Conference DEFCON 19. Anonymous and we. Part 1
You see the phrase “Who Fights the Monsters” on the screen, and I am the moderator of this presentation, Paul Roberts, editor of threatpost.com, a computer security news portal. We have a large group of speakers, which I will introduce in a couple of seconds, but for now I’ll tell you about the main rules of our discussion. We also have slides that relate to what each discussion participant will tell.
After the speech, we are going to answer questions, but we have only an hour, so I ask you to take notes with questions out at that door, there we will have a Q & A question and answer room, and then your questions will be passed on to the speakers.
So, I'm Paul Roberts, presenting the story of well-known Anonymous and Aaron Barr, an employee of the HBGary company, who stated that he revealed the leaders of this hacker group, after which Anonymous attacked the company's servers. Our portal threatpost.com, like many others, covered this story.
I am personally acquainted with Aaron, he addressed me after I wrote an editorial entitled “Win the war, but lose my soul” (the current link to threatpost.com/rsa-2011-winning-war-losing-our- soul-022211/74958 ).
This article was written during the annual RSA security conference this February. If you remember, HBGary was hacked literally at the last minute of this conference, and soon Aaron turned to our editorial board. You can find this information in google.
I was probably one of the few journalists who expressed their sincere sympathy to Aaron about the fact that he had to endure as a result of the Anonymous attack, and as you know, we were all wrong! Most of us do not have our own Stephen Colbert, who would ridicule our mistakes, which, unfortunately, Aaaron could have done for him. Therefore, Joshua and I thought that speaking at Defcon was an excellent chance to return, as I had hoped, with this case to Aaron and find out what happened then. To be honest, Aaron also really wanted to take part in our discussion, but HBGary lawyers put an end to this plan. They contacted Aaron and threatened him with a lawsuit that if he agreed to participate in today's conversation, they would inform his new employers about it and generally try to ruin his life.
Aaron is a guy who has a wife, children, a mortgage, and we know how such threats work, so Aaron was forced to refuse to participate in our conversation. However, before the start of the discussion, I still want to express to him my favor for the fact that he, at least, had the courage to accept our proposal, and if it had not been for the onslaught of the lawyers, he would have certainly come here.
So let me introduce the members of our group. The one on my left is Joshua Corman, he is the director of the Akamai Corporation Security Service.
If you have plans to attack him, just in case, I will say that he also heads the practical security unit in the regional group Defcon 451. His group has existed for more than ten years, and Joshua himself has vast experience in providing network security and software development, being also the chief strategist of IBM's Internet security systems.
Jericho is sitting on his right; he has been involved in hacker security for about 18 years, of which 12 have constituted the formation of such valuable skills as healthy skepticism and tolerance to drinking. This year, he was testing how a hacker could deal with security. This is a great prospect for creating negative feedback on the work of any security system, Jericho is a great specialist in this matter and today we will talk about it.
He thinks that the very idea of some kind of progressive thinking is outdated, because a person must think all the time. No degree, no certificate, he does not want to talk about himself and remains a champion of good faith in security. “Fair and balanced” is the motto of an incomprehensible little creature posted on the main page of his website attrition.org.
Baron von Aaarr sits to the right of Jericho. He has been a security professional for 13 years and has collaborated with IT companies such as IBM. Baron deals with incident response systems, computer forensics and security audit of a leading aerospace company.
His expertise includes the ethics of pentesting, social engineering, information security audits, open source systems research, and the like.
On the screen you see a list of our discussion participants and their Twitter accounts. And now I hand over the word Jericho.
Jericho: please raise your hands to those who do not consider themselves a jerk. I see only one hand! Leave the hall, we do not need cheaters here! Now let those who do not benefit from their work in the field of security raise their hands. Great, someone raised their hand. Finally, let those who are familiar with the background story of HBGary, or at least a half of the Anonymous saga, raise their hands. One hand is probably another deceiver! So, none of you are going to admit that you work at HBGary?
Paul Roberts: or HBGary Federal, these are different companies!
Jericho: Yes, I know that these are different companies.
Voice from the audience: I have the email address of this company!
Jericho: are they paying you?
Voice from the audience: no, they do not pay!
Paul Roberts: probably this email address was created just in February!
Jericho: OK, that narrows the search, there’s already one member in our group, Anonymous. So, think about my questions, because if you honestly raised your hand, answering at least one of them, you can safely get out of this audience. Because the task of our group is to objectively consider the position of both sides and the accusations made against Aaron, since there was too much criticism in this case, but at the same time we forgot to look at ourselves and admit that we ourselves are half way before becoming monsters.
Joshua Corman: on this slide you see information for those who do not know our philosophy - the one who does not fight monsters does not necessarily become one of them. In this sense, I observe cognitive dissonance in the behavior of those who want to join the NonOps group and the Fortune 50 guys who want to fight them. I think it is useless to talk about all these white, gray and black hats, clearing the dungeons Dungeons & Dragons.
This is not just a struggle between good and evil. I mean, some people represent Aaron by some Robin Hood, a good Arab spring that liberated the oppressed. Others see him as an evil Joker who dreams of burning the whole world. You know, when we tried to find out the truth, our conversation did not move forward, assuming a chaotic character, because we wanted to give an objective assessment of the incident without labeling good and evil. Most of all we were confused by the romanticization of the positive aspects of his act, but at the same time we were not fully aware of the roles that we would like to play ourselves. I think the point of Paul’s article is that fighting monsters like Aaron did, we lose a bit of our own soul. Aaron is the living embodiment of how you can break your personal ethics by committing such actions. As a result, we do not control the situation, but rather become a victim of circumstances provoked by us. Therefore, trying to understand this conflict, think about how you would behave when you were in the position of one or the other side. Try on the roles of both parties to the conflict, because in the pursuit of improved security, we can get to something even worse than the 2001 Patriot Act.
We can force influential, but not informed people to make powerful, but ill-considered steps.
Jericho: and pretty quickly, and Aaron probably didn't take that into account. You see these boxes with hats, and if none of these hats are right for you, try to find one of the other six cells for yourself. Baron, what do you think about this?
Baron von Aaarr: I am in the middle of all this, because on the one hand there is a government, special services and other organizations involved in such activities, especially Aaron’s company, and on the other hand, people who began to disclose how the authorities misinform people gather personal information and the like. Aaron just crossed the line, telling his company or a law firm, which is ready to pursue people in a way that even the CIA does not allow itself.
One of Anonymous also crossed this line, trying on a Black Hat, but as Jericho said, all of us are Gray Hats. One person is a terrorist, another person is a freedom fighter, and you need to know what place you yourself are in order not to be trapped in a vice.
Paul Roberts: thanks, those were good thoughts. I think you first need to ask the question of who these Anonymous are and where they come from.
Joshua Corman: I will take a hit and express the opinion that several people from this group are present in this room, and maybe even on this stage. This is not just a group, and we all know about it; it’s like a fashion brand, like a franchise. I mean some people who decided to call it that because they are doing something like “the Arab Spring” at the local level, something like the anonymous project PostSecret. This is a way to do something without fear of being caught, maybe as a whistleblower, and such people can form a very valuable part of our culture. I think that this is a kind of hijacking of ideas from small groups, and now it can either act in favor of society or pose a threat to it depending on who you are. Personally, I will be very disappointed if you really think that you can improve security by demonstrating its failures.
What the Fortune 50 did with Cisco in no way made security better and did not increase it.
Jericho: wait, do you want to say that the coverage of failures and vulnerabilities does not contribute to improving security?
Joshua Corman: No, no, let's look at it from another point of view. I mean that any intervention will have an effect, another thing that often is not the effect that we want to achieve. I do not want these processes to create chaos, but I do not want to eliminate those who do, just let us somehow organize our game. Why not direct LulzSec activity, for example, to sites that exploit children, or why people don’t bother to find jihadi sites. We have the opportunity to cause not just chaos, but to cause deliberate chaos, so to speak.
But if in reality we feel powerless over the fact that PCI-hijacking has seized our industry, if in reality we don’t know how to do our work responsibly, because the management doesn’t want to listen to us, then there could be more constructive ways others.
Baron von Aaarr: I think they came up with this after they first said that they just wanted to crack these things in order to give some legitimacy to their actions. They wanted to catch someone, which would then sue him in court, saying: "We did it because we believed in it." I do not believe that this is the point. I think that this practice is widespread up to the highest state level, so we have actors in many countries that attack various things, and they can fulfill the role of red blood cells, who work within other government intelligence groups, because they are Anonymous !
Jericho: I disagree with this definition. I mean that we, working in this industry for a long time, 40 to 80 hours a week, beat our heads against the wall, because we are not listened to. How many of us have gone through the fact that the result of our work can cause physical changes in the detected problem only after, say, 15 years? At the same time, every six months we return, recheck the results of our pentesting and see that absolutely nothing has been fixed! They did not fix remote services, did not clean the software, they did nothing of what we recommended them to do. So maybe now it is the turn of Anonymous or LulzSec to take on these companies, to “bend” them, thereby awakening them from hibernation? (audience laughter)
Baron von Aaarr: I agree that Anonymous could act as a business model. I would agree that there is a need for this, but I think that even after this, the bosses of the companies will simply return to their somnambulism, to games with their iPads and other new toys, while continuing to ignore the security policy, thinking: “this does not concern me, because I belong to the level "C". So no matter how frightened they are, they will still return to the old unfit pattern of behavior, and nothing will change.
Joshua Corman: I absolutely do not think that hacker attacks can serve as an opportunity to somehow change the existing situation in favor of strengthening security. I saw the reaction of the victims of the LulzSec attacks and I assure you that this did not make them smarter. This is my point of view, but I think that here there is an opportunity to initiate another conversation in order to move the matter forward. Instead of just standing still for 15 years, until our work takes effect. I just do not see such messages reach their goals. Look at Sony. Its leadership believes that the earthquake brought them much more destruction and financial damage than hacker attacks - if I'm not mistaken, there were 23 attacks on Sony on the Jericho website.
Let's just think about temporary changes - we have moved from unmotivated and ignorant chaotic behavior of the actors to their conscious and motivated actions, but at the same time, we have simply simply moved from the inaction of one kind to the inaction of another kind. In fact, I'm very sorry for Sony. Yes, we have shown vulnerability in its security systems, however, it is impossible to compare losses from an earthquake with losses from attacks, and I am afraid that powerful, but ignorant leaders will find the losses of the latter kind quite acceptable. I don’t say “do not do this”, I just think that there are many aspects that allow us to direct these events in the right direction, because if this serves as another reason to ignore our entire industry, it means we screwed up.
Jericho: you say that companies are not learning anything, but as an example, I’ll say that after LulzSec was “hacked” by Sony in not very sophisticated ways, they immediately dismissed all Internet security personnel. So they study well, but it may be that someone in their own security service was Black Hat. If they had all this security staff, who didn’t care, it was possible that this person decided to provoke such a situation so that they would understand what the neglect of safety recommendations would cost them?
Joshua Corman: maybe it makes sense to attract people like me, for example, to the press, to control the situation in this area? Because what Anonymous and LulzSec could do with Sony is a good lesson. I try not to focus on exactly how they did it, nobody cares that there are a million ways to do this.
If you ignore the Pentester, who discovered the vulnerability of your platform, then you should be ready for what you have "will have". I believe that if you don’t try to understand what is behind what is happening, then these actions will have even more negative consequences for you, so I just hope that such attacks will be able to teach the company something.
Paul Roberts: I think you know that hacktivism has a long history, just look at the Electronic Disturbance Theater group, founded in 1997, a whole legion of underground groups calling themselves the Cult of Dead Cow federation, the “Cult of a Dead Cow” and so on. You know that many hacktivist incidents, and this is documented, were provoked by political reasons, such as the struggle for human rights. I think Joshua meant it when he talked about creating a better Anonymus. I just want us to try to find some kind of link, similarities between hacktivist operations in Tunisia and Egypt, attacks on Sony, anonymous Anonymous attacks on HBGary and pentesters' activities, so that we try to figure out what binds us together and what we can to do.
Baron von Aaarr: I would like to go back a little. It is not by chance that insurance against hacking rises in price. Many companies, in particular, I heard about it yesterday, but I will not mention the names, fired a bunch of people from the security service and bought insurance against hacking.
Jericho: I'll pay you $ 100 right now if you call them!
Baron von Aaarr: no, thank you!
Paul Roberts: Who among those present in this audience have burglary insurance? Baron von Aaarr: let's go back to your question, did I forget how it sounded?
Paul Roberts: he referred to the fact that historically hacktivism was ideologically motivated, whether it was opposition to China and support for Myanmar or speaking out against the Republican Party, God bless her. Но если посмотреть на Anonymous или LulzSec, то довольно трудно понять, что же они пытаются донести обществу своей деятельностью. Операции хактивистов в Тунисе и Египте выглядели однозначными, и было понятно, что они пытались доказать, но в случаях с Sony и HBGary мне было не понятно, чего они добивались.
Барон фон Ааарр: я бы сказал, что в генезисе у Anonymous была борьба с саентологией. У них были люди, вовлеченные в сайентологию, у них были друзья, были семьи, которые поддерживали это течение, и началом деятельности Anonymous было создание сайтов, критикующих Церковь сайентологов. Они вступили в борьбу с гигантом, у которого было много денег и много адвокатов. Они постарались организовать настоящую «арабскую весну», они старались сделать что-то хорошее и противостоять посягательствам на интернет. Но когда движение «Анонимус» начало ветвиться на AntiSec, LulzSec и всё то, что возникло прямо перед HBGary, стало понятно, что это нечто совершенно другое. И я уверен, что их мотивацией начать атаку стало то, что Аарон рассказал о них публично в новостях, чем разрушил их анонимность, и именно за это они его наказали. Его вина состоит в том, что правда о том, что они делали, стала выходить наружу. Но после этого LulzSec стали выглядеть утратившими конкретную цель — теперь они просто нападают на полицию Феникса, штат Аризона, потому что им не нравится местное иммиграционное законодательство.
Мне оно тоже не нравятся, но сотрудники правоохранительных органов, которые обязаны по долгу службы блюсти законы, принятые законодательным органом, и которые не имеют никаких рычагов влияния на законы, кроме собственного голоса избирателя, не заслуживают, чтобы их подвергали опасности. Говорят, что недавно был опубликован список CIS, я его ещё не видел, но находящиеся в нем люди также могут подвергнуться опасности, потому что их имена известны как CIS.
Джошуа Корман: я знаю, что в этой аудитории присутствует множество практиков, желающих изменить положение вещей в свою пользу. Мы ежедневно тяжело трудимся ради того, чтобы убедиться, что можем выполнить свою миссию, но когда происходят подобные показательные, шумные, хорошо всем видные атаки, внимание общества переключается именно на них
Мне не наплевать на то, что они украли кучу номеров кредитных карт, но я знаю, что у этого факта очень мало отрицательных последствий по сравнению с последствиями от кражи интеллектуальной собственности, которую никак нельзя восполнить. На самом деле это отвлекает нас от нашей основной миссии, так же как PCI отвлекает нас от основной миссии, потому что наши руководители отвлекаются от управления рисками на заботу о защите стандарта платежных карт. И последствием факторов, отвлекающих от управления рисками, стали шумные DDoS атаки, ставящие под угрозу целые организации и приводящие к увольнениям, утрате этих незаменимых активов.
Так что теперь мы имеем новую шумную вещь, которая отвлекает нас от истинной миссии. Мы все знаем о группах, раскрывающих случаи эксплуатации детей. Никому из нас не нравится эксплуатация детей, и мы знаем, что существуют плохие люди, делающие плохие вещи, такова специфика интернета. Однако с ними можно бороться менее вызывающим образом.
Пусть поднимут руки те, кому не нравится тактика манипуляции покупательским спросом FUD в нашей индустрии. Ведь наверняка кто-то сталкивался с поставщиком продукции, которая была полным дерьмом.
Как известно, существует три составляющих FUD — Fear, Uncertainty, Doubt, страх, неуверенность и сомнение, способные вызвать такой же эффект, который вызывает трехзвенная DDoS- атака или DDoS кампания, так что мы получим возможность удерживать продавцов от распространения всякого дерьма, распространяя среди них страх, неуверенность и сомнение.
Джерико: короче говоря, Anonymous должны разработать меню, например, двухдневной DDoS атаки на недобросовестных продавцов.
24:55 мин
Конференция DEFCON 19. Anonymous и мы. Part 2
Thank you for staying with us. Do you like our articles? Want to see more interesting materials? Support us by placing an order or recommending to friends, 30% discount for Habr users on a unique analogue of the entry-level servers that we invented for you: The whole truth about VPS (KVM) E5-2650 v4 (6 Cores) 10GB DDR4 240GB SSD 1Gbps from $ 20 or how to share the server? (Options are available with RAID1 and RAID10, up to 24 cores and up to 40GB DDR4).
VPS (KVM) E5-2650 v4 (6 Cores) 10GB DDR4 240GB SSD 1Gbps until spring for free if you pay for a period of six months, you can order here .
Dell R730xd 2 times cheaper? Only we have 2 x Intel Dodeca-Core Xeon E5-2650v4 128GB DDR4 6x480GB SSD 1Gbps 100 TV from $ 249 in the Netherlands and the USA! Read about How to build an infrastructure building. class c using servers Dell R730xd E5-2650 v4 worth 9000 euros for a penny?
After the speech, we are going to answer questions, but we have only an hour, so I ask you to take notes with questions out at that door, there we will have a Q & A question and answer room, and then your questions will be passed on to the speakers.
So, I'm Paul Roberts, presenting the story of well-known Anonymous and Aaron Barr, an employee of the HBGary company, who stated that he revealed the leaders of this hacker group, after which Anonymous attacked the company's servers. Our portal threatpost.com, like many others, covered this story.
I am personally acquainted with Aaron, he addressed me after I wrote an editorial entitled “Win the war, but lose my soul” (the current link to threatpost.com/rsa-2011-winning-war-losing-our- soul-022211/74958 ).
This article was written during the annual RSA security conference this February. If you remember, HBGary was hacked literally at the last minute of this conference, and soon Aaron turned to our editorial board. You can find this information in google.
I was probably one of the few journalists who expressed their sincere sympathy to Aaron about the fact that he had to endure as a result of the Anonymous attack, and as you know, we were all wrong! Most of us do not have our own Stephen Colbert, who would ridicule our mistakes, which, unfortunately, Aaaron could have done for him. Therefore, Joshua and I thought that speaking at Defcon was an excellent chance to return, as I had hoped, with this case to Aaron and find out what happened then. To be honest, Aaron also really wanted to take part in our discussion, but HBGary lawyers put an end to this plan. They contacted Aaron and threatened him with a lawsuit that if he agreed to participate in today's conversation, they would inform his new employers about it and generally try to ruin his life.
Aaron is a guy who has a wife, children, a mortgage, and we know how such threats work, so Aaron was forced to refuse to participate in our conversation. However, before the start of the discussion, I still want to express to him my favor for the fact that he, at least, had the courage to accept our proposal, and if it had not been for the onslaught of the lawyers, he would have certainly come here.
So let me introduce the members of our group. The one on my left is Joshua Corman, he is the director of the Akamai Corporation Security Service.
If you have plans to attack him, just in case, I will say that he also heads the practical security unit in the regional group Defcon 451. His group has existed for more than ten years, and Joshua himself has vast experience in providing network security and software development, being also the chief strategist of IBM's Internet security systems.
Jericho is sitting on his right; he has been involved in hacker security for about 18 years, of which 12 have constituted the formation of such valuable skills as healthy skepticism and tolerance to drinking. This year, he was testing how a hacker could deal with security. This is a great prospect for creating negative feedback on the work of any security system, Jericho is a great specialist in this matter and today we will talk about it.
He thinks that the very idea of some kind of progressive thinking is outdated, because a person must think all the time. No degree, no certificate, he does not want to talk about himself and remains a champion of good faith in security. “Fair and balanced” is the motto of an incomprehensible little creature posted on the main page of his website attrition.org.
Baron von Aaarr sits to the right of Jericho. He has been a security professional for 13 years and has collaborated with IT companies such as IBM. Baron deals with incident response systems, computer forensics and security audit of a leading aerospace company.
His expertise includes the ethics of pentesting, social engineering, information security audits, open source systems research, and the like.
On the screen you see a list of our discussion participants and their Twitter accounts. And now I hand over the word Jericho.
Jericho: please raise your hands to those who do not consider themselves a jerk. I see only one hand! Leave the hall, we do not need cheaters here! Now let those who do not benefit from their work in the field of security raise their hands. Great, someone raised their hand. Finally, let those who are familiar with the background story of HBGary, or at least a half of the Anonymous saga, raise their hands. One hand is probably another deceiver! So, none of you are going to admit that you work at HBGary?
Paul Roberts: or HBGary Federal, these are different companies!
Jericho: Yes, I know that these are different companies.
Voice from the audience: I have the email address of this company!
Jericho: are they paying you?
Voice from the audience: no, they do not pay!
Paul Roberts: probably this email address was created just in February!
Jericho: OK, that narrows the search, there’s already one member in our group, Anonymous. So, think about my questions, because if you honestly raised your hand, answering at least one of them, you can safely get out of this audience. Because the task of our group is to objectively consider the position of both sides and the accusations made against Aaron, since there was too much criticism in this case, but at the same time we forgot to look at ourselves and admit that we ourselves are half way before becoming monsters.
Joshua Corman: on this slide you see information for those who do not know our philosophy - the one who does not fight monsters does not necessarily become one of them. In this sense, I observe cognitive dissonance in the behavior of those who want to join the NonOps group and the Fortune 50 guys who want to fight them. I think it is useless to talk about all these white, gray and black hats, clearing the dungeons Dungeons & Dragons.
This is not just a struggle between good and evil. I mean, some people represent Aaron by some Robin Hood, a good Arab spring that liberated the oppressed. Others see him as an evil Joker who dreams of burning the whole world. You know, when we tried to find out the truth, our conversation did not move forward, assuming a chaotic character, because we wanted to give an objective assessment of the incident without labeling good and evil. Most of all we were confused by the romanticization of the positive aspects of his act, but at the same time we were not fully aware of the roles that we would like to play ourselves. I think the point of Paul’s article is that fighting monsters like Aaron did, we lose a bit of our own soul. Aaron is the living embodiment of how you can break your personal ethics by committing such actions. As a result, we do not control the situation, but rather become a victim of circumstances provoked by us. Therefore, trying to understand this conflict, think about how you would behave when you were in the position of one or the other side. Try on the roles of both parties to the conflict, because in the pursuit of improved security, we can get to something even worse than the 2001 Patriot Act.
We can force influential, but not informed people to make powerful, but ill-considered steps.
Jericho: and pretty quickly, and Aaron probably didn't take that into account. You see these boxes with hats, and if none of these hats are right for you, try to find one of the other six cells for yourself. Baron, what do you think about this?
Baron von Aaarr: I am in the middle of all this, because on the one hand there is a government, special services and other organizations involved in such activities, especially Aaron’s company, and on the other hand, people who began to disclose how the authorities misinform people gather personal information and the like. Aaron just crossed the line, telling his company or a law firm, which is ready to pursue people in a way that even the CIA does not allow itself.
One of Anonymous also crossed this line, trying on a Black Hat, but as Jericho said, all of us are Gray Hats. One person is a terrorist, another person is a freedom fighter, and you need to know what place you yourself are in order not to be trapped in a vice.
Paul Roberts: thanks, those were good thoughts. I think you first need to ask the question of who these Anonymous are and where they come from.
Joshua Corman: I will take a hit and express the opinion that several people from this group are present in this room, and maybe even on this stage. This is not just a group, and we all know about it; it’s like a fashion brand, like a franchise. I mean some people who decided to call it that because they are doing something like “the Arab Spring” at the local level, something like the anonymous project PostSecret. This is a way to do something without fear of being caught, maybe as a whistleblower, and such people can form a very valuable part of our culture. I think that this is a kind of hijacking of ideas from small groups, and now it can either act in favor of society or pose a threat to it depending on who you are. Personally, I will be very disappointed if you really think that you can improve security by demonstrating its failures.
What the Fortune 50 did with Cisco in no way made security better and did not increase it.
Jericho: wait, do you want to say that the coverage of failures and vulnerabilities does not contribute to improving security?
Joshua Corman: No, no, let's look at it from another point of view. I mean that any intervention will have an effect, another thing that often is not the effect that we want to achieve. I do not want these processes to create chaos, but I do not want to eliminate those who do, just let us somehow organize our game. Why not direct LulzSec activity, for example, to sites that exploit children, or why people don’t bother to find jihadi sites. We have the opportunity to cause not just chaos, but to cause deliberate chaos, so to speak.
But if in reality we feel powerless over the fact that PCI-hijacking has seized our industry, if in reality we don’t know how to do our work responsibly, because the management doesn’t want to listen to us, then there could be more constructive ways others.
Baron von Aaarr: I think they came up with this after they first said that they just wanted to crack these things in order to give some legitimacy to their actions. They wanted to catch someone, which would then sue him in court, saying: "We did it because we believed in it." I do not believe that this is the point. I think that this practice is widespread up to the highest state level, so we have actors in many countries that attack various things, and they can fulfill the role of red blood cells, who work within other government intelligence groups, because they are Anonymous !
Jericho: I disagree with this definition. I mean that we, working in this industry for a long time, 40 to 80 hours a week, beat our heads against the wall, because we are not listened to. How many of us have gone through the fact that the result of our work can cause physical changes in the detected problem only after, say, 15 years? At the same time, every six months we return, recheck the results of our pentesting and see that absolutely nothing has been fixed! They did not fix remote services, did not clean the software, they did nothing of what we recommended them to do. So maybe now it is the turn of Anonymous or LulzSec to take on these companies, to “bend” them, thereby awakening them from hibernation? (audience laughter)
Baron von Aaarr: I agree that Anonymous could act as a business model. I would agree that there is a need for this, but I think that even after this, the bosses of the companies will simply return to their somnambulism, to games with their iPads and other new toys, while continuing to ignore the security policy, thinking: “this does not concern me, because I belong to the level "C". So no matter how frightened they are, they will still return to the old unfit pattern of behavior, and nothing will change.
Joshua Corman: I absolutely do not think that hacker attacks can serve as an opportunity to somehow change the existing situation in favor of strengthening security. I saw the reaction of the victims of the LulzSec attacks and I assure you that this did not make them smarter. This is my point of view, but I think that here there is an opportunity to initiate another conversation in order to move the matter forward. Instead of just standing still for 15 years, until our work takes effect. I just do not see such messages reach their goals. Look at Sony. Its leadership believes that the earthquake brought them much more destruction and financial damage than hacker attacks - if I'm not mistaken, there were 23 attacks on Sony on the Jericho website.
Let's just think about temporary changes - we have moved from unmotivated and ignorant chaotic behavior of the actors to their conscious and motivated actions, but at the same time, we have simply simply moved from the inaction of one kind to the inaction of another kind. In fact, I'm very sorry for Sony. Yes, we have shown vulnerability in its security systems, however, it is impossible to compare losses from an earthquake with losses from attacks, and I am afraid that powerful, but ignorant leaders will find the losses of the latter kind quite acceptable. I don’t say “do not do this”, I just think that there are many aspects that allow us to direct these events in the right direction, because if this serves as another reason to ignore our entire industry, it means we screwed up.
Jericho: you say that companies are not learning anything, but as an example, I’ll say that after LulzSec was “hacked” by Sony in not very sophisticated ways, they immediately dismissed all Internet security personnel. So they study well, but it may be that someone in their own security service was Black Hat. If they had all this security staff, who didn’t care, it was possible that this person decided to provoke such a situation so that they would understand what the neglect of safety recommendations would cost them?
Joshua Corman: maybe it makes sense to attract people like me, for example, to the press, to control the situation in this area? Because what Anonymous and LulzSec could do with Sony is a good lesson. I try not to focus on exactly how they did it, nobody cares that there are a million ways to do this.
If you ignore the Pentester, who discovered the vulnerability of your platform, then you should be ready for what you have "will have". I believe that if you don’t try to understand what is behind what is happening, then these actions will have even more negative consequences for you, so I just hope that such attacks will be able to teach the company something.
Paul Roberts: I think you know that hacktivism has a long history, just look at the Electronic Disturbance Theater group, founded in 1997, a whole legion of underground groups calling themselves the Cult of Dead Cow federation, the “Cult of a Dead Cow” and so on. You know that many hacktivist incidents, and this is documented, were provoked by political reasons, such as the struggle for human rights. I think Joshua meant it when he talked about creating a better Anonymus. I just want us to try to find some kind of link, similarities between hacktivist operations in Tunisia and Egypt, attacks on Sony, anonymous Anonymous attacks on HBGary and pentesters' activities, so that we try to figure out what binds us together and what we can to do.
Baron von Aaarr: I would like to go back a little. It is not by chance that insurance against hacking rises in price. Many companies, in particular, I heard about it yesterday, but I will not mention the names, fired a bunch of people from the security service and bought insurance against hacking.
Jericho: I'll pay you $ 100 right now if you call them!
Baron von Aaarr: no, thank you!
Paul Roberts: Who among those present in this audience have burglary insurance? Baron von Aaarr: let's go back to your question, did I forget how it sounded?
Paul Roberts: he referred to the fact that historically hacktivism was ideologically motivated, whether it was opposition to China and support for Myanmar or speaking out against the Republican Party, God bless her. Но если посмотреть на Anonymous или LulzSec, то довольно трудно понять, что же они пытаются донести обществу своей деятельностью. Операции хактивистов в Тунисе и Египте выглядели однозначными, и было понятно, что они пытались доказать, но в случаях с Sony и HBGary мне было не понятно, чего они добивались.
Барон фон Ааарр: я бы сказал, что в генезисе у Anonymous была борьба с саентологией. У них были люди, вовлеченные в сайентологию, у них были друзья, были семьи, которые поддерживали это течение, и началом деятельности Anonymous было создание сайтов, критикующих Церковь сайентологов. Они вступили в борьбу с гигантом, у которого было много денег и много адвокатов. Они постарались организовать настоящую «арабскую весну», они старались сделать что-то хорошее и противостоять посягательствам на интернет. Но когда движение «Анонимус» начало ветвиться на AntiSec, LulzSec и всё то, что возникло прямо перед HBGary, стало понятно, что это нечто совершенно другое. И я уверен, что их мотивацией начать атаку стало то, что Аарон рассказал о них публично в новостях, чем разрушил их анонимность, и именно за это они его наказали. Его вина состоит в том, что правда о том, что они делали, стала выходить наружу. Но после этого LulzSec стали выглядеть утратившими конкретную цель — теперь они просто нападают на полицию Феникса, штат Аризона, потому что им не нравится местное иммиграционное законодательство.
Мне оно тоже не нравятся, но сотрудники правоохранительных органов, которые обязаны по долгу службы блюсти законы, принятые законодательным органом, и которые не имеют никаких рычагов влияния на законы, кроме собственного голоса избирателя, не заслуживают, чтобы их подвергали опасности. Говорят, что недавно был опубликован список CIS, я его ещё не видел, но находящиеся в нем люди также могут подвергнуться опасности, потому что их имена известны как CIS.
Джошуа Корман: я знаю, что в этой аудитории присутствует множество практиков, желающих изменить положение вещей в свою пользу. Мы ежедневно тяжело трудимся ради того, чтобы убедиться, что можем выполнить свою миссию, но когда происходят подобные показательные, шумные, хорошо всем видные атаки, внимание общества переключается именно на них
Мне не наплевать на то, что они украли кучу номеров кредитных карт, но я знаю, что у этого факта очень мало отрицательных последствий по сравнению с последствиями от кражи интеллектуальной собственности, которую никак нельзя восполнить. На самом деле это отвлекает нас от нашей основной миссии, так же как PCI отвлекает нас от основной миссии, потому что наши руководители отвлекаются от управления рисками на заботу о защите стандарта платежных карт. И последствием факторов, отвлекающих от управления рисками, стали шумные DDoS атаки, ставящие под угрозу целые организации и приводящие к увольнениям, утрате этих незаменимых активов.
Так что теперь мы имеем новую шумную вещь, которая отвлекает нас от истинной миссии. Мы все знаем о группах, раскрывающих случаи эксплуатации детей. Никому из нас не нравится эксплуатация детей, и мы знаем, что существуют плохие люди, делающие плохие вещи, такова специфика интернета. Однако с ними можно бороться менее вызывающим образом.
Пусть поднимут руки те, кому не нравится тактика манипуляции покупательским спросом FUD в нашей индустрии. Ведь наверняка кто-то сталкивался с поставщиком продукции, которая была полным дерьмом.
Как известно, существует три составляющих FUD — Fear, Uncertainty, Doubt, страх, неуверенность и сомнение, способные вызвать такой же эффект, который вызывает трехзвенная DDoS- атака или DDoS кампания, так что мы получим возможность удерживать продавцов от распространения всякого дерьма, распространяя среди них страх, неуверенность и сомнение.
Джерико: короче говоря, Anonymous должны разработать меню, например, двухдневной DDoS атаки на недобросовестных продавцов.
24:55 мин
Конференция DEFCON 19. Anonymous и мы. Part 2
Thank you for staying with us. Do you like our articles? Want to see more interesting materials? Support us by placing an order or recommending to friends, 30% discount for Habr users on a unique analogue of the entry-level servers that we invented for you: The whole truth about VPS (KVM) E5-2650 v4 (6 Cores) 10GB DDR4 240GB SSD 1Gbps from $ 20 or how to share the server? (Options are available with RAID1 and RAID10, up to 24 cores and up to 40GB DDR4).
VPS (KVM) E5-2650 v4 (6 Cores) 10GB DDR4 240GB SSD 1Gbps until spring for free if you pay for a period of six months, you can order here .
Dell R730xd 2 times cheaper? Only we have 2 x Intel Dodeca-Core Xeon E5-2650v4 128GB DDR4 6x480GB SSD 1Gbps 100 TV from $ 249 in the Netherlands and the USA! Read about How to build an infrastructure building. class c using servers Dell R730xd E5-2650 v4 worth 9000 euros for a penny?
Source: https://habr.com/ru/post/436792/