Hacker, Hoaxer, Whistleblower, Spy
Page 3
After listening, I was so startled I actually dropped the phone. I was overcome with excitement. But also fear. I picked the phone up, rapidly punched in a seemingly endless stream of numbers, listened to the message three more times, recorded it, and promptly went home, only to spend the rest of the evening brooding. I wished he had never called.
weev’s reputation obviously preceded him; despite my rudimentary research on trolls and my ongoing research on the activism of Anonymous, I had avoided him like the bubonic plague. Although trolling is often experienced and disguised as play, it is also shrouded in mystery, danger, and recklessness. weev is a past president of one of the most exclusive trolling cliques still in existence today, the offensively named Gay Nigger Association of America (GNAA). (Affiliates quiz prospective members on trivia about an obscure porn film called Gayniggers from Outer Space, which inspired the group’s name.) Reaching out to such a revolting troll might spell trouble. Trolls are notorious for waging so-called “ruin life” campaigns, in which they spread humiliating stories (regardless of truthfulness) about a chosen target, and leak vital information like addresses and Social Security numbers. The effect is akin to being cursed, branded, and stigmatized all at once. The psychological effects can be terrifyingly long lasting.1
But since I also ran a risk by ignoring his request—he did, after all, flag it as extremely important—I sent him an email a few days later. And, since I had already taken the plunge, I also figured it might make sense to acquaint myself with another genre of trolling. In contrast to weev’s boastful, elitist, self-aggrandizing style, Anonymous had historically demonstrated a far more self-effacing and populist mode of trolling. Like two sides of a coin, both belonged to the same “tribe” while also countering one another. For about two minutes I even entertained, with faint excitement, the prospect of detailing a troll typology. Just as my anthropological ancestors once categorized tribes, skulls, and axes, perhaps I could do the same with trolls and their horrible exploits, trollishly playing, all the while, with my discipline’s historical penchant for irrelevant and sometimes racist categorization. Quickly the excitement faded as I contemplated the ruinous reality this could bring down upon me if I got on the wrong side of these notorious trolls; I remembered that I had already decided to focus on the activism of Anonymous and not its trolling heyday for a very good reason. In the end, I hoped weev would ignore the email from me sitting in his inbox.
But, when he emailed me back, I realized there was nothing to do but commit. We finally connected via Skype chat. His handle was “dirk diggler,” after the porn star protagonist of the 1997 film Boogie Nights. Later, when we switched to IRC, he used “weev”:
His denunciation of “the repulsive order of the financiers” had the ring of truth, given the recent financial mess their recklessness had engendered, so I found myself, only minutes into my first bona fide conversation with a world famous troll, in agreement with him:
It is true: I had not spent time in Slab City. It was, in fact, the first time I had even heard about it. And so, as we chatted, I was also googling “Slab City,” which actually exists and is a fascinating Wild West campground/squatter haven in Colorado. I soon came to learn that even if weev often lies, he also often speaks the truth, and his knowledge of the strange, fantastical, and shocking is encyclopedic—he is a natural ethnographer of the most extreme and vile forms of human esoterica.
By dedicating much of his teenage and early adult years to hacking and trolling—and the consumption of large quantities of drugs, if he is to be believed—weev had amassed a vast catalog of technical and human exploits. His most famous coup, which won him a three-and-a-half-year jail sentence, was directed at AT&T, a beloved target among hackers because of its cozy information-sharing practices with the US government. (AT&T’s well-known activities in room 641A, a telecommunication interception facility operated by the NSA, now seem quaint given the news that most major telecommunications providers and Internet companies provide the US government generous access to customer data.) weev targeted AT&T with Goatse Security, the name given to GNAA’s impromptu security group. They discovered in June 2010 that the giant American telco had done something stupid and irresponsible: AT&T’s iPad customer data was posted on the Internet unprotected. Typically, a company with good security practices will encrypt things like customer names, email addresses, and the unique ID numbers associated with these iPads. But AT&T had not, at least in this instance, encrypt anything.
