Monday, December 13, 2010

Internet Anarchy: Anonymous Crowds Flex their Muscles

One of the things I love about working in the UAB Computer Forensics Research Laboratory is having the opportunity to learn from professors from so many different specialty areas. In addition to the Computer Science professors who visit our lab for the weekly Spam Researchers Meeting, where we entertain guests from the Knowledge-Discovery & Data Mining Lab and the Artificial Intelligence Lab, I also get to work with criminologists, sociologists, and forensic chemists who make up the rest of our "CIS-JS Working Group." Last week I had the pleasure of visiting a DEA Drug Testing lab with my colleague Dr. Elizabeth Gardner. Today I was able to compare data mining techniques with a visiting Bioinformatics professor from Colorado State. But some of the times I learn the most are when I visit with my department chairs, Dr. Anthony Skjellum in Computer & Information Sciences and Dr. John Sloan from Justice Sciences.

A Sociologist looks at AnonOps


Like most Computer Security people, I've been following the Wikileaks responses from Anonymous with interest. As I've watched Anonymous recruit their activist army, I've been thinking more and more about lynch mobs, so I asked Dr. Sloan to come up to the lab and help me understand how mobs work. I made my best pitch to him, explaining how "AnonOps," as the Anonymous Operations group calls itself, calls to mind a mob that was a cross between the angry villagers storming Dr. Frankenstein's castle and childhood memories of Detroit fans burning cars in the streets.


Dr. Sloan explained that the public (like me) have a lot of misconceptions about mobs. He said what we are dealing with in the Anonymous DDOS attacks are actually instances of "Diffuse Crowds." In the case of Anonymous, Sloan says that "Convergence Theory" explains this type of crowd. It's not that a group of people spontaneously erupted into acts of cyber vandalism, but rather that people who share similar passions come together with an intention to "make a difference" but without a clear agenda on how to do so. Some of the people who come to these online gatherings are bystanders, some followers and some leaders, but these roles are not set in stone. When the crowd has gathered - in this case on an IRC channel - various members of the crowd propose courses of action. When one of the proposals is adopted by the group, that person, whether or not they intended to be, is suddenly, and perhaps only temporarily, a leader.

The earlier prominent theory of crowd behavior was called "Contagion Theory" and proposed that membership in a crowd results in "irrational, emotionally charged behavior."

My early suggestion to Dr. Sloan was that it was because of being Anonymous that the crowd was choosing to participate in DDOS attacks. Perhaps the leaders of the group also counted on that effect. Their instructions for how to volunteer your computer to participate in the DDOS attacks against Mastercard said "if you get caught, don't admit to anything and tell the authorities that your computer must have a virus!" The belief of the general public is that mob behavior, such as that which led to race riots and lynchings in previous generations, counts on the anonymity and the irrational frenzy of the mob for its success.

Crowds that take action are "Expressive Crowds" or "Mobs" if those expressions lean towards violence towards a target or "Riots" if those expressions lean towards generalized violence and lawlessness. Expressive Crowds gather around strong emotions, such as joy, excitement, anger, or fear.

Dr. Sloan said that while Convergence Theory also says that groups come together along strongly felt emotions, they should be seen as "rational," with individuals understanding their decisions and acting by choice, not due to some "mass hysteria" or "frenzy."

Expressive Crowds in Cyberspace


As we look at previous expressive crowds that turned towards cyber attacks in the past we see that this seems to be a correct characterization.

In 2008, when Russia invaded the area of Georgia known as South Ossetia, the interest was nationalism. As online chatrooms and forums discussed the rightness of the Russian cause, the idea was planted and began to spread that individuals could help with a DDOS against Georgian government and media computers.

August 19, 2008 - Evidence that Georgia DDOS Attacks are Populist in Nature

In 2009, when the Iranian government cracked down on the process of a free election, Facebook and Twitter users colored their profile pictures green to show solidarity with the oppressed voters. As more Twitter followers started watching the "#IranElection" hashtag, some began providing information on how to DDOS the Iranian government. The number of participants in the group grew, with some reading the tags (bystanders), some choosing passive signs of response (green profile pictures), and some choosing active measures (DDOS Attacks).

June 16, 2009 - Armchair Cyberwarriors: Twitter and #IranElection

This past summer Islamic activists, already in chat rooms and forums to communicate about proselytizing the Islamic way of life in the west, began sharing information on how to attack Facebook by downloading an attack tool.

June 1, 2010 - Virtual Jihad Against Facebook

Anonymous and Operation Payback


Operation Payback takes its name and its tactics from a company that claims to have been contracted by the motion picture industry to shut down websites that are trading in pirated movies. Girish Kumar, the managing director of Aiplex Software, explains that the film industry hires cyber hitmen to take down internet pirates. He claimed that his company is hired "to launch cyber attacks on sites hosting pirated movies that don't respond to copyright infringement notices sent to them by the film industry."

The die was cast in September 2010 when Aiplex turned its attention to the greatest source of pirated movies on the internet, The Pirate Bay. In response, one of the /b/rothers from 4chan pointed a botnet under his own control at Aiplex, taking the company's website offline while other members of the channel were still talking about the best way to do so.

Almost immediately, the 4chan buzz began looking for a new target. TechCrunch ran a story that contained the original call to arms:

How fast you are in such a short time! Aiplex, the bastard hired gun that DDoS’d TPB (The Pirate Bay), is already down! Rejoice, /b/rothers, even if it was at the hands of a single anon that it was done, even if ahead of schedule. now we have our lasers primed, but what do we target now?

