home

The Purpose of the Stratfor Hacking and Potential Consequences

You may remember Barrett Brown from the recent dust-up over the plan by some members of Anonymous to out those believed providing assistance to the Mexican drug cartels. The plan was off-again, on again, with Barrett being the major spokesman.

He's back, now weighing in on the Stratfor hacking of its subscriber and e-mail databases. He says the purpose of the attack was not to obtain the credit card info, but the email database. [More...]

Stratfor was not breached in order to obtain customer credit card numbers, which the hackers in question could not have expected to be as easily obtainable as they were. Rather, the operation was pursued in order to obtain the 2.7 million e-mails that exist on the firm's servers. This wealth of data includes correspondence with untold thousands of contacts who have spoken to Stratfor's employees off the record over more than a decade. Many of those contacts work for major corporations within the intelligence and military contracting sectors, government agencies, and other institutions for which Anonymous and associated parties have developed an interest since February of 2011, when another hack against the intelligence contractor/security firm HBGary revealed, among many other things, a widespread conspiracy by the Justice Department, Bank of America, and other parties to attack and discredit Wikileaks and other activist groups.

Since that time, many of us in the movement have dedicated our lives to investigating this state-corporate alliance against the free information movement. For this and other reasons, operations have been conducted against Booz Allen Hamilton, Unveillance, NATO, and other relevant institutions. The bulk of what we've uncovered thus far may be reviewed at a wiki maintained by my group Project PM, echelon2.org. (My emphasis.)

Since supposedly no one speaks for Anonymous because it is decentralized and has no leaders or individuals who can speak for it, it's unclear whether those who conceived of and conducted the Stratfor attack -- who identify themselves as members of Anonymous -- agree with Barrett or even had a voice in the selection of Stratfor as a target. Then again, with OpCartel, Barrett said the group voted on the idea.

After it was cancelled we got to talking about it, and the video got a whole lot of views. [Members of Anonymous] had a vote amongst themselves and decided to go ahead."

More interesting to me, as a defense lawyer, is that Barrett Brown is so willing to use his real name and associate himself with the Stratfor hack. It's one thing to approve of it, it's another to speak of it as a part of an ongoing joint effort. Even if he's just expressing his endorsement of the act, given his direct communication with those involved, you'd think he'd at least be wary of a subpoena. He's not. He said days ago, about a different subpoena effort,

Reminder: If you get a subpoena or anything of the sort, we have free, high-caliber legal aid for you.

Brown is also, reportedly with the approval of those who conducted the attack, trying to submit a proposal to Stratfor to minimize the collateral damage of exposure of credit card details of "innocents".

I've been authorized by @AnonymouSabu and others involved in #Stratfor hack to begin dialog with the firm. We'll see if they agree.

The feds are not going to take this attack lying down. There are several pending indictments of Anonymous and Lulzsec members in various federal districts. Lulzsec is frequently described as a splinter group or off-shoot of Anonymous. For example, Anonymous, in denying it was involved in the Sony Play Station hacking effort, issued a release stating:

"If a legitimate and honest investigation into the credit card is conducted, Anonymous will not be found liable. While we are a distributed and decentralized group, our 'leadership' does not condone credit card theft. We are concerned with erosion of privacy and fair use, the spread of corporate feudalism, the abuse of power and the justifications of executives and leaders who believe themselves immune personally and financially for the actions they undertake in the name of corporations and public office."

LulzSec later took credit for [a different] Sony hack. Similarly, Barrett Brown wrote in the Guardian about the Sony [Play Station] hack:

But those observers who are most familiar with who Anonymous is – such as the dozens of journalists who have been free to watch us at work in our operational venues – tend to agree with us that the circumstances of this incident are highly suspicious, and that any investigation into the crime in question must take into account the natural question of who might benefit from such an act – in other words, a party or parties who would have an interest in smearing Anonymous.

