To me, the real story on HBGary Federal is the ease with which the security consultancy was hacked and exposed. The company's sinister proposals -- using fake documents to attack enemies of the Chamber of Commerce, outing members of Anonymous, and targeting Glenn Greenwald's career -- seem all the more craven and stark against the incredible incompetence of HBGary executive staff. Peter Bright interviewed members of Anonymous, the hacktivist social network behind WikiLeaks, for Ars Technica:
When Barr told one of those he believed to be an Anonymous ringleader about his forthcoming exposé, the Anonymous response was swift and humiliating. HBGary's servers were broken into, its e-mails pillaged and published to the world, its data destroyed, and its website defaced. As an added bonus, a second site owned and operated by Greg Hoglund, owner of HBGary, was taken offline and the user registration database published.
Alas, two HBGary Federal employees—CEO Aaron Barr and COO Ted Vera—used passwords that were very simple; each was just six lower case letters and two numbers. Such simple combinations are likely to be found in any respectable rainbow table, and so it was that their passwords were trivially compromised. (Emphasis mine)
That's an Alabama ass-whoopin', and it means we can stop paying hyper-attention to Julian Assange and Bradley Manning. Both are less important, interesting, or consequential than Anonymous. WikiLeaks is not a person; it is a network, and one whose members see themselves as the Alderaan Death Legion of internet freedom.
It is not an exaggeration to say that Anonymous is well-armed for virtual warfare. During "brute force" DDoS (Distributed Denial of Service) attacks, Anonymous uses a botnet weapon called "Low Orbit Ion Cannon" (LOIC):
The idea behind LOIC is that it can allow you to participate in attacks even if you’ve no clue how to hack. Just download a copy of LOIC (available for Windows, Mac, and Linux!), punch in the target information like a URL or an IP address and zap. (Emphasis mine)
The WikiLeaks website has proven amorphous and impossible to kill, spreading itself farther out into the internet with each attack -- and replying in kind. PayPal, Visa, MasterCard, and Amazon have each paid a price for their cooperation against WikiLeaks when Anonymous trained LOIC on their websites and fired for effect.
Note that LOIC is a free download. Targeting consists of typing or pasting a site's URL. The trigger is a mouse click. Of course, any download from 4chan is a dubious proposition; I am not advising or inviting readers to participate in hacktivism -- you are warned. But such acts of resistance are so simple, so democratic in origin, that they are impossible to stop. You can arrest Julian Assange if you want; it makes no difference to Anonymous. At the height of last December's DDoS attacks, the Guardian talked to
(a) 22-year-old spokesman, who wished to be known only as “Coldblood”, (who) told the Guardian that the group – which is about a thousand strong – is “quite a loose band of people who share the same kind of ideals” and wish to be a force for “chaotic good”.
There is no real command structure in the group, the London-based spokesman said, while most of its members are teenagers who are “trying to make an impact on what happens with the limited knowledge they have”. But others are parents, IT professionals and people who happen to have time – and resources – on their hands. (Emphasis mine)
In other words, this snake has no head. It isn't even a snake; Anonymous is more like a cloud. Except to invite the pantsing his firm received from nerdy Dungeons and Dragons enthusiasts*, Aaron Barr's threat was pointless. If it seems like you've watched this movie, that's because you have: the first virtual conflict of state and non-state to gain worldwide attention follows a script only fanboys could love.
I am not sure anyone in the White House gets this. No longer free to surf the internet on his BlackBerry, the president resides in a purpose-built bubble. As I imagine the scenario, uniforms and suits told the president that WikiLeaks was a threat to American security; at no time did anyone say, "Mr. President, the Anonymous hacktivists have a low-orbit ion cannon." Knowing little about DDoS attacks and even less about Anonymous, the president authorized action without realizing that he had effectively declared war on the internet. All the rest of this story follows from that beginning, though the virtual ion cannon 'casualties' have so far not included a single federal agency.
It is a truism among progressives that "War is a Lie," to quote the book title by David Swanson. As far as state-on-state conflict goes, Swanson is certainly correct, though I would counter that mankind has been practicing homicidal conflict since before there were states. War is a cultural phenomenon, too (the "Lethal Custom," as Gwynne Dyer calls it), and we could have no better example than the WikiLeaks story. It is a virtual fight between a culture of crusading coders and a culture of power and secrecy.
Indeed, said culture is larger than one man, or even one organization. HBGary, a firm with deep federal ties, proposed attacks on WikiLeaks to Bank of America, which is still facing an eventual release of CEO emails by WikiLeaks. Dating from the bailout period, when BOA swallowed Countrywide and Merrill Lynch, those documents may prove very consequential -- even criminal. They may reveal how the bank came to be sued by the Attorneys General of all 50 states over fraudulent foreclosures, for instance. Little wonder the bank is afraid; and in a classic turn, HBGary saw an opportunity to capitalize on their fear.
Maybe everyone in this story deserves what they're getting? Maybe the sound you hear is oligarchy screaming?
* Full disclosure: my half-ogre paladin will smite unbelievers with his +5 Holy Avenger maul so be careful what you say about him in the comments.