Hacker, Hoaxer, Whistleblower, Spy
Combining this simplified picture with a recognition of InfoSec’s historical derision of Anonymous allows us to more fully appreciate why the security community’s adoration of LulzSec is all the more remarkable. The following 2011 Halloween photo might best sum it up:15
Dressed as LulzSec, these New York City–based hackers were not only living large and having a grand time—they were also giving mad props to the rebel, misfit hackers. While all the characteristics of the LulzSec mythology are represented, there is one additional element that may not be so obvious: the lack of pants. Many considered LulzSec to be pointing, in badass Internet style, to the fact that the Emperor Has No Clothes. Since forever, security professionals have been yelling from the top of a lonely, wind-swept, barren mountaintop about the dire need for organizations to invest more resources, energy, time, and personnel toward better security. LulzSec, it seemed, had finally found a way to get people to listen.
One may wonder why security is so weak in a sector so large and profitable. After all, cyber (fear) sells.16 Not only does the industry regularly sell software scams (such as out-of-the-box software solutions that cannot be configured to address the risk profiles unique to an institution), or products intended to replace a dedicated security team that can do more harm than good, but the initial desire for security itself remains a low priority for many firms, even well-funded ones. A New York City–based security hacker explained: “One of the challenges in security is how to get people to take it seriously because at the executive level it just looks like an expense.” The fact that Sony—a multinational corporation—could get pillaged with such impunity in 2011 is an indicator of the depth and nature of the problems. Cases like these make hackers who create secure systems completely furious.
LulzSec, more than any other person, report, or group in recent memory, managed to convey a message that many security professionals had been unsuccessfully pitching for over two decades. The effects were similar to the antagonistic antics of L0pht Heavy Industries, a loose association of hackers who regularly met in person. In 1998, during a group conversation, a couple of them coined the term “gray hat” to describe hackers who are ambiguously—and deliberately—situated between the black and white labels that had come to distinguish malicious hackers from more benevolent ones. “Gray hat” hackers are not above acting illegally, but typically they do so only to identify, and publicize, vulnerabilities. L0pht became so successful that in May 1998, seven of its members were invited to testify (in semi-theatrical fashion) to the Committee on Governmental Affairs chaired by Republican Senator Fred Thompson. With his refined, somber, and heavy Tennessee accent, Senator Thompson introduced the “hacker think tank” and explained that “due to the sensitivity of the work done at the L0pht, they will be using their hacker handles: Mudge, Weld, Brian Oblivion, Kingpin, Space Rogue, Tan, and Stefan.”17 Muffled laughter rippled through the chambers, likely because hacker handles were superfluous: C-SPAN recorded the testimony and the hackers were unmasked. Their remarks addressed numerous topics, but the claim that they could take down the entire Internet in thirty minutes jumped out from the rest. This was meant not as a threat. It was a plea to improve the abysmal state of Internet security in 1998.
L0pht’s testimony to Congress was deferential; many of the participants wore suits, and an effort was made to present broadly intelligible explanations. LulzSec was not invited to visit Congress—nor could they take down the Internet—but in the course of their errant questing they managed to deliver a similar message. They made people pay attention to the sordid state of Internet security—not by offering a carefully constructed testimonial, but in the mere course of their travels in search of adventure (which happened to include over a dozen high-profile hacks along the way). They did so in the face of US laws, like the CFAA, that were designed to punish any hacker who got caught, regardless of motivation. LulzSec’s gutsy hacks against corporate giants and government agencies, now the stuff of legend, were quite effective—maybe even necessary—to get people to wake up.
