by Parmy Olson
Details of the discussion of Aiplex on /b/ and then the creation of an IRC channel to coordinate a raid were sourced from an online interview with the hacker Tflow in April of 2011, and from the TorrentFreak.com article “4chan DDoS Takes Down MPAA and Anti-Piracy Websites.” I gleaned some context on the attacks from a timeline of events that was posted on the Partyvan.info website. The story that Anonymous supporters were herded between IRC networks, along with the names of the main IRC channels, was also sourced from the interview with Tflow. Extra details about Aiplex and MPAA attacks come from other online articles, such as TechCrunch’s “RIAA Goes Offline, Joins MPAA As Latest Victim of Successful DDoS Attacks,” from September of 2010, and a blog post by IT security firm Panda Labs entitled “4chan Users Organize Surgical Strike Against MPAA,” published on September 17, 2010.
Details about Tflow’s alleged real age and location come from the later announcement (in July of 2011) of his arrest by the U.K.’s Metropolitan Police. The description that he was quiet and “never talked about his age or background” comes from discussions with other hackers as well as from my own observations of Tflow in interviews, in chat rooms with others, and in leaked chat logs. Details of the way Tflow approached people in IRC channels with more technical knowledge than he, and the way that group turned Copyright Alliance into a repository for pirated material, come from an interview with Tflow as well as from a September 2010 news article entitled “Wave of Website Attacks Continues—Copyright Alliance Targeted” on Skyck.com. Details of the attacks on Gene Simmons and other DDoS attacks come from various online news reports, while the notion that the campaign “went into hiatus” comes from testimony by Tflow and Topiary. Tflow claimed that the SQL injection attack on copyrightalliance.org was the first of its kind under the banner of Anonymous, though it is possible that similar attacks were carried out during Chanology.
Among the technical remarks that Tflow saw in the #savethepb channel that led him to collaborate with more skilled individuals was, verbatim, “LOIC does not overwhelm its targets with packets. It’s a matter of flooding port 80. Most web servers can not handle a vast amount of open connections.”
The account of the creation of the AnonOps IRC network comes from interviews with Jake Davis, Tflow, and one other key organizer of AnonOps, as well as from the “History” page on the AnonOps website: AnonOps.pro/network/history.html. There, organizers describe the original “cunning plan” of late 2010, adding that they had wondered, “How about a ship for Anons, by Anons?”
Testimony from Topiary about first “checking out” Operation Payback, and then hearing about the suicide of his father, come from interviews with Topiary himself.
References to WikiLeaks and the leaking of 250,000 diplomatic cables come from a wealth of mainstream news reports that were published in November and December of 2010, such as a November 28 article in the Guardian entitled “How 25,000 U.S. Embassy Cables Were Leaked,” as well as the New York Magazine story “Bradley Manning’s Army of One,” published on July 3, 2011. The assertion that State Department staff were barred from visiting the WikiLeaks website came from my discussions with an anonymous State Department source. The description of the attack by The Jester on WikiLeaks comes from various news reports, such as “The Jester Hits WikiLeaks Site with XerXeS DoS Attack,” by Infosec Island, published on November 29, 2010, as well as from testimony by Topiary and references in leaked chat logs. The account of the subsequent nixing of funding services by PayPal, MasterCard, and Visa to WikiLeaks comes from a range of mainstream news reports.
Details throughout this chapter about the discussions that took place in the #command channel on AnonOps—e.g., first going after PayPal to stoke up publicity; operator names like Nerdo, Owen, and Token; or the collaboration with botmasters Civil and Switch—were originally sourced from Topiary, who had been invited into the channel and was friends with several AnonOps IRC operators. Much of this information was corroborated by news reports as well as by blog posts written by Panda Securities researcher Sean-Paul Correll, who closely tracked the PayPal attacks. Though Correll has been on sick leave from Panda Securities for much of 2011 and was unavailable for interviews, one of his colleagues e-mailed me additional, never-before-published details of his conversations with the botmaster Switch on IRC. The operator names Nerdo, Token, and Fennic were associated with real names and faces when the four young men accused of cyber crimes under these names appeared in Westminster Magistrates Court on September 7, 2011: Peter David Gibson (accused of computer offenses under the nickname Peter), Christopher Weatherhead (accused of offenses under the name Nerdo), and Ashley Rhodes (Nikon_elite). Because he was a minor, the real name of the seventeen-year-old known as Fennic could not be revealed for legal reasons. Further details, such as the nickname BillOReilly, came from screenshots of AnonOps IRC published on Encyclopedia Dramatica.
Details about the numbers of people piling into AnonOps IRC during the PayPal and MasterCard attacks were sourced from Sean-Paul Correll’s research as well as from testimony by Topiary in the month or two after the attacks.
Dialogue from the public #OperationPayback IRC channel, such as “Do you think this is the start of something big?” came via an online database of AnonOps chat logs from December 8, 2010, searchable here: http://blyon.com/Irc/.
Content from the digital flyer that contains instructions for using LOIC was taken directly from the flyer, which is still available online. The LOIC message to PayPal servers was cited in the Ars Technica article “FBI Raids Texas Colocation Facility in 4chan DDoS Probe,” published in late 2010; the exact date is not shown on the online article, which cites log entries in a search request by the FBI.
The notion that operators probably did not want public attention focused on botnets because it could lead to heat from the authorities comes from a conversation with academic and Anonymous expert Gabriella Coleman.
Details about Ryan and the use of his botnet on OpItaly, and about the manipulation of numbers, come from testimony by Topiary. Information about the fourteen people arrested for using LOIC against PayPal comes from wide-ranging news reports, including the Financial Times story “FBI Arrests 14 Suspects in PayPal Attack,” published on July 20, 2011. The detail about Ryan’s mental health was sourced from the testimony of his lawyer, Ben Cooper, who told a court hearing on June 25, 2011, that his client had been diagnosed with Asperger’s syndrome since his arrest.
A note about lying to the press: did supporters of Anonymous lie to me in interviews? Sometimes, yes. Was I aware this was going on? Yes, though admittedly not always to start with. Over time, if I was not sure about a key point, I would seek to corroborate it with others. Such is the case with statements presented as fact in this book. My approach to Anons who were lying to me was to simply go along with their stories, acting as if I were impressed with what they were saying in the hope of teasing out more information that I could later confirm. I have signposted certain anecdotes in this book with the word “claimed”—e.g., a person “claimed” that a story is true. Not everyone in Anonymous and LulzSec lied all the time, however, and there were certain key sources who were more trustworthy than others and whose testimony I tended to listen to more closely, chief among them being Jake Davis.
Tflow created the #reporter channel for AnonOps, according to Topiary. Some dialogue that refers to the #over9000 channel comes from the leaked #HQ logs.
Chapter 8: Weapons that Backfired
Much of the detail in this chapter about the bugs inherent in LOIC comes from online and face-to-face interviews with a programmer and former supporter of Anonymous who does not want to be identified. Additional descriptions of IRC, such as the topics at the top of chat channels, come from my own observations when visiting the chat network and from rumors about “Feds” crawling the network, which were mentioned by Topiary and other Anons that I occasionally chatted with, as well as from online articles about the general usage of IRC and the role of operators, such as “The IRC Operato
rs Guide” on irchelp.org. Some dialogue about the legalities of using LOIC comes from the online database of AnonOps chat logs, http://blyon.com/Irc/. Extra statistics about the numbers using LOIC and about AnonOps IRC can be found on Pastebin (http://pastebin.com/qQgxtKaj) and in the section about Operation Payback on the website opensecuritylab.org. Further details come from the TorrentFreak article “Behind the Scenes at Anonymous’ Operation Payback,” published in late 2010 (the article does not give the exact date of publication).
There was a wide range of news reports on the arrest of Martijn “Awinee” Gonlag, including “They’re Watching. And They Can Bring You Down,” published in the Financial Times on September 23, 2010.
Regarding the sentence about using LOIC behind “anonymizing software”: users could not fire the tool from behind an http proxy because their “packets” would hit their own proxy, taking them offline; so it was VPN or nothing.
Details of the FBI’s initial investigation into Operation Payback were sourced partly from an article on Wired’s ThreatLevel blog entitled “In ‘Anonymous’ Raids, Feds Work from List of Top 1,000 Protesters,” published on July 26, 2011. Additionally, details about the initial contact between PayPal and the FBI agents, along with the passing over of one thousand IP addresses on a USB thumb drive, are sourced from an FBI arrest warrant filed on July 15, 2011, and available online.
Owen’s quote “Switch is basically under a shoot on sight watch list” comes from screenshots of the #InternetFeds chat room made by freelance journalist Matthew Keys, which were e-mailed to me by Keys in early 2011. Keys was invited to observe the goings-on in InternetFeds from December of 2010 to January of 2011. He used the nickname AESCracked.
Details of the DDoS attacks on AnonOps IRC, and the details about Operation Leakspin and Operation Leakflood, come from testimonies by Anonymous supporters, including Topiary, as well as from various blog posts and news reports. The account of splitting into operations, such as the DDoSes of Sarah Palin’s website and the Venezuelan government sites, comes from a variety of news reports on websites such as Panda Security’s blog, ABCNews.go.com, and KnowYourMeme.com.
Details about #InternetFeds gradually usurping #command as an organizational hub popular with Anonymous hackers come from Topiary, Kayla, and two other hackers who were in the channel. Further description of dialogue and content from discussions in the channel comes from scores of screenshots provided by Matthew Keys.
Chapter 9: The Revolutionary
At least two people have corroborated that Tflow first invited Sabu into #InternetFeds; Sabu also claimed this. Details about Sabu’s views come from dozens of online interviews I held with him both before and after his arrest by the FBI on June 7, 2011. My phone interviews with Monsegur provided insights into his accent, his way of speaking, the background sounds I heard when I was speaking with him, and his skills for lying and manipulation. At times they yielded little in the way of reliable insights since the phone interviews took place after he started working for the FBI and had been encouraged to feed misinformation to journalists. Further details about his life, upbringing, and address come from a series of court documents that were unsealed after the FBI revealed that he had been acting as an informant since soon after June 7, 2011. Additionally, I have sourced some details from a three-part series of Fox News stories about Monsegur published in March of 2012, one of which is entitled “Inside LulzSec, a Mastermind Turns on His Minions.” Another helpful source for corroborating personal details on Monsegur was the New York Times story “Hacker, Informant and Party Boy of the Projects,” published on March 8, 2012, in which reporters spoke to Monsegur’s neighbors to piece together a picture of the man. Interviews with sources close to Hector Monsegur and the FBI investigation also contributed to the information in this chapter.
Details about the incident at Monsegur’s high school with the head of security were sourced from an essay purporting to be written by Sabu on August 14, 2001, and bearing all his usual stylistic and verbal hallmarks. It was published via Pastebin on June 7, 2011 (the day of his arrest), and also sent to me via e-mail by a source. Full essay here: http://pastebin.com/TVnGwSmG.
The details about Monsegur’s internships as a teenager were sourced from a web archive of the iMentor website from August 2002, which listed Monsegur as a member of the staff and provided a short biography that mentioned his stints at the NPowerNY Technology Service Corp and the Low-Income Networking and Communications Project (LINC) at the Welfare Law Center.
Text for The Hacker Manifesto by the Mentor can be found here: http://www.mithral.com/~beberg/manifesto.html. I have exchanged e-mails with Lloyd “the Mentor” Blankenship to corroborate details about his writing of the 1986 essay.
Sabu/Monsegur provided me with links that still showed the deface message he published on the Puerto Rican government websites. Further details on the U.S.-China cyber war that Sabu involved himself in were corroborated by news reports such as Wired’s “It’s (Cyber) War: China vs. U.S.,” published in April of 2001, and CNN’s “China-U.S. Cyber War Escalates,” published on May 1, 2001. Further details about Monsegur and his attempts to start a group for local programmers in 2002 also come from a “dox” file posted by a security researcher nicknamed Le Researcher, who pasted a variety of screenshots of e-mails, deface messages, and forum posts on http://ceaxx.wordpress.com/uncovered/. Sabu’s message on AnonOps, in which he asks how to find Wired’s John Abell, came from the online database http://blyon.com/Irc/.
Details about the anticorruption protests in Tunisia were widely reported in late December of 2010 and early January of 2011, and details of the government’s phishing campaign, aimed at spying on potential dissenters, were published by Al Jazeera and Ars Technica. Censored sites would typically say “Error 404: page not found.” An officially blocked site will usually say “Error 403,” so the use of 404 suggested unofficial censorship. One journalist and blogger, Sofiene Chourabi, had reportedly been blocked from accessing his Facebook account; his 4,200 friends were also hacked. Other journalists claimed that their entire blogs were deleted of content, and suspected the Tunisian Internet Agency was behind it. Many Tunisians also claimed they were unable to change their Facebook passwords. The phishing operation was sophisticated, hitting several high-profile targets in a single day, and was carried out by a malware code, according to Al Jazeera, which cited “several sources.” The TechHerald’s Steve Ragan reported seeing examples of the embedded script and new source code injected in Gmail, Yahoo, and Facebook, confirming with four different experts that the embedded code was “siphoning off login credentials” and that “code planting of this scale could only originate from an ISP (Internet Service Provider).”
Details of the antiphishing script developed by Tflow are available on the script-sharing website http://userscripts.org, under the user name “internetfeds.” Sabu, Topiary, and one other senior figure in Anonymous said that Tflow originally wrote the script. Tflow had written a browser JavaScript plug-in that effectively stripped the government’s added Java code and redirected Tunisian Internet users away from its phishing servers (essentially fake Gmail, Yahoo, and Facebook sites) and back to the original, true hosts. Tunisian Internet users first had to install the Greasemonkey add-on for Firefox. Then it was just a matter of opening Firefox and going to Tools, then to Greasemonkey and New User Script, to paste in the code. Having clicked “Okay,” Tunisians could within a minute or two access Facebook, Twitter, Blogger, Gmail, and Yahoo without exposing their login details.
I have sourced the story about Sabu remotely controlling a Tunisian man’s computer to deface the website of the country’s prime minister from interviews with Sabu himself, conducted in April of 2011. It’s still not clear exactly how Sabu hit the Tunisian DNS, but one expert who knew him suggests he may have used a so-called smurf attack to bring down the domain servers of the Tunisian government. This refers to a unique type of denial of service (DoS, without the d for “distributed”) attack that can be
carried out from a single computer. Instead of using a botnet, it uses servers with significant space and speed to transfer the junk data. A smurf attack, specifically, needs broadcast servers. It sends a ping request to one or more of the servers, communicating (falsely) that the return IP address is the target. In hackerspeak, they are sending “spoof packets.” The broadcast server then tells its entire network to respond to the target machine. One computer by itself can send perhaps 500 megabytes worth of packets at most, but a smurf attack allowed Sabu to amplify 40 gigabytes worth. A screenshot of the deface message that was uploaded to Prime Minister Ghannouchi’s site is available online.
Chapter 10: Meeting the Ninja
Opening paragraphs of this chapter are sourced from online interviews with Topiary. His deface message on the government of Tunisia was until recently viewable here: http://pastehtml.com/view/1cw69sc.html. The point about cyber attacks on the governments of Libya, Egypt, Zimbabwe, Jordan, and Bahrain came from testimony by Topiary and was corroborated with various online news reports. I saw the deface of the Fine Gael website myself and confirmed it on the phone with a press spokesman for the Irish political party.
The description of Kayla’s style of writing, which includes “lol”s and smiley faces, is based on my own observations as well as those of Anonymous members. Her view of hacking as an addiction comes from a later, online interview.