One of the indictments (San Jose) is here. One of the charges of intentional damage to a protected computer in that case carries a maximum penalty of 10 years in prison and a $250,000 fine. Conspiracy to intentionally damage a protected computer carries a maximum penalty of five years in prison and a $250,000 fine.

From the DOJ Press Release:

Also today, a related complaint unsealed in the District of New Jersey charges Lance Moore, 21, of Las Cruces, N.M., with allegedly stealing confidential business information stored on AT&T’s servers and posting it on a public file sharing site. ... Moore is charged in with one count of accessing a protected computer without authorization.

According to the New Jersey complaint, Moore, a customer support contractor, exceeded his authorized access to AT&T’s servers and downloaded thousands of documents, applications and other files that, on the same day, he allegedly posted on a public file hosting site that promises user anonymity. According to the complaint, on June 25, 2011, the computer hacking group LulzSec publicized that they had obtained confidential AT&T documents and made them publicly available on the Internet.....

18 USC § 1030 prohibits Fraud and related activity in connection with computers. You can read the Moore Complaint here. The Arciszewski Complaint is here. According to the court docket on PACER, Arciszewski will be pleading guilty to a five year offense under 18 USC 1030 on Jan. 12, 2012.

Why do they do it? In a missive relating to the British charges against Lulzsec member Topiary (Jake Davis), they wrote:

Some still wonder why we are not worrying. It is bigger than us all. Individuals do not matter, #AntiSec will move on. We [really] are not scared anymore. Everybody involved knew exactly what [they were] getting into. And we will continue until all battleships are sunk.

"Yes, we steal data. From governments and their contractors. We know it's illegal but we honestly believe it is legitimate. We wish it was not so, but we HAVE to break the law to make a change. The laws need to change otherwise no dice. Should this account become silent, you, FBI, may book a victory. [Still], with every day that passes, we store more of your secrets."

LulzSec called it quits in June. There were more arrests in September. Here's the Cody Kretzinger indictment(aka Recursion), charged in the Sony Pictures attack. (Also arrested in another case were Christopher Doyon and Joshua Covelli of another hacking group, the People's Liberation Front.) And LulzSec member Kayla (who turns out to be a male) was also arrested in Britain in September.

Of the LulzSec members, only Sabu, who says on Twitter he is part of the Stratfor attack, and non-original member Avunit, reportedly from Britain, are still at liberty and uncharged.

Just last month, the Department of Justice told Congress it should make computer fraud/hacking a predicate offense under RICO (the organized crime act.) Here's the Prepared Statement of Deputy Section Chief Richard Downing Before the House Judiciary Subcommittee on Crime, Terrorism and Homeland Security:

We propose updating the Racketeering Influenced and Corrupt Organizations Act (“RICO”) to make CFAA offenses subject to RICO. As computer technology has evolved, it has become a key tool of organized crime. Indeed, criminal organizations are operating today around the world to: hack into public and private computer systems, including systems key to national security and defense; hijack computers for the purpose of stealing identity and financial information; extort lawful businesses with threats to disrupt computers; and commit a range of other cyber crimes. Many of these criminal organizations are similarly tied to traditional Asian and Eastern European organized crime organizations.

DOJ also wants to increase penalties for computer hacking.

some of the CFAA’s sentencing provisions no longer parallel the sentencing provisions for their equivalent traditional crimes. For example, the current maximum punishment for a violation of section 1030(a)(4) (computer hacking in furtherance of a crime of fraud) is five years, but the most analogous “traditional” statutes, 18 U.S.C. §§ 1341 and 1343 (mail and wire fraud), both impose maximum penalties of twenty years.

Indeed, for a serious computer crime offense, it is easy to imagine scenarios in which the appropriate sentence exceeds the current maximum. For example, were a criminal to steal a massive database of credit cards, the maximum penalty under section 1030(a)(2) for that crime is five years in prison, even though the United States Sentencing Guidelines might recommend a much higher sentence. In other words, in such situations, a federal judge would be prevented from sentencing a defendant to an appropriate prison term that will assure proper punishment and promote general deterrence.

