We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency
Details about the way LulzSec attacked Karim Hijazi come from interviews with Topiary and Kayla, as well as from chat logs released by both LulzSec and Hijazi. Further details come from telephone interviews with Hijazi in the days after his attack was announced and from interviews with his press spokesman.
Details about the ~el8 hacking group were sourced from their four e-zines, which are still available online, and from the 2002 Wired article “White-Hat Hate Crimes on the Rise.”
Details about Andrew “weev” Auernheimer’s disclosure of a security flaw for iPad users on AT&T’s website were sourced from interviews with Auernheimer, from the Gawker story “Apple’s Worst Security Breach: 114,000 iPad Owners Exposed,” dated June 9, 2010, and from the CNET article “AT&T-iPad Site Hacker to Fight on in Court,” published on September 12, 2011. In July 2011, a federal grand jury in Newark, New Jersey, indicted Auernheimer on one count of conspiracy to gain access to computers and one count of identity theft. From September 2011 and as of mid-April 2012, he was on bail, and reportedly banned from using IRC or consorting with people from his hacking group.
The statement that the AnonOps IRC was “a mess, everyone was on edge” was sourced from my own observations of the chat network and from interviews with Topiary.
The assertion that a few white hats “secretly wished they could be part of the fun” was sourced from my observations of comments made by white hat security specialists on blogs and on Twitter, which often professed admiration for LulzSec and expressed gratitude that the group had demonstrated the necessity of the Internet security profession. A good example is the article by Australian security expert Patrick Gray on his risky.biz blog entitled “Why We Secretly Love LulzSec,” posted on June 8, 2011. The post quickly went viral on Twitter.
Regarding Ryan’s DDoS attack on LulzSec’s public IRC channel—he had been sending the same message to anyone who was an operator in the IRC channel.
Chapter 21: Stress and Betrayal
Details about Kayla’s side operation were sourced from interviews with Kayla and Topiary, while dialogue in this chapter was sourced from the leaked #pure-elite logs. Further context on the InfraGard hack, #pure-elite discussions, and Bitcoin donations comes from interviews with the founding members of LulzSec. Some dialogue, such as the reaction to the $7,800 BitCoin donation, was also sourced from interviews.
NATO’s draft report on Anonymous can be found on the organization’s website here: http://www.nato-pa.int/default.asp?SHORTCUT=2443. It was first mentioned on tech blogs, such as thinq, in early June.
The deletion command rm -rf /* is well known among Web trolls, who at one time made a practice of telling Mac and Linux users to type the code into their copy of Terminal, the application that allows users to engage with their computers using a command-line interface. This can lead users to inadvertently wipe out their hard drives. According to KnowYourMeme.com, the trolling scheme against PC users has been around since the early 2000s, but became popular through its promulgation on 4chan around 2006. Users of /b/ would post digital flyers or start discussion threads saying, for example, that Microsoft had included a folder called system32 on all PCs and that this folder held 32 gigabytes of “worthless crap.” They added that the company did this to sell more system-cleaning software, and that the way to get back at money-hungry Microsoft was to delete the file. This was, of course, completely untrue.
Here is a translation of the UNIX code rm -rf /* itself: “rm” is the command short for remove; a blank space then indicates the end of the command. The “-” begins the options, with “r” meaning “recursively delete all directories” and “f” meaning “override file permissions.” “/*” means that everything after the root of the tree (“/”) is to be affected. The entire command means “remove everything forcefully.”
The assertion that “many news outlets bought this line”—i.e., the line that LulzSec had hacked InfraGard in response to the Pentagon announcement—was sourced from a number of news reports. Among them is the digitaltrends.com story “LulzSec Hacks FBI Affiliate, Infragard.”
Details about the arrest of Sabu were sourced partly from Fox News reports, including the one entitled “Infamous International Hacking Group LulzSec Brought Down by Own Leader,” and partly from an interview with an anonymous source who had knowledge of the arrest and FBI investigation. Further details about Sabu’s arrest and his later appearance in a secret court hearing are laid out in chapter 26.
