07 Feb 11

HBGary Federal Hacked by Anonymous

A company that is helping the federal government track down cyberactivists who have been attacking businesses that refused to support Wikileaks has itself been hacked by the very same activists.

At the center of the storm is a leaderless and anarchic Internet group called Anonymous, which more recently has been coordinating attacks against Egyptian government Web sites. Late last month, authorities in the U.K. and the U.S. moved against at least 45 suspected Anonymous activists. Then, on Saturday, the Financial Times ran a story quoting Aaron Barr, the head of security services firm HBGary Federal, saying he had uncovered the identities of Anonymous’ leaders using social networking sites. Barr said he planned to release his findings at a security conference in San Francisco next week.

Anonymous responded by hacking into HBGary’s networks and posting archives of company executive emails on file-trading networks. The group also hacked the firm’s Web site and replaced it with a message saying it was releasing Barr’s findings on its own because the group was confident Barr’s conclusions were wrong.

“We’ve seen your internal documents, all of them, and do you know what we did? We laughed. Most of the information you’ve ‘extracted’ is publicly available via our IRC networks,” the statement reads. “The personal details of Anonymous ‘members’ you think you’ve acquired are, quite simply, nonsense. So why can’t you sell this information to the FBI like you intended? Because we’re going to give it to them for free.”

I tuned into this conflict late Sunday evening, after HBGary President Penny Leavy had waded into Anonymous’ public chat channel in an attempt to reason with the group. Earlier in the evening, Anonymous sympathizers hijacked several Twitter accounts belonging to HBGary employees, and used them to post offensive comments and personal information about the account holders.

The topic of the IRC channel Leavy joined said it all: “Mission: Aaron Bratt FIRED. His salary donated to Bradley Manning Defense Fund. Simple.” Leavy said the group was planning to publish online the entire email archive belonging to Greg Hoglund, the security researcher in California who co-founded HBGary, which is part owner of HBGary Federal.

A snippet from that conversation:

“[20:06:12] <+Penny> Guys, I can’t fire someone that owns a portion of the company  What i can promise is we will have a meeting to discuss next steps”

In a phone interview late Sunday evening, Hoglund said that unlike the more traditional Web-site attacking activities of Anonymous, the hackers who infiltrated HBGary’s system showed real skills, even social engineering a network administrator into giving them complete control over rootkit.com, a security research site Hoglund has long maintained.

“They broke into one of HBGary’s servers that was used for tech support, and they got emails through compromising an insecure Web server at HBGary Federal,” Hoglund said. “They used that to get the credentials for Aaron, who happened to be an administrator on our email system, which is how they got into everything else. So it’s a case where the hackers break in on a non-important system, which is very common in hacking situations, and leveraged lateral movement to get onto systems of interest over time.”

Hoglund said Anonymous had crossed a line, and that posting the company’s email online would expose internal, proprietary data that would likely cost HBGary millions of dollars. He added that Anonymous activists should be able to see — if they read the email they’ve stolen — that HBGary ultimately decided not to publicly name any of the members it had identified.

“Before this, what these guys were doing was technically illegal, but it was in direct support of a government whistle blower. But now, we have a situation where they’re committing a federal crime, stealing private data and posting it on a torrent,” Hoglund said. “They didn’t just pick on any company, but we try to protect the US government from hackers. They couldn’t have chosen a worse company to pick on.”


164 comments

  1. Um, no. The incompetent imbeciles at HBGary Federal were *not* “helping the federal government” do anything. What the imbecilic HBGary tried to do was sell a list of names of Facebook users and subscribers and public-accessed “nicks” from Internet Relay Chat servers to the Feebs in exchange for money, names which the imbecilic clown wanted to pretend somehow tagged Anonymous “leaders” and “founders” and no end of amusing lunacy.

    The imbecile pretended to “infiltrate” and “penetrate” Anonymous’s oh-so-secret web of human rights and freedom of speech rights activists and advocates, trying to pretend that the Anonymous collective actually *has* leaders, decision makers, and founders and no end of stupidity, all of which *real* security companies are well aware of.

    Once the eyes of the Anonymous collective turned to HBGary for his pretentious effort to acquire fame and public recognition by pretending to attack Anonymous, eventually the hive mind of Anonymous turned toward exposing him as a pretender.

    Toward that end, Anonymous provided what they call a “security check” of his web sites, his data security, his emails, SQL databases, customer lists, whatever they could find to check his security on.

    Guess what. He failed. The loud-mouthed pretender HBGary failed utterly, and according to Anonymous it took only minutes to extract the “security” company’s data.

    There are some object lessons to be had here. First off, HBGary Federal is trying to sell its customers the notion that they provide security when Anonymous has exposed for the world to see just how pathetic their “security” actually is.

    Secondly, Anonymous did HBGary Federal a service for explaining and describing in a stark and brutal (not to mention amusing) way what *real* security companies avoid by applying *legitimate* security. At the same time Anonymous did HBGary’s customers a service by exposing the company for what it really is, and if customers were standing ready to hand HBGary money, they should be thanking Anonymous for the lesson.

