Following in the footsteps of Obama's promise to fight hackers with guns, General Rapporteur Lord Jopling has issued a long and sternly worded statement to NATO, warning them of the threat hackers pose to the security of the allied nations. The draft details Anonymous' involvement with both Wikileaks and HBGary along with a rundown of recent hacktivist activity in the Middle East and Africa.
Jopling's paper is thorough and fairly well-balanced, although it includes some troubling statements about governmental transparency:
[T]he Rapporteur believes that even if one is in favour of transparency, military and intelligence operations simply cannot be planned and consulted with the public. Transparency cannot exist without control. The government, and especially its security agencies, must have the right to limit access to information in order to govern and to protect. This is based on the premise that states and corporations have the right to privacy as much as individuals do and that secrecy is required for efficient management of the state institutions and organizations.
In addition, transparency can be misused on several levels – by providing unprofessional or poor-quality interpretation of information or documents, by conducting superficial or biased analysis, by lack of experience on the topic or by pursuing a political agenda. Thus, not everything carried out under the “transparency label” is necessarily good for the government and its people.
While he makes a good point that full transparency can often lead to faulty conclusions, the fact is that this sort of thing (poor-quality interpretations of information, biased analysis, pursuit of political agendas) is happening already, and increased compartmentalization and secrecy will only exacerbate the problem. The information will still get out somehow, but at this point, nearly every government in the world is showing an unhealthy distrust of its citizens. Rather than working towards more transparency and openness, they seem to be looking to lock up as much information as possible.
Not only that, but the claim that "states and corporations have the right to privacy as much as individuals do" is flat-out laughable. If this were true, these states and corporations would be an open book, especially here in the U.S. where warrantless wiretaps and searches have become just another ho-hum tool of the FBI and local law enforcement. On one hand, the government is pressuring Google and Apple to protect the privacy of their users, while on the other hand, it's demanding that said private information be harvested and retained indefinitely.
But this is merely retreading arguments long familiar to Techdirt readers. It's the point where NATO explicitly calls out Anonymous that it gets interesting. While acknowledging Anonymous' positive "hacktivism" efforts in aid of foreign rebellions, the draft also explicitly warns the group that NATO is willing to take them on and prosecute if necessary:
Today, the ad hoc international group of hackers and activists is said to have thousands of operatives and has no set rules or membership. It remains to be seen how much time Anonymous has for pursuing such paths. The longer these attacks persist the more likely countermeasures will be developed, implemented, the groups will be infiltrated and perpetrators persecuted.
It didn't take long for Anonymous to respond. Or rather, Anonymous would have responded if they weren't already tied up disrupting services in Iran, harvesting thousands of government emails and publishing Iran embassy email account information. LulzSec (whose week has already been busy, what with hacking PBS and Sony Pictures) took it upon themselves to go head-to-head with both the FBI and NATO:
It has come to our unfortunate attention that NATO and our good friend Barrack Osama-Llama 24th-century Obama have recently upped the stakes with regard to hacking. They now treat hacking as an act of war. So, we just hacked an FBI affiliated website (Infragard, specifically the Atlanta chapter) and leaked its user base.
In addition to taking Infragard offline (it was still down as of 7PM Sunday), LulzSec acquired the Gmail address of Karim Hijazi, who runs Unveillance, a "white hat" company specializing in data breaches and botnets. Hijazi released a statement on Friday confirming their attacks. His post also included an IRC chat transcript of a conversation with members of LulzSec, in which they claim they are after his money:
(KARIM) So did we wrong you in some way, let’s get to the point?
(LULZ) <@Ninetales> If you wronged us, all of your affiliates would be crushed. Don’t worry, you’re in the good books. The point is a very crude word: extortion.
(LULZ) <@Ninetales> And what we’re both willing to agree upon that you sacrifice in return for our silence.
(LULZ) <@Ninetales> While I do get great enjoyment from obliterating whitehats from cyberspace, I can save this pleasure for other targets. Let’s just simplify: you have lots of money, we want more money.
Hijazi claims to have protected any sensitive client data from LulzSec and states that he "refuses to comply with their requests." However, LulzSec's statement claims that they're not interested in Hijazi's money, but simply wish to expose his company's involvement with U.S. attacks on Libya's communication systems:
We call upon journalists and other writers to delve through the emails carefully, as we have uncovered an operation orchestrated by Unveillance and others to control and assess Libyan cyberspace through malicious means: the U.S. government is funding the CSFI to attack Libya's cyber infrastructure.
Further twists developed Saturday when a post appeared on Pastebin from someone claiming to have infiltrated LulzSec. According to the anonymous (but not Anonymous) poster, an IRC chat had led to a positive ID of four LulzSec members, naming Adrian Lamo of 2600.com as the registrar of lulzsecurity.com. A rebuttal of sorts followed shortly thereafter, claiming these supposed "unmaskings" to be nothing more than names thrown into the IRC-mix for trolling purposes:
sabu, avunti, topiary, kayla, tflow, entropy, marduk and joepie91
these are some of the lulzsec guys, distanced from anonops, keeping the heat low
sailing the lulzyboat
if you are lucky enough to be invited to their private channel
be aware it is one of many for trolling the trolls :)
yo dawg we herd j00 leik lulzsecs so we put an adrian lamos and kevin mitnicks in your lulzsecs
so you can lulz while you lulz
So, where does that leave everything? Who knows? LulzSec apparently took a joyride through Nintendo's servers, prying free a server configuration file but leaving everything else untouched, out of love for Nintendo according to their tweet:
Re: Nintendo, we just got a config file and made it clear that we didn't mean any harm. Nintendo had already fixed it anyway. <3 them!
With both the U.S. and NATO pledging to fight back against cyberattacks, it remains to be seen how much collateral damage will be needed to justify the use of something stronger than sternly worded statements. LulzSec has made it clear that others are willing to step in for Anonymous proper, if it/they are otherwise detained. While it's certainly conceivable that anti-Anonymous actions are going on behind the scenes, the events of this weekend wouldn't seem to bode well for governmental agencies worldwide.