So as part of my PhD research, I recently came across a very interesting academic article on philosophical perspectives on the Internet and its potential to democratize and distort dominant mechanisms of social control (http://www.ladeleuziana.org/wp-content/uploads/2019/02/Melville.pdf).
In essence, for those who, for some inexplicable reason, did not get an M.A. in Applied Philosophy or are not experts in Deleuzean thought, the article attempts to contest the popular view of the Internet as a rhizome (a potential decentralized network of communications and knowledge exchange independent from traditional hierarchical and highly controlled mechanisms of information acquisition). Simplifying, this is the way in which Wikipedia, Wikileaks, the Pirate Party or most Western hacker collectives see the web – and the way they are fighting to maintain it: a free, open source and easily accessible space capable of democratizing society by, among other things, preventing citizens from being blatantly lied to by government, multinationals, lobbies, etc.
Although, as also defended in the article, this perspective seems to be misleading (if you are interested, I could also prepare another post dealing with this issue), what I find interesting is the way in which the author conceptualizes resistance towards state and corporate attempts to control and make profit out of our use of the Internet. The text (in my opinion, rightly) charges against the apparently practical effects of DDoS attacks as a hacktivist strategy and proposes a way of resistance against data commercializing and intelligence gathering mechanisms based on adopting as much anonymity as possible. The aim, as the author points out at the end of the text, is:
“to open up the internet, on the side of use, not onto a well-maintained, profitable matrix of points with reasonably well-defined, cohesive identities (regardless of how rhizomatically these may be connected), but onto a chaotic digital space of forces and intensities in which digital identity cannot thrive, and to which digital capitalism cannot consistently cater.” (pg. 160)
Of course, total anonymity is impossible in technical terms but, as a recent post in 0x00sec coherently states, “your goal is to be anonymous enough to make the amount of resources required to find you too high a price to pay for your adversaries” (Hacking Anonymously - Anonymity - 0x00sec - The Home of the Hacker). Thus, through the regular use of proxy chains, TOR, invisible-transparent proxies and any other anonymizing mechanism (and, yes, also anonymous behavior), we would already be avoiding the most effective results of contemporary online surveillance. Essentially, it would be economically unviable for companies or states to monitor who in the world likes pistachio ice-cream if they had to trace back all the Tor nodes or proxies through which all users’ information has gone.
Ok, so collective anonymity can become an emancipatory strategy of dissent if performed properly, but, as an act of activism, it seems incredibly passive (one is just avoiding being identified, but this does not encourage agencies and corporations to stop attempting to do it). So what if, in this sea of (non)anonymity, one introduced another variant: the always unpopular but definitely not illegal botnets? I do not mean using bots the way some lobbies and groups use them (for instance, creating and spreading fake news so they manipulate election outcomes), but employing them in random or unreal ways so they have a deep impact on statistics, big data, etc. If properly used, this would diminish the validity of any data or intelligence (and, as a result, of any user-targeted commercial or political campaign based on that data).
As an example of how chaotic this may turn out, think of HTB’s OSINT challenges. A recent comment in “We Have a Leak”’s discussion asserts that the mail domain associated with the fake company in the challenge has been registered. This is not only going to confuse (even more) new users wanting to get flags in “Breach” and “We Have a Leak”, but will also create some issues when trying to extract data from the real company, its clients and employees.
As cybersecurity connoisseurs (if not experts), I wonder what the thoughts of the HTB community are on the matter of hacktivism and the different modes in which we can articulate it (IN LEGAL WAYS!!! I DIDN’T WRITE THIS TO ENCOURAGE ANYONE TO COMMIT ANY LEGALLY PUNISHABLE ACTIVITY). Also, what other LEGAL hacktivist strategies do you think would enrich the anonymity approach?