The day after the anti-SOPA/PIPA protests (the largest coordinated protest in the history of the Internet), the Department of Justice took down Megaupload. It would seem hard to argue that the timing of this takedown was happenstance. Not to be outdone, the loose collective called Anonymous struck back in the largest coordinated distributed denial of services (DDoS) attack in the history of the Internet. Targeted were the websites of the MPAA, RIAA, BMI, Universal and several federal law enforcement websites.
Hacktivism is a growing topic in computer and social sciences. Part of the thorny nature of hacktivist groups like Anonymous is that it’s hard to pin down precisely who is part of the group. I spoke to Josh Shaul, Chief Technology Office at Application Security about this phenomenon. “There’s a picture of Anonymous, but it’s fuzzy the whole way, especially round the edges,” he explains. “Anyone can do something and claim to be Anonymous.”
There are, however, three basic layers of the organization, according to Shaul: The hard core of Anonymous who figure out how to carry out attacks, create propaganda, recruit and run hacking schools. Shaul estimates this number to be about 100. The next layer are supporters who might draw a picture or get involved in a DDoS. Shaul estimates there are thousands of these supporters. The third layer could be termed sympathizers or fellow travelers and are -- with apologies to an Anonymous slogan -- legion, numbering in the hundreds of thousands. Shaul explains that “especially after the Arab spring, Anonymous collected a lot of good will among the people,” referring to the hacktivist group’s role in attacking Arab dictatorships during last year’s uprisings.
Still, by some definitions what Anonymous did to the MPAA and other groups last week isn’t even hacking. While Shaul says that hacking can be broadly defined as “doing naughty stuff with your computer,” adding that “DDoS attacks fall within that definition,” both he and Bill Pennington, a co-founder of WhiteHat Security, agree that a DDoS is little more than a digital sit-in. When I spoke to Pennington he stated that “if you’re doing corporate espionage, you don’t want a DDoS. You want to be able to access the site you want with as little disruption as possible.”
It’s worth taking a second to explain what a DDoS attack is: Rather than invading a website, a DDoS attack uses legitimate Internet traffic to bring a website down. In the earlier days of the Internet, this might have been as easy as refreshing a page over and over again. Today, it means finding a data weakness on a page and exploiting it. For example, DDoS attackers might use a specific search term repeatedly to bring a site down. The point is that there’s nothing illegitimate about what DDoS attackers do. They’re not doing anything that a normal Internet user might do in the course of interfacing with a website. They’re just doing the right (or wrong) thing intentionally and repeatedly until the site crashes.
DDoS attacks can be legitimately criminal: For example, extorting money from a gambling site by threatening to take a site down for two weeks before the Super Bowl. But the Anonymous attacks on the entertainment and law enforcement websites fit well within the “digital sit-in” paradigm. No one was trying to turn a profit from the attacks. Rather, the movement seems to want to send a message to both law enforcement officials and the entertainment industry that there’s a price to be paid for targeting websites in an attempt to harass and intimidate Internet users following a totally lawful and ethically unambiguous protest like the anti-SOPA/PIPA blackouts.
Perhaps the most fascinating thing about Anonymous is speculation over who they might be. “They hacked the CIA’s website for crying out loud,” says Shaul, “and they haven’t gone to jail for it. That takes skill.” When speaking of who might be in the inner circle of Anonymous, Shaul state that “there are obviously very senior-level technologists with serious skill sets in their organization. I’d be shocked to find that there aren’t people who are in charge of security for major banks or head programmers at major technology firms.”
While hard answers might be difficult to tease out, one thing is certain: The future is going to be an interesting place to live.