Details about Cisco’s promotional tweet appearing on Twitter searches for LulzSec were sourced from my own observations and were corroborated by Cisco spokesman John Earnhardt, who said that LulzSec was a “term of interest” in the security industry. The day after I wrote a blog post on the promotion for Forbes, entitled “How Cisco Is Capitalizing on LulzSec Hackers’ Popularity” and published on June 15, 2011, the promotion disappeared.
Joseph K. Black, founder of the Black & Berg IT security company, most likely faked the attack on his own website. This assertion is based on interviews with Topiary, who said that no one in the group had hit or had planned to hit Black & Berg, and on interviews with Jennifer Emick, who spent some time investigating Black. I also base this conclusion on my opinion that Black is not a credible source. Cyber security and antivirus expert Rob Rosenberger wrote a column for SecurityCritics.org on February 15, 2011, in which he referred to Black as a “charlatan” whose activities until that point already “qualified as ‘unethical behavior’ done for shameless self-promotion.” The cyber security site attrition.org later wrote a damning indictment of Black on February 28, 2011, in an article entitled “Joseph K. Black: Social Media Experiment Gone Horribly Wrong,” which offered the prediction that Black would never obtain his professed dream job of “National Cybersecurity Advisor.” It posted screenshots of his Twitter feed from January of 2011, including tweets such as “I just did my 2nd line of coke and it’s only 4.15; WOW!” Another tweet, directed toward Attrition itself, said, “Your [sic] just jealous that the Feds haven’t taken you off the grid yet. Sucker.Im untouchable.I got the Feds in my pocket.Im comfy.” In October of 2011, Black was pursued by police in a thirty-five-minute car chase over four U.S. counties, after which he got out of his car holding a small dog and pointed his finger at the police, making shooting noises. He was promptly Tasered (source: “Omaha Man Caught after Early Morning Pursuit,” the North Platte Bulletin, October 31, 2011). By early 2012, Black & Berg had folded and Black had posted a photo of himself on an about.me Web page, where he listed himself as “Advisor to Anonymous and #Antisec operations.” In the photo, Black was standing in front of a mirror, wearing a hoodie, sunglasses, and a gold chain necklace. 
Black did not respond to a question e-mailed to him on the matter of his website’s defacement, or to an interview request. Ironically, in spite of the overwhelming evidence that the defacement of Joseph K. Black’s website had been self-inflicted for publicity purposes, British prosecutors would later list an attack on Black & Berg among the charges against Jake Davis and three other young men associated with LulzSec.
Details about other copycat hacker groups, such as LulzSec Brazil and LulzRaft, were sourced from the groups’ own Twitter feeds, announcements, and press reports, and from interviews with LulzSec members.
Topiary’s statement “I’m starting to get quite worried some arrests might actually happen” was made in an interview with me.
Chapter 22: The Return of Ryan, the End of Reason
Details in this chapter about activities within LulzSec, dialogue about the disappearance of Sabu, and descriptions of Ryan were sourced from interviews with LulzSec’s founding members. Details about Topiary’s first call with Sabu were sourced from interviews with Topiary.
The name David Davidson comes from the widely panned 2000 comedy film Freddy Got Fingered, starring Tom Green. It has often been used online as a joke name, but perhaps not enough to be considered an outright Internet meme.
Ryan first rekindled his relationship with LulzSec’s members by offering to let the group house its IRC network on his servers. This was a welcome offer, although eventually the crew would be hopping between servers owned by AnonOps and the public IRC networks provided by EFnet, Rizon, and 2600.
Topiary did not believe that the dox released for Ryan earlier that year by Evo was real. He also believed that the real Ryan was relatively safe, since Ryan claimed, for instance, to have his neighbor receive all his packages, which were addressed to a fake name anyway, before passing them over to him, so that he never had to give out his real address.
The Skype number 1-614-LULZSEC was off at all times and redirected to another Google number, which was also offline and redirected instantly to the main Skype account that Topiary and Ryan were using. This account had been registered via a fake Gmail account on a random IP address.
I have sourced the assertion that Assange was “chuckling” to himself from interviews with Topiary, who said that when he was first talking to Assange on IRC, Assange claimed that he and others in WikiLeaks had “laughed” when they heard about the DDoS attack on the CIA.
Details about Julian Assange’s state of affairs in June of 2011, including his defense against extradition and the wearing of an electronic tag, were sourced from various press reports, such as “Julian Assange Awaits High Court Ruling on Extradition,” published by the Guardian on November 2, 2011.
Details about the IRC discussions within LulzSec (first between Topiary and Sabu, then among other members of the team) were sourced from interviews with Topiary and with one other hacker associated with LulzSec who does not wish to be named. I have also seen and taken screenshots of the video of Assange taken by q, which was temporarily uploaded to YouTube. The video showed the IRC discussion between LulzSec and a panning shot of Assange looking at his laptop. Dialogue from the discussion between Sabu and q is taken from the same video, which also featured text from the IRC channel they were both in at the time. Sources close to WikiLeaks confirm that q had organized meetings in the past between Assange and other third parties via IRC, and that q is from Iceland. Regarding the filename RSA 128: RSA is a cryptographic algorithm (by Rivest, Shamir, and Adleman). The 128 would refer to the key length, or the strength of encryption measured in bits.
Chapter 23: Out with a Bang
Details about 4chan’s reaction to LulzSec were sourced from interviews with William and Topiary. Ironically enough, LulzSecurity.com was at one point hosted in the same data center as 4chan, according to Topiary.
Regarding the release of 62,000 e-mails and passwords, Topiary had uploaded the database a second time to the file hosting site MediaFire.com. However, before it was again taken down, random users had downloaded it almost 40,000 times.
Further details about LulzSec’s instigation of a revived Antisec movement, and details about Topiary’s relations with Ryan, were sourced from interviews with Topiary; context for these details was provided by interviews with Sabu.
Details about someone from SOCA e-mailing the Metropolitan Police about a DDoS attack were sourced from prosecutor notes, which were passed on to the arrested LulzSec members.
Details about the arrest of Ryan were sourced from press reports, such as the Daily Mail article “British Teenager Charged over Cyber Attack on CIA as Pirate Group Takes Revenge on ‘Snitches Who Framed Him,’” published on June 22, 2011, and from interviews with LulzSec members. Soon after Ryan’s arrest, an Anon with links to Ryan Cleary approached Topiary on IRC and told him with dead seriousness that a photographer from the Sun was planning to fly to Holland to try to snap a photo of the “real Topiary.”
Details about the Arizona police leak, and dialogue from the discussion between LulzSec founding members about disbanding, were sourced from interviews with Topiary, with some added context provided by Sabu in later interviews.
Chapter 24: The Fate of Lulz
The analogy of “cavemen smearing buffalo blood” over rocks was drawn from a discussion with Topiary.
Details about the Script Kiddies hacking into the Twitter feed of Fox News were sourced from various news reports, such as “Fox News Hacker Tweets Obama Dead,” published by BBC News online on July 4, 2011. The group’s defacement of the Pfizer Facebook page was sourced from their posts on Twitter and from my own subsequent observations of the defaced Facebook page. Details about other hacker groups from countries such as the Philippines, Colombia, and Brazil were sourced from various stories on TheHackerNews.com.
The statement that there were more than six hundred people in the AnonOps chat room #Antisec after LulzSec disbanded comes from my own observations while on the IRC network.
Sabu’s statement “I’m doing the same work, more revolutionary” was sourced from my IRC interview with Sabu.
Details about Topiary’s “break” from Anonymous after LulzSec disbanded were sourced from interviews with Topiary.