While they didn’t exactly leave the customer data sitting on a doorstep with a sign saying “Come and Get It,” the data was still unusually easy to access. Indeed, Goatse Security figured out an easy way to “slurp” the data using a script (a short, easy-to-use computer program), which was written by GNAA/Goatse member Daniel Spitler, aka “JacksonBrown.” The gray hat security crew called it, with uncanny precision, the “iPad 3G Account Slurper” and used it to harvest the data of 140,000 subscribers. The opportunity to expose shoddy security of this magnitude is irresistible to any hacker—even one like weev who, as he told me over dinner when we finally met in person, is not even that talented of a technologist (or, perhaps more likely, he is just too lazy to do the grunt work since he certainly grasps many of the finer technical points pertaining to security).
Whatever the case, Spitler wrote the script itself and has since pleaded guilty in court. And yet weev was also convicted in November 2012 for “hacking” AT&T’s system: a violation of the Computer Fraud and Abuse Act (CFAA). But the fact remains: since there was no security to speak of, there was nothing, technically, to “hack.” Daniel Spitler’s script did not compromise an otherwise secure system, and weev—who contributed minor improvements to the script—mostly acted as the publicist. He offered the vulnerability to news outlets for free. He was interested in exposing AT&T’s shocking lack of security in the public interest and boosting his public profile. The CFAA, it must be said, is a decidedly blunt legal instrument—so broad that it affords prosecutors tremendous power in any legal proceeding that relates, in virtually any way, to the vague notion of “unauthorized computer access.” The activities need not be hacking at
all. Some courts have interpreted “unauthorized access” to mean computer use that simply violates the terms of service or other rules posed by the computer’s owner.2
After his CFAA conviction, weev’s case attracted a trio of topnotch lawyers: Orin Kerr, Marcia Hofmann, and Tor Ekeland. They appealed his case, seeking to overturn what they, along with many security professionals, deemed a dangerous precedent capable of chilling vital future security research; the security industry relies on hackers and researchers discovering vulnerabilities, using the same methods as criminal hackers, in order to expose weakness and strengthen infrastructure for both private and public good. Finally, in April 2014—and only after he had served roughly twelve months of a forty-one-month sentence—his case was vacated. But not due to the the CFAA portion of the appeal—instead due to the question of venue. The court determined that New Jersey, where the original case was tried, was not the state where the offense was committed. Tor Ekeland explained the importance of this legal ruling to the Guardian: “If the court had ruled the other way, you would have had universal venue in … computer fraud and abuse cases, and that would have had huge implications for the Internet and computer law.”3 Still, although weev’s supporters were thrilled that he was now free and pleased that questions of venue had been clarified, many were disappointed that the proceedings left the broader CFAA issue untouched—the dangerous precedent remained.
By taking this information to the media, weev demonstrated an intent beyond mere trolling. Any self-respecting hacker will cry foul in the face of terrible security; taking it to the press—which will generate a huge fuss about it—can be a responsible thing to do. Of course, to hear weev tell the story, it was clear that he also did it for the lulz. He would giggle whenever Goatse Security was mentioned in news reports about the incident. He imagined millions of people Googling the strange name of the security group, and then recoiling in horror at the sight of a vile “anal supernova” beaming off their screen.4 Goatse is a notoriously grotesque Internet image of a man hunched over and pulling apart his butt cheeks wider than you might think is humanly possible. Those who view it are forever unable to unsee what they have just seen—unable to forget even the smallest detail, their minds seared by the image as if the gaping maw, adorned with a ring, were a red-hot cattle brand. The immaturity of the joke would escalate weev’s giggles into tears, which spilled out the sides of his pinched eyes; he would hunch over, holding his stomach as his shoulders shook, his laugh like a demonic jackhammer.