We target the bastard group that has thus far led this charge against our websites, like The Pirate Bay. We target MPAA.ORG! The IP is designated at “216.20.162.10”, and our firing time remains THE SAME. All details are just as before, but we have reaimed our crosshairs on this much larger target. We have the manpower, we have the botnets, it’s time we do to them what they keep doing to us.

REPEAT: AIPLEX IS ALREADY DOWN THANKS TO A SINGLE ANON. WE ARE MIGRATING TARGETS.


(The original Anonymous image, according to EncyclopediaDramatica.com's Anonymous entry)

They were able to knock offline, at least temporarily, the Recording Industry Association of America and the Motion Picture Association of America. Later in the month, the Low Orbit Ion Cannon, or LOIC as the chosen 4chan attack tool is called, was pointed at AFACT - the Australian Federation Against Copyright Theft. Nearly 8,000 other websites were casualties of that attack, which overwhelmed the hosting platform. Many major organizations that deal with copyright and the protection of intellectual property have been attacked as part of Operation Payback at one time or another, including:
ACS Law
RIAA
MPAA
Aiplex Software
Davenport Lyons
Australian Federation Against Copyright Theft
DC Legal
Ministry of Sound
Ministerio de Cultura (Spain)
Sociedad General de Autores y Editores
Federation of the Italian Music Industry (FIMI)
United Kingdom Intellectual Property Office
Associação do Comércio Audiovisual de Portugal
Gene Simmons
Hustler.com
Antipiracy.fi (Finland)
US Copyright Office
Irish National Federation Against Copyright Theft
Warner Brothers


Anonymous went after RIAA again in late October after the RIAA obtained a court order to terminate the LimeWire file sharing network.


Wikileaks and AnonOps


While a group may have leaders of the moment, there are permanent roles assigned by the "true" leaders of AnonOps, as well as "talent-based" roles. As AnonOps tries to move through its paces, it needs developers to improve and modify its attack tools, graphic artists to create its images, video editors to create its YouTube videos, and network designers to help it build stable infrastructure.

But mostly, it needs a cause that the public supports. Those causes go back to the basic emotions upon which Diffuse Crowds converge. Wikileaks stirred up the passion of the press and the public as it began releasing revelation after revelation.

AnonOps recognized such an opportunity with Wikileaks. While the early "Operation Payback" was exactly what it said ("You DDOSed our website, so we are DDOSing your website"), the new act is to convince the public that this was all about Internet Censorship from the beginning. "We fight censorship and stand up for truth" is a much more stable platform upon which to base a group, as opposed to the original "We pirate movies and break the law."

However, breaking the law, and getting away with it, is a great attractor of media. Dr. Sloan explained that this reminded him of the 1960s Vietnam War protests on college campuses. The more the media covered the protests, the more likely it was that your neighborhood college campus was going to have a protest.

Cyber attacks => Media Coverage => New like-minded individuals "converge" into the group => New skills and ideas => New missions and leadership

Exit Strategy


The question that is yet to be determined is, has the AnonOps group reached a stable form? It is clear that the illegal activity is getting out of hand, and threatening the existence of their group. This weekend's attacks on Paypal, Mastercard, and Visa demonstrated the group's online power, and attracted more hackers. The targeting this evening was sporadic and approaching "riot" stage as various participants shouted out target names in the AnonOps chatrooms and watched as they fell. Established leaders were shouting things like "WHAT ARE YOU DOING?!?!? WHY ARE YOU ATTACKING AIRLINES!?!?! WHAT DOES THAT HAVE TO DO WITH WIKILEAKS OR CENSORSHIP?!?!" Meanwhile, Delta.com, AA.com, United.com, and others all suffered brief outages.

Some of the leadership are attempting to distance themselves from the DDOS attacks and are promoting an alternative approach of encouraging people to read the leaked cables and write about them as a way of "uncensoring" them. Others are encouraging a new form of cyber attack, asking members to DDOS companies that are found to have been involved in, or believed to be involved in, atrocious acts described in the classified cables. Remember above that members are attracted to groups that share their same strongly held feelings and attitudes. When AnonOps revealed today that US taxpayer dollars were used by a defense contractor to pay for sex with young boys, they were playing perfectly to this theory of the crowd. EVERYONE would be outraged by some of these actions, if they occurred the way AnonOps describes them. That's a powerful tool for enlarging your group, and lowering the barrier to otherwise illegal action. It may be difficult to convince a member to DDOS their own credit card company, but the moral barrier to DDOSing "sex slave brokers," as one AnonOps post described the company, may be lower.

One attempt at legitimacy was to engage the Electronic Freedom Foundation. Leaders reasoned in the AnonOps chatrooms that a partnership with EFF would bring legitimacy to their cause, and EFF responded positively to the approach with their new Say No To Online Censorship campaign.


The new campaign within AnonOps uses the name "truthisrevolutionary.org" which comes from a George Orwell quote:

“During times of universal deceit, telling the truth becomes a revolutionary act” - George Orwell

I guess my big takeaway from my discussions with Dr. Sloan was the new sociological theories on crowds and gatherings. Crowds can be rational. And, according to one Sociology text:

...Crowds themselves do not impair judgment. The actions of individuals at gatherings also illustrate that individuals remain independent, sometimes responding to solicitations, sometimes ignoring them, sometimes interacting with their subgroup, and sometimes acting spontaneously.


I hope the members of Anonymous will remember that while they are Anonymous, they are also individuals, and responsible for their individual behavior and decisions.