I’ve always been a geek at heart, and I also try to keep one eye on cyber issues because they’re so important to national security. So lately I’ve been reading numerous books about networking, computer hacking, and hacktivism.
One of the most intriguing books in this collection is We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency by Parmy Olson. Despite a string of 1-star reviews on Amazon by disgruntled Anonymous members (all curiously posted within a two-day spread shortly after the book’s publication), I thought the book was absolutely riveting. It is a tour through the digital underground: the IRC chat rooms where attacks are planned and botnets are controlled, message boards where virtual flash mobs are born, and the dark basements where socially alienated teenagers become world-famous hackers. The exploits themselves are fascinating: social engineering and exploitation, network penetration, data theft, d0xing, denial of service attacks, and many more. For a nonfiction book, it has plenty of suspense. I was constantly looking forward to learning what the next attack would be, and enjoyed the progressive revelation of the identities of Anonymous and LulzSec leaders–a subject about which I knew nothing.
The book is also fascinating from a national security and defense standpoint. It forced me to do some deep thinking about how networks and headless organizations conduct themselves, and how to fight them. Here are a few of my observations, with the caveat that they are based mostly on this one book.
The author challenges the idea that Anonymous has a powerful hive mind. In the author’s view, the spread of this belief is one of Anonymous’ greatest feats of social engineering. In actuality, Anonymous is a brand under which almost anyone can rally, and which has been subject to bitter infighting, splits, and even FBI informing by key members. Any apparent hive intelligence is less the result of the crowds, and more a result of key leaders or teams within Anonymous. For example, although hundreds of people participated in some key DDoS attacks, nearly all the computing firepower came from one or two botnet owners.
Following from this, even decentralized networks need leaders. It’s hard to get anything done otherwise. It’s interesting that after a period of creative anarchy, some key members of Anonymous broke off to form their own hacking group, LulzSec, which was smaller, more structured, and more disciplined. Without this kind of centralized structure, groups are mostly limited to lone wolf or one-off attacks.
The very atmosphere of paranoia and anonymity is easy to exploit. In a virtual environment where nobody knows your real identity, it’s easy for white hat hackers and government officials to roam freely. The hackers know this, so groups are constantly jumping between communication networks and methods, and new, tighter circles of trust are constantly being established and re-established. As circles slowly expand and trust erodes, new circles form again. It isn’t easy for groups to function like this.
The author highlights the extent to which core Anonymous hackers manipulated eager wannabes. During large DDoS attacks, for example, core members encouraged Anons to use free, downloadable software that would allow them to participate in the attacks. However, they downplayed the legal dangers and didn’t do much to help these less technologically adept recruits mask their identities. The fun and games were over when the FBI knocked down their doors with arrest warrants.
I had no idea how banal and sordid Anonymous’ beginnings were. The media plays up the “hacktivist” and libertarian spirit of Anonymous, so I was surprised to hear about the organization’s beginnings on 4chan–within subcommunities that essentially celebrated depravity as a means of escaping boredom. That included everything from taunting pedophiles, to exploiting and blackmailing young women into sending nude pictures, to swapping photos of appalling violence. When a new generation of members wanted to steer the hive efforts towards moral or civic goals, they were treated with disdain. When LulzSec was born, it deliberately rejected crusading and focused on hacking/exploiting for the mere thrill of it.
It’s hard for decentralized organizations to have a coherent vision and mission. Different individuals and subcommunities came to Anonymous with different goals, and these subcommunities could fight bitterly over what they were trying to achieve. As stated above, libertarian hacktivists collided with those who just hacked to lift themselves out of despair and boredom.
We should be careful when we claim, “it takes a network to fight a network.” That’s true, but in the defense world, we should only go so far in trying to emulate decentralized networks. They are fluid and responsive, but they also have severe handicaps. We should seek hybrid models that allow rapid information sharing and decision-making, but still have strong executive “deciders” who can steer the organization towards a common purpose.
It only takes one mistake to blow your cover. The Internet is designed in such a way that masking your identity is relatively easy, and a savvy hacker can count on anonymity. For these reasons, attribution of attacks can be extremely difficult. However, virtually everything on the net is logged and stored somewhere for future reference, and it only takes the tiniest slip to permanently expose your identity. In the case of Sabu, one of the core members of LulzSec, a single logon to IRC without his anonymizing software momentarily exposed his IP address. That’s all it took. So for persistent hackers, it seems like it’s just a matter of time. Everybody is going to screw up sooner or later.
What you’d expect: many Anons are socially alienated young males living in their mother’s house. Not all of them, but enough that we can make some hypotheses about why people join groups like Anonymous. For some it’s really about libertarian ideals and the commitment to the free flow of information, but for others it’s probably not.
Finally, I constantly found myself comparing Anonymous to al-Qa’ida and other jihadi groups. Not because they pose the same level of threat, but because so many of the organizational dynamics appear to be similar.