Pushing Bounds And Tempting A Fight
Doug Bernard | Washington DC
If one could speak about Anonymous as a singular entity, then it’s clear that Anonymous is spoiling for a fight.
But of course, Anonymous is anything but a singular thing. It’s been called a hive of numberless drones, an amorphous hidden collective of computer hackers and even “The Borg.” By definition it’s a group that has no boundaries, and thus no members. Officially, at least.
“We are not a group. You cannot join us. We are an idea,” taunts the computer-generated voice in one of their many online videos.
OK, “Anonymous.” But for a group with no members, you sure have been busy of late. Consider that in just the last week or two, some tentacle of Anonymous has claimed responsibility for hacking the following people or groups:
“Ultimate Champion.” After feuding with anti-SOPA activists via Twitter, Dan White, founder of the lucrative “Ultimate Fighting Championship” found his website cracked and his personal information published online and shared via his own Twitter account. White has since gone silent on the web.
The FBI and Scotland Yard. Following the recent seizing (and freezing) of the Megaupload.com website and the arrest of its flashy owner Kim Dotcom in New Zealand, Anonymous brazenly recorded an entire conversation between FBI and Scotland Yard agents discussing last year’s arrest and prosecution of seven individuals believed connected to an earlier Anonymous hack. While the call wasn’t on a secure line, they were able to record without detection, and likely with help of cracked email files either at the FBI or Scotland Yard.
Puckett & Faraj. One of the more prestigious (and expensive) legal firms in the United States, Puckett & Farai represented U.S. marine Frank Wuterich, who was charged with dereliction of duty and convicted in a court-martial relating to the 2005 killings of 24 Iraqis in Haditha. Segments of Anonymous felt the conviction wasn’t enough, so promptly released 2 gigabytes of private information from the law firm for public view. So thorough was the data grab that Puckett & Faraj’s business manager is on record as saying “this may completely destroy the law firm.” (The Puckett & Faraj website is still nothing but a blank screen.)
Syrian President Bashar al-Assad. Yet another offshoot of Anonymous obtained what it calls the email addresses and passwords of hundreds of Syrian government officials, among many other documents, and predictably posted them all online, amid much smirking and self-congratulation. (As of 1900 UTC, Feb. 7, the list at Pastebin is still publicly viewable.)*
They hacked Polish government websites after that nation’s parliament passed the Anti-Counterfeiting Trade Act, as well as government websites in Italy, the Czech Republic and those of the EU. They released personal information about top city officials in Oakland, California, after that city’s confrontation with the “Occupy Oakland” protest group. They redirected online customers of CBS and Universal to dummy sites following their support of SOPA/PIPA. They even hacked Symantec, the firm whose software is supposed to protect computers against invasion and hacking, and released its source code (albeit old code, says the company.)
All this, not even counting the 100-odd small credit card hits along the way, spells a lot of busy little hacker hands, all calling themselves “Anonymous.”
Different Names, Same Result
As we’ve noted, Anonymous calls itself a group with no membership or leadership; that’s what it says, at least. But in reality, there are leaders and core members. There must be.
In truth there may actually be many competing leaders and subgroups all operating under the umbrella cover of “Anonymous.” AnonOps, AntiSec, LulzSec, AnonymousIRC, Anon_Sexy: these and many others look and sound like separate groups, with separate messages and pet causes. They even speak with different voices: a tweet or a posting by the now disbanded LulzSec reads like that of a cocksure 12 year-old boy, while videos and “news releases” from AnonOps have what you might almost call a seriousness about them.
Swarm attacks like DDoS hacks don’t just happen, they have to be planned and timed. While no one may be leading any particular hack, every one of them must get rolling at someone’s suggestion or instigation. And the more sophisticated multipronged attacks – like those that humiliated cyber-security firm HB Gary last year – require coordinated resources and actions. By definition, someone (or a group of someones) must be orchestrating the whole affair.
Take, for example, this week’s news of a new search engine for felons. Called “MegaSearch.cc” it coordinates the many separate lists of stolen credit card numbers held by various criminals around the world into one searchable database. That kind of coordination requires someone to register the site, maintain the data set and pay the bills, even if by theft. (By the way, a quick search of Megasearch’s registration suggests, unsurprisingly, that it is connected to a noted malware server, so readers are encouraged not to go exploring without protection.)
Part of the problem may also be the success of the Anonymous brand itself. As hacks have grown bolder and grabbed bigger headlines, unaffiliated hackers have no doubt been tempted to test their abilities for mischief and advertise their misdeeds under the “Anonymous” shadow, thus creating a new round of headlines, and on and on. Thus it seems like the “group” is constantly growing, but in fact it’s merely getting credit for the work of others it inspired.
Either way, the end result is the same. More hacker hands mean more hacks.
How Far Is Too Far?
Anonymous has its admirers, but it also has enemies, and not just those whose websites it has broken. One of them is “th3j35t3r” – code for “The Jester” – who self-describes as a”hacktivist for good” and has frequently taken shots at Anonymous (which has shot back). As generalizations go, it’s fairly true that hackers tend not to always play well with each other, and infighting among those who claim some Anonymous connection is common.
And there are missteps as well. Earlier this year someone claiming to be Anonymous released a video threatening to take down the servers of major international banks, the United Nations, Microsoft, YouTube, Twitter, and Facebook. “Operation Global Blackout” was billed as punishment for the megaupload.com seizure, and the voice warned that unless megaupload’s servers weren’t released within 72 hours, Anonymous would darken the web.
72 hours came…and went, with no serious activity. Shortly after, in a second video release, a voice claiming to be Anonymous explained:
“Why haven’t any of the things stated in the initial video happened yet? Simple. Because this proposed idea doesn’t have a set period of time when it will go into effect, as it is an on-g0ing operation. Like I said…I explained what we can do, not what we will do.”
Critics are unconvinced. Apart from the backtracking, the two statements have a different tone. Anonymous videos almost never use “I” or its variants, but the updated video is filled with them. Was it a mistake? Or are different hacker groups within or near Anonymous fighting again?
We’ve said before and say again that the safest bet is that Anonymous will soon be linked to another high profile, highly embarrassing hack attack. Private data will be released, faces will redden and Anonymous will gloat. But is that it? Nobody has ever been physically hurt, or worse, because of an Anonymous hack; no government has fallen and no commerce has been permanently disrupted. Which begs the question: is Anonymous little more than an embarrassment machine? Will anything seriously consequential ever result from their efforts?
How far will Anonymous go before it goes too far?
The answer may come sometime soon.
*Ed. Note: beyond the seriousness of any individual or group hacking and publishing government officials pass codes, we couldn’t help but note that nearly every password used wouldn’t even pass the most basic security analysis. “12345” is never, ever, a smart pass word; a drunken bear could probably crack that.