Read Cybersecurity and Cyberwar Online
Authors: Peter W. Singer Allan Friedman,Allan Friedman
In October 1989, administrators at the Department of Energy and NASA sat down to their computers to find that they had been “WANKed.” Instead of letting them log in, their screens blasted a message from “WANK: Worms Against Nuclear Killers” that said, “You Talk of Peace for All, and Then Prepare for War.”
The WANK worm had actually been placed by young hackers from Australia (explaining both the double entendre of the nameâto “wank” is Aussie slang for masturbatingâand the origin of the message, which were lyrics from the Australian antinuclear band Midnight Oil). The youth wanted to protest a new program of nuclear energy research, but rather than travel to the United States to stand with other protesters holding posters outside the Kennedy Space Center, they spread their message from within their target's computers. As it was early in the age of networked computers, the worm they built now seems fairly simple. It targeted accounts that had the same password as their username (remember these good old days?) and was easily cleared from the system. But WANK is still significant. A few young hackers WANKing off had carried out one of the first examples of “hacktivism.”
Hacktivism is a term often credited to the Cult of the Dead Cow, a hacker group founded in a former Lubbock, Texas, slaughterhouse. They were among the first to argue that access to online information was a universal human right (among their early efforts was an effort to hack Chinese government agencies and Western companies cooperating with them) and so organized Hactivismo, a project to fight Internet censorship and provide technical help to those living under oppressive governments. The idea is exactly what the mash-up of the words “hacker” and “activism” might suggest: the idea of promoting or resisting some kind of political or societal change through nonviolent but often legally questionable cyber means of protest. Just as Martin Luther once harnessed the revolutionary power of the printing press to spread his message, and Martin Luther King, Jr. similarly used the new venue of television, hacktivists are simply tapping into the latest technology to aid their own civil disobedience, agitation, and protest. But unlike in the past, this technology offers the ability to operate instantaneously, transnationally, and anonymously.
Much like other actors in cyberspace, hacktivists can range from single individuals to loose coalitions like Anonymous, which come together around a common target, to tightly organized groups. As a result, the scale of action includes small protests against a single target that barely make a ripple in cyberspace to what the
New York Times
somewhat erroneously called “
World Wide Web War I
” in 2001. After a US Navy P-3 surveillance plane and Chinese fighter jet collided, anger in China skyrocketed and some one hundred thousand Chinese hackers worked together to knock the White House website offline with a denial-of-service attack, plant viruses in the Justice Department's network, and even deface the home pages of some
Ohio high schools
. Groups of American hackers then responded by changing various Chinese websites to display American flags and messages like “Slouching Tiger, Hidden Dragon.”
One of the big misconceptions about hacktivists is that they are all bona fide hackers with a real understanding of their actions. Actually, the vast majority are what are known as “script kiddies.” That is, they use “scripts,” or programs made by others, that allow them to download attack software from a website and then join in with the click of a button, no expertise required. Expert hackers tend to look down on them, hence the notion of a “kid” or juvenile. As a report for the US Defense Department explained, script kiddies are the “more immature but unfortunately often just as dangerous exploiter of security lapses on the Internet. The typical script kiddy uses existing and frequently well known and easy-to-find techniques and programs or scripts to search for and exploit weaknesses in other computers on the Internetâoften randomly and with little regard or even understanding of the
potentially harmful consequences
.”
These politically motivated “hactions” therefore usually aren't as complex or even sophisticated as many other types of cyberthreats. Typical incidents involve defacing websites, such as changing the front page of a company or government agency's website into something embarrassing, and “Virtual Sit-ins.” Much like the sit-ins at college campuses in the 1960s, the idea is to use the power of the crowd to block traffic and hinder work. Now it is Internet traffic rather than long-haired hippies that block the corridors of power. One of the first of these occurred in 1997. The Electronic Disturbance Theater, a group that crossed hacktivists with performance artists, organized a virtual sit-in that flooded Pentagon and Mexican government websites
with messages to try to bring attention to the Chiapas conflict. Recent sit-ins have targeted physical location, such as a specific government building, by trying to overwhelm the networks and devices at that site with large geotagged files, such as YouTube videos.
More sophisticated hactions tend to involve efforts along the lines of cyber espionage. They penetrate a network, find valuable information, and then extract it. In this case, though, they usually target information that is more embarrassing than valuable and then display it to the world. Examples range from the hacking of former US vice presidential candidate Sarah Palin's Yahoo e-mail account to WikiLeaks' posting of internal memos from the Stratfor private intelligence firm, which showed that a firm charging others for supposedly super-sophisticated strategic analysis was actually fairly clueless. When an attack focuses on an individual's personal information, it's referred to as “doxing,” as in revealing personal documents publicly. Often, doxing requires minimal network penetration, relying more on careful research to link public but hidden personal or embarrassing data to the victim. The Chinese expression
Rénròu SÅusuÇ
describes this practice and translates as “human flesh search engine.”
The most complex operations, however, are those that ironically circle back into the real world, combining both new hactivism and old-school civil disobedience. For example, in 2004 an undercover video showed a variety of acts of animal cruelty at the Huntingdon Life Sciences testing lab, including employees punching beagle puppies in the face. So a hacktivist group called
Stop Huntingdon Animal Cruelty
(SHAC) organized a campaign. They gained access to the company's networks, and through them, the firm's entire life cycle, including the names and home addresses of all its employees, shareholders, customers, and business partners. They published all these names and addresses online, even those of the firm's
caterers and cleaners
. Many of these individuals and companies were subsequently targeted in a strategy to undermine “
every critical relationship
of a company necessary to thrive.” Neighbors were told embarrassing facts about employees. Investors who thought themselves anonymous were sent letters at home, while an entire New York yacht club was covered in red paint after it was revealed many of its members traded shares in the beagle-punching firm. These actions extended to more violent attacks, such as when the
firm's marketing director opened his front door only to be
sprayed in the eyes
with a stinging chemical (the activists claimed to be simulating what was done to test animals). The campaign proved somewhat successful; so many investors and partners were spooked that the company ended up being delisted from the New York Stock Exchange. But, in turn, several of the SHAC hactivists were convicted for various crimes, including Internet stalking and using their websites to incite violence.
But no one should think that hactivism is solely antibusiness. Recently, private firms have grown more involved in various hacktivist endeavors. For example, during the 2011 “Arab Spring” popular uprisings, firms like Google, Twitter, and Skype provided technical support to protesters and various workarounds to the government Internet censorship. When the Egyptian government tried to shut down Internet access during the mass protests, the firms provided a service called “Speak to Tweet,” whereby voicemail messages left by phone were converted to text tweets and downloadable audio files, so that news could still get out.
An interesting issue for hacktivism moving forward, however, turns the notion of Internet freedom of expression on its head. Many see hactivism as a new form of civil disobedience that echoes back to past generations of activists, whether it be Thoreau's essays in the 1840s or the Chicago Eight's use of TV in 1968, just now on a new medium. Others note that the tactics, like denial of service or altered websites, involve some attack on the other party's use of the Internet, effectively undermining their freedom of speech. Moreover, as the SHAC example illustrates, the anonymous nature of hactivism and the frequent posting of private information can inspire or provide cover for more nefarious, even violent actions. Thus, hactivism faces the same constant question as traditional activism: Do the ends justify the new cyber means?
Aaron Barr made a terrible mistake.
On February 5, 2011, the CEO of the computer security firm HB Gary Federal announced that his company had infiltrated the Anonymous hacktivist group and would reveal its findings to the media at a major conference in San Francisco. It wasn't to be. As
Wired
magazine reported, instead of the acclaim and profits he expected, Barr and his firm walked into “
a world of hurt
.”
HG Gary Federal's website was quickly compromised by Anonymous, which posted its own message on the firm's very own site: “Your recent claims of âinfiltrating' Anonymous amuse us, and so do your attempts at using Anonymous as a means to get press attention for yourself.⦠What you have failed to realize is that, just because you have the title and general appearance of a âsecurity' company, you're nothing compared to Anonymous. You have little to no security knowledge.⦠You're a pathetic gathering of media-whoring money-grabbing sycophants who want to reel in business for your equally pathetic company. Let us teach you a lesson you'll never forget: you
don't mess with Anonymous
.”
The group then made a complete mockery of the firm's claims to offer its clients security. Besides taking over the website, it also seized control of HB Gary's e-mail system and dumped more than 68,000 private messages and memos onto the public Internet. All sorts of
embarrassing laundry
were aired, from the company's offer to clients to target journalists and donors to the WikiLeaks organization (a business proposal that many considered not just a bad idea, but potentially illegal), to the CEO's discussion of logging onto teen chat rooms and posing as a sexy sixteen-year-old girl with the handle of “Naughty Vicky.” Anonymous also carried out doxing attacks, taking control of Barr's personal Twitter account and then using it to post his Social Security number and home address.
HB Gary's reputation as a security firm was destroyed in what
Wired
magazine described as an electronic version of a “
beatdown
.” By the end of the month, a congressional committee was investigating inappropriate contracts by the firm, and Barr had resigned in disgrace. As Anonymous concluded its message on HB Gary's website, “It would seem the security experts are not expertly secured. We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us.”
With exploits like this and its signature use of Guy Fawkes masks (in honor of the 1605 Gunpowder Plot, popularized as an antigovernment symbol in the movie
V for Vendetta
), Anonymous may be the most noted of the hactivist groups. Ironically, its notoriety is due to its anonymity. It is not a single, easily identifiable organization.
Instead, the best words to describe the soup reflect the Internet itself, “decentralized” but “coordinated.”
Anonymous is essentially composed of unidentified users from various Internet forums who gather to conduct organized protests and other actions using cyber means. As one member explained, “
Anyone who wants to can be Anonymous
and work toward a set of goals.⦠We have this agenda that we all agree on and we all coordinate and act, but all act independently toward it, without any want for recognition. We just want to get something that we feel is important done.”
With no single leader or central control authority, the group visualizes itself not as a democracy or a bureaucracy, but as a “do-ocracy.” Members communicate via various forums and Internet Relay Chat (IRC) networks to debate potential causes to support and identify targets and actions to carry out. If enough of a collective is on board for action, a date will be selected and plan put into action; one member described it as “
ultra-coordinated motherfuckery
.” The members then use various media such as Twitter, Facebook, and YouTube to distribute “attack posters” to announce the plans, further coordinate steps, and draw new volunteers from around the world into the attacks, building up the ranks of an “Anonymous” army of hactivists. The paradox is that for such a
supposedly secretive group
, most of Anonymous's planning and action takes place in the open.
There is no exact date linked to the founding of Anonymous, but most accounts credit its formation to the mid-2000s, merging early hacker communities dating back to the 1980s with a new generation of hactivists, who congregated around online bulletin boards like 4chan. For the next few years, the group would rarely pop up outside of the computer security world media. One of the first mentions came in 2007, when Canadian news reported the arrest of a fifty-three-year-old child predator who had been tracked down and turned into the police by a “self-described
Internet vigilante group
called Anonymous.” This was notable not just because of the revelation of the group, but also because it was the first time a suspected online predator was arrested by the police as a result of “Internet vigilantism.”