In the first part of this story, we spent a lot of time on HBGary and HBGary Federal - computer security companies whose website and network were destroyed by internet attacks by some members of the group called Anonymous. Those members were fighting back after they found out that HBGary was using them to get publicity. In the process, the world found out what else HBGary was doing for their high-profile client, the Bank of America.
A few years ago, we all found out how the Bank of America caused a crisis in the banking system. When the truth came out, they didn't really face any long-term penalty from either the government or the public.
Still, the Bank of America was worried about being caught making bad loans, so they went further to try to fix any potential damage to their public image. This is where HBGary finally comes in. When the group Anonymous read their internal emails, they found out that HBGary was doing more than just computer security. They were using their computers to invent false identities on the internet... a large number of false identities whose job it was to loudly and publicly defend the Bank of America. Using their software, one person could write an opinion that would get multiplied and posted around the internet under many different users on a wide variety of websites for public view. The HBGary product was careful enough to make the identities different and realistic sounding. Even the comments were composed to not sound like they came from the same template. They hoped a fake grassroots campaign of support from a large number of seemingly independent people would drown out any public outcry against them.
This strategy is based on a phenomenon called "social proof." In short, if one person criticizes the Bank of America but thirty or forty reply to defend the bank, the average person will ignore the facts and instead try to go along with the majority.
It was really a good strategy. People generally trust and accept what corporations do. So a large amount of public support is all they needed to ignore the facts and let the bank do what it wanted to do. It was a lot of work and expense for the bank, but obviously worth it. As we have already seen, there is a large market for spamming on the internet. Using web links as citations has become useless to prove your claims.
So the outcome of the story is overall positive for the Bank of America. Even though Anonymous exposed this story, it will probably just end up attracting more customers because of the large number of positive comments supporting the bank on internet discussion forums. But what about competitors or consumer advocates who might catch on? HBGary is thinking ahead one step. They are now building a counter-attack system to fight anyone who might try to expose their spam service. Their strategy includes infecting their opponents' computers with viruses and targeting their family members.
It is an attractive total package – improve your public opinion without having to worry about the public. And if anyone doesn't like it, destroy their computer to silence real public opinion. HBGary Federal COO Ted Vera and Maria Lucas had already sold a package to Jesse van Nevel of Bank of the West and Peter Lam and Morian Eberhardt of Union Bank. They were also signing a contract with Tony Plachy of Zion Bank for a whole set of software including segments called Responder Pro, Active Defense, On Demand and EndGames.
But now that their whole plan is exposed, some customers are definitely scared away from HBGary. The Chamber of Commerce, Bank of America, Palantir Technologies and Berico Technologies have disassociated themselves from the security company.
Aaron Barr got caught because he started a poorly conceived, highly public project to attract business. He took this risk because his company badly needed sales and he thought he could offer a very attractive service. But now, banks and groups like the Chamber of Commerce will probably just go to other companies that sell the same service, but have kept a lower profile and haven't been caught yet.
For example, HBGary was reselling software from Endgame Systems -- a Virginia computer security firm -- through their subsidiary called IP Trust. Thomas Zebley of IP Trust was quoting a price of either 20 thousand or 48 thousand dollars a year for one of their services, depending on the volume they needed. But despite the large potential profit motive, Endgame CTO Chris Rouland was especially interested in keeping their partnership a secret, saying explicitly to keep the name of his company out of any HBGary press releases. We haven't yet heard why.
We know the HBGary Federal subsidiary was formed to provide these same services to the US government. We haven't even yet talked about what government clients they had. So, how long has the federal government been astroturfing their own propaganda to the American public? We can probably assume that the seemingly widespread public opposition to WikiLeaks over releasing the Iraq War documents mostly comes from the US government itself.
But on a more ordinary level, can we trust online surveys and reviews now? Or have they already become platforms for companies to buy popular support? Even though we have learned a lot from HBGary's leaked emails, we don't know how much social proof is going on right now and how bad things are going to get, now that more banks and companies know about it.