This is the He Who Fights Monsters panel, and I'm your host, Paul Roberts. I'm the editor at threatpost.com. We're a security news blog. And we have a great panel today, who I'm going to introduce in a second. Just a couple seconds on the ground rules or how we're going to frame this. I'm going to introduce our panel members. We have a few slides germane to what each of the panel members are going to say. And then we really want to take questions from you, but we only have an hour. So actually, what we're going to do is hold questions, because there's a Q&A session after this in Pavilion 4, which is two doors down on the right, I hear. And we're going to take questions there in the Q&A room afterwards. OK, and I know there are a lot of you who have questions that you want to ask. But the time for our panel is short. OK, so I'm Paul Roberts. My introduction to this, to, well, Anonymous and Aaron Barr, HB Gary, obviously came as a reporter, and Threatpost covered this story as it was breaking, as did a lot of other folks. I got to know Aaron personally. He reached out to me after I wrote a kind of an editorial piece called Winning the War and Losing Our Souls, which was written at the time of the RSA conference. And if you remember, HB Gary kind of pulled out of that conference at the last minute after all of this stuff broke. And Aaron reached out to me after that editorial, and you can Google it. I think because I was probably one of the few journalists who actually expressed sympathy for him and what he had to endure as a result of the attack by Anonymous. And we all fuck up every once in a while, right? But most of us don't have Stephen Colbert kind of riffing on our fuck-ups in life. And Aaron unfortunately did. And he, at that time, myself, and I know Josh, thought about DEF CON as a great way to kind of come back to this issue, hopefully with Aaron in our midst, to figure out what it all meant. And Aaron also, to his credit, very much wanted to do that.
Unfortunately, attorneys got involved, in particular attorneys for HB Gary, which put the kibosh on that plan. And they contacted Aaron. They basically threatened a lawsuit if he were to appear on this panel. They called his new employer and let them know that they would be pursuing legal action. And Aaron's a guy who's got a wife and kids and a mortgage. And we all know how that works. But I want to, just in the beginning of the panel, give props to Aaron Barr for having at least the courage to put himself out there and propose to come up here, even if the lawyers kept him from doing it. OK, let me introduce our panel members. Starting from the left, Josh Corman is the director of security intelligence for Akamai Corporation. He says, unless you have plans to attack him, in which case he is the research director for the enterprise security practice at the 451 Group. Josh has more than a decade of experience with security and networking software. For real, it's a real decade, not an eight-year decade. And most recently serving as, before the enterprise security practice, a research director for the enterprise security practice, and before that, principal security strategist at IBM Internet Security Systems. His research cuts across sectors to the core challenges of the industry and drives evolutionary strategies, yada, yada, yada. Jericho, to his right, has been poking around the hacker security scene for 18 years. That's a real 18 years, not the kind of 18 years that are only 12 years, building valuable skills such as skepticism and alcohol tolerance, which he's put to the test at this year's show. As a hacker turned security whore, he has a great perspective to offer unsolicited opinion on just about any security topic. He's a longtime advocate of advancing the field, sometimes by any means necessary, so we're going to talk about that. And he thinks the idea of forward thinking is quaint. We're supposed to be thinking that way all the time.
No degree, no certifications, just a willingness to say things most of the industry is thinking but unwilling to say themselves. He remains the champion of security industry integrity and of small, misunderstood creatures, and you can find him at attrition.org. All right, yeah, it's here for attrition. To his right, Baron Von R. He's worked as a security professional for 13 years. That's a real 13 years, Baron, both for and with IT firms, including IBM and Command Systems. He's currently working in incident response, forensics, and security auditing at a leading aerospace company. Baron's expertise includes ethical hacking, pen testing, social engineering, information security audits, computer forensics, steganography, open source intelligence and the like. Okay, so he's ready to weigh in on our panel as well. And who is Baron Von R? I don't know, maybe you're gonna find out. Okay, here's our Twitter handles. That Baron Von R Twitter handle isn't real, so don't try and follow him. Okay, I'm gonna pass the mic over to my esteemed panel member, Jericho. Yeah, so to put this in perspective, raise your hand if you're not an asshole at some point in your career. I see one hand, go ahead and leave, please. We prefer no liars. How about if you don't profit from your security work? Yeah, okay. Did somebody raise their hand back there? Nothing more, yeah. And so how about if you think you know the whole story behind the HB Gary saga, or if you think you even know half of the Anonymous saga? Oh, one hand. Yeah, let's go ahead and get the hell out, liar. Or wait, is that Aaron Barr? Those are the Threatpost readers, actually. Okay, Aaron, do you wanna come up and be a panelist? Make sure you go to the room after this, let's talk. Okay, so after that, does anyone wanna admit that they're part of HB Gary? Or HB Gary Federal, they're different companies. Yeah, I know, different companies, so I know it, huh? Do they pay you? No. So, okay. When was that email address created exactly?
