Those familiar with Anonymous know that media portrayal of the group is often exaggerated and inaccurate. You can’t really blame the media; Anonymous is a difficult thing to define, especially as more and more people identify themselves with the Anonymous community. A recent press release from the group tries to take the heat off of its own potential involvement with the recent crippling hacker intrusion into PSN and refocus on Sony’s own mistakes, while explaining just what the group is really about.

Sony’s PlayStation Network has been down since the April 20, 2011 with no revealed official timeline for return. Sony had said last week that service was going to return by the end of the week, but then put up a post on their PlayStation Blog not long later confirming that PSN wasn’t going to be up for the weekend. Worse, this time Sony didn’t give any kind of timeline for the recovery, suggesting that the gaming giant simply wasn’t sure how long it would take to restore services and still isn’t.

Naturally, those affected by the services being down are looking for someone to blame in the matter. The FBI has become involved with the historic data theft in an effort to bring the perpetrators to justice. Sony on the other hand, has refused to point fingers at anyone but those individuals responsible. During a report to congress last week, Sony mentioned that a file titled “Anonymous” was left on their services which contained only the text, “we are legion,” but they chose to not blame the group directly, knowing any hacker could have left such a file and laying such blame may lead to retaliation on their networks.

Meanwhile, members of Anonymous are not happy with recent media portrayal of their group and its intentions, so a group of Anonymous members have taken it upon themselves to help clarify a number of points. Written in response to recent allegations that seemed to come from within the group, this press release outright denies the notion that Anonymous was responsible for the attack while trying to explain just what the group actually is.

Anonymous PR Logo

For Immediate Distribution
Press Release
May 7th, 2011
A ‘HiveMind Effort’ from
Anonymous Holdings LLC (Bermuda)

Yesterday, an article appeared in Financial Times, alleging Anonymous’ involvement in the data and identity theft of some hundred million users of Sony’s Playstation Network and Sony Online Entertainment. This crime is now being investigated by the Homeland Security Agency (HSA), the Department of Justice (DOJ), and other legal entities.

Once again Anonymous has been blamed for a security breach, this time by the journalist Joseph Menn, in his article “Hackers point finger over Sony incursion” [1]. Here, Anonymous wishes to lay out our case against these allegations and false assumptions:

First, let us consider a different article by Menn published on the Financial Times website and entitled “Hackers Warned of Arrest” [2]. This poor piece of journalism has already been extensively referenced in the Sony matter and is being used by many people who oppose Anonymous as proof of guilt. The only quoted source used by Menn was the now infamous Aaron Barr, former CEO of the humiliated HBGary. Barr made the claim that a chat room called #anonymous, founded by the identity “Q”, was irrefutable proof that this “Q” began the movement known as Anonymous. Confident in his assertion, he attempted to sell this and other pieces of so-called “intelligence” about the nature of Anonymous to the U.S. FBI.

His information, however, was incorrect. It would be considered common knowledge that Anonymous began as a “meme”, or shared belief, at the turn of the century and later developed to become a “global collective conscience” in 2006. But it was not until 2008 that Anonymous became a true display of “power in numbers”. Organised protests against the “Church” of Scientology were staged in over 140 cities around the world, forever associating the Guy Fawkes mask and the right to protest with the movement.

Second, just like Anonymous, John Doe and Joe Bloggs are placeholders, rather than proper names, and are available for free use without repercussions. However because of this, there is no membership to Anonymous and anyone can claim to be a “member”. It could be said that “Anonymous is anonymous to Anonymous”.

Barr and Menn did not pause to protect the integrity of their professions, but instead made clearly misinformed assumptions, and accordingly published a factually incorrect article. The article was highly scrutinized as being blatantly biased against Anonymous and its participants, and many readers pointed out obvious inconsistencies in the technicalities, and the physical time line.

Third, in the primary article, Menn claims that a “member” of Anonymous, Kayla, made comments as an apparent admission of guilt from the “leaders”. Kayla reportedly said, “If you say you are Anonymous, and do something as Anonymous, then Anonymous did it”. This statement is inherently weak; an equivalent statement would be that “I confess to being human. Humans performed the attack”. Andy Greenburg at Forbes [3] got it right.

Finally, Menn’s reference to “technical details” [1] regarding a vulnerability in Sony’s network without revealing actual content isn’t useful. Until the forensics reports are released we don’t know which exploit was used. The forensic investigators need to conclude their work, and speculation in articles, blogs and comments brings the factual results no closer.