Many security experts I interviewed directly cited LulzSec’s role in making high-level executives heed their messages, at least for a short while (2013 saw a string of massive data breaches: Adobe, Target, Neiman Marcus, LivingSocial, the Washington State Administrative Office of the Courts, Evernote, Drupal.org, the US Federal Reserve, OKCupid … the list goes on).18 A 2011 blog post by security researcher and journalist Patrick Gray entitled “Why We Secretly Love LulzSec” was widely read among security professionals and captured their prevailing mood. He explained to me the impact of his piece: “It picked up more buzz than anything I’d ever written, including pieces for ZDNet/CNet, The Sydney Morning Herald, The Age, Wired … I’ve written plenty of news stories that went big globally, but this was something entirely different.” In the piece, Gray wrote:
It might be surprising to external observers, but security professionals are also secretly getting a kick out of watching these guys go nuts … The mainstream media are having fun criticizing Sony for its poor security, but do we honestly think for a second that the XBox Live network can’t be similarly pwnt? (I know the PSN breach hasn’t been pinned on LulzSec, but the point stands.) Is there any target out there that can’t be “gotten”?19
Even if the innumerable security problems plaguing the Internet could not be magically fixed, it was still satisfying to call out the “elephant in the room,” as Gray tagged it.
LulzSec’s spectacle also revealed the hypocritical charade of many firms, as they performed strange acrobatics to shift blame. A New York City–based security researcher who prefers to remain anonymous explained:
One thing I think is interesting is that these people [corporations] are getting owned every day, but their info isn’t getting splattered all over the Internet. It’s usually getting owned by people doing it for profit. The irony is that when people are stealing intellectual property for financial advantage, they won’t do anything about it … I think it’s ironic now that LulzSec is making people eat their vegetables.
This position was echoed by Chris Wysopal, one of the original members of L0pht, who now runs a well-respected security firm:
Corporations take public embarrassment more seriously than stolen intellectual property. The Sony attacks sent chills down the spines of Fortune 100 CISOs and their boards. We had customers come to us and literally say, “I don’t want to be another Sony.” They scanned thousands of websites and remediated hundreds of critical vulnerabilities so that didn’t happen to them. In this way, LulzSec made the Internet more resilient. In some ways it is like an immunization giving your immune system a taste of the virus that would otherwise kill you and force your immune system to work to build protection.
LulzSec’s popularity among security types exceeded its practical role of forcing executives to “eat their vegetables.” Its rich but accessible visual vocabulary incarnated the subversive pleasure and magic of hacking, so often left invisible. You may think that making or breaking, exploiting or building, securing and pen-testing cannot involve artistry, creative expression, and pleasure—but this is exactly what these technologists experience: bliss (along with the type of agonizing frustration that only makes the bliss doubly potent in its overcoming). Conveying the nature of this gratification to outsiders is next to impossible, because the technical craft is so esoteric. LulzSec’s publicized antics are the most accurate representation I have ever seen of the look, feel, and sensibilities that attend the pleasures of hacking. And each piece of LulzSec’s iconography symbolizes the sensual and ideological sides of this world: the boat (standing for the pirate freedom of the high seas), the man with the monocle and suit (snooty l33t hacker), the cat (because if it is related to the Internet, there must be felines), the music (hacking to music is always preferable to doing the deed in silence), manifestos (free expression, dammit!), and law breaking (because rules, fuck them). LulzSec embodied the pleasure of hacking and subversion like no other group. LulzSec also represented a site of longing and fantasy. What the team did so blatantly was something many hackers wished they were doing. Some had certainly experienced the same illicit pleasures in days gone by, when the world of computing first opened up to them through exploration and tinkering—but this was typically done without a massive global audience.
Now, not all hackers adored the crew. HTP, the group that loved to pwn Anonymous, extended its loathing to LulzSec. As one LulzSec member who went by the name pwnsauce put it, “HTP saw us as attention-whoring fucknuggets, basically.” HTP’s viewpoint reflects a long-held ethos in the hacker underground, one that drives some hackers to snub those seeking attention from the mainstream press (attention is anathema to staying out of the “clink”—and LulzSec’s failure proved the wisdom of this folk ethos). Even if LulzSec hackers did not do many interviews, they were nevertheless doing everything possible to land major stories by drawing as much attention to themselves as possible. They once did so by attacking the media itself.