I've had an email address here since February. So that narrows it down. We do have one member of Anonymous in the group confirmed. Well, he says, I have an email address at HB Gary and I don't get paid by them. So think about those questions, because a lot of what we, as a group and as an industry, are leveling as accusations at Aaron, you know, that was really kind of a lot of the criticism, and we kind of forget to look at ourselves and say, you know, I'm basically halfway to the monster that we claim he is. Okay. Mr. Corman. All right, is this thing on? All right, so for those who don't know philosophy, the rest of the "whoever fights monsters" is that he should see to it that he himself does not become one. And I saw quite a bit of cognitive dissonance over, geez, you know, that 17-year anarchist in me wants to join Anonymous. And you know, the guy protecting a Fortune 50 network or so wants to fight them. And I basically thought it was useless to talk about white hats and black hats and gray hats. And you know, you dust off your Advanced Dungeons and Dragons, and essentially it's not just a good versus evil thing. I mean, some people see Anon as Robin Hood, right? Chaotic Good, Arab Spring, freeing oppressed people, transparency for the win, right? Other people see it as the Joker, Chaotic Evil. They just want to see the world burn. You know, so what we tried to figure out is, the conversation wasn't moving forward, so I just dusted this thing off, and the real defining characteristic isn't good or evil. It's that they're chaotic, right? So we have a rise of the chaotic actor, so to speak. And most of the confusion or debate is, we're romanticizing about the positive or attractive aspects of this, but we're not being very deliberate about which roles we want to play. And we're gonna get to some of that searching in your soul. I mean, that was a point in your article: as we're fighting this, are we losing our soul?
And Aaron's a living embodiment of, even, he even violated his own personal ethic in some of his actions. And we just get so caught up in the activity that we're not in control of it, but rather a victim of it. So try to figure out through the course of this where you fit on here, but more importantly, where do you want to fit on here? Because in our pursuit to raise security awareness or improve security, we may actually be driving something far worse than the Patriot Act, right? We may cause powerful and uninformed people to act in powerfully, powerfully uninformed ways. And real quick, he didn't realize it when he made the slide, but the boxes that actually have a hat, those are off limits. None of you in this room fit any of those bills. So figure out which of the other six boxes you are. Great. Baron, any thoughts? Well, I'm kind of in the middle of the whole thing. From the perspective of the government and the intelligence agencies, all of this kind of activity, especially on Aaron's part, is part and parcel of what we've been doing since the beginning, since the forming of this nation: disinformation, intelligence gathering. So what Aaron did, yes, it kind of crosses the line when you start to talk to a company or an authority, in this case, a law firm, that's going to go after individuals within our own country. Even the CIA wasn't chartered to do that. So yeah, in my book, he crossed it, but as Richard Thieme said in his Black Hat tutorial, it's all gray. One man's terrorist is another man's freedom fighter. You just have to know where you sit and you have to come to grips with it. Okay, thanks. Good thoughts. I think I'm going to start just with, I think probably a question, the answer to which will maybe help us understand where each of you guys come from, but who is Anonymous in your minds? Whether that's who they are literally or who they are kind of symbolically?
I'll take a stab, but I think people think Anonymous, well, first of all, there's probably several participants in the room, maybe even on the stage. And it's not a group, right? I mean, we know this, but just to tell you things you already know, Anonymous is not a group. Essentially, it's like tailor rental branding. It's a franchise. I mean, some people that took the name were doing things like Arab Spring or something locally. It was just a way to, it was almost like a PostSecret, right? It was a way to do something without getting caught, maybe as a whistleblower. And it can form a very valuable part of our culture. I think it was kind of hijacked by smaller groups, and now it's become something that's maybe gone from public benefit to public menace, depending on who you are. I think my personal disappointment is, if in fact you think this is going to make security better by showing failure, I doubt it, right? Anybody that's done work with Fortune 50, Fortune 100 CISOs, they're not going to make, they're not going to do better security. They're going to do more security. Wait, wait, wait. So you're saying that pointing out failures is not going to help security? No, no, no, no, no, no. All right, let me refocus to my actual point. Any cause will have an effect. It just may not be the desired effect. And if we're going to do this, hey, if we're going to have chaotic actors, I don't think we're going to eliminate, nor do I want to eliminate, participants throughout that grid. I would like to challenge that if we're going to do something like this, let's up our game. Why don't we have a LulzSec that targets child exploitation sites? Anybody following the Jester? Why don't we have more people doing things to map out or DDoS jihadist websites?
