We are anonymous inside the hacker world of lulzse

More documents

Recommendations

Info

Minions.” Another helpful source for corroborating personal details on Monsegur was the New York Times story “Hacker, Informant and Party Boy of the Projects,” published on March 8, 2012, in which reporters spoke to Monsegur’s neighbors to piece together a picture of the man. Interviews with sources close to Hector Monsegur and the FBI investigation also contributed to the information in this chapter. Details about the incident at Monsegur’s high school with the head of security were sourced from an essay purporting to be written by Sabu on August 14, 2001, and bearing all his usual stylistic and verbal hallmarks. It was published via Pastebin on June 7, 2011 (the day of his arrest), and also sent to me via e-mail by a source. Full essay here: http://pastebin.com/TVnGwSmG. The details about Monsegur’s internships as a teenager were sourced from a web archive of the iMentor website from August 2002, which listed Monsegur as a member of the staff and provided a short biography that mentioned his stints at the NPowerNY Technology Service Corp and the Low-Income Networking and Communications Project (LINC) at the Welfare Law Center. Text for The Hacker Manifesto by the Mentor can be found here: http://www.mithral.com/~beberg/manifesto.html. I have exchanged emails with Lloyd “the Mentor” Blankenship to corroborate details about his writing of the 1986 essay. Sabu/Monsegur provided me with links that still showed the deface message he published on the Puerto Rican government websites. Further details on the U.S.-China cyber war that Sabu involved himself in were corroborated by news reports such as Wired’s “It’s (Cyber) War: China vs. U.S.,” published in April of 2001, and CNN’s “China-U.S. Cyber War Escalates,” published on May 1, 2001. Further details about Monsegur and his attempts to start a group for local programmers in 2002 also come from a “dox” file posted by a security researcher nicknamed Le Researcher, who pasted a variety of screenshots of e-mails, deface messages, and forum posts on http://ceaxx.wordpress.com/uncovered/. Sabu’s message on AnonOps, in which he asks how to find Wired’s John Abell, came from the online database http://blyon.com/Irc/. Details about the anticorruption protests in Tunisia were widely reported in late December of 2010 and early January of 2011, and details of the government’s phishing campaign, aimed at spying on potential dissenters, were published by Al Jazeera and Ars Technica. Censored sites would typically say “Error 404: page not found.” An officially blocked site will usually say “Error 403,” so the use of 404 suggested unofficial censorship. One journalist and blogger, Sofiene Chourabi, had reportedly been blocked from accessing his Facebook account; his 4,200 friends were also hacked. Other journalists claimed that their entire blogs were deleted of content, and suspected the Tunisian Internet Agency was behind it. Many Tunisians also claimed they were unable to change their Facebook passwords. The phishing operation was sophisticated, hitting several high-profile targets in a single day, and was carried out by a malware code, according to Al Jazeera, which cited “several sources.” The TechHerald’s Steve Ragan reported seeing examples of the embedded script and new source code injected in Gmail, Yahoo, and Facebook, confirming with four different experts that the embedded code was “siphoning off login credentials” and that “code planting of this scale could only originate from an ISP (Internet Service Provider).” Details of the antiphishing script developed by Tflow are available on the script-sharing website http://userscripts.org, under the user name “internetfeds.” Sabu, Topiary, and one other senior figure in Anonymous said that Tflow originally wrote the script. Tflow had written a browser JavaScript plug-in that effectively stripped the government’s added Java code and redirected Tunisian Internet users away from its phishing servers (essentially fake Gmail, Yahoo, and Facebook sites) and back to the original, true hosts. Tunisian Internet users first had to install the Greasemonkey add-on for Firefox. Then it was just a matter of opening Firefox and going to Tools, then to Greasemonkey and New User Script, to paste in the code. Having clicked “Okay,” Tunisians could within a minute or two access Facebook, Twitter, Blogger, Gmail, and Yahoo without exposing their login details. I have sourced the story about Sabu remotely controlling a Tunisian man’s computer to deface the website of the country’s prime minister from interviews with Sabu himself, conducted in April of 2011. It’s still not clear exactly how Sabu hit the Tunisian DNS, but one expert who knew him suggests he may have used a so-called smurf attack to bring down the domain servers of the Tunisian government. This refers to a unique type of denial of service (DoS, without the d for “distributed”) attack that can be carried out from a single computer. Instead of using a botnet, it uses servers with significant space and speed to transfer the junk data. A smurf attack, specifically, needs broadcast servers. It sends a ping request to one or more of the servers, communicating (falsely) that the return IP address is the target. In hackerspeak, they are sending “spoof packets.” The broadcast server then tells its entire network to respond to the target machine. One computer by itself can send perhaps 500 megabytes worth of packets at most, but a smurf attack allowed Sabu to amplify 40 gigabytes worth. A screenshot of the deface message that was uploaded to Prime Minister