly deface the company's website and destroy data and applications, including wiping out back-up programs. They broke into the company's Google Enterprise cloud-based e-mail service and spent several hours downloading e-mail from Barr and five other senior employees. The entire hack took about eight or nine hours, with most of that time spent downloading emails, estimates Housh.
About 50,000 of Barr's e-mails very quickly got released on the Internet. But roughly 27,000 e-mails from the account of HBGary co-founder Greg Hoglund were held in reserve.
Anonymous group members who did not participate in the hack, along with a handful of reporters, began poring through Barr's email....
And on Thursday, Feb. 10, Lee Fang, a reporter for ThinkProgress.org, published this story tying the U.S. Chamber to preparations for a $2 million dirty-tricks campaign to undermine non-profit and labor groups who oppose the chamber's lobbying missions on behalf of large corporations.
Barr's e-mails contained details of plans to create faked personas to try to infiltrate such groups. One tactic discussed was how to entice opponent groups to go public with the bogus documents smearing the chamber, then exposing the documents as erroneous.
Even more worrisome were plans to harvest and circulate sensitive and unflattering information about spouses and children of progressive group leaders, says ThinkProgress reporter Scott Keyes....
"It's important to note that the smears and disinformation plans only saw the light of day because these e-mails were leaked," says Keyes. "Otherwise all this stuff very likely would have ended up in the mainstream dialogue, without people realizing that this was a smear plot deliberately hatched by the U.S. Chamber of Commerce."
The e-mail revelations may not be over. Housh says Anonymous members late Friday were pushing ahead with plans to begin releasing Hoglund's e-mails -- on a user-friendly web page.
"So now they're working on a searchable, web-based interface that allows anyone to go through and categorize 27,000 more pieces of e-mail," says Housh. "They're saying very clearly that some of this next stuff to come out is worse. We'll see."
Firedoglake: Security Contractor HBGary Tries to Protect US from Anonymous, WikiLeaks This article considers possible implications of government connections with or consent to Barr's work for HBGary Federal, and asks relevant ethical and legal questions:
...HBGary and Palantir are partners. Palantir Technologies has been sought by the CIA, DHS and FBI to help government analysts “integrate unstructured open source information with data from various agency databases to analyze them for outstanding correlations and connections in an attempt to mitigate the burden of rummaging around through the immense amount of information available to them.” Either Palantir Technologies found the time to stop serving government and work with Hunton and Williams to help Bank of America stop WikiLeaks from releasing documents that might impact Bank of America operations, or, possibly the US government had given tacit approval to Palantir to participate in this operation.Berico Technologies worked with the National Security Agency (NSA) to invent technology that “made finding roadside-bomb makers easier and helped stanch the number of casualties from improvised explosive.” They also decided to participate in this initiative or, again, possibly someone in the US government suggested private corporations begin to go after WikiLeaks....
HBGary counts as an advisor Andy Purdy, who was a member of the White House staff team that helped to draft the U.S. National Strategy to Secure Cyberspace in 2003. He joined the Department of Homeland Security and served on “the tiger team that helped to form the National Cyber Security Division (NCSD) and the U.S. Computer Emergency Readiness Team (US-CERT).” He worked for three and a half years and spent the last two heading the NCSD and US-CERT as a “Cyber Czar.” With HBGary he is involved in an Anonymous style hacktivist attack.
For fiscal year 2011, the federal budget for homeland security will provide “$364 million to the Department of Homeland Security to support the operations of the National Cyber Security Division which protects Federal systems as well as continuing efforts under the Comprehensive National Cybersecurity Initiative to protect our information networks from the threat of attacks or disruptions.” Should companies engaged in this kind of conduct be allowed to take government money to fund their company’s operations, which are supposed to protect government cyber infrastructure?...
