I am amazed, although I shouldn't be, at the level to which Wikileaks is stooping to make hay from the theft and release of Stratfor internal emails. So far none of the emails exhibit any wrong doing but only a well plugged in company with competent analysts doing the job of open source analysis. In the process of open source analysis you get information where it is available. Sometimes that means reading local newspapers and watching local television programs, sometimes that might be taking polls or using poll data, and sometimes it might mean paying people for information. As long as you are paying for information that doesn't break any confidentiality agreements or classification issues (and even then thats on the source not Stratfor) there are no issues. Wikileaks of all organizations it seems laughable to me they have an issue with this. It is not a crime to make money. There is zero illegal or immoral surrounding a company that has developed a business model around collecting, compiling, and selling insights to information. If Wikileaks wants their information they just have to subscribe like everyone else.
The idea there is something nefarious with Stratfor looking to develop an investment capability based on the information it collects is ludicrous. Any decent investment institution does the exact same thing but they probably don't have as robust of information sources. You don't make investments without conducting analysis on the prodcutcts, companies and environment in which you are going to make the investment. Since Stratfor had what appears to be ZERO insider trading connections but a host of people and connections that had a strong pulse on the political, social, and economic climates globally, I can see absolutely nothing wrong with this endeavor.
I will post more thoughts here on this release and the emails and analysis to follow but so far I am very disappointed and I will be even more disappointed if the discerning public and MSM buys in to this sensationalism to the point they will dispense rational thought and feed the biggest troll on the Internet - Wikileaks.
As for the relationship now solidified between Anonymous and Wikileaks, it was always there now just public. I think this partnership illustrates an organization taxed by legal battles, lack of funding, and lack of continued relevancy. Its a hail mary, the dying breaths of an organization that has lost its way and given in to the ego of a grade-A Narcissist.
Monday, February 27, 2012
Saturday, February 25, 2012
ANONYMOUS DECONSTRUCTED
There is much debate on what is and what is not Anonymous. Are they freedom fighters holding a sword to the tyranny of governments and corporations who desire to control and wield the Internet for their own power and profit? Are they terrorists, striking fear into individuals and organizations through the use of violent digital attacks and intimidation tactics? Are they a loose band of leaderless, faceless individuals fighting for a set of common ideals of freedom and equality for everyone? Are they anarchists that seek to use the movement to force the system into a violent conflict that in the end will destroy the system itself? Are they just mobs of youth with axes to grind, way to much free time, and a fundamental lack of understanding and respect for authority or even their fellow man? The answer to all of these questions - yes. I am not writing to add my words to the effort to dissect the group. I have my opinions and likely some or all of them will come out in later pieces. My intent here is to write about the actions of the organization and their effects in the context of current events.
Let me make one thing perfectly clear, I am not particularly enamored with Anonymous activities as a whole. I hold this view not because I am in favor of the current system and those that manage it, I am not. Whether you are discussing the state of IT security today or the current economic and political systems - I believe we are broken and I do not believe it is in the interest of those that maintain the current system to fix it. I also don't believe its in the interest of the masses to fix it, because that will require real effort and sacrifice, something as a society we seem to have in short supply. So someone or some group has to shake some things up, get people out of their comfort zones and think and act for the betterment of society and our communities rather than for themselves. This requires real cooperative activitism and positive reinforcement of a more productive and healthy path for everyone rather than the collective wining and polarity coming from all of the current popular activist groups. In the end I believe the actions of Anonymous will do more harm than good. As a whole their actions leave a pile of reasons why the system needs more control and oversight, not less. What they fail to realize is while they may be legion within their circle they represent a small, albeit very vocal, percentage of society and the fact that they can destroy something doesn't at all demonstrate power only carelessness. Anyone can destroy, few can create. What they also fail to realize is while freedom is a right, it take responsibility, accountability, and cooperation to maintain a free society. These are qualities the Anonymous movement distinctly lacks.
But there is no doubt their actions have altered the state of things. They have been successful at bringing attention to causes of their interest through DDOS, defacement, and disclosure of sensitive information obtained through theft. These same actions have been shown to be crippling to some brick and mortar organizations that have no real effective means of response to these types of targeted and very public attacks. This doesn't infer guilt or weakness on the part of these organizations only that they have equities and responsibilities that are of first consideration. We can be sure their success in garnering attention with these tactics are being watched carefully by others and will be incorporated into other groups future operational planning. A good piece was written on this by Scot Terban, The Shifting Digital Sands of Online Jihad.
Speaking of Islamic extremists, one controversial label has been discussed in regard to Anonymous - terrorism. Can some of the actions of Anonymous be considered acts of terrorism. I believe the answer is yes. Not the strap a bomb to your chest and blow yourself up in a crowded market place type of Terrorism but psychological terrorism created by extreme uses of threats and intimidation for the purpose of instilling fear. When a group is using non-kinetic violence sustained against a system or set of organizations to achieve some level of coercion in those organizations I believe that can be considered an act of terror. Unfortunately the word terrorism has been hijacked over the last decade and means something much more specific to most people. The Wikipedia definition is, "The systematic use of terror, especially as a means of coercion". There is also a definition for Paper Terrorism which describes a non physically violent means of coercion and intimidation. So when I say parts of Anonymous have used terrorism tactics against governments, agencies, and other organizations I am using these definitions to come to that conclusion. There are some good points that are made in a recent post on Infosec Island by Robin Jackson that address some of these issues, also examples here, here, and here.
Can and is Anonymous being used or being considered as a possible conduit by other organizations, including Al Qaeda, Foreign Intelligence Services, or other criminal organizations to hide/mask operations. The simple answer is why the hell would they not. Given the structure of Anonymous it would not be difficult to conduct a cyber exploitation or attack operation under the umbrella of Anonymous, which in turn would complicate a formal investigation or response given the current climate. It wouldn't even be that difficult to get some of the more influential members co-opted for certain operations if the right arguments and incentives were made for the cause. There have been a few references to this made by some islamic extremist groups such as the Indonesian islamic extremist group ar Rahmah which openly approved of the Anonymous operations against Israel. Also numerous posts in support of Anonymous on islamic extremists forums such as the continual posting of Anonymous exploits on the Islamic ansar1.info forum, here.
But there is no doubt their actions have altered the state of things. They have been successful at bringing attention to causes of their interest through DDOS, defacement, and disclosure of sensitive information obtained through theft. These same actions have been shown to be crippling to some brick and mortar organizations that have no real effective means of response to these types of targeted and very public attacks. This doesn't infer guilt or weakness on the part of these organizations only that they have equities and responsibilities that are of first consideration. We can be sure their success in garnering attention with these tactics are being watched carefully by others and will be incorporated into other groups future operational planning. A good piece was written on this by Scot Terban, The Shifting Digital Sands of Online Jihad.
Speaking of Islamic extremists, one controversial label has been discussed in regard to Anonymous - terrorism. Can some of the actions of Anonymous be considered acts of terrorism. I believe the answer is yes. Not the strap a bomb to your chest and blow yourself up in a crowded market place type of Terrorism but psychological terrorism created by extreme uses of threats and intimidation for the purpose of instilling fear. When a group is using non-kinetic violence sustained against a system or set of organizations to achieve some level of coercion in those organizations I believe that can be considered an act of terror. Unfortunately the word terrorism has been hijacked over the last decade and means something much more specific to most people. The Wikipedia definition is, "The systematic use of terror, especially as a means of coercion". There is also a definition for Paper Terrorism which describes a non physically violent means of coercion and intimidation. So when I say parts of Anonymous have used terrorism tactics against governments, agencies, and other organizations I am using these definitions to come to that conclusion. There are some good points that are made in a recent post on Infosec Island by Robin Jackson that address some of these issues, also examples here, here, and here.
Can and is Anonymous being used or being considered as a possible conduit by other organizations, including Al Qaeda, Foreign Intelligence Services, or other criminal organizations to hide/mask operations. The simple answer is why the hell would they not. Given the structure of Anonymous it would not be difficult to conduct a cyber exploitation or attack operation under the umbrella of Anonymous, which in turn would complicate a formal investigation or response given the current climate. It wouldn't even be that difficult to get some of the more influential members co-opted for certain operations if the right arguments and incentives were made for the cause. There have been a few references to this made by some islamic extremist groups such as the Indonesian islamic extremist group ar Rahmah which openly approved of the Anonymous operations against Israel. Also numerous posts in support of Anonymous on islamic extremists forums such as the continual posting of Anonymous exploits on the Islamic ansar1.info forum, here.
The most recent controversy surrounding Anonymous is a briefing by Gen. Keith Alexander, currently Director of NSA and Commander of US Cyber Command, given at the white house where he expressed concern that Anonymous may eventually obtain and possibly use the capability to disrupt the power grid. Some of the more influential members of Anonymous came back swiftly in criticism of his comments and defending their actions. I have heard many discussions within the security community that also are of the impression that the idea of Anonymous taking down the power grid is going a bit too far. I disagree. It is a highly collaborative decentralized group that has demonstrated there is little they won't do digitally when compelled by the right offenses to their ideology. We have also witnessed Anonymous members that have gained access to SCADA systems as was written about here. I believe all it will take to bring about this type of an attack is the right set of circumstances, and given things are going to get a lot more combative before they get better, I don't think it is wise from a planning perspective to discount this possibility entirely. What I believe Gen. Alexander was saying was given the state of SCADA security, the history of the group and the likely future conflicts to come, it is possible that someone in the organization will acquire and use the capability to down a SCADA system.
So I will end this first piece with an attempt to say something positive. And that is a reflection on the question is there anything positive that is coming from the actions of Anonymous. There is a great piece written by Josh Corman and Jerico on whether or not it is possible to build a better Anonymous that is worth the read. The short answer to both of these questions is no, But I think there are many within the group that believe they are doing good (thats the positive). There seems to be two main thrusts of activity within the movement. One is to expose poor security practices and charlatan security companies, the other is to expose and oppose government and corporate corruption and oppression of citizens. I think Anonymous as a group has a poor understanding of the complexities of these issues and how we are all complicit in their existence. We all seem to work in a frenzy to adopt new technologies into our lives without much regard to the problems they create. Those of us that work in the IT industry or have grown up with these technologies all around us also fail to recognize there are much larger portions of the population that interface with technology with discomfort and anxiety. One such issue that gets a lot of attention is weak and rampantly re-used passwords. This unfortuntaely is not an easily solved problem as some might believe. It is easy and humorous to poke fun at the person(s) that uses the password 123456 on all their most frequented websites, but its not constructive in dealing with the issue that passwords are a failed mechanism for security. Anonymous would like everyone to think they are doing us a favor by exposing the poor security practices within all these companies, yet they don't address at all how complicit they are in adding to the #1 reason why most systems are compromised, which is some crafty person puts together an email that compels the user to click a link or open an attachment. By exposing masses amounts of email addresses and passwords Anonymous is making it easier for phishing attacks to be effective.
To the last issue of the opposition to governments and corporations I am not in complete opposition. There are a lot of nasty regimes and government practices that need to be opposed and I believe we need an increase in scrutiny and pressure on government organizations to do more to make continued oppressive practices difficult. That said, Anonymous and other groups fail in many cases to understand or recognize the complexity of foreign diplomacy and cultural tensions. It is a reality that sometimes the devil you know is better than the devil you don't. We will likely see cases of this as we watch the outcomes of the Arab Spring, removing agreeably ruthless leaders such as Khadafi and Mubarak in the short term are a success but if not followed through by committed and organized democratic movements will likely be replaced by the likes of the Muslim Brotherhood or worse groups that will likely instill a rule of law that will set back personal freedoms, especially for women, by decades. It's easy to stand in opposition to something, its far more difficult to work cooperatively to build a better tomorrow.
So I will end this first piece with an attempt to say something positive. And that is a reflection on the question is there anything positive that is coming from the actions of Anonymous. There is a great piece written by Josh Corman and Jerico on whether or not it is possible to build a better Anonymous that is worth the read. The short answer to both of these questions is no, But I think there are many within the group that believe they are doing good (thats the positive). There seems to be two main thrusts of activity within the movement. One is to expose poor security practices and charlatan security companies, the other is to expose and oppose government and corporate corruption and oppression of citizens. I think Anonymous as a group has a poor understanding of the complexities of these issues and how we are all complicit in their existence. We all seem to work in a frenzy to adopt new technologies into our lives without much regard to the problems they create. Those of us that work in the IT industry or have grown up with these technologies all around us also fail to recognize there are much larger portions of the population that interface with technology with discomfort and anxiety. One such issue that gets a lot of attention is weak and rampantly re-used passwords. This unfortuntaely is not an easily solved problem as some might believe. It is easy and humorous to poke fun at the person(s) that uses the password 123456 on all their most frequented websites, but its not constructive in dealing with the issue that passwords are a failed mechanism for security. Anonymous would like everyone to think they are doing us a favor by exposing the poor security practices within all these companies, yet they don't address at all how complicit they are in adding to the #1 reason why most systems are compromised, which is some crafty person puts together an email that compels the user to click a link or open an attachment. By exposing masses amounts of email addresses and passwords Anonymous is making it easier for phishing attacks to be effective.
To the last issue of the opposition to governments and corporations I am not in complete opposition. There are a lot of nasty regimes and government practices that need to be opposed and I believe we need an increase in scrutiny and pressure on government organizations to do more to make continued oppressive practices difficult. That said, Anonymous and other groups fail in many cases to understand or recognize the complexity of foreign diplomacy and cultural tensions. It is a reality that sometimes the devil you know is better than the devil you don't. We will likely see cases of this as we watch the outcomes of the Arab Spring, removing agreeably ruthless leaders such as Khadafi and Mubarak in the short term are a success but if not followed through by committed and organized democratic movements will likely be replaced by the likes of the Muslim Brotherhood or worse groups that will likely instill a rule of law that will set back personal freedoms, especially for women, by decades. It's easy to stand in opposition to something, its far more difficult to work cooperatively to build a better tomorrow.
Subscribe to:
Posts (Atom)