Site icon Liquidmatrix Security Digest

The Chicago Way


“You wanna know how to get Capone? They pull a knife, you pull a gun. He sends one of yours to the hospital, you send one of his to the morgue. *That’s* the *Chicago* way! And that’s how you get Capone. Now do you want to do that? Are you ready to do that? I’m offering you a deal. Do you want this deal?” – The Untouchables


A late night could-not-sleep-twitter-stroll brought me to an interesting article on Anonymous and their recently announced Operation Cartel, the anti-sec contribution to the ever escalating Mexican drug war. For those not keeping score at home, here’s the summary: Operation Cartel (OpCartel) is a planned retaliatory doxing against the ever not charming Los Zetas gang – most recently known for their kidnapping and murdering of bloggers and hacktivists, including kidnapping one of Anonymous’s own. The credible threat in this planned operation was the release of thousands of names of cops, lawyers and others that are on the Los Zetas payroll.

Exposing corruption is a great tool to induce action, but here is where the story get’s interesting; part of Anonymous is concerned that disclosing these names could result in the fairly immediate death of the named individuals at the hands of rival gangs; others members are concerned that it might result in their own deaths. Being the conscientious sort that they are, one faction of Anonymous has announced that OpCartel is off. Of course, this is Anonymous, so the snake has many heads and none of them agree on much,which means OpCartel is also still on (and anyone who’s on that list knew what bed they were getting into, so too bad for them).

It also turns out that the Los Zetas aren’t technical neophytes (that’s n00bs to you) and they’re allegedly starting to track Anonymous. While I think this is at best informed speculation, given the cartels track record of murdering and kidnapping, this just got very real, especially when you consider the most recent spate of anti-narco blogger killings. There have long been anecdotal stories of drug cartels possessing technological prowess when it comes to supply chain management; they act as shadow governments and have more money than your favourite billionaire. So like any functioning business, they could buy access to expertise so solve the problem (consultants) but unlike businesses they have no moral qualms about how to solve the problem (or maybe that they’re not bound by the law is the more plausible explanation here). Here’s hoping they haven’t borrowed a lesson from the European cartels and developed skills in writing malware – can you imagine an anti-narco tracking worm (think Stuxnet meets Staatstrojaner)?

“anyone who is not properly protected should immediately and publicly disassociate themselves from this operation.”  – Quote from the NY Times article

In what I’m sure is jest, some infosec folk have identified the threat of violence and a murderous drug cartel as the solution to anti-sec. Personally I’m not convinced that Anonymous is really holding back because they care about the cartels ability to execute violence. While the governments they have recently tangled with weren’t completely without scruples, the capacity for violence and threat of reprisals (in some devastating form – physical or legal) was always there. More importantly, the very design of Anonymous means that there’s a certain amount of dissociative thinking when it comes to the potential for meat space harm to a small facet of their participants. If they did actually want to call off OpCartel, they would need to make sure that all copies of the data was permanently secured (especially from any internal factions that had less scruples than the average) both within their own organization and externally including the original source (nothing stops you from stealing data twice). So, in short, OpCartel is still on unless Anonymous suddenly demonstrates an amazing amount of cohesion and organizational structure which is antithetical to their nature (it’s still on).

I think the only material difference between OpCartel and the operations against governments/corporations is that cartels have a notion of pride or personal honour. More importantly, they like to make very public examples (bad governments tend to prefer secrecy). While governments will arrest/harass a few folks and call it a day, I speculate that the cartels are not likely to rest till they feel that any disrespect has been redressed, so someone (or multiple someones) will die.

My take aways on this are:

  1. The second you give someone a loaded gun, just assume it will be used. Information fights (successfully) to be free regardless of it’s original purpose, intended use or controls around it. Once it’s out don’t wait for the badness to occur before enacting your contingency, be proactive – but no murdering please.
  2. Choose you bed fellows carefully when it comes to data protection. If you get into bed with anyone that has anything less than a perfect and consistent track record in data handling, be prepared for the worst. This applies to everyone – criminals, anti-sec and business alike.
  3. True anonymity (and implicitly true security) requires a special type of care that just isn’t present in the majority of the population. Don’t ever assume you aren’t leaving a trail behind. If you’re going to participate in Anonymous, make sure you are anonymous – put your security ahead of absolutely everything including convenience (multiple anonymizers, use a burn laptop, do it on cafe wifi in a neighbouring town, use cash, wear a disguise etc…).

…and here’s a catchy pop song about Narcos.

Exit mobile version