    Normally I’m no fan of hackers and crackers who steal people’s data for either financial gain or to make a point or even for the LULZ. Normally I’m in favor of laws, rules, and polite societal behavior. Normally I denounce such activities as Anonymous engages since in the long run such behavior is detrimental to the safeguards of freedoms and liberties given the Fascist State’s typical response to such activities.

    In this particular case, however, I have to stand on the sidelines and applaud Anonymous for cracking HBGary Federal. If they really were trying to sell public information to the Feebs and if the Feebs were actually going to hand over our tax money to HBGary for worthless speculations and public names that anybody could get, Anonymous did me the tax-payer a huge benefit.

    For that I thank the Collective.

    My opinions only and only my opinions, as always. I may be entirely mistaken in anything I say here. I welcome rebuttal to frice@skeptictank.org

    • @Fredric, you are quite mistaken. What you so cavalierly call a “security check” is called a crime by the rest of the world. Just like a “security check” on a bank vault is a crime.

      Grow up.

      • I agree that it’s a crime, Nobody, that much is obvious. However you are simply wrong by suggesting that the security checks Anonymous affords as a valuable volunteer service they provide is somehow without value.

        Many companies pay legitimate security companies to find the weak areas of their facilities, it’s been historically true that real data security is costly, requires effort, and requires planning and time.

        What Anonymous did here was lend what appears to have been a much-needed hand. If HBGary Federal actually manages to survive (in whatever form; they may have to change their name now) they as a “security” company should be much stronger for having learned this valuable lesson — which HBGary did not have to pay for.

        My opinions only, as always, and only my opinions. Rebuttals to frice@skeptictank.org are welcome.

        • You are correct that they didn’t have to pay for it in the sense of paying for the service to check their security. However, in my opinion, there are two things that contradict the statement –

          1. If it was a service they paid for, their information being leaked and the other actions taken by anon wouldn’t be considered appropriate – there would most likely be a legal suit against it.

          2. Even though they’re not paying for them to research their security flaws – they’re most definitely paying for what has been done to them. As you point out – this has and will continue to cause some serious reputational harm (at the very least), which the company may not survive from. That cost alone is a LOT higher than what anyone would’ve paid to have a researcher look into things for them.

    • What these self-declared “security experts” of HBGary (who don’t even seem to be able to keep their own servers safe) did was falsely accusing lots of innocent people to be some kind of “leadership gang” of Anonymous. I only hope that they will be sued to their last penny by those people whose life they were trying to destroy. I sure hope it will cost them a fortune to settle all these cases, and then they do something useful for society – like, collect trash or sweep the pavement. But never, never allow this Aaron Barr and his imbecile companions to touch a computer again, because all they are doing is to try to hurt good people and they are too stupid to actually understand what they are doing.

      • Ah but Anton O, what HBGary did was *not* malicious and, in any event, their incompetence did not damage anyone’s reputation other than their own.

        What’s fascinating — what *I* find fascinating — is the object lessons that everyone should walk away with in the aftermath of this rather amusing crack.

        Everyone should win from this, including HBGary, it seems to me. The smart thing should be for them to issue a press release admitting and accepting that kids outwitted them, then use the embarrassment as part of their resume on what it’s like to be a company that gets cracked and exposed — since HBGary finally has some experience in that arena thanks to Anonymous.

        My opinions only, as always, and only my opinions.

        • But surely, if they are as incompetent as they have been made to appear then it is better that they be removed from any positions in which they are required to advise organisations or governments on how to harden their systems. By that token, it would seem that Anonymous have performed the US citizenship a service. At least they are publicising the fact that they have cracked the systems. A rogue state might not be so generous.

      • HBGary must be on to something or you wouldn’t be freaking out over it. Your heightened level of response and camaraderie is giving you away.

        • Well written. Concise. Not clear. Not close to direct. What exactly are you saying? Are you accusing anyone who’s posted of being part of Anonymous? A confederate of Assange?

          A weasel post.

          • @KFritz
            Well no, did I say everyone who posts are part of Anonymous? Got a guilty conscience? I said, there must be something to HBGary’s claims otherwise hundreds of you wouldn’t be getting all bent out of shape about it, which you obviously are.

          • @ Nogero

            No, you didn’t say so directly. Instead, you implied it sneakily. Ergo “weasel.”

            As far as my being part of Anonymous, my skills are so far below what’s needed to do even elementary hacking that the thought is a hoot all by itself!

        • Right, they must be on to something. I guess Gene Simmons was onto something too when he spoke about copyright infringement…Anonymous must have felt really threatened, according to your logic, since they DDoSed his sites.

          One thing though…which makes me wonder if you even read the article at all…if Anonymous comes through on their claim that they’re providing HBGary’s supar-hacker-secret-info to the FBI, free of charge, preemptively, then they must not be too worried about its contents?

          But no, you’re probably right, you seem to be well-versed on this matter and well-spoken in general, your insight is legendary.

          • Who is Gene Simmons? Just kidding. You must be right and HBGary isn’t on to something. The FBI can just get all their information directly from the evil, bad guys now. No need to bother doing any investigations. Case solved.

