A few thoughts on the “hacktivist” group Anonymous that came out of Josh Corman and Brian “Jericho” Martin’s keynote at the SOURCE security conference in Boston last week:
- Hacktivist is a sloppy term. A small percentage of those who claim affiliation with the ideology, or movement, or brand, or whatever we wind up calling it, are hackers or activists (5 to 10 percent are skilled hackers or activists, while the lowest common denominators “don’t do much” and are “glorified cheerleaders, at best”, they said).
- We need a better, more efficient Anonymous.
Before we explore their rationale for Anonymous 2.0, it’s worthwhile to know why Corman – director of Security Intelligence for Akamai – and Jericho – a “hacker turned security mouthpiece” – care, and why they think we all should.
Here’s how Jericho explained it:
"Most problems on the Internet don't affect us. With Anonymous—and we're using Anonymous as an example for this presentation, but it could be anybody: Anonymous or a splinter group [such as LulzSec] or the next [group] that comes along—almost everyone is involved. Vigilantes, 'good guys,' analysts ... with civilians stuck in the middle. Those whose information is doxed, those people are getting affected more than anyone. If you're affected, you're involved. … Look at [Anonymous's] influence. From analysts, to law enforcement, to former members, to the media, to organized crime, to foreign nation states. "
Nobody in technology, nor in business, for that matter, can get away from fighting Anonymous or other similar groups, whether the fight transpires in media or anywhere else, he said.
So that’s why they care, and why we must. Beyond our own, personal involvement, a broader concern is that much of what we lay at the Anonymous doorstep may be branded as such merely as a smokescreen.
As Corman noted, this amorphous thing we call “Anonymous” has become the perfect scape goat. Anonymous members continually drop in and out of affiliation with, or actions taken on behalf of, the group.
Any attack can be labelled with the Anonymous brand, regardless of whether it was sincerely done under activist principles or is simply branded that way to cover the tracks of, say, a nation state (sound familiar? “Suspicious attack. Must be China!”).
For all the mayhem they’ve caused, much of what “Anonymous” has “done” (I use quotes because there’s often [usually?] no way to determine actual perpetrators) is to simply exploit low-hanging fruit, Jericho said, thus erecting worthwhile signposts to cyber security flaws.
As Corman put it:
"Anonymous has held up a mirror to our defects. [They've done] nothing really hard. They've just showed us how insecure we are [with regards to] basic Internet hygiene. If they turned up the heat, it would be even worse."
In a nutshell, if we can’t deal with the worst the Anonymous-affiliated have to offer, “we’re f*cked,” Jericho said. If that word offends you, “you have to get out of the industry,” because sooner or later, in one fashion or another, you’ll likely have to deal with Anonymous.
Which leads to why we we should wish for, or even need, a better, more efficient Anonymous.
As it is, Jericho said, Anonymous are “a crude, blunt weapon”. Why not a better Anonymous? One that’s more efficient and that gets stuff done with less collateral damage? One that doesn’t dox the personal information of innocent people and put them and their families at risk?
The steps for creating what they call a “a straw man of ‘organized chaos'”:
- Statement of belief, values, objectives, and first principles – i.e. WHY you have come together
- Code of conduct and operational parameters – i.e. HOW you conduct your pursuit of your common goals
- A plan for streamlining success, increasing potency, and mitigating risks – i.e. WHAT will make you more successful
Would such codification cause the group to splinter? Hopefully. The group needs to specialize, Corman and Jericho said. An Anonymous splinter devoted to free-speech issues would be a boon if it could devote itself to the task at hand, for example.
Does Anonymous agree with the proposals? Anonymous has no unified voice, the keynoters said, so it’s a moot question — it is, after all, a composite, rather than a singular, monolithic group, and there are any number of levels of allegiance and reasons for participating.
But some regular actors in the movement have agreed with the tenets – one plus of a codified Anonymous is the ability to disavow a given action that goes against the stated objectives of the group.
Jericho pointed to the recently announced MalSec (Malicious Security) group as an example of how new splinter groups might codify their beliefs. From their YouTube video:
"For many years we have watched as more unconstitutional laws are proposed and passed and as censorship, disinformation, and corruption have become the norm."
"In an attempt to bring these acts to a halt, we are targeting the very people that have attempted to do us harm. We do, however, fervently believe in free speech. Everyone should be able to express themselves freely, even if others disapprove. As such, we have decided never to remove the original data, when a website of an enemy is defaced."
That’s a start. That’s a statement of a belief – free speech – and a practice – refraining from removing original data. Thus the group can disavow fraudulently labelled MalSec actions.
Now, regarding the term hacktivist: I’ve used it. Lots of journalists have used it. I’m not going to use it anymore.
When Corman and Jericho polled the audience to ask how many thought that the law was winning in its fight against Anonymous, only one hand went up.
That only shows that Anonymous has won the media, Jericho said, whereas the law has failed to engage our attention.
The keynoters’ research has shown that some 184 Anonymous actors have been arrested and charged in 14 countries. Only one in three Anonymous-branded actions make the news, one in five make the news on tech sites, and only one in 30 make the mainstream news.
These are guestimates. The point is, law enforcement is making busts. They need to rattle their sabers more, and we journalists need to pay attention.
We also need a better term than hacktivist, which embodies the romantic type of Robin Hood image that Hollywood, journalists and the public adore.
“The Anonymous affiliated” is kludgy. But perhaps we won’t be able to come up with a better term until Anonymous itself draws its boundaries, making it possible for a given action to be rightfully branded or justifiably disavowed.
If you can think of a better term to use in the meantime, please share it in the comments section.
And kudos to Corman and Jericho for opening up such a thoughtful discussion about a topic that’s too easily simplified and romanticized.