Under the DOJ proposal, penalties would be increased to that currently provided for those found guilty of their second offense. More on the provisions of the current act here.

While The last thing we need in this country are increased prison penalties, the Stratfor Hack might just be the impetus Congress needs to adopt DOJ's proposal. Here's the latest totals on the data hack, according to Wired:.

860,000 usernames, emails, and md5-hashed passwords; data from 75,000 credit cards, including security codes used for no card present transactions; and over 2.5 million Stratfor emails, internal Stratfor documents from the company’s intranet, and support tickets from it.stratfor.com.

There undoubtedly will be indictments from the Stratfor attack. It won't be the amorphous groups Anonymous, Antisec or Lulzsec that are indicted, it will be individuals who can be linked to the hacking effort, regardless of their affiliation. While Barrett Brown just tweeted he's received info that Homeland Security has made him a target, he still doesn't sound worried. While I can only guess based upon what he writes, it doesn't sound to me like he was involved in the attack -- only that he is inserting himself into events after the fact. If so, he's more likely to face a subpoena than an Indictment. While he can assert his 5th Amendment privilege to a subpoena, he'll lose that right if they decide to immunize him. If he's immunized and refuses to talk and name names, he'll face jail for the remainder of the grand jury's term. That's nothing to sneeze at, ask Susan McDougal.

As for AnonymousSabu, if as reported, he's been in hiding until recently, the Government will probably seek to detain him without bond if indicted.

All this raises the question, are the hackers brave or naive when it comes to the legal consequences of their acts? I'll let you decide.

Update and Clarification: Barrett Brown responds via Twitter to my quoting of his Guardian article on Sony:

Someone please tell this guy that there was more than one Sony hack and that I was discussing one in particular. http://www.talkleft.com/story....
Yes, his article was about the Sony Play Station Hack and there were multiple Sony hacks. (For examples, see here, here, here and here. Here's a Wired article on the first two Sony hacks.)

< Schapelle Corby May Lose Good Time for Skipping Mass | Guantanamo Commander Seeks Access to Attorney-Client Mail >
  • The Online Magazine with Liberal coverage of crime-related political and injustice news

  • Contribute To TalkLeft


  • Display: Sort:
    I think STRATFOR is creepy (5.00 / 2) (#1)
    by Militarytracy on Mon Dec 26, 2011 at 11:43:03 PM EST
    They are private, and who they represent, who talks to them and gives them info off the record, and how they go where the money is is all creepy.  But I can't see how some of the most powerful people on the planet aren't going to want someone's arse in a huge way for this.  Particularly if they did get STRATFORs emails.  There have got to be people out there sweating bullets right now worrying about what the hackers have and know.

    You know (5.00 / 2) (#11)
    by Edger on Tue Dec 27, 2011 at 10:51:19 AM EST
    I've been a programmer/computer tech for nearly 40 years and the people who comprise Anonymous make me look like a kindergartner and an amateur - they quite obviously have some of the best network techs and programmers in the world as members. The only people who would come close would be working for the NSA or something like that.

    I think there are probably people in Anonymous and in Lulz and the other splinter groups with enough knowledge and network experience who working in sync could probably badly disrupt or completely crash the entire world economy in a hour, almost as easily as flipping a lightswitch.

    Imagine no banking, anywhere, all of a sudden.

    For days no credit card transactions, no clearing house transactions, no supplier orders made or fulfilled, no operating stock and commodity and security exchanges, and no telephones, all at the same time?

    Imagine no electricity?

    If I were the government, I'd be very, extremely, concerned, and I'd take their threats very seriously and start paying attention to what people want.

    The government should start paying attention to them as representative of most of the populace (310 million in America alone) - and if the PTB start trying to use the media companies to discredit Anonymous and the others, or come at them too strongly with FBI and police they will be digging their own graves (metaphorically speaking).