Media
Anonymous may not ever have (readily) nominated any individuals to speak on its behalf, but it hosted an IRC channel, #reporter, where dozens of journalists interviewed participants. LulzSec was more secretive, offering no public channel for journalistic access and giving almost no interviews in general (except to Parmy Olson and, occasionally, Steve Ragan). There was no celebrity to showcase, except the group itself. Nevertheless, by the end of June 2011, LulzSec had become something like hacker rock stars. This foray into celebrity territory drew some furrowed eyebrows from the broader Anonymous community, but, for the most part, there was enough distance—LulzSec repeatedly confirmed its autonomy—that even the pseudonymous collective from which LulzSec broke away could enjoy the show without feeling that it affected its own mores and ethical sensibilities.
LulzSec, unlike AnonOps, clawed at the media. Its major hack against the press was directed against PBS in retaliation for its Frontline film on WikiLeaks, WikiSecrets. The documentary drew the ire of LulzSec members, notably Sabu, who disliked the film for how it skirted the pressing political issues raised by Cablegate in favor of a sensationalist psychoanalyzing of the “dark” inner life of Chelsea Manning. LulzSec launched a two-pronged campaign. They dumped the personal data of PBS staff and defaced its website, leaving a clever article that could almost pass as real (see figure overleaf).
Even if the article was destined (and designed) to be understood as a fake, it worked as a hoax. Perhaps because the scenario was hypothetically plausible, Topiary (its writer) sprinkled the article with giveaways. The proposed source of information—a hand-written diary—was absurdly quaint by today’s standards. And the most unbelievable nugget was the suggestion that law enforcement was in on the arrangement—not only because privacy is in short supply for celebrities, but because privacy itself has been nonexistent for a long time. Just in case you were fooled, the story’s kicker jolts you back to reality with the nonsensical statement “yank up as a vital obituary” (an anagram of the handles of the LulzSec members who participated in the hack, Topiary, Sabu, Kayla, Avunit), and a reference to the diary-writer’s girlfriend, Penny—named after none other than HBGary’s president.
While some were disturbed by an attack directed at the media, the Twitter frenzy as the story spread mostly showed adulation. The allure of this act can be explained if we turn to an anthropological definition of defacement provided in Michael Taussig’s striking book on the topic: “Defacement works on objects the way jokes work on language, bringing out their inherent magic nowhere more so than when those objects have become routinized.”20 LulzSec laid bare the subject of celebrity by defacing a media object—the journalistic article—with a strong dose of humor.
Every major Western news establishment ran a piece about the bogus article, and most skimmed over the part about the ethically questionable data breach. The political motivation behind the hack received only cursory treatment, even though LulzSec published an explicit statement rationalizing its actions. This was a further (and ironic) demonstration of the mainstream media’s proclivity for sensationalizing issues—the very behavior exhibited by the WikiLeaks documentary that prompted the operation in the first place.
“We futurescan”
One might think that the corporate response to LulzSec, and by extension Anonymous, was wholly negative. In reality, it was a little more complicated. Starting in the fall of 2011 and peaking in 2012, various individuals and institutions situated in and around the highest echelons of the corporate world began to contact me. I spoke with the founding partner of a venture capitalist firm in New York City, the head of European security for Vodafone, and a senior vice president from TTI/Vanguard (self-described as “a unique forum for senior-level executives that links strategic technology planning to business success”). I gave two talks (one virtual) for an NYU global risk and security group that included chief security officers (CSOs) and other executives from major corporations. Finally I participated at an event run by “World 50,” an organization that convenes events for senior executives of mostly Fortune 500 companies.
