Conference DEFCON 19. Anonymous and we. Part 2

Original author: Paul Roberts and others
  • Transfer
Conference DEFCON 19. Anonymous and we. Part 1

Joshua Corman: you know, I am not a supporter of mob justice, but I do not think that this approach should disappear. This is an important question. If we think that our industry is dysfunctional and not sure that we will be heard, then let's apply a more strategic and clever approach. If you do not create these three things, fear, insecurity and doubt, then you will never hear about us. If you use this practice, it will become exactly what happens to you.

I think that you may have more chances of chaos, which motivates stupid fear, this is a very focused thing, and the effect of its use can change the behavior of the target.

Jericho: and I will defend a fair mob, which in some cases suits me perfectly. If Anonymous accepts applications for "destruction", then we have a whole list of companies that threaten pentesters with legal prosecution, if they find a vulnerability or some kind of dramatic bypass of security systems, saying: "if you publish your research results, we will submit to take you to court. ”

There are TOP-10 companies that truly deserve to be punished in one way or another. The same goes for HBGary, who should be taught another similar lesson for threatening Barr with criminal prosecution simply for his desire to participate in our conversation. A statement about freedom of speech comes to my mind, but I do not know the exact quote. HBGary is no longer just a bunch of jerks who rushed to declare that they have nothing to do with it, this is all their branch of HBGary Federal, they also put all the blame for what happened on the director of this branch Aaron Barr, like, he is the main jerk. But excuse me - now, after Barr left the company, they turned around 180 ° and showed that they represent a much greater evil, trying to limit his freedom of speech. I will tell you what was in reality. Paul knows this - Aaron twice informed us of his intention to come here. The first time he said he would come, but first he had to talk about it with his new employer. He spoke with him, and he had nothing against Barr's speech at our conference. Then he contacted us and said that he was threatened from the place of his old job, and since he could not risk the welfare of his wife and children, he was forced to refuse to meet with us. Just keep this in mind so that you have a whole picture of what is happening. and since he cannot risk the welfare of his wife and children, he is forced to refuse to meet with us. Just keep this in mind so that you have a whole picture of what is happening. and since he cannot risk the welfare of his wife and children, he is forced to refuse to meet with us. Just keep this in mind so that you have a whole picture of what is happening.

Paul Roberts: I want to talk about HBGary in order to “thank” them for suing Aaron because of our discussion and would like to avoid it at all. You all know what unsightly facts about the activities of this company surfaced after Anonymous hacked them and published their letters. So we will definitely talk about it in order not to let HBGary shirk responsibility or prevent our discussion of what happened.

Let's return to our conversation. I was surprised that you see Anonymous as a tool for improving the industry. Regarding your ideas about the practice of self-righteousness, I note that someone from the audience told me yesterday - it's like films with Clint Eastwood, where he comes to the city and brings order there. You never know which city it will come to and where it will go to restore, or, more precisely, establish order, its version of order.
Joshua Corman: I recognize that this is happening, and it will not disappear anywhere. We have seen evidence that there is a split inside LulzSec, and when you do not have organizational principles, there is no mission, no goal, you just do shit, and this is the right way to self-destruct.

Paul Roberts: do you think the information that surfaced as a result of the attack on HBGary, including their dubious plans regarding Team Themis, Hunton & Williams and the Chamber of Commerce, confirmed that we, as a society, consider the attack an adequate response to transactions of this kind? And the second question: do any of you think that making such information public will reduce the number of such deals, which, as HBGary said, “are aimed at reducing the number of opposition groups”?

Baron von Aaarr: this has been happening in the private sector for a very long time. Intelligence for the private sector is a very big business. Even before the emergence of Z or Blackwater, many former intelligence officers went into the business, where they began to carry out for companies something like secret Black Ops operations inside and outside our country. This is nothing new, just this time someone caught their hand.

Jericho: I have a question for the audience. After all this HBGary saga, when we learned what they were doing and what they really were, who of you was surprised at what they did, offered to do and what ideas did they put forward? Type: "wow, I never heard companies do this!". I think I saw only one hand, which is good. Because, as Baron said, this is a multi-million dollar, if not billion, business. We just don’t know all the companies that did this because they didn’t get into the news.
They ask me why we listen to this guy if he does not want to show his face?
Baron von Aaarr: Should I Disguise?