Ghannouchi’s site is available online. Chapter 10: Meeting the Ninja Opening paragraphs of this chapter are sourced from online interviews with Topiary. His deface message on the government of Tunisia was until recently viewable here: http://pastehtml.com/view/1cw69sc.html. The point about cyber attacks on the governments of Libya, Egypt, Zimbabwe, Jordan, and Bahrain came from testimony by Topiary and was corroborated with various online news reports. I saw the deface of the Fine Gael website myself and confirmed it on the phone with a press spokesman for the Irish political party. The description of Kayla’s style of writing, which includes “lol”s and smiley faces, is based on my own observations as well as those of Anonymous members. Her view of hacking as an addiction comes from a later, online interview. The online poll by Johnny Anonymous was described to me in a Skype interview with Johnny Anonymous himself, conducted on March 7, 2011. Descriptions of Kayla’s obsessive attempts to keep her identity hidden are sourced from interviews with Kayla, conducted largely by email, in March of 2011. I was first introduced to Kayla (and Sabu, Tflow, and the others who would later make up LulzSec) by Topiary. Details of Kayla’s life experiences and getting hacked by a man who “screamed” down the phone at her came from interviews also conducted in March of 2011. Kayla’s involvement in the Gawker hack, which has been reported by Gawker itself, was mentioned in an Internet Relay Chat interview with the hacker on May 23, 2011, in which she described in detail how she and a
was mentioned in an Internet Relay Chat interview with the hacker on May 23, 2011, in which she described in detail how she and a group of online friends in the IRC channel #gnosis carried out their hack over the course of several months. Confirmation of the existence of Kayla’s “tr0ll” IRC network came from archived web pages and Pastebin posts that mention the network, and a source who did not wish to be named. In addition to telling me about the “vulnerability in the servers hosting Gawker.com,” Kayla explained that she and the other hackers managed to obtain user and password details for the site’s root, MySQL. These are key features that gave them almost unfettered access to the website’s database. The vulnerability that Kayla found in the United Nations website was shown to me in an IRC chat with Kayla in the summer of 2011. Dialogue from #InternetFeds came from screenshots of the private IRC channel e-mailed to me by Matthew Keys. Regarding the WikiLeaks IRC network, where Kayla first met q, anyone could access it via a browser at chat.wikileaks.org. Several sources close to WikiLeaks confirm q (real name known but not disclosed here) had habitually lied to supporters, and that he and Assange were close, like a “stepson to Assange,” according to one. Chapter 11: The Aftermath The opening paragraphs of this chapter are sourced primarily from phone interviews with Aaron Barr. I have seen the comment about Barr’s children that prompted him and his wife to temporarily flee their home on Reddit. Details about HBGary Inc.’s hiring of law firm Zwillinger & Genetski are sourced from phone interviews with lawyers Marc Zwillinger and Jennifer Granick. The detail about Ted Vera’s and Greg Hoglund’s passwords came from interviews with Topiary. The subsequent quotes from Aaron Barr are sourced from a phone interview with Barr that took place early that Monday morning, just hours after the Super Bowl Sunday attack. HBGary's open letter was until recently viewable here: http://www.hbgary.com/openletter-from-hbgary. The hackers stored the social security numbers of HBGary employees and other data on a private Web text application called Pirate Pad, which anyone from the group could edit. The online document was later deleted. Stolen data like this often wound up gathering dust somewhere in the cloud, or on someone’s computer—forgotten until an arrest turned it into evidence. The account of Kayla informing Laurelai Bailey of the HBGary attack and then inviting her into the private IRC channel for the company’s attackers, #HQ, is sourced from interviews with Bailey. Those interviews were also the source for details about Barr’s controversial proposals to Hunton & Williams. In order to stumble upon Barr’s all-important WikiLeaks connection, Laurelai had to first port Barr’s published e-mails onto an e-mail client called Thunderbird, then transfer them to Gmail. This allowed her to search through the e-mails using key words like “WikiLeaks.” The notion that Topiary, Sabu, and Kayla didn’t know about the anti-WikiLeaks proposals in the days immediately after the attack were conveyed to me by Topiary, who I was interviewing at the time. I had also been following developments after the attack and noticing that his small group was trawling through Barr’s e-mails, looking for something controversial, before Laurelai spotted the motherlode. Dialogue between the group in the #HQ room comes from logs that were eventually leaked by Laurelai to Jennifer Emick (see chapter 14). Details about the publication of the HBGary e-mails and snippets of content were sourced from the HBGary viewer itself, http://hbgary.anonleaks.ru (now offline). Details about the investigation into HBGary, its partners, and their military contracts by U.S. congressman Hank Johnson were confirmed in a phone interview with Johnson on March 23, 2011. I first heard about the investigation on March 17, when, late that evening, Topiary saw a Wired story saying that Congressman Johnson had started investigating the U.S. military’s contracts with HBGary