We have an opportunity to not just cause chaos, but cause directed chaos, which is kind of an oxymoron, but if in fact we feel powerless that PCI's hijacked our industry, if in fact we don't feel like we can actually get our jobs done because management won't listen, there might be more constructive ways to channel that angst. I think that was an excuse, though. I think they just took that up after originally saying that they just wanted to smash things. So to make it have some sort of legitimacy, and to maybe, when they do get caught, have some sort of case to make in court, saying we were doing this because we believe in this. I don't believe that's the case. I think it's been hijacked completely now, all the way up to the nation state level. So we have actors in many countries attacking many different things, and they could be just red cells that are working within other governments' intelligence groups because they're anonymous. And even after a qualification, I kind of disagree. I mean, how many of us have been in the industry for long enough? And it's like, you work 40 to 80 hours a week and you're banging your head against the wall and you're getting paid to do it and they're still not listening. How long do we have to go through this before we actually effect change? You can do pen tests for 15 years and go back, and like every six months you retest and it's like, wow, you still didn't fix this remote service. You still didn't sanitize input here. You're not learning your lessons. So maybe it is time for Anonymous or LulzSec to come in, take these companies, bend them over and fist them and wake them up. I would agree with you. It's kind of Anonymous as a business model, right? I would agree there's a need, but I think that the companies will just go back to their somnambulism. The C levels will just go back to playing with their iPads and their new toys, and they'll go right across the policies and say, it's not for me, I'm a C level.
So no matter how scared you make them, they're just gonna fall back into old bad patterns. It's not gonna make a change. I'm not gonna for a second say that there isn't the opportunity for something, some way to change the game. What we're doing clearly isn't working. I've seen the reaction of victims of LulzSec, and they're not getting smarter. I guess that's my point. It's that I think there's the opportunity here to catalyze a different conversation, to drive things forward instead of just banging your head against them for 15 years. I'm just not seeing that message sent equals message received. In fact, you look at the Sony thing, because of the earthquake happening and costing them far more damage and financial loss than the punishment campaign and the sustained raping of, what, 23 on your last count on your website. Best timeline of the Sony pwnage campaign is on the attrition site, but that almost made us go from, just think of a timeline. We went from unmotivated and ignorant of the chaotic actors or of exploitation to aware and motivated, straight past that to hyper-aware and numb. We've gone from inaction of one kind to inaction of another. It's actually not really hurting Sony that bad. As much as we felt like, yeah, yeah, rah, rah, we showed the weakness in their security posture, this is a rounding error on the losses they had from the earthquakes. It's a rounding error. And my fear is that, again, powerful and uninformed executives are gonna look at this as a highly acceptable loss. So I'm not saying don't do this. I actually like lots of aspects of this. I think it could be channeled into a catalyzing event, but if it's simply some reason to ignore our entire industry, then we fucked up. Well, you say that these companies aren't learning, and for the most part, you're right, but just as an example, so Sony, they get bent over in all kinds of creative ways, and that's right after they fired all kinds of security staff. Well, are they learning? Well, maybe.
There was someone very high up in the Sony security job line that was at Black Hat. Why would they send that person here if they had fired security staff and didn't care? Maybe now they are saying, well, okay, it might be worth this security thingy that we hear so much about. Now, I mean, this is gonna take people like myself and others to help control the narrative. I hope the press helps control a responsible narrative, but a good lesson that Anonymous and most that could have done with Sony. And I'm trying to focus away from how were they pwned, because who cares, there's a million ways to pwn them. Here's a good takeaway. If you sue a researcher who finds a vulnerability on your platform, you're gonna get raped, right? I mean, if you haven't figured out the ideas behind a coordinated disclosure or that those kinds of actions have negative consequences, we've now upped the ante. So one thing they may learn is, don't fricking sue researchers. So if we can steer the lesson instead of just hope that attacking them teaches them something, we have to follow that up. Right, so I mean, obviously there's a long and proud history of hacktivism, and you can look at, you know, you can look at groups like Electronic Disturbance Theater, Legions of the Underground, Cult of the Dead Cow, Federation of Random Action, you know, many of the hacktivist incidents that have been documented or that we can point to are in support of political causes, human rights and so on. I mean, I think that's sort of what Josh was getting at when he was talking about building a better Anonymous. You know, there are certainly no shortage of issues out there that technically adept and informed people can support or encourage. I guess the question is, is Anonymous this? I mean, if you look across, you know, we're talking about both Tunisia and Egypt, those operations, but also Sony, okay, so Sony was really about Geohot, HB Gary was about them being pissed off that they might get doxxed.