Joshua Corman: Then consider yourself dead.

Jericho: judging by the reaction of the hall, we have two opposite opinions. Then the question arises: who listens to LulzSec, when they say that someone has been hacked, but at the same time do not publish any stolen information, and who believes Anonymous, when they report something like that?

Joshua Corman: I think we should not listen to the nonsense that he does not show a face, because it can be a federal, so let those who think that Baron should take off his mask raise their hands. Come on, be bolder! Just a couple of people?

Jericho: OK, now raise your hands to those who think the Baron should keep a disguise? Most in the room, great, I thought so!

Paul Roberts: these are those who are called the “selective population."

Jericho: In fact, this is a big question: why should someone reveal his identity if he is well versed in the subject matter and has relevant experience? Now that we have reached the middle of our conversation, I will say that we checked him, we know him, we know something about him and that he did something that we can’t say openly. We believe that he will make a useful contribution to our discussion, so we agree that he is present here as he sees fit.

Baron von Aaarr: I am a squirrel! (laughter in the hall). And I am in favor of speaking openly. I have never been closed, I am always open.

Jericho: great, now anyone in this room will see what kind of person was hiding under a mask!

Baron von Aaarr: I'm open, but I don't take pictures too often!

Jericho: Let those who know this man raise their hands! Four ... five ... six people!

Baron von Aaarr: we can assume that I am still in a mask!

Jericho: it confirms what I said: it does not matter whether there is a mask on a person or not. It really does not matter, it is important that this person strive to convey, it is important content.

Paul Roberts: can you introduce yourself to the public?

Baron von Aaarr: I’m known by the nickname Cryptiya, I have a WordPress blog, and I’ve been writing about LulzSec and Anonymous for quite a while, so they know who I am. I crossed the line and told them: “Do you want to make people stop doing bad things? Fine! Then do it right! ”. Stop doing this nonsense type of SQL injection and steal data of no importance. The last dump you stole contained a confidential, but absolutely non-secret SPU document that you can find on Google!

Learn your goal, find out what it does. In one of my last posts I wrote: look, real dirt comes from insiders! You know that you have Pentagon papers, you had Deep Throat, now also Manning's documents. You have knowledgeable people who have access to really very, very dirty things, who decide to tell the powerful truth and bring to light this important information. I saw the transcript of the Bradley Manning case and came to the conclusion that because of all the shit he went through, he became, to a certain extent, a mentally unbalanced person. It was a bad idea for him to become a military man, which he considered a matter of his life, because of this he was under tremendous pressure.

However, the publication of information about war crimes is very important because it brings the crap to the surface in the army, revealing what we don’t know. This makes sure that there is a lie in relations between the US and other countries, and we just have to deal with people we don’t like, such is the nature of the game. So if you want to find dirt, you will always find it and pass it on to the newspapers.

This is exactly what WikiLeaks wanted to do and do before they created the cult of Julian Assange very quickly.

Jericho: Yes, the publication of the 250,000 secret telegrams is really cool, but there was too much fuss over the publication of completely unimportant documents. It would be much better to choose from them the 50 most essential ones, which reveal the disgraceful essence of what is happening, or publish something like a “telegram of the day”. I do not deny the importance of this company, but I should focus on the largest production, on telegrams, which contain really terrible things that people should know about.

Baron von Aaarr: One key question: how do you know that this is real dirt, not misinformation?

Jericho: Indeed, we know how companies spread misinformation to trap LulzSec and Anonymous. We were fed a bunch of crap, and now we know about it.

Paul Roberts: Let's not let HBGary off the hook!

Joshua Corman: we feel powerless against this nameless faceless flash mob, because instead of focusing on a common enemy, we fight each other, because that's exactly what we can.

It's like the Streisand Effect - the more they seek to intimidate Aaron, the more they attract attention. 5 people approached me who said: “Try to guess who will be my next goal - HBGary”! I do not incite this, but people are already thinking about it.

Baron von Aaarr: and even pursue Ruffalo in a black hat to take a photo of someone disguised as Anonymous.

Paul Roberts: with an eye to everything that happened and taking into account what has been going on in big business for many years, I would like to ask if we should conclude that nothing really happened from Anonymous that would trigger HBGary and Aaron Barr to cross what the hell?