The assertion that “several mainstream press outlets’ ears perked in envy” at Sabu’s claim of granting certain media outlets access to News of the World e-mails was sourced from news reports such as “LulzSec Claims to Have News International E-mails,” published by the Guardian on July 21, 2011.
The detail about Rebekah Brooks’s husband dumping her laptop in a black garbage bag is sourced from the Guardian story “Police Examine Bag Found in Bin Near Rebekah Brooks’s Home,” published on July 18, 2011.
The assertion that police across eight countries had arrested seventy-nine people in connection with activities carried out under the names Anonymous and LulzSec was sourced from various news reports about these arrests and a tally on Pastebin. Details about the looming arrest of Topiary were sourced from Topiary, with certain facts, including that about the hiring of a private plane, corroborated by news reports, such as the Daily Mail’s “Autistic Shetland Teen Held over Global Internet Hacking Spree ‘Masterminded from His Bedroom,’” published on July 31, 2011.
Part 3
Chapter 25: The Real Topiary
Details about Topiary’s arrest, including descriptions of his encounter with the police, were sourced from later interviews with Jake Davis. The details about the police’s visit to Jake’s mother’s home in Spalding were sourced from discussions with Jennifer Davis. Descriptions of Ms. Davis walking into the Charing Cross police station are based on my own observations after visiting the station that day.
The assertion that the AnonOps chat rooms were “ablaze with rumors” is based on my own observations after visiting the IRC network; Sabu’s statement that he was “pretty fucking depressed” comes from my interview with him.
The statement that the name Jake had popped up in the AnonOps chat room after an error involving his VPN connection was sourced from my observations of the December 8 AnonOps public chat log database on http://blyon.com/Irc/. The rumor about the friend from Xbox forums posting “Jake from Shetland” was sourced from Sabu’s published chat log with Mike “Virus” Nieves (see chapter 26) and the Gawker story “How a Hacker Mastermind Was Brought Down by His Love of Xbox,” published on August 16, 2011.
Details about VPN provider HideMyAss responding to a U.K. court order to help identify a member of LulzSec were sourced from a blog post on HideMyAss’s website entitled “LulzSec Fiasco,” published on September 23, 2011. HideMyAss did not respond to repeated requests for interviews and did not list a phone number on its website.
The item about the Department of Homeland Security expecting more significant attacks from Anonymous was sourced from the department’s National Cybersecurity and Communications Integration Center bulletin published on August 1, 2011.
Details about and descriptions of Jake Davis’s court appearance were sourced from my observations while attending the hearing, with added context provided by later interviews with Davis.
The book Free Radicals: The Secret Anarchy of Science got a significant boost in its Amazon rankings after Jake Davis flashed its cover to the cameras, according to an interview with the book’s author, Michael Brooks.
Descriptions of the propaganda images and digital posters made of Jake Davis after his court appearance were sourced from my own observations after speaking to several Anonymous supporters on AnonOps, one of whom directed me to a growing repository of these images.
Details about Jake Davis’s fan mail and his life at home were sourced from interviews with Davis, which included visits to his home in Spalding, and from my own observation of some of the letters he received.
Details about the raid executed by William and other members of /b/ against a sixteen-year-old girl on Facebook named Selena (not her real name) were sourced from interviews with William conducted via e-mail and in person.
Davis’s meeting with William was arranged by me. I had thought for some time that it would be intriguing to observe what would happen if two people from Anonymous were to meet face-to-face. I had also wanted to arrange for an Anon and a victim of Anon—e.g., Jake Davis and Aaron Barr—to meet in person. Distance and time constraints made a meeting between Barr and Davis impractical, so the next best thing seemed to be a meeting between William and Topiary. I asked each of them if he was willing to meet the other, and after they agreed I set a date in February of 2011. On the appointed day, I met first with William before traveling with him by train to the meeting place with Davis. I accompanied them both to a restaurant, where we talked over lunch. As the two men discussed Anonymous, I asked questions and took notes.