Ep. 82: Anonymous and LulzsecThere's a fundamental social shift occurring in the hacker culture and in media. Activists are disrupting major corporate and government Web sites, stealing and leaking sensitive data, and changing how we all use the Web. Join me, Elinor Mills, and Jennifer...
Hi everyone welcome to reporters' roundtable I am a needle in the San Francisco this is our weekly show we talk about single tech topic each time and today we're talking about. Anonymous and -- sick and the changing. Hacker culture and the changing culture on the Internet and how the fear of being hacked or attacked -- out -- or exploited or fished. Or spear fished or whatever is changing the way people use the Internet. Whether you call these people at these operations. Vandals terrorists or just those darn kids in -- really changing the way I think people feel about the net and I I wanna talk about that day. And by late is also a change in late journalists do their jobs take it for me it's really interest and com. -- get into that today where anonymous and all -- came from. Who or what is going to follow in their footsteps. And I've got two great very smart people here to talk about what's happening. First from CNET news' Elinor mills joining us again on the roundtable on -- thanks to make the time I know you're busy covering this. You were just updating your your your tech tracker chart right there and easily. EM and that's the thanks again and also joining us from the Internet focused law firm -- -- will -- Jennifer -- -- I thanks for having me thanks -- Jennifer was. Until. That thing about six months ago -- some months ago come. Civil liberties director at the electronic frontier foundation -- to something such a fascinating organism and it's -- greatly. And before that -- worked at the Stanford law school's cyber law clinic and she has written for wired thank you again for coming -- It so I wanna get started here. To fill people in kind of the history of anonymous and where -- anonymous come from. And what was their stated mission -- -- you wanna just give us a little background on and who and what we're talking about here. -- it well it seems like they've been around since media I don't know there was references. In 2003. Because this started out slow. Taking on different causes. And then they really ratcheted things up last year with that the DDoS or denial of service attacks in support of Wiki -- Ended the origin it seems like they may have come from the four Chan. Bulletin board. Kind of sort of an edge you know fringe group online where they. Do a lot of crazy antics that -- aren't you know. PG thirteen. But they have political events and you know they've gone after you know I'd done. -- -- cyber attacks and and protests against. The Church of Scientology Internet -- that that's -- our first heard about anonymous. -- 1006 maybe weren't out yet it -- attacking Scientology's website. -- a win win this Church of Scientology and they're all about free expression in an Internet you know. Against. You know attempts to us stop. Sharing information pirating things like that the -- against censorship and so they took took. Issue with feature to -- -- trying to remove from the Internet for copyright purposes clips of Tom Cruise speaking you know. From a bit internal video so anonymous attacks. Big organizations. Churches governments corporations write yeah they put on a -- had come. And attacks in dairy -- against Libya Egypt Indonesia Malaysia. The -- one this week with kind of interesting against the city of Orlando. To protest the arrest of -- volunteers for a food. Not bombs program. Who were arrested for a feeding the hungry in public Nadine have a permit for police arrested a -- in the volunteers. -- -- And they've gone after an Arizona police so its political activism brought on line -- and then we've got the new kids or aren't in -- -- Now what now that's different right -- what's lol so it will I -- from what I understand from you know. Talking to people what what. Apparently. Happened is that there was. Around the time of in the spring when H. -- Borer. From HB -- I'm came out that it be Gary federal it's -- and computer security bank specializing in federal contracts and also like. -- -- in China you know date information on. Came out and said the CEO of this group this company can mount said we're gonna -- anonymous and then I'm going after you know the leaders of this group. And that. Prompted them to go after him and his company unique audience in got a lot of information you know emails and documents and a lot of very sensitive and private and personal embarrassing information and also information about how they work it working -- trying it contracts. With companies to. You know going in you know trying plants get information about. Other. -- consumers who are opposed to companies say it it goes kind of -- but anyway so they they -- basically these operation that we're going on inside HB. -- And then. From then they you know it's so it's so basically the -- sect members. Are believed to be the group that might have been behind but the -- also -- as I understand it works differently. I -- won't win win. Anonymous. Attacks. Goes on the attack and the attack a corporation and me and it'll take down a corporation website -- Seemed to be doing. A little bit more consumer focused -- is that right. Consumer I mean they were they were unveiling. Users' names. Were -- -- Yeah well they and not not I mean users in the sense of if if -- in an organizational things started out okay so they started out in -- on May acting. With -- Fox. The network and yes consumers. Contestants for an ex -- on contest -- tank and they went is something with it you United Kingdom ATMs in the UK. -- then they went after Sony music Japan. And so the -- -- releasing information. From those sites inundated -- to prove that they actually had compromised the -- -- on so they showed up shortly after. Anonymous did the