You know, what is the connecting thread? What is the ideal that ties us all together beyond we could do it and we did? And who's first crack? Baron? Well, I'd just like to go back to the last point for a second, it's no coincidence that hacking insurance is up. So I think a lot of companies, and I did hear about one in particular yesterday, I'm not gonna mention them, but they laid off a bunch of people in security and they bought hacking insurance. Give you $100 right now if you name them. How many people have hacking insurance in the audience? So back to, what was the question again? There's the business we need to do. I forgot, no, the question was, look, again, we can look back historically and see incidents of ideologically motivated hacktivism. Again, whether it's in opposition to China, in support of Myanmar, against the Republican Party, God bless him, or what have you. But when you look at Anonymous, when you look at Anonymous and LulzSec, it's harder to discern what the message is. Certainly, Operation Tunisia and Egypt seem like pretty straightforward examples of hacktivism. Sony, I don't know, and HB Gary almost certainly not. Well, I would say that in the genesis of Anonymous, you had the fight against Scientology. They actually had people who were involved in the groups who were involved in Scientology. They had friends, they had family who were getting taken away. Scientology, right, right. So that was the start of it. They fought a giant entity with a lot of money and a lot of lawyers with an Anonymous attack. That led on to this whole Arab Spring. They're trying to do something good. They're trying to set up comms in places that are shutting down the internet. But when it started to diverge into AntiSec, LulzSec, whatever you wanna call it, right before HB Gary, it became something completely different. And I'm not sure completely of the motivations to start. I know that Aaron had said things.
He had said them publicly on the news and they didn't like it and they just took him down. His fault, frankly. After the school came out and everything started to come out about what they were doing, yeah, a lot more people jumped on the bandwagon. But after that, LulzSec really seemed to kind of lose its aegis. Now they're just hitting the Phoenix PD because they don't like the way the Phoenix laws are on immigration. Well, you know, I don't like them either. But outing law enforcement officers who were bound by duty to actually carry out legislation that a legislator has put together. They have no say over it. I mean, other than one vote per person, you're just putting them in danger. A CI list recently came out evidently too. I haven't seen it yet. But, you know, there could be people in danger now because their names are known as CIs. I also know there's a lot of practitioners in the room. You know, we like to break stuff; it's part of our persona. And he mentioned Richard Thieme. I mean, he's gonna present again today, I believe. But if you haven't seen him present before, first of all, you can see him present at the second. He's really resonating with a lot of the themes that went into the preparation of this panel. But in your day job, right, you've been working really, really hard to try to make sure you can accomplish your mission. And when you see these really high profile, high visibility, noisy attacks, it's going to cause the shift of focus there, right? Now, guess what? I don't really give a crap if they stole a bunch of credit cards. You know, there's been very little negative consequence to the loss of a highly replaceable credit card. What I really care more about is losing intellectual property. It's the irreplaceable. So this is actually distracting you from your core mission, just like PCI is distracting you from your core mission.
So your executives are distracted from risk management to PCI; now they're distracted from risk management to loud, noisy DDoS attacks. What's actually gonna put your organization out of business or cause layoffs? It's the loss of those irreplaceable assets. So we now have a new noisy thing that distracts us from the actual mission we have. Now, we didn't bring it up yet, but I mean, there were groups that were taking down child exploitation sites. Anybody in here like child exploitation? It's okay. Not really. But anybody in here, that's something we could all get behind, right? But there was a group, at least one group that I knew of. EHAP. Back in the day. Let's up the game, right? There's some bad people doing bad things. I don't know, raise your hand if you dislike FUD in our industry. Oh, come on, more hands on that. Wake up, guys. Now, have you ever encountered a vendor that was totally full of shit? Hell, let's just have a medium-grade nobility of a chaotic group. How about we have a published treatise that if you do any of the following definitions, three definitions of FUD, that the cause of these three things will lead to the effect of a three-day DDoS campaign. And we will basically have a disincentive and deterrent for bullshit vendors spreading fear, uncertainty and doubt. In short, Anonymous needs to make a menu, you know? For the appetizer, I'll take a two-day DDoS, you know? Then the breach. And I'm not even advocating vigilantism, right? But I don't think it's gonna go away. It's more a matter of, if we think this industry is dysfunctional or we don't think we're being heard, let's have a more strategic and intelligent approach to it. If you don't do these three things, you will never hear from us. If you do these three things, here's exactly what will happen to you. I think you may have more chance of random chaos motivating stupid fear, to very targeted cause and effect may actually modify behavior. Go ahead.
