by Parmy Olson
November 5, 1994—In one of the first known acts of hacktivism and cyber disobedience, a group called the Zippies launches a DDoS attack on U.K. government websites, taking them down for a week starting on Guy Fawkes Day.
1999—The Anti Security movement is spawned, as a post on the anti.security.is website calls to end the full disclosure of known website vulnerabilities and exploits.
September 29, 2003—Christopher “moot” Poole registers 4chan.net. (It is now 4chan.org.)
March 15, 2006—Jake Brahm, twenty years old, posts fake threats on 4chan about detonating bombs at NFL stadiums; two years later he is sentenced to six months in prison.
July 12, 2006—Users of 4chan’s /b/ raid Habbo Hotel, a virtual hangout for teens. They join the online game en masse and flood it with avatars of a black man in a gray suit and an Afro hairstyle, blocking the entrance to the virtual pool and forming swastikas. This spawns the “pool’s closed” meme.
January 2007—Controversial blogger and radio show host Hal Turner tries and fails to sue 4chan after users on /b/ launch a DDoS attack on his website.
June 7, 2007—Partyvan’s /i/nsurgency site is founded as an information hub on raids and, later, communications through the establishment of the Partyvan IRC network.
July 2007—A Fox News affiliate in Los Angeles describes Anonymous as “hackers on steroids” and an “Internet hate machine.”
January 15, 2008—Gawker posts a video of Tom Cruise that the Church of Scientology has been trying to suppress. The church issues a copyright violation claim against YouTube. In response, an original poster on /b/ calls on 4chan to “do something big” and take down the official Scientology website. Using a web tool called Gigaloader, /b/ users manage to take down Scientology.org, keeping it down sporadically until January 25, 2008.
January 21, 2008—A handful of Chanology participants publish a video on YouTube of a robotic voice declaring war on Scientology. The following day thousands more people join in the IRC channel where Chanology attacks are being discussed.
January 24, 2008—Anonymous launches a bigger assault on Scientology.org, taking the site offline.
February 10, 2008—Anonymous supporters don masks from the film V for Vendetta and hold protests outside Scientology centers in key cities around the world, such as New York, London, and Dallas, Texas.
Late 2008—Protests and cyber attacks against the Church of Scientology wind down as supporters lose interest in the cause.
January 25, 2010—Anonymous supporter and engineering student Brian Mettenbrink pleads guilty to downloading and using the Web tool LOIC to attack Scientology as part of Project Chanology and is sentenced to a year in prison.
September 17, 2010—Supporters of Anonymous launch a DDoS attack on Indian software company Aiplex after it admits to launching its own DDoS attacks on BitTorrent site The Pirate Bay. Anonymous launches several more attacks against copyright companies under the banner Operation Payback. Supporters collaborate on an array of IRC networks.
October 2010—The FBI starts looking into the Anonymous attacks on copyright companies ahead of what will become a full-blown international investigation.
November 3, 2010—Anonymous supporters with server resources set up AnonOps IRC, a more stable chat network to host discussions about Operation Payback and other Anonymous operations.
November 28, 2010—Five newspapers begin publishing U.S. diplomatic cables that have been fed to them exclusively by whistle-blower organization WikiLeaks. Over the next few days, a hacktivist known as The Jester launches a DDoS attack on WikiLeaks.org, taking it offline.
December 3, 2010—Online payment giant PayPal announces on its blog that it is cutting off funding services to WikiLeaks, which relies on donations. Shortly thereafter, a few organizers in the #command channel on AnonOps IRC coordinate a DDoS attack on the PayPal blog.
December 4, 2010—An announcement posted on Anonops.net states that Anonymous plans to attack “various targets related to censorship” and that Operation Payback has “come out in support of WikiLeaks.”
December 6, 2010—Organizers on AnonOps launch a DDoS attack on postFinance.ch, a Swiss e-payment company that has also blocked funding services to WikiLeaks. Roughly 900 people join in the #operationpayback chat room on AnonOps and around 500 join in the attack by using LOIC.
December 8, 2010—AnonOps launches a DDoS attack on PayPal.com, using 4,500 volunteers with LOIC but only becoming successful when one person using a botnet takes the site fully offline. Some 7,800 people have now joined the #operationpayback chat room. Later that day they hit MasterCard.com and Visa.com, which have also nixed funding services for WikiLeaks, taking both sites offline for about twelve hours.
December 9, 2010—Botnet controllers who had previously helped take down PayPal.com, MasterCard.com, and Visa.com turn on the operators of AnonOps and start attacking the IRC network, upsetting a planned attack on Amazon that day.
December 11, 2010—Dutch police arrest nineteen-year-old Martijn “Awinee” Gonlag for using LOIC to participate in an Anonymous DDoS attack, among the first of scores more arrests in Europe and the United States over the next year.
December 15, 2010—A member of PayPal’s cyber security team gives a USB thumb drive to the FBI that contains the IP addresses of 1,000 individuals who had used LOIC to attack PayPal.
Mid-December 2010—AnonOps administrators grapple with maintenance as their network is continually attacked, leaving them unable to oversee strategy. As a result, Operation Payback splinters into several side operations, such as Operation Leakspin, Operation OverLoad, and an attack on Sarah Palin’s official website.
Mid-December 2010—A few technically skilled supporters of AnonOps create a private IRC channel off the network called #InternetFeds, where about thirty black hat hackers—such as Sabu, Tflow, and Kayla, along with other interested Anons who have been offered invitations to the channel—can discuss future operations.
Early January 2011—The hackers in #InternetFeds discuss raids against websites of repressive Middle Eastern regimes like Tunisia, where popular democratic uprisings are currently taking place. The hacker Tflow writes a Web script that allows Tunisians to circumvent government Web snooping, while Sabu hacks and defaces the website of the Tunisian prime minister with a message from Anonymous.
Mid- to late January 2011—Members of #InternetFeds continue to collaborate on hacking and defacing the websites of other Middle Eastern governments, including Algeria and Egypt.
January 27, 2011—British police arrest five men in connection with the Operation Payback attacks on PayPal, MasterCard, and Visa, including AnonOps operators nicknamed Nerdo and Fennic.
February 4, 2011—A small group of hackers from #InternetFeds meets in another private IRC channel to discuss an attack on IT security firm HBGary Federal, after its CEO is quoted in the Financial Times that day as saying that he was investigating Anonymous and had uncovered the true identities of its core leaders.
February 6, 2011—News breaks that “Anonymous” has stolen tens of thousands of Aaron Barr’s corporate e-mails, as well as those of two executives at sister company HBGary Inc.; it also takes over his Twitter feed and DDoSes and defaces his site.
Early to mid-February—The same group from #InternetFeds publishes Aaron Barr’s private e-mails on an e-mail viewer. Journalists and supporters discover Barr had been proposing controversial cyber attacks on WikiLeaks and opponents of the U.S. Chamber of Commerce. Barr resigns.
February 24, 2011—Anonymous conducts a live hack and deface of a website belonging to the controversial Westboro Baptist Church, while Anonymous supporter Topiary confronts a Westboro representative on a radio program. The resultant YouTube video receives more than one million hits.
Mid- to late February 2011—Jennifer Emick, a former supporter of Chanology turned anti-Anonymous campaigner, decides to investigate the true identities of key Anonymous hackers and supporters and uncovers details about Sabu, aka Hector Monsegur.
Mid-March 2011—Emick and a handful of colleagues publish a list of seventy names, including Monsegur’s, under the guise of a cyber security company called Backtrace. Soon after, Emick is contacted by the FBI.
April 1, 2011—Supporters of Anonymous publish a digital flyer declaring war on Sony after the company sues a hacker named George “Geohotz” Hotz. They follow this up with a DDoS attack on Sony websites and the Sony PlayStation Network, greatly upsetting gamers.
April 7, 2011—Organizers with Anonymous call off the DDoS attacks on Sony, saying they do not wish to disrupt the PlayStation Network, but the network remains offline for the rest of the month.
April 2011—Topiary and Sabu discuss breaking away from Anonymous, then decide to get the team of attackers behind the HBGary assault back together to collaborate on more raids. The hackers Tflow and Kayla rejoin Topiary and Sabu, along with another Anonymous supporter named AVunit and, later, an Irish hacker nicknamed Pwnsauce. The group of six forms a hacker splinter group that is not constrained by even the loosest principles of Anonymous—such as not attacking media companies. They call the group LulzSec. They begin scouring high-profile websites for vulnerabilities that “rooters” like Sabu and Kayla can then exploit to steal and publish data.
May 2, 2011—Sony announces an intrusion to its network in mid-April, which has compromised the personal and financial details of more than 75 million PlayStation Network accounts. Though Anonymous has not taken responsibility, Sony later claims that the hackers left a file marked with the words “Anonymous” and “We Are Legion.”
May 9, 2011—A former operator within AnonOps goes rogue, publishing a list of 653 usernames and IP addresses, which, if not protected with VPNs or other proxies, could identify the people behind them.
May 7, 2011—LulzSec announces on Twitter, via the new account @lulzsec, that it has hacked Fox.com and published a confidential database of potential contestants in the TV talent show The X Factor.
May 30, 2011—LulzSec hacks into the computer network of PBS after its PBS NewsHour program broadcasts a documentary on WikiLeaks that the group claims to dislike. LulzSec publishes a list of e-mail addresses and passwords for PBS employees, while Topiary writes a spoof news article about the murdered rapper Tupac Shakur being found alive, publishing it through the PBS NewsHour website. The group’s founders discuss forming a second-tier network of trusted supporters, many of them hacker friends of Sabu’s.
June 2, 2011—LulzSec announces its hack on SonyPictures.com and says that the group has compromised the personal information of more than one million of the site’s users.
June 3, 2011—LulzSec defaces the website of Atlanta InfraGard, an FBI affiliate, and publishes a list of e-mails and passwords for 180 users of the site, some of whom are FBI agents.
June 6, 2011—LulzSec receives a donation of 400 Bitcoins, worth approximately $7,800 at the time.
June 7, 2011—Two FBI agents visit Hector “Sabu” Monsegur at his home in New York and threaten to imprison him for two years for stealing credit card information if he does not cooperate. Monsegur agrees to become an informant while continuing to lead LulzSec.
June 8, 2011—The LulzSec hackers notice that Sabu has been offline for twenty-four hours and worry he has been “raided” by the FBI. Later that night, U.K. time, Topiary makes contact with Sabu, who claims that his grandmother has died and that he will not be active with LulzSec for the next few days.
June 15, 2011—LulzSec claims responsibility for launching a DDoS attack on the official website of the CIA. The attack has been carried out by former AnonOps operator Ryan, who wields a botnet and now supports LulzSec.
June 16, 2011—A representative of WikiLeaks contacts Topiary to say that core organizers want to talk to LulzSec. He and Sabu eventually hold an IRC discussion with a WikiLeaks representative and someone purporting to be Julian Assange. The representative “verifies” Assange’s presence by temporarily uploading a YouTube video that shows their IRC chat happening in real time on a computer screen, then panning to show Assange on his laptop. The group discusses ways in which they might collaborate.
June 19, 2011—LulzSec publishes a press release encouraging the revival of the Anti-Security (or Antisec) movement and advocating cyber attacks on the websites of governments and their agencies.
June 20, 2011—Galvanized by the surprisingly large response to the Antisec announcement, Ryan uses his botnet to DDoS several high-profile websites, including Britain’s Serious Organised Crime Agency. Later, at 10:30 p.m. that evening in the U.K., he is arrested in his home.
June 23, 2011—LulzSec publishes sensitive documents stolen from Arizona law enforcement, including the names and addresses of police officers. Feeling that they have gone one step too far, LulzSec members, including Topiary and Tflow, discuss ending the group.
June 24, 2011—Topiary and Tflow tell AVunit and Sabu that they want to end LulzSec; a heated argument ensues.
June 26, 2011—LulzSec announces it is disbanding after “50 Days of Lulz.”
July 18, 2011—LulzSec comes back for one more hack, uploading a spoof article about the death of News International owner Rupert Murdoch on the home page of his leading British tabloid, The Sun.
July 19, 2011—British police announce they have arrested a sixteen-year-old male who they claim is LulzSec hacker Tflow.
July 27, 2011—Police arrest Shetland Islands resident Jake Davis, whom they suspect of being LulzSec’s Topiary.
September 2, 2011—British police arrest twenty-four-year-old Ryan Ackroyd, whom they believe to be Kayla.
December 24, 2011—Anonymous announces that it has stolen thousands of e-mails and confidential data from the U.S. security intelligence firm Stratfor under the banner of “Lulz Christmas.” Sabu, who claims to be still at large while other LulzSec members have been arrested, keeps tabs on the operation from private chat channels and feeds information about the attack’s organizers to the FBI.
March 6, 2012—News breaks that Hector Monsegur has been acting as an informant for the FBI for the past eight months, helping them bring charges against Jeremy Hammond of Chicago and five people involved with LulzSec.
Notes and Sources
Part 1
Chapter 1: The Raid
The opening pages, including descriptions of Aaron Barr’s early career, home, and family life, are based on interviews with Barr conducted both on the phone and in a face-to-face meeting in London. Further details about his work with HBGary Federal came from an investigative feature article on Wired’s ThreatLevel blog, which dug through his published e-mails and pieced together a picture of his plans for the company along with the proposals he was making to Hunton & Williams. The article was entitled “Spy Games: Inside the Convoluted Plot to Bring Down WikiLeaks,” by contributor Nate Anderson. The Financial Times article in which Aaron Barr revealed his forthcoming research was entitled “Cyberactivists Warned of Arrest,” by San Francisco reporter Joseph Menn, and was first published Friday, February 4, 2011, then updated the following day. Further details on e-mails between Barr and Greg Hoglund of HBGary Inc. prior to the attack came from the HBGary e-mail viewer published by the hackers in mid-February.
The details about Sabu hacking computers as a teenager come from interviews with the hacker conducted via Internet Relay Chat in April 2011, two months before he was arrested and became an FBI informant. Further details about being born and raised in New York come from court documents after his arrest later that year.
Throughout the book, personal details claimed by Kayla stem from interviews with the hacker conducted between March and September of 2011 via e-mail and Internet Relay Chat. The rumor about stabbing her webcam with a knife came from an online interview with Topiary. Also throughout the book, details about Topiary come from online, phone, and face-to-face interviews with him (Jake Davis) between December of 2010 and the summer of 2012. Details about Tflow come from interviews with Topiary and Tflow himself; the information that Tflow had invited Sabu and Topiary into the secret IRC channel comes from Topiary, one other hacker who wished to remain anonymous, and Sabu himself. Details of how the hackers planned the HBGary attack, including how they used the website HashKiller to crack the company’s passwords, came from interviews with Topiary conducted via IRC and Skype (voice only).
Details of Barr’s research on Anonymous, including the “hasty notes like ‘Mmxanon—states…ghetto,’” came from his research notes, which were posted online by the hackers.
Dialogue between Barr and the hackers, including with CommanderX, comes from chat logs that were published online—partly via the Web tool Pastebin, and also on the Ars Technica article “(Virtually) Face to Face: How Aaron Barr Revealed Himself to Anonymous,” by Nate Anderson. The dialogue between Barr and Topiary, which ends “Die in a fire. You’re done” comes from a snippet of the chat log that was cut and pasted to a Skype conversation between me and Topiary a few days after the attack. Further details about the attack came from interviews with Jake Davis, as well as online interviews with Sabu, Kayla, and other hacker sources. Details of the February 2011 Super Bowl come from various news reports and from my viewing of the actual game while I was following online developments of the HBGary Federal attack. Although I had already been interviewing Topiary on a regular basis, the attack led to my being introduced to others in the group—first Kayla, then Sabu, then Tflow.
SQL reads like a stream of formulas. An example is: “Select creditcard from person where name=SMITH.” If someone were to perform an SQL injection attack, they might inject code saying, “Select a from b where a=SMITH.”
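What separates an ordinary query from an injected one is whether user input is pasted into the SQL text or bound as a value. The sketch below is an added example, not part of the book: it reuses the note's `person`, `creditcard` and `name` identifiers, while the rows, function names and crafted input are constructed for illustration.

```python
import sqlite3


def make_db():
    """In-memory database holding constructed sample rows (not real data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE person (name TEXT, creditcard TEXT)")
    db.executemany(
        "INSERT INTO person VALUES (?, ?)",
        [("SMITH", "0000-0000-0000-0001"), ("JONES", "0000-0000-0000-0002")],
    )
    return db


def lookup_vulnerable(db, name):
    # The input is pasted into the SQL text, so a quote character inside
    # `name` ends the string literal and the rest is parsed as SQL.
    query = "SELECT creditcard FROM person WHERE name = '%s'" % name
    return [row[0] for row in db.execute(query)]


def lookup_parameterized(db, name):
    # The input is bound to the ? placeholder as a value; the structure of
    # the statement is fixed before the input is ever seen.
    query = "SELECT creditcard FROM person WHERE name = ?"
    return [row[0] for row in db.execute(query, (name,))]


# Constructed input: closes the literal, then adds a condition that is always true.
CRAFTED = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("normal lookup:       ", lookup_vulnerable(db, "SMITH"))
    print("crafted, vulnerable: ", lookup_vulnerable(db, CRAFTED))
    print("crafted, bound value:", lookup_parameterized(db, CRAFTED))
```

With the crafted input, the concatenated query returns every row in the table, while the parameterized query looks for a person literally named `x' OR '1'='1` and returns nothing.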
How did the hackers know that Barr was CogAnon? Topiary later explained that, almost immediately after seeing the Financial Times story and breaking into the HBGary Federal network, one of them had seen that his internal e-mail headers listed the IP address of his VPN (virtual private network). Barr had used this same VPN connection to log into an Internet Relay Chat network used by Anonymous, known as AnonOps. The hackers only had to hand over the IP address to one of the chat network operators, who ran a quick search. Sure enough, the name CogAnon popped up.