We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency
Emick told Byun about her plan. Anonymous had become an almost unstoppable mob. “Someone needs to stop them before something bad happens,” she told him. He was game. For a few years, Emick and Byun had talked about starting a digital security company that used Byun’s technology expertise and Emick’s investigative skills. Now they had something to work with, what Emick was calling a “psychological operation.”
Byun reached out to friends in the cyber security industry, gathering about six people who were willing to help their research. Among them was Aaron Barr.
“Right away after helping the [FBI] investigation I wanted to understand the group even more,” he later explained. “Especially the ones that attacked us.”
They needed to act quickly. Anonymous was being riled up to attack Sony, and to make matters worse, HBGary had made them feel they were unstoppable.
They decided to call their group Backtrace Security, a name that came straight out of the 4chan-meme machine. It referred to the Jessi Slaughter incident, when /b/ users had viciously trolled a young girl who had been posting videos of herself on YouTube, leading her mustachioed father to launch a tirade into her webcam—which she then uploaded. Choice quotes such as “I know who it’s coming from! Because I backtraced it!” along with “Ya done goofed!” and the “cyber police” all became memes. Sarcastically using the word backtrace was meant to infuriate Anonymous because it was reclaiming one of their inside jokes.
Emick got everyone connected to a spreadsheet that they could all edit. A chat bar ran alongside it for discussing their work in real time. She provided a long list of nicknames from AnonOps IRC that they would dox. Everyone picked nicknames at random, then delved into finding their true identities. Sometimes someone in the group would get a tip-off that would lead him to add a new name to the list. Barr joined in the online discussions too, sharing general information about Anonymous that he had gleaned from his research. The most time-consuming task was sifting through the compiled data. Emick and the others downloaded reams of information, but picking through it took days.
Once her kids were out the door and on the school bus, Emick was rooted to her desk, sometimes for the next eighteen hours or until her concentration flagged. She skipped lunch and often got the kids to cook dinner. They ate a lot of pizza. Emick said her kids were supportive, though she didn’t let them know what she was up to most of the time. She raised them to be self-reliant. Emick was the oldest of five kids, and her father and stepmother had been alcoholics who largely left her to cook, do laundry, and pay household bills. Although her dad sometimes cooked, her stepmom rarely left the couch.
Emick worked from a seven-foot-wide custom-built desk that was tucked in a corner of her divided living room. On it were her phone, notebooks, files, lamps, a box of Christmas cards from the last holiday season, and two computers. One was a laptop that ran on Linux, the open-sourced operating system, which she used for chatting on IRC. She needed two PCs for when she was pretending to be two people in chat channels at the same time or tweeting on more than one Twitter account. Her main one was @FakeGreggHoush. When she snooped on AnonOps and tried to weed out information, eagle-eyed operators noticed her nickname and attempted to identify her IP address. Each computer worked off a proxy server that put her in two different time zones to prevent them from getting a location match.
Many names on Emick’s list only took about ten or twenty minutes to track down. Some Anons were reusing their nicknames on sites like Facebook, Reddit, YouTube, and Yelp, where some of them were openly discussing their locations or talking on a public IRC without hiding their IP address behind a VPN. Instead, their IP addresses were “naked,” and linked to their home addresses. In a few cases, Emick and her crew would use different names, claim to be from Anonymous, and talk to the Anons on IRC, sometimes even convincing them to do a video chat.
The investigation really took off when her old friend Laurelai fell for the intimidation tactics that Emick was using through @FakeGreggHoush. When Laurelai handed over the 245-page log of chats from the HBGary hackers’ #HQ channel, Emick couldn’t believe her luck. On top of implicating the nicknames Sabu, Kayla, Tflow, and Topiary in the HBGary attack, the log gave her something even more revealing.
A tiny snippet of the chat log showed Sabu telling the other hackers that they could still log into a backdoor account he had created on HBGary Federal’s server—something that could allow them to snoop on the company’s e-mails again if they wanted. But when he typed out the web address, he accidentally gave away the name of his private server: www.google.com/a/prvt.org.