Federal, Palantir Technologies, and Berico Technologies. Soon after, at least ten Democrats from the House of Representatives had signed a petition to launch an investigation into Hunton & Williams and the three security firms. The “growing sense of unease” among the hackers comes from observations of their sometimes paranoid conversations in #HQ as well as from testimony by Topiary, who was also the source for the information about the regular phone calls with Sabu and the coded greeting “This is David Davidson.” Sabu’s mistrust of Laurelai is clear from his comments in #HQ, but was also corroborated by testimony from Topiary. Jennifer Emick has confirmed that she was behind the Twitter handle @FakeGreggHoush; this has been an open secret in Anonymous since Backtrace was doxed in the early summer of 2011. I relied on interviews with both Emick and Bailey to piece together how and why Bailey ended up passing her the #HQ logs. Part 2 Chapter 12: Finding a Voice The opening paragraph, describing Topiary’s popularity on AnonOps, including details such as the number of private messages he was regularly receiving, are sourced from interviews with Topiary as well as from observations of chat logs, IRC conversations, and statistics showing the number of times people were reaching out to him through Twitter. The detail about requests to hit various targets, such as Facebook, also comes from those interviews. According to Topiary, people sometimes directly e-mailed supporters in AnonOps or sent messages to certain representative blogs. It was difficult to track the way Anonymous chose its targets, since it was often done chaotically, spontaneously, and behind the scenes. However, for the most part, target requests that came from outside Anonymous were rarely pursued. Details about Westboro Baptist Church are sourced from various news reports as well as from Louis Theroux’s engrossing BBC documentary The Most Hated Family in America, first aired in 2007. The detail that Nate Phelps had accused his father, Fred, of abuse is sourced from a number of press reports including Nate Phelps’s official website, which in its “Bio” page refers to his father’s “extreme version of Calvinism” and “extreme physical punishments and abuse.”
Page 2 and 3:
Begin Reading Table of Contents Cop
Page 4 and 5:
his HBGary Federal account, possibl
Page 6 and 7:
culture and key figures within it.
Page 8 and 9:
dreadful fascination at his phone a
Page 10 and 11:
Aaron Barr would never have come fa
Page 12 and 13:
“nigger,” “faggot,” or just
Page 14 and 15:
owns my ass.” With his other hand
Page 16 and 17:
In 2008 he helped instigate Operati
Page 18 and 19:
death threats and threatened to bom
Page 20 and 21:
another poster described “Phase 2
Page 22 and 23:
though, they were usurped by what w
Page 24 and 25:
We are Legion We do not forgive We
Page 26 and 27:
day in federal prison. In the meant
Page 28 and 29:
Since childhood, Bailey had harbore
Page 30 and 31:
oughly three hundred regular chat p
Page 32 and 33:
1. Get the latest LOIC from github.
Page 34 and 35:
Asperger syndrome, rarely left his
Page 36 and 37:
“It’s a troll,” another organ
Page 38 and 39:
had joined mentoring program iMento
Page 40 and 41:
choose a unique nickname on AnonOps
Page 42 and 43:
time. Kayla actually had several IR
Page 44 and 45:
was headquartered and where Barr wo
Page 46 and 47:
“So are we going to focus on Anon
Page 48 and 49:
Starting in early January, many sup
Page 50 and 51:
“Well in my lifetime I’ve perfo
Page 52 and 53:
uh, actual intelligence.” There w
Page 54 and 55:
definitely unimpressed—the claims
Page 56 and 57:
nude photos. Four years later, an e
Page 58 and 59:
“Is this a new trend :D to see wh
Page 60 and 61:
network collapsed, they would move
Page 62 and 63:
large notice board with paperwork a
Page 64 and 65:
April 2011, while he and Sabu were
Page 66 and 67:
since they had a wider array of ski
Page 68 and 69: will get in trouble and might be gr
Page 70 and 71: passwords for almost every journali
Page 72 and 73: or online for most of the day and s
Page 74 and 75: a mixture of Anons, script kiddies,
Page 76 and 77: Sabu hated white hat security firms
Page 78 and 79: “Just looked at this guy’s sour
Page 80 and 81: otnets. Topiary shot back with a se
Page 82 and 83: wasn’t Sabu. “You got the wrong
Page 84 and 85: them that he was back. Topiary at f
Page 86 and 87: websites, bigger ones. He had a rap
Page 88 and 89: “Y’all were the inspiration I n
Page 90 and 91: LulzSec. Tflow created a torrent fi
Page 92 and 93: The Fate of Lulz LulzSec’s signif
Page 94 and 95: opposite of Kayla. And yet there wa
Page 96 and 97: one of the LulzSec accounts in resp
Page 98 and 99: on the network. He decided to try t
Page 100 and 101: morning of their meeting, William
Page 102 and 103: techniques like the Cain and Abel p
Page 104 and 105: hackers in private IRC rooms. It wa
Page 106 and 107: the open at the same time: the susp
Page 108 and 109: Kayla’s story had become more imp
Page 110 and 111: Stephane Fitch, who also introduced
Page 112 and 113: writes a spoof news article about t
Page 114 and 115: following twenty names in the ranki
Page 116 and 117: to websites that showed the steps o
Page 120 and 121: “extreme version of Calvinism”
Page 122 and 123: 2011, however, we held our first re
Page 124 and 125: that were first leaked online by Pa
Page 126 and 127: on the CIA. Details about Julian As
Page 128 and 129: Descriptions of Ryan Mark Ackroyd w
Page 130 and 131: Parmy Olson is the London bureau ch
show all

We are anonymous inside the hacker world of lulzse

Create successful ePaper yourself

Delete template?

Save as template?