Conference DEFCON 19. Anonymous and we. Part 1

Original author: Paul Roberts and others
  • Transfer
You see the phrase “Who Fights the Monsters” on the screen, and I am the moderator of this presentation, Paul Roberts, editor of, a computer security news portal. We have a large group of speakers, which I will introduce in a couple of seconds, but for now I’ll tell you about the main rules of our discussion. We also have slides that relate to what each discussion participant will tell.

After the speech, we are going to answer questions, but we have only an hour, so I ask you to take notes with questions out at that door, there we will have a Q & A question and answer room, and then your questions will be passed on to the speakers.

So, I'm Paul Roberts, presenting to you the story of the well-known Anonymous and Aaron Barr, an employee of the HBGary company, who stated that he identified the leaders of this hacker group, after which Anonymous attacked the company's servers. Our portal, like many others, covered this story.

I am personally acquainted with Aaron, he addressed me after I wrote an editorial entitled “Win ​​the war, but lose my soul” (the current link to soul-022211/74958 ).

This article was written during the annual RSA security conference this February. If you remember, HBGary was hacked literally at the last minute of this conference, and soon Aaron turned to our editorial office. You can find this information in google.

Probably, I was one of the few journalists who expressed their sincere sympathy to Aaron about the fact that he had to endure as a result of the Anonymous attack, and as you know, we were all wrong! Most of us do not have our own Stephen Colbert, who would ridicule our mistakes, which, unfortunately, Aaaron could do for him. Therefore, Joshua and I thought that speaking at Defcon was a great chance to return, as I had hoped, with this case to Aaron and find out what happened then. To be honest, Aaron also really wanted to take part in our discussion, but HBGary lawyers put an end to this plan. They contacted Aaron and threatened him with a lawsuit that if he agreed to participate in today's conversation, they would inform his new employers about it and generally try to ruin his life.

Aaron is a guy who has a wife, children, a mortgage, and we know how such threats work, so Aaron was forced to refuse to participate in our conversation. However, before the start of the discussion, I still want to express my favor to him for the fact that he, at least, had the courage to accept our proposal, and if it were not for the onslaught of the lawyers, he would certainly have come here.
So let me introduce the members of our group. The one on my left is Joshua Corman, he is the director of the Akamai Corporation Security Service.

If you have plans to attack him, just in case, I will say that he also heads the practical security unit in the regional group Defcon 451. His group has existed for more than ten years, and Joshua himself has vast experience in providing network security and software development, being also the chief strategist of IBM's Internet security systems.
Jericho is sitting to his right, he has been involved in hacker security for about 18 years, of which 12 have accounted for the formation of such valuable skills as healthy skepticism and tolerance to drinking. This year, he tested how a hacker could deal with security. This is a great prospect for creating negative feedback on the work of any security system. Jericho is a great specialist in this matter and today we will talk about it.

He thinks that the very idea of ​​some kind of progressive thinking is outdated, because a person must think all the time. No degree, no certificate, he does not want to talk about himself and remains the champion of good faith in security. “Fair and balanced” is the motto of an incomprehensible little creature posted on the main page of his website

Baron von Aaarr sits to the right of Jericho. He has been a security professional for 13 years and has collaborated with IT companies such as IBM. Baron is involved in incident response systems, computer forensics and security audit of a leading aerospace company.

His expertise includes pentesting ethics, social engineering, information security audits, open source systems research, and the like.

On the screen you see a list of the participants in our discussion and their Twitter accounts. And now I hand over the word Jericho.

Jericho: please raise your hands to those who do not consider themselves a jerk. I see only one hand! Leave the hall, we do not need cheaters here! Now let those who do not benefit from their work in the field of security raise their hands. Great, someone raised their hand. Finally, let those who are familiar with the background story of HBGary, or at least a half of the Anonymous saga, raise their hands. One hand is probably another deceiver! So, none of you are going to admit that you are working in HBGary?

Paul Roberts: or HBGary Federal, these are different companies!
Jericho: Yes, I know that these are different companies.
Voice from the audience: I have an email address for this company!
Jericho: are they paying you?
Voice from the audience: no, they do not pay!
Paul Roberts: probably this email address was created just in February!