“Oops,” he had said. “Wrong domain.” He then typed out www.google.com/a/hbgary.com. “There you go.”
But Sabu’s server address had remained in Laurelai’s log. Emick quickly highlighted it and, knowing that she was onto something, pasted it into Google. Sure enough, she came across a subdomain called ae86.prvt.org. The name ae86 was important. The subdomain linked to cardomain.com, a site for car enthusiasts, where Emick found photos and a video of a souped-up Toyota AE86. With that model number, it had to be Sabu’s car. Cross-referencing the information on the car site with the YouTube video of the AE86, she eventually found a Facebook page with the URL, facebook.com/lesmujahideen, and the name Hector Xavier Montsegur. She had slightly misspelled his last name, but this was the closest anyone had ever gotten to doxing Sabu. Emick could not get his address in the Jacob Riis housing complex, but she did figure out that he lived on New York’s Lower East Side.
She did some more research on Sabu’s online exploits. She found that, years before, he had hacked into an obscure porn site called ChickenChoker.com and, oddly, defaced it with a message about being Puerto Rican:
“Hello, i am ‘Sabu’, no one special for now…lately i’ve been seeing ALOT of Brazilian and asian defacers just come out a leash their skills, i didn’t see any Puerto Rican hacker’s, or well: ‘defacer’s’, show up, so i guess i’ll be your Puerto Rican defacer for now huh? elite…”
“It was political, but pointlessly political,” Emick later said. Sabu went to the top of her most wanted list. He was “megalomaniacal,” and “not very bright,” she added.
Eventually Emick and her team pulled together research on seventy identities and were dropping hints on Twitter and to the media that a large group of Anons would soon be exposed. When she finally wrote her stinging profile on Sabu, published on the Backtrace Security website, she concluded that he was Puerto Rican, close to thirty, and hailed from New York’s Lower East Side. He’d had a “troubled” high school career and was relatively intelligent but resentful of authority and “success of people he perceives to be less worthy than himself…After suffering humiliations a decade ago following his posting of rambling, incoherent manifestos on defaced websites, he fell into obscurity until publicly associating himself with the Anonymous protest group.” She got ready to announce his real name to the world.
Sabu, the notorious, well-connected hacker who had rooted national domains, had just been discovered by a middle-aged mom from Michigan.
By mid-March, Emick had organized her list of seventy names into a four-page PDF file she named Namshub. In it she listed Kayla as Corey “Xyrix” Barnhill, and Sabu as Hector Xavier Montsegur from New York’s Lower East Side. Anyone who was a senior Anonymous member was listed in red. She and Byun contacted a few journalists and offered to send them the list. They offered the #HQ chat logs, naturally, to Adrian Chen, the Gawker reporter known for writing skeptically about Anonymous. Since it would be difficult to corroborate the list of names and Chen didn’t want to out innocent people, he latched onto the #HQ logs. They were bursting with juicy tidbits about the inner workings of Anonymous hackers. On March 18, he published an article titled “Inside the Anonymous Secret War Room,” featuring choice quotes from the #HQ channel. It showed Sabu lambasting Laurelai, the group presumptuously congratulating one another after the resignation of Egypt’s president, and the suggestion that this was a leading group for Anonymous with Sabu as its head honcho.
Sabu, meanwhile, was seething.
“I’m going to drive over to his house and mess him up,” he told the others. Topiary and Kayla tried to calm him down. Sabu was referring to Laurelai, noting angrily that he had always suspected that “he/she/it” would betray their trust. What was worse for Sabu, and what he wasn’t telling anyone, was that Backtrace had noticed his “oops, wrong domain” comment that led to “Hector Montsegur.” With a close approximation of his real name and his prvt.org server address now out in the open, Sabu had a potentially big problem. If the police followed up on Backtrace’s findings, they could come to his door any day now.
But there was some upside. No one had heard of Backtrace till now, and it was possible that no one would take the doxers behind it seriously. Besides, Sabu thought, his last name had been spelled wrong; his real address had not been found; and there were probably several Hector Monsegurs on New York’s Lower East Side. (This was true.) Sabu contemplated whether he could laugh this off like everyone else and continue hacking with this new team of people that seemed to get on so well. Despite all the dangers, he was tempted to keep hacking.
“All wrong,” said Topiary in an IRC channel with the others after he’d read the four pages of names from Backtrace’s document. Emick had named him as Daniel Ackerman Sandberg from Sweden. “I’ve never even been to Sweden and have no idea who Daniel Sandberg is,” he said. He, Kayla, Tflow, and AVunit had met again in a new IRC room to discuss the “exposé” and get some light relief.
“They all still think im Xyrix!” said Kayla.
“It’s as if Aaron Barr is working with them ;),” Tflow quipped. The group had long suspected (correctly) that Barr was secretly collaborating with Backtrace to try to take down the people who had attacked him.
“They got literally nothing right on me,” said AVunit, who had been described in Emick’s document as a “coder” named Christopher Ellison from Ipswich, Britain. “Well, I suppose ‘coder’ is right.”
“I’m also a paypal scammer,” Tflow joked; he had not been given a name in the document. “The only part they got right about me is ‘Tflow’ and ‘php coder.’ But yeah, I feel flattered. My name is in red.”
“Is this a new trend :D to see who can make the worst dox file ever?” asked Kayla. The group was feeling confident. Aaron Barr’s research had been wrong; Backtrace’s appeared to be wrong. People were trying, yet no one could catch them.
What they didn’t know was that while Backtrace had been wrong on many names, a few, including Sabu, had been spot-on. One hacker who spotted his real name on the spreadsheet immediately stopped everything he was doing with Anonymous and lived in terror over the next few months that the FBI was coming to arrest him.
“I still get heart palpitations,” he said during a face-to-face meeting about half a year later. “It’s the not-knowing that kills you, whether you’ll have nothing, or twenty-five years, up in the air all the time.”
Incidentally, Emick had shown no mercy for her mole, Laurelai, who also appeared on her list under her old real-world name, Wesley Bailey, and who was described as “transgender” and a “former soldier from Duncan, Idaho.” Laurelai still did not believe (or at least did not want to believe) that Emick was the driving force behind Backtrace or that Emick had betrayed her. No one had proof yet of who was behind this anti-Anonymous group. That was fine with Emick. Once the spreadsheet of names and HQ logs were leaked, she continued to offer a sympathetic ear to Laurelai as the “former soldier” complained about the whole experience and about how deeply she regretted passing the chat logs to the person on Twitter named @FakeGreggHoush.
It wasn’t until many months later, at the annual hacker conference DEF Con in Las Vegas, that Emick gave a speech and outed herself as the Backtrace co-founder.
“I was so pissed off [at Emick],” said Laurelai after watching the video of Emick’s speech on YouTube. “Believe me, I think about this daily.”
Later that year, in October, Francois Paget, an analyst at IT digital giant McAfee, would do a study on Anonymous and the effectiveness of investigative attempts by people like Backtrace’s members, Aaron Barr, and The Jester, who set out in late December to unmask people in Operation Payback. His conclusion was that these attempts were largely unsuccessful, even a hindrance to the police. At the time of his study, anti-Anonymous groups like Backtrace had released about 230 names for pseudonyms, while police around the world (excluding Turkey) had made 130 arrests. In those arrests, police came up with thirty names, yet there was hardly any overlap between the names released by vigilante doxers and those discovered by the authorities.
“I imagine they were more confusing than useful,” Paget wrote.
Sometimes, though, you needed just one good name. A few weeks after Backtrace’s release, the FBI contacted Emick and asked for her assistance in their investigation. They were interested in the name she had discovered for Sabu, but they needed to corroborate their evidence with hers to see if this Hector Monsegur was definitely the right guy. What Emick had found so far wasn’t enough to make an arrest, and the FBI wanted to make sure they didn’t scare the real Sabu away. He could prove useful.
The HBGary hackers meanwhile had some hard decisions to make about how to approach the Backtrace drop. They predicted (correctly) that there would later be other groups trying to outdo Emick’s work, in the same way she had tried to outdo Barr’s. If they really wanted to avoid handcuffs, Topiary and the others had to think very carefully about what they did next.
Chapter 15
Breaking Away
In Anonymous there were three ways to respond to a dox:
(1) You could outright deny it. This was a common tactic but didn’t always work. If the information was true, most people would nonetheless deny it. It was also dangerous. The worst thing to do was state honestly what was right and wrong about the information, since that would point an investigator in the right direction.
(2) Go back to the doxers and bombard them with a stream of false information and conspiracy theories, making them think you have come around to their side while confusing their research. This is along the lines of what Sabu did. Not long after the Backtrace drop, Sabu hopped over to the chat network where Emick and her colleagues sometimes hung out and pretended to offer her a private chat of the HBGary crew. Sabu pasted all the logs of his own chat with Emick back to the crew showing how they had become friendly. The team had a good laugh.
(3) Say nothing and exit stage left.
Topiary decided that the Backtrace drop had provided the perfect excuse for a clean break from Anonymous. Once again, he was feeling the urge to learn and experience something new. In the three months he’d been with Anonymous, from December to February, he’d seen every corner of Anonymous: from writing deface messages, flyers, and press releases to watching a botnet take down PayPal.com; from humiliating a federal security contractor and watching that turn into an international exposé involving a major bank and WikiLeaks to fronting a live-on-air hack of the Westboro Baptist Church.
Though Topiary had learned and experienced so much, he was restless. Anonymous was starting to become boring. What had begun as one major operation had splintered into too many side operations. It felt milked. He couldn’t tell if he was growing up or getting bored with having destroyed so much in a short period of time. And he was tired of having people expect Topiary, Sabu, or Kayla to be at the forefront of everything.
Topiary had quit his part-time job in a bike and auto shop after tiring of his boss and had signed up for welfare checks, which he was now fully reliant on. He was keen to get out of the house more and go back to school. He toyed with applying to a course at his local college in Lerwick that could lead to taking a full psychology degree. In the meantime, the government housing authority was ready to offer him a new place to live in England. In a few months, he planned to move off the remote Shetland Islands, find a new job, maybe study at college.
He wasn’t the only one who wanted to break away. Sabu had talked to Topiary about wanting to go dark after Backtrace and get away from all the heat. Even Tflow had recently moved away from the AnonOps network. The small clique they had formed was the one thing Topiary wanted to take with him. He not only enjoyed their company but learned from them. Kayla taught him how to hide himself online, and Sabu taught him about what was wrong with the world—from the rumors in Anonymous that Facebook spied for the CIA to the corrupt practices of white hat cyber security executives like Barr. Pressure from Backtrace and other enemies had brought them closer together and increasingly made them isolated from the rest of Anonymous.
Their group now consisted of Topiary, Sabu, Kayla, Tflow, AVunit, and occasionally the hacktivist called Q—a concentrated group of elite Anons. AnonOps had been a gathering of the elite in Anonymous; #InternetFeds a group of even more elite; and #HQ was a distillation of that. This was the elite of the elite, Topiary thought. Sabu had once used the phrase outside Anons to describe Anonymous supporters in the main IRC channels and the words stuck in Topiary’s mind now.
The small group was now permanently based on a small IRC network on Sabu’s own server. They rarely went on AnonOps IRC anymore, a network now swarming with cantankerous operators and what they assumed were undercover Feds. Besides, their team was tight-knit. Relationships between Anons could be more important than the circumstances that brought them together when it came to deciding how successfully they would go after big targets. It didn’t matter how popular a target was or how easily it could be attacked. If a group worked together well, they were more likely to achieve a good hit against an outside party. If they squabbled, they might recklessly attack one another instead, sometimes through a war of words or through doxing each other or perhaps even by trying to DDoS one another’s IRC networks.