Greg Hoglund's nightmare began on Super Bowl Sunday. On Feb. 6 the high-tech entrepreneur was sitting in his office, trying to get to the bottom of some unusual traffic he had spotted on the Internet. Two days earlier he had noticed disturbing activity hitting the website of HBGary Federal, a Sacramento startup he had helped found in 2009. Suspecting some kind of hacker attack, he spent the weekend helping to lock down the company's systems. A few hours before kickoff of the Green Bay vs. Pittsburgh game, Hoglund logged in to his corporate Google account, and his fears were confirmed.
He couldn't get in. Someone had changed the password and locked him out of his own e-mail system.
Stolen passwords and hackers are facts of life in the Internet Age. Twitter, Facebook, MasterCard (MA), the Washington Post Co. (WPO), the New York Stock Exchange (NYSE), the U.S. State Dept., and countless other organizations large and small have had to deal with cyber-assaults. More often than not, the security hole is plugged and, if the victims are lucky, the plague abates. Not this time. HBGary Federal is a spinoff of Hoglund's HBGary Inc., a cyber-security firm that offers protection to corporations and governments from cyber-attack. Hoglund built his career on the business of hacker-proofing—getting hacked meant HBGary failed at the very thing it's paid to get right.
Hoglund called Google's corporate technical support to shut down the account, but a representative told him that doing so would take time. It didn't matter. Intruders were already helping themselves to tens of thousands of internal documents and e-mails, some of them personal exchanges between Hoglund and his wife, Penny Leavy, president of HBGary. Then the hackers—who turned out to be members of the anarchic cyber-guerrilla organization that calls itself Anonymous—triumphantly posted their electronic booty on an online file-sharing service for all the world to see.
That's when Hoglund's real problems began, and the resulting controversy—involving a high-powered Washington (D.C.) law firm, the Justice Dept., and the whistle-blower site WikiLeaks—hasn't just been entertaining geek theater but a rare look into the esoteric realm of cyber-security. It's a world where only a select few understand the workings of the computers and networks we all use, where publicly antagonizing the wrong people can have disastrous consequences, and where some participants tend toward self-aggrandizement and flexible differentiations between right and wrong.
The HBGary Federal documents—to Hoglund's surprise, he says—revealed unethical and potentially criminal plans to build a digital-espionage-for-hire business. "They really showed how bad things are getting," says Bruce Schneier, a renowned computer security expert. "Blackmail, espionage, data theft. These are things that were proposed as reasonable things to do. And no one said, 'Are you crazy?' "
The plans were conceived in part by HBGary Federal's top executive, a former U.S. Navy cryptologist named Aaron Barr. Barr was working in conjunction with two other security companies. In a bit of cloak-and-dagger grandiosity, the firms dubbed their collaboration Team Themis, after a titan of Greek mythology who embodied natural law. (Forsaking Themis brings on Nemesis.) Team Themis proposed to electronically infiltrate grass-roots organizations opposed to the U.S. Chamber of Commerce, the powerful Washington lobbying organization. In a separate and even more legally dubious proposal intended for Bank of America (BAC), the group laid out a plan to infiltrate WikiLeaks and intimidate its supporters.
Team Themis's machinations were exposed before they got past the proposal stage. But the schemes the security firms came up with were Nixonian in scope and Keystone Kops-like in execution. In a 12-page PDF sent to Hunton & Williams, the Washington law firm representing the U.S. Chamber, Team Themis suggested creating dummy documents and online personae, and scouring social networks such as Facebook for intelligence on their prospective client's most vocal critics. In the proposal for Bank of America, the security firms suggested hacking WikiLeaks itself to expose its sources.
For Hoglund and his 30-person company, the fallout from the revelations continues to grow. Employees of HBGary and their families have been besieged with hostile phone calls and e-mails, including some death threats, and the company canceled its presentations at the annual RSA cyber-security conference in February. News sites that cover computer security have plumbed the document dump, turning HBGary and Barr into objects of ridicule. Barr resigned on Mar. 1 and declines to speak publicly about the ordeal.
All of it makes Greg Hoglund furious. "These individuals are not hacktivists, they are criminals," he tells Bloomberg Businessweek, referring to his Anonymous adversaries. "If you let a gang of cyber-thugs hack into systems with impunity and get away with it, what kind of precedent does that set for cyber-security?"
Hoglund, 38, is widely respected in the computer security world for his expertise with "rootkits," software that keeps privileged access to a computer while hiding itself from the system's own detection tools. The HBGary chief executive officer never went to college and learned his trade on the fly, spending time with other hackers and writing his own security software. He co-founded HBGary in 2004, providing corporations with tools to detect, analyze, and combat sophisticated malware attacks from hostile foreign governments. (The firm's name is derived from Hoglund and his two original partners, Shawn Bracken and Jon Gary.) Among the companies HBGary has worked with are Morgan Stanley (MS), Sony (SNE), and Walt Disney (DIS).
Fifteen months ago, Hoglund decided to branch out into a new market and spun off HBGary Federal to perform classified work for the U.S. government. Employees of the subsidiary would have military experience and top security clearances. To run the operation, Hoglund tapped Barr, then an engineer in the Intelligence Systems Division of military contractor Northrop Grumman (NOC).
"Aaron has a very high IQ. He's a very smart individual," says Hoglund. "He also has an incredibly good reputation, or he did at the time."
In the year after he was hired, Barr had little success building HBGary Federal's business. The firm initially attempted to break into the "incident response" market, selling its spycraft to government agencies so they could shut down leaks and identify cyber-attackers. That field is competitive, and paying work sparse for startups. By October 2010, in the e-mails that later became public, Hoglund warned Barr that HBGary Federal was "out of money and none of the work you had planned has come in." In his reply, Barr agreed.
Barr did have one possible lifeline. On Oct. 19, Palantir Technologies, a Palo Alto (Calif.) cyber-security company whose terrorism analysis software is used by the Pentagon and the CIA, reached out to HBGary Federal and another security firm, Virginia-based Berico Technologies, with a tempting offer. Palantir said it had been approached by Hunton & Williams, a century-old firm with ties to the Republican Party and the defense industry. The firm needed investigative services on behalf of a high-profile, deep-pocketed client.
Barr and representatives from the other companies discussed the project via e-mail and visited Hunton & Williams in November to meet with Richard Wyatt, co-head of the firm's litigation group. A person who was at the meeting says Wyatt wore suspenders, smoked a cigar, and propped up his cowboy boots on his desk—a cartoonish vision of a D.C. power broker. But the security professionals were impressed when they learned the identity of the prospective client: the U.S. Chamber of Commerce, which had just backed a wave of successful conservative candidates for Congress.
The Chamber, it seemed, had a public-relations problem: Activist organizations such as U.S. ChamberWatch, Velvet Revolution, and Change to Win were accusing it of financial improprieties and using foreign donations for political purposes. The Chamber believed all these grass-roots organizations were working in concert with the surreptitious backing of major unions. According to the e-mails released by Anonymous, Hunton & Williams was already amassing reams of information, including union rosters, and needed expert help in digesting the data. The security firms' mission, should they choose to accept it: Infiltrate the activist groups and their leadership, compile dossiers, and help the law firm "truly understand and eliminate emerging threats that could cause harm to their clients," according to a Team Themis document.
The team's members spent much of November working up their proposal. They highlighted how they would funnel their gleanings through Palantir Technologies' military-grade terrorist-tracking software. "We need to blow these guys away with descriptions of our capabilities," wrote Matthew Steckman, an engineer at Palantir, in one of the e-mails in the published documents. "Make them think that we are Bond, Q, and money penny [sic] all packaged up with a bow."
Then there was the matter of price. Such private online espionage was hardly common practice, and there was no industry-standard pay scale. Team Themis landed on $2 million. For that sum, the client would get a "daily intelligence summary," "link diagrams," and "target impact analysis," among other services. Hunton & Williams, on behalf of the Chamber, balked at the price, so the security companies agreed to do a pilot on spec. (The law firm has not commented on the matter.)
Hunton & Williams clearly saw potential in Team Themis. On Dec. 2, in a message with the subject line "Urgent: Opportunity," a partner at the firm asked the group to come up with a new plan, this time to combat WikiLeaks on behalf of a different prospective client—Bank of America, which believed WikiLeaks was about to publish a cache of its documents. (The Justice Dept., the e-mails suggested, had recommended that Bank of America hire Hunton & Williams.)
Barr took the lead in crafting what would become an infamous 24-slide PowerPoint presentation that called for a cyber-campaign of disinformation against WikiLeaks. The document analyzes WikiLeaks' server infrastructure, talks about planting news stories about the exposure of its confidential informants, and proposes online attacks. Some of the language is comical, like a verbal version of an old Spy Vs. Spy cartoon from Mad magazine: "Speed is crucial!" blares one slide. "The threat demands a comprehensive analysis capability now." A person familiar with the creation of the presentation said it was the result of late-night brainstorming, and that the security firms knew Bank of America would likely reject the most aggressive tactics.
As with the Chamber of Commerce scheme, the WikiLeaks proposal never got a final hearing. While HBGary Federal and the other security firms awaited a formal go-ahead from Hunton & Williams and its clients, Barr decided to deploy his new research techniques on Anonymous.
Anonymous has had a busy winter. The group, which appears to be less a formal organization than a loose coalition of tech-savvy radicals, attacked government websites in Egypt and Tunisia. It launched denial-of-service attacks on Amazon.com (AMZN), PayPal, MasterCard, and Visa (V) after those companies declined to do business with WikiLeaks. Barrett Brown, an unofficial spokesman for the group, says its goal is "a perpetual revolution across the world that goes on until governments are basically overwhelmed and results in a freer system."
Barr had come to believe that companies would have to defend themselves against this anarchic sensibility using the same tactics as the mischief makers. He also believed he had the skills and experience to join the battle. His principal weapon was a method he developed to associate the real identities found in social networks such as Facebook and LinkedIn with the anonymous profiles of hackers. So while Hunton & Williams weighed Team Themis's proposals, and with the ultimate fate of HBGary Federal hanging in the balance, Barr figured the time was right to demonstrate how social networks could yield an intelligence bonanza.
Barr began by lurking, under a fake identity, in the Internet Relay Chat (IRC) channels where Anonymous coordinates. At the same time, on social networks, he "friended" people thought to be senior members of the Anonymous collective. Barr then compared the times at which suspected hackers were active in the IRC channels under their pseudonyms with the times at which their own identifiable social-networking accounts were active, treating persistent coincidence as evidence that the two belonged to the same person.
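The timing correlation described above, reduced to code. This is an added illustration, not Barr's tool or anything from the leaked HBGary material: the IRC sessions, the three candidate accounts and their timestamps are constructed, and the scoring rule (bucket activity into 30-minute windows, then measure how much of a candidate's activity falls inside the pseudonym's sessions and how much of the session time the candidate covers) is an assumption about how such an analysis is typically done. The important caveat is built into the output: a high score is circumstantial. People in the same time zone with the same evening habits coincide by chance, which is one reason this kind of attribution is unreliable.

```python
"""Temporal correlation of a pseudonymous IRC handle with named accounts.

Added example for illustration only; not code from the article, from
HBGary Federal, or from Aaron Barr. All timestamps and account names are
constructed. The scoring heuristic is an assumption, not a documented method.
"""
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"
BUCKET = timedelta(minutes=30)
EPOCH = datetime(2011, 1, 1)  # arbitrary origin for bucket numbering

# Constructed: (join, part) intervals observed for the pseudonym "ghost".
IRC_SESSIONS = [
    ("2011-02-01 21:00", "2011-02-01 23:30"),
    ("2011-02-02 20:30", "2011-02-02 22:00"),
    ("2011-02-03 21:15", "2011-02-03 23:45"),
    ("2011-02-04 02:00", "2011-02-04 03:00"),
]

# Constructed: post/login timestamps for three fictional named accounts.
SOCIAL_ACTIVITY = {
    "alice": ["2011-02-01 21:10", "2011-02-01 22:40", "2011-02-02 21:05",
              "2011-02-03 22:00", "2011-02-04 02:20"],
    "bob":   ["2011-02-01 09:00", "2011-02-02 12:30", "2011-02-03 08:15"],
    "carol": ["2011-02-01 21:30", "2011-02-02 10:00", "2011-02-03 23:00"],
}


def to_bucket(ts: datetime) -> int:
    """Index of the 30-minute window containing ts (timezone-free, fixed origin)."""
    return int((ts - EPOCH) / BUCKET)


def session_buckets(sessions):
    """Every window touched by any (join, part) interval, inclusive of partial ends."""
    buckets = set()
    for start, end in sessions:
        first = to_bucket(datetime.strptime(start, FMT))
        # end is exclusive; a part at exactly HH:00 does not touch the next window
        last = to_bucket(datetime.strptime(end, FMT) - timedelta(microseconds=1))
        buckets.update(range(first, last + 1))
    return buckets


def activity_buckets(stamps):
    return {to_bucket(datetime.strptime(s, FMT)) for s in stamps}


def score(pseudonym_buckets, candidate_buckets):
    """Return (hit_rate, coverage).

    hit_rate: share of the candidate's active windows that fall inside IRC
              sessions (1.0 means the candidate is never seen outside them).
    coverage: share of IRC session windows in which the candidate is active.
    Both are needed: a candidate who posts once, during a session, has a
    perfect hit rate and tells you nothing.
    """
    if not candidate_buckets or not pseudonym_buckets:
        return 0.0, 0.0
    hits = pseudonym_buckets & candidate_buckets
    return len(hits) / len(candidate_buckets), len(hits) / len(pseudonym_buckets)


def rank_candidates(sessions=IRC_SESSIONS, social=SOCIAL_ACTIVITY):
    """Candidates ordered by hit_rate then coverage: [(name, hit_rate, coverage), ...]."""
    pb = session_buckets(sessions)
    ranked = [(name, *score(pb, activity_buckets(stamps)))
              for name, stamps in social.items()]
    ranked.sort(key=lambda r: (r[1], r[2]), reverse=True)
    return ranked


if __name__ == "__main__":
    for name, hit, cov in rank_candidates():
        print(f"{name:6s} hit_rate={hit:.2f} coverage={cov:.2f}")
    print("High scores are coincidence until corroborated by something else.")
```

In the constructed data "alice" is never active outside the pseudonym's sessions, but covers less than a third of the session time, which is exactly the pattern a shared time zone produces; nothing in the score distinguishes that from identity.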
The exposed HBGary e-mails would later reveal that Barr's own employees thought he was overreaching and that they feared retribution from the vengeful Anonymous. But Barr plunged ahead. He proposed a talk at the RSA conference in San Francisco titled "Who Needs NSA when we have Social Media?" Then he promoted the talk by suggesting he would expose the identities of the primary members of the group.
On Feb. 4, a Friday, Barr bragged to the Financial Times about his upcoming talk and claimed he had obtained the identities of the group's de facto leaders. Bad idea. As Stephen Colbert summed it up, lampooning the HBGary affair on his TV show, "Anonymous is a hornet's nest. And Barr said, 'I'm gonna stick my penis in that thing.' "
When hackers taunt, they often use the term "pwned"—as in, "I so pwned you, newbie." No one seems to agree where the word came from. Google it, and you'll find claims that it's a corruption of "owned," or that it's from a computer game, or maybe it's just a shortened form of the chess term "pawned." Whatever its origins, the term connotes humiliating domination by another person or group.
That's roughly what happened next to Barr, Hoglund, and HBGary. Responding to Barr's public claims, the Anonymous hackers exploited a vulnerability in the software that ran HBGary Federal's website, obtained the company's list of user names and hashed passwords, and cracked the hashes. Barr and some of his colleagues, Anonymous then discovered, had committed computer security's most basic sin: They used the same password on multiple accounts. The hackers commandeered Barr's Twitter and LinkedIn accounts, lacing both with obscenities. One of the passwords also opened the company's corporate Google account. Jackpot. Less than 48 hours after Barr's Financial Times interview appeared, the hackers had the keys to the kingdom.
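The chain described above, cracked hash dump plus password reuse, in miniature. This is an added example, not HBGary's code and not a reconstruction of the actual attack: the accounts, passwords, word list and both services are constructed. It assumes the breached web application stored unsalted MD5 hashes (a common weakness in older content-management systems; the article says only that the list was obtained and decoded) and that the second system, standing in for the corporate mail provider, stores passwords correctly with a salted, slow hash. The point it makes is that the second system's good storage is irrelevant once a user reuses a password recovered from the first.

```python
"""Cracking an unsalted hash dump and pivoting on password reuse.

Added example; not code from HBGary or from the article. Accounts, passwords,
the word list and both "services" are constructed. Assumptions: service A
stores unsalted MD5; service B stores salted PBKDF2-HMAC-SHA256.
"""
import hashlib
import hmac
import os

# Service A: the breached web app. Unsalted MD5 means one hash computation
# per word tests every account at once, and precomputed tables work directly.
SERVICE_A = {
    "alice": hashlib.md5(b"winter2011").hexdigest(),
    "bob":   hashlib.md5(b"8Kq!v2#pLm9z").hexdigest(),
    "carol": hashlib.md5(b"Tr0ub4dor&3").hexdigest(),
}


def pbkdf2_record(password: bytes, rounds: int = 50_000) -> dict:
    """Store a password the right way: random per-user salt, slow derivation."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, rounds)
    return {"salt": salt, "rounds": rounds, "hash": dk}


def pbkdf2_verify(record: dict, password: bytes) -> bool:
    dk = hashlib.pbkdf2_hmac("sha256", password, record["salt"], record["rounds"])
    return hmac.compare_digest(dk, record["hash"])


# Service B: a well-run system (think: the corporate mail account).
# Constructed reuse: alice and carol use the same password on A and B.
SERVICE_B = {
    "alice": pbkdf2_record(b"winter2011"),
    "bob":   pbkdf2_record(b"Qz7$mN!4wrT0"),
    "carol": pbkdf2_record(b"Tr0ub4dor&3"),
}

# Constructed word list; a real one has hundreds of millions of entries.
WORDLIST = [b"password", b"letmein", b"winter2011", b"summer2010",
            b"Tr0ub4dor&3", b"123456"]


def crack_unsalted_md5(dump: dict, wordlist) -> dict:
    """Return {user: cleartext} for every hash that matches a word list entry.

    Without a salt the attacker hashes each candidate once and looks it up
    against all accounts; with per-user salts the cost multiplies by the
    number of accounts and precomputation is useless.
    """
    table = {hashlib.md5(w).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in dump.items() if h in table}


def pivot(cracked: dict, other_service: dict) -> list:
    """Users whose recovered cleartext also authenticates to the other service."""
    return sorted(user for user, pw in cracked.items()
                  if user in other_service and pbkdf2_verify(other_service[user], pw))


if __name__ == "__main__":
    cracked = crack_unsalted_md5(SERVICE_A, WORDLIST)
    print("cracked on service A:", {u: p.decode() for u, p in cracked.items()})
    print("reused, so also open on service B:", pivot(cracked, SERVICE_B))
```

"bob" survives both steps only because his password was not in the word list and, separately, not reused; the slow salted hash on service B bought "alice" and "carol" nothing. The defensive check that follows from this is the one HBGary evidently lacked: no shared credentials between the public-facing CMS and the accounts that hold the e-mail.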
They immediately started downloading HBGary's e-mails. All told, Anonymous got hold of 60,000-plus—about 4.7 gigabytes worth, including attachments—and quickly put them all online in conveniently searchable form. The material details online security holes at HBGary clients and prospects such as Sony, Johnson & Johnson (JNJ), Disney, ConocoPhillips (COP), and dozens of others. The e-mails showed that DuPont (DD) was breached in 2009 (by the same hackers who hit Google) and again in late 2010. DuPont employees on a business trip to China even found that their laptops had been implanted with spyware while the hardware was supposedly locked inside a hotel safe.
In the ensuing days, Barr and Leavy, HBGary's president, took to IRC channels to plead with Anonymous for mercy. None was forthcoming. Members of the group and their supporters gleefully defaced and posted photos of Barr, published personal details about his family, tweeted his Social Security number, and generally gloated about pwning a professional adversary. They said the "ninja team" that hacked HBGary included a 16-year-old girl named Kayla. (Rumors online suggest that "Kayla" is actually a 26-year-old man living in New Jersey. Who's right? Not even Anonymous may know.) "We have no choice but to defend ourselves and defend WikiLeaks by these means," says Brown, the unofficial Anonymous spokesman. "This has just begun. We're absolutely at war now."
Meanwhile, the other members of Team Themis deny they wanted to push the operations as far as Barr did—despite the volumes of incriminating e-mails. Palantir Technologies CEO Alex Karp blames HBGary for conceiving the plot, decries any attempt to develop "offensive cyber capabilities," and has placed on leave Steckman, the engineer who coordinated with Team Themis. Palantir also issued a public apology to Glenn Greenwald, a Salon.com journalist who was singled out in a Themis proposal as a WikiLeaks defender and thus a possible target. In a statement, Berico Technologies says it "does not condone or support any effort that proactively targets American firms, organizations, or individuals." At the same time, it cut ties with HBGary.
The U.S. Chamber of Commerce said in a press release that it's "incredulous that anyone would attempt to associate such activities with the Chamber," adding that it had not seen the incendiary proposals before they were made public. Morgan Stanley dropped HBGary as a security contractor. Barr never delivered his speech and when he tendered his resignation three weeks after the Anonymous attack, he said he was confident HBGary would be able to "weather this storm."
As for Hoglund, even his friends in the security industry wonder how long HBGary can survive amid the onslaught of negative publicity. But the CEO claims his company has undergone a rigorous security review and is back on track. He says the hackers "made a hole-in-one from 200 yards away" and that it will never happen again. "They are nowhere near as sophisticated and scary and large as they would like people to think they are," he says.
And while the lesson of the HBGary saga may be that it's not always easy to tell the black hats from the white hats in the ambiguous game of computer security, Hoglund has no doubt which is which. "It will get worse," he says. "This whole event has only emboldened them. I hope this isn't the way the Internet has to be. Right now it's a domain of lawlessness. This is bigger than HBGary, than my company. Right now, the pendulum has swung way over to the bad guys' side."