Jericho: well, that narrows the search, there is already one member in our group Anonymous. So, think about my questions, because if you honestly raised your hand, answering at least one of them, you can safely get out of this audience. Because the task of our group is to objectively consider the position of both parties and the accusations made against Aaron, since there was too much criticism in this case, but at the same time we forgot to look at ourselves and admit that we ourselves are half way to becoming monsters.

Joshua Corman: on this slide you see information for those who do not know our philosophy - the one who does not fight monsters does not necessarily become one of them. In this sense, I observe cognitive dissonance in the behavior of those who want to join the NonOps group and the Fortune 50 guys who want to fight them. I think it is useless to talk about all these white, gray and black hats, clearing the dungeons Dungeons & Dragons.

This is not just a struggle between good and evil. I mean, some people represent Aaron as a kind of Robin Hood, a good Arab spring that liberated the oppressed. Others see him as an evil Joker who dreams of burning the whole world. You know, when we tried to find out the truth, our conversation did not move forward, assuming a chaotic character, because we wanted to give an objective assessment of the incident without labeling good and evil. Most of all we were confused by the romanticization of the positive aspects of his act, but at the same time we were not fully aware of the roles that we would like to play ourselves. I think the point of Paul’s article is that fighting monsters like Aaron did, we lose a piece of our own soul. Aaron is the living embodiment of how you can break your personal ethics by committing such actions. Because of this, we do not control the situation, but rather We fall prey to the circumstances we have provoked. Therefore, trying to understand this conflict, think about how you would behave when you were in the position of one or the other side. Try on the roles of both parties to the conflict, because in the pursuit of improved security, we can get to something even worse than the 2001 Patriot Act.

We can force influential, but not informed people to make powerful, but ill-considered steps.

Jericho: and pretty quickly, and Aaron probably didn't take that into account. You see these boxes with hats, and if none of these hats are right for you, try to find one of the other six cells for yourself. Baron, what do you think about this?

Baron von Aaarr: I am in the middle of all this, because on the one hand there is a government, special services and other organizations involved in such activities, especially Aaron’s company, and on the other hand, people who began to disclose how the authorities misinform people gather personal information and the like. Aaron just crossed the line, telling his company or a law firm that is ready to pursue people in a way that even the CIA does not allow itself.

One of Anonymous also crossed this line, trying on Black Hat, but as Jericho said, all of us are Gray Hats. One person is a terrorist, another person is a freedom fighter, and you need to know what place you yourself are in order not to be trapped in a vice.
Paul Roberts: thanks, those were good thoughts. I think you first need to ask the question of who these Anonymous are and where they come from.

Joshua Corman: I will take a hit on myself and express the opinion that several people from this group are present in this room, and maybe even on this stage. This is not just a group, and we all know about it; it’s like a fashion brand, like a franchise. I mean some people who decided to call it that because they are doing something like the “Arab Spring” at the local level, something like the anonymous PostSecret project. This is a way to do something without fear of being caught, maybe as a whistleblower, and such people can form a very valuable part of our culture. I think that this is a kind of hijacking of ideas from small groups, and now it can either act in favor of society, or pose a threat to it, depending on who you are. Personally, I’m very disappointed if you really think you can improve security,

What the Fortune 50 did with Cisco in no way made security better and did not increase it.

Jericho: wait, do you want to say that the coverage of failures and vulnerabilities does not contribute to improving security?

Joshua Corman: No, no, let's look at it from another point of view. I mean that any intervention will have an effect, another thing that often is not the effect we want to achieve. I do not want these processes to create chaos, but I do not want to eliminate those who do, just let us somehow organize our game. Why not direct LulzSec activity, for example, to sites that exploit children, or why people don’t bother to discover jihadi sites. We have the opportunity to cause not just chaos, but cause purposeful chaos, so to speak.

But if in reality we feel powerless over the fact that PCI-hijacking has seized our industry, if in reality we don’t know how to do our work responsibly, because management doesn’t want to listen to us, then there could be more constructive ways others.

Baron von Aaarr: I think they came up with this after they first said that they just wanted to crack these things in order to give some legitimacy to their actions. They wanted to catch someone, which would then sue him, saying, “We did it because we believed in it.” I do not believe that this is the point. I think that this practice is widespread up to the highest state level, therefore we have actors in many countries that attack various things, and they can fulfill the role of red blood cells, who work within other government intelligence groups, because they are Anonymous !

