The Cybersecurity Canon: We Are Anonymous

For the past decade, I have had this notion that there must be a cybersecurity canon: a list of must-read books where the content is timeless, genuinely represents an aspect of the community that is true and precise and that, if not read, leaves a hole in cybersecurity professional’s education. I’ll be presenting on this topic at RSA 2014, and between now and then, I’d like to discuss a few of my early candidates for inclusion.

We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous and the Global Cyber Insurgency (2012) by Parmy Olson

The Anonymous franchise really hit its stride between the years of 2010 and 2011. Hacktivism began earlier than that of course (1994 was the first documented case that I could find), but it did not strike fear into the hearts of CEOs, CSOs and government officials until that two year run.

It was the perfect storm of technology, disenfranchised young-ish people, “Internet Pranks as an Art Form” empowerment and the hacking culture that came together into a gigantic hairball of activity and energy that caused governments from around the world to double-clutch on some of their more severe policies and caused business leaders to actually fear the impact to their bottom line.

Trying to understand that phenomena is quite the task and Parmy Olson, in her 2012 book, “We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous and the Global Cyber Insurgency,” is an apt guide. Through unprecedented access to some of the core players on many of the more infamous operations, Olson is able to capture the essence of how the hacktivist movement got started in earnest, to describe the inevitable drama between competing factions and to provide insight into how this franchise operates. I think this will absolutely stay relevant; hacktivism is once again in the headlines, as we saw in the early November attacks on Asian government websites.

I call it a franchise because “Anonymous” is not a club. You do not pay dues. You do not register your name, e-mail account and twitter handle with anybody in power. There is no singular power. Anonymous is more of an idea than an organization. Hacktivists use that idea to get attention in the media and to get a reaction from the target they are pursuing.

For example, if I wanted to protest the US Senate’s inability to pass gun-control legislation this year (2013), I might write a scathing blog pointing out the dwarf-like physical characteristics of some of the key senators involved (if I was a law-abiding white-hat citizen). On the other hand, I might choose to go the other way and organize a Distributed Denial of Service (DDOS) attack against a few key senators’ web pages or compromise a senator’s email accounts and publish his or her messages on a public site somewhere (if I was willing to live on the lawless side wearing a black hat).

I could do those things, but nobody on the planet really knows who I am and all of those activities (white hat and black hat) would just register as part of the noise. But, if I wrap myself around the trappings of the Anonymous franchise – the imagery, the youtube videos with Matrix-like voiceovers and the Twitter public relations campaigns – I amplify the importance of my cause both to the general public and clueless media outlets. The Anonymous franchise has heft.. By claiming to be a leader in the group, regardless if I am or not, I get instant recognition and have all the assumed powers that the public thinks the group has. Genius!

How Anonymous Arrived

Ms. Olson walks the reader through the history of how this franchise was built and does a really good job explaining the culture. She does a good job walking through concepts such as 4Chan, troll bait, LOIC and SQL injection attacks. Along the way, she also scuttles a few of the Anonymous myths. The main one is that not all contributors are elite hackers. In fact, most are not. Many of the operation’s leaders are, for sure, and some of them are quite skilled. But most contributors that consider themselves part of the Anonymous movement are enthusiastic activists with a lot of Internet savvy. They can run circles around the average Joe in terms of Internet communication, but as Ms. Olson notes, not many have ever slung any real code.

Olson describes how the leaders of the more infamous operations (Chanology, Payback, Freedom Ops, etc) understood this and leveraged it. They treated these enthusiastic activists as trolls, in some kind of perverse recursive prank, and made them think they were more important than they really were. In the early days, leaders even provided the masses a tool, the Low Orbit Ion Cannon (LOIC), which allowed them to easily participate in a DDOS raid of choice. Of course, the developers of the LOIC did not initially protect the users from prying eyes like the FBI, and law enforcement did made many arrests. But the Anonymous PR machine kept churning; proclaiming the success of the hacktivist masses against evil governments and commercial empires.

The dirty secret though was that as the targets got bigger (PayPal, MasterCard, Visa), the effectiveness of the Low Orbit Ion Cannon, even with thousands of contributors, did not put a dent in the defenses of these targets. It was not until the leaders leveraged their own BotNets that these web sites were brought to their knees. Of course, that was not the message the PR machine generated. In order to completely leverage the Anonymous franchise and get the attention of the media and the intended targets, they had to proclaim that the damage was being done by the Anonymous masses. Olson calls this  “… a mirage of power and scale.”

At the end of the book, Olson lists a comprehensive timeline of significant Hacktivist events, from a group called the Zippies launched a DDoS attack on UK government websites in November 1994, to the coining of the hacktivism term in 1996 to Operation Payback in 2010 and the LulzSec 50-day hacking spree in 2011.

She also lists core LulzSec members and other anonymous supporters, and does a really good job explaining some of the technology used by Anonymous members, including Hashkiller.com, Gigaloader/JMeter, HideMyAss and the use of Second Life gaming worlds to launder money.

Conclusion:

This book is a must read for all cybersecurity professionals. It does not cover the entire Anonymous movement, but by focusing on the evolution of the Anonymous Franchise and the rise and fall of the LulzSec hacking group, Ms. Olson captures the essence of the hacktivist culture and what motivates its supporters. I would put this in my list of essential Cybersecurity books, especially for historical context.