  2. Another reason nobody is getting fired – I thought Penny and Greg were married?

  3. As an anarchist myself, I applaud any effort by hackers to support Bradley Manning, and indirectly to damage the US government which is the largest and most dangerous group of organized thugs in the world.

    If anyone has doubts, observe how Obama and Clinton are in support of putting the chief torturer in Egypt as head of the government there.

    Nothing hackers do can possibly be compared to that crime.

    • Mr. Hack –
      You sound like you’re 17. If you are a true anarchist you would have no issues if I walked through your front door and took whatever I pleased and blew both your kneecaps out with my .45 so you wouldn’t stop me. You should learn your definitions.
      Also you support a group that does whatever they deem fit. This attack was based purely in retaliation (not that I oppose it) and only a few of the attacks actually do anything close to supporting anyone but Assange himself and anon.

      • Learn your own definitions. From the Wikipedia article:
        “Anarchism is a political philosophy which considers the state undesirable, unnecessary, and harmful, and instead promotes a stateless society, or anarchy. It seeks to diminish or even abolish authority in the conduct of human relations. … Some anarchists fundamentally oppose all forms of aggression, supporting self-defense or non-violence (anarcho-pacifism), while others have supported the use of some coercive measures, including violent revolution and propaganda of the deed, on the path to an anarchist society.”

        Anarchists no more support wanton acts of violence than do Buddhists. Anarchy is about a system of managing human interaction, much the same way various other political ideals are. An anarchist would abhor the behaviour you describe, and would have no qualms about defending themselves against you.

        Idiot.

        • From the Wikipedia article on anarchy “Anarchy is the basic rule of a no rule society” and with “No rulership or enforced authority.” I would be free to commit such an act without fear of police or “authority” repercussions. I admit there are Anarcho-pacifists but that only makes up a percentage of anarchists and sadly the OP did not specify which he was. Also I quoted Wikipedia in response to your wiki-quote but Wikipedia really isn’t an overly credible source.

          • Hmmm. You said:
            “If you are a true anarchist you would have no issues if I walked through your front door and took whatever I pleased and blew both your kneecaps out with my .45 so you wouldn’t stop me.”

            Anarchists don’t believe that there should be no consequences, and no defense, which is what you’re saying. An anarchist believes that behaviour is self-regulating; that you don’t need “The Man” to regulate behaviour, but that individuals and society as a whole will regulate behaviour to a sufficient level. Rather than being submitted to courts and due process, someone acting like you were suggesting would either be shot in the act, or lynched by the community.

            You’re mistaking ‘Anarchy’ with ‘everyone lying down and letting you do anything you want without objecting’, and they’re about as far from each other as possible.

      • Frank Bertrand Indigo

        You sir, have a poor grasp on English grammar and Anarchy. There are different schools of thought for anarchism. What you see the punk rockers do in the name of Anarchy is completely misguided and chaotic.
        Anarcho-Syndicalists know what true and peaceful anarchy can be, unlike hog minded capitalists. Capitalism has its place and can work, but more often than not it is abused and leaves many in poverty. There is always a tipping scale in actions taken by people.

        By the way,
        You sound like you’re a 13 year old conservative who has been raised under the wing of over-sheltering xenophobic parents.
        Just an observation.

        Be peaceful, because life is suffering.

        • Frank Bertrand Indigo

          My earlier reply was for @John F Byers.

          I apologise for any misunderstanding, @Rophuine.

        • All of you seem to be very fast to point out anarcho-syndicalists and anarcho-pacifists but that doesn’t change the fact that anarchy leaves a power vacuum and men seek power over others. It’s in our nature as can be observed through the history of mankind. So even if you got most of everyone into that you would still have a remaining percentage out for power and control. I’ve looked into this before. It is a wonderful idea but not a feasible one. Also thanks for that very partisan comment about my political points of view. It somehow reminded me of an insult I would have come up with 8 or 9 years ago when I was 13.

          • Monarchists used to claim that democracy was a wonderful idea but not a feasible one. No system of government is feasible, including a system without a government. It has to be made so, has to be fought for, has to be continually renewed…otherwise it withers and its fruit turns rotten before it ever hits the ground, just like our wonderful American republic. You people who claim “this won’t work” and “that won’t work” but simultaneously claim it’s all great and barry on paper need to emerge from your clouds of self-delusion. You either believe it’s sound on principle or you don’t. Making it work is another matter entirely, and if there is a will, there is a way. Failed experiments are not evidence of the infeasibility of an ideology. They are only evidence of failed implementations. We used to have a democratic republic, long ago, in the US. Now we have a corporate plutocracy. I guess that means representative democracy is a great idea but just isn’t feasible…let’s throw in the towel and just assume the fetal position until someone is kind enough to put us out of our misery.

  4. Criminal activities are deplorable. That said, I have tried HBGary’s products and let me just say whatever *proprietary* information that Anonymous stole, is worth nothing because the HBG’s products are crap.

