Like many supporters of the ongoing global wave of networked resistance against the corporate state — The Pirate Bay, Wikileaks, Anonymous and its subsidiaries’ doxing attacks on corporate and government villains, the Arab Spring, M15 and Syntagma, Occupy — I was disheartened by the early March arrest of Sabu and other hackers from LulzSec.
My reaction, though, was one of guarded optimism. I doubted the arrestees had a monopoly on the hacking skills needed for attacks like those on HBGary, BART, Texas law enforcement or Stratfor, or that the FBI had permanently disrupted Anonymous’s human capital. I figured — hoped, anyway — that surviving members loosely associated with AntiSec or LulzSec would eventually regroup and renew the attacks on an even larger scale.
If the FBI wasn’t dead certain they’d captured or cowed most of those capable of waging cyber warfare, they had reason to be very afraid. The FBI’s aging and unevenly secured computer networks would be quite vulnerable if some successor organization emerged with a vendetta. Imagine the fun hackers could have with doxing attacks involving (say) participants in the Witness Protection Program.
So for the past several weeks, I’ve been watching hopefully to see if a successor organization to AntiSec and LulzSec would emerge. And here it is.
Malicious Security (MalSec) announced itself on April 11. After the arrest of Sabu and his circle, Anonymous was paralyzed by fear that the movement was riddled with informers and its communications networks were compromised. Some members, accordingly, spun off to a new chat network as their communications platform. MalSec emerged from this group.
MalSec departs from the practices of AntiSec and LulzSec in two ways. First of all, it disavows attacks that harm innocent people. MalSec promises to protect the free speech rights of even the bad guys, by not destroying original data even when they deface websites. And it promises an end to indiscriminate distribution of personal credit and other information in ways that may hurt ordinary people not associated with the leadership of targeted institutions.
Regarding this first departure, I had some personal misgivings about such things as the release of Stratfor subscriber credit information, because such over-broad attacks included people who may have been following Stratfor’s analysis for any number of reasons. I just hope MalSec doesn’t go too far in the other direction and fail to thoroughly expose all damning corporate emails and other internal documents. I dare to hope again, as I did before, that there will eventually be an HBGary- or Stratfor-scale doxing of a Fortune 500 corporation or government agency every week.
Fortunately, it seems unlikely that MalSec will be deterred from effective action by misguided scruples. They’ve been carrying out attacks since mid-February (long before their announcement) involving SQL injections and leaking information about targets including banks, a police department in New Jersey and Chinese government entities.
MalSec returns to the original roots of AntiSec and LulzSec in Anonymous, as a leaderless and distributed organization. The high profile of a handful of charismatic figures like Sabu and his close associates, and the cult of personality built around them, created a concentrated target profile with tremendous vulnerabilities. MalSec affiliates, many of them formerly associated with LulzSec, learned an important lesson from the would-be decapitation attack. Never again will so many eggs be concentrated in one basket.
This last is an illustration of the principle stated by Ori Brafman and Rod Beckstrom, in The Starfish and the Spider: Authoritarian institutions, when attacked, respond by becoming even more centralized, authoritarian and brittle. But distributed networks respond to attack by becoming even more distributed.
The corporate state and its jackboots had better savor their recent victory over LulzSec while they can — which won’t be for long. The authoritarian institutions of the old world present an extremely target-rich environment. And in the words of MalSec’s announcement, they’d do well to expect us.