NetworkWorld: The Year Hacking Goes Mainstream. After summarizing the Story Thus Far:
...It seems HBGary was working with Bank of America on a plan to take down WikiLeaks -- and, strangely, CNN and Salon commentator Glenn Greenwald, whom it deemed instrumental to WikiLeaks' continued existence, along with a handful of other prominent journalists.HBGary was one of five firms allegedly involved in the discussion, along with law firm Hunton & Williams, data-gathering firms Palantir and Berico, and consultants Booz Allen Hamilton. Business Insider published the slides this group prepared for BofA. It's pretty chilling.
...That presentation [for Bank of America] suggests strategies such as sowing dissension within the WikiLeaks org, disinformation (submitting false documents to WikiLeaks in order to discredit it), cyber attacks against WikiLeaks' service providers, a media smear campaign, and "using social media to profile and identify risky behavior of [WikiLeaks] employees."
Does that last one sound like blackmail to you?
HBGary is trying to sell the idea that Anonymous falsified some of the documents, but I doubt anyone's buying it. Palantir has already publicly apologized to Greenwald and severed its ties with HBGary, which suggests the information contained in that leak is accurate.
To recap: A massive U.S. corporation is targeting whistleblowing websites and mainstream American journalists, with the help of several data/security/consulting firms with strong ties to the U.S. government. It sounds like the plot of a Hollywood summer blockbuster. It's not.
So tell me: Who are the white hats and who are the black hats here?
Fasten your seatbelts. It's going to get a lot more bumpy from here on out.
CSO Online: Lessons of the HBGary Hack This is a guest post by Nick Selby, who is "CEO of a stealth-mode technology start-up. He is a sworn law enforcement officer in Texas, and will speak at BSIdes San Francisco on February 14th about ways in which information security professionals can work with law enforcement.":
...Now, I don't know much about law enforcement, but I do think that, if you're planning, say, to serve a felony warrant, it's a bad idea to phone ahead and let the guy know you'll be by in 15 minutes. If?A good rule of thumb is that you don't tip your hand about the specifics of your work on any case for any reason. And drumming up business through publicizing your specific public service is as bad a reason as any.
Reasons for this fall into two categories. The first is that fighting crime is, you know, dangerous. Criminals generally engage in criminal enterprises for the money (few people have a driving passion to establish, say, an industry-leading counterfeiting ring for the societal benefit), and those who stand between criminals and their goal risk the ire of the criminals. This is not fair or just, but it is so.
Now, stating in a newspaper that you possess the secret identity of a criminal? This falls squarely into the category of "standing between a criminal and his goal." That's a tip, kids. Write it down. To paraphrase Wendy in A Fish Called Wanda, one only briefs the public on an upcoming law enforcement action if one is congenitally insane or irretrievably stupid....
One wonders whether these tactics might be useful to authoritarian governments interested in suppressing pro-democracy movements - they wouldn't care how many innocents got caught in the gears.
Posted by: RepubAnon | February 12, 2011 at 09:59 PM
I wonder if the invitation to Barr (as CogAnon) to participate was a subtle way of telling him he was busted, and maybe if he had picked up on that and left quietly, the excrement would not have have been tossed at the fan. This is a counter-factual, but I still wonder about it.
Posted by: liberal japonicus | February 12, 2011 at 10:22 PM
I doubt the accuracy of the "16 year old girl" claim, just on the basis that the phrase "16-year-old-girl" is something of a meme with these people. If this information came from Anonymous, then it's just their in-joke way of implying that the admin deserted his post in exchange for underage nude pictures.
Similarly, any statement from Anonymous containing the words "over 9000" should be taken with a grain of salt.
Posted by: Baf | February 13, 2011 at 12:56 AM
At the time I write this, Berico, its CEO Guy Filippelli and COO Nick Hallam have formally severed ties with HBGary and issued a statement (at the Salon link.) Bank of America spokesman Scott Silvestry denied seeing the presentation, denied engaging HBGary Federal, and denied interest in any practices "discussed in recent press reports involving HBGary Federal."
Where have I heard this before?