I'll go ahead and advocate vigilante justice in some cases, I'm fine with it, you know? Once again, if Anonymous is taking requests, at Attrition we keep a list of companies that have legal threats against researchers, you know? So someone finds a vulnerability or some new cool bypass, and the company swoops in and says, you know, if you publish, we're gonna sue you. Well, there you go. There's your top 10 list of companies that really need to be bent over one way or another. And the same goes again for HB Gary. They need to be taught another lesson, you know, threatening to file an injunction against Barr for talking here. Something about free speech comes to mind, but I don't know the exact quote, you know? So HB Gary now, not only are you a bunch of assholes that said, oh wait, no, that's HB Gary Federal, not us. You know? So yeah, they laid all the blame on Aaron Barr. Oh, he's the mega asshole, but wait a minute. Now that he's gone, you turn around and you show that you have, you know, I wanna say a more evil streak by trying to limit him. And you know, again, Paul covered this. I understand why Aaron backed out. And the kind of neat part is that originally, there's two times he tried to back out of the panel. The first time he resolved it. You know, he talked to his new employer and he still made the effort to get on the panel. And that was really cool of him. And then the second one was, you know, it's too much. Like I said, wife, kids, mortgage, he's got too much to lose now. So, you know, just take it all into account and consider the entire picture as much as we know of it. Yeah, and I wanna talk about HB Gary because I definitely don't wanna reward them for suing Aaron off our panel and trying to, you know, squelch discussion of what was revealed by the hack of that company and what came out of those emails. So we are gonna talk about that. And we're not gonna let HB Gary kind of get away with stifling that discussion.
But just to follow up, I'm wondering, when you're talking about, you know, Anonymous or something like it as a tool to enforce best practice, I guess, in a way. Drink. Huh? You said best practice. Okay, so. Oh. Yeah, sorry. But, you know, isn't what we're really, isn't what you're sort of sketching out a kind of vigilantism? So, you know, it's like, you know, as somebody said to me yesterday, it's like the, you know, the Clint Eastwood movie, you know, sort of Clint Eastwood comes into town. But of course, you never know what town Clint Eastwood's gonna come into, you know. You never know where he's gonna choose to, you know, enforce order or enforce his version of order. And you may not agree with his version of order. But I guess I'm acknowledging that this is happening. And I'm being, putting my big boy pants on and saying it's not gonna go away. I mean, just look at what's happening within Anonymous or LulzSec. I mean, they're turning on each other. We now have Topiary in custody, if you believe it's Topiary. And there's good evidence that it is. They're gonna lean on him. They're gonna squeeze him. He's gonna turn. I mean, some of the doxing events we saw were basically rifts within the group. So when you don't have an organizing principle, when you don't have a mission or a goal, you're just kind of doing shit, it self-destructs to a certain extent. So I think there's an opportunity here that if the real driving force was that you think security sucks and you wanna make it better, that's an if, right? It's a conditional statement. I'm not so sure that the current 1.0 or 2.0 is working. Do you think the information that came out of the attack on HB Gary, including the plans, Team Themis, and the back and forth with Hunton & Williams and the Chamber of Commerce, did the transparency that we as a community gained about those types of dealings justify the attack?
And a second question might be, do any of you think that the harsh light of daylight that was shone on those types of dealings has curtailed those types of contracts, projects, negotiations, discussions, either within the Beltway or anywhere else? It's been going on for a very long time in the private sector. Private sector intelligence is a very, very big business, before Xe, before Blackwater. Many former intelligence operatives go into business for themselves and do black ops type of work for companies inside and outside of this country. So it's nothing new. It's just somebody got their hand caught. That's all. Well, I guess the real question for the audience then is, the whole HB Gary saga, when we learned what they were doing, who was actually surprised at anything they were doing, proposing or just spitballing? Who was honestly like, wow, I've never heard a company do this. I think I saw one hand and that's good. Because like you said, this has been, you know, a multi-million, if not a billion dollar business. The thing is, we just don't know all the companies that have been doing it. They just haven't hit the news. You're all so tired of all. Yeah, we were in a hurry. Yeah, so the question is, why do we listen to this guy if he's not willing to show his face? Shall I unmask myself? Are you a thought, are you a bet? Well, wait. Wait. Okay, so we have two different opinions, but then the question becomes, you know, who listens to LulzSec? When they say we hacked something, but they haven't actually released the information, who believes Anonymous when they say something? Let's do a quick show of hands, though. Who thinks we shouldn't listen to a fucking thing he says because maybe he's a fed, maybe he has an agenda? We don't know who the fuck he is. Why should we listen to him? Who thinks he should unmask? Raise your hand. Come on, be more courageous. Only a couple people. Okay, just to make sure. Who thinks he should stay masked?