denial of service attack on Sony that had started up -- -- Jennifer how. All illegal is what anonymous -- all -- are doing a New York your role here by the way it its interest -- we are talking before. You both defend people who are accused of hacking. As well as the companies who -- come come under attack right so it discuss the legal framework that you work under here. Writes -- it I mean it's interesting and there are -- there's a very broad federal law in the United States and -- each state has its Omaha. That prohibits unauthorized access to computers. And -- also interfering with the normal operation of computers and causing damage. And and then there are also laws that require companies to you -- -- inside their customers and certain kinds of personal information. Is and breached -- accessed by an intruder in an have to let their customers now so there's a lot of responsibility. And on the part of victim companies. And then and my firm counsels people on that as well but you know in terms of that anonymous while sex -- the attacks on computers. You aren't a lot not very -- you're getting unauthorized access to computer. Then you're breaking the federal and probably the -- whatever state you're in in the state that the servers that your attacking Marion. And -- Theres not much in -- on the part of the -- discriminating between. People who hack for political reasons urged his people act for the fun of it vs people who -- for your financial benefit. And you know that may go to sentencing. -- -- Discretionary stuff about how the prosecution cheats you but it's still the fundamental thing is only now. So where are we now when it comes to anonymous -- secretary who is. Come under the thumb of the law would have there been arrests and what is the state of the the legal. Repercussions that -- these hackers and activists are facing. Yeah out -- to give the Akron -- -- back started doing a lot of things and for the for the -- you know well flat panel out. But they kind of said that -- -- gonna call quit after 58 spree last weekend. They've merged back with anonymous from what I can tell and they anonymous and -- -- A week or two ago had said we're gonna joint forces to target government entities. And big companies and financial. -- -- -- Sites -- You attack -- -- basically. And so they're kind of done that under the under the umbrella of anti anti security at the new campaign they're doing things snap together under that umbrella. And an -- that they're giving. Was an. Art it's so that the arrests of -- Okay so. There have been -- and it's started on in December there was a Dutch guy arrested. As part of anonymous for attacks last year on a DDoS attacks on visa and PayPal MasterCard in support of WikiLeaks. There were -- earned the -- in search warrants in the US. Forty search warrants but I I -- -- anything from of those. As far as you know a restaurant in -- in five people in Britain. For this you know anonymous activity. In Australia and -- early in June. Three people in Spain and 32 people -- our main jail. That's into question item and -- had any fine. These people -- mailed anonymous while second -- all this a bunch of this is a -- ma above of hackers. There's no leader as far as we know it seems rather. How are they run and -- they find these guys. Well attended two different questions yet -- Patti did the investigation and and the second is what -- -- -- telling -- about the group if indeed a group that is. And and and in and I think. There's that sort of people can do you think it's under the name anonymous they call themselves anonymous the we don't really now whether there is any kind of centralized leadership whether there's an eye hand coordination or anything like that same thing at wells that we don't really know. And if it's an organization. That mean we think of organizations -- -- affiliation. Of people are just individuals who acting call themselves. By that name because they have some sort of affinity -- then -- with your -- Michener enactment and in and that is good influence how the investigation scam because. Once you find somebody the -- the question is can that -- -- -- to somebody -- how do you find people in the first place. And you know we say we used to say on the Internet nobody knows -- -- -- well now we know -- now we don't actually almost everything you do on the Internet track of all. -- at the addresses that the computers used to exchange information. Once they find your IP address they can Trace that IP address to back to servers and from those servers to other servers and it actually takes a bit of sophistication and knowledge to really hide your tracks -- snow and it -- People are -- -- ball and I think that hoping is you find somebody somebody who made a mistake or somebody. Low level and -- news. You know could be caught and didn't cover their tracks and then hopefully that person knows enough. And that either their computers will shadow or interviewing men and questioning them will show -- other people who are involved in the projects -- This is gotta be a -- a global enterprise two. Protect businesses and companies and governments against. Against hackers. Not just the US thing in your US offer right right so how do you deal with the fact that you know you might have. One person you're -- you think you're. Trying to find -- in Pennsylvanian another one in Iraq I mean how do you deal with. Well the US government and FBI has relationships -- lot of Palestinians and many many other countries we have treaties with other countries that sharing -- -- and and and we casts and some liver malady with the way that our investigations can go in we're dealing with people learn on United States citizens -- It is much more difficult to do investigations when they involve international conspiracy it's. And and it is possible. And you know once they find somebody -- -- it go from there. I think that it may be the diverse geographical feature -- -- suggests that the that the movement's really -- that meat -- -- coordination between nine otherwise imagine the them and buy it you know once they -- people's computers they're gonna go through those with the nineteenth comment. It's not surprising that there's been search warrants. Executed. And nothing's come of it yet consultants can take quite a while for -- forensic investigation to be completed. Very prosecutors -- -- proceed so they had. Brian Cleary in nineteen year old in the UK and capacity for about a -- over a week just recently I think he was released last week. On what happened during that week he think I mean I'm not beyond the UK little air and let you know they are probably trying to figure out. What his role -- is who does he now. -- and can they get that information from him. Either you know because he's scared and he wants to -- -- because they -- dealing give -- some benefit order for it in exchange for. Avenue in the United States system that's a very common way of trying to find the conspirators as you catch somebody and you get content to -- -- -- -- You know. The covering this -- -- -- are talking Cuba covering this and Jennifer you before when we just came in its kind of like. From a journalist's perspective covering the mob. Cause you real it's fascinating and you're covering something it's really interesting and an extremely important. But it scares of Jesus had anything to go and write a story about anonymous. Because you worry that you're gonna come under attack itself. So is covering this do you think. That coverage of these. Of -- -- anonymous other hackers we can -- the center is getting a fair shake journalistically because of that -- and very natural fear of a being the target of reprisals from its. Bouncing -- question. It it goes with the territory you know you used you may suffer reprisals. And the hackers you know I'm talking collectively but they're all individuals with their own you know perspectives and and you know frustrations and whatnot. On it -- -- if they don't like most sources of you know I -- storing them and unlike -- and I gave on it like. You know unlike any email or whatever but here you -- on get a -- threatening you know to. I don't know -- ever you know hack me -- you know -- -- information or whatever if they don't like my story so. That there is a fear of you don't you want to be really fair. But you still have to report the news you -- U cant not report things -- -- Give a fair you know full perspective so there is a fine line to walk yet it's something -- in -- -- for sure and I think -- little's idea. Yeah Matt -- NASA -- just as as a news consumer I think what it thinks it's been so interesting is that. And it first of all there's this feeling like these guys can do anything but it you know what we really actually -- is that. A lot of the major companies that they've been able to break into -- they've broken into youth through. And vulnerability is that we've known about him for years and vulnerabilities that -- -- how to fix for years. And I think their Amber's an -- of that -- and that. And you know kind of in our little world of -- less -- lawyers who do security insecurity researchers and people are knowledgeable about it. On the one hand we understand that there are some real people out there aren't getting hurt and -- -- their passwords -- being distributed and stuff. An end and that but then we also have this kind of we think it's wrong but we have this mixed feeling like it's partially the fault of the people who -- in disclose this sensitive information online. Let's partially the fault of the large company -- who didn't fix their sequel vulnerabilities. And -- our storing people's passwords in the clear right. The thing is the peoples -- passwords are being stored in clear are the innocence and they're -- -- -- that's right so how is the the existence of these groups. Changing not just the way that we as as professional to cover this stuff and or prosecuted -- against the stuff you'll have -- consumers. Palace is changing you think the the tenor of the way people use the -- what they do online. Yeah I mean it's -- question will people actually change their behavior. And and I think we know sort of from those of us who are stronger privacy advocates have long lamented that people don't do enough to take care on privacy and and that the question is I guess is this reading it missed trust even -- major companies that you expect to have the resource protector -- at the at. And are people doing things differently and think about whether to sign up when it. In various kinds of service providers. Give her credit card is something credit card if you now maybe hopefully they're learning not to use the same password on multiple accounts. Mean that's just kind of learning is this -- -- Let it out well yes I keep saying but so then you see the emergence of companies like last past the business like last -- which is a password manager and then guess what. It looks like -- it probably currently possibly the last -- itself -- -- so this there's this this. I believe that consumers are are being. The learning helplessness like there's nothing you can do this they say so what does that do to the Internet how to businesses who rely. Aren't consumers trusting them deal with this. Growing feeling that we're helpless when it comes to doing anything -- -- But they come companies are not helpless and that's the -- -- -- negligence here that they're not even. Doing basic software patches and updates that old holes you for years that that should that were -- years ago are still open. And that's how hackers are getting -- -- -- -- dying due diligence companies as big as Sony and and governments. That are protecting our data so I think really there is an onus on. They'll website administrators and owners to do more to protect our data and that's what I think that's -- big message of what the hackers have here. They're trying to say is look you know. Really you know you can't trust -- marketing. I wish they would I think it's it's one thing to report that there is a vulnerability but. I wish they would redacted the personal information you know send a message prove that the company didn't do enough to protect your data and that it at this glaring -- but don't. Don't let you know consumers suffer. Com that's -- person I wish I site kind of support. Then the idea of holding companies accountable but when it when you know when you have all these other -- thing that's that the problem Jennifer. I think you know we've kind of new producer turned a blind guy known that sites are insecure but nobody is really you know done anything about it and now there's sort of this message like the Internet is unsafe at any speed and and that's not actually true -- and -- -- with enough resource is. Probably anybody can get hacked but -- -- in some low lying fruit here. And there is a lot of very basic stuff that companies can do it's -- protect their customer's data and now I think maybe what we'll see as something that. Privacy advocates have wanted for a really long time which is customers. Taking self help measures and using services that encrypt it taking -- care about their passwords enactment in order to try to protect. -- Some of the you know the biggest repositories of information in the hands of governments state federal other countries' governments. What -- the government response and this I saw a story this morning that them only slightly related this that Canada has set up they WikiLeaks war room. -- what other responses are we -- to this. Growing perceptions that you know if you upset some civil rights group. That you're gonna get attacked by a bunch of people that you can put your thumb on. Wouldn't put people what -- government still. Well you know this is and something I know some people talk about it is this all just in IBM noted -- -- and the United States government to -- even stricter. And anti hacking laws with even stronger -- penalties them. And which I think it's unnecessary -- -- -- very -- penalties are already very high. And you know that it's really. I don't think that -- going to be the thing it -- security. And -- think that. And -- Companies -- countries and baker street at I think -- this as a separate problem from from the WikiLeaks is -- the without the answer basic computer security and WikiLeaks is about. And -- role of open instant and secrecy in in democracy. I do wanna touch briefly on the connection between anonymous and WikiLeaks and -- or you mention that -- the confidential and anonymous had supported WikiLeaks. In in some ways how are these these concepts and these organizations. Linked to each other. Anonymous. Is they they support you know free expression on the Internet especially in your network freedoms so they took on the Wiki -- -- there. And that's that's. How -- that's about it yet that will mean and in it's it's there you know move against the man to there there are up frustration with you know the status quo. But also. They recently have the anti -- Campaign that is very you know exposing of public and government corruption. Like that the sup and that this is anonymous animal -- anti second they -- revealed a lot of information from -- on emails and documents from Arizona state department of public. Safety not exposing corruption sounds like a WikiLeaks mandate not a hacker -- I mean elite commanding not a Haberman. It is they also I want to mention -- just also this week released. What are they calling it. Hacker -- leaks and locally studies -- to whistle blower. Sites that people -- for local leaks it's kind of like a -- -- WikiLeaks on the local level you to have. Information or evidence of local corruption. You can. You know submit information anonymously -- and assisted anti sect and then also then hack leaks is just for you know dumping -- it's stolen. So that the WikiLeaks concept. And getting data and leaking it is that's it -- that. That concept has taken root on it in and from various sources not just the WikiLeaks groups -- other groups as well. -- I mean that's that's what they're printed trying to do you -- on you know -- another level. I I do not see good things happening on the Internet. In terms of openness and security and the free flow of information. In reaction and asked companies re activists do you mean it seems like this could cause people to really lock down. Well you know it's interesting because we want companies to be very locked down when it comes to protecting their user's information. And we want governments to be open and transparent and responsive to their citizens. And -- you know it there's. The disk we have a different expectation for private industry leading for government and I think that's right. And where there is a responsibility to keep information secured new companies need to do that and I think -- we see. Better security practices. In industries where the companies are the ones that suffer the financial damage as a result of the -- That we think what we've seen is that companies are a little bit -- of people who suffered that damage -- that users and that the company itself. In your question the -- as well. Will there be a backlash against us companies as -- -- guess what I'm not gonna participate in the Sony networker I'm not gonna get my information over to the fox and contest or something like that. And I made -- you know I I I I think there's kind of a collective action problem Arab attachment that's how it's going to be that I hope that. -- bad publicity is going and make companies. Be more careful. And I think that there -- -- sound you know maybe there should be some best practices on the part of security vendors are people who are in the business of data protection. To some very basic things about you know what the standards are written -- building a secure system because we know how not to do it and a lot of these places did -- exactly that