Online activists Anonymous have recently turned their attention to Iran, posting more than 10,000 emails after hacking into Iranian government servers. The group has also said it might carry out future attacks, possibly around the anniversary of Iran's 2009 postelection violence this coming weekend. Anonymous has also announced plans to attack Syrian embassies around the world.
Trying to characterize Anonymous is tricky -- it's more an identity than a group (more on that here). But as an umbrella movement, Anonymous has many off-shoots and rival factions, many with very different ideas about operations and tactics. For instance, some support distributed denial of service (DDoS) attacks; others don’t.
More broadly there is a split between the “moralfags,” who tend to focus on more serious targets like Middle Eastern regimes or Scientologists. The “hatefags” are just in it for the “lulz” (the laughs) and look down on anyone trying to give a moral or ethical perspective to their digital troublemaking.
I spoke by email with Oxblood Ruffin, a Canadian hacker who is a member of the Cult of the Dead Cow (cDc), a hackers' group that coined the word "hacktivist." He is also the founder and director of Hacktivismo. I asked him about Anonymous's recent operations and the ethics and rules of engagement of hacktivism.
RFE/RL: How would you define "hacktivism"?
Ruffin: Hacktivism uses technology to improve human rights. It also employs nonviolent tactics and is aligned with the original intent of the Internet, which is to keep things up and running.
With regard to tactics, things like DDoS attacks, Web defacements, malware, and network breaches are off limits. These generally limit speech and are a violation of the First Amendment and contradict Articles 19 of the UNDHR [Universal Declaration of Human Rights] and ICCPR [International Covenant on Civil and Political Rights].
We may not like what certain people or organizations have to say but their rights are protected just as ours are. Justice [Louis] Brandeis put it neatly in Whitney v. California, "If there be time to expose through discussion the falsehood and fallacies, to avert the evil by the process of education, the remedy to be applied is more speech, not enforced silence."
RFE/RL: Anonymous has recently announced that it had stolen 10,000 email addresses and was planning a DDoS attack on Iran around the time of the anniversary of Iran's postelection unrest. But what is the purpose of such attacks? How can they help effect change?
Ruffin: Generally speaking DDoSing doesn't do anything except limit Web access, but only for a time. If used strategically and with proper media coverage it can highlight certain injustices. My understanding is that Anonymous Iran (which should be viewed as an autonomous operations group) is planning to DDoS a website collecting data on Iranian activists.
I don't think it would be unfair to characterize Iran as an Islamo-fascist state. Elections are a sham; basic human rights are vigorously denied; the judiciary is an extension of a corrupt government. DDoSing the media -- which are essentially government propaganda organs -- is not a violation of speech when it protects human rights and saves lives. This would be an exception to established hacktivist tactics but a justifiable one.
The precedent can be traced back to Jamie F. Metzl's concept of "information intervention" which has its roots in Rwanda's murder media. A brief overview can be found at this link.
RFE/RL: What is the best way hacktivists could help those struggling against repressive regimes around the world?
Ruffin: People claiming to be hacktivists should A, actually understand what the term means, then B, be strategic. And it is also important to understand that hacktivism doesn't just writing code and being a haxor [a sometimes derogatory term for an inexperienced hacker]. It's a bit deeper than that. It means using technology. All of it. At this point social media are more important tool than network hacks. If the objective is winning hearts and minds, then social media is the way to go. At least within the liberal democracies.
But when we're talking about dictatorships, then teaching activists to use anonymizing and privacy-enhancing technologies is the cornerstone. It's difficult to organize if you're being anticipated and arrested before you can put any plans into action. Back in the 60s Timothy Leary told the hippies to turn on, tune in, and drop out. That is much easier done these days with the proper technology and none of the same side-effects.
Anonymous is something everyone should be. It's the antidote to the commercial surveillance network otherwise known as the Internet.
RFE/RL: Turning to cyberattacks, the U.S. Defense Department is considering a strategy that might see certain cyberattacks as "acts of war."
Ruffin: I find this rather troubling because theoretically anyone can attack a U.S. military network. In the late 1980s some cDc members (mostly 15/16 year old guys) did this till they got bored and moved on to more interesting security projects. But hacking .mil and .gov networks is still considered a rite of passage in the computer underground.
I suspect that individuals caught tampering with anything mildly "official" in the current climate could be arrested as enemy combatants. A military, not civilian court. Guantanamo.
Anonymous is free to do whatever they want but I would caution them to consider the downside of fussing with NATO and the U.S. arsenal.
RFE/RL: With most cyberattacks, establishing a link between governments and attackers is often difficult. But if, for example, Anonymous attacks Iranian government targets, isn't the risk that these actions would just be connected by the regime to direct actions by the U.S. government? The Iranian regime isn't going to see the difference between Stuxnet and an Anonymous hack on a government department, for example.
Ruffin: You never know what bizarre reactions the Iranian government might have. I suspect that the Iranian people will pay the price as they always have.
Having said that, I feel that this particular op should be left to Iranian Anons. They're a talented and motivated crew and if they need any support then they'll ask for it. And this, BTW, is hacktivism. Not that middle-class, bull**** Sony hack nonsense.
RFE/RL: How do you see the future of "hacktivism"? Surely there are smarter tactics than DDoS?
Ruffin: As I said earlier, hacktivism uses all of technology. It's not necessary to be deeply technical. Almost anyone can make a video and upload it to YouTube. Creating networks of like-minded people has never been easier. Everyone can be a hacktivist, and that's really the key. To make hacktivism inclusive and not a coterie of the technical elites.
Right now I'm having a lot of love for Anonymiss. They're an operations group within Anonymous that focuses on women's issues in the emerging economies. Many of the supporters are women but there are also men involved in this op. And almost all of the work is being done on Twitter and Facebook and a few key blogs. I'd say Anonymiss is part of the future of hacktivism. Totally support these folks.
RFE/RL: Do you see DDoS as a form of civil disobedience?
I've heard DDoSing referred to as the digital equivalent of a lunch counter sit-in, and quite frankly I find that offensive. It's like a cat burglar comparing himself to Rosa Parks. Implicit in the notion of civil disobedience is a willful violation of the law; deliberate arrest; and having one's day in court. There is none of that in DDoSing. By comparison to the heroes of the civil rights movement DDoSing tactics are craven.
RFE.RL: Are there significant splits within the "hacktivst community," if it can even be called that?
Ruffin: Not by my definition. But I have the comfort of knowing that hacktivism was invented by the Cult of the Dead Cow, not Wikipedia.
RFE/RL: Is there a significant drive within the hacker community to hack more responsibly or ethically (of course ethics and responsibility mean different things to different people)?
Not especially. Socially conscious hackers have generally been characterized as moralfags. Even when the cDc started the whole thing back in the day we were ridiculed. My attitude is **** the hacker community. They can either come along or not. It doesn't make any difference to me. Hacktivism is a lot bigger than hacking.
RFE/RL: You say that DDoS is mostly off limits, but there are exceptions. You use the example of Iran where media is just a government mouthpiece. I see the Rwanda intervention argument, but those are lives in mortal danger. Just playing devil's advocate and, not of course for a minute would I want to support the Iranian regime, but isn't it a bit of a slippery slope to say DDoS is mostly bad, but there are exceptions. For good or bad, there are lots of people who rely on Iranian state media. If you prevent access to their sites, through DDoS, isn't it violating their right?
Ruffin: Everything is on a case by case basis. With regard to Anonymous Iran, they've specifically targeted a government website that asks people to submit data on suspected subversives. It's no big secret that such people are arrested, tortured, and even disappeared. So in this case I have zero problem with DDoSing the site to make a point.
I'm not suggesting that every media outlet in Iran be DDoSed, even though they're pretty much just government propaganda organs.
RFE/RL: You mentioned Iranian Anons. What successes have they had with their ops?
Ruffin: They did manage to do a pretty large government email hack. That was in the news recently.
RFE/RL: And why are the Sony hacks "middle-class bull****"?
Ruffin: Hacking Sony doesn't do anything to improve human rights anywhere. I'm not even sure why it was started in the first place.
Follow @lukeallnutt
Trying to characterize Anonymous is tricky -- it's more an identity than a group (more on that here). But as an umbrella movement, Anonymous has many off-shoots and rival factions, many with very different ideas about operations and tactics. For instance, some support distributed denial of service (DDoS) attacks; others don’t.
More broadly there is a split between the “moralfags,” who tend to focus on more serious targets like Middle Eastern regimes or Scientologists. The “hatefags” are just in it for the “lulz” (the laughs) and look down on anyone trying to give a moral or ethical perspective to their digital troublemaking.
I spoke by email with Oxblood Ruffin, a Canadian hacker who is a member of the Cult of the Dead Cow (cDc), a hackers' group that coined the word "hacktivist." He is also the founder and director of Hacktivismo. I asked him about Anonymous's recent operations and the ethics and rules of engagement of hacktivism.
RFE/RL: How would you define "hacktivism"?
Ruffin: Hacktivism uses technology to improve human rights. It also employs nonviolent tactics and is aligned with the original intent of the Internet, which is to keep things up and running.
With regard to tactics, things like DDoS attacks, Web defacements, malware, and network breaches are off limits. These generally limit speech and are a violation of the First Amendment and contradict Articles 19 of the UNDHR [Universal Declaration of Human Rights] and ICCPR [International Covenant on Civil and Political Rights].
We may not like what certain people or organizations have to say but their rights are protected just as ours are. Justice [Louis] Brandeis put it neatly in Whitney v. California, "If there be time to expose through discussion the falsehood and fallacies, to avert the evil by the process of education, the remedy to be applied is more speech, not enforced silence."
RFE/RL: Anonymous has recently announced that it had stolen 10,000 email addresses and was planning a DDoS attack on Iran around the time of the anniversary of Iran's postelection unrest. But what is the purpose of such attacks? How can they help effect change?
Ruffin: Generally speaking DDoSing doesn't do anything except limit Web access, but only for a time. If used strategically and with proper media coverage it can highlight certain injustices. My understanding is that Anonymous Iran (which should be viewed as an autonomous operations group) is planning to DDoS a website collecting data on Iranian activists.
I don't think it would be unfair to characterize Iran as an Islamo-fascist state. Elections are a sham; basic human rights are vigorously denied; the judiciary is an extension of a corrupt government. DDoSing the media -- which are essentially government propaganda organs -- is not a violation of speech when it protects human rights and saves lives. This would be an exception to established hacktivist tactics but a justifiable one.
The precedent can be traced back to Jamie F. Metzl's concept of "information intervention" which has its roots in Rwanda's murder media. A brief overview can be found at this link.
RFE/RL: What is the best way hacktivists could help those struggling against repressive regimes around the world?
Ruffin: People claiming to be hacktivists should A, actually understand what the term means, then B, be strategic. And it is also important to understand that hacktivism doesn't just writing code and being a haxor [a sometimes derogatory term for an inexperienced hacker]. It's a bit deeper than that. It means using technology. All of it. At this point social media are more important tool than network hacks. If the objective is winning hearts and minds, then social media is the way to go. At least within the liberal democracies.
But when we're talking about dictatorships, then teaching activists to use anonymizing and privacy-enhancing technologies is the cornerstone. It's difficult to organize if you're being anticipated and arrested before you can put any plans into action. Back in the 60s Timothy Leary told the hippies to turn on, tune in, and drop out. That is much easier done these days with the proper technology and none of the same side-effects.
Anonymous is something everyone should be. It's the antidote to the commercial surveillance network otherwise known as the Internet.
RFE/RL: Turning to cyberattacks, the U.S. Defense Department is considering a strategy that might see certain cyberattacks as "acts of war."
Ruffin: I find this rather troubling because theoretically anyone can attack a U.S. military network. In the late 1980s some cDc members (mostly 15/16 year old guys) did this till they got bored and moved on to more interesting security projects. But hacking .mil and .gov networks is still considered a rite of passage in the computer underground.