    But the government thinks too much of their own power (virtually non-existent as it really is without people believing them) to think straight.

    I, too, been in IT more (5.00 / 2) (#14)
    by sj on Tue Dec 27, 2011 at 12:45:17 PM EST
    years than I will say here.  I am very, very competent.  And I, too, am an amateur compared to these people.

    Parent
    Of course it's ridiculously embarrassing (5.00 / 1) (#23)
    by sj on Tue Dec 27, 2011 at 01:40:25 PM EST
    But I'm pretty sure that Edger wasn't referring to this specific instance.  I know that I wasn't.  So pretty much your whole comment is irrelevent to what Edger was saying.

    Parent
    Let me try this another way (5.00 / 1) (#27)
    by sj on Tue Dec 27, 2011 at 02:38:10 PM EST
    I was speaking in general.  And I am partly speaking in general because I see no reason to re-look up the events that led me to this personal conclusion.  I know my skill set* and I know my level of competence.  I've made this personal and subjective analysis over time.  Your focus on particular events is somewhat annoying, actually.  Go ahead and analyze those specific events.  But don't do it in response to me because that has nothing to do with what I am saying.

    ------
    * and skill orientation, btw.  A business orientation rather than a security orientation takes a different tack.

    Parent

    Not amateurs... (none / 0) (#24)
    by Edger on Tue Dec 27, 2011 at 01:48:19 PM EST
    Anonymous hacks NATO

    And I think there are now probably some former Stratfor IT employees...

    Parent

    And this is why programmers (5.00 / 1) (#28)
    by sj on Tue Dec 27, 2011 at 02:39:29 PM EST
    are so often parodied as brilliant but clueless.

    Parent
    Where did what's his name's comments go? (5.00 / 1) (#33)
    by Edger on Tue Dec 27, 2011 at 08:23:45 PM EST
    You didn't hack him did you, sj? ;-)

    Parent
    who was it? (none / 0) (#34)
    by Jeralyn on Tue Dec 27, 2011 at 08:48:09 PM EST
    Seems like something is missing but I thought I only deleted spammers today. If I deleted a real commenter, I'm sorry.

    Parent
    I think his username was "notoy" (none / 0) (#35)
    by Edger on Tue Dec 27, 2011 at 08:58:21 PM EST
    or something like that...

    Parent
    my mistake (5.00 / 2) (#36)
    by Jeralyn on Tue Dec 27, 2011 at 09:02:19 PM EST
    I thought he was a spammer -- foreign country registration with a spam-like email host. I just unbanned him but I can't bring back his comments, they were zapped.

    Parent
    Stuff happens. (5.00 / 1) (#38)
    by Edger on Tue Dec 27, 2011 at 09:38:42 PM EST
    You should see the stuff I've accidentally deleted on occasion - including backups. ;-)

    I'm glad you were able to find his comments, Jeralyn.

    Parent

    foreign (none / 0) (#39)
    by notoy on Fri Dec 30, 2011 at 01:05:26 PM EST
    apologies for being from a foreign country, and our mail host shouldn't really be spam like, although we had blacklisting issues a few weeks ago due to some fools.

    Parent
    I got his comments back (5.00 / 2) (#37)
    by Jeralyn on Tue Dec 27, 2011 at 09:09:37 PM EST
    from google cache

    hrm (none / 0) (#22)
    by notoy on Tue Dec 27, 2011 at 01:34:15 PM EST

    "Anonymous (...) have some of the best network techs and programmers in the world as members. The only people who would come close would be working for the NSA or something like that."

    I'm sorry but that's bollocks, at least this particular incident didn't require that. If you're in the tech business for 40 years (!), you'll know that even for a tiny web shop, not to mention a security firm like stratfor, such an incident is ridiculously embarrassing. The fact that they stored cc's including cvv codes and expiry dates together with names in full length and unencrypted (against all regulations from cc issuing companies), passwords, etc. again all unencrypted (md5 hashes haha) is a clear indication that it most likely didn't require rocket science to break in. They folks pulling this stunt had enough time to brag online while they were rm -rf'ing stratfor's servers once they were done, and post screenshots of it ... The fact that after days now, stratfor still didn't manage to get at least something back up (like an smtp server accepting inbound emails, or a website with more than "under maintenance") hints into the same direction. (I'm a sysadmin too. Sh*t happens. But if something even remotely similar like this happened under my watch, I'd offer my resignation the same hour.)

             nato and stratfor (none / 0) (#26)
            by notoy on Tue Dec 27, 2011 at 02:26:42 PM EST

           neither stratfor not some random NATO site are particularly good examples. I was impressed with stuxnet though.

            not necessarily amateurs (none / 0) (#25)
            by notoy on Tue Dec 27, 2011 at 02:22:01 PM EST

           but no need to bask in awe.

     

    Parent
    The secret is all in (none / 0) (#29)
    by Edger on Tue Dec 27, 2011 at 02:48:21 PM EST
    Very interesting (5.00 / 3) (#13)
    by NYShooter on Tue Dec 27, 2011 at 12:32:13 PM EST
    I remember reading on one of the hacking sites a list they had constructed of many "highly secure" systems worldwide. The list was composed chronologically , from the least to the most difficult to crack. Only one system was deemed impossible to breach (for now).... America's military, nuclear program and their launch codes.

    Since these hacking groups are decentralized, without a recognized hierarchy, they resemble OWS in that regard.

    The part that is interesting to me is that both groups have similar goals, to shed light on the worldwide attempt by a small group of Billionaires and Corporatists to establish a permanent society comprised of a ruling Plutocracy on one end, and the remaining 99% relegated to Serfdom.

    So far, Governments, as captive instruments of the 1% , have focused only on the illegality of the two group's activities. I think it's fair to say that our "leadership" fears them a whole lot more than the diversionary, trumped up issue of "terrorism."


    Should be repeated (5.00 / 2) (#15)
    by sj on Tue Dec 27, 2011 at 12:46:54 PM EST
    So I will.
    So far, Governments, as captive instruments of the 1% , have focused only on the illegality of the two group's activities. I think it's fair to say that our "leadership" fears them a whole lot more than the diversionary, trumped up issue of "terrorism."


    Parent
    I think that (none / 0) (#16)
    by Edger on Tue Dec 27, 2011 at 12:49:01 PM EST
    all governments that lose legitimacy in the eyes of their people fall, eventually.

    To use a Robert Jensen quote in this context...

    "We are told that it is "realistic" to capitulate to the absurd idea that the systems in which we live are the only systems possible or acceptable because some people like them and wish them to continue.
    ...
    Let me offer a different view of reality: (1) We live in a system that, taken as a whole, is unsustainable, not only over the long haul but in the near term, and (2) unsustainable systems can't be sustained.

    How's that for a profound theoretical insight? Unsustainable systems can't be sustained."



    Parent
    Frankly (5.00 / 1) (#18)
    by CST on Tue Dec 27, 2011 at 01:04:49 PM EST
    it's things like this that make it impossible for 1984/Brave New World/Farenheit 451 to ever really happen.  George Orwell didn't understand future technology.  Also, it would require the smartest people to always work for the government.  In a world with billions of people, there will always be cracks.

    I'm not going to make a moral judgement about whether what they are doing is a good thing or a bad thing ultimately because I just don't know enough about it or understand it very well.

    But I think that the fact that there are people who are able to do this - is a very good thing, and a very scary thing.  And it's not just scary for the government, it's scary for everyone.  But I would be much more afraid of my government if it weren't for the fact that these people exist.  It is a balance of power.  It's important to remember though that we don't really know who these people are, and we don't know if we can trust them with that power.  In fact, I'm 100% positive we can't trust them.  But we also can't trust our government with that power.  So I'll take the split.

