The LulzSec team was sailing the high seas—venturing deep into international waters with a pirate flag hoisted high, putting on a show for others to watch. During an interview I conducted with David Mirza, a retired black hat, he observed:
LulzSec hit the Internet with a much more potent—and instantly recognizable as authentic—black hat attitude than the fabric of Anonymous they jumped out of. They got it right with the swagger and style. They were owning things up, pulling dox, dispensing justice. Nobody could catch them and they knew it. Their campaign became a great saga that made some of those who’d lived that adventure before feel like teenagers again.
With one tweet, the hacker zine and organization 2600 captured the general sentiment felt by the community at large: “Hacked websites, corporate infiltration/scandal, IRC wars, new hacker groups making global headlines—the 1990s are back!”2
No respectable pirates can sail without a vessel, and LulzSec’s crew helmed a boat christened “Louise.” The name was provided by a reporter’s misreading—and resultant mispronouncing—of LulzSec. And since the quarters were infinitely spacious, they decided to bring along a mascot. The classic pirate parrot was swapped for a colorful feline beast: an affable gray cat named Nyan Cat who has been known, among heavy Internet users, to brighten up even the drabbest gray sky by effusing, eternally, a stream of rainbows straight out of its ass. This playful absurdity was tempered by LulzSec’s virtual spokesman and logotype: a stick man sporting a well-oiled, French-style, villainous mustache, replete with monocle, top hat, and three-piece suit—and sipping, naturally, a glass of fine wine. This refined gent first appeared in a Spanish-language rage comic (a popular meme-comic among Internet geeks), before being adopted by LulzSec in March 2011. Fans referred to the unnamed character as being “like a sir”; eventually, he was known simply as the “sir.” All of this added up to provide LulzSec with a chimeric mixture of depth, mystique, and memetic mythology previously unseen in Anonymous hacker groups. One Anon, who had also been active in the black hat scene, put it this way in an interview with me: “LulzSec seemed to have a sort of fully formed mythos straight out of the gate while other hacker groups like Cult of the Dead Cow took decades to achieve that.”
Returning to reality for a moment—later we will explore questions of fantasy—we should note that these hackers congregated on their own private IRC channel, where they were shielded from the drama engulfing AnonOps at the time. Unbound by the categorical imperative of moralfaggotry, they could also hack whomever they pleased—for whatever whimsical reason took their fancy.
It may be surprising to hear that LulzSec sprang, fully formed, from a single, unremarkable IRC conversation. It is less surprising when one learns that these hackers were a bit bored with Anonymous and—some of them, at least—had grown tired of working on other people’s ops. Idle tricksters will do anything necessary to end boredom. It also helped that they had a cache of data stolen from Fox News just waiting to be unloaded, and that AnonOps was, at that point, in increasing disarray.
Hell Hath No Fury Like Scorned Gamers
For most of March and April of 2011, AnonOps had not slowed down from where we last left them, but the network was plagued by a mounting litany of problems. Small fires started to break out, and the wear and tear of putting them out began to drag the group down.
Even if Anonymous’s crucifixion of Aaron Barr had turned him into the 2011 laughing stock of the Internet, his mission to seek out and reveal the legal identities of Anons did not die with him. Backtrace Security (its name is a humorous reference to an infamous 2010 Anonymous trollscapade against a preteen, Jessi Slaughter, whose father claimed to have “backtracked” Anonymous) made this end its singular purpose and pick up where Barr left off. The organization’s most vocal member, Jennifer Emick, had once been an Anonymous warrior herself during Project Chanology’s fight against Scientology, but grew critical of the more questionable tactics subsequently used by AnonOps (the very ones LulzSec would later seize upon as its primary toolkit). A self-proclaimed fan of law and order, she declared that “One cannot fight for justice and democracy by using unjust, anti-democratic tactics.”3 A good point, but one which failed to account for the questionable ethics of her own brand of vigilantism: in mid-March 2011, Backtrace released a chart with the “identities” of seventy Anonymous participants and affiliates. As was the case in Barr’s attempt, many of the names were either wrong or already public, all except one. You have to give it to Backtrace. It was the one name that mattered the most at that moment: Hector Xavier Monsegur, the notorious hacker Sabu. (The Backtrace document had a slightly misspelled version of Sabu’s last name: Montsegur.)
Backtrace did not dox Sabu through a feat of shrewd reconnaissance. They simply got lucky when one Anonymous participant, who went by the name “Laurelai” and had spent time on the more secretive channels, foolishly handed Emick her chat logs. The slab of text—over two hundred pages of logs—included a single clue leading straight to the Nuyorican living in Manhattan’s Lower East Side. While chatting with his compatriots, Sabu had accidentally typed out or pasted a web address which included the domain of his personal server: prvt.org. Once Backtrace plugged this web address into Google, they discovered one of his sub-domains, which included other personal data, which, inevitably, funneled down to his Facebook page.