    • Criminal activities are deplorable? That’s a pretty broad brush you’re painting with there, did you forget about the happy little trees? If the government decides to criminalize freedom of expression, it then becomes a deplorable act to speak your mind? I’m not suggesting that everyone should simply pick and choose which laws they want to follow – murder, for instance, is wrong, regardless of what the criminal codes and statutes have to say about it. Written laws do not codify right and wrong. I’m not comparing Anonymous to Dr. Martin Luther King Jr…but you do realize he committed criminal acts and inspired others to do so, and yet I’ve never heard anyone take the position that his activities were deplorable. Is that really what you’re saying?

      • When an African-American man drinks from a fountain that sits below a sign proclaiming “Whites Only” or attempts to attend a school that is segregated BY LAW, it is a deplorable act. Shame on that man. Deplorable, deplorable!

        When our founding fathers fired musket rounds at British soldiers, they were committing crimes! Deplorable, deplorable! Our whole nation is deplorable, as it was founded only through a series of criminal acts of destruction. Raise the hue and cry, someone dares violate the LAW, which is immutable, perfect, infallible, written by God’s Own Hand.

        What’s that? Attempting to buy liquor on Sunday in Texas? DEPLORABLE, DEPLORABLE, YOU SHOULD BE SENT TO PRISON!

        Here’s a quandary for you: When the authorities write laws to retroactively immunize criminal behavior from prosecution, which law is the right one? The original law or the new law? When a written law violates the Supreme Law of the Land, is it deplorable to violate the first one or the second one? Are they both deplorable, just different degrees of deplorable? The law is the law, right? No room for interpretation.

        I got news for you bud…some of the greatest human beings that ever walked the face of this planet committed criminal acts. I can’t think of a single one that didn’t.

        Also, a Protip for you in case you haven’t been paying attention to the world around you: you aren’t aware of every law on the books. No one is. There are too many. Some criminalize things you would never dream of. How do you even know you are law-abiding? You think you are, but I promise you the authorities could prove you wrong.

        Are you deplorable too? I hope so, because those willing to violate the law are the only hope liberty has of surviving this century.

  5. I have been trying to recover the picture of my ‘original avatar’ that I previously used in making posts on the WashingtonPost Web Site.

    Brian, I AM SURE that you recall the picture of which I speak.

    So if you Anonymous guys are really so good, see if the WashingtonPost web site is ‘hiding it’ somewhere, will you?

    Now it’s not on my current machine, nor for that matter is anything embarrassing [because little ever embarrasses me these days] and I must presume that any skilled hacker, or even hacker trainee could get into my machine.

    Liberator of the Oppressed & Forewarned is Forearmed

  6. Brian

    In all good humor, I guess that I have one other major concern about the ‘supposed limits of hacking’ and that is that it would be totally unnecessary for a country to even steal another nation’s ‘nuke,’ or spin out its own bomb fuel, IF ONLY

    it could instead only launch a nuclear missile strike from a major power [anyone so capable is major enough] for when missiles start to fly and systems start to go offline, NO ONE is going to say this is a hacker missile strike.

    OR ARE MY FEARS POINTLESS ???

  7. Woah. Taken to the cleaners.

  8. Armchair General

    Sensationalist activity begets more sensationalist activity. What were the folks at HBGary expecting when they decided to expose Anonymous using a tool like a press release? This has got to be one of the most ill-judged stunts I’ve seen.

    Not all PR is good PR.

    I’ve already seen confidential HBGary client files posted on a chatroom, results from security assessments, and an incident report. For a more constructive piece on how the State Department should have been managing their information and handling its leaking try this:
    http://360is.blogspot.com/2011/02/wikileaks-lessons-for-uk-information.html

    AG

  9. As soon as you see the words “Anonymous” and “leaders” in the same sentence, you know someone’s about to get schooled.

  10. Greg, I hold your work high. But the statement “[…]but we try to protect the US government from hackers[…]” really makes me shruck.
    The company policies, the technical implementation, the lack of any serious security measures made their information fall prey within hours. Read that? Hours. I am sure the ‘US government’ is way better off without the ‘protection’ of experts like that.

  11. “[…]but we try to protect the US government from hackers[…]”

    They can’t even protect their own website and data, how can they protect the government?

    Common sense.

    Find a new security company to be affiliated with.

  12. As posted by FLR, I do not condone or rally with hackers and crackers. However, with HBGary I am in support of the way they were exposed as the Black Water of Gov security.

  13. I wonder who recommended HBGary to the FBI?

    • Gov’t contracts are usually won by the lowest bidder.

      • > I wonder who recommended HBGary to the FBI?
        >> Gov’t contracts are usually won by the lowest bidder.

        I wonder who and by what capabilities accept these lowest bidders. And it’s alike all over the “civilized” world!

  14. Ah yes…the “one illegal act against another” makes it justified. So technically if the government is using any type of [service or software], attacking the type of [service or software] is just…if you work for the “Gubment” you are fair game? You hear that all you evil people down at the welfare programs?

    Anonymous should read Anonymous Coward.

    Notwithstanding…HBGary was hacked because of their own stupidity. It’s the little things that can kill you….

