Anonymous intercepts confidential conference call between FBI and Scotland Yard (wsj.com)
262 points by tmrhmdv on Feb 3, 2012 | 96 comments



The most likely explanation is that they didn't 'intercept' the call but simply dialed into the conference call system and recorded the call.

The question then becomes how did they get the conference call dial in information? Perhaps they managed to get into the email of one of the participants. That would seem to be even more worrying than the interception of this single call.

Also, on many conference systems I've used standing meetings use the same dial in information from week to week. If this is a regular meeting it's possible that Anonymous has been listening in every week.


What's interesting is that the sophistication of the attack is immaterial to the fact that they achieved a significant security disclosure. You don't have to be a sophisticated hacker to perpetrate meaningful hacks, you just have to be more sophisticated than the target of your attack.

This is what makes the Anonymous movement so fascinating to me. In Anonymous culture, being "dox'd" is a big deal. That's kind of end-game stuff for hackers. Once you're outed, you're out. Coincidentally, the same rules apply for espionage.

What makes this doubly interesting is that Anonymous is made up of young, tech-savvy individuals. The establishment (government, large corporations, etc) increasingly rely on tools that are created, or at least well understood, by their attackers. It's a classical asymmetric battlefield problem. The attackers aren't big, but they have some very specific domain knowledge, and are increasing in sophistication over time.

That previous paragraph is probably way too generous in my evaluation of the skill level represented inside Anonymous, but that's a large part of the problem. We don't really know much about the insides of Anonymous by design. As the establishment pushes harder and harder (SOPA, PIPA, ACTA) to enforce the status quo, who will turn? There's a tipping point at which the establishment can no longer wage the battle. Acquiring the talent becomes too expensive and breaks their business model.


The attackers aren't big, but they have some very specific domain knowledge, and are increasing in sophistication over time. -> ideal pathway to terrorism analogy


No, not even close. While it is difficult to come up with a concrete definition of terrorism, let's at least acknowledge that it involves some form of fear/terror among the general public.

I am confident that I have nothing to fear from Anonymous. Do you?

Rather, the description (attackers aren't big...specific domain knowledge) sounds a hell of a lot more like classic guerrilla tactics. It's also worth noting that guerrilla tactics are most successful when used in defense of home territory, and I think that fits the analogy as well. The government, big media, and others are invading "the internet" which is, for all intents and purposes, anonymous's home territory.


> I have nothing to fear from Anonymous. Do you?

Thanks to whoever was calling themselves "Anonymous" one particular day, my full name, physical and email address, and credit card number were posted publicly on the Internet, merely for being a customer of a company who some misguided "Anon" thought was working for The Man (not even close by the way). This means that anyone I have ever given my address to will now be able to find out my precise address and full name. For me it is an annoyance, but I have been exceedingly careful not to associate anything controversial online with my real-life identity. Someone who had enemies, or even expressed opinions online that were controversial--to ANY segment of the population--would have a lot of reason to fear for their lives thanks to that irresponsible act.

"Anonymous" are criminals who directly target random civilians and use them as pawns to try to scare those who are in power. The people in power are sure that "Anonymous" will never tilt the balance of power away, but that doesn't stop them from trying, and leaving a devastating trail of identity theft in their wake.

Furthermore, the fact that they are so antisocial they won't show themselves means there can be no accountability for them, so the true good idealists among them are operating in an opaque cloud of others who have proven to have no insight, no judgment, and no sense of ethics or fairness (a phenomenon that anonymity often leads to in humans). These bad seeds use the public perception of "Anonymous" as a force for "Good" and "Openness" in order to commit petty crime such as charging things on other people's credit card for purely selfish reasons. We will probably see the same people exploiting "Anonymous" to commit more and more serious crimes.

Sorry for the novella. My point was just that the public has a great deal to fear from these people.

EDIT: I agree with a lot of things ascribed to that group -- I've marched with OWS before. However, their apparent mission that no one, no country, no company should have any privacy or confidentiality ever, coming from a group that refuses to identify themselves, is just making them look like hypocrites.


Terrorism: guerrilla warfare largely against civilian targets.


I'd say "political violence against civilians", in which case we're 0-for-2 with this being neither violent nor aimed at civilians.


How are Anonymous's typical shenanigans (dumping user databases and posting millions of people's personal data online in an attempt to "shame" the site owner) not aimed directly at civilians? It's like rigging the elevator cables in a building to fail. Sure, the company responsible for the elevator maintenance looks bad, but you also kill people.

Sure "Anonymous" has mostly remained nonviolent, but they regularly harm innocent people to attempt to achieve their goals.


Oh sure, this isn't terrorism, and calling it that is just silly.

"Political violence against civilians" isn't quite right, because "civilians" can nevertheless wage war. What happens when two nations fight against each other with the full backing of their "civilian" populations, who actively provide all of the funding and materiel to fight the war? Is it off-limits to attack civilians? Should that sort of warfare be lumped in with terrorism?


Has there been a war in history where civilians were not fair game?


Non-combatants should be off-limits imo, yes. However war and terrorism are completely different. It's generally accepted that there may be civilian casualties in a war zone, and that is clearly not terrorism (intimidation, maybe).

Unprovoked, unilateral attacks seem to be the more traditional form of terrorism (basically using fear to try and influence behavior), in particular when performed by groups not (officially) affiliated with a specific government.


Let's take an example from history. You have a country like Britain during WWII. It is a democracy, it has elected a government which has chosen to make war against Germany. There is widespread public support for the government and for the choice of making war against Germany. More so, the civilian economy is in high gear supporting the war effort (supplying food, clothing, arms, ammunition, vehicles, etc.)

I can understand being apprehensive about violence against non-combatants, but in the above situation what exactly is the justification for excluding attacking civilians?


Well, that's a bad example because there've been dozens of papers regarding strategic bombing in WWII, and almost all of them concluded it was a failure as far as affecting production capability of the bombee, and a worse failure as far as morale.

So on the efficacy front, it didn't make sense, and on the honor front it's on some pretty shaky ground. Of course, it happened, so there's that.


It's one thing to say that it's ineffective to bomb residential neighborhoods. It's another thing to say that it's always illegitimate. Also, what about factories staffed by civilians producing ball bearings or tires?


Or, in more recent conflicts, attacking truck drivers, weapons system maintainers, UAV operators, base entry point security guards, drivers/security for intelligence agencies, etc. At the very least, this forces the military to devote more resources to force protection for these contractors; it also limits operations out with the populace, and drives a wedge between the occupying military and the civilians in which the insurgents can survive.


And also there was a lot of resistance to targeting purely civilian areas, especially early on. Later on Germany did specifically carry out terror raids, Coventry for example.

But even Hamburg was a major center for the support of U boats, so you can see why the threat of the later Elektroboote Type XXI boats would put them on the target list.

Oh and my father's house was hit by a bomb - but they were going for the largest Spitfire factory in the UK so it wasn't his house they were trying to hit.


That definition doesn't make sense. Guerrilla warfare by definition attacks an army. Terrorism has to do with fear and coercion. Plus I don't think terrorists make any distinction in their targets.


There are fundamental differences between civil disobedience and terrorism. It's much more efficient to find people after the fact than it is to prevent such attacks. However, there is also a tiny number of terrorists in the world and a huge reserve of people willing to disrupt systems so prevention is far more effective when dealing with anonymous than it is terrorists.

PS: Want to attack the FBI, just set them as your homepage. It costs them real money, and does not end up with you in jail. Thus the appeal. (Note: It also tells them who you are...)


>It costs them real money,

Actually, it costs us real money. They're financed from taxpayers just like every other federal agency :(


PS: Want to attack the FBI, just set them as your homepage. It costs them real money

First of all it's pennies, and second of all it's the taxpayer's money, it doesn't cost FBI a thing.


True, but to clarify. I was talking about the wide group of people living outside the US, that 'hate' the US, but don't exactly feel like blowing themselves up.

For someone living in the US direct attacks are largely meaningless activity. If you want to change the system start a movement, a mime, or even just a blog. People may notice something like 9/11, but it simply reinforces existing beliefs. Because change takes ideas not just loud noises and death.


A mime?


Probably he means "a meme".

(Else, he talks about disruption of the French status quo)


Nah, it's classic asymmetrical warfare, an unintelligent large adversary creates a situation where by fighting their smaller nimbler opponent they lose their advantage.

SEAL teams use OODA asymmetries to great effect to cause confusion which leads to the overwhelming force and structure of the opponent to become a disadvantage.

Terrorism is really independent of guerrilla / asymmetrical warfare as it can be used by large bureaucratic orgs (Manhattan Project) or smaller nimbler ones (IRA/Al Qaeda)


Also, the term doesn't apply exclusively to battlefields: the MPAA has been effectively waging asymmetrical warfare against the far larger technology industry in Congress for decades.


That's a point of view that law enforcement seem to hold. Illogical and yet never questioned in print media, except by the likes of Robert Fisk.


"ideal pathway to terrorism"

don't be an idiot.


When being a dick on the internet, it's generally best if you at least comprehend what you're being a dick about.

There is a significant difference between "ideal pathway to terrorism" and "ideal pathway to terrorism analogy".


You are correct. They managed to gain access to the email account of one of the participants and simply used the information in the email about the conference call to dial in.

This is the email http://pastebin.com/8G4jLha8 and at the beginning of the recorded call you can hear the conference call software asking for the access code (https://www.youtube.com/watch?v=pl3spwzUZfQ).


>"If this is a regular meeting it's possible that Anonymous has been listening in every week."

I find this to be one of the more beautifully hilarious things I have read in quite a while!

The idea that Anon has been slurping info from a regular conf call between two intelligence/LEO orgs is just downright amazing.

Imagine though if Anon had forgotten to put themselves on mute at one point and were being addressed by others on the call:

"Whomever is working from home with the dog in the background, please mute. Thanks. Anyway - as I was saying, these Occupy Protesters need to go down...."

It would also be great if, at the end of these calls, when everyone is saying "thanks" and "bye", Anon also said "thanks" and "bye" as they hung up :)


I have a feeling that they haven't been tapping the call for weeks because if they had they'd probably be smart enough to shut up about it.


Or, perhaps the information being gathered from these calls wasn't too useful and embarrassing these agencies was judged more useful?

If they've gotten onto this phone call, one would imagine they can likely replicate this feat with regards to more detail-level meetings at one or more intelligence offices that were on the call.

And by exposing this call, they increase the level of doubt that any one agency IT team has that it was their network/phone system that was compromised. It's the ideal call to publicize.


The only reason anonymous's security operations aren't more frightening is due to their culture and goals. They just want quick wins and publicity (for themselves and for the material they unearth). However, their capabilities are top notch (limited mostly by their hesitance to do anything that requires physical presence). If they were, say, employed by a hostile government or were motivated by greed or specific political goals they would be scary.

Anonymous's MO is to spew their exploits to the world and move on. This minimizes the damage of their intrusions. If they kept quiet and spent time soaking up information or leveraging breaches to gain more and more access the things they could do would be jaw dropping.


There's no evidence, at least that I've seen, to suggest that "Anonymous" is anything approaching a cohesive organization. I think it's a mistake to refer to it that way.

Absent anything other than a common name, there's no reason to assume that the individuals comprising the "Anonymous" that recorded the FBI conference call have anything to do with the "Anonymous" who dumped Stratfor's credit card DB, or who leaked those Ron Paul emails.


Isn't the term we use for such actions "Grey hat"?


That's probably closest, but I'm not sure any color of hat fits on anonymous' head.


There's no such thing as "cheating" when it comes to subverting security measures. If you have gained access to something that is supposed to be secure then you've compromised its security measures. It doesn't matter if you bribed someone, found the password in the trash, duplicated a key via a cell phone picture from across the street, or got conference call info from a compromised email account. In the end the result is the same. The weakest link in a chain determines its strength.

You better believe that this is how spycraft works with the big boys too. You attack security measures at the weakest point, period. Doing it any other way is just making a hobby of it.


"Anonymous also published an e-mail purportedly sent by an FBI agent that gave details and a password for accessing the call."

That explains how they "intercepted" the call.


In many cases calls can be recorded by the conference call service provider. Couldn't it be that the recording of the call was later accessed? An anon need not have been listening in on the call live.


Or alternatively the Met did not learn the lessons from 15 years ago when they left the default passwords enabled on their main switch.

Huge bills were run up by phone phreaks dialing in and then out again - I even got asked to post to alt.2600 as BT's official spokesman (the Met were claiming it was our fault) but BT Security stopped that.

Worrying: after the NI revelations I do wonder if it's time for the UK to have a proper FBI style police force for serious crimes (and the Grunt end of CT work) and demote the Met to the same level as any other constabulary.


This "default passwords on phone switches" is still a problem and common attack. Mostly because there's money in it. If you can route all your international calls through someone else's switch then you can save a fortune.


Looks like I was too hard on the MET in this case; as more news has come out it looks like the FBI was the source of the break.


Anonymous is an amorphous collection of Internet enthusiasts, pranksters and activists whose targets have included the Church of Scientology, the music industry, and financial companies such as Visa and MasterCard.

First time I see a news outlet describing Anonymous in a somewhat suitable fashion.


I agree on the quality of the description, but only to a certain point. I think that neglecting to state that their actions are largely retaliatory could have been used to not-too-subtly tinge them as "pranksters" rather than "activists".

As far as I know most of them could well be within the former category, but their most visible attacks were not enacted "just for the lulz"; rather, they were guerrilla tactics employed in response to perceived threats to their Internet homeland, as stated in above comments.


The group is a loose affiliation of hackers and activists with no formal structure or membership.

Indeed, this is the first time I actually read a proper description, and certainly didn't expect so from the WSJ! Kudos to the journalist, Evan Perez.



The BBC has an odd comment on this:

  It was unclear how Anonymous had managed to obtain the
  recording but a lawyer for one of the suspects discussed
  told the BBC it appeared to have been taken as an audiofile
  from an intercepted email, rather than having been
  eavesdropped on.

So how did he interpret that from the video plus the email? Odd.

http://www.bbc.co.uk/news/world-us-canada-16875921


Interesting, all of the 'subscribe' and 'login' buttons in the article area are served by the doubleclick network. So anyone with adblock enabled just sees a partial article with no indication that there is a way to access the rest.


Here's what I do:

1. Copy/paste the title into Google and hit search [1]

2. Click on the link from the SERP.

3. Profit?

[1] http://www.google.com/search?client=ubuntu&channel=fs...


Oops, didn't see that paywall. Here's one from Forbes: http://www.forbes.com/sites/davidthier/2012/02/03/hackers-st...


Ah, I was wondering why the article ended with "The recording's authenticity ..."


The article doesn't seem to address the obvious question: If Anonymous can spy on the people investigating them, why the heck are they making that fact public? Ok, taunting the FBI is probably worth something, but surely continuing to spy on them is worth more.


Anonymous's strategy for "defeating" the FBI etc. is to publicly humiliate them and expose them to be harmful and largely worthless[1] - that goal is better served by showing off the FBI's incompetence than by guarding their own rear ends.

[1] That's not to be interpreted as a claim on my part that they are. This sentence, however, may freely be interpreted as such.

(Firefox's spellcheck isn't working for me atm (nightly, so no surprise) - please accept my apologies for any embarrassing typos above.)


That will be their eventual downfall, unfortunately. Life is not a comic book; FBI and friends can withstand humiliation after humiliation, they'll still have their guns, dogs and PATRIOT acts to come after you.

Strategically speaking, it would have been much better to just keep listening. Now involved parties will do their best to lock down, and it will be harder for Anons to eavesdrop... but hey, we got some LULz, right?


I disagree.

The FBI, DHS, TSA and so on /can/ be defeated through humiliation - you just have to keep at it until enough voters get the message for a few politicians to use "regulate XYZ" and "abolish the ABC" as mechanisms for political gain.


I wouldn't expect so much. There is ample evidence for the ineffectualness of, say, the CIA. As a simple example, at the time of the fall of the USSR (pretty much their major goal) they had admitted they had no effective agents in Russia.


Anonymous is existentially committed to "lols". They have the power to commit cyberwarfare on an amazing scale (think about China's intrusions into Google, data breaches at RSA and SSL certificate authorities, as well as things like Stuxnet). But that doesn't fit their goals and culture.


Psh. They have no goals other than basically, getting back at the bullies who made fun of them back in high school (or in some cases, are still making fun of them in high school).

Having other people be scared of and by them is very obviously their goal based on their rhetoric. They pick random "missions" and make demands, but it's about obtaining compliance based on fear, not about a "philosophy" or "culture."

This is typical because since they were abused and made fun of, and constantly in fear as children, they think that's how you "win"--to be bigger and badder and stronger. Now they have found a way to be seen as big and scary without having to be attractive, strong, and popular like their former enemies--all this takes is...fingers, very rudimentary knowledge of technology (or at least the ability to read and follow directions). They also exploit the fact that so many people are clueless about technology--even the ones entrusted with securing access to systems.


There are easier ways to stop Anonymous. You could try addressing their concerns for a start, and "not being total arses" couldn't hurt either.


Historically speaking, groups that are given everything they demand don't dissolve; they ask for more stuff. This is regardless of the "goodness" or "badness" of the demands.


Well, if you negotiate them stopping and they are centralized enough to respond to a negotiated agreement you can give in to some demands and that'll be that. Sometimes this works (the ends of most wars between nation states, the British agreement with the IRA), sometimes the other side decides to screw you over (see the vikings vs England, Hitler), and sometimes the other side isn't centralized enough that negotiating even makes sense (Al Qaeda).

So there are times when it works and times when it doesn't, but we can be pretty sure it won't work here.


Sometimes more than others. The civil rights movement largely dissolved after achieving most of its demands, for example. Many of the individual participants continued to campaign for additional causes, but the movement didn't continue with anything near its prior strength once the Civil Rights Act and Voting Rights Act were passed, because they couldn't hold together the broad coalition around a new series of demands.


I have to take issue with this statement. It didn't just "dissolve"; bad things happened (what happened to Martin King and Malcolm X is well known but also look into the fate of the Black Panthers) to all of the leaders and the movement floundered without its stronger figureheads.

That's what is so vitally important about the amorphous collective form of Anonymous and even later Occupy Wall Street. Without a clear head to cut off or discredit the movement can continue with its goals even if it loses a few people.


I think that's part of it, but I do think satisfying some of the major demands dissolved the broad coalition; moderate liberals, especially white liberals, were largely satisfied by the civil-rights legislation, and dropped out of the movement, leaving a much smaller activist core. The SNCC took a huge nosedive in membership after 1965, for example, and even MLK found it harder to muster the same levels of support for his post-'65 causes (like desegregating Chicago, and ending poverty).


You mean they get stuff like ACTA?


Care to give any relevant examples of this from the history of which you speak?


I guess you could look at some unions as an example. They ask for things to the point where in some places people can't use a broom to sweep up their workspace because that's a 'union job' and it would take away a job from a union member.


Forgive me for sounding trite, but isn't that the way it's supposed to work?


A few years ago this (phone hacking) would have been considered journalism by the British press.


And specifically that portion of the British press owned by the same company which own the WSJ.


Don't forget to google the article first and then click through there so you can see the full text on the WSJ site.


An interesting feature for HN to have: when there's a paywall of this sort, link to the google redirect instead.


Found the audio recording on youtube if anyone's interested http://www.youtube.com/watch?v=Ryq1v-cLHrk


It's odd to me that conferences between the FBI and Scotland Yard apparently happen on the same public telephone network used by the commercial and residential world, rather than on a completely separate system.


What a lapse. One would expect that the FBI and their international counterparts would be doing any conference call over a secure, classified network... not POTS.

Is this really par for the course?


Probably. As a taxpayer, do you want to pay for a brand new phone network and conference call service, or would you prefer that the government just contract that out?


This is going to make a great movie someday, but I fear in reality it's going to end up with another Bradley Manning (remember him rotting away?)


Well, didn't he commit a crime? Correct me if I'm wrong.


As far as I'm aware, he's been in solitary confinement for quite some time now without trial. He hasn't been convicted.


The real security gaffe here seems to be sending passwords in non-PGP encrypted email...


They'd be much more likely to use S/MIME than PGP, if they were going to use anything. The infrastructure for S/MIME is already deployed in much of the Federal IT space, while PGP is only used for some small niche applications as far as I'm aware.[1]

But that wouldn't have been a guarantee -- the message wasn't intercepted in transit, it was apparently intercepted by compromising the receiver's account. It's not clear how this was accomplished, but if it was by a trojan it could easily have end-run the message encryption, had it been in use.

Honestly, the security at most large organizations is so bad, they're not even at the level where their lack of email encryption presents the weakest link.

[1] Actually the only place I've ever seen a PGP key used in connection with a Federal agency, was by the NSA for reporting SELinux bugs / vulns. And that was a long time ago.


Kinda interesting they beeped out some names when the officers would say them.


They bleeped out names of alleged Anonymous members. Sort of protecting their own. Did they also bleep out FBI agents' names?


Perhaps it's a checksum/safeguard? You could prove you were the real recorder of the call by providing those names later.


Anonymous is a group of people who uses technology. Technology has tentacles. Tentacles can be located, observed and followed to the root. My guess is the FBI was monitoring them.


FBI's problem is that they assume that their 'victims' have worse tools than them..most of us HN readers probably have better mail encryption software than any FBI field agent. Not to mention software to encrypt a hard-drive.

Using encryption and Ciphers is not a crime FBI..just ask Phil Zimmermann


The FBI is using a 40 year old technology that can be hacked by whistling 2600 hz into a phone and get all bent out of shape when someone records it?

Sounds like an agenda to set up the stage to get censorship back on the table. The FBI wants these breaches, then they can point to it and say "we need censorship to take down these videos because we can't be bothered with any security precautions".


The FBI is using a 40 year old technology that can be hacked by whistling 2600 hz into a phone and get all bent out of shape when someone records it?

No.


>The FBI is using a 40 year old technology that can be hacked by whistling 2600 hz into a phone and get all bent out of shape when someone records it?

Systems haven't been susceptible to that attack for years, and it doesn't matter anyways! They could have been using a fucking private satellite protected with three layers of the best ciphers known to man, it still would have been broken by them getting the conference number and password, like they did here.


The question is why did the call participants not use something you have in addition to username and password to access the call - you know like the RSA token thingy I use to log into my work network from home?


I'm not sure a conferencing system like that even exists. It's definitely a good idea, but I've never heard of enterprise gear with that kind of feature.


They absolutely exist and for a sensitive conference call such as this, each user should have had an individual pin and a roll call should have been played (playback of each recorded name). Double logins would cause suspicion as well as non-recorded names. Also, all modern systems have a web interface that allows you to see the participants on your call. In some cases you can even bring up the phone number of each participant on your phone display. When it comes to telephony, it is nearly impossible to get important security measures enabled because people want everything to work the way it did for the last 15 years. Also, users absolutely refuse to educate themselves, it is just a phone, what is there to know. Yet look at all of the outrage over people logging into voicemail or performing theft of service due to trivial passwords, CLID spoofing and now simply dialing into a conference bridge.

There should be laws against people entitled to sensitive information sharing via indefensibly incompetent methods. That might make agents think twice before doing something this stupid.
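
The checks listed in the comment above (individual PINs, recorded names for roll call, suspicion on double logins, reviewing who is on the call) can also be run over a bridge's join log after the fact. This is an added example, not part of the thread and not any vendor's product: the CSV layout, field names, roster and sample events are all constructed for illustration.

```python
"""Audit conference-bridge join events for the warning signs described above.

Hypothetical throughout: the log format, PIN ids and roster are assumptions
made for this example and do not correspond to a real bridge product.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one row per join/leave event on a single call.
SAMPLE_LOG = """\
time,event,pin_id,caller_id,name_recorded
2024-01-01T16:00:05,join,pin-ALICE,+15550100,yes
2024-01-01T16:00:40,join,pin-BOB,+442079460000,yes
2024-01-01T16:01:10,join,pin-BOB,+15550199,no
2024-01-01T16:02:00,join,pin-SHARED,+15550142,yes
2024-01-01T16:30:00,leave,pin-ALICE,+15550100,yes
"""

# Constructed roster: each invited participant's individual PIN and the
# caller IDs they registered. Caller ID can be spoofed, so a match proves
# little; a mismatch is still worth a look.
ROSTER = {
    "pin-ALICE": {"+15550100"},
    "pin-BOB": {"+442079460000"},
}


def audit(log_text, roster):
    """Return a list of (time, pin_id, finding) tuples for suspicious joins."""
    active = defaultdict(int)  # pin_id -> call legs currently joined
    findings = []
    rows = sorted(csv.DictReader(io.StringIO(log_text)),
                  key=lambda r: datetime.fromisoformat(r["time"]))
    for row in rows:
        pin, when = row["pin_id"], row["time"]
        if row["event"] == "leave":
            active[pin] = max(0, active[pin] - 1)
            continue
        if row["event"] != "join":
            continue
        if pin not in roster:
            # A PIN nobody was issued: shared or stale dial-in details.
            findings.append((when, pin, "unknown-pin"))
        else:
            if active[pin] > 0:
                # Same individual PIN on the call twice at once.
                findings.append((when, pin, "duplicate-login"))
            if row["caller_id"] not in roster[pin]:
                findings.append((when, pin, "unregistered-caller-id"))
        if row["name_recorded"].strip().lower() != "yes":
            # No name recorded, so the roll call would not announce this leg.
            findings.append((when, pin, "no-recorded-name"))
        active[pin] += 1
    return findings


if __name__ == "__main__":
    for when, pin, finding in audit(SAMPLE_LOG, ROSTER):
        print(f"{when}  {pin:<11} {finding}")
```
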


Well, it would be the obvious solution to securing conferencing systems, and I can't see any reason you could not use the same hardware we use for VPN access to authenticate you to a video conferencing system: just ask for a second PIN generated by the SecurID system on sign-in.


Why are these two guys using a conference calling system for a 1-to-1 phone call? Why not just a direct call?


Because it was a conference call, not a 1-to-1 call!


This Anonymous story is interesting as well [Anonymous Hacks Neo-Nazis, Finds Ron Paul]: http://www.care2.com/causes/anonymous-hacks-neo-nazis-finds-...