Posted by: russell | February 13, 2011 at 01:48 AM
Remember how we've spent decades with Baby Boomers whining about how they didn't get the scifi future they were promised as kids in the 50s and 60s? How all that moon-base, jet-pack stuff never came to pass?
Well... I grew up in the 80s, back when cyberpunk was the future. And, from the look of things, it just arrived.
Massive worldwide data network? Check.
Absurd corporate-owned government structure oppressing the citizenry behind a pleasant facade? Check.
Collectives of teenage quasi-anarchist hackers running amok? Check.
Yeah. Now, admittedly, the Asian Country Running The World (tm) will apparently be China and not the Japan as planned, but you have to make a certain number of allowances for these things....
Posted by: Anthony Damiani | February 13, 2011 at 04:28 AM
I grew up in the 80s, back when cyberpunk was the future. And, from the look of things, it just arrived.
Damn kids, you don't appreciate how hard we've worked to make your dystopian dreams come true...
Posted by: liberal japonicus | February 13, 2011 at 07:42 AM
If this information came from Anonymous, then it's just their in-joke way of implying that the admin deserted his post in exchange for underage nude pictures.
Baf, can you back this up with any evidence? That's a pretty serious presumption to be based on ... what? Do you have knowledge/experience of this occurring, or a link you could share in which this was a previous action of Anonymous?
Posted by: fiddler | February 13, 2011 at 03:35 PM
Nice series of stories. Thanks for sharing these.
Posted by: nous | February 13, 2011 at 08:56 PM
Like the whole Wikileaks thing, I'm super ambivalent about this. Barr is an ass, clearly. But on the other hand Anonymous isn't exactly covering itself with glory here. They seem to be taking it out on a company that goes well beyond Barr, and are insisting on the right to continuously disrupt their network presence unless they fire Barr.
What happens if they are ever wrong about anything? Do we just not care?
Posted by: Sebastian | February 13, 2011 at 09:01 PM
Do we just not care?
Yeah, I don't really care.
I mean, perfectly legitimate companies get hammered by international criminal gangs all the time and they have to deal with it. Barr and his associates were basically planning on defrauding the government and tarring random innocent people and were extraordinarily stupid. So I don't really care about them. And of all the problems that afflict serious companies on the internet, Anonymous just isn't a priority. Not at all. Not even a little bit.
Posted by: Turbulence | February 13, 2011 at 09:22 PM
"Do we just not care?
Yeah, I don't really care"
A little different,
I care about Anonymous, but not Barr. At some point they (Anonymous) will get po'd at someone who will have my money, then I will care a lot.
Posted by: Marty | February 13, 2011 at 09:26 PM
At some point they (Anonymous) will get po'd at someone who will have my money, then I will care a lot.
To be fair, they've gotten pissed off at Mastercard, Visa and Amazon. But that didn't matter because Anonymous has very limited capabilities when faced against technically sophisticated adversaries (which HBGary was not). Anonymous ran their little DDOS attacks against MC/Visa/Amazon but unlike real criminal gangs, they don't actually control a botnet, they're just some random guys with home network pipes and that's not much of a threat.
Posted by: Turbulence | February 13, 2011 at 09:36 PM
At some point they (Anonymous) will get po'd at someone who will have my money, then I will care a lot.
Conversely, at some point Barr, or someone quite a bit like Barr, might be the guy who has your money, and might piss it away through being an insufferable jerk.
There are some folks associated with HBGary who are having that experience right this very minute.
Posted by: russell | February 14, 2011 at 09:37 AM
True enough russell.
Posted by: Marty | February 14, 2011 at 09:43 AM
One thing related to this that I meant to write about when Wikileaks was getting kicked off/out of Amazon, BofA, Mastercard, etc. is the extent to which our lives are at the mercy of corporate "Terms of Service." The justification/fig leaf that all (or maybe most) of those companies used for severing their ties with Wikileaks was that the latter had violated their Terms of Service.
