We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency

by Parmy Olson


  Topiary didn’t have time to sit back and watch the fallout. He and Tflow were putting up the new LulzSec website, complete with a retro–Nyan Cat design and the soft tones of American jazz singer Jack Jones singing the theme song of The Love Boat in the background. The home page showed Topiary’s revamped “Lulz Boat” lyrics as plain black text in the middle. A link at the bottom offered viewers the option of muting it—when clicked, the link raised the volume by 100 percent. Sabu initially hated the website and yelled at Topiary and Tflow for creating something that had the potential to be DDoS’d, which would make the team look weak. Eventually Topiary convinced him that they should keep it.

  They moved quickly to put the site in place, then worked to ensure it didn’t collapse under the weight of thousands of visitors and the inevitable DDoS attacks from enemy hackers. They also made sure the torrent file of Sony data stayed up, that there weren’t any more LulzSec Bitcoin donations (they totaled $4 so far), and that everything else was in check. The LulzSec Twitter feed now had 23,657 followers, and there were dozens more people pouring into the public #LulzSec chat room. Topiary would go to bed and find it difficult to sleep knowing that he was getting new tweets every two minutes. It was chaotic, but satisfying. He would go back onto Twitter with greater confidence each day, dismissing his detractors with withering put-downs and keeping the followers enticed. If LulzSec announced a new operation, it was now guaranteed to get on the news.

  Often they didn’t need to go into the details of what they were about to do—the media and the public often assumed that LulzSec was causing more damage than it really was. But as people’s expectations rose, the stakes went higher.

  “We don’t want to be the hacking group that just leaks once a week some little thing,” Topiary said at the time. “We will only do big things from now on…Unless we find someone we don’t like.”

  One of those “big things” was imminent. The time had come for LulzSec to play its ace card and announce the hack on Infragard. “Welcome to FuckFBIFriday, wherein we sit and laugh at the FBI,” Topiary announced on Twitter. “No times decided, but we’ll cook up something nice for tonight. <3.”

  As the group scrambled to prepare the Infragard drop, a few from the team decided to pay particular attention to one person in the database of usernames and passwords they’d taken from the FBI affiliate site: a digital security entrepreneur named Karim Hijazi. Hijazi was thirty-five and ran a start-up called Unveillance. When the team checked Hijazi’s Infragard password against Gmail and found a match, they started snooping around his e-mail account to see if they could expose some dirty laundry, as they had with Aaron Barr.

  Sabu hated white hat security firms. That much Topiary knew. And now he was talking about the subject more than ever in private, particularly about a revival of the anti-security movement. Sabu’s beef with white hats went back a long way. Anti-security got going in 1999, when a vulnerability in widely used Solaris servers that was known to only a couple hundred hackers in the world led to their hacking into a wide range of companies and organizations. Then they started stealing e-mails from white hat security firms. The reason was they hated a new edict in cyber security called full disclosure. The idea was that if cyber security experts (white hats) publicly disclosed a website’s vulnerabilities quickly, they got fixed more quickly. But black hats preferred to keep the flaws hidden so that they would stay within the underground community and continue being exploited.

  Antisec had seen its share of hacktivist groups like LulzSec, and one of the first was a notorious clique called ~el8. The shadowy hackers would target white hat security researchers and companies, steal their passwords and e-mails, and publish them in a regular e-zine. It was a single white page with el8 elaborately spelled out in symbols at the top, not too dissimilar from the Pastebin posts of LulzSec and filled with new web scripts, exploits, stolen e-mails, and jeering commentary. The group called its work project mayhem, or “pr0j3kt m4yh3m.” The phrase was borrowed from the movie Fight Club, and their e-zines heavily referenced the film. The bulletins never spelled out ~el8’s motivations, but project mayhem appeared to be a violent incarnation of the Antisec movement. Many in the white hat industry figured ~el8’s real motivation was to fight full disclosure so that black hats and gray hats would be the only people who knew about the Internet’s secret vulnerabilities.

  “One of these days, these kids are going to have to pay a mortgage and get a job,” said Eric Hines, an executive of one of the white hat firms that was attacked, in a Wired article. “And they’re not going to become lawyers or doctors—they’re going to do what they’re good at. And that means getting a career in the security industry.”

  Sabu had nurtured a dislike for white hats even after the 1999 Antisec movement dwindled. Emick believed Sabu was simply resentful after getting turned down for a job in IT security. Either way, the sentiment was rubbing off on Topiary as the two had more one-on-one discussions. Sabu would point out that white hats charged $20,000 for penetration testing, stuff that the LulzSec crew could do for free. He explained that Topiary himself could have done what HBGary was charging $10,000 for. The message was that white hats were like unscrupulous car mechanics, tricking people into believing they needed to pay thousands when the real cost was much lower.

  This line of reasoning was very different from the original Antisec argument over full disclosure. That’s because a decade later, the Web was now so chock-full of websites, data, and vulnerabilities that white hats weren’t pushing for full disclosure anymore. The view had flipped, and fully disclosing server flaws was veering into a criminal offense. The notorious Internet troll Andrew “weev” Auernheimer, who had come up with the meme “Internets is serious business,” had learned that the hard way. In 2010, he and a few hacker friends from their trolling group Goatse Security poked around in AT&T’s website and found a security hole that led to internal data on 114,000 iPad users. Weev “fully disclosed” it, albeit through mainstream media and not a cyber security newsletter. The following January, six months after journalists at Gawker did an exposé on the AT&T security flaw for iPad users, the U.S. Department of Justice announced that it was charging weev with fraud and conspiracy to access a computer without authorization.

  A successful revival of Antisec could keep the authorities busy with more people like weev. Sabu wanted to keep the focus on white hats, like the old days, so it was crucial to find some real dirt on Hijazi’s tiny firm Unveillance. The company made money by hunting for malicious botnets, but digging around in its e-mails, Sabu and the others thought they found evidence that he was working with others to snoop on Libyan web users. They decided to confront him on IRC under different guises to let him know they had all his e-mails and that they could do worse. On May 26, they e-mailed him his password, with the subject line, “Let’s talk,” and said they wanted to see his botnet research.

  Hijazi immediately picked up the phone and called the FBI. When he finally got through to someone and tried to explain what was happening, Hijazi got the impression the people on the other line weren’t interested, or perhaps didn’t understand what he was talking about. They referred him to an agent in his local office. When he called that number and told a local staffer that malicious hackers were trying to access his botnet research, he was surprised when that individual replied, “What’s a botnet?”

  Eventually, an agent advised Hijazi to start logging all of his conversations with the group and to play along to see if he could get any information on them. On the other side of the fence, Sabu, Topiary, and Tflow were trying to position Hijazi to admit that he wanted to hire the hackers to attack his competitors. Both sides ended up lying to each other to obtain information, which made for a confusing encounter filled with misinterpretation.

  “The point is a very crude word: extortion,” Topiary had told Hijazi under the name Ninetails, adding that Hijazi would be paying for their silence. “You have lots of money, we want more money.”

  The team kept offering to help Hijazi by attacking his corporate competitors. Playing along like he was supposed to, he eventually replied: “I can’t ask you to get someone and stay a ‘legit’ firm. Agreed?” When Topiary read this he believed that Hijazi was falling into their trap and that it was proof of yet another corrupt white hat, just as Sabu had predicted.

  “Can I take a guess at who you are?” Karim had later asked.

  “Karim, we’ve been expecting you to be secretly guessing since day one,” Topiary replied under a second nickname, Espeon. “Do share.”

  “808chan.”

  Sabu burst out laughing. “Are you serious bro?” he asked, using the nickname hamster_nipples. “How dare you call us a fucking chan.”

  “Then tell me,” replied Karim, who was keeping his responses as measured as possible while playing their game.

  “If we tell you who we are, you will shit yourself and shut the fuck up,” Sabu said. “But yes we are very well known.” The group kept prodding Hijazi, calling him dense and warning him about what they could do with his e-mails. But Hijazi had to pretend to be oblivious—he knew just as well as Sabu and the others that playing stupid was one of the most effective ways to social-engineer someone. It could sometimes trick him into revealing facts about himself.

  “Why be hostile? Just curious,” Hijazi said.

  “We’re not a chan,” replied hamster_nipples, who seemed to have an issue with status. “Don’t refer to us as a chan. We are security researchers.”

  “No worries,” said Hijazi. “You’re not a chan.”

  “Heh,” hamster_nipples said. “You’re testing my patience.”

  Though Sabu came across as menacing in the resulting chat logs (released by both LulzSec and Hijazi himself), Hijazi’s press officer later said in an interview that the most aggressive hacker in the team had been Ninetails, the alias of Topiary. “He is very blunt,” Michael Sias said, “and forceful about the extortion.” Hijazi, he added, had been trying to do the right thing.

  “It was tough, not pleasant,” Hijazi remembered a few weeks later. “I’m not sure what their motivation is. They’re just name-calling, which seems very juvenile. I thought at minimum there would be some belief system and there didn’t seem to be anything behind it. It was petty.”

  Of course none of that struck Topiary and Sabu, who figured they were gradually picking up proof that white hats were bad, and black hats were their avengers.

  “There are a lot of companies that overcharge and abuse the fact that people know nothing,” Topiary said excitedly in an interview after a recent conversation with Sabu on the topic of Antisec. “Computers aren’t our intelligence. Buy a book or two and learn it yourself. That’s what I find.” The message Topiary was getting from Sabu was the same: that the white hat security industry was keeping regular people in the dark about how to navigate the Internet, undermining and emasculating the public when they could easily learn things on their own, just as he had.

  With LulzSec unveiling these apparently new and hitherto unspoken corruptions, Anonymous was starting to look irrelevant. LulzSec had quickly racked up fifty thousand Twitter followers and was gearing up to spread the Antisec message. AnonOps IRC was a mess; everyone was on edge. There was no thrilling atmosphere anymore, no humor. Where there had once been eight hundred regular participants in a chat room like #OpLibya, there were now fifty or a hundred at most. The hot-tempered operators had gone back to fighting one another and kicking out participants on a whim. Feds were crawling all over the network. It wasn’t friendly, or safe. Topiary and Sabu figured they were creating a far better world in LulzSec and its public chat network.

  As Sabu nursed ambitions to revive a crusade against white hats, he encouraged the group in #pure-elite to seek leads from black hat hackers in the public LulzSec chat room, now being hosted on a new IRC network called luzco.org. The crew were still getting ready to drop Infragard, and in the meantime Topiary, Joepie91, and others were hopping over to their channel to suss out some of its visitors. Later that day, a hacker named Fox came in the room and approached Topiary. It seemed he had some leads for future hacks.

  “You got a messenger?” Fox asked. “I’d be happy to toss exploits and business back and forth.” Topiary had never heard of the guy but figured it could lead to something.

  “We got people offering us exploits,” Topiary announced to the team when he came back to the #pure-elite channel. “He’s legit, but not so sure we can trust him.” There was no chance Fox would be invited into their channel, unless Sabu said the words 100 percent trusted. Instead, the team invited Fox into a new, neutral channel where the others could feel him out. It was hard not to be paranoid.

  “He’s probably a spy,” Topiary told the others. Sabu suggested he might be Jester himself. “If he is then we can throw them off course. If he isn’t, free exploits.”

  Often when the group started talking to a new contact, they used it as a chance to practice their banter and have some fun. When Sabu joined in the chat with Fox, he pretended to be a LulzSec hacker from Brazil. The team members were hopping back and forth, from chatting in the neutral channel to chuckling over their antics back on home base, particularly at Sabu’s Brazil act.

  “Have you guys ever talked to a real hardcore Brazillian hacker?” Sabu quickly asked the crew. Sabu knew many Brazilian hackers, to the extent that he could impersonate the way they spoke, in very basic English mixed with hacker slang, and in text chat rather than voice.

  “HEUHEAUEHAUHAUEHAHEAUEHUHheuheushHUAHUehuuhuUEUue.” Sabu had quickly typed out a typical Brazilian online laugh.

  “Fox, a gentlemen never tells,” Sabu had told the new hacker, still playing the part of a Brazilian.

  “Ah, I love that answer,” Fox had replied.

  The LulzSec crew seemed to fall over laughing. “Sabu, you are a god,” said Neuron.

  “Thanks, sir,” Sabu replied. “Consider yourselves lucky no one really gets to see me work in action. No one is trustable outside our crew. Remember that, Neuron.”

  The crew kept jumping from the public #LulzSec to the private #pure-elite where they would report more openly (though never completely openly) about what was happening. New participants could instantly tell who was important to talk to because the LulzSec crew all had operator status, teetering at the top of the long list and with special symbols prefacing their names.

  At one point Joepie was privately approached in the teeming room by someone named Egeste, a name that was familiar to anyone who had been on Kayla’s #tr0ll IRC channel. “So, I want to play with you guys and this channel is like, gayer than gay and full of newfags,” Egeste said. It was true that LulzSec now had more participants than all of the 2600 network. “Where’s the real lulzsec?”

  “Play in what sense?” answered Joepie, who was using the name YouAreAPirate.

  “You know what I mean. I know you guys don’t know me, but you probably know people that do. Xero, venuism, e, insidious, nigg, etc etc.” Then he added, “Kayla.”

  Joepie reported all of this verbatim back to the crew in #pure-elite. Those nicknames were very well known, pointed out a secondary-crew member called Trollpoll. Another laughed.

  “He’s just name dropping,” said Sabu. Neuron, a friendly and analytical Anon, suggested asking Egeste to provide a zero-day as proof of his skills. Also known as a 0day, this referred to an as-yet-unknown server vulnerability, and finding one meant big kudos for any hacker, white hat or black hat.

  Sabu asked Kayla if she’d heard of Egeste, and it turned out the new guy had also been in the #Gnosis channel when she had coordinated the hack on Gawker, but “he did not do shit,” she said. For all the names he had mentioned, Egeste was just another distraction. Soon the encounter was just a drop in the ocean of dozens of others with potential supporters and trolls.

  Once in a while the #LulzSec chat room was graced with the presence of a disgruntled company employee who was eager to leak some internal data via a charismatic new group. Not more than a day after LulzSec’s first attack on Sony made headlines, a new visitor to the #LulzSec chat room approached secondary-crew member Neuron, offering what appeared to be source code for the official website for Sony developers. Neuron reported it to home base.

  “Just looked at this guy’s source for ‘sonydev.net,’” he said. “It seems ligit. php file etc. Still investigating.”

  “Neuron, that source you got,” said Sabu. “[Post it on] pastee.org so we can analyze also.” Neuron sent the others a link to the fifty-five-megabyte file along with a thirty-three-digit password to access it.

  “Downloading,” said Sabu. “Which site is this for? Sonydev.net?”

  “Aye,” said Neuron. “I’m sure we can find the pass somewhere on Sony.”

  “Analyzing ‘scedev’ source codes now,” said Sabu. Neuron checked in about ten minutes later.

  “What’s the word on that source?” Neuron asked.

  Sabu seemed to approve of it. “Should we just leak the source code?” he asked Topiary and Neuron.

  “I wouldn’t suggest it just yet,” Neuron replied. “We could use more of his shit. He’s a Sony developer.”

  “You serious?” asked Sabu.

  “If we keep quiet we can get more,” said Neuron, who took the view that it was better to lurk than dump everything at once like a script kiddie.

  “So tell him to give us access into [the] Sony network.”

  “I’ll see. He said he was an ex-Sony developer but has access.”

  “Social engineer him into that shit,” said Storm, who was listening in.

  “Ok,” said Sabu. “So bro. What are you doing here talking to us? Social his ass. Haha.” Neuron had gone to try to talk to the source again but it was already too late.

  “He logged off,” said Neuron.

  “Gay,” Sabu said, a little disappointed. “So he messaged you, gave you source, logged off?”

  “Yeah,” said Neuron. “He likes us or something.”

 
