
We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency


by Parmy Olson


  It was Labor Day, a slow day for news, and mainstream outlets like the New York Times and the Wall Street Journal picked up on the Tupac spoof and the hacker group Lulz Security for the first time. By 10:30 a.m. on Monday in London, Google News showed that it had logged fifty-three articles about the hack. It was unclear what the group was officially called at this point, and some reporters referred to it as Lulz Boat and later, in a misreading of the autocue on Rupert Murdoch’s Sky News on TV, the Louise Boat. When one news outlet reported that the hacker group was Anonymous, Topiary posted a tweet saying, “We aren’t Anonymous you unresolved cow-shart.” An hour or so later, that tweet alone made the news, with the respected tech news site Venture Beat posting a story with the headline “PBS Hack Not Anonymous.” To Sabu’s surprise, the members of the press weren’t that interested in the leaked user data or the fact that the hack had been done in retaliation for the Assange documentary. They were mostly enthralled by the fake Tupac Shakur story.

  LulzSec gave a single interview after the attack, to Forbes, saying they had gone after PBS for two reasons: “Lulz and justice. While our main goal is to spread entertainment, we do greatly wish that Bradley Manning hears about this, and at least smiles.”

  “Some people would say that you went too far in attacking a media company—not to mention a public service broadcaster,” Forbes said in the interview with Topiary, who was answering questions under the nickname Whirlpool. “What’s your response to that?”

  “U mad bro.”

  In a moment of candor afterward, Topiary said that LulzSec wasn’t after fame as much as they wanted to make people laugh.

  He started taking requests on Twitter for pages to add to the PBS site, the same way he had taken random numbers from people during his drunken night on TinyChat. One Twitter user requested a web page showing unicorns, dragons, and chicks with swords. All this was possible because the team still had admin access to the site.

  “Sure thing,” the LulzSec feed said. “Wait a sec.” Topiary and Tflow scrambled to put together an image, and about half an hour later posted the link to the gaudy-looking new web page, pbs.org/unicorns-dragons-and-chix-with-swords.

  Topiary wanted to respond to some of the group’s detractors who were accusing it of using simple SQL injection techniques to get into PBS. He wrote up a note explaining how the hack was done and published it to Pastebin with a tweet saying, “Dear trolls, PBS.org was owned via a 0day we discovered in mt4 aka MoveableType 4.” It went on to describe in detail how the hack had been carried out with a shell site and how the hackers had gained root control of the PBS servers. They had been able to take over the network because a number of staffers at PBS with access to its most secure parts had used their passwords more than once. He had then pasted a list of those fifty-six staffers. They could have permanently destroyed the site’s entire contents and defaced its home page, but they didn’t.

  Topiary felt exhilarated. He was uninterested in food, sleep, or anything beyond the bubble he now inhabited with Sabu, Kayla, Tflow, AVunit, and Pwnsauce, a team more elite than any he had been part of before. With the help of Topiary’s prodigious communiqués to the outside world, LulzSec was starting to look less like a hacker team and more like a rock band. Topiary began monitoring LulzSec’s Twitter followers and press mentions on a website called IceRocket and saw everything suddenly shoot up after PBS. The following day, LulzSec appeared in most major printed newspapers for the first time. A group of hackers had taken over “the U.S. public-television broadcaster’s website and posted an article claiming the late rapper Tupac Shakur had been found alive in New Zealand,” the Wall Street Journal reported. “The group posted a string of Twitter messages in which it took credit for the breach.”

  Topiary started requesting donations for LulzSec and used Twitter and Pastebin to provide the thirty-one-digit number that acted as the group’s new Bitcoin address. Anyone could anonymously donate to their anonymous account if he converted money into the Bitcoin currency and made a transfer. Bitcoin was a digital currency that used peer-to-peer networking to make anonymous payments. It became increasingly popular around the same time LulzSec started hacking. By May, the currency’s value was up by a dollar from where it had been at the start of the year, to $8.70. A few days after soliciting donations, Topiary jokingly thanked a “mysterious benefactor who sent us 0.02 BitCoins. Your kindness will be used to fund terror of the highest quality.”

  He used Twitter to drop hints about whom LulzSec would hit next. “Poor Sony,” he said innocuously on May 17. “Nothing is going well for them these days.” The papers picked up on this immediately, saying that Sony looked like the group’s next target.

  On Twitter, Backtrace founder Jennifer Emick publicly criticized LulzSec through her @FakeGreggHoush account, and was joined increasingly by other online colleagues who didn’t like Anonymous or this apparent splinter group. A day after the PBS hack, one of these detractors tweeted the “yank up as a vital obituary” phrase in the faked Tupac article. It was “an anagram for ‘Topiary, Kayla, Sabu, AVunit,’” they added. “What did [Topiary] mean by that? Taking credit? Red herring?” Very few people outside of the LulzSec team and a few of their closest online friends knew that LulzSec was made up of the old HBGary hackers, and the anagram question was quickly drowned out. Hundreds of people on Twitter were talking excitedly about this new hacking group and its audacious swoop on PBS. Many more started following the @LulzSec Twitter feed to hear communiqués directly from Topiary. Almost at once, he was getting tens of thousands of followers.

  Chapter 19

  Hacker War

  The victory of the PBS attack had left Topiary in a daze of newfound fame and hubris. He knew he wasn’t leading the hacks or really even partaking in their mechanics, but acting as the mouthpiece for LulzSec certainly made it seem to him, and sometimes to the others in the group, like he was steering the ship. That meant speaking on behalf of LulzSec when he got into verbal tiffs with some often impassioned enemies on Twitter.

  The PBS hack had ushered a blast of attention from the media and earned the group a sudden wave of fans, with even the administrators of Pastebin, the free text application that LulzSec was using to dump its spoils, apparently happy with the extra web traffic they got with each release. But in a world already steeped in trolling, drama, and civil war, there were plenty of eager detractors. Jennifer Emick flung a few diatribes at the LulzSec Twitter feed, as did the Dutch teenager Martijn “Awinee” Gonlag, who had been arrested in December of 2010 when he used the LOIC tool against the Netherlands government without hiding his IP address.

  Awinee and many other “Twitter trolls” appeared to align themselves with The Jester, the ex-military hacker who had DDoS’d WikiLeaks in December of 2010, then taken down the Westboro Baptist Church sites in February. He was never as dangerous as the actual police, but he was certainly a source of drama and distraction. The Jester hung out in an IRC channel called #Jester, on a network aligned with the magazine 2600: The Hacker Quarterly.

  The name 2600 came from the discovery in the 1960s that a plastic toy whistle found inside certain boxes of Cap’n Crunch cereal in the United States created the exact 2,600 hertz tone that led a telephone switch to think a call was over. It was how early hackers of the 1980s, known as phone phreaks, subverted telephone systems to their desires. Unlike AnonOps IRC, on the 2600 IRC network, any talk of illegal activity was generally frowned upon. If people talked about launching a DDoS attack, they were discussing the technological intricacies of such an attack. If 2600 was a weapons store where enthusiasts discussed double- and single-action triggers, AnonOps was the bar in a dark alley where the desperadoes talked of who they’d like to hit next.

  After hitting PBS, LulzSec’s founders decided that as attention to LulzSec grew, they would eventually need their own IRC network just like AnonOps and 2600. Sabu also wanted to create a second tier of supporters, a close-knit network beyond the core six members that could help them on hacks. The team had decided from the beginning that their core of six should never be breached or added to, and when Topiary heard Sabu’s plans, he felt skeptical. Just look what had happened in #HQ when Kayla had invited Laurelai. But Sabu argued they needed at least a fluid secondary ring of supporters. These were people that Sabu already knew from the underground and trusted 100 percent or they weren’t in. Sabu had started talking to some of his old crew and he invited them into an IRC chat room they had created for these new supporters, called #pure-elite, named after a website he had created for his hacking friends in 1999. These were genius programmers and people with powerful botnets, veteran hackers from the 1990s who had gotten into the networks at Microsoft, NASA, and the FBI. The combined skills of the group were almost frightening. Topiary reminded Sabu that he wasn’t comfortable with all the new people—it seemed risky. Who knew; one of these people might leak logs, as Laurelai had done so devastatingly in #HQ. It also brought up the question of why Sabu even needed him anymore.

  All the same, he could hardly believe the company he was now in. He focused on picking up tips from the others. If they used hacker terminology he didn’t understand, he would Google it: jargon like virtual machines, hacking methods like SQL injection, various types of attack vectors and programming terminology. If he hit a brick wall, they could give him a quick summary.

  Soon there were eleven supporters in #pure-elite to learn from, plus the original six. Sabu was still the main person to ask about finding exploits; Kayla about securing yourself. AVunit and Tflow were still the experts in infrastructure. For Sabu, the extra supporters weren’t there to teach him anything—he believed he and LulzSec were training them. Sabu tended to think of everyone in the subgroup as a student and he told Topiary privately that he hoped this could lead to the start of another anti-security, or Antisec, movement. The last time Antisec had been in the headlines was the early 2000s, when the Web’s disrupters were a few hundred skilled hackers, as opposed to the thousands of Internet-savvy people joining Anonymous today.

  By now Kayla and the others who had been scanning for big-name websites with security vulnerabilities had hundreds to work from. But each one had to be checked out, first to see if it could be exploited so that someone could enter the network, and second to see if there was anything interesting to leak from it. All these things took time and were often done sporadically without roles being assigned. People would volunteer to check a vulnerability out. LulzSec now had a raft of much bigger targets beyond PBS and Fox that they could potentially go after, some with .mil and .gov web addresses. None of them corresponded to any particular theme or principle; if hackers found a high-profile organization that looked interesting, they would go after it and explain their reasoning later. Knowing that Sabu had a tendency to inflate his rhetoric about targets, Topiary did not yet understand what hitting some of these websites actually meant.

  The associates were hackers like Neuron, an easygoing exploit enthusiast; Storm, who was mysterious but highly skilled; Joepie91, the well-known and extremely loquacious Anon who ran the AnonNews.net website; M_nerva, a somewhat aloof but attentive young hacker; and Trollpoll, a dedicated anti–white hat activist. In the most busy periods of LulzSec, both the core and secondary crew were in #pure-elite or online for most of the day and sometimes through the night. Some were talented coders who could create new scripts for the team as their own side projects; Pwnsauce, for instance, had been working on a project to create a new type of encryption.

  In the end, Topiary never invited anyone he knew into #pure-elite, and while Kayla had recommended a few friends, Sabu wasn’t comfortable with letting them in either. According to Topiary, about 90 percent of the hackers who ended up in #pure-elite were Sabu’s friends or acquaintances from the underground. The #pure-elite chat room was an invite-only hidden command center, but the original founders would occasionally retreat to an even more secretive core channel to talk about the new recruits, the enemies, and, on rare occasions, strategy. The atmosphere in #pure-elite was often buzzing as the crew celebrated over the latest attack and resultant media attention. When M_nerva entered the room, he seemed to be noticing this for the first time.

  “Lots of news coverage,” he said on the evening of May 31.

  Topiary showed him a photo of the front page of the Wall Street Journal’s Marketplace section. The lead story had the headline “Hackers Broaden Their Attacks” and the subtitle: “Almost Anyone Is a Target.” Underneath it was a large image of the cartoonish Nyan Cat image they had uploaded to the PBS website, and the LulzSec monocled man. Above the rainbow emanating from Nyan Cat’s butt as it flew through space was the Internet meme “All your base are belong to LulzSec.” It was a most surreal combination of old media and Internet subculture.

  “Fucking Wall Street Journal printed a Twitter name and a fucking cat in space,” said Topiary, incredulous.

  The group was shooting the breeze mostly, chatting about the technical intricacies of Internet browsers, while Topiary would drop updates on the group’s Bitcoin donations. Participants would report on leaks they were being offered by other hackers outside the group and, increasingly, on what LulzSec’s enemies were up to. These antagonists were made up of online colleagues Backtrace and hackers like The Jester; both camps often chatted together on the 2600 IRC network. There was no requirement to being invited into the #pure-elite room and no rules other than the obvious one to keep everything that was said there secret. The channel topic, set by Sabu, always said: “NO LEAKS—RESPECT EACH OTHER—RESEARCH AND EXPLOIT DEV!” The one policy of #pure-elite was that no one was to store chat logs from the channel.

  The secondary crew generally knew their place, aware that directions would come from Sabu, Topiary, and Kayla, and they were meant to be followed. Overall, they were happy to be coming along for the ride, though a few were shocked at the backlash LulzSec was getting.

  “By the way,” Storm said one evening. “FailSec? WTF is this shit?” He was referring to another Twitter account with a few hundred followers that had been set up to publicly heckle LulzSec with messages like “Load fail cannons!” and ominous hints that the team would soon be in jail.

  “Storm, we’ve had stalkers like that for months,” said Topiary. “They follow us everywhere we go. They monitor everything we do. They make parodies of our accounts.” He thought for a moment then added, “We’re kind of like a rock band.” With stardom came infamy. Some of their detractors were so obsessed with heckling LulzSec that when Topiary blocked one on Twitter, the detractor would create two or three more accounts to keep talking.

  Kayla pointed out that Adrian Lamo, the hacker who claimed to have outed the WikiLeaks alleged mole, Private Bradley Manning, had even registered the web address LulzSec.com to stop the team from using it as a website. Lamo, age thirty and diagnosed with Asperger’s syndrome, had been called the “world’s most hated hacker” for passing information on Manning to military intelligence.

  Storm offered to find a different URL, but Topiary declined. He and Tflow were already designing a simple-looking official site for LulzSec in their spare time. Naturally, the background would be of the Nyan Cat flying in space and would borrow the design template of HBGary.com.

  “Night guiz,” M_nerva suddenly said.

  “Night,” said three of the others. M_nerva signed off. It was nighttime in the United States, but LulzSec and its supporters were bored and looking for things to do.

  “Wanna find something to hit?” Topiary asked the room.

  “Sure,” said Storm.

  “There’s a shit cool site, FBI.gov,” said Topiary jokingly. There was a pause.

  “Are you really that open to just going to jail?” Storm said.

  “I suppose we could piss off some IRC for lulz,” said Topiary, pointing to a less risky target.

  “Sure,” Storm said. Topiary and Kayla decided that, high on their victory against PBS, it was time to go after their biggest detractor, The Jester. They would not just spam his channel #Jester and boot off his so-called Jesterfags but flood the entire 2600 chat network with junk traffic and take all of it offline. It may have housed hundreds of participants, but it was still The Jester’s hideout, and Topiary hoped that the result would be the 2600 admins getting angry not at LulzSec but at The Jester for provoking them. Topiary was sure that The Jester’s supporters included people like Emick and Byun from Backtrace and considered sending spies into his channel at some point to see what they were up to, maybe profile some of its members. If Jester’s people were trying to provoke, it was working. Topiary and the others had become increasingly irritated by The Jester over the past few days and now were set on attacking his crew for both fun and revenge.

  “Best thing to do when bored,” said Kayla in #pure-elite, “go to 2600 irc and just cause drama :D.”

  “Should we just go on over to 2600, flame them, and then packet it?” Topiary said, already getting ready for the action. He connected to the 2600 network to get a firsthand view of the network going down.

  Storm’s role was to launch a Denial of Service (DoS) attack on the 2600 network. This was like a DDoS but without the extra D for “distributed,” since Storm was sending junk packets from a single computer or server, not from multiple machines. (It was a loose term in any case—if your computer was running a virtual machine, or VM, and you launched a DoS attack, that could be considered more than one computer and thus a DDoS attack.) How could one computer launch a DoS attack against an IRC network? It would need a server or two to help amplify the data transfer. Sabu had used a similar method for his attack on the Tunisian government, though to a much greater degree, with the help of broadcast servers that he’d claimed to secretly hijack from a hosting company in London. Storm rented a basic server, so while his attack wasn’t as powerful, it could easily take down a small IRC network. Many people in Anonymous and in hacker circles, particularly those who acted as operators for AnonOps IRC, rented or owned servers. Controlling a server was more common than controlling a botnet; it was like owning a nice car. You paid good money for it but were happy to let other people ride in what was a status symbol as much as a useful tool.

 
