To introduce the name “LulzSec,” tflow whipped out a timeless Internet classic—ASCII art:
For some reason, tflow’s proposal did not immediately catch on. I asked him why and he could not recall. Perhaps there were not enough people online to form a consensus, or perhaps those logged into IRC were distracted with other tasks. There are times when IRC conversations are hard to explain, even in the moment, and it is best not to impute too much linear reasoning to them after the fact. So I’m not even going to try, at least with this one. What we do know is that tflow temporarily quit Anonymous following a fight with a temperamental operator who was about to turn on the AnonOps network. And tflow wasn’t the only one. Others also took short leaves of absence, only to return on May 4:
Reunited and it felt so good—but wouldn’t it feel even better if they had a reason to dump the Fox data? By now the Sony debacle made it doubly clear that random hacks could incur the ire of Anonymous at large, so there was even more pressure not to release the data under the collective name. They contemplated releasing it to 4chan, to “leak it under lowercase-anonymous,” as tflow phrased it. Sabu raised the idea of handing the info to Forbes reporter Parmy Olson, hoping that “maybe it will push her to write her book.” As we writers know, there is nothing like a huge corporate data dump of passwords and emails to put you in the right frame of mind for a bout of writing. (Had they only given me the dump, this book would have come out at least a year earlier.) But none of these ideas were really taking hold. Eventually Topiary, who for the last month had kept quiet on AnonOps but was on the secret channels, logged into IRC under the name Falcon. While Sabu suggested leaking it to Olson, Topiary suggested leaking it via the LulzLeaks Twitter account:
tflow once again raised the name LulzSec, this time a little more forcefully since it hadn’t caught on before:
Sabu was impatient:
[…]
Others objected, again, making a distinction between ethical and unethical leaking:
After proposing a few other possible names, like “Ninjasec,” they ultimately settled on LulzSec. With a name in place, they began discussing the release and artwork:
When something is new and shiny, it makes sense to trot out an introduction:
In three minutes, Topiary whipped one out. Then he celebrated with … cookies:
Topiary and Sabu offered prescient predictions:
All the hype, however, was for naught. The first dump yielded little in the way of media response. LulzSec was still totally unknown; it was Friday after all, a terrible day to release something to the media. And so the hackers, secure in their newfound identity as LulzSec, could turn to the juicy gossip about an AnonOps operator named Ryan Cleary, who had recently gone rogue.
Cleary, who commanded a large botnet, was one of the most unpopular and powerful operators on the AnonOps IRC network. On numerous occasions, I heard complaints about his erratic behavior, like randomly banning participants on the private and public channels. Soon after LulzSec formed, news broke that Cleary had DDoSed the AnonOps network that he once helped administer. He also dropped over six hundred names and IP addresses of IRC network users. (AnonOps had a policy of not retaining IP
addresses after someone disconnected, but during the connection, AnonOps had access to the users’ IP addresses of all those not cloaked by a VPN.) Why did he do this? After one too many fights with other operators, he had decided to take his revenge. At the same time, according to one of his Anonymous hacker associates, he wanted to impress an underground hacker group called Hack the Planet, better known as simply HTP. From 2011 to 2013, according to a hacker who followed the group, HTP were quite active and in possession of “a large, and impressive, list of stuff.” The group has since gone into retirement but HTP had little love for Anonymous, a sentiment made clear in the final sentence of their final zine: “Here’s to two years of HTP, everyone. Remember; relax, have fun, be the best, and DDoS Anonymous on sight.”13
What better way to impress a respected underground hacker group that loathes Anonymous than by sacrificing Anons, some of them your friends? (Later Cleary recanted and was, according to tflow, “jealous of LulzSec and desperately tried to get in, which is why he offered us his botnet.”) Petty hacker wars have long been a great asset to law enforcement investigations. Unsurprisingly, after Cleary’s dick move, someone loosely affiliated with Anonymous doxed him right back. Nobody knew for certain if the revealed name was correct, but, as with Sabu, time would prove that it was. LulzSec, referenced explicitly in HTP’s newsletter, reflected upon the recent events:
The remaining AnonOps operators, livid at what Cleary had done, released an apologetic statement to the broader Anonymous community and encouraged people to stay the hell away for a while as they went to work assembling a more secure system. This cooldown set the perfect stage for LulzSec to walk into the restless media spotlight.
LulzSec Proper
LulzSec set sail with a cargo hold full from the Fox data dump, a newly minted Twitter account, and bounteous, absurd Internet meme art and statements, as exemplified by the justification given when they ultimately released the Fox data: “You know who we defend? Common. Fox called him a ‘vile rapper’; we call Fox common scum. You think we’re done? The fun has only just begun.”14 The team was already well accustomed to each crewmember’s distinctive rhythms and quirks. They had become so close, in fact, that everyone knew, roughly, where everyone else was logging in from (though real names were never shared). Most were headquartered in or around the UK, except Sabu. Some had even foolishly spoken over Skype, which is how Topiary had determined that Cleary’s voice was “annoying.”
OpSec, short for operational security, is the art of protecting your group’s human and digital interactions. One of the foundations of good OpSec is an awareness of the security level of one’s computer and network. Depending on proprietary software packages—opaque in both source code and business practices—can compromise that knowledge. The use of free software, such as GNU/Linux, and the avoidance of tools like Skype (commonly understood to have government backdoors) are necessary measures in the never-ending journey of vigilant OpSec. Keeping personal information private is also a central pillar of OpSec. If you volunteer this information, it doesn’t matter how secure your software and hardware might be. All of these considerations, and more, need to be managed before any hacker rampage—anything less is simply asking to be caught. Which is to say (with a few exceptions), OpSec was not one of LulzSec’s strongest points. In fact, following the eventual spate of LulzSec arrests, their practices would become a model, for other hackers and activists, of just what not to do.