The list would be incomplete without mentioning my 2012 talk at TEDGlobal in Edinburgh, Scotland. While TED’s online videos reach a popular audience of millions, the conference itself is primarily attended by wealthy elites—with the exception of some of the speakers, such as myself, and select attendees who receive financial aid from TED. The privilege of attending TED costs roughly $6,000. Of course, one has to be chosen first (you have to apply). This does not include the costs of travel or accommodations, but it does grant access to some fancy parties featuring copious food and drink, concerts, highly curated TED talks, and the opportunity to converse with some famous and fascinating people (or their assistants, at least). After my talk, Will Smith’s personal assistant struck up a conversation with me, making a vigorous attempt to convince me that his boss, who is rumored to be a Scientologist, is actually an avid fan of Anonymous. Was he social-engineering me in an attempt to protect his boss from a potentially career-damaging attack by Anonymous, or did we really just randomly bump into each other?
That was pretty tame compared to another memorable encounter. While sampling the delicious snacks during one of the breaks, a Fortune 500 executive snuck up on me, clutched my arm—rather too tightly, I felt—and, clearly projecting his anxiety onto me, whispered loudly into my ear: “You are sooooooo brave to study Anonymous.” Just the day before, I had visited a local Anon and his partner. The highlight was touring their garden, where I saw their beehive, followed by a very tasty home-cooked meal of pheasant and sweet potato mash. Afterwards, we watched the documentary We Are Legion: The Story of the Hacktivists and his partner was rather floored to learn that there was actually some political substance to Anonymous. All this time, she had thought he had been messing around on his computer engaging in purely juvenile acts. After this gentle experience with a “dreaded” Anon, I found it hard to roll over for this executive’s praises of bravery and courage. I guess I could have been stung by a bee? I thought to myself.
At one level, these men and women struck me as regular folk. They complained about their spoiled sons and daughters, the exorbitant cost of higher education in the United States, and (some of them, at least—a naturalized Canadian, now that I remember) the lack of universal health care in the United States. Many even engaged in a time-honored workplace pastime: railing against their immediate overseer. Of course, in this milieu, that usually happened to be the CEO of a mega corporation. But make no mistake: during the World 50 event held at the Contemporary Jewish Museum in San Francisco, I heard two twenty-something caterers mutter to each other, not caring that I could plainly overhear, that “it is a different world in there.” Take the name tags we were given at the event. These weren’t some piece-of-paper-shoved-in-a-plastic-sleeve-with-some-kind-of-branding lanyards. These looked like they came straight out of Restoration Hardware (a high-end American furniture store). Made of metal, the clasp was powered by a magnet. In a pinch, you could probably use one as a ninja throwing star. Sadly, I only used mine to identify myself. After acquiring my name tag and a lunch of seared tuna and other delicacies, we were moved upstairs to an airy, sun-drenched private room decked out with plush chairs for talks, which ranged in subject from massive open online courses (or MOOCs) to Anonymous (mine, of course). In the audience were executives from AstraZeneca, Cargill, Hewlett-Packard, Hilton Worldwide, Huawei Technologies, Hyatt Hotels, Juniper Networks, Monsanto, Rio Tinto, The Coca-Cola Company, and Tiffany & Co. Even though lunch had just been provided, there was an impressive ensemble of snacks and drinks, including beautiful glasses full of M&Ms and ten beverage choices. After the talks, everyone was whisked away to a dinner at a restaurant overlooking the Bay Bridge, which started with an intimate talk by Steve Martin.
Not surprisingly, corporate executives, especially from blue chip companies, wanted nothing more than for someone to wave a wand and make both Anonymous and LulzSec disappear. Executives from technology companies seemed curious and, if nothing else, at least familiar with Anonymous’s involvement in a range of political movements. Sometimes they were even interested to learn about Anonymous’s role in the Arab Spring. Executives from financial and energy firms tended to be frosty, while those from other industries showed curious mixtures of disgust and fear. One head of communications for a low-cost airline jokingly wished Anonymous would hack her company—the free publicity would be stellar.