Anonymous versus HBGary

I don’t think the HBGary story has had the amount of attention it deserves from the mainstream.

It’s worth reading just as drama: Security researcher takes on the “Anonymous” hacker group, and loses so spectacularly it almost defies description.

It’s important for what it says about any organisation’s IT choices and their security implications. HBGary used Google Apps. Cloud services are enormously convenient, particularly for an organisation that does not really have a physical “home”, but using them means losing perimeter security altogether.

Perimeter security has a bad name, because in the old days it was all there was, and today it is not enough. But the things that are possible even if you try to protect your perimeter are much easier if you don’t even have one.

A basic IT risk assessment question for anybody is, “how much damage can an attacker do with one password?”. With one password, Anonymous downloaded all of HBGary’s corporate email from Google and posted it on the internet. They did more than that — the highlight for security commentators was the social-engineering attack on rootkit.org via a Nokia engineer — but the email was enough by itself, as well as enabling the other attacks. They got the email admin password from an ad-hoc CMS with a SQL-injection vulnerability, as it happens, but if your whole company can be destroyed with one password then you’re doing it wrong. (Damn, it’s so hard to avoid lapsing into dialect on this story).

And the third interesting angle is what is to be found in the data Anonymous posted. The company was proposing to feed fake data to WikiLeaks to discredit it, and to pressure journalists who defended WikiLeaks. There is chatter about government involvement in this, but I haven’t seen that actually substantiated. It may be in there somewhere. The HBGary Federal projects aimed at government clients seem to be standard network monitoring / intrusion detection stuff.

In case anyone gets confused, I’m not here to defend Anonymous, or for that matter to attack them. They exist. If they get caught they’ll get the book thrown at them, which is understandable, but I’m more interested in what the world looks like with them in it. Whereas Assange attempts to define his aims, and appeals for support, Anonymous claim only to be “in it for the lulz”, which is not open to disputation.

Update: Intriguing piece on HBGary government work on rootkits and penetration tools. In principle this should be verifiable from the email dumps, but I haven’t checked.

Cable and the Cables

I can’t help thinking that the Vince Cable story is a knock-on effect of Wikileaks.

The biggest effect of wikileaks may not be either the secrets that it tells, or even the fear of the secrets it may yet tell. It may be the secrets that others tell, because of the feeling, “when all that is already in the newspapers, why am I keeping X a secret?”

Is it a breach of confidence to secretly record what an MP tells a “constituent” that he has never met? It’s pretty thin… it is just a politician talking to a voter with no extra qualification; if he tells one voter something, what right does he have to keep it secret from other voters? But nobody did it before.

And, of course, the current story is based not just on the Telegraph’s secret recording, but on a leak of that recording — the Telegraph, perhaps for business reasons, chose not to reveal Cable’s claim to have “declared war on Murdoch”. So someone at the Telegraph leaked it to the BBC.

I rather suspect that norms as to what is publishable and what isn’t have changed suddenly.

Assange's Theory

I came across a link to a couple of articles by Julian Assange (from late 2006) detailing his motivation (via zunguzungu):

They don’t amount to much. He opens, promisingly, “Firstly we must understand what aspect of government or neocorporatist behavior we wish to change or remove. Secondly we must develop a way of thinking about this behavior that is strong enough carry us through the mire of politically distorted language, and into a position of clarity. Finally must use these insights to inspire within us and others a course of ennobling, and effective action.”

He goes on to completely skip over the first two requirements. His very next words are: “Authoritarian power is maintained by conspiracy”, and the rest of the two papers covers nothing but how to take apart the conspiracy of government. There is zero discussion of what “Authoritarian power” is, and why we dislike it, or “what aspect of … behavior we wish to change or remove”. Which is rather a shame. It’s all means, no ends.

The means, taking apart a government or other conspiracy by breaking the links of trust between elements, should work, and seems to be working, indeed. But what the ends are still eludes me – the word “authoritarian” means less to me than most other elements of unfamiliar theology. The natural consequence of the wikileaks style of attack would seem to be to produce networks with fewer and stronger links. I suspect that would be a good thing, but I have no idea whether Assange would consider it less “authoritarian”.

He does say that “The more secretive or unjust an organization is, the more leaks induce fear and paranoia in its leadership and planning coterie”. It’s not clear whether that’s put forward as a hypothesis or as an axiom: as a hypothesis, it’s plausible but there are arguments to the contrary.

The real weakness in the analysis is the claim that “Conspiracies are cognitive devices”. They are a lot more than that. Modern governments do not include so many hundreds of thousands in their conspiracies merely to enhance their information. Conspiracies gather power, and then they bring power to bear. By cutting off the extremities of the conspiracy, Assange is depriving it of some information, but that seems secondary; mostly he is reducing the reach of the conspiracy, both to gather power (for instance from allied governments) and to bring it to bear (for instance through distantly-deployed armies). The surviving conspiracy will have less total power at its command, which might be the point, but it will at the same time be constrained to use that power in a more concentrated direction.

More crucially, if it can no longer rely on power gathered from its periphery, the conspiracy will have nothing to offer the periphery. After all, the claim of (here it comes) democracy is that we are all part of the conspiracy – we are consulted, we exert influence, we communicate through our representatives. These are the weakest links that will be severed first.

So, I’m not here to criticise Assange’s actions – only his writing. I might be on his side, if I knew what side he was on.