Outlaw Justice: When Hackers Retaliate Against Cyber Security

I used to be a hacker. It was a long time ago, decades before the future World Wide Web was available. I operated anonymously (except to my clients who paid me for what I discovered). I tracked down people whose cars, pledged as security on automobile loans, had been targeted for repossession.

I performed my "hacking" duties over the phone using codes and pretexts. I infiltrated semi-secure bureaucratic systems (unemployment claim offices, utility company billing desks etc.) to precisely extract the whereabouts of drivers who had borrowed money to buy automobiles and then skipped town without paying. To be clear, I didn't crack these systems for the challenge or the fun of it, as true hackers are said to, and it wasn't personal. I did it for hire. My tactics were not precisely illegal (the government had not yet passed fair credit and privacy laws), but some were on the line. Although I wasn't an outlaw, I knew where to find them.

It is a function of age and time that, as a grandmother, I've gotten squeamish about virtual breaking and entering, but I have retained a fondness for the current generation of hackers, some of whom have banded in a loose alliance called "Anonymous." I see these youngsters as natural extensions of the outlaws of my day -- inveterate snoops and mostly harmless believers in open access, driven by a commitment to transparency and a subtle addiction to cyber safe-cracking. (That said, hackers are sometimes impatient with boundaries and often go too far. Especially when technology, and the uses it can be put to, outpace a slow-by-design legislative and regulatory oversight process.)

Although they can take themselves very seriously and have lately been recast as "cyberactivists," and "hacktivists," hackers are historically seen as pranksters. (A key scene in last year's film "The Social Network," foretelling the creation of Facebook, depicts a prank by sophomore Mark Zuckerberg as he hacks into Harvard's content management system to retrieve images of co-eds while inviting fellow Cambridge-area classmen to rate them for attractiveness.) As fans of the 1995 Angelina Jolie film, "Hackers," recall, however, practitioners are ferociously loyal to their cultural values and you don't want to cross them.

Today's Anonymous group's members go by web handles such as "Q," alluding to the mysterious James Bond character, and have been known to break into government computers for both amusement and ideological reasons. The group is widely suspected of being a source for many documents that end up on WikiLeaks. In a statement last year, Anonymous claimed that its members "don't have much of an affiliation with WikiLeaks, [but] we fight for the same reasons."

For folks who obsessively fly beneath the radar, some Anonymous hackers raised their profile considerably last year by creating a "war of data" against companies that dropped WikiLeaks as their client, including Visa and MasterCard, painting the document repository as a venue for vigilante justice. In the hacker culture and perspective, they are good guys in a world where government and corporations keep secrets to the disadvantage of average citizens.

Where there are outlaws, however, there are sheriffs. Into that construct Anonymous hackers drew the attention of a cyber security firm with federal contracts that set out to get them to stop. The firm, HBGary Federal, waved a red flag in front of a bull last month when its CEO bragged to a Financial Times reporter in San Francisco that his company had unmasked Anonymous' ringleaders and planned to turn them over to law enforcement agencies. The HBGary Federal executive, Aaron Barr, told the FT that he had identified the hacker group's most senior organizers, a half dozen people scattered around the world who "co-ordinate and manage most of the decisions."

A few days later, DagBlog, a website read by hackers and those who admire their work, reported that Anonymous' hackers had "managed to breach every aspect of the HBGary Federal infrastructure. All of it. Even the phone system. They also breached the infrastructure of the parent company."

To make it clear they had trespassed and why they had done so, Anonymous left a calling card manifesto at HBGary Federal, taunting their targets as "a pathetic gathering of media-whoring money-grabbing sycophants who want to reel in business for your equally pathetic company."

Directing scorn and retribution at Aaron Barr, the executive who had spoken to FT, Anonymous immediately released tens of thousands of documents from Barr's personal e-mail account onto a torrent file. (Note to computer security experts: You do not need to save 50,000 e-mails. You are never going to read most of them again. Delete them as you go.)

What the purloined letters had to say aggravated the hackers even more. Files found on the security company's computers included proposals to potential clients (disturbingly referred by another client, the U.S. Justice Department), including a presentation for Bank of America proposing cyber-attacks against WikiLeaks servers. (WikiLeaks' founder Julian Assange had hinted recently that his group plans to "take down" major financial institutions.)

The Anonymous hackers also retrieved a blueprint intended for the U.S. Chamber of Commerce, touting the security firm's skills in beating the outlaws at their own game. Made public was a security plan seeking a $2 million contract to discredit critics of USCC, including creating and distributing counterfeit documents. The disclosure quickly brought forth disclaimers from the commerce group that the strategy "was not requested by the Chamber, it was not delivered to the Chamber and it was never discussed with anyone at the Chamber."

Although what the Chamber of Commerce knew, and when it knew it, has not been fully explored, the principal object of the security plan was a liberal, nonprofit oversight organization called ChamberWatch, organized in 2010 by "a federation of five unions and 5.5 million workers." Democrats on Capitol Hill quickly called for an investigation of a conspiracy to use "subversive techniques" and "possible illegal actions against citizens engaged in free speech."

HBGary Federal executives initially attempted damage control, announcing they had "been the victims of an intentional criminal cyberattack. . . . To the extent that any client information may have been affected by this event, we will provide the affected clients with complete and accurate information as soon as it becomes available." But as more embarrassing files were disclosed, the security firm's clients, business partners, and even HBGary Federal's parent company quickly distanced themselves from the firm's activities.

Rival security experts used the infiltrated files as a cautionary tale and (without noting the irony of a security company getting so thoroughly pantsed that, more than a month later its website is still offline) have developed security tips to avoid a similar attack. This week Aaron Barr was forced to resign. Moral: Don't try to beat outlaws at their own game.

In an observation of occupational drawbacks, a poster on a hacker blogsite noted that Barr had been bitten by the outlaw bug. "He was more or less riding the same high a hacker gets from cracking a system and had made it pretty personal."