The media myth of the hacker uptick

Paul Raven @ 22-07-2011

The Freakonomics people asked a bunch of folk whether they thought there had been a sudden explosion of hacking in recent times. One of the respondents was Bruce Schneier, who bursts the very myth that the question attempts to bolster:

None of this is new. None of this is unprecedented. To a security professional, most of it isn’t even interesting. And while national intelligence organizations and some criminal groups are organized, hacker groups like Anonymous and LulzSec are much more informal. Despite the impression we get from movies, there is no organization. There’s no membership, there are no dues, there is no initiation. It’s just a bunch of guys. You too can join Anonymous—just hack something, and claim you’re a member. That’s probably what the members of Anonymous arrested in Turkey were: 32 people who just decided to use that name.

It’s not that things are getting worse; it’s that things were always this bad. To a lot of security professionals, the value of some of these groups is to graphically illustrate what we’ve been saying for years: organizations need to beef up their security against a wide variety of threats. But the recent news epidemic also illustrates how safe the Internet is. Because news articles are the only contact most of us have had with any of these attacks.

Unmasking one of the many faces of the modern moral panic… I note that the other four respondents all conceded that there has been an increase in hacking, and that – unlike Schneier – they all hold high positions in computer security businesses.


Grasping around for a new enemy: Pentagon redefines hacking as act of warfare

Paul Raven @ 02-06-2011

So, with OBL offed and Al Qaida effectively beheaded (as if it hadn’t already been waning considerably in its ability to achieve anything of note), the defence budget of the US needs a new enemy to justify its continued expansion. But no one with sense would start an old-school land war these days (missions of liberation and the insurgencies they provoke are an entirely different category, of course), so what is there that merits a bit of saber-rattling?

“People we don’t like who also have nukes or are trying to get them” is a hardy perennial, but most of them have gathered enough friends (or mutual enemies-of-their-enemy) that it’s getting hard to make anyone care other than the lapdog allies over on Airstrip One. Something current, scary and poorly-understood would be ideal… something like the nebulous and poorly-defined notion of “cyberwarfare”, perhaps?

The Pentagon’s first formal cyber strategy, unclassified portions of which are expected to become public next month, represents an early attempt to grapple with a changing world in which a hacker could pose as significant a threat to U.S. nuclear reactors, subways or pipelines as a hostile country’s military.

In part, the Pentagon intends its plan as a warning to potential adversaries of the consequences of attacking the U.S. in this way. “If you shut down our power grid, maybe we will put a missile down one of your smokestacks,” said a military official.

Recent attacks on the Pentagon’s own systems—as well as the sabotaging of Iran’s nuclear program via the Stuxnet computer worm—have given new urgency to U.S. efforts to develop a more formalized approach to cyber attacks. A key moment occurred in 2008, when at least one U.S. military computer system was penetrated. This weekend Lockheed Martin, a major military contractor, acknowledged that it had been the victim of an infiltration, while playing down its impact.

The report will also spark a debate over a range of sensitive issues the Pentagon left unaddressed, including whether the U.S. can ever be certain about an attack’s origin, and how to define when computer sabotage is serious enough to constitute an act of war. These questions have already been a topic of dispute within the military.

I expect that open-endedness is a feature rather than a bug, because it offers a great opportunity to put the great economic enemy in the frame: if China’s consolidating the stranglehold on your economy which your own foreign and fiscal policies practically begged them to begin, it’s time to puff up your chest and get stern with them commies! Don’t take it from me, though – here’s Thomas P M Barnett with a plainly-titled post at TIME: “According to new Pentagon cyber strategy, state-of-war conditions now exist between the US and China“. Ouch.

In other words, if you, Country C, take down or just plain attack what we consider a crucial cyber network, we reserve the right to interpret that as an act of war justifying an immediately “equivalent” kinetic response (along with any cyber response, naturally). If this new strategy frightens you, then you just might be a rational actor.

Theoretically, this means if you, Country C, hack and disable the net of crucial US installation X, America can fire missiles at your equivalent civilian or military installation (C)X. Of course, by responding to your “act of war,” we are initiating our own war response, meaning we’d need presidential approval to start the fireworks. But the key point is, by hacking something that we consider to be national security-sensitive, you leave yourself open to a state-of-war response from the United States at the time of its choosing, so be forewarned.

Which facilities fall into this “eye for an eye (or ear or . . .)” category? Naturally, America shouldn’t say, so as to keep Country C in the dark (the essence of deterrence), but putting us in the dark (take-down of an electric grid) is an obvious one cited in the WSJ piece. Again, theoretically, almost anything can be described as crucial on some national security scale (e.g., hack Monsanto in just the right way and maybe you put US food security at risk), because the small damage that you, Country C, choose to create in our nets might easily cascade into something far larger, so virtually any hack emanating from your networks puts you at risk for a US war response.

(I wonder what the reaction would be to an equivalent policy elsewhere? Let’s say – strictly hypothetically, of course – that Big Nation-state A is revealed to have funded and built some sort of infrastructural sabotage virus with the strict intent of targeting the facilities of Nation-state B; will the US fully understand Nation-state B declaring war on A, or will that be considered a disproportionate act by a rogue state? Guess it’ll depend on which of the two the Pentagon is more interested in keeping on-side.)

Seriously, though: when a pro-intervention pro-globalisation type like Barnett thinks this is a bad play, it’s got to be a real dick move:

This is a destabilizing step sideways in our security relationship with China: Beijing is being warned that its current and ongoing behavior can – at any time – be loosely interpreted as an act of war. Whatever situations or crises ensue, that handy rationale is now always sitting in the Pentagon’s back pocket, because I guarantee you, whenever big-war enthusiasts want to play that card, the Defense Department will be able to muster – at a moment’s notice – a long list of Chinese hacking attacks over the previous X hours/days/weeks/months. So when the President asks, “Do we have evidence that the Chinese are targeting us at this time for cyber-sabotage?” The answer will always be yes.

[…]

Bottom line? Strangelove has re-entered the Building.

That last line implies Strangelove ever left the building; I suspect he’s been stored in boardroom cupboards against the appropriate moment.

Deliberate or otherwise, the daftest thing here is that the Pentagon can grok that “cyberwarfare” is a threat, but doesn’t seem to entirely grok the fact that cyberwarfare doesn’t need to be a function of nation-state level decision-making. Indeed, the real threat is from non-nation-state actors, wherever they may be based. NATO seems wise to this, though, with the General Rapporteur issuing dire warnings to Anonymous, Wikileaks and their ilk:

Describing the rise of the group from its beginnings on internet picture message board 4chan, via campaigns against the Church of Scientology and, more recently, in support of whistle-blowing website Wikileaks, the report continues: “Today, the ad hoc international group of hackers and activists is said to have thousands of operatives and has no set rules or membership.”

The report goes on to lay out a stark warning to the group’s nameless participants:

“It remains to be seen how much time Anonymous has for pursuing such paths. The longer these attacks persist the more likely countermeasures will be developed, implemented, the groups will be infiltrated and perpetrators persecuted.”

Well, good luck with that, folks. If you thought trying to tame countries full of warring factions whose only common ground was a desire to get shot of the meddling infidels was no picnic, declaring war on the fluid alliances and ad-hocracies of the intertubes is going to be a long and frustrating game of whack-a-mole which, I fully suspect, you have no chance of winning. After all, Anonymous doesn’t have anything you can aim a missile at, does it?


Anonymous: an anarchist analysis

Paul Raven @ 12-05-2011

Over at The Guardian, Jana Herwig gets all theoretical on Anonymous. It’s probably the most lucid attempt to tease out what Anonymous means in the context of the wider world that I’ve seen in any major publication. There’s also a glorious degree of cognitive dissonance to be had from reading about such an irreverent and vernacular entity in the high diction of academe:

This collective identity belongs to no one in particular, but is at the disposal of anyone who knows its rules and knows how to apply them. Anonymous, the collective identity, is older than Anonymous, the hacktivist group – more to the point, I propose that the hacktivist group can be understood as an application of Anonymous, the collective identity.

This identity originated on imageboard 4chan.org, as a byproduct of a user interface policy called forced anonymity, also known for short as “forced anon”.

Forced anon made it impossible for users to type in their name when they published a forum post. Instead, “Anonymous” would invariably appear as the default author name for any post. As a result, and in particular for the uninitiated, discussions on 4chan would seem like an absurd soliloquy, with “Anonymous” posting a message and “Anonymous” and “Anonymous” responding.

What this interface policy prevented was the creation of a hierarchy among users, which is known to quickly establish itself in online forums, with older forum members dominating and “newbies” having little weight in the discussion. Anonymous’s (the group’s) present dismissal of hierarchies and leadership has its roots in this practice. The uncertainty about who is talking (or probably just talking to him or herself, feigning conversation) is characteristic of the “forced anon” experience.

Herwig’s piece is in part a response to the recent schism within Anonymous; within any “normal” hierarchical group, such a schism would probably spell its imminent demise, but I suspect the very nature of Anonymous will ensure its survival, even if it mutates and undergoes a sort of metastasis. The choice of the V For Vendetta masks as part of their iconography is quite telling; the point Moore was making in the book about emergent resistance to hierarchy and fascistic control is echoed in the unpredictability of their target choices. Dissent cannot be bridled or steered; that is its power, and its self-limiting principle.

To unpack that last statement: self-identifying as a member of Anonymous is a lot like self-identifying as an anarchist, in that anyone can slip on the mask at any time, and the non-hierarchical nature of the collective means that there is no authority with the power to deny your validity. This has its downsides, in that it makes for easy pillorying and demonisation of the collective identity (such as the way that a few self-identifying anarchists bricking windows on protest marches are conveniently assumed to be representative of all anarchists), allowing a convenient way to obscure the genuine problems of hierarchy by focussing on the more foolhardy and socially unacceptable attacks made upon it.

But there are upsides, too, in that the more nihilistic wearers-of-the-badge tend to perform acts that are self-limiting in the long term; because the collective is headless, it cannot be destroyed, so the hierarchical world has to content itself with the sort of decapitations that symbolically represent the defeat of a system or group in their own narrative, while all they’re doing is trimming the wilder edge-growths of the rhizome and preventing it from becoming a hierarchy itself.

All of which is to say that I think Anonymous – and anarchism-as-philosophy – aren’t going anywhere soon; in fact, I’m beginning to think they’re an inevitable product of a global networked culture, a counterweight to the structure of society that increases in mass in proportion to the rigidity of the systems it opposes. Neither is an end-point or a goal; those that join in the hope that they are will soon leave, disappointed, because the individual reward they subconsciously seek for their actions is incompatible with the anonymity under which they are obliged to operate.

Of course, you may think I’m blowing pretentious smoke out of my own arse here; it wouldn’t be completely out of character, after all. So why not tell me why I’m wrong in the comments, eh? 🙂


A kraken, enraged

Paul Raven @ 17-02-2011

This Ars Technica rundown of the whole HBGary Federal vs. Anonymous/Wikileaks thing is really quite astonishing for a whole number of reasons, not least the staggering hubris and chutzpah of Aaron Barr, but there’s also the comparative ease with which Anonymous nailed Barr to his own mizzen. Maybe it’s just me, but the subtext I get from the whole business is that Barr’s desire to “take down” Anonymous stems from a sort of envy and admiration of them; funnier still are the communications between Barr and his pet programmer, who makes no bones about telling Barr he’s walking out onto very thin ice indeed.

Most astonishing of all (though hardly news in this day and age) is the staggering amount of money that shadowy and largely unaccountable outfits like can charge government agencies for work that neither party fully understands or – more importantly – wants the general public to know about. And as Chairman Bruce points out, there’s probably a whole lot more operations just like it that we never get to hear about:

The question now is, do people stumble over the truth here and just sort of dust themselves off and traipse away sideways — or are there more shoes to drop? The furious and deeply humiliated lawyers at HBGary ought to have enough federal clout to pursue their Anonymous harassers and nail them to the barn like corn-eating crows — after all, they claimed they know who they are, and that’s why they got savagely hacked in the first place.

However — are HBGary gonna be able to carry out that revenge attack with their usual discretion — the shadowy obscurity with which they help deny climate change and break labor unions for the Chamber of Commerce? It’s like watching a shark fight a school of ink-squirting squids.

Normally, one never sees a submarine struggle like this. If it does happen to surface, it gets cordially ignored, or ritually dismissed as a sea-monster story. But boy, this one sure is leaky.

Things are getting very permeable of late, aren’t they?


The Net interprets censorship as damage…

Paul Raven @ 10-12-2010

… and routes around it. So runs Gilmore’s old theory, anyhow, and it looks like we get to witness a full testing of it as the Wikiwars roll on. Too much happening for me to be able to do any sort of coherent commentary on it, really; I suspect we’ll still be picking apart the fag-end of 2010 a decade from now. So instead, a bunch of links:

Interesting times ahead…