way up but even when it's. -- caring they don't always follow it right and it's a minimum of -- of of requirements like that PCI -- card industry. You know a lot of times I mean it's it's it's not regulated it I mean it's not mandatory it's all voluntary. We still have you know credit card information gaining you know sold on the underground -- mean. It's crazy. -- -- you could argue for regulation that we need to force these companies that they're not gonna do it on their own if they're not worried enough about reputation -- losing customers. You know maybe they need to be required to. Regulation. -- Is another unit tort liability and all our you know there's been a lot of suggestions. About their insurance as an incentive Eisner and insurance companies ED -- diligent about checking for securities has been a lot of talk. And it has been for years about what we continued to it'd make the companies in accidents carry. Getting insurance companies' involvement putting big financial and some on and that's the smart way to do it. A -- in the chatroom asked. Is it really smart to allow anonymous and all -- to use social media. To communicate to their followers or would it be better to shut them down. I think the question a couple levels in -- take -- To shut them down that's that's censorship and I I don't think and I mean. No that's that's not a good idea so let them run rampant on Twitter and FaceBook and wherever you just just like. Just like the US for -- church and date you know can have their -- there. Activities and the Nazis can have their their rates in the us I mean it's that's free expression. And -- you don't have to subscribe to -- If you don't wanna hear it. I will also Angeles -- Remind you that. FaceBook and social networks are gold -- for law enforcement. People and prosecutors. To find networks affiliated people I mean -- so as much as a hacker group and can use a social network to rally its cause -- -- that network can also be used against them. And we'll tip off yeah I mean one of that unit one of the pieces of this puzzling is imminent -- -- angered and summit that hackers as then -- yet that. Investigators would be looking at who visited certain blogs satan SC who is asked where. Various that security people. What we think it's going to happen next are we. At the beginning the middle -- the end of of -- change and in the way people attack business is the way security is handled the way consumers view. The Internet. What's the trend that we're looking at here in a close with. I have to say that this is just sort of -- A wave. But not -- teachings. The business just you know and intensity right now because you have the anonymous and -- -- spin -- Being feeling inspired -- -- powered by WikiLeaks. So there is a sense of you know we do ourselves to you know we can't trust -- government and we don't like what's happening. Let's take to the net and and band together collectively I can understand the frustration that they might have. But I think that you know we're gonna we're gonna continue to see that. And we saw -- activism in the ninety's you know in an in the early two thousands as well -- it's just taking on it's more intense now because of WikiLeaks. You know this -- this is not news it's just sort of right now there's a lot going. I primadonna that the security staff isn't new it's -- -- -- I do think there's a sea change in the way we deal in information. And and I think that that's because of digitized nation and you look at. Comparing Bradley demanding new leaked that WikiLeaks staff that's you know really in the news now we -- Daniel Ellsberg and the Pentagon papers and Bradley demanding. Had the ability to transport. Truckloads. Of information what would've been truckloads of information in the paper the which Ellsberg just really didn't and so you have a very different situation you have. And people do or not. You know necessarily inculcated -- -- culture of secrecy with access to an unbelievable. Amount of information. Which as because it's digitized is readily transportable across borders. And in a way -- just -- and industry be able around the world people. In just a manner that they -- was -- -- not. Physically possible. When we were dealing Adams and tonight I think that is key chains and what will be the effect of that. A year five years from -- My hope is that and you know with regards to government transparency that we will all look back on and think of it as a very good thing a good thing for democracy. And -- -- he -- that would -- spraying and seeing some that would answer transparency in our own government in learning more about. You know our practice and am in -- post Edmonton and activities that and that's my and I think level and probably actually teachers will see it a little bit of a mixed bag they'll be -- -- -- -- look at will be Michael I wish that. And you know that didn't happen in a lot of things will look at will be like you know I'm glad that the public got a chance to. -- -- -- -- -- -- -- That the Jennifer gonna thank you so much for joining -- thank you Jennifer is an attorney at does will -- and work and we find your work is he right from outside as well I -- that it's this will -- blog dot RZWILLG. Ian. BL EG dot -- dot com check out Elinor mills of course rights the CNET insecurity complex. Security coverage here at CNET news. Thanks everyone for coming in. Thank Stephen for producing another great show coming up a week from today Friday. The seventh. The -- is a first. The eight. 88 accredited whatever next Friday don't miss it it. There's we have a lot of great -- that a lot of really interesting news coverage on this whole topic and I will be putting links. To that including this great chart we have all that recent hacks and who's behind them and what the outcomes are. The -- tracker chart a little link that in the show notes that on reporters' roundtable on CNET news so check it out thanks have -- for watching -- weak but.