1. My attempt to summarise the unfolding HBGary / Wikileaks story

    Posted February 16, 2011 in comment  |  2 Comments so far

    You might not have heard of HBGary Federal before. I certainly hadn’t, or at least not until February 4th when their CEO Aaron Barr boasted to the press that he had unmasked members of Anonymous and was going to pass their details to the FBI. This was presumably in retaliation for Anonymous having slowed down the servers of Visa, Mastercard and Paypal for a few hours back in December 2010, a crime that will no doubt live in infamy.

    As it turns out HBGary Federal is a computer security consultancy that does a lot of work for the US government, trading on a reputation as experts in the field. Their CEO was obviously looking to generate headlines with his Anonymous story. And he succeeded, but not quite in the way he was expecting.

    Within a few hours of his boasting to the press about having “infiltrated” Anonymous, Anonymous struck back. And they struck back hard. The HBGary Federal website was compromised and defaced, Aaron Barr’s Twitter and Facebook profiles were hijacked, and – most damagingly for HBGary – the company’s email server was breached, the emails extracted and put into the public domain via BitTorrent.

    At this point, the damage done to HBGary was already severe. How could “experts” in information security be so thoroughly compromised, so quickly, and in such a humiliating manner? As Aaron Barr put it, soon after the attack took place:

    I knew some folks would take my research as some kind of personal attack which it absolutely was not. I thought they might take down our Web site with a DDoS attack. I did not prepare for them to do what they did…

    But the worst was yet to come. It took a few days for the contents of the email dump to be reviewed, and what it revealed was even more damning – not just for HBGary Federal, but for the shady culture of impunity it portrayed among firms contracting for the US government.

    The new twist in the tale came when a project proposal was discovered among the emails. The proposal, titled “The Wikileaks Threat” (link to the full presentation), had been created by HBGary Federal in conjunction with two other companies for Hunton & Williams, a law firm that works with Bank of America. It outlined a systematic plan of attack against Wikileaks and its supporters which included tactics ranging from DDoS attacks, falsification of information, and what could be seen as extortion of prominent free-speech supporters such as Salon writer Glenn Greenwald. The exact quote about people in this category was that they could be pushed to “choose career preservation over cause”.

    Slide from the Palantir, HBGary and Berico proposal

    If you want to know more without reading the whole thing, this Tech Herald article has a good overview, but you should definitely read Glenn Greenwald’s response over at Salon:

    The very idea of trying to threaten the careers of journalists and activists to punish and deter their advocacy is self-evidently pernicious; that it’s being so freely and casually proposed to groups as powerful as the Bank of America, the Chamber of Commerce, and the DOJ-recommended Hunton & Williams demonstrates how common this is. These highly experienced firms included such proposals because they assumed those deep-pocket organizations would approve and it would make their hiring more likely.

    To put it mildly, the tactics outlined in this proposal are indefensible and the other companies involved have since apologised to the proposed victims and distanced themselves from HBGary Federal. Indeed the chief of Berico has called the proposal “reprehensible” (PDF link to company statement).

    But this doesn’t bring the matter to a close. The leaked proposal is almost certainly the tip of a very large iceberg, giving us a glimpse of a corporate culture surrounding the US government that has grown accustomed to operating outside the law. As Glenn Greenwald puts it:

    The exemption from the rule of law has been fully transferred from the highest level political elites to their counterparts in the private sector. “Law” is something used to restrain ordinary Americans and especially those who oppose this consortium of government and corporate power, but it manifestly does not apply to restrain these elites.

    The story began with a so-called security expert bragging to the media and has ended with the disgrace of his company. Andy Greenberg at Forbes:

    Rarely in the history of the cybersecurity industry has a company become so toxic so quickly as HBGary Federal …many of the firm’s closest partners and largest clients have cut ties with the Sacramento startup. And now it’s cancelled all public appearances by its executives at the industry’s biggest conference in the hopes of ducking a scandal that seems to grow daily as more of its questionable practices come to light.

    These questionable practises, which are still being uncovered, are too many to list here, but this timeline over at Ars Technica is worth a read if you want to know more about Aaron Barr’s techniques.

    It’s a shame that this story isn’t getting more press attention, because it reveals a lot about what’s happening on the front line of the struggle for internet freedom – and by “front line” I mean the hand-to-hand trench combat as opposed to the high-profile court cases taking place in the US and in the UK.

    But it’s unlikely to get much coverage because it’s a messy, data-intensive, and fast-changing story; in other words, the type of story that is extremely difficult to get across within the constraints of traditional news media forms. Traditional media seems to be more comfortable talking about Julian Assange’s personal hygiene or Downing Street’s new cat than covering this sort of thing.