Although there are many different ways for a botnet to work, one classic method involves connecting it to a pre-configured IRC server and channel. Once this connection is made, the computer will wait patiently—unbeknownst to their owners—awaiting orders from the botnet herder (yeehaw!). The herder is the individual capable of directing the computers that make up the botnet. Typically, this is the person who infected the computers in the first place. Usually he or she is waiting in the designated IRC channel, grinning from ear-to-ear as more and more infected computers join the channel, like zombies awaiting orders. This is known as the command-and-control channel (C&C). A typical scenario might see a herder tabbing back and forth between regular chat channels and the hidden C&C channel as it grows more powerful by the moment.
A typical botnet might boast around twenty thousand computers, but larger botnets have been tracked to upwards of thirty million. (Though most botnets have a bad rap—and for good reason—some botnets are voluntary and participatory. The most famous of these is probably SETI@ home, the three-million-strong string of computers searching for alien life in outer space.) They hover on this C&C channel until the botnet herder gives them an order—usually authenticated—to perform some task. So for example, the botnet herder might simply say, “ddos 172.16.44.1,” and then all the connected bots will begin to attack that specified IP address.10
Another common task for botnets is to send mass amounts of unwanted email. Spam is often stopped by an algorithm which determines its unwanted nature and blocks the sending address—but when tens of thousands of different machines with different addresses are sending the spam, it is much harder to track down and stop. Often botnet herders assemble their network not for their own purposes, but in order to sell the services of their bots to a spammer.
To be able to control tens of thousands of computers from a central location is a powerful feeling. By simply issuing commands you can make thousands of computers do something for you, and the larger the number of computers participating, the more powerful those commands are. In the botnet world there is an ongoing struggle over who has the most bots, the most bandwidth, and the best-infected machines (university, corporate, and government computers tend to be on better bandwidth).
This competition is so fierce that botnet herders will often try to take over other botnets. On the other side of the fence, law enforcement agencies and individual organizations that are fighting spam also struggle to take over botnets in order to neutralize them. This is not a trivial thing to do. One has to first identify the C&C. If you can figure out where the bots get their commands from, you can join the IRC channel, masquerading as a compromised machine, and wait to receive a command from the botnet herder. If the botnet herder sends an authentication alongside the command, you may have the password necessary to issue commands to the entire botnet yourself.11
But, as Lola indicated, you can also access all that fun and power for a cheap “subscription fee.” People on the IRC server were not happy with all this talk of the underworld of botnets and DDoS. The IRC operators booted the pro-DDoS contingent from the server. They left undeterred, becoming Anonymous nomads.
It is perhaps ironic that golum, as one participant explained it to me, “was a central figure in the IFM movement, if not THE central figure.” golum may have spearheaded the initiative, but his influence waned as he clamored for the types of digital tactics firmly rejected by the majority of Anons driving Chanology. Effectively, this majority managed “to change the direction of the operation” so as to keep it entirely legal. Those wanting to use direct action techniques found themselves increasingly marginalized. But while golum’s random dice day vision may have seemed to them nothing more than, well, random, golum was actually an adept organizer with a keen feel for media dynamics. I had seen in him action many times, and he was one of the finest propagandists and organizers in all of Anonymous. golum left the IFM to form a new direct action–oriented wing, taking some Anons with him. One participant in the new militant enterprise, which would come to be known as AnonOps, described golum as having “a very, very good antenna for PR and propaganda, and he realized the (at the time) immense psychological impact of declaring that a website would vanish, and then taking it down.”
golum took his tactics, and his supporters, elsewhere. Strangely, given his announcement of random dice day, he had in fact erected a website with an ACTA protest timeline that differed from the one he had announced on the IRC channel. The site designated the crescendo of activities for November 5, the worldwide day of protests known as Guy Fawkes Day. golum had conceived of different groups divided by chat rooms (#bump, #newor, #op), each with distinct roles and responsibilities.
Confusion loomed large over the DDoS campaign’s start date—but in the end, thanks to the initiative of some unknown actors, it was, as golum predicted, to fall in the middle of September. A stunning and spectacular avalanche of DDoS attacks attracted over seven hundred individuals into the splinter group’s chatroom and continued for over two months. In the end, they did not target the Office of the US Trade Representative. Instead, in a defense of file sharing, they DDoSed the heck out of a number of pro-copyright associations, such as the Motion Picture Association of America (MPAA) and the Recording Industry Association of America (RIAA). The media attention was significant and the new crew was hooked. Displaying the Pirate Bay’s ship logo—also adopted by Anons as their campaign symbol—the BBC reported: “Piracy activists have carried out coordinated attacks on websites owned by the music and film industry.”12 Anonymous listed every news story written about “Operation Payback”—as the group called it—on tieve.tk, which also became the go-to hub for information as Anonymous migrated from IRC server to IRC server before establishing one of its own in late October.
