Thoughts on 'Building A Better Anonymous, Part 3'

Josh Corman and Brian Martin have released part 3 of their series exploring ways to make groups like Anonymous more useful to society. This segment explores how many of us were off in our assumptions from the get-go. I want to address one bit that mentions me in less-than-flattering terms, but let's start from the beginning.

The authors are right that people were overly dismissive of these groups in the beginning. They write:

Over the last year, many media outlets, pundits, and security professionals have given commentary on Anonymous and LulzSec. In many cases, the tone of the commentary has been negative, with the commentator essentially dismissing the groups’ actions. In some cases, it has been a general dismissive “the group is not effecting change” line. In other cases, pundits outright deride LulzSec as having no advanced hacking skills and only attacking the “low hanging fruit”. While most, if not all, of their hacking exploits have been easy to find and exploit, these pundits are missing the bigger picture.

First, LulzSec didn’t need more sophisticated exploits to compromise these organizations. An attacker is only as sophisticated as they are required to be; when companies don’t make it a challenge for attackers, there is no reason to use more advanced attacks. If large companies and law enforcement are protecting such valuable information, why are their own security programs not catching the low hanging fruit?

Second, what if the high profile compromises using basic exploits are just a noisy cover hiding the real activity? The concept of misdirection when hacking has been around for over twenty years. It is dangerous to assume that we know the whole picture when we are only seeing what makes the front page. There are two aspects to this idea: LulzSec could be using some of these attacks as a method of distracting onlookers from their real goals, or third parties unaffiliated with LulzSec and Anonymous may be using their brand for misdirection. For example, a disgruntled employee could launch a denial of service attack against his employer and embed a message such as “We are legion”in it, giving the impression the attacks are the work of Anonymous.

In the fullness of time, these groups have indeed made an impact. Not always a good impact, in my opinion, but they have forced the world to take notice.

There's a section of this piece that is highly critical of the media, myself included:

When LulzSec splintered off from Anonymous, the more revealing story was not the material results of their hacking; rather, it was the sad commentary on infosec-centric and mainstream news coverage alike. After 50 days of hacking into a wide variety of sites, accompanied by a high profile predominantly Twitter-based media presence, the pressure added up. With the looming threat of law enforcement catching up to them, LulzSec announced their retirement on Pastebin and broadcast it via Twitter. While the announcement was deemed inevitable, many figured we hadn’t heard the last from them, and they were right. Some in the mainstream media announced it and gave commentary on why it was inevitable and certain.

One of the most noticeable traits of media coverage during the 50 days LulzSec was active, was the lack of truly critical press. Publications and authors that have been more vocal and firm in the past seemed to pull their blows when covering the hacking activity of LulzSec. Since the group was executing a wide variety of attacks, and supporters of the group were carrying out DDoS attacks against detractors, it appeared that journalists were scared to be overly critical. Paul Carr wrote for TechCrunch saying “Please Hacker Don’t Hurt Us: The Media’s Coverage Of LulzSec Has Been Cowardly and Pathetic”. It should be noted the irony that this article came a day after LulzSec posted their retirement message. Worse, the timing of the article and criticality suggests that Carr, like many others, felt that the group was truly done and their “vandalism spree” was finished. Similarly, Bill Brenner wrote an article for CSO Online called “Whatever, LulzSec”, two days after the retirement message. The timing of these articles suggest the authors feared potential retaliation from LulzSec should their message be construed negatively. Provoking these groups may seem undesirable, but it would also prove an interesting point; if Anonymous or LulzSec retaliate over poor press, they may be considered the tyrants they so oppose.

I can't speak for other journalists, though I will say that everyone was afraid of retaliation this time last year. Hell, it's one of the only things people were talking about at RSA 2011. In fact, upon accepting a blogging award during last year's security blogger awards ceremony, one fellow said something like this: "If anyone from Anonymous is in the room, don't mess with me." In other words, don't hack his site. Do I think the guy was being a coward? No. He was just feeling what a lot of people were feeling -- that members of Anonymous were lurking around looking for people to retaliate against for criticizing them.

In my case, I think Corman and Martin got it wrong. Fear of retaliation was never a factor in what I wrote or when I wrote it. Why did I write "Whatever, LulzSec" the day after they supposedly retired? Because I simply had observations that were inspired by the retirement announcement itself. Some folks from the Anonymous-LulzSec camp actually took shots at me on Twitter, suggesting that I sounded "really mad" and that I should "go have a nice cup of tea."

Whatever the case with LulzSec, Anonymous has never pulled back in its activities and I've written several more posts where I repeat my opinion that their methods do more harm than good.

In one post I wrote about a threat by Anonymous to kill Facebook, saying, "The bigger reason I'm not worried is that Anonymous adores attention as much as the rest of us. Taking down Facebook would mean less attention for Anonymous, too. Given the lack of structure, it's pretty easy for egos to run wild in an organization like that." I wrote that in August.

Just a couple weeks ago I criticized Anonymous for targeting the Boston Police Department over what it saw as atrocities committed against Occupy Protesters. In the comments section, someone who at least seems to support the actions of Anonymous wrote, "Expect us."

If I was truly afraid of retaliation, I wouldn't be writing these posts. I'm not done, either (I can hear Martin groaning over that last comment, but it's simple fact).

All that said, Corman and Martin are entitled to their point of view. While I don't agree with that section, I don't take offense. When you express opinions for a living, people will disagree and question your motives. It's only fair.

On balance, their latest collaboration is worth the read, as is the rest of the series. Anonymous should certainly read it and learn something from it. I'm not holding out hope that they will.

By the way, the art Mar Williams did for the series is beautifully done, and I'd be a jerk if I didn't direct you toward her work. I trust Williams won't mind if I display one image as a thumbnail for this post.

Copyright © 2012 IDG Communications, Inc.

The 10 most powerful cybersecurity companies