I don't think I've ever read the Terms of Service for anything I use online, now or ever. Amazon's ToS states "Amazon reserves the right to refuse service, terminate accounts, remove or edit content, or cancel orders in their sole discretion." I assume that other sites/services have similar rules, including what appears to have been cited in Wikileaks' case, that Wikileaks violated the site/service's ToS by "facilitating illegal activity."
Presumably the sites are primarily concerned with the illegal activity of the user with the account, here Wikileaks, but I think they're writtent broadly enough that if your use of the site facilitates the illegal activity of someone else you account can be canceled. Further, what is my recourse if Amazon cancels my account, or if an online pictures storage website does the same and deletes all my pictures or my online email account is canceled and deleted? My bank/Paypal account?
Suppose BofA decides it doesn't like the ACLU and goes about closing the accounts of members/donors,* and convinces Citibank, Wells Fargo, etc. to follow suit, what then?
Has this sort of "live by the ToS, die by the ToS" world always been around, or is this something new these days?
Just seems a little frightening.
*I assume that this may be harder for an FDIC insured bank to do with respect to basic checking accounts than, say, Amazon canceling your online account.
Posted by: Ugh | February 14, 2011 at 09:57 AM
Has this sort of "live by the ToS, die by the ToS" world always been around, or is this something new these days?
I think we've always had a form of this kind of social coercion: if you were supporting the civil rights movement in the 60s, in many towns I suspect that local businesses would decide that their ToS suddenly prohibited doing business with you.
It is a bit different now though in that the big productivity revolution involves outsourcing services like crazy. For MC/Visa, it is especially pernicious because they've locked up the whole market. Amazon's cloud offerings haven't reached that level of dominance yet, but moving off of them can be really hard given the lack of standardization in the infrastructure as a service market.
For places like Amazon, ToS are written entirely to their benefit rather than their customers. I can see the justification for a right of arbitrary termination with zero notice in the case of faulty or malicious applications that are damaging Amazon's network or clearly breaking the law, but in cases where that hasn't happened, I don't see why they can't settle for 'your service will be terminated in 30/90 days' model. Network integrity has become the excuse used to justify all sorts of things that have nothing to do with network integrity.
Posted by: Turbulence | February 14, 2011 at 10:37 AM
Outstanding blogging. Really good stuff.
Posted by: Jadegold | February 14, 2011 at 11:21 AM
Jadegold, nous, thank you! Ugh, I'd be very interested to read your views on Terms of Service contracts.
Posted by: fiddler | February 14, 2011 at 04:45 PM
Ugh, I'd be very interested to read your views on Terms of Service contracts.
Well, not sure I have much beyond what I worry/muse about above.
My general concerns are that it costs companies virtually nothing in the vast majority of cases to cancel an account or kick someone off their service. That they can do this for any reason or no reason. In contrast, it will cost the individual user in many cases much more time, money and effort to fight to be allowed to stay on the service after being kicked off.
Further, I worry about collusion among the big players to effectively strangle an individual's or group's ability to function in modern society. If your bank accounts and credit cards are canceled, along with your online email service and cable/internet/phone bundle, what can you do? It seems much more likely for this to happen today when it's relatively easy for big companies to shut such things off and also find out what other companies are doing with respect to a particular user or group. This is especially the case (and most worrisome) if the federal government is actively encouraging the big players to shut down someone the government doesn't like.
Anyway, I've been thinking about this since the Wikileaks case and after reading this article in which he is all "Hey! Put your stuff in the cloud, you'll never have to worry about computer viruses erasing you content again!" To which (one of) my first thoughts was "yeah, until whatever service you're using decides it doesn't like you and deletes all your stuff."
Posted by: Ugh | February 15, 2011 at 09:38 AM
Sebastian: "What happens if they are ever wrong about anything? Do we just not care? "
We've seen the US government sink to new lows, get caught, and get away with it. We've seen Wall St actually break the world financial system, and not only get away with it, but make a profit. With the GOP and the Tea Party, we're watching the people most responsible for this come right back into the game, blaming everybody but themselves - successfully.