I think this is what they call a self-selecting population. So real quick, that's an excellent question, but it goes back to, why does someone need to show their identity if they're making good points or if they have relevant experience, you know? And now that we're a little ways into the panel, I'll say, we vetted him. We know his background. We know some of what he's done, some of which he can't talk about, and we know that he will add a certain perspective to the panel. So we were fine with him coming on, claiming to be anything he wanted to be. What then reason? I am a squirrel. New battle cry. As for the gentleman talking about being doxxed, I'm in the open. I've always been in the open. I'm not covert. I'm overt. So, with that. Okay, and now everyone in the audience is going, who the fuck is that anyway? We still don't know. I'm overt, but I don't have my picture out there that often. Raise your hand if you know who this is. Four, five, six. Yeah. You're still masked. Yeah, I'm still masked. So in short, and that's why it's such a great question, is mask or no mask, it doesn't really matter, you know? It's more about the message, the content. So now to introduce yourself to the audience. What's that? Do you wanna introduce yourself? Oh. I go by the name Krypt3ia. I have a blog on WordPress. I've been blogging about LulzSec and Anonymous for quite some time. They know who I am. I have treaded the line where I say to them, hey, you wanna out people for doing bad things? Cool. But do it right. Stop this crap where you're just, you know, SQL-ing, taking down, you know, data that's unimportant. Your last dump that I looked at, the ManTech dump, one SBU document. SBU, you know, sensitive but unclassified. You can get it with Google. In short, he's saying you're a bunch of pussies for that one. And I did say that in part. So learn your target. Know what they're doing. Really, one of my last posts, I said, look, the real dirt has only come out from insiders.
You know, you have the Pentagon Papers, you had Deep Throat, and now you got Manning. The source, not the movie. Yeah, not the movie. So you've got people in the know who have access to very dirty things, who decide to speak power to truth and release that information. Now, in Bradley's case, I think from the transcripts that I've seen, he was, is mentally unbalanced to a certain extent because of all the crap he's gone through. Going into the military was a bad idea with where he wanted to go with his life, with reassignment. So, he had a lot of pressure. And trusting that piece of shit, Lamo, was another royal screw-up. However, the collateral murder thing, the video, very important to be out there because there's a lot of shit that's going on over in the Med that we don't know about. And that's just one tidbit. But that, out of all the dumps, all the cables and stuff, that was the most important thing. The rest of it, unimportant to me. Sure, there's backbiting between the United States and other countries. We deal with people we don't like. We have to. That's just the nature of the game. So, if you're gonna do this, and you're gonna find the real dirt, then find the real dirt, vet it, and give it to the papers. What WikiLeaks wanted to do and did before the Cult of Julian. Real quick, building on that, and going back to the building of Better Anonymous, which, I wonder if we can do that as a consulting gig, you know? You know, releasing $250,000. I've already reserved the Better Anonymous domain, by the way, so. Okay, quick. Is there a lawyer to trademark this? Releasing 250,000 cables is really cool, but it's also kind of hurting your cause. There's so much noise there, and there's so many pointless documents. One of the better things they could have done is to actually go through and hand-pick the top 10, top 50 or whatever, put them out one a day or something. We used to have the HP bug of the day. Leaked cable of the day. Month of browser bugs, right?
Yeah, exactly. And you turn it into this kind of campaign, but you also focus on the big ones, the collateral damage. Any of the other specific cables that really out terrible things happening that the public should know about. And here's the little key for you, all you lulzies who want to do this. How do you know you have the real dirt? Right. How do you know you're not getting disinformation? Yeah, we've already shown that companies are out there doing disinformation campaigns. You know, has Anon or Lulz fallen into one of their traps? Have we now been fed a bunch of shit made up by the companies that we think we know something about? Okay. But let us not let HB Gary off the hook here, right? So, you know, if... Hey, with friends like these, who needs enemies, right? I want to point out this. Wait, I mean, we feel so powerless against this nameless, faceless flash mob, right? That instead of focusing on, you know, the actual adversary community, we're fighting with each other because we can't, right? I mean, it's almost a Streisand effect. The act of trying to intimidate Aaron offstage, such that you don't draw attention, has drawn so much more attention. I've had five people come up to me saying, guess who my next target is? It's HB Gary. Now, I'm not suggesting that, but people are already thinking it, right? So, you know, they just put a big target on themselves in the effort to suppress good guys talking about good guy stuff. Or even going after Raphilos at Black Hat for taking a picture of somebody who had the Anonymous mask near their booth. You know, they freaked out, chased him down. That's right, that's right. Okay, let me ask you, I mean, I think what we've heard you say is, look, what came out in the HB Gary emails was business as usual within the Beltway or elsewhere, the stuff that's been going on for years. It's actually a big industry. 
Should we conclude from that then that there was nothing untoward, that HB Gary and Aaron Barr hadn't crossed the line or were not proposing to cross the line? If you're not pissed off about it, there's a problem. Yeah, they definitely crossed the line. I think I am pissed off about it. You know, that's funny, because when Aaron was on the panel, we weren't gonna go there, but he's not here anymore. Yeah, no, so HB Gary and Aaron Barr, they crossed the line, but my point is that, yeah, that's business as usual for dozens of companies out there, you know, and even then, how many companies unrelated to that entire field of, you know, information gathering and open intel, how many of these other companies have ethical lapses? You know, if you need to be reminded, once again, Attrition and Errata, we keep a list of shit like that. And when you start going down this list and you realize it's like, page down, page down, page down, what the fuck is this, you know? And it goes back a long way. And that represents literally 10 minutes of work a week because we're busy doing other stuff. What happens if we actually built a real timeline? Every company that you do business with, they've done something shady in the past. And odds are, they've done something shady in the past three months. So, but just in case people don't know, you're the journalist in the room with all the facts. So, Paul, it was the Chamber of Commerce thing that really torqued people, right? So can you give like a 30, 60 second overview of what was perceived across the line? 
What happened with the Chamber of Commerce or the emails that came out is that the law firm of Hunton & Williams, which was representing the Chamber of Commerce, okay, we have 10 minutes, the law firm representing the Chamber of Commerce was working with Themis, which was Team Themis, which is a name that represented Palantir, HB Gary and Berico, to research what the Chamber of Commerce thought was basically a corrupt organization, that the SEIU and Think Progress and Change to Win were engaged in criminal activity, basically, to try and undermine some of the Chamber of Commerce's members. And they wanted to use the tools of Palantir, kind of a data correlation tool, and HB Gary's open source intelligence and Berico to try and reveal that. Of course, they're not the Justice Department, so even if they had figured out that it was a RICO violation, I'm not sure it was up to them to prosecute it. But that was what they brought to Aaron and brought to these companies to say, we have a problem and we're looking for your help with it. But I'd like to remind you that October Surprise, some of the things that Karl Rove pulled, are en masse in our mainstream government. So, and these are against the other party. Okay, so we understand the Chamber of Commerce thing. I guess, did the mainstream media get it wrong? I mean, did we in the press, were we too willing to buy Anonymous's interpretation of what was in those emails? Were we, and would we have felt differently if instead of the Chamber of Commerce, it was a plan by a politically left leaning or progressive group to investigate Koch Industries and Americans for Prosperity and some of the groups that have, probably this audience, generally more up in arms. I mean, were our feelings about this tempered or colored by who was behind the law firm, who was paying for this and what the mission was? Because Aaron has always said, I would have done it for anyone. 
Yeah, sure, Chamber of Commerce, but I would have done it for Greenpeace or PETA or it didn't matter. I mean, it was just, they were a customer. He's client agnostic. Client agnostic, right. Everybody's, their money's all green. Does it matter? Did the press get it wrong? I think you can generically say yes and no. You know, the press is kind of a nebulous group like Anonymous. Some of the journalists, I think, at least got it right and put a fair perspective on it and some of them, you know, sensationalized it. You know what, I think he's right. I mean, 60 Minutes is doing a long piece on the whole thing right now. It's gonna come out in the fall. Huffington Post is doing some investigative journalism on this. There's a couple stories being done and I personally, there's two scary things here. I've personally seen evidence that they've been manipulated on the narrative. They're being socially engineered trivially. So the press is becoming an asset of the LulzSec and the AntiSec. I've also seen that if you are trying to be an anonymous, a true, the word truly anonymous source to the press, I accidentally socially engineered out their sources without trying, right. So I think right now it's probably asymmetrically in favor of Anonymous because the press doesn't have the filter or the, some press do. Some of the better journalists in this trade space do. But for the most part, they're being played like a fiddle. Do organizations have a right, you know, just kind of step into the Chamber of Commerce's shoes. Do they have a right to protect themselves from damaging or illegal activity in the same way that nations do, the United States? So we're not gonna argue that the United States has the right to have cyber offensive capabilities. Do corporations have the same right? This is why I'm really pissed off that HB Gary Federal lawyered Aaron off the stage, because he had a couple really cutting questions. 
He had a couple really excellent points and there is a chance now to finally have a discussion about what is lawful for defending your own interest? You know, how far can you take it? If someone breaks into my home physically, in my state, I can shoot and kill them. We are, we have almost no ability to fight back, to hack back, to do any sort of forensics. We don't have... the laws have not caught up with that yet. So I liked the forcing function of this particular case because it asks us and it might start challenging the discussion of what is lawful hack back? You know, and because there aren't laws, there's a lot of gray area and ambiguity and maybe if you consult with your own internal counsel, maybe you should start stretching that ambiguity right now because we cannot withstand an attack on pure passive defense. We are getting our asses kicked. Others? Nation states have rules that they've set up. Corporations are corporations, but they've recently, I don't know how recently the ruling was, but they're considered personal entities, a single entity that can be treated as a person. You know, that whole thing with the Supreme Court recently about money and advertising and all that. So if you as a person are hacked and you hack somebody back and you're caught, you're just gonna say, well, you know, they attacked me, not virtual castle law. It's not gonna work. So no, they didn't have the right to do that. Take a look at offensivecountermeasures.com, some of the stuff PaulDotCom is doing, John Strand's been doing. They're not saying these things are legal, but we're going from purely only defense to maybe unlawful offense, and there's a continuum there of active defense, and there's some things where there's a lot more you probably could do. And if you get some legal coverage in advance, you could probably stretch that a little further. 
Then also, let me reiterate for the people who came in later, we are doing a question and answer session immediately following this in Pavilion Room 4. Also, I'm looking on Twitter for questions. I think the hashtag is T-Panel. Thanks for breaking it, Jack. Twitter's broken again. Well, if it comes back up, T-Panel is a hashtag and just send me your questions. I will be checking it between here and the Pavilion 4. Let me ask you, is Anonymous protecting us? Is Anonymous standing up for us? Or is Anonymous terrorizing us? And I guess one question I would ask to the audience is how many people here feel like they would feel safe taking a public position in a blog post quoted in a news article, being critical of Anonymous, being critical of their actions? And how many people would feel safe doing that? Like that wouldn't result in them getting attacked? Are you sure you're not sticking your penis in a hornet's nest? Right. Sorry. Well, safe meaning, you don't feel like you would, you don't worry that you would be retaliated against. Yeah. Okay. Respect them. Okay. What if you choose not to respect them? Well, as an example, I don't know. And real quick, that's what I mean. Some of the stuff that I've written has been like that where I say, hey, overall, they're doing some good, but this is where they need to improve. This was like really lame. And it turns into constructive criticism and they haven't attacked us. And like, for example, LulzSec, they were retweeting one of my articles saying, oh, look, this is a good write-up. So I think that while many people say, oh, well, they're just wild crazy kids, they have perspective too. They understand that what they're doing could be better and they're not gonna lash out just at anyone. They're probably gonna go after the people that attack them needlessly or say something that's just really stupid. Yeah. And when I had that thing up there, I'm not saying we shouldn't have this role at all. I'm not saying that at all. 
There's a real opportunity that if wielded properly, this power could do a lot of good. There's also the opportunity that if wielded poorly, it's gonna cause the very things we claim we don't want. So it's a complex system and when you poke here, something happens. The question is, are you poking here to cause the right things to happen or are you gonna end up in bad places? Okay. It wasn't about eliminating Anonymous. It was about building a better one. Right. And I ask that as an open question. I mean, I've certainly written about Anonymous and I've written critically about Anonymous and I haven't been attacked and I think a lot of journalists could say the same thing. So I'm not saying it because I have an opinion about what the answer is to that question, but... Right. Right. And that goes back to my point. They'll go after the ones that say really stupid things and the rest, it's like, well, yeah, that's how journalism works. Right. Right. Right. Right. Well, and to the point here, you know, we've only, sorry, they've only attacked two news organizations. You know, it's kind of like, you know, if you're Armenian, you know, we've only attacked two Armenians and one was this guy and the other was that guy. And you know, so if you're Armenian, you probably don't have to worry. You know, an attack's an attack. But I think I'm getting the big DEF CON X, which means we're out of time. But I thank you very much for coming today and the question and answer panel follows in Pavilion 4.