Jericho: Yes, I believe that HBGary and Aaron Barr crossed the line, but for business it is a common phenomenon, and so do dozens of companies. Many companies that do not even actively collect information and industrial intelligence still make ethical mistakes. The list of such crap can be turned on the screen page by page for 10 minutes in a row, and then only because we have no opportunity to devote more time to this occupation. If you build a real time line of activity of companies with which we cooperate, it turns out that all of them have done some dark things in the past, moreover, have done such things in the past 3 months.

Joshua Corman: Paul, you, as a person more connected with the press, can devote us to the details of the action plan that HBGary was going to propose to the Chamber of Commerce?
Paul Roberts: thanks to the Anonimus attack, it became known that HBGary sent a letter to the law firm Hunton & Williams suggesting how to destroy WikiLeaks by first throwing disinformation at them and then exposing them. This proposal was developed by HBGary together with analytical companies Palantir Technologies and Berico Technologies.
Since this Hunton & Williams also represented the interests of the Chamber of Commerce, HBGary offered them a strategy to destroy the US Chamber Watch group, which opposes the Chamber of Commerce. The operation was supposed to be carried out according to the type of FUD strategy, by “discrediting, bringing into confusion, shaming” this group, and then penetrating into it for the purpose of final destruction. The meaning of the proposal was based on the fact that the Chamber of Commerce is a fairly corrupt organization, and groups such as USCW, undermined the reputation of its members, highlighting corrupt deals.

HBGary was going to use for this purpose tools developed by Palantir and Berico, data from open sources, industrial intelligence. However, they are not the Ministry of Justice, and even if there was a violation of the RICO law, they still would not have the right to prosecute them. However, this was what they came to Aaron with and said that in order to carry out his plan, HBGary needed the help of the HBGary Federal company he headed.

Baron von Aaarr: I would like to remind you of the "October Surprise" and some of the things that Karl Rove revealed to society, that is, the case when a person from the government actually spoke out against the government.

Paul Roberts: I think, wasn’t the media mistaken about buying the interpretation of the content of these letters made by Anonymous? What feelings would we have if a progressive left-wing organization, “Prosperity Americans” and similar groups appeared on the spot of the US Chamber of Commerce? I mean, what were our feelings if we knew that behind these law firms are completely different people? Aaron always said that he would do it for any client he knows, of course, for the Chamber of Commerce, but he would have done the same for organizations like Greenpeace or PETA.

Baron von Aaarr: that is, he does not care about his clients.

Paul Roberts: Yes, it didn't matter to him who his client was. It was all about money, not dreams. So, the press was wrong?

Jericho: In general, I can answer: yes and no. You know, the press is a kind of muddy group, like Anonymous, I mean that some journalists tried to objectively investigate this matter, and some were only concerned about the sensational component of the incident.

Joshua Corman: I think Jericho is right, I mean that 60 minutes of our discussion is a sufficient informational reason that will fall on the front pages of investigative journalism. And personally, I fear that this will lead to various manipulations of public opinion, to the use of methods of social engineering, because the press is a powerful help for LulzSec or AntiSec.

I also saw that if you are trying to serve the press as a source of true anonymous information, then from a social engineering perspective it will not necessarily be used in the right way. I think that now in the press there is a certain asymmetric effect in favor of Anonymous, because the press does not have a filter, or it is not possible to use the best journalists to cover this issue, sifting everyone else in the media information space.

Paul Roberts: Do organizations, I mean not only the Chamber of Commerce, have the right to defend themselves from damage or illegal activities in the same way that states do? We are not going to say that the United States has the right to cyber attack, but do corporations have such a right?

Joshua Corman: this is why I am angry with HBGary and their lawyers seeking to remove Aaron from the stage, because he had a couple of really hot issues, a couple of really great moments and now finally had a chance to openly discuss what is legal in protecting your own interests. If someone physically invades my home or country, do I have the right to kill him?

We have practically no opportunity to fight off at least half, to conduct some kind of own investigations, because the legislation does not keep pace with real life. I like the power component of this particular case, because it put an edge to the question about the legality of the retaliatory strike. The absence of laws gives rise to ambiguity and, perhaps, if you consult with your “internal lawyer”, you can resolve this ambiguity at least for yourself. We can not resist these attacks, using only passive defense, otherwise we just hope ass.