    • I am sure the majority of readers on this blog approve of what Anonymous did since they accomplished an excellent security check on hbgary as all good “security researchers” do.

  15. Gentlemen

    Let’s not piss and moan about the evil of Bradley Manning, the regrettable damage done to all the worldwide quislings on the American payroll, etc

    Let us instead enjoy ourselves watching Anonymous doing the dirty chicken dance in HBGary Federal’s end zone, pointing mockingly and chanting “you! you! you! you!”

    What’s it like to lose, crash, and burn – and have your dox and data splashed across the net, Barr? Anonymous wouldn’t know, we wouldn’t know, but I was thinking, well, Aaron Barr might just know, ha ha ha ha ha?

  16. In Germany we all laugh at HBGary. So much fail!

    • > “its not about them…its about our audience having the right impression of our capability and the competency of our research.”

      Have no anxiety, dear boy. It’s like your kind heart to worry, but have no anxiety – the audience got exactly the right impression of your, ah, ‘capability and competency’.

      > “I have pwned them! :)”

      you sure have.

    • From the pastebin link: When I see someone so full of himself and his capacities as this Aaron was, well, I bring closer the vomit bowl.
      And from the image posted by Brian: If the times in there were not tampered, it might suggest it happened at about 11:23a.m California time and the anon impersonating Hoglund was using a mail system on East Coast time. That would make about 21:00-22:00 in Europe, where Hoglund was purportedly in a hurry to join a small meeting. If nothing else has rung any bells with Jussi, you would think this and the common sense of receiving requests from his/her boss on a gmail account would have prevented this incident. It obviously didn’t.

      • George, you might think Aaron Barr is a vomit-inducing incompetent, but here, for your entertainment, is how he sees himself on his newly restored linkedin profile –

        “Aaron Barr’s Summary

        A confident, innovative, and enthusiastic technology professional with 20 years of distinguished performance. Demonstrated thought leadership, developing solutions to difficult national challenges. Visionary, processing and developing technology roadmaps to future technical environments and customer requirements. Skilled at tailoring corporate capabilities and investments to meet business objectives. Effective and proven business development acumen. Strong relationships throughout all levels of the community. Proactive manager, team builder and planner with an ability to attract and secure key talent in building strong and lasting capabilities. Decisive leadership with proven ability to overcome challenges and execute to plan.”

        😀

        • john barleycorn

          Mr Barr, a bit of advice: referring to yourself as someone who displays “thought leadership” is a little on the gauche side for someone who just got so thoroughly schooled. Really, you’re terrible at your job. Try referring to yourself as “eternally living in the shadow of Anonymous.” At least people will believe it.

        • Thank you, Jole.
          His profile is quite honey-soaked, even by LinkedIn standards, but he has an excuse: He hopes it will help him land his next job. Seriously, does the “B” in HBGary stand for Barr ?

        • Marketing, pure marketing. How to embarrass yourself in one description.

          Gild that turd all you want, Aaron. Just don’t try to cash it in at the bank.

  17. Crime is crime. I’m not rooting for Anonymous, but certainly HBGary Federal has fulfilled its destiny. Password “w0cky”? That’s worse than what the Anonymous guy suggested. Casually taking the firewall down after an email? These guys need to google “change control”.

    If they survive this (who would still do business with them?) they can prevent another embarrassment with the proper training: http://krebsonsecurity.com/2010/10/earn-a-diploma-from-scam-u/

  18. LOL! That dude is right; Anon couldn’t have picked a worse company to target. LOL!

    Seriously, how do you ‘protect America’ from cyberattacks if you can’t protect yourself?

    Former government spooks with GED or non-computer Bachelor-degrees should leave real cyber-security up to real technologists.

  19. GaHahahahaahahahaha!

  20. I don’t get how anon can continually be praised for doing something illegal. This sounds to me a bit of retaliation – perhaps Barr was actually onto something so they jumped on it to figure a way to make it look like nothing, perhaps Barr was completely wrong and they wanted to call him out, or perhaps Barr jumped the gun and didn’t do complete research and they focused on him because of the press release announcement. Whatever the reason, what they’ve done is illegal. Two wrongs don’t make a right, stupidity doesn’t justify illegal retaliation. I could understand it when anon was supposedly taking a stand for what they believed in (while I don’t view it the same as a peaceful protest – I do get it), but this isn’t done for the right to free speech or anything… this is going after a company out of spite… to me, both parties are in the wrong here – HBGary approached it wrong (at the very least), as did Anon.

    • No, Barr was not “on to something.” He simply logged IRC discussions and tried to pretend he could match them with names while also pretending the people he logged were “leaders.”

      His “infiltration” and his “penetration” consisted of what any teenager would do: bring up an IRC client and set logging ON, then try to find Facebook accounts and real names for some of the people participating in IRC.

      In a word, lunacy. In another word, lame. Barr has no p0w3rz as would appear to be evident from the latest exposure. Legitimate security companies don’t get pwned like this for a reason.

      My opinions only, as always, and only my opinions.

      • I wasn’t saying he was onto anything in particular – I was trying to say that there’s any number of things that could have happened as we don’t know the whole story.

        Do I think it sounds like Barr made some serious mistakes, yes.
        Do I think it sounds like Barr isn’t as good at his job as he thinks he is, yes.
        Do I think social engineering can work against just about anyone if done right, in most cases, yes.
        Do I think Barr needed to have his ego checked, yes.
        But do I think Barr’s stupidity justifies the actions taken, no.

        I think it’s horrible that he would try to sell the information – if it was legit, he should have handed it over if that’s what he felt was right… but the fact that he was trying to sell it, to me, screams that he was just looking for something that might look convincing to earn himself some extra cash while all this anon stuff is a big deal. He’s jumping on the craze to try to profit from it. If he were really trying to stop them or help if that’s how he views it – he wouldn’t be trying to benefit from his “research”

        That said… I don’t get why Anon going against the company is justified. Leaking private details about the company and employees… posting SSNs and addresses, etc, to me, isn’t a justified retaliation. That’s breaking the law. I don’t get why they couldn’t hack in – release the information (like they did) to make the point that it was nothing, and, if anything else, just mess with Barr’s accounts in the sense of pointing out that the security sucked. Going so far as to make public private personal information and so much private company information is truly the only piece of the whole thing that I just can’t get my mind around to think of as justifiable.

        What is it that makes that part ok?

        I welcome any explanations – perhaps I’m just being dense… but to me it just seems like a serious overreaction with the intent to cause harm… What am I missing?

        • @T.Anne
          I guess the missing part is, this is not a regular security check on HBGary, as Barr’s message was not a neutral press release; this is WAR.

          More precisely IW, US gov’t and its allies (loosely connecting Barr to the topic) vs Anonymous as an ally of Assange et al. And if you go asking for what is legal and what is not in war, you are a hypocrite. The only justice for “crimes of war” is the after-war justice of winners, usually rewriting rules to suit their political needs.

        • The problem with Anonymous is that they are “everyone and no one”. I agree that the retaliation was overdone. However, as they are everyone and no one, some of them are 15 year old prodigy hackers. Not all of them are measured. There is no real hierarchy, they are composed more like an open source project (unsurprisingly).

          All those involved in hacking HBGary could be a completely separate group who never communicated with those who hacked Visa or the Egyptian government. Fighting them is like waging a war on terror by conquering every country in the world….. you’ve accomplished nothing. They don’t have a sense of morality or conscience because they aren’t a cohesive/collective unit, they are like an organism where each cell is truly independent. What happened to HBGary wasn’t one well thought out action, but a series of independent actions.

          I hope this gets the point across. This is how Anonymous responds, there are no limitations.

          • I understand that they’re everyone and no one – and that those involved in this particular case may not have had anything to do with any of the past actions taken, or they could’ve been there from the very beginning.

            Though I don’t see it as trying to take action against the world – why couldn’t you just address those involved in each individual action taken? You can’t blame the whole for the actions of one, but you can blame that one. Now this is assuming they could figure out who those involved were (which I highly doubt they will/can), but I don’t get why they “don’t have a sense of morality or conscience”… wouldn’t the individuals still have that? I get that the collective may not as there isn’t really a collective since they all act individually and support the causes they see fit… but each individual is still a person – with their own thoughts and opinions. They still have a conscience. Or are you saying because they are part of a bigger group that there is more group think going on than individual opinion? That because of the collective whole they cannot be responsible for their individual actions because they may not act that way on their own if it were not for the whole?

            Personally, as a whole – I can totally see some of anon’s actions as justified, while others I can’t. Perhaps other individuals within the group feel the same way – believing in the bigger picture and perhaps not supporting every action taken by someone else within the group. It may be in some ways like a protest – where all don’t approve of the situation, but they all have different view points of what is considered appropriate action to address the situation. As a result, while they may all be standing for the same thing – they go about it in very different ways. (and yes, I get this is a bit of a stretch as anon supports many different causes – but I think it can apply to each cause individually)

            I’m not saying what they did was wrong as a whole, nor that it wasn’t justified… simply that, to me, it was overkill. But perhaps it was done simply because it’s considered WAR and in war there really is no fine line of what is an appropriate reaction and what isn’t. They were putting their opponent in check. Honestly I didn’t know it was viewed as war between the two sides (thanks for the clarification there Seikku).

        • Anne, I’d say the point of releasing proprietary and private data was completely destroying Barr’s (and HBGary Federal’s) credibility.

          You could argue this is too harsh. I’m guessing Anonymous feel justified in light of the company’s cynical plans. Reading this morning’s Independent, I came across the following comment that seems to point at Hoglund as a culprit and paint Barr in a more flattering light, This is what Hoglund (allegedly) wrote –

          “I think these guys (anonymous) are going to get arrested, it would be interesting to leave the soft impression that Aaron is the one that got them, and that without Aaron the Feds would have never been able to get out of their own way. So, position Aaron as a hero to the public. At this point they are going to get arrested anyway. But, Aaron has some concerns on how that might affect commercial business (although I’m not clear on why yet)”

          http://www.independent.co.uk/news/media/online/hacktivists-take-control-of-internet-security-firms-2207440.html

          • I would say they were successful there, and I can see that being their intent. While I may see it as too harsh, more of an eye for a head instead of an eye for an eye – odds are anon does see it more as an eye for an eye and justified. My views are naturally skewed as I’m not involved and don’t know all the details behind what led up to the whole chain of events, nor do I know the views of either party to be able to understand their thought process.

            I am amazed Barr could be painted in any type of flattering way after all this. Though I would think most would understand that’s not reality and that he’s not as good as he gives himself credit for.

        • Allow me a perspective. I believe in some of the civil disobedience Anonymous organises. I believe in the peaceful and lawful protests against Scientology. I think Anonymous has done good things in the past, and may well do great things in the future. So I sometimes jump onto the IRC channel. I’ve talked.

          The flip-side? I don’t think Anonymous should get involved in the greyer side of civil disobedience, and I generally think DDoS attacks are childish and ineffective at raising the right kind of awareness. I don’t condone a lot of what’s gone on lately. But you know what? I still jump on IRC sometimes.

          Based on the methodology HBG apparently used, they may have gathered some of my information. That’s cool; I don’t mind. If I were doing anything wrong, I would be much more careful about hiding my information. Passing it on to the FBI as if I’ve done something wrong, however, is making a false and unsubstantiated accusation. If the FBI were to over-react, I could end up on no-fly lists, or watch lists, or who knows what.

          I don’t condone what Anonymous did. It crossed the line between civil disobedience and illegal hacking (a line which has been crossed plenty before – I’m not saying otherwise, but I refuse to be involved when it is crossed.) But you know what? I understand their motivation.

          • The members of Anonymous “might end up on no-fly lists”? You’re kidding right? There will be at least a few that are going to spend at least a year behind cold, hard steel bars, in an 8×12 cell with no window. Law Enforcement will make an example out of this case. Some should think hard, even ask some hackers who got caught, what time in prison is like. At least a few are going there sooner or later. This isn’t civil disobedience or activism, it’s just plain old felony hacking. Try that argument for your defense.

          • No, @NoGero, if you’d read my comment at all you would have noticed that I said that *I* might end up on a no-fly-list. I did nothing wrong, I didn’t take part in this “hacktivism”, etc etc, but I do jump in the IRC channel now and then and so could be on HBG’s stupid list of wild and unsubstantiated speculation. You’ll note that I even said this:
            “It crossed the line between civil disobedience and illegal hacking…”

            Try to address what I actually said next time.

    • The point is not about actions taken being legal or not; there should be a law against stupidity. Actually I guess there is: writers of such idiotic press releases lose their customers…

    • I have to agree with you T.Anne, it does seem like Anon crossed the line. Their idea of dealing with any event seems to be to respond with as much force as possible in order to generate respect through intimidation.

      That being said, HBGary went ahead and gave them a challenge. They couldn’t ignore it and lose face, so they went after HBGary. Who, unfortunately, did not follow the best security practices that they probably preach.

      It reminds me a bit of those “real life superheroes.” The folks who dress up and run down dark alleys after criminals. Sooner or later, they’re going to actually find trouble. If they’re not prepared for it, they’re going to get badly hurt. And frankly, even if they ARE prepared, they may still get badly hurt. The criminal is wrong, but that doesn’t mean that the other party is without responsibility.

  21. Leadership for Anonymous is … well there is none, that’s what they pride themselves on. No leadership. Independent pieces moving together to create a larger machine. Yes there are some larger cogs and gears in there than others, but leaders… there are none.

    • There must be leadership or hundreds of you wouldn’t be repeating “there’s no leadership” over and over and over. Are you really all kids too? It does seem like Andre slipped into baby talk with “Gahahahaha”.

      Man I’ll bet the FBI profilers are working on you now. I do believe the federal approach to cyber security is somewhat embarrassing though, especially how they feed the Washington Post stories of cyber threats, fear uncertainty and doubt. I take pleasure in the embarrassment of the boys who got the spotlight as champion white hats, just like your assurance the leader of Anonymous has been identified.

      • john barleycorn

        Nogero, you say “Man I’ll bet the FBI profilers are working on you now.”

        Care to elaborate on this vaguely fascist fantasy of yours? I mean, sure, we’re all turr’rists as long as we disagree with you, but could you elaborate – does the guy who just said ‘hahahahah’ merit a trip to federal pound-me-in-the-ass prison or Guantanamo Bay just as much as the more outspoken mockers of HBGary’s incompetence?

        Inquiring minds want to know.

        • I’d take a guess and say he is one of the 4channers trolling. Of course he’ll just deny it but he seems to be arguing with any and all viewpoints.

          • I think he is mostly a bit fixated on the idea that only criminals post on this blog… A few gems from the last few articles:

            “This post gave them more publicity than they ever dreamed of getting from a forum post.”

            “Oh come on, geesh this place is counter-intuitive. Have you heard the old saying, “Any publicity is good publicity”? How many hits will this post get? Among those hits will be very qualified potential customers.”

            “Great logic there Helly. Did you call everyone up and ask them to make that incredible proclamation?”

            “You readers (groupies) crack me up.”

            “The censoring of comments via Like/Dislike has rendered these comments just about useless.”

            “I am starting to get it now. This is a security blog just like the hacker is a security researcher. Brian do you actually endorse your little ‘Like Dislike’ comment voting system? It appears those who approve of breaking into websites and companies are Liked and those who object are Disliked.”

            “Oh I get it. They have declared POF a “grease bag” and numerous other rationalizations so it is OK to hack into that website. Unbelievable. This website is becoming a security septic tank that appears to be frequented by hackers more than legits concerned about security. Wow, it is amazing Brian likes the direction and reputation this blog is headed.”

            “Good to hear Brian. It’s obvious from this comment section that criminals are removing posts of legits by means of voting, thereby encouraging illegal activity. That should give you a bit of concern I should think.”

            “@ POF since 2007 Actually it wasn’t my post removed that set me off, but I see they have taken out my posts too. When I saw @Tiredofitall comments removed before I had a chance to read them I got alarmed considering the general tone of this thread–where those approving of criminal activity outnumber those who disapprove and remove posts.”

            “Russo is no “whitehat hacker”. He is a criminal hacker who went for a publicity move. Do some research yourself. Your “pass judgement” argument is cracked anyway since the majority, including you, pass judgement that POF deserved to be hacked for reasons such as: he’s a greasebag, he’s making lots of money and gloats about it in magazines, he uses plain text passwords, his website doesn’t meet your measure of security. Those may or may not be true, but it is irrelevant to the fact that Russo committed a felony. It’s bad precedent. That is my point.”

            “Just who is the “honey” or “vinegar” intended for, @Since?”

            I don’t think he’s a troll, but maybe some less inflammatory or accusatory language would go a long way with his difficulties with the moderation system. 😉 Not trying to call you out Nogero but help yah out with the mod system.

          • @helly

            Thanks helly. It’s reassuring to see you pay close attention to my comments. Flattering.

            GaHahahahaahahahaha!

          • @Nogero

            Flattered? A good hunter pays attention to scat.

  22. Anonymous was in the right on this one.

    • When was Anonymous ever not right? The kids are a force for good.

    • I don’t want to pull the tail on the tiger, so please take this as just an honest inquiry.

      Given that Anon has repeatedly claimed that there are no leaders, was there any value in attacking HBGary other than to taunt them? No leaders means egg on HBG’s face when they reveal their data and it turns out to be wrong.

  23. Viva activism! Way to go Anonymous!

  24. I’m more impressed with the people of Egypt, and the leaders who took great risk NOT being anonymous, and had the guts to come out and call a spade a spade. If FaceBook wants to take some of the credit, well at least they are there to serve the people(and make money).

    I’m just not a big fan of secret societies, even though I can understand their motives for operating as such.

    I’m definitely not a fan of HBGary Federal at this point either!

    I think our originators of the Constitution come as close to anarchy as you can and have a society that maximizes benefit for all. When you read some of their letters, it can be quite shocking! Benjamin Franklin believed in revolution every five years; and actually when you study US history – we have had sweeping change in one sector or another every five years!

  25. Jackson Telforde

    Somehow “p0wnd” just doesn’t do this one justice. Suggest a new word be created for accomplishments and achievements on a grand scale such as this. A Nobel Prize of Hacking; The Medal of Honor for Non-Meritorious Blackhattery.

    • I disagree. I think that pwnt perfectly encapsulates what happened. HBGary got pwnt like the noobs they are.

  26. It is interesting how the FUD, which is now possible, will play into the court system in the future.

    Any counterops just needs to write a good Eliza script, based on input from someone’s hacked comms trove; it adopts the target’s style, and then when counterops gives it talking points it goes to work.

    It would be hooked into hacked social media and other feeds, posting from the target’s machine seemingly on behalf of the target but under the control of counterops. This mis-info could be a chore to dispute in court. It doesn’t have to say much; just has to be “just enough” convincing to shape opinion.

    It will probably take months of litigation to sort out what is actual and real and what was generated and then injected into the interwebs.

    Similar to wiki leaks redacting.

    Without some serious data leak tracing for style, keys, words, inserted mistakes, etc to provide provenance, what is injected will become part of the “working” memory of the interwebs. I doubt even wikileaks preserves traditional file metadata well.

    The working memory of the interwebs, awash already in cruft, will likely be what is not real and the real will be transitory.

  27. Go back to your videogames Greg. YOU’RE the government’s bitch, not the other way around.

  28. wow, this story has almost as many comments as a /. global warming story.

  29. so much butthurt… mission accomplished

    • Enjoy it while you can genius, we’ll get you

      • Lol, maybe! But you are kinda dumb to think that because that guy posted anonymously he had anything to do with Anonymous or the individuals that attacked HBGary under the anonymous banner. People’s failure to grasp the concept of Anonymous never fails to amuse me.

        Anonymous = democracy. People working for the good of people… because our governments and corporations no longer do.

        I<3 anonymous.