Jericho: I do not agree with this definition. I mean that we, working in this industry for quite a long time, 40 to 80 hours a week, beat our heads against the wall, because we are not listened to. How many of us have gone through the fact that the result of our work can cause physical changes in the detected problem only after, say, 15 years? At the same time, every six months we come back, recheck the results of our pentesting and see that absolutely nothing has been fixed! They did not fix remote services, did not clean the software, they did nothing of what we recommended them to do. So maybe now it is the turn of Anonymous or LulzSec to take on these companies, to “bend” them thereby to awaken from hibernation? (audience laughter)

Baron von Aaarr: I agree that Anonymous could act as a business model. I would agree that there is a need for this, but I think that even after this the bosses of the companies will simply return to their somnambulism, to games with their iPads and other new toys, while continuing to ignore the security policy, thinking: “this does not concern me, because I belong to the level "C". So no matter how frightened they are, they will still return to the old unfit pattern of behavior, and nothing will change.

Joshua Corman: I absolutely do not think that hacker attacks can serve as an opportunity to somehow change the existing situation in favor of strengthening security. I saw the reaction of the victims of the LulzSec attacks and I assure you that this did not make them smarter. This is my point of view, but I think that there is an opportunity here to initiate another conversation in order to move things forward. Instead of just standing still for 15 years, until our work takes effect. I just do not see such messages reach their goals. Look at Sony. Its leadership believes that the earthquake caused them much more damage and financial damage than hacker attacks - if I'm not mistaken, there were 23 attacks on Sony on the Jericho website.

Let's just think about temporary changes - we have moved from unmotivated and ignorant chaotic behavior of the actors to their conscious and motivated actions, but at the same time, we have simply simply moved from the inaction of one kind to the inaction of another kind. In fact, I'm very sorry for Sony. Yes, we have shown vulnerability in its security systems, however, it is impossible to compare losses from an earthquake with losses from attacks, and I am afraid that powerful, but ignorant leaders will find the losses of the latter kind quite acceptable. I do not say “do not do this”, I just think that there are many aspects that allow us to direct these events in the right direction, because if this serves as another reason to ignore our entire industry, it means we screwed up.
Jericho: you say that companies are not learning anything, but as an example, I’ll say that after LulzSec was “hacked” by Sony in not very sophisticated ways, they immediately dismissed all Internet security personnel. So they study well, but it may be that someone in their own security service was Black Hat. If they had all this security staff who didn’t care, it was possible that this person decided to provoke such a situation so that they would understand what they would be worth neglecting the safety recommendations?

Joshua Corman: maybe it makes sense to attract people like me, for example, to the press, to control the situation in this area? Because what Anonymous and LulzSec could do with Sony is a good lesson. I try not to focus on how they did it, nobody cares that there are a million ways to do this.

If you ignore Pentester, who discovered the vulnerability of your platform, then you should be ready for what you have "will have". I believe that if you don’t try to understand what is behind what is happening, then these actions will have even more negative consequences for you, so I just hope that such attacks will be able to teach the company something.

Paul Roberts: I think you know that hacktivism has a long history, just look at the Electronic Disturbance Theater group, founded in 1997, a whole legion of underground groups that call themselves the Cult of Dead Cow federation, the “Cult of a Dead Cow” and so on. You know that many hacktivist incidents, and this is documented, were provoked by political reasons, such as the struggle for human rights. I think that Joshua meant it when he talked about creating a better “Anonymus”. I just want us to try to find some kind of connecting link, similarities between hacktivist operations in Tunisia and Egypt, attacks on Sony, anonymous attack Anonymous on HBGary and the activities of pentesters, so that we try to figure out what binds us together and what we can to do.

Baron von Aaarr: I would like to go back a little. It is not by chance that insurance against hacking is becoming more expensive. Many companies, in particular, I heard about it yesterday, but I will not mention the names, fired a bunch of people from the security service and bought insurance against hacking.
Jericho: I'll pay you $ 100 right now if you call them!

Baron von Aaarr: no, thanks!