Baron von Aaarr: other states have rules they created for corporations. They assigned corporations the status of a single physical entity that allows them to be treated as one person. Let's say all these cases that were recently considered in the Supreme Court. Suppose that someone hacked you as a physical person, and you hacked it and got caught in response. If you declare: “they attacked me, I attacked them in response — what is there?”, Trying to apply something like the virtual medieval law of Castle Low (“Doctrine of the fortress”), then it will not work. So I think - no, they have no right to do that.
Joshua Corman: Let's look at offensive countermeasures. They are not legal, but we could move from a clean defense to some kind of active actions if we had some kind of legal cover, some kind of legalization of retaliatory measures, allowing us to move a little further in security.

Paul Roberts: I will repeat for those who came later - we collect your questions in the A & Q room, I also view your questions on Twitter, you can use the tpanel hashtag and send me your questions. For now, let me ask you a question: do you think Anonymous protect us, stand up for us or, on the contrary, are we being terrorized?

I would like to ask the audience how they feel safe, expressing their critical attitude to Anonymous in a public blog or in the press, do they fear that this will lead to a response attack from Anonymous?

Joshua Corman: In short, are you sure that you are not putting your penis in the hornet's nest?
Paul Roberts: Exactly. By security, I mean that you will not worry about revenge.

Jericho: It's not about whether you will express your respect for them or not. Just to discuss the actions of Anonymous or LulzSec need to be approached with healthy criticism. That is, it should be noted that in general they are doing something good, but it would be worthwhile to improve, and to use a different approach to this. In this case, constructive criticism takes place, for which you will not be attacked. Let me give you an example: LulzSec retweeted one of my articles, saying: “look how well everything is written here”!

Although many people say that they are just wild, crazy kids, but Anonymous and LulzSec are aware that what they do can be done better, and you know that they are not going to lash out at anyone who calls on other people to exercise towards them aggression or talking nonsense about them.

Joshua Corman: I don’t say that we don’t have to do this at all, I’m saying that there is a real opportunity to do a lot of good things if you manage your power properly. If you bluntly and rudely, it will cause in response those things that we do not want. Because it is a complex and interconnected system of relationships, and if you poke into some place, something will definitely happen. The question is whether this act will cause a positive reaction or turn into evil. I'm not talking about how to destroy Anonymous, but how to make them better.

Paul Roberts: I did not ask this question because I wrote critically about Anonymous myself and was attacked for it, and I think that many journalists can confirm the same thing. I asked a question because I am interested in your opinion on this matter.

Jericho: here we are asked about the documentary about Anonymous, which was financed by the state, and I can repeat it again - journalists can say really stupid things, because such is journalistic work.

Paul Roberts: they tell me from the audience that we are aware of at least two news agencies that have been attacked by Anonymous. It's like a joke about Armenians, when the news reports that just two people of Armenian nationality were attacked, and, as it turned out, one Armenian was injured, and the other one who attacked him. So, I still think that we should not worry about the Anonymous retaliatory attacks simply because we are trying to objectively present our point of view or to understand the true picture of what is happening.

Well, this is where our discussion is over, thanks to everyone who came here, and now you can go to our room of questions and answers.

Thank you for staying with us. Do you like our articles? Want to see more interesting materials? Support us by placing an order or recommending to friends, 30% discount for Habr users on a unique analogue of the entry-level servers that we invented for you: The whole truth about VPS (KVM) E5-2650 v4 (6 Cores) 10GB DDR4 240GB SSD 1Gbps from $ 20 or how to share the server? (Options are available with RAID1 and RAID10, up to 24 cores and up to 40GB DDR4).

VPS (KVM) E5-2650 v4 (6 Cores) 10GB DDR4 240GB SSD 1Gbps until spring for free if you pay for a period of six months, you can order here .

Dell R730xd 2 times cheaper? Only we have 2 x Intel Dodeca-Core Xeon E5-2650v4 128GB DDR4 6x480GB SSD 1Gbps 100 TV from $ 249in the Netherlands and the USA! Read about How to build an infrastructure building. class c using servers Dell R730xd E5-2650 v4 worth 9000 euros for a penny?

Also popular now: