With law enforcement officials claiming that LulzSec has been decapitated, what does this mean for Anonymous?
The web is awash with hydra metaphors, but the truth is that no-one can say exactly what the effects are likely to be. Not for a while, anyway.
It’s always been clear that the number of Anonymous members with real hacking skills is a small core. Most ‘Anons’ are little more than camp followers – happy to download and use DDoS tools such as LOIC and Slowloris, but with little real clue as to how they work.
The dangers inherent in that ignorance have been made only too clear lately. In South America and Spain, law enforcement officials arrested 25 alleged Anonymous members as a result of analysing IP addresses contained in the logs of attacked websites. Most Anons, it seems, are unaware that the tools they use to further their cause does nothing to hide their identities.
And many Anons have managed to infect their own machines with the Zeus trojan after downloading a version of Slowloris that had been maliciously altered by cyber-criminals unknown. It’s not beyond the bounds of possibility that the people responsible for exploiting these clueless hacktivists might themselves be members of Anonymous. After all, the botnet formed by the infected machines would prove a useful weapon in the group’s activities. And it’s quite possible that at least a portion of the Anonymous movement are also engaged in criminal activities: DDoS attacks are a useful way of masking other crimes.
The thing is, Anonymous is such an amorphous grouping, spanning many countries and embracing so many ideologies and political viewpoints, that it’s almost impossible to rule out anything. And while Sabu and the others indicted in the most recent arrests were clearly the key players in LulzSec and AntiSec, and formed a hacking corps within Anonymous, there are other hackers out there happy to wave the Anonymous banner.
We can expect more arrests as the paranoia levels rise and hackers turn on each other. But we can also expect more attacks. For example, the take-down of Sabu, Anarchaos, Topiary, Pwnsauce, Palladium and Kayla will have no effect on the Anonymous hackers in India responsible for leaking Symantec source code. And there will be others in the US, UK and elsewhere rash enough (or stupid enough, depending on your viewpoint) to think they’ll be able to take Sabu’s place and get away with it. Confidence verging on arrogance is the hallmark of many of these hackers – and the source of their downfall.
It’s a cliche, and a fallacy, to characterise hackers and hacktivists as teenagers. But it is demonstrably true that much of their professed ideology is, to put it politely, somewhat naive. And then there’s the attitude – those hilariously portentous videos and the ‘you can’t catch us, copper’ taunting. (Untrue, as it happens.) Anons may span a range of ages (at least one of those 25 recently arrested was 40 years old), but much of the movement shares an immature view of the consequences of their actions.
(As a side note, the part of the brain that allows us to foresee consequences doesn’t fully develop until we’re in our early 20s, which explains the high accident rate among teenage drivers.)
And so hacktivism will continue. Anonymous will continue – largely ineffective but scoring occasional hits. And while Anonymous has never really represented anything more than a noisy and self-aggrandising nuisance, that’s not to say it isn’t a danger to the security and reputation of the organisations on whom it turns its attention.
The problem with the arrests of the people accused of being the LulzSec chiefs is that some companies might think the threat has passed. It hasn’t. A lesson has been taught to those who might take their place, but experience shows that such lessons are usually ignored. Anonymous has already branded the arrested people as losers: it has thrown them overboard.
The self-important posturing that is so intrinsic to the Anonymous style of hacktivism means that Anons will keep attacking, and will keep being arrested. This is the new reality of the net.
[This post is based on the editorial in the March issue of Computer Fraud & Security]