Drawing upon my experiences with Anonymous, I can confidently declare that had golum’s breakaway group simply rallied troops around a slogan like “ACTA sucks,” the unprecedented waves of support would never have materialized. Fortunately, the spirit of Puck delivered a delightful accident to this nascent Anonymous crew. It was as if the trickster of crossroads, Eshu, then appeared, urging them to make a decision. And, as we will see, their choice allowed the pod to sprout into one of the Internet’s biggest political sensations.
“At times, we have to go an extra mile and attack the site”
The game-changing piece of information first appeared in a technical news article published by an Indian media outlet on September 5, 2010. It took a full week for Western journalists to pick up the story, at which point it circulated along the boutique technical press. The story quotes the managing director of Aiplex, an Indian software firm purportedly hired by corporations to DDoS file sharing sites like the Pirate Bay:
The problem is with torrent sites, which usually do not oblige [when served with a written legal request to take down a movie]. In such cases, we flood the website with lots of requests, which results in database error, causing denial of service as each server has a fixed bandwidth capacity. At times, we have to go an extra mile and attack the site and destroy the data to stop the movie from circulating further.13
Ironically, given the target, that admission essentially provided evidence of a contemporary practice analogous to the privateering of yesteryear. Until outlawed in 1856, European powers routinely hired pirates to operate as their agents on the high seas—with the added advantage of being able to obscure their own involvement in whatever unsavory business they might require the pirates to perform. This was not the first time evidence surfaced that the copyright industries hired technologists to do their (illegal) dirty work. In 2005, the MPAA employed a hacker to break into the servers of TorrentSpy, a search engine for file sharing material, and search for confidential information they hoped would provide evidence of law breaking. During an exclusive interview with Wired.com, this hacker explained how the MPAA attempted to lure him with cash and other luxury goods: “We would need somebody like you. We would give you a nice paying job,
a house, a car, anything you needed … if you save Hollywood for us you can become rich and powerful.”14
But with Aiplex, it was the first time the admission was so frank and forthcoming.
The reaction from Anonymous and many other geeky quarters of the Internet was predictably swift and biting. For well over a decade, the copyright industry/lobby/trade associations poured millions of dollars into aggressively hunting down, and suing, file-sharers and hackers who ran peer-to-peer sites, like the Pirate Bay, which coordinate access to troves of copyrighted material. Now segments of the copyright industry were going the “extra mile” by hiring hackers to engage in illegal tactics of their own to curb illegal file sharing.
Geeks criticized Aiplex’s technical methods (it is common for geeks to take any and all opportunity to debate the merits of any piece of technology). They made fun of Aiplex’s terrible and asinine criminal-confession-as-PR strategy. And on TorrentFreak, a popular website dedicated to reporting news on file sharing, one commentator noted: “AiPlex is just asking … strike that I meant; _begging_ for trouble.”15
The writer was spot on. Revenge arrived in the form of—did you guess it?—a DDoS campaign. Someone took the initiative to take down Aiplex, almost certainly using a botnet. golum and the other Anons who had set their sights on protesting ACTA through the use of DDoS campaigns exploited this opportunity to shift their energies and attention toward this event. It is perhaps no wonder that golum and his followers had no qualms about ditching ACTA, switching targets, and finding a new start date thanks to another bit of opportunistic chance—just like that initial rolling of the dice.
In one of the first propaganda posters for Operation Payback, this new Anonymous cell admitted that the DDoS campaign was “ahead of schedule,” thanks to an unexpected strike made by a single individual. The activists then predicted, “This will be a calm, coordinated display of blood. We will not be merciful.” Anonymous boldly signed off: “GOOD HUNTING.”
So was the “hunting,” as the poster claimed, a calm, coordinated, tactical incision in which Anonymous would show no mercy? Sort of. But, as we will see in a moment, the first few weeks of the campaign were rather chaotic—partially because the influx of supporters was hefty, at least for standards of the time. With so many people, proceeding in a calm and coordinated fashion was difficult. The first campaign launched September 17, 2010, targeting the MPAA’s website and taking it offline for roughly eighteen hours.16 Over the next four days Anonymous hit, among other targets, the International Federation of the Phonographic Industry, Aiplex (naturally), the RIAA, and ACS:Law, a law firm in the UK that worked on behalf of the copyright industry. From the perspective of these renegade Anons, Operation Payback was a resounding, glorious success, and the media were squeezed for many articles.
One of the remarkable feats of Operation Payback was how AnonOps managed, using propaganda material alone, to convince both the media (and many of their own members!) that the MPAA had hired Aiplex; there is no evidence to support this claim. Instead it is now widely believed that Aiplex had been hired by the Bollywood movie industry. And yet on September 20, 2010, scores of reputable news outfits, including Reuters, published statements in the following vein, despite flimsy—nonexistent, really—evidence: “MPAA.org and the Web site of Aiplex Software, a company the MPAA hired to target sites where piracy was rampant, were incapacitated for much of the day, according to the piracy blog TorrentFreak.”17 Because it was covered extensively in the media, I myself repeated this fib on countless occasions. To this day I still cannot ascertain who first proposed it, and whether it was borne from honest confusion (so many of the core participants truly believed it) or conniving duplicity. Whatever the case, Anonymous would seize upon this new-found specialty in the art of duping the media.