    Donald, you're right (5.00 / 1) (#21)
    by Zorba on Tue Dec 27, 2011 at 01:32:18 PM EST
    And it is fueled by the Cold War mindset that has developed into the paranoia about radical Islamic terrorism.  But that mindset will always exist.  The "enemies" may change, but they always have to have an enemy of some kind.  If it's not the current crop of so-called terrorists (and yes, I do acknowledge that there are people out there who want to harm us; I just don't think that the perceived harm justifies the loss of our privacy and personal liberties that have been taking place on a massive scale), it will be something else.  They have the security and intelligence infrastructure in place, and they're going to use it.  Even if it means inviting even more retaliation against us.  Which will lead to ever-more draconian responses.  Which will lead to more retaliation.........and on and on and on.

    Absolutely correct, (5.00 / 2) (#31)
    by Zorba on Tue Dec 27, 2011 at 03:28:04 PM EST
    my friend.  The "safest citizenry is a well-informed and activist citizenry."  I only wish that our government would recognize this.  Be well, Donald.  Mahalo.

    Parent
    So, (none / 0) (#3)
    by lentinel on Tue Dec 27, 2011 at 07:02:51 AM EST
    what happened to the bit about this being stealing funds from media and corporations and redistributing the money to the poor?

    from what I understand (none / 0) (#4)
    by nyjets on Tue Dec 27, 2011 at 08:01:13 AM EST
    They also stole from little guys as well.
    Either way, stealing is stealing.

    Parent
    Yes, (none / 0) (#5)
    by lentinel on Tue Dec 27, 2011 at 08:27:31 AM EST
    stealing is stealing, but some stealing is worse than others. (See "Robin Hood".)

    Be that as it may, I was curious about the initial assertion that whatever they managed to steal was going to be distributed to the poor.

    I have always wondered how one would go about that.
    Who exactly are "the poor"? People living under bridges or in doorways? Are the representatives of the hackers going door to door looking for worthy recipients?

    A further question: Those programs that used to be on TV - "Farm-Aid" and the like. On the shows they gave absolutely no information about how they intended to get the money to the farmers. I have wondered whether they in fact did so, and if so, how.

    Parent

    they file annual reports (5.00 / 1) (#10)
    by Jeralyn on Tue Dec 27, 2011 at 10:21:05 AM EST
    Here is their website's report page and here is their 2010 report. They gave a few hundred thousand to farmers and did other stuff for them that cost money. Farm Aid has an A- Rating from the American Institute of Philanthropy -- it's one of the top listed charities.

    Parent
    I (none / 0) (#32)
    by lentinel on Tue Dec 27, 2011 at 05:45:01 PM EST
    was not making any allegations of malfeasance about Farm Aid.
    When I used to watch their fundraising telethons, I was surprised that I did not see any information about how they intended to disperse the money they collected.

    I think it would have been helpful.

    I admit I did not go to the computer to search 990 reports.

    My original question, however, was about the assertion that the hackers intended to spend the money they were stealing to "the poor". While I kind of liked that idea, I did wonder how they intended to go about it.

    That part of the story, however, seems to have been abandoned.

    Parent

    The legality is not the big issue. (none / 0) (#8)
    by observed on Tue Dec 27, 2011 at 09:21:43 AM EST
    I think the point is that eventually corporate privacy will disappear, as personal privacy already has. Government privacy will also go the way of the dinosaur. Is this good or bad? I don't know.

    If individual citizens have no privacy (5.00 / 2) (#9)
    by Militarytracy on Tue Dec 27, 2011 at 09:47:45 AM EST
    Then having corporations and governments with privacy, privacy they can affectively protect, is very dangerous IMO.

    Parent
    That's what I think. It's a balance of (5.00 / 1) (#12)
    by observed on Tue Dec 27, 2011 at 11:51:28 AM EST
    power issue. And right now, individuals have NO privacy whatsoever, at least in the electronic realm.

    Parent