I suspect that individuals caught tampering with anything mildly "official" in the current climate could be arrested as enemy combatants. A military, not civilian court. Guantanamo.
Anonymous is free to do whatever they want but I would caution them to consider the downside of fussing with NATO and the U.S. arsenal.
RFE/RL: With most cyberattacks, establishing a link between governments and attackers is often difficult. But if, for example, Anonymous attacks Iranian government targets, isn't the risk that these actions would just be connected by the regime to direct actions by the U.S. government? The Iranian regime isn't going to see the difference between Stuxnet and an Anonymous hack on a government department, for example.
Ruffin: You never know what bizarre reactions the Iranian government might have. I suspect that the Iranian people will pay the price as they always have.
Having said that, I feel that this particular op should be left to Iranian Anons. They're a talented and motivated crew and if they need any support then they'll ask for it. And this, BTW, is hacktivism. Not that middle-class, bull**** Sony hack nonsense.
RFE/RL: How do you see the future of "hacktivism"? Surely there are smarter tactics than DDoS?
Ruffin: As I said earlier, hacktivism uses all of technology. It's not necessary to be deeply technical. Almost anyone can make a video and upload it to YouTube. Creating networks of like-minded people has never been easier. Everyone can be a hacktivist, and that's really the key. To make hacktivism inclusive and not a coterie of the technical elites.
Right now I'm having a lot of love for Anonymiss. They're an operations group within Anonymous that focuses on women's issues in the emerging economies. Many of the supporters are women but there are also men involved in this op. And almost all of the work is being done on Twitter and Facebook and a few key blogs. I'd say Anonymiss is part of the future of hacktivism. Totally support these folks.
RFE/RL: Do you see DDoS as a form of civil disobedience?
I've heard DDoSing referred to as the digital equivalent of a lunch counter sit-in, and quite frankly I find that offensive. It's like a cat burglar comparing himself to Rosa Parks. Implicit in the notion of civil disobedience is a willful violation of the law; deliberate arrest; and having one's day in court. There is none of that in DDoSing. By comparison to the heroes of the civil rights movement DDoSing tactics are craven.
RFE.RL: Are there significant splits within the "hacktivst community," if it can even be called that?
Ruffin: Not by my definition. But I have the comfort of knowing that hacktivism was invented by the Cult of the Dead Cow, not Wikipedia.
RFE/RL: Is there a significant drive within the hacker community to hack more responsibly or ethically (of course ethics and responsibility mean different things to different people)?
Not especially. Socially conscious hackers have generally been characterized as moralfags. Even when the cDc started the whole thing back in the day we were ridiculed. My attitude is **** the hacker community. They can either come along or not. It doesn't make any difference to me. Hacktivism is a lot bigger than hacking.
RFE/RL: You say that DDoS is mostly off limits, but there are exceptions. You use the example of Iran where media is just a government mouthpiece. I see the Rwanda intervention argument, but those are lives in mortal danger. Just playing devil's advocate and, not of course for a minute would I want to support the Iranian regime, but isn't it a bit of a slippery slope to say DDoS is mostly bad, but there are exceptions. For good or bad, there are lots of people who rely on Iranian state media. If you prevent access to their sites, through DDoS, isn't it violating their right?
Ruffin: Everything is on a case by case basis. With regard to Anonymous Iran, they've specifically targeted a government website that asks people to submit data on suspected subversives. It's no big secret that such people are arrested, tortured, and even disappeared. So in this case I have zero problem with DDoSing the site to make a point.
I'm not suggesting that every media outlet in Iran be DDoSed, even though they're pretty much just government propaganda organs.
RFE/RL: You mentioned Iranian Anons. What successes have they had with their ops?
Ruffin: They did manage to do a pretty large government email hack. That was in the news recently.
RFE/RL: And why are the Sony hacks "middle-class bull****"?
Ruffin: Hacking Sony doesn't do anything to improve human rights anywhere. I'm not even sure why it was started in the first place.
Follow @lukeallnutt