Paul Roberts: Who among those present in this audience has a burglary insurance? Baron von Aaarr: let's go back to your question, did I forget how it sounded?

Paul Roberts: he referred to the fact that historically hacktivism was ideologically motivated, whether it was opposition to China and support for Myanmar or speaking out against the Republican Party, bless her Lord. But if you look at Anonymous or LulzSec, then it is quite difficult to understand what they are trying to convey to society through their activities. The operations of hacktivists in Tunisia and Egypt looked unequivocal, and it was clear what they were trying to prove, but in the cases with Sony and HBGary I did not understand what they were trying to achieve.
Baron von Aaarr: I would say that in the genesis of Anonymous there was a struggle against Scientology. They had people involved in Scientology, they had friends, there were families who supported this trend, and the beginning of Anonymous’s activities was the creation of websites criticizing the Church of Scientologists. They fought a giant who had a lot of money and a lot of lawyers. They tried to organize a real “Arab spring”, they tried to do something good and to resist the attacks on the Internet. But when the “Anonymus” movement started branching on AntiSec, LulzSec and everything that arose right before HBGary, it became clear that this is something completely different. And I am sure that their motivation to launch an attack was that Aaron spoke about them publicly in the news, which destroyed their anonymity, and it was for this that they punished him. His fault is that the truth about what they were doing was going out. But after that, LulzSec began to look like they had lost a specific goal - now they just attack the police in Phoenix, Arizona, because they don’t like the local immigration laws.

I don’t like it either, but law enforcement officers who are obliged to obey laws adopted by the legislature and who have no leverage over laws other than their own voter’s voice do not deserve to be endangered. They say that the CIS list was recently published, I haven’t seen it yet, but people inside it may also be in danger because their names are known as CIS.
Joshua Corman: I know that there are many practitioners in this audience who want to change things in their favor. We work hard every day to make sure that we can fulfill our mission, but when such demonstrative, noisy, well-known attacks occur, everyone’s attention is turned to them

I don’t give a damn about the fact that they stole a bunch of credit card numbers, but I know that this fact has very few negative consequences compared to the consequences of the theft of intellectual property, which cannot be replenished. In fact, it distracts us from our main mission, just as PCI distracts us from the main mission, because our managers are distracted from risk management in taking care of protecting the standard of payment cards. And the consequence of factors distracting from risk management are noisy DDoS attacks that threaten entire organizations and lead to layoffs, the loss of these irreplaceable assets.

So now we have a new noisy thing that distracts us from the true mission. We all know about groups that reveal the exploitation of children. None of us likes the exploitation of children, and we know that there are bad people doing bad things, this is the specifics of the Internet. However, they can be fought in a less defiant way.
Let those who do not like the tactics of manipulating the FUD consumer demand in our industry raise their hands. After all, surely someone came across a supplier of products that was complete shit.

As you know, there are three components FUD - Fear, Uncertainty, Doubt, fear, uncertainty and doubt that can cause the same effect that the three-tier DDoS attack or DDoS campaign causes, so that we will be able to keep vendors from spreading crap, spreading among they are fear, insecurity and doubt.
Jericho: in short, Anonymous should develop a menu, for example, a two-day DDoS attack against unscrupulous vendors.

24:55 min

Conference DEFCON 19. Anonymous and we. Part 2

Thank you for staying with us. Do you like our articles? Want to see more interesting materials? Support us by placing an order or recommending to friends, 30% discount for Habr's users on a unique analogue of the entry-level servers that we invented for you: The whole truth about VPS (KVM) E5-2650 v4 (6 Cores) 10GB DDR4 240GB SSD 1Gbps from $ 20 or how to share the server? (Options are available with RAID1 and RAID10, up to 24 cores and up to 40GB DDR4).

VPS (KVM) E5-2650 v4 (6 Cores) 10GB DDR4 240GB SSD 1Gbps until spring for free if you pay for a period of six months, you can order here .

Dell R730xd 2 times cheaper? Only we have 2 x Intel Dodeca-Core Xeon E5-2650v4 128GB DDR4 6x480GB SSD 1Gbps 100 TV from $ 249in the Netherlands and the USA! Read about How to build an infrastructure building. class c using servers Dell R730xd E5-2650 v4 worth 9000 euros for a penny?

Also popular now: