Thursday, February 17, 2011

A Matter of Trust

V for Vendetta imagery persists around WikiLeaks-related stories. Image Source: Ars Technica.

Back in 1990, Hal Hartley directed a great little film called Trust, starring the late lamented Adrienne Shelly and Martin Donovan. This dark comedy hinged on a critical moment where the heroine informs the hero that love depends above all on trust. It's a social value that is also at the root of doing business. Within the bounds of a contract, we expect that we can trust our partners. But now, trust is changing.

In a recent Piers Morgan CNN interview, this was the main point put forth by Cameron and Tyler Winklevoss about their former partner Mark Zuckerberg regarding the disputed origins of Facebook.  They maintained that within the bounds of a business agreement, there is nothing irrational about trusting your partner, while Morgan argued that in high-stakes business, people get stabbed in the back all the time.  Morgan said: lack of trust is normal.  You should expect that.

David Fincher's recent film The Social Network (2010) tended toward a negative depiction of Zuckerberg with regard to this dispute. But that adaptation has been questioned. I find the comments of the film's screenwriter on the screenplay, adapted from the book The Accidental Billionaires (2009), to be telling:
The film's screenwriter Aaron Sorkin told New York magazine, "I don't want my fidelity to be to the truth; I want it to be to storytelling", adding, "What is the big deal about accuracy purely for accuracy's sake, and can we not have the true be the enemy of the good?"
Now, let's just break that down.  Sorkin evidently sees a 'solid story' as a social good that ranks above adherence to what really happened, at least as far as writing screenplays goes.  But everyone knows that people will watch The Social Network and most will instinctively assume that it is an accurate depiction of reality, not a creative adaption of reality.  That means Sorkin has a responsibility somewhere to that distinction.  It's hard to say.  Would we remember William Randolph Hearst to the extent we do and in the way we do, if Orson Welles had not made the highly disputed biopic Citizen Kane?  Theoretically, the 'true' story (or the closest approximation of it) about Welles and Hearst is left to the historians.  Everyone else just believes what they saw in the movie.

In a situation that pits one person's version of events against another's, the version that wins, even when the courts are involved, is the one that penetrates popular perception.  Real power lies not in the veracity of anyone's claim or anyone's account, but in the momentum generated by each version.  Somehow, we presume that the most compelling version of reality is 'true' and 'good,' even if we know it's neither. And we place our trust in that version of reality.  In theory, we should place our trust in the true and the good.  But trust migrates.

Needless to say, the internet is a fantastic tool for bending reality and building a momentum around that reality to inspire trust. Take WikiLeaks, which I blogged about here. Putting aside the debate about transparency in government, banks and corporations, I find it strange that the site's supporters would be so quick to trust WikiLeaks. The story of WikiLeaks reflects the story of the internet: in many ways, it is totally open, yet at every turn we are enjoined to trust no one.

Image Source: Twitter via Sophos.

Without commenting on whether WikiLeaks is in fact trustworthy, I'm curious to know why people are so keen to trust it. On 15 February, Peter Bright posted a highly informative feature story at Ars Technica about how a pro-WikiLeaks group, Anonymous, recently hacked a security firm, HBGary Federal (subsidiary of the group HBGary). They did this to retaliate against HBGary Federal's claims (reported on 4 February at the FT here, with a follow-up at Ars Technica here) that the security firm was about to break the hacker group. Ars Technica confirms that HBGary's reputation prior to this withering humiliation was near the top in the security field:
HBGary and HBGary Federal position themselves as experts in computer security. The companies offer both software and services to both the public and private sectors. On the software side, HBGary has a range of computer forensics and malware analysis tools to enable the detection, isolation, and analysis of worms, viruses, and trojans. On the services side, it offers expertise in implementing intrusion detection systems and secure networking, and performs vulnerability assessment and penetration testing of systems and software. A variety of three letter agencies, including the NSA, appeared to be in regular contact with the HBGary companies, as did Interpol, and HBGary also worked with well-known security firm McAfee. At one time, even Apple expressed an interest in the company's products or services.
The report gives the details of how Anonymous hacked HBGary Federal.  The turning point of the hack depended - ironically - on trust.  The hackers gambled correctly on the assumption that even a sysadmin will believe you are who you say you are.  Therein lies the human flaw in this mess of virtual tech - the sysadmin's first instinct is to trust, despite the fact that he or she would be the final, human gatekeeper in this kind of circumstance.  (I'm sure plenty of sysadmins would disagree.)

At any rate, the hack ironically proved that that fund of trust, one of the core values of our society, has not been depleted. But don't worry, we're getting there. Anonymous partially hacked the HBGary system, with a little help from digging around in outside systems, until they could pose as HBGary founder and CEO Greg Hoglund (in the aftermath, his e-mails are being released on sites like this). As the fake Greg, they contacted Jussi Jaakonaho, 'Chief Security Specialist' at Nokia, who had root access to HBGary's system, for Greg's username and password; they also asked him to drop HBGary's firewall:

From: Greg
To: Jussi
Subject: need to ssh into rootkit
im in europe and need to ssh into the server. can you drop open up
firewall and allow ssh through port 59022 or something vague?
and is our root password still 88j4bb3rw0cky88 or did we change to
88Scr3am3r88 ?
thanks
-------------------------------------

From: Jussi
To: Greg
Subject: Re: need to ssh into rootkit
hi, do you have public ip? or should i just drop fw?
and it is w0cky - tho no remote root access allowed
-------------------------------------

From: Greg
To: Jussi
Subject: Re: need to ssh into rootkit
no i dont have the public ip with me at the moment because im ready
for a small meeting and im in a rush.
if anything just reset my password to changeme123 and give me public
ip and ill ssh in and reset my pw.
-------------------------------------

From: Jussi
To: Greg
Subject: Re: need to ssh into rootkit
ok,
it should now accept from anywhere to 47152 as ssh. i am doing
testing so that it works for sure.
your password is changeme123
i am online so just shoot me if you need something.
in europe, but not in finland? :-)
_jussi
-------------------------------------

From: Greg
To: Jussi
Subject: Re: need to ssh into rootkit
if i can squeeze out time maybe we can catch up.. ill be in germany
for a little bit.
anyway I can't ssh into rootkit. you sure the ips still
65.74.181.141?
thanks
-------------------------------------

From: Jussi
To: Greg
Subject: Re: need to ssh into rootkit
does it work now?
-------------------------------------

From: Greg
To: Jussi
Subject: Re: need to ssh into rootkit
yes jussi thanks
did you reset the user greg or?
-------------------------------------

From: Jussi
To: Greg
Subject: Re: need to ssh into rootkit
nope. your account is named as hoglund
-------------------------------------

From: Greg
To: Jussi
Subject: Re: need to ssh into rootkit
yup im logged in thanks ill email you in a few, im backed up
thanks
-------------------------------------
Ars Technica: "Thanks indeed. To be fair to Jussi, the fake Greg appeared to know the root password and, well, the e-mails were coming from Greg's own e-mail address. But over the course of a few e-mails it was clear that 'Greg' had forgotten both his username and his password. And Jussi handed them to him on a platter."

This reminds me of a line in a movie I saw once, roughly: You can get into any building in the world with a pen, a confident nod, and a clipboard. Half the battle is looking like you belong there. Inspiring trust.

Speaking of what WikiLeaks supporters are seemingly trusting, there is a video purportedly from Anonymous to HBGary Federal here, although I can't confirm where this message originated. Its statement runs:
Greetings HBGary (a computer "security" company),

Your recent claims of "infiltrating" Anonymous amuse us, and so do your attempts at using Anonymous as a means to garner press attention for yourself. How's this for attention?

You brought this upon yourself. You've tried to bite at the Anonymous hand, and now the Anonymous hand is bitch-slapping you in the face. You expected a counter-attack in the form of a verbal braul (as you so eloquently put it in one of your private emails), but now you've received the full fury of Anonymous. We award you no points.

What you seem to have failed to realize is that, just because you have the title and general appearance of a "security" company, you're nothing compared to Anonymous. You have little to no security knowledge. Your business thrives off charging ridiculous prices for simple things like NMAPs, and you don't deserve praise or even recognition as security experts. And now you turn to Anonymous for fame and attention? You're a pathetic gathering of media-whoring money-grabbing sycophants who want to reel in business for your equally pathetic company.

Let us teach you a lesson you'll never forget: you don't mess with Anonymous. You especially don't mess with Anonymous simply because you want to jump on a trend for public attention, which Aaron Barr admitted to in the following email:

"But its not about them...its about our audience having the right impression of our capability and the competency of our research. Anonymous will do what every they can to discredit that. and they have the mic so to speak because they are on Al Jazeeera, ABC, CNN, etc. I am going to keep up the debate because I think it is good business but I will be smart about my public responses."

You've clearly overlooked something very obvious here: we are everyone and we are no one. If you swing a sword of malice into Anonymous' innards, we will simply engulf it. You cannot break us, you cannot harm us, even though you have clearly tried...

You think you've gathered full names and home addresses of the "higher-ups" of Anonymous? You haven't. You think Anonymous has a founder and various co-founders? False. You believe that you can sell the information you've found to the FBI? False. Now, why is this one false? We've seen your internal documents, all of them, and do you know what we did? We laughed. Most of the information you've "extracted" is publicly available via our IRC networks. The personal details of Anonymous "members" you think you've acquired are, quite simply, nonsense.

So why can't you sell this information to the FBI like you intended? Because we're going to give it to them for free. Your gloriously fallacious work can be a wonder for all to scour, as will all of your private emails (more than 44,000 beauties for the public to enjoy). Now as you're probably aware, Anonymous is quite serious when it comes to things like this, and usually we can elaborate gratuitously on our reasoning behind operations, but we will give you a simple explanation, because you seem like primitive people:

You have blindly charged into the Anonymous hive, a hive from which you've tried to steal honey. Did you think the bees would not defend it? Well here we are. You've angered the hive, and now you are being stung.

It would appear that security experts are not expertly secured.

We are Anonymous.
We are legion.
We do not forgive.
We do not forget.
Expect us - always.


Video Source: Youtube.

On 7 February, Anonymous apparently released a video press release about its initial humiliation of HBGary, replete with V for Vendetta images. The transcript of the press release is:
ANONYMOUS PRESS RELEASE

For Immediate Distribution

February 7th, 2011

Recently, the head of internet security firm HBGary Federal, Aaron Barr, sought to elevate his investigation of the Anonymous movement by providing the Financial Times with what he claimed to be accurate and useful information about those who allegedly drive our activities.

In yesterday's release we inferred that the information presented was easy to undermine by any of the millions of people around the world with a cursory understanding of internet culture. Not only was the information provided by HBGary Federal woefully inaccurate, it provided no incriminating evidence against any of the persons named.

Today, Anonymous learned that HBGary Federal intended to sell to the FBI a large document (it can be found at http://hizost.com/d/zjb) that allegedly detailed the identities of dozens of our participants.

Within hours of learning this, Anonymous infiltrated HBGary Federal's network and websites. Anonymous acquired the document with supposed personal details of anons, along with 50,000 company e-mails (~4.71GB) - all of which have now been distributed on the internet. Additionally, his associated websites and social media accounts were hijacked and manipulated to stress how poorly this 'security expert' handles matters of his own security (http://imagebin.org/136490). Woe to his clients and others who invested in his confidence.

The lack of quality in Aaron Barr's undertaken research is worth noting. Aaron Barr missed a great deal of information that has been available online, and in fact failed to identify some of those whose identities were never intended to be hidden. People such as DailyKos' diarist blogger Barrett Brown, and the administrator of anonnews.org, joepie91, whose identities could have been found in under a minute with a simple Google search.

It is also worth noting that Aaron Barr was also providing this documentation as an example of investigation protocol. This would introduce a systematic flaw to the FBI's investigative woodwork. The risk of institutionalising a flawed procedure exponentiates a problem, and it does so at the taxpayers' expense in every sense. Had the FBI indeed bought this information from HBGary Federal, it would have been paid for by taxpayers' money, and many innocent people would have been marked as leaders in actions they may not even have been associated with.

Unlike you, Aaron, we did our research, we know who you are, and now, so will everyone else. Although you have managed to ruin your credibility in an attempt to further it, you did provide us with entertainment, albeit very briefly.

Anonymous does not have leaders. We are not a group, we are not an organization. We are just an idea. What we have done today will appear harsh. It is harsh. We will respond to those who seek to threaten us. We understand that our participants have been concerned about recent FBI raids and companies such as HBGary Federal lurking and logging our chats, so we've given all of Anonymous a message: we will fight back.

We are Anonymous.
We are legion.
We do not forgive.
We do not forget.
Expect us - always.

Yours faithfully,

Anonymous.
Forbes is linking Anonymous negatively to WikiLeaks' 'battle for hearts and minds.' I wish someone would interview David Lloyd and Alan Moore about the use of their comics character as the mascot for this turbulent corner of internet culture.


All DC Comics stories, characters and the distinctive likenesses thereof are Trademarks & Copyright © DC. ALL RIGHTS RESERVED.
