
Unmasked - Ars Technica [5]

is a “real asshole but knows what he’s talking about,” while “unbeliever” might be “alexander [last name redacted].”

In the end, Barr determined that three people were most important. A figure called Q was the “founder and runs the IRC. He is indeed in California, as are many of the senior leadership of the group.” Another person called Owen is “almost a co-founder, lives in NY with family that are also active in the group, including slenaid and rabbit (nicks).” Finally, CommanderX can “manage some significant firepower.” Barr believed he had matched real names to each of these three individuals.

He wasn’t doing it to actually expose the names, though. “My intent is not to do this work to put people in jail,” Barr wrote to others in the company. “My intent is to clearly demonstrate how this can be effectively used to gather significant intelligence and potentially exploit targets of interest (the other customers will read between the lines).”

He then revealed himself on Facebook to the person he believed was CommanderX. “I am not going to release names,” Barr said on February 5, using the alias Julian Goodspeak. “I am merely doing security research to prove the vulnerability of social media.” He asked for Anonymous to call off its DDoS attack on HBGary Federal, an attack that had begun earlier that day.

Some of the responses from CommanderX were a bit chilling. Late in the conversation, CommanderX warned Barr “that your vulnerabilities are far more material. One look at your website locates all of your facilities. You might want to do something about that. Just being friendly. I hope you are being paid well.”

Then came an IRC log that Barr sent around, in which a user named Topiary tried to recruit him (under the name CogAnon) for “a new operation in the Washington area” where HBGary Federal has its headquarters. The target is “a security company.”

By late afternoon on the 5th, Barr was angry and perhaps a little scared, and he asked his PR person to “help moderate me because I am getting angry. I am planning on releasing a few names of folks that were already arrested.” It’s not clear that Barr ever did this, however; he admitted in another e-mail that he could get a bit “hot” in private, though he would generally cool down before going public.

Hours later, the attack escalated from some odd DDoS traffic to a full-scale break-in of HBGary Federal systems, one that showed tremendous skill. “What amazes me is, for a security company - you had such a basic SQL vulnerability on your website,” wrote one Anonymous member later.

Days afterward, the company has still not managed to restore its complete website.

“Danger, Will Robinson!”

Throughout Barr’s research, though, the coder he worked with worried about the relevance of what was being revealed. Barr talked up the superiority of his “analysis” work, but doubts remained. An email exchange between the two on January 19 is instructive:

Barr: [I want to] check a person’s friends list against the people that have liked or joined a particular group.

Coder: No it won’t. It will tell you how mindless their friends are at clicking stupid shit that comes up on a friend’s page. especially when they first join facebook.

Barr: What? Yes it will. I am running through analysis on the anonymous group right now and it definitely would.

Coder: You keep assuming you’re right, and basing that assumption off of guilt by association.

Barr: Noooo….it’s about probability based on frequency...c’mon ur way smarter at math than me.

Coder: Right, which is why i know your numbers are too small to draw the conclusion but you don’t want to accept it. Your probability based on frequency right now is a gut feeling. Gut feelings are usually wrong.

Barr: [redacted]

Coder: [some information redacted] Yeah, your gut feelings are awesome! Plus, scientifically proven that gut feelings are wrong by real scientist types.

Barr: [some information redacted] On the gut feeling thing...dude I don’t just go by gut feeling...I spend hours doing analysis and come to conclusions that I know can be automated...so