Clearly, weev offended everyone, including law enforcement. The ultimate testament to his incendiary nature is, perhaps, the judge’s rather stiff sentence. After all, he was not even party to writing the script. The night before his sentencing, he wrote on reddit, a popular nerd website, that “My regret is being nice enough to give AT&T a chance to patch before dropping the dataset to Gawker. I won’t nearly be as nice next time.”5 To justify the sentence, the prosecution cited his reddit comments not once, not twice, but three times.
For weev, such incendiary behavior is par for the course. He has recorded hateful speeches railing against Jews and African Americans—“sermons,” as he calls them—which can be viewed on YouTube. They are so hateful that they even disgust other trolls.
We started chatting soon after his legal troubles relating to AT&T began. During the next five months we chatted often. There were some moments that can only be described as strange. Take, for instance, a conversation that occurred on December 12, 2010:
I was, I recall vividly, incredulous. But I still managed, barely, to type a response:
Then out of the blue, as is often the case with internet chatting—especially with weev—he hopped to another topic while I was in the midst of responding to questions of governance:
[…]
At the time he was under investigation. I know he was a troll and all but, let’s face it: jail sucks. I told him I would visit and expressed my sympathies:
It was natural, then, that weev, a gluten-free troll chatting with a gluten-free anthropologist, would seamlessly transition into a discussion of Pilates. Regrettably, I never did get a proper answer on the subject of troll governance. Many conversations followed this unpredictable, always entertaining, arc.
I was earnest with him for the most part, but I played along with his self-styled hoaxer role. At the same time, I couldn’t resist calling him out on his bullshit sometimes, even trolling him just a little:
As a social science professor, I had some insider knowledge of this “elaborate scheme.” I could not help but feed him some of my own lies:
He did in fact serve jail time in various states, ending up in New Jersey where he was released on bail February 28, 2011, to await trial. Since he was no longer allowed online, our chats came to an end. Instead, we continued to converse in person, over gluten-free food, in NYC. I footed the bill since he was really, really broke. Although he did teach me a fair bit about trolling, he never used his skills on me.
Although weev’s bail conditions banned him from using a computer, he still managed to practice his craft. weev, like many trolls, likes to dupe people in order to draw attention to himself. Putting oneself in the limelight feels great, especially if you don’t need to pay a PR person to post a fake sex tape. In May 2011, as summer finally descended on NYC, he excitedly texted me. “Google my name,” he wrote. I did as commanded, and hundreds of n
ews articles popped up on my browser. He had duped the media with an in-person hoax, claiming to be Dominique Strauss-Kahn’s neighbor immediately after rape charges were leveled against the wealthy French politician and former head of the International Monetary Fund. weev, then utterly destitute, managed to slip his comments into hundreds of newspapers; no journalist bothered to fact-check him:
Despite the prosecutor’s claims, however, Strauss-Kahn is already meeting his neighbors. An infamous computer hacker who lives in the corporate apartment building on Broadway claims he has already met the Frenchman—and he is ‘an OK guy’.
‘We’re all like one big Breakfast Club in there,’ Andrew Auernheimer, 26, was reported as saying in reference to the 1985 classic film about five high school students trapped in Saturday detention.6
In Lulz We Trust
So if weev, like so many trolls, dishes out his actions on mixed platters of truth and lies, is it possible to determine whether he was actually in the room when the “lulz” first whooshed off the tip of a tongue? To probe this question further, let’s turn to Encyclopedia Dramatica (ED), a stunningly detailed online compendium cataloging troll mechanics, history, gore, and lore. Despite bearing the title “Encyclopedia,” it strives neither for neutrality nor objectivity. ED is, indeed, encyclopedic in its detail—but it is also outrageous in tone and riddled with lies. What ED does well (and in this way it actually achieves a strange measure of objectivity) is display the moral kinetics of trolling. Is ED’s etymologizing of the lulz, a snippet of which is provided below, fact or fable?: