wikileaks, Anonymous, HBGary, Epic Ownage, and Stuxnet
Ancalagon
02-20-2011, 04:02 PM
Hello
This story is dizzying in its permutations, but it features one of the best stories of ownage ever - with a lot of disquieting things exposed, and Pandora's box being blown open.
So in brief:
HBGary is a computer security consultant firm and they want more publicity. One of their higher-ups, Aaron Barr, decides to infiltrate Anonymous, find names, and expose them. Anonymous gets wind of this, and *owns* HBGary, hacking their server, defacing their website, and posting 60 000 internal emails (ish) on the web.
This is bad enough - HBGary's reputation is demolished. But then people started reading these e-mails, and all sorts of goodies came out:
-HBGary had been contacted by the Bank of America to go after Wikileaks, and HBGary was debating going after specific people who support it, as well as using various dirty tricks including malware.
-The US Chamber of Commerce has asked HBGary to go after unions and progressive groups to discredit them
I believe both institutions are denying these links.
-HBGary's security was seriously deficient for a security company: see how the hack was done (technical but very easy to understand even for computer noobs like me) http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars
-HBGary was looking at Stuxnet, and had some version of the code (reports are mixed on if it's a better or worse "type" than the original). http://www.smartplanet.com/technology/blog/thinking-tech/anonymous-hacktivists-add-stuxnet-code-to-their-arsenal/6282/ So basically HBGary allowed a bunch of hackers to get said code, and potentially release it on the internet.
http://www.geek.com/articles/news/anonymous-release-translated-stuxnet-worm-code-online-20110216/
-HBGary's list of names was obtained via some rather dubious method, potentially exposing several innocent people to "attention" from the FBI
This story hasn't fully broken open onto the full stage (too technical for the main media?), but it is astonishing in its potential consequences and exposure. I cannot help but wonder if some members of them may face legal penalties, or worse (i.e. black ops). They are starting to play in the big leagues.
I also wonder if the legal authorities are going to do anything against HBGary. They are calling for legal action to be taken against Anonymous, but they themselves seem to have engaged in a conspiracy to commit various computer crimes themselves so...
Ancalagon
02-20-2011, 04:32 PM
More info on how HBGary was writing backdoors and rootkits for the government:
http://arstechnica.com/tech-policy/news/2011/02/black-ops-how-hbgary-wrote-backdoors-and-rootkits-for-the-government.ars/
Ancalagon
02-20-2011, 04:45 PM
from the link above:
The leaked e-mails provide a tantalizing glimpse of life behind the security curtain. HBGary and HBGary Federal were small players in this space; indeed, HBGary appears to have made much of its cash with more traditional projects, like selling anti-malware defense tools to corporations and scanning their networks for signs of infection.
If rootkits, paranoia monitors, cartoons, and fake Facebook personas were being proposed and developed here, one can only imagine the sorts of classified projects underway throughout the entire defense and security industry.
Whether these programs are good or bad depends upon how they are used. Just as Hoglund's rootkit expertise meant that he could both detect them and author them, 0-day exploits and rootkits in government hands can be turned to many uses. The FBI has had malware like CIPAV (the Computer and Internet Protocol Address Verifier) for several years, and it's clear from the HBGary e-mail leak that the military is in wide possession of rootkits and other malware of its own. The Stuxnet virus widely believed to have at least damaged Iranian nuclear centrifuge operations is thought to have originated in the US or Israeli governments, for instance.
But the e-mails also remind us how much of this work is carried out privately and beyond the control of government agencies. We found no evidence that HBGary sold malware to nongovernment entities intent on hacking, though the company did have plans to repurpose its DARPA rootkit idea for corporate surveillance work. ("HBGary plans to transition technology into commercial products," it told DARPA.)
And another document, listing HBGary's work over the last few years, included this entry: "HBGary had multiple contracts with a consumer software company to add stealth capability to their host agent."
The actions of HBGary Federal's Aaron Barr also serve as a good reminder that, when they're searching for work, private security companies are more than happy to switch from military to corporate clients—and they bring some of the same tools to bear.
When asked to investigate pro-union websites and WikiLeaks, Barr turned immediately to his social media toolkit and was ready to deploy personas, Facebook scraping, link analysis, and fake websites; he also suggested computer attacks on WikiLeaks infrastructure and pressure be brought upon journalists like Glenn Greenwald.
His compatriots at Palantir and Berico showed, in their many e-mails, few if any qualms about turning their national security techniques upon private dissenting voices. Barr's ideas showed up in Palantir-branded PowerPoints and Berico-branded "scope of work" documents. "Reconnaissance cells" were proposed, network attacks were acceptable, "target dossiers" on "adversaries" would be compiled, and "complex information campaigns" involving fake personas were on the table.
Critics like Glenn Greenwald contend that this nexus of private and public security power is a dangerous mix. "The real issue highlighted by this episode is just how lawless and unrestrained is the unified axis of government and corporate power," he wrote last week.
Especially (though by no means only) in the worlds of the Surveillance and National Security State, the powers of the state have become largely privatized. There is very little separation between government power and corporate power. Those who wield the latter intrinsically wield the former.
The revolving door between the highest levels of government and corporate offices rotates so fast and continuously that it has basically flown off its track and no longer provides even the minimal barrier it once did. It's not merely that corporate power is unrestrained; it's worse than that: corporations actively exploit the power of the state to further entrench and enhance their power.
Even if you don't share this view, the e-mails provide a fascinating glimpse into the origins of government-controlled malware. Given the number of rootkits apparently being developed for government use, one wonders just how many machines around the globe could respond to orders from the US military. Or the Chinese military. Or the Russian military.
While hackers get most of the attention for their rootkits and botnets and malware, state actors use the same tools to play a different game—the Great Game—and it could be coming soon to a computer near you.
Ancalagon
02-24-2011, 10:09 AM
I have to admit I'm surprised by the lack of replies, I would have figured the group here would have been entranced by this little saga...:o
The Winslow
02-24-2011, 02:51 PM
It is a great story, I just don't find anything insightful to say.
Janos
02-25-2011, 01:47 PM
It is a great story, I just don't find anything insightful to say.
Yup, the same. I liked the story.
Trainz
02-25-2011, 06:28 PM
I have to admit I'm surprised by the lack of replies, I would have figured the group here would have been entranced by this little saga...:o
I just noticed this thread.
And honestly I'm not sure I want to take part in yet another "Assange is a traitor/Assange is a revolutionary" type of thread.
But I'm following it for sure, so, yeah, you guys do it. I'll watch.
Freedom Canadian
02-25-2011, 06:31 PM
I have to admit I'm surprised by the lack of replies, I would have figured the group here would have been entranced by this little saga...:o
I never had time to answer before now.
The interesting thing in this story, to me, is not so much what Anonymous did but what they revealed about the dude and his company.
Here we have someone who is deeply stupid yet is able to convince government people to pay him lots of money for bogus advice. That same person is, going by the content of his email, doing highly illegal actions on behalf of private companies, actions which are way worse than what Anonymous is doing.
I thought I lived in a world where, when big companies need criminals to perpetrate crimes on their behalf, they needed to contact some shady dude in a dark alley and pay him with a big briefcase of cash or maybe do it themselves. But no, it seems that criminals (not white collar criminals, mind you) can operate as a perfectly legal company with the blessing of the US government. What's next? Murder Inc and ads in the newspaper?
Ancalagon
02-25-2011, 10:31 PM
And honestly I'm not sure I want to take part in yet another "Assange is a traitor/Assange is a revolutionary" type of thread.
I think that's just an interesting side aspect to the story, and not the "core".
The interesting thing in this story, to me, is not so much what Anonymous did but what they revealed about the dude and his company.
Here we have someone who is deeply stupid yet is able to convince government people to pay him lots of money for bogus advice. That same person is, going by the content of his email, doing highly illegal actions on behalf of private companies, actions which are way worse than what Anonymous is doing.
I thought I lived in a world where, when big companies need criminals to perpetrate crimes on their behalf, they needed to contact some shady dude in a dark alley and pay him with a big briefcase of cash or maybe do it themselves. But no, it seems that criminals (not white collar criminals, mind you) can operate as a perfectly legal company with the blessing of the US government. What's next? Murder Inc and ads in the newspaper?
Exactly.
I mean, I'm sure the FBI will investigate the Anonymous hack. But are they going to investigate HBGary? It seems that there is at least conspiracy to commit several computer crimes here... But I guess if you are a corporation, you can do no wrong...
Aloysius
02-26-2011, 04:03 AM
I mean, I'm sure the FBI will investigate the Anonymous hack. But are they going to investigate HBGary? It seems that there is at least conspiracy to commit several computer crimes here... But I guess if you are a corporation, you can do no wrong...
That's the way it has always been. Powerful people abusing their power is no threat to the natural order of things, thus, they are rarely punished by the institution. But weak people abusing what little power they have is a dire threat to society's stability, and will be fought with all the required force.
Likewise, when banksters and their shareholders are threatened with bankruptcy, the State is ready to pour thousands of billions of dollars upon them, so that the rich stay rich. When poor and average people face the same threat, they can just go fuck themselves.
The goal of our law and institutions is to preserve society's hierarchy, because it has never been so frail: when one lone guy earns thousands more than the average and owns one hundred thousand more, you need a very intricate and brutal political/civic/economic/cultural organization to protect him from being lynched: in a real "law of the jungle" setting, one can't defend against more than three or four, and thus can't take more than three or four. Culture and civilization have been created to allow for incommensurably greater inequality between beings of similar physical and intellectual abilities.
Freedom Canadian
02-26-2011, 07:08 AM
That's the way it has always been. Powerful people abusing their power is no threat to the natural order of things, thus, they are rarely punished by the institution.
But that guy was not that powerful. He was a guy who started his own business and was desperately scrounging for contracts so that it took off.
Aloysius
02-26-2011, 11:00 AM
But that guy was not that powerful. He was a guy who started his own business and was desperately scrounging for contracts so that it took off.
His potential clients are. And his potential targets are not. In the UK, electronic devices targeting young and homeless people are available on the free market. Just try to use them against some Bilderberg meeting...
Ancalagon
03-01-2011, 10:15 PM
More fallout from this story as people are finally reacting and more emails are read:
Democrats in Congress want an investigation of the actions of HBGary AND an ethical complaint has been made against the law firm that acted as the middleman:
http://arstechnica.com/tech-policy/news/2011/03/democrats-push-for-congressional-investigation-of-hbgary-federal.ars
The letter: http://www.scribd.com/doc/49777524/Hunton-Williams-Investigation-letter
Given evidence of their proposal to infiltrate computer systems, discredit and disrupt the operations of U.S. advocacy groups, Team Themis and Hunton and Williams may have conspired to carry out or previously carried out actions in violation of federal law, including:
• Forgery under 10 USC §923
• Mail and Wire Fraud under 18 USC §1341 and 18 USC §1343
• Fraud and Related Activity in Connection with Computers 18 USC §1030
The possibility that any one of these crimes was committed warrants investigation. It is deeply troubling to think that tactics developed for use against terrorists may have been unleashed against American citizens
An HBGary email reveals that Morgan Chase was hacked by Chinese hackers, during the same "Aurora" attack that had targeted Google:
http://www.ft.com/cms/s/0/6a74de02-4438-11e0-931d-00144feab49a.html#axzz1FPbZfMmG
Anton Barr resigns:
http://www.pcmag.com/article2/0,2817,2381207,00.asp