We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency
Anons particularly disliked journalists who would come into the #reporter channel asking, “So who are you attacking next?” or pushing for a quick quote. A few would first exaggerate, saying that there were tens of thousands of people attacking a site. At one point an Anon told a magazine reporter that Anonymous had “colonies” all over the world, a physical headquarters, and that its name was based on a real man named Anonymous.
“So who is Anonymous?” a reporter asked about the supposed man.
“He’s this guy,” the Anonymous supporter said. “He lives in our headquarters in West Philadelphia.” That was actually an Internet meme: tell an elaborate story, then catch the person out by quoting the introductory rap to the sitcom The Fresh Prince of Bel Air.
Later, in February 2011, Topiary would create an IRC channel called #over9000 (a reference to another famous meme) in which a few core Anons discussed a bogus hacking operation to mess with a journalist from the Guardian. The reporter had asked for access to “secret” inner channels.
“We need to troll her hard,” Topiary had told the others.
The group went on to spam the room with cryptic messages like: “Charlie is c85 on excess, rootlog the daisy chain and fuzz out dawn mode.”
Lying was so common in Anonymous that people were rarely surprised to hear different versions of events, or to find out that the nickname they thought they were talking to was being hijacked by someone else. There was a constant suspension of disbelief and skepticism about almost everything. Even when people professed genuine admiration for someone or for the ops that were taking place on PayPal and MasterCard, their opinions could change just days later. It wasn’t that people in Anonymous were shallow or that there was little value to their experiences—it was just that events and relationships on the Internet moved far more quickly and dramatically than in real life. The data input for Anons could be overwhelming, and often the result was detachment—from emotions, from morals, and from awareness of what was really going on. But there was one truth in particular that at least a dozen Anons would later regret ignoring. It was about LOIC. Not only was their all-important weapon useless against big targets like PayPal, it could lead the police straight to their doors.
Chapter 8
Weapons that Backfired
When nearly eight thousand people had rushed into the main AnonOps IRC channel on December 8, eager to avenge WikiLeaks, the dozen or so operators in #command were stunned and then overwhelmed. Hundreds had been clamoring for direction, and the obvious one was to download and use LOIC. The operators made sure that at the top of the main chat channels there was a link to downloading the program, along with a document explaining how to use it.
But no one knew for sure if LOIC was safe. There were rumors that LOIC was tracking its users, that the feds were monitoring it, or that it carried a virus. More confusingly, the LOIC that Anons had downloaded in droves during Operation Chanology three years earlier was very different from the LOIC they were downloading now for Operation Payback. In the fast-moving world of open source software, developers were tweaking things all the time, and no one was deciding whether those changes helped or hindered Anonymous. One person who took a closer look at LOIC realized it was doing the latter.
Around the same time that the PayPal attacks were getting under way, a highly skilled software developer hopped onto AnonOps IRC for the first time. The programmer, who did not want to reveal his nickname or real name, had worked with WikiLeaks in the past and was keen to help attack its detractors. When he downloaded LOIC from the link at the top of the main chat channels, he thought to look at the program’s source code.
“I took it apart,” he said, “and it looked like shit.”
The big problem was that the application sent its junk traffic directly from the user’s own IP address. It did nothing to hide the user’s computer on the network. This meant that people who ran LOIC without also routing it through anonymizing software or a proxy server were just asking to get arrested: every packet they fired carried their subscriber address, and the target’s server logs recorded it.
The programmer quickly sent private messages to a few of the operators and let them know his concerns, asking them to remove the LOIC link at the top of the channel. About half of them agreed—but the other half refused. According to the programmer, the operators who refused didn’t understand the technology behind LOIC. Making things more complicated was the range of operators, all offering different interpretations of LOIC on the chat network. AnonOps had different levels of operators—network operators at the top, and channel operators below them. The channel operators were like middle managers, with the ability to kick people out of channels with a few simple commands. One young female student who went by the nickname No managed to work her way up to channel operator by the time of the PayPal attacks, and she became known for banning people from the main #operationpayback channel if they tried to tell others not to use LOIC. (Ironically, police ended up tracking down No and arresting her a few months later because she had used LOIC.)
New volunteers and operators alike also assumed there was safety in numbers. Anonymous, as the saying went, was everyone and no one.
“Can I get arrested for doing this?” a person called funoob asked in the #setup channel on December 8.
“Nah, they won’t arrest you,” answered someone called Arayerv. “Too many people. You can say you have spyware. They can’t charge you.”
Another called whocares concurred: “If you get arrested just say you don’t know but it’s probably a virus.”
“I hope in a way to get arrested,” one called isuse joked. “The trial would be hilarious.” (Those who did go to trial for using LOIC later on most likely don’t agree.)
“They honestly believed that because of the amount of people it would be impossible to prosecute any single individual,” the programmer later remembered. “No one talked about prosecutions. They didn’t want to hear about your IP being exposed or anything like that.” And the overwhelming sense of camaraderie and accomplishment dominated reasonable argument. The world’s media were paying attention to Anonymous and its extraordinary hive mind; the last thing they needed was to start fiddling with the technology they were relying on and slowing things down.
Even when Dutch police swiftly arrested sixteen-year-old AnonOps IRC operator Jeroenz0r and nineteen-year-old Martijn “Awinee” Gonlag on December 8 and 11, 2010, people on AnonOps initially didn’t believe it.
“BS, no one is getting arrested,” said a user called Blue when links to the arrest stories started getting passed around. Then, when more articles about the arrests started appearing online, a flood of new Dutch supporters poured into AnonOps. There were so many that a new channel was started to host them all, called #dutch.
Around December 13, a rare digital flyer was released warning anyone who had recently used LOIC that they were at “high risk” of arrest and needed to delete all chat logs. The organizer shitstorm said: “Ridiculous. This is an obvious ploy to try and scare people away.”
“It’s a troll,” another organizer told Panda Security’s Correll.
The operators, including one who went by the name Wolfy, continued to encourage people to use LOIC even as Correll reported on the Panda Security blog around December 9 that LOIC didn’t mask a user’s IP address.
“People were so excited,” the programmer recalled. “They were in the Christmas spirit and were going crazy.”
The programmer wasn’t giving up. He decided to help build a new tool to replace LOIC. He started asking around on AnonOps for interested volunteers who could prove they were developers. After gathering a team of eight from all over the world, they met on a separate IRC server and spent the next three weeks doing nothing but rewriting LOIC from scratch. It was the fastest software build he had ever been part of, fueled by a sense of justice against corporations and governments and by the idea of contributing to the wider collective. The programmer was at his computer all day, including during work at his day job, skipping meals and drinking alcohol at the same time as his new colleagues in other parts of the world.
The team added new features to the program, which was like LOIC but let users fire junk packets at a target through Tor, the popular anonymizing network. The tool was not only safer than LOIC but more powerful and far-reaching, too. The programmer claimed it got two hundred thousand downloads on AnonOps IRC when it was finally completed on December 23. When it was posted on a popular blog run by an AnonOps IRC operator named Joepie91, it was downloaded another 150,000 times. Still, many newbie Anons continued to download LOIC because it was so well known. The link to LOIC download was still everywhere on AnonOps IRC. And the programmer’s new tool was more complicated to set up. LOIC may have even acquired a veneer of legitimacy from frequent mentions in the mainstream press—from the New York Times to BBC News.
Later, in March 2011, the programmer and his crew disassembled LOIC again and found it had indeed been trojaned, or infected with a malicious program. “It had a code that would record what you sent and when you sent it, then send it to a server,” he said, adding it was possible that users’ IP addresses were being sent to the FBI.
As it happened, the FBI had been investigating Anonymous since the attacks on copyright companies in October and November 2010, and had also been working closely with PayPal since early December. Two days after the December 4 DDoS attack on the PayPal blog, FBI agents spoke on the phone to PayPal cyber security manager Dave Weisman. As the attacks intensified, the two parties kept in touch while a security engineer at PayPal’s parent company, eBay, took LOIC apart and analyzed its source code.
On December 15, a member of PayPal’s cyber security team gave a small USB thumb drive to the FBI. It was the mother lode. The thumb drive contained a thousand IP addresses of people who had used LOIC to attack PayPal, the ones who had sent the largest number of junk packets. Once the Christmas holidays were over, the FBI would start serving subpoenas to broadband providers like AT&T Internet Services to unmask the subscribers behind some of those IP addresses. Then they would start making arrests.
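The two passages above (LOIC sending junk traffic straight from the user’s own address, and PayPal handing the FBI the addresses that had sent the most of it) describe a simple piece of log analysis. The following is an added example of that step, not code from the book, from LOIC, or from PayPal’s investigation: it counts requests per source IP in a constructed web-server access log and picks out the heaviest senders. The log lines are made up, use RFC 5737 documentation addresses, and the request path and user agent are placeholders rather than LOIC’s real traffic signature; the combined log format is an assumption.

```python
"""Rank the source addresses behind a junk-traffic flood.

Added example: not code from the book, from LOIC, or from PayPal's
investigation. It models the step the text describes, in which the
target's security team counted requests per source IP and handed
the heaviest senders to investigators. Because LOIC sent traffic
straight from the user's own address, each line's source IP is the
subscriber's address (behind Tor it would be an exit node's).
All log lines below are constructed from RFC 5737 documentation
addresses; the request path and user agent are placeholders.
"""
from collections import Counter
import re

# Apache/nginx "combined" log line (assumed format; no real server data).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def build_sample_log():
    """Construct a small access log: three flooding hosts, two normal visitors."""
    senders = {            # constructed: source IP -> number of requests
        "203.0.113.5": 40,
        "198.51.100.7": 25,
        "203.0.113.9": 12,
        "192.0.2.10": 2,
        "192.0.2.11": 1,
    }
    lines, i = [], 0
    for ip, n in senders.items():
        for _ in range(n):
            ts = f"08/Dec/2010:14:{i // 60:02d}:{i % 60:02d} +0000"
            lines.append(f'{ip} - - [{ts}] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
            i += 1
    return "\n".join(lines) + "\n"


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def count_by_source(records):
    """Number of requests seen from each source IP."""
    return Counter(r["ip"] for r in records)


def top_senders(records, n):
    """The n heaviest senders as (ip, count), highest count first, ties broken by IP."""
    counts = count_by_source(records)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def flood_sources(records, threshold):
    """Source IPs that sent at least `threshold` requests, sorted for stable output."""
    return sorted(ip for ip, c in count_by_source(records).items() if c >= threshold)


def share_of_traffic(records, ips):
    """Fraction of all logged requests that came from the given IPs."""
    counts = count_by_source(records)
    total = sum(counts.values())
    return sum(counts[ip] for ip in ips) / total if total else 0.0


if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    heavy = flood_sources(recs, threshold=10)
    print("top senders:", top_senders(recs, 3))
    print("flood sources:", heavy, f"({share_of_traffic(recs, heavy):.0%} of requests)")
```

The point the numbers make is the one the Anons missed: a flood is not anonymous just because many people join it. The heaviest senders stand out from ordinary visitors by an order of magnitude, and with LOIC the address that stands out is the subscriber’s own, which a provider can tie to a name under subpoena. Routing the same traffic through Tor would put an exit node’s address on these lines instead.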
“Switch is basically under a shoot on sight watch list,” the operator Owen told other operators on December 20. The botmaster who had helped make the PayPal attacks happen in early December had gone AWOL after making trouble on the network and getting banned from a few of the main chat rooms, including #command. He had become aggrieved that his contribution to the attacks hadn’t led to more power.
Civil was said to be similarly bitter. After the Visa and MasterCard attacks, he told AnonOps operators like Owen that he was being used, and that they were pretending to like him for his bots. Though it wasn’t the case for all botnet masters who supported AnonOps, Civil and Switch were largely uninterested in the activism that Anonymous was publicly fronting, according to Topiary, and more keen to parade their power to the Anon operators, getting the wow factor with their ability to take down a major website on a whim.
Meanwhile, as their former allies started attacking the AnonOps network from December 13, its operators found themselves overwhelmed with extra maintenance work. With folks like Civil, Switch, The Jester, and God knows who else attacking the network, there was no time to dictate a central strategy from #command.
The result was that the masses of original participants started splintering off and starting their own operations. Often they were legal and coherent. One former operator called SnowyCloud helped start Operation Leakspin, an investigative op calling on people to trawl through the WikiLeaks cables and then post short summaries of them on YouTube videos that could be searched with misleading tags like Tea Party and Bieber. There was also Operation Leakflood, where Anons posted a digital flyer with the headquarters fax numbers of Amazon, Mastercard, PayPal, and others with directions to fax “random WikiLeaks cables, letters from Anonymous…” People were creating the flyers in #Propaganda, where Topiary was still spending much of his time. From #Propaganda a few spearheaded Operation Paperstorm, calling on Anon to take to the “real life” streets—not in protest this time, but to plaster them with printed logos of Anonymous on Saturday, December 18. Another channel called #BlackFax listed the fax numbers of several corporate headquarters and encouraged Anons to send them ink-draining black faxes.
Soon, AnonOps was splintering into all sorts of side operations, often under agendas completely different from WikiLeaks, but always as “Anonymous.” In mid-December, a few Anons hit Sarah Palin’s official website and Conservatives4Palin with a DDoS attack, and a group of about twenty-five attacked a Venezuelan government site to protest Internet censorship. Another operation called Operation OverLoad saw Irish hackers team together to map their government’s entire network in an effort to deface every .gov and .edu site they could.
Each time someone would produce a press release announcing an attack by Anonymous, the media would suggest it was coming from the same “group of hackers” that hit PayPal and MasterCard. Not only were these people not all from the same group, more often than not they weren’t even hackers and didn’t know the first thing about SQL injection. They were armed mostly with an ability to coordinate others and with access to free software tools they could get on 4chan’s /rs/ board.
Topiary had been dipping into some of the different operations that had briefly taken off after the PayPal and MasterCard attacks. In late December, while he was lurking in #operationpayback, he noticed a number of people talking to a participant called 'k. “So you’re THE Kayla?” someone asked. They asked about an incident on 4chan—someone had taken full control of the /b/ board and spammed it with repeated loops of “Kayla <3” in 2008. 'k said yes and added a smiley face. Another name, Sabu, was lurking among the participants, not saying anything, just listening.
Soon Sabu and Kayla had moved into another secret channel that was slowly replacing #command as a tactical hub for Anonymous: #InternetFeds. This channel was so highly classified that it wasn’t even on the AnonOps network but allegedly on the server of a hardcore hacktivist with Anonymous. About thirty people had found their way in, mainly via invitation. They included Sabu, Kayla, and Tflow, some of the original AnonOps operators, and a botmaster or two. Most were skilled hackers.
Here they could share flaws they had found in servers hosting everything from the official U.S. Green Party to Harvard University to the CERN laboratory in Switzerland. Sabu even pasted a list of exploits (sequences of commands that took advantage of a security flaw) for several iPhones that anyone could then snoop on. They threw around ideas for future targets: Adrian Lamo, the hacker who had turned in WikiLeaks’s military mole Bradley Manning, or the defected botmaster Switch.
“If someone has his dox,” said Kayla, “I can pull his social security number and we can make his life hell.” To those who didn’t know her, Kayla came across as someone who was especially keen to dish out vigilante justice.
As the InternetFeds participants got to know each other more, they also saw that Sabu was the one with the loudest voice, the biggest opinions, and the strongest desire to coordinate others into action. Sabu, who was well connected to the underground hacker scene, wanted to relive the days of the so-called Antisecurity movement and would eventually realize he could do so with an elite group of Anons like Kayla, Topiary, and Tflow. What’s extraordinary is that, while his actions gradually betrayed the rhetoric, Sabu was gradually positioning himself as Anonymous’s most spectacular revolutionary hero.
Chapter 9
The Revolutionary
Sabu’s dramatic involvement in Anonymous might never have happened if it weren’t for an important introduction: around mid-December 2010, Tflow invited Sabu, who in real life was a twenty-eight-year-old New Yorker with a string of criminal misdemeanors behind him, into the #InternetFeds chat room. It was in this chat room that Sabu first met Kayla and other hackers who would help him attack myriad other targets with the mission of revolution in his mind. Until now, Anonymous raids had reacted to circumstance: Chanology because of Tom Cruise; Operation Payback because a few companies snubbed WikiLeaks. But Sabu wanted Anonymous to be more than just kids playing hacker. He wanted Anonymous to change the world.
Sabu was an old-time cyber punk. He did not use words like moralfag and lulz, and he did not go on 4chan. He conquered networks, then basked in his achievement. He was more interested in the cachet of taking over entire Internet service providers (ISPs) than pranking Scientologists. While 4chan trolls like William were looking for random fun, Sabu wanted to be a hero by taking figures of authority down a notch or two. He did not shy away from big targets or big talk. In his decade underground he claimed to have taken control of the domain-name systems of the governments of Saudi Arabia, Puerto Rico, the Bahamas, and Indonesia.
Sabu was known to exaggerate, and other hackers who dealt with him listened to his claims with some skepticism. Though he was highly skilled, Sabu would often lie about his life, telling people things he perhaps wished were true—that he came from Puerto Rico; that his real mother had been an upstanding member of the local political community; that in real life, he was married and “highly successful in his field.” The truth was that he was jobless, insecure, and struggling to support his family.
Sabu’s real name was Hector Xavier Monsegur. He lived in a low-income housing project on New York’s Lower East Side, and with help from government welfare, he supported his five brothers, a sister, two female cousins for whom he was legal guardian, and a white pit bull named China. Monsegur would refer to the two girls, who were seven and twelve, respectively, in 2012, as his daughters. He was of Puerto Rican descent and a stickler for left-wing activism. As a child, he listened to tales of the El Grito de Lares revolt and told his family that one day, he would launch his own revolution.