After a few days of the operation, AnonOps found itself on the verge of its most successful attacks of the season—where it would, in fact, show no mercy. The targeted organization, ACS:Law, would be shamed into oblivion thanks to Anonymous’s first major leak.
“I have far more concern over the fact of my
train turning up ten minutes late … than them
wasting my time with this sort of rubbish”
For the ragtag team assembled under the auspices of Operation Payback, the MPAA became the obvious target of preference. But by September 21, Anonymous could no longer effectively take down the organization’s site—the MPAA had implemented sturdy DDoS protection by employing an outside firm. And so, on September 21, 2010, following vigorous internal debate, Anonymous set its sights on ACS:Law, a British law firm notorious for sending threatening letters at the behest of copyright owners to thousands of alleged file-sharers, demanding money and the cessation of ostensibly illegal downloading. It took Anonymous much more time to choose ACS:Law as its target (two hours) than it did to take down the law firm’s website (two minutes). After the hit, the firm’s head solicitor, Andrew Crossley, was so unimpressed by the attack that he hastily volleyed back with the following statement: “It was only down for a few hours. I have far more concern over the fact of my train turning up ten minutes late or having to queue for a coffee than them wasting my time with this sort of rubbish.”18
But, it turned out, these few hours of website downtime might have cost him his firm. ACS:Law’s web team was so incompetent that in restoring the site they accidentally made an entire backup, replete with emails and passwords, available for anyone with a modicum of technical ability to see and take. Anonymous noticed it, snatched it, and promptly threw all the emails on the Pirate Bay. It was the first in a string of stunning, Anonymous-led leaks that provided evidence of grave corporate misconduct.
By this time, Crossley’s firm was already under government scrutiny. Months earlier, technology journalist Nate Anderson reported on what he described as a “spirited debate” among members of the House of Lords. As they discussed an amendment called “Remedy for groundless threats of copyright infringement proceedings,” many lords were critical of ACS:Law’s methods.19 Lord Lucas, who had proposed the amendment, offered particularly harsh words to ACS:Law: “We must also do something about the quantum of damages that is being sought. In a civil procedure on a technical matter, it amounts to blackmail; the cost of defending one of these things is reckoned to be £210,000.”20
The emails obtained by Anonymous simply helped confirm, with a far more granular and damning level of detail, the firm’s relentless targeting of alleged copyright violators on behalf of copyright associations.21 One tactic involved writing married men with allegations that they had downloaded gay porn; many of these men paid five hundred to six hundred pounds to make ACS:Law go away.22 The leaked emails were a final decisive blow, and by February 2011, ACS:Law had closed down.23
It bears noting, again, that AnonOps’ decision to target ACS:Law was, like many of its decisions, made in the heat of the (chaotic) moment. Had the group voted otherwise, the operation would have never transpired. It’s worth looking into just how these voting mechanisms work, and the targeting of ACS:Law provides a prime example.
The public channel #savetpb (i.e., Save the Pirate Bay—later to become #operationpayback) hosted, at its peak, over one thousand participants. Many of them had come from 4chan, where news about Aiplex’s methods spread and roiled many into action. Those on the public channels were encouraged to use a tool called the “Low Orbit Ion Cannon” (LOIC for short), subtitled “When harpoons, air strikes, and nukes fail.” LOIC is an open-source application that allows users to individually contribute to a DDoS campaign from the comfort of their home by simply entering the target address and clicking the temptingly giant button marked “IMMA CHARGIN MAH LAZER.” By entering an IP address identified within a channel users could direct their computers to join a chorus of protesters in sending requests to a target. Alternatively, participants could set LOIC to “hive mode,” which allows computers to automatically contribute to the voluntary botnet.
Meanwhile, in the private chann
el first named #savetpbmods and soon after renamed #command, others were engaged in deep, often heated, and utterly confusing debate regarding strategy and targets. Most in the public channel were unaware of the existence of this private channel, unless they were one of the few eventually tapped to join. During an interview, one of the founders of the secret channel explained the selection criteria as follows: “You’re invited by another member of #command if you’ve proved yourself productive/ useful or trustworthy.”
Presented below are only a tiny number of excerpts from a truly convoluted—yet still semi-coherent—two-hour conversation that occurred in #command as participants decided to target ACS:Law. Decision-making often follows a liquid path. It opened with the participants noting the impressive number of individuals gathered on the public channel—awaiting, as it were, their orders:
[…]
As they conversed, numbers continued to climb, and they started to worry about momentum and morale:
Hacker, Hoaxer, Whistleblower, Spy Page 10