The Backtrace document, named “Namshub” (Sumerian for “incantation”) was dissected to pieces by Anonymous, but most people, of course, could only realistically assess the veracity of their own outing. Sabu—and perhaps a few of his closest hacking associates from days long past—knew he had been exposed. By doxing him, Backtrace acted as the force of Eshu, the trickster of crossroads, plopping the powerful figure down at the crossroads. Sabu/Monsegur had a big decision to make. Upon seeing his name, he could have wiped everything from his computer, gone dark, and returned years later as a hacker hero. It is true that he could not have vanished right away. Doing so would have made “it obvious that he got doxed,” as tflow reminded me. But he could have left a month later after accusations had died down. He was already larger than life, and in his absence his prominence would only have grown. In the words of one Anon, he was “legend.” Had Monsegur opted to vanish for a period and reemerge after the statute of limitations expired, he could have returned to his beloved isla del encanto (Puerto Rico), safe to entertain his friends and family with tales of his exploits. Calling it quits would have been the smart thing to do, but Sabu was not short on hubris.
Instead, he sought out Emick and bombarded her with false information to seed confusion; one of his hacker mates explained that “when Backtrace released their dox table he tried to trick them into thinking he was a double agent working for an ISP trying to infilitrate Anon, but they didn’t buy it.”
Although Sabu was well known among his peers, he generally kept a low public profile, until being doxed by Backtrace. Soon after he tweeted for the first time:
hai! I go by the name of Sabu these days. I made this account to clear some things up, especially after the leaks by #backtraceinsecurity.
He continued to saunter down Trickster Lane, even more public than before, convinced he was untouchable, until he was ultimately outed as an informant a year later. (Then upon his release from prison, Sabu would be reborn as the scourge of Anonymous. The day of his outing, a formerly close hacker compatriot declared with no reservations on IRC: “its better 500y of prison than look yourself on the mirror and know u suck.”)
I asked a few of the hackers how they responded to doxing attempts like Namshub. One of the few core LulzSec hackers who was never identified or nabbed provided a four-part rationale, which aligned with sentiments I had seen expressed by others:
t could still be the wrong name, right?
On April 1, 2012, shortly after Backtrace’s viperous Namshub doxing, AnonOps rolled out Operation Sony. “Prepare for the biggest attack you have ever witnessed, Anonymous style,” declared one video.4 They began overwhelming Sony’s PlayStation Network with a wallop of a DDoS campaign, disrupting the service and the gamers who used it. To understand why AnonOps launched this attack, we need to backpedal to January 2011, when Sony sued a boisterous and precocious American hacker named George Hotz, better known by his handle, “geohot.” His hacking specialty is what is called “jail-breaking”—freeing consumer devices like iPhones and gaming consoles from their proprietor’s grip so they can be modified as an owner desires. Usually, this involves some clever analysis of the device, the writing of software that disables copy and access controls, and the release of documentation for the whole process so others can follow suit. This type of hacking converts single-purposed devices back to the preferable state of a general-purpose computer. Although a single-purpose device is useful for people who do not want to deal with complexity, many technologists see this confinement as an arbitrary abridgment of their fundamental right to use their property as they choose. They also see jailbreaking as an appealing challenge, as if the company created a special puzzle for them to solve.
Hotz first earned the accolades of hackers and some digital rights advocates in 2007 as the first hacker, at the age of seventeen, to carrier unlock the iPhone. Then, in late 2009, he put Sony’s popular PlayStation 3 (PS3) on his technical agenda. Hotz and an anonymous team called “fail0verflow” (unassociated with Anonymous) managed to break the lock in just five weeks. On January 26, 2011, he spread the love by posting jailbreaking instructions for the PS3 on his website, bringing waves of attention to himself. Jailbreaking the PS3 allows the owner of the game console to do a number of things one could not do on a normal PS3: play pirated games, perform backups, play games directly from the hard drive (vastly speeding up the loading time), play videos, install GNU/Linux, and, perhaps most importantly, create, innovate, and learn in a multitude of ways. When interviewed about this feat by the BBC, Hotz rephrased a classic hacker motto into his own words: “[PS3] is supposed to be unhackable, but nothing is unhackable.”
Of course, corporations have mottos of their own—one of which might be formulated as: “You hack, we sue.” Soon after Hotz released the jailbreaking instructions, Sony sued him for copyright infringement and violation of the Computer Fraud and Abuse Act. Known for speaking his mind, Hotz did not take the news sitting down; he spoke up very loudly. Well, technically he was sitting—and he didn’t speak, he rapped (and since its release on YouTube, his response has been viewed over two million times). Sitting in a chair in a well-worn blue sweatshirt in his nondescript bedroom, he began: “Yo, it’s geohot, and for those that don’t know, I’m getting sued by Sony.” He thrashes his body in synch with the beat, his boyish brown curls bobbing as he describes Sony as “fudge packers” and ends with: “But shit man / they’re a corporation / and I’m a personification / of freedom for all.”5
Sony’s civil suit not only named Hotz and several other hackers, but also one hundred “John Does”—some of whom, they suspected, to be members of Hotz’s anonymous hacker team. Sony even targeted those who merely viewed Hotz’s jailbreaking instructions. A legal notice to his web provider demanded the IP addresses of visitors to Hotz’s website between 2009 and 2011. YouTube was asked to release information on those who had viewed Hotz’s jailbreak video or posted comments about it. Many Internet geeks were appalled at Sony’s lawsuit; this sentiment was captured well by the science fiction writer and Internet advocate Cory Doctorow, who opined that it was “absurd and unjust for a gargantuan multinational to use its vast legal resources to crush a lone hacker whose ‘crime’ is to figure out how to do (legal) stuff with his own property.”6
Anonymous was thrown into a tizzy. The fact that Hotz never sought aid (actually, he wanted nothing to do with Anonymous) is irrelevant. Anonymous’s first announcement read:
Dear Greedy Motherfuckers SONY,
Congratulations! You are now receiving the attention of Anonymous. Your recent legal actions against fellow internet citizens, GeoHot and Graf_Chokolo, have been deemed an unforgivable offense against free speech and internet freedom, primary sources of free lulz (and you know how we feel about lulz). You have abused the judicial system in an attempt to censor information about how your products work. You have victimized your own customers merely for possessing and sharing information, and continue to target those who seek this information. In doing so you have violated the privacy of thousands of innocent people who only sought the free distribution of information. Your suppression of this information is motivated by corporate greed and the desire for complete control over the actions of individuals who purchase and use your products, at least when those actions threaten to undermine the corrupt stranglehold you seek to maintain over copywrong, oops, “copyright.”7
Very quickly, the operation went south. DDoSing Sony’s PlayStation Network (PSN) did not earn Anonymous any new friends, only the ire of gamers who foamed with vitriol at being deprived of their source of distraction. Amidst the DDoSing, a splinter group calling itself “SonyRecon” formed to dox Sony executives. This move proved controversial among Anonymous activists and their broader support network.
Spurred by the operation’s immediate unpopularity, Anonymous released the following statement: “We realized that targeting the PSN is not a good idea. We have therefore temporarily suspended our action until a method is found that will not severely impact Sony’s customers.” They hoped that this would put out the fire.
Throughout the month of April, however, PSN continued to experience downtime. Since Anonymous had originally called the operation, many naturally assumed that the masked horde of activists was responsible for the ongoing problems. But while there were a few scattered claims of responsibility, Anonymous eventually and unambiguously insisted, “For once we did not do it.”
With no official word from Sony, rumor and innuendo continued to swirl. After weeks of silence, on April 26, Sony finally released an official statement: “We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network.”8 Millions of credit card numbers were compromised, prompting Sony to encourage its customers to change their passwords and stay alert for signs of fraud. And things only got worse with the announcement that PSN would remain inaccessible. Colin Milburn, an academic and avid gamer, wrote a riveting account of the infamous PSN hack from the perspective of scorned gamers like himself; in the essay he noted, “At this point, the emotional tide turned to outrage—much of it directed at Sony for its lax security measures, much more directed at the hackers who had perpetrated the intrusion.”9 Ultimately, the downtime lasted an excruciating twenty-three days.10
By the end of May, Sony claimed that this hack had put them $171 million in the red.11 Though Sony never provided data about the financial losses, these events constituted a fiasco, costing Sony money, time, and reputation. Sony executives, eventually called to testify to the US Congress, were reprimanded for their organization’s reprehensible security practices and the delays in customer notification. In the UK, Sony was fined nearly £250,000 by the Information Commissioner’s Office, which pointed a clear finger of responsibility at the corporation itself:
If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority. In this case that just didn’t happen, and when the database was targeted—albeit in a determined criminal attack—the security measures in place were simply not good enough.12
In the midst of the turmoil, Sony executives attempted to deflect blame onto Anonymous, claiming to have found a file left on the group’s server identifying it as the responsible party. But no Anonymous or
LulzSec hacker has ever admitted or been charged for this crime (and five of them, along with two associates, have been found guilty of scores of hacking crimes that involved their hard drives being trucked away for forensic analysis). The PSN hack, a mystery in 2011, is still unsolved today.
“Laundering money, funneling bitcoins, PPI
scaming, botnets, database dumping”
The drama that surrounded OpSony’s fouling of the PlayStation Network provided the immediate context for LulzSec’s germination. In mid-April, a few of the hackers on #internetfeds managed to weasel their way into fox.com and steal a sales database. Alongside personal information on Fox employees and journalists, it included over seventy thousand email addresses and passwords for people who had signed up to receive updates about auditions for Fox’s forthcoming TV talent show, The X Factor. The data also enabled Anons to commandeer a few Fox News Twitter accounts. Since Fox had not done anything egregious recently—aside from continuing to exist—these hackers felt they were in a bind. Dropping dox and corporate data under the aegis of Anonymous would likely draw invective from the rank and file of the collective, which prompted the Anons who had procured the database to think about alternatives. The youngest of the bunch, tflow, was ready with a suggestion, loosely inspired by weev’s trolling/ security outfit Goatse Security, which had released data shaming AT&T:
Hacker, Hoaxer, Whistleblower, Spy Page 24