I Don't Trust HBGary, and Neither Should You

Remember HBGary, the security firm that was publicly spanked by Anonymous, given a nuclear wedgie, and stuffed inside its own gym locker? They're baa-aack. And they want you to like them.

I got an interesting email last night from Jim Richards, Learning Programs Manager for HBGary. It appears his employer wants to untarnish its reputation by offering free security tools to the public "as part of HBGary's ongoing initiative to give back to the community."

The first tool was made available today: AcroScrub, a utility that scans enterprise networks looking for old and vulnerable copies of Adobe Acrobat Reader. A couple of quick thoughts:

1) The name. Did they really have to make it sound like a teen acne cleanser?

2) Maybe this is a useful tool for enterprises, I don't know. As for me, my various copies of Acrobat update themselves at least every other day. It's kind of maddening. I'd rather have a utility that updates Acrobat without nagging me all the time.


It gets better - or worse, depending on your point of view. To get AcroScrub you must first set up an account with HBGary. That means giving them your name, corporate affiliation, location, email, and cell phone number. They use the cell number to send you a confirmation code via text, which you have to enter into the Web form before you're given access.

All just to download a free software utility so HBG can "give back to the community."

OK, pop quiz: How many of you out there have ever had to hand over your mobile number, a relatively static ID unique to your person, just to get a piece of free software? Anyone? I didn't think so.

Did I mention that HBGary has no published privacy policy governing how they'll use this information? (Maybe Anonymous took it along with all their email.) Heck, even a silly site like eSarcasm has a friggin privacy policy.

HBGary is saying essentially, "we're good guys, trust us." If you've followed the whole HBGary/Anonymous saga, you know why that's a bad idea. Here's a quick recap.

* Last February, HBGary Federal CEO Aaron Barr boasted to the Financial Times that he had identified key members of "Anonymous," that shadowy band of Internet prankster vigilantes. One of his techniques: befriending the Anons using fake Facebook profiles.

* It turns out Barr was completely wrong. He mistook benign Internet activist Ben DeVries for "Commander X," alleged leader of the Anons, and was preparing to rat him out to the FBI. (Also: Commander X denies being anything more than a peon in Anonymous.)

* Anonymous took some exception to Barr's claim and responded by thoroughly and completely hacking HBGary's servers, exposing some 70,000 private email messages, which it proceeded to butter all over the InterWebs. According to some reports, HBGary was undone by a 16-year-old hacker named Kayla. For a company touting itself as a bigtime security firm, HBG proved as porous as Lady Gaga's fishnets.

* Those emails uncovered a mountain of dirty laundry, including HBGary's participation in a plan to take down Wikileaks (in part by targeting reporters sympathetic to it), its plan to help the US Chamber of Commerce infiltrate progressive political groups, and its work on developing network backdoors and rootkits that could be used by government agencies to spy on enemies and prevent security software from detecting malware infections.

In an Open Letter published last month, HBGary tried to justify its actions by leaning heavily on the "rogue employee" defense. That argument was thoroughly demolished by Ars Technica's Peter Bright, who used HBGary's own emails as evidence against them. That letter has since mysteriously disappeared from HBG's site.

Now HBGary -- maker of rootkits and network backdoors -- wants us to hand them our identities and install their software on enterprise networks. Right. This is either a honeypot or one of the most brain-dead PR schemes ever hatched. Possibly both.

For the record, I did not give them my mobile number or download the software. That software might be fine; HBG might plan to do nothing with my personal info. But they haven't earned my trust yet, and at this rate they're not likely to. Just visiting their site makes me want to take a bath.

When not bathing, TY4NS blogger Dan Tynan tends his snark empire at eSarcasm and says inane things on Twitter: @tynan_on_tech.

This story, "I Don't Trust HBGary, and Neither Should You" was originally published by ITworld.
