I read Parmy Olson’s ‘We Are Anonymous’ over the weekend. It is the story of the infamous hacker collective that brought down the Church of Scientology, PayPal, MasterCard, Visa, Sony, the FBI and CIA among their numerous conquests. It’s a fascinating read about a group based on a contradiction: A few very talented, capable, creative people performed truly heinous acts because they thought their lives were pointless. This nihilistic perspective drove them until they were caught.
The participants were young. The oldest was 28, the youngest 16. Uniformly, they were socially awkward. They were bullied and marginalized for most of their lives. Most left the education system in middle school because they were bored or mistreated. All of them lived with parents or relatives, wreaking havoc on some of the largest organizations in the world from their bedrooms.
Anonymous was more of an accident than a movement. The book details how the hacker collective transitioned from a chaotic, leaderless group looking for lulz (fun at other people’s expense) to a very small team that stole the private information of millions of people only to give it away to secure fame and respect from the hacking community. Without recounting the book, because it’s worth reading to understand hacker culture and the underworld of the internet, I was struck by several points:
1. Most people use the same password everywhere. This practice made it easy for Anonymous to access private information. Because they got so much information to cull through, they went for the easy marks, which is most of us. Those who didn’t reuse their passwords were generally spared.
2. The hackers got a majority of their information from ‘social engineering’, conning people through chats, e-mail and phone conversations, to get access to their private data.
3. There is a HUGE underground market for private data that ranges from criminals that want to use the information for financial gain to disaffected teenagers that just want to make someone’s life a living hell.
4. Most corporations have no clue how to protect your data. Sony Pictures was hacked through the Ghostbusters page leading to a database of 200,000 records that was stored completely unencrypted.
5. While the people involved were rock stars online, known by their monikers to tens of thousands of people and by their actions to millions, most rarely left their homes. One almost never left his room, having his meals left outside his bedroom door by his mother.
6. The press over-hyped the group, which in turn caused them to do ever-bigger exploits, creating a feedback loop that increased the damage. That’s why security firms tell their clients not even to acknowledge a hack if they can avoid it.
7. Because no one actually knew anyone else’s identity, a lot of nasty stuff was done in their name. Some exploits, like the Sony PlayStation Network hack, were actually hijacked by criminals.
8. No matter how careful you are, you can never, ever, hide your true identity completely.
Let’s unpack that last point a little more. Each one of the core members of Anonymous (which went on to become LulzSec) used incredibly sophisticated techniques to hide their identities. They routed their traffic through multiple servers on multiple continents, used aliases, and never linked their true identity to the internet in any searchable way. Still, each was undone through betrayal, hubris, court orders to the very people they paid to hide them and, in two cases, a single failure of a piece of equipment that exposed their real IP addresses.
There is NO privacy on the internet. This is probably no surprise to anyone, although some people’s actions would make you think otherwise. In the book, countless people were victimized when hackers gained access to private Facebook pages or Flickr accounts by using social engineering, not code, to get to compromising photos or information. E-mails containing sensitive and embarrassing information were used to extort people. The private accounts that people relied on might as well have sat out in the open, they were so easily compromised. This brings me to the last two points:
9. Treat any communication on the internet like a conversation in a public place.
10. The people that protect you go home at the end of the day and have real lives; the people that hack you live to hack you.