Menn’s anonymous source claims that “a few ops disappeared” but so has a solid chunk of software infrastructure including NickServ and channel bots over attacks during the PSN outages. Menn’s other quotes are a vague mixture of assertions and denials. During the PSN downtime, Anonymous closed #opsony and put “sony” on the automatic kick list as ‘profanity’ last week.

Is all of this attention on Anonymous acting as a distraction from other problems, and overhyping the nature of the DDoS attacks? Sony’s recurring issues are beyond providing free game credits:

In order to process credit cards, every company needs to be PCI compliant. “If you are a merchant that accepts payment cards, you are required to be compliant with the PCI Data Security Standard” [4]. Since Sony’s network was “unpatched and had no firewall installed” [5], that is a clear violation of the PCI standards and ongoing reviews [4], thus likely to be criminal negligence [see Further Reading]. More importantly, “I can’t think of a major data breach where the company was PCI compliant,” said Ira Rothken, the lead attorney handling the class action lawsuit [6].

Sony has been accused of false billing, especially in the repairs department: customers who provided credit card details for an MMORPG are charged $150 for repairs to PS3s that they don’t own; repairs are double billed and then referred to retailers; equipment is charged $150 multiple times (2-4) for repairs that aren’t performed. [7 and Further Reading]

A decent credit card transaction gateway includes recurring billing as an option. Data mining by corporations has a profit motive, but as Sony has demonstrated it can be a massive liability. Why not start a discussion about corporate responsibility to protect user information, especially since they didn’t need it to begin with?

Sony’s response to the U.S. Senate [8] is to request more laws and further the myth of “best practices.” Since Sony was warned of security holes months in advance [5], one of those “best practices” would be to accept the advice of the experts. In Sony’s passing the blame there is no justification for the collection and retention of personal information they didn’t need.

Outraged about the blatant coverup and shameful misdeeds, other internet hacker groups will apparently proceed with attacks [9] over Sony’s mishandling of the matter. These reactions prove that requesting legislation to cover up corporate crimes and the abuse of law is frowned upon by all online communities, not just the Legion of Anonymous. Apparently Sony will have to learn the hard way that corporate malfeasance will not go unpunished. When the dust settles Sony may have more to fear from a massive class action lawsuit by their user base than the brief actions of the Global Hacker Nerd Brigade, Anonymous… Let THE GAMEs begin. :>

Knowledge is free.
We are Anonymous.
We are Legion.
We do not forgive.
We do not forget.
Expect us.

A quick note: all the annotations are references to articles the press release sources. If you’d like to read those, you can find the press release in our source at the bottom of the page.

At the end of the press release is a bit that was included just for the press, but as it seems to better highlight the nature of the Anonymous community, I’m going to share it with all of you as well.

“There is no membership to Anonymous, ie. anyone can participate. “We are Legion” implies both “the masses” and that anyone can be a “member”. Anonymous laughs at the “search for a leader”. Our press releases are peer written, peer reviewed, and peer edited. Even that process is democratic with anyone present able to contribute. This isn’t restricted even to “members” since anyone present has edit abilities. (Case in point, during the drafting process for this someone rewrote the entire draft with profanity. lulz)

IRC channels or ‘chat rooms’ are created with a topic. Anonymous allows anyone to join, and anyone can create a chat room. Operations are aimed at a specific target, and an operation has a chat room. Thus, anyone can create a chat room and an Op. If there are duplicate chat rooms, someone goes around and suggests they merge. If there are discussions for illegal activities, the users are kicked/banned. Influencing Anonymous is like herding lolcats. No Operation chat room directed Anonymous to steal customer data from Sony. Hence, it wasn’t “sanctioned” with a chat room and stealing credit cards has never been collectively condoned. Exposing crimes by corporations and governments is collectively condoned.”

Definitely less serious than the press release, this section of the PR does seem to clarify previous Anonymous statements that theft of personal data and credit card information from Sony’s PSN servers was not sanctioned by the group. The main point is that any portrayal of Anonymous as a group with an heirarchy is innaccurate. By nature of the group’s structure for something to be condoned by the group, it must be supported by enough members while being opposed by few.

Do you think Anonymous was responsible for the attack? Do you think that Anonymous can claim this wasn’t their doing if one of their members takes responsibility for it?

Source: Anonymous PR (via lo-ping)

tags: PS3, PSN, Sony