Do you not care about that?
Posted by: Barry | February 15, 2011 at 02:32 PM
But I've read a lot, and rejected many, and I always read any that involve making use of my writing, because there's no way on earth I'm signing away some of the stuff that one is often asked to, and anyone who signs a legally binding document without reading it... I politely won't finish that sentence.
But I'll suggest that anyone who does that has no argument against what they agreed to.
Take a look -- well, this probably won't interest anyone who isn't a professional writer, or in publishing, but I offer the case of what BlogBurst tried to do.
Just for starters:
Yeah, like I really want to give up all rights to my own words "perpetually."That's rather a long time.
Josh Marshall's TPM, after it first went corporate, had a similar TOS that you had to click to agree to before you were allowed to comment.
No effing way, bub. You want my words? Pay me. Or I'll give you them free, and no rights. But don't shove a stick up my rear end, tell me I'm selling you all rights to my words in return for the thrill of you having ownership of them.
Other TOS have similar thefts. Don't wanna read them? Kewl.
Maybe we should make everyone who wants to comment on ObWi agree that they're committing to turning over $1k a month, and no one will read that, either.... :-)
As you may gather, I think signing legally binding agreements without reading them is... well, hey, if that works for you, it's not my business. Literally.
That I don't see anything wrong with. It's no different than a sign in the store saying we don't have to serve you if you're an assh*le.On the other hand:
It's no different than the posting rules here. Or saying that you reserve the right to not guarantee everyone in the world the right to show up with a bullhorn in your bedroom at 4 a.m. What's wrong with any of this?
Take your business elsewhere. I'm not seeing what's the objection here: does the Constitution demand that you provide services to other people against your will, other than as mandated by the 14th Amendment?What you're demanding is the right to slavery. If Amazon doesn't want to do business with you, why on earth should they be required to, so long as they're not discriminating against you by forbidden class? What's your objection to this? Do you feel other people should be required by law to have you serve them? I doubt it, but how can you have a law that says it only works one way, and not both ways? How would that be worded, exactly?
Jeepers, if you don't have redundancy, well, then, don't be surprised when you lose all your stuff! You have no recourse other than not expecting things to go wrong.Maybe you've never had stuff like that happen to you. You've lived a very very lucky life, in that case, is all I can say. What recourse do you have if your apartment building burns down with your stuff in it, and you have no insurance? You're SOL, that's your recourse.
This is news?
First of all, anti-trust law. Origin and scope of contract law: Yes, it's been around for rather a long time. Do you want to go back to Roman law, or the Bible, or Chinese history, or Ancient Greek, or Eqyptian, or take your choice.I expect it started with language.
I can't claim I've ever read every TOS I've agreed to, because I haven't.Posted by: Gary Farber | February 17, 2011 at 01:08 AM
Of course you use multiple back-ups! This is computer safety 101!
Why is this a problem? Do you keep all our money under your mattress and think that's safe?
If you want to keep your data safe of course you use multiple hard drives, a remote location, and multiple online back-ups. Duuuh!
How on earth else would you keep your data safe? Pray to the lord?
First, I've never had a credit card in my life, so not seeing the problem there. Second, last I looked, there were, again, thousands of choices. What you can do is pick several hundred. Um, what? There are thousands of uploading services! Tens of thousands! What kind of bleeding idiot would back their stuff up to only one?Posted by: Gary Farber | February 17, 2011 at 01:17 AM
Gary - thanks. I'm not sure I disagree with any of your individual points taken separately, though I'm not sure I'm in total agreement with:
and anyone who signs a legally binding document without reading it... I politely won't finish that sentence.
But I'll suggest that anyone who does that has no argument against what they agreed to.
Perhaps in a world where everyone had unlimited time and ability and there was a true "meeting of the minds" with respect to each and every contract then I would agree, but I don't think that's the world we live in, legally or otherwise.
In any event, I guess my general point is that many of these large businesses need to be treated as common carrier such that, yes, they MUST do business with you except in certain, limited defined circumstances that they do not get to set unilaterally. And also that it's very easy for them to just cut you off, without warning, for any reason or no reason, and easy for them to coordinate with other businesses (actually or tacitly) in a way that does not, e.g., violate antitrust laws.
Posted by: Ugh | February 17, 2011 at 09:54 AM
Um, what? There are thousands of uploading services! Tens of thousands! What kind of bleeding idiot would back their stuff up to only one?
In the case of Wikileaks, I think specificity destroys this argument. If you're running a small business or some sort of free service that is moderately complex from Amazon's infrastructure, you don't have thousands of alternatives. You have maybe two or three alternatives that are price-competitive with Amazon. I mean, there just aren't that many providers that can give you disk/cpu/bandwidth pay for what you use with distribution in multiple data centers at the price Amazon charges. Rackspace can do it. Google can do it with App Engine, kind of.
But switching to them isn't something you can just do at the drop of a hat; you need a fair bit of technical sophistication and time to make the transition because these sorts of services are not standardized at all. Alternatively, there are thousands of co-lo providers that can you can deploy anything to, but the service they are offering is much more low level than what Amazon/Rackspace/GAE offers. If you want to play that game, you have to spend a lot more money (system administrators don't work cheap). Again, you can do anything if you have an infinite pile of money.
First, I've never had a credit card in my life, so not seeing the problem there. Second, last I looked, there were, again, thousands of choices. What you can do is pick several hundred.
There are tens of thousands of credit cards, but only a small handful of issuers. The market has been locked up by two major providers. If Visa/MC decide that you can't have credit cards anymore, then you won't be able to get credit cards from anyone else. And without credit cards, paying for online services is really hard: you can pay by check, but that means that you get no service for a week or two or four.
Posted by: Turbulence | February 17, 2011 at 10:46 AM
Themis Applies JSOC Techniques to Citizens “Extorting” from Corporate Clients.
Etc.Posted by: Gary Farber | February 17, 2011 at 11:12 AM
Ugh:
True. I wasn't trying to imply we live in The Best of All Possible Worlds. Much should be done to improve things, and laws requiring plain but legal language are good, obfuscation is bad, TOS that you "agree" to by cutting plastic is bad, and so on.I just tend to cut to more root reform needed.
Posted by: Gary Farber | February 17, 2011 at 11:15 AM
Turbulence, also true. And because of my physical limitations, I do a lot of business with Amazon because I can't get out much, can carry less, have little time, and they're the best alternative in many circumstances; otherwise it's all trade-offs with physical pain in some way, including time. (And this morning, arthritis in hands really limiting typing, even.)
Pluses and minuses of capitalism, really.
Agree credit card companies need strict laws; some advances by last Congress and Obama good; more would be better. Watching the way the companies are squirming with weasel wording in boilerplate and ads is amusing, but still easy for them to fool those who don't know what's going on; their wording still makes it appear that you should opt-in to garbage, and basically there are limits to how much you can protect low-information people, but there's always room for improvement by law, while also needing to be careful about law of unintented consequences, laws passed drafted by lobbyists, badly worded laws, etc.
If only government led by vanguard of wise people like us were a good idea.... :-)
Posted by: Gary Farber | February 17, 2011 at 11:21 AM
But crucial point: debit cards work just like credit cards for most purposes, but without same catches. Of *course* I have debit cards. Don't cost anything, provide all services, just don't end up losing lots of money to charges, setting aside minor fact no one in right mind would give me credit. :-)
Nor would I want any credit, save to be able to rent habitation, or if I drove, etc. It's basically a scam, otherwise, unless you can afford to just toss money down rathole, or watch like hawk.
Posted by: Gary Farber | February 17, 2011 at 11:23 AM