But these worries were far on the horizon, and the sea appeared vast—even infinite. Over the next month and a half, LulzSec’s accomplishments would prove riveting. One might assume that I am referring to its technical inventiveness. In fact, with a few clever exceptions, LulzSec hacks were most notable for their audacity and style, and not for their rocket science.
LulzSec’s true importance came in its ability to force a much deeper recognition and debate about a range issues from the pathetic state of Internet security to the insatiable appetites of media sensationalism.
“Why we secretly love LulzSec” (Not So Secretly, Actually)
Not all hackers held warm and fuzzy feelings for Anonymous. Its interventions were often too technically unsophisticated to garner craft respect. Some hackers felt that its tactics damaged the larger cause of Internet freedom, while others viewed its antics as puerile. And for some hackers the general style of disruptive activism, however interesting, was simply not their cup of tea. But with LulzSec it was a different story. A surprising number of hackers, especially security hackers, adored the new group, or at least held an ambivalent respect. To understand why, allow me to offer a portrait of this subset of hacker by recounting my own introduction to the type.
Before the rise of LulzSec, I became acquainted with the InfoSec community in New York City, largely through force majeure. Apparently I had offended some security hackers by anointing, in writing, open-source developers—programmers who release their source code with permissive licenses—as hackers. In the wake of such a debasing “mistake,” security researchers, who also call themselves hackers, reached out to me in various ways—from constructive suggestions and discussion invitations, to creepy jeers and intimidating threats. They wanted to educate me about what “real” hackers were: themselves. You think a DIY, remote-controlled toaster running on a twenty-five dollar, open-source computer called Raspberry Pi constitutes hacking? Nope, sorry. Or how about programming LED blinky throwies, which you plan on distributing at a rave? Nope again. These may be cool and useful gadgets that require technical proficiency—and they certainly might be blinky—but they are not HACKING. Hacking, they would tell me, is digital trespass: breaking into a system, owning it hard, doing what you want with it. I had recently published my book on free software “hackers,” Coding Freedom: The Ethics and Aesthetics of Hacking, and it seemed that these InfoSec word warriors thought I had a narrow understanding of the term, one that omitted their world. But, my understanding of the term is much more nuanced than they realized. My definition includes free software programmers, people who make things, and also people who compromise systems—but that doesn’t mean they have to all be talked about at the same time. My first book was narrowly focused.
Interestingly, while each microcommunity claims the moniker “hacker,” some always refute the attempts of other microcommunities to claim the term. So when InfoSec people started yelling at me that free software “hackers” weren’t “hackers,” I wasn’t surprised. I actually appreciated the productive discussions—much more than the veiled threats.
Sometime in 2010 an email arrived in my inbox from a respected hacker encouraging me to attend NYSEC, the informal New York City gathering of security professionals and hackers held monthly at a bar. Or as their Twitter bio describes it, “A drinking meet-up with an information security problem.” I figured why not. This was the cordial way of telling me: get real, start hanging out with real hackers. Others were less amicable. One of these “hackers” contacted me by email to generously offer me his entire collection of the hacker zine 2600 for my research. I was excited to add the zines to my personal library, and we met at a tiny New York City cafe. Upon broaching the subject of my book, he became agitated, huffing that “configuring Linux is not hacking.” This gentleman, who was probably almost forty-five years old, was so upset that he abruptly got up and left. Gentle, compared to the time when a hacker found me online and warned me that he had just witnessed a slew of hackers scheming over IRC to hack into my computer—to teach me a lesson about what real hackers do. Nothing like a show-and-tell hack to make a point. Freaked out, I locked down my systems enough to secure myself and I suspect that the acquaintance who warned me might have convinced the zealous hackers to cool their loins.
Of course, not every security hack
er is diametrically opposed to extending the label to free/open-source software developers. Many hackers who deal in matters of security use and write open-source software themselves. One such hacker based in Montreal, David Mirza, has spent countless hours teaching me about the complicated aesthetics and politics of the hacker underground. Formerly in the black hat scene, he now runs an InfoSec company and is an unflagging proponent of open-source software.
But there are differences, important ones. Many of these hackers who work as contractors or on security for governments or corporations constantly face Herculean challenges when securing software applications, operating systems, servers, and networked systems. To truly secure a system means, at a minimum, to occupy the mindset of every possible infiltrator. Often this means engaging in intrusion oneself. This is why many of the best security hackers are former black hats who still might, on occasion, dabble in activity residing in legal gray zones. InfoSec hackers tend to be a touch paranoid, and it is no wonder why. You would be too if you spent most of your waking hours refining your own intrusion capabilities while simultaneously fending off credit card scammers, Russian Business Network associates, Bulgarian virus writers, Chinese state hackers, and the hundreds of other bad actors who actively seek to access valuable systems. Hackers whose ensure security bear the burden of paranoia so the rest of us can sleep a little better at night. (But don’t rest too soundly; their advice is often not heeded.)
Anyone who has hung out with hackers knows that when it comes to technology, all types of hackers are unabashed snobs. This stance is not unique to security hackers vs. free software evangelists, nor is it unique to hackers more generally. Vocational arrogance is common to craftspeople—doctors, professors, academics, journalists, and furniture makers. It is simple: the fine art of haughtiness pushes one to do better. However (and for reasons that still mostly elude me), when compared to other activities that might also be considered “hacking,” security specialists take elitism to incomparable heights. Praise does not flow easy from the lips of these InfoSec men and woman.
Hacker, Hoaxer, Whistleblower, Spy Page 25