We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency


by Parmy Olson





  In accordance with the U.S. Copyright Act of 1976, the scanning, uploading, and electronic sharing of any part of this book without the permission of the publisher constitute unlawful piracy and theft of the author’s intellectual property. If you would like to use material from the book (other than for review purposes), prior written permission must be obtained by contacting the publisher at [email protected]. Thank you for your support of the author’s rights.

  For Avó

  Before you read this book

  Names

  Most of the real names and online nicknames used in this book are real, but a few are not. All fabricated names in this book relate to “William,” a young man living in the UK whose nightly attempts to prank and harass people give us a peek into the world of 4chan’s most popular discussion board, /b/. His name and the names of his victims have been changed.

  Sourcing

  Most of the information and anecdotes in this book are sourced directly from interviews with those who played key roles in the story, such as Hector “Sabu” Monsegur and Jake “Topiary” Davis. However, hackers are known to occasionally share nicknames to help obfuscate their identities or even flat-out lie. As such I have attempted to corroborate people’s stories as much as time has allowed. When it comes to personal anecdotes—Sabu’s stop-and-search experience with the NYPD, for example—I have indicated that this is the hacker’s own testimony. In my year of gathering research for this book, certain hackers have proved themselves more trustworthy than others, and I have also leaned toward the testimony of sources I deem most reliable. Notes on the sourcing of key pieces of information, media reports, and statistics are found at the back of this book.

  Spelling

  To help maintain story momentum, I have cleaned up spelling and some grammar for quotes that were sourced from chat logs and have been used for dialogue between characters. In cases where I have interviewed people on Internet Relay Chat, I have also cleaned up spelling; however, if a source skipped a word or two, I have framed brackets [ ] around the implied words.

  People

  A few of the people featured in this book are figureheads in Anonymous, but they are not representative of Anonymous as a whole. It is worth saying that again: they are not representative of Anonymous as a whole. Some key characters, like William or Sabu, have volatile personalities, and in hearing their extraordinary stories, you, the reader, will come to learn about social engineering, hacking, account cracking, and the rise of the online disruptor perhaps more engagingly than if you read about these techniques alone. There are many people in Anonymous who are not the subject of police investigations like the ones featured in this book, and they also seek to uphold genuine standards of legality and political activism. For other perspectives on Anonymous, keep an eye out for work by Gabriella Coleman, an academic who has been following Anonymous for several years, and a book on Anonymous by Gregg Housh and Barrett Brown, due out in 2012. The documentary We Are Legion by Brian Knappenberger also gives more focus to the political activism of Anonymous.

  Part 1

  We Are Anonymous

  Chapter 1

  The Raid

  Across America on February 6, 2011, millions of people were settling into their couches, splitting open bags of nachos, and spilling beer into plastic cups in preparation for the year’s biggest sporting event. On that Super Bowl Sunday, during which the Green Bay Packers conquered the Pittsburgh Steelers, a digital security executive named Aaron Barr watched helplessly as seven people whom he’d never met turned his world upside down. Super Bowl Sunday was the day he came face-to-face with Anonymous.

  By the end of that weekend, the word Anonymous had new ownership. Augmenting the dictionary definition of being something with no identifiable name, it seemed to be a nebulous, sinister group of hackers hell-bent on attacking enemies of free information, including individuals like Barr, a husband and a father of twins who had made the mistake of trying to figure out who Anonymous really was.

  The real turning point was lunchtime, with six hours to go until the Super Bowl kickoff. As Barr sat on the living room couch in his home in the suburbs of Washington, D.C., dressed comfortably for the day in a t-shirt and jeans, he noticed that his iPhone hadn’t buzzed in his pocket for the last half hour. Normally it alerted him to an e-mail every fifteen minutes. When he fished the phone out of his pocket and pressed a button to refresh his mail, a dark blue window popped up. It showed three words that would change his life: Cannot Get Mail. The e-mail client then asked him to verify the right password for his e-mail. Barr went into the phone’s account settings and carefully typed it in: “kibafo33.” It didn’t work. His e-mails weren’t coming through.

  He looked down at the small screen blankly. Slowly, a tickling anxiety crawled up his back as he realized what this meant. Since chatting with a hacker from Anonymous called Topiary a few hours ago, he had thought he was in the clear. Now he knew that someone had hacked his HBGary Federal account, possibly accessing tens of thousands of internal e-mails, then locked him out. This meant that someone, somewhere, had seen nondisclosure agreements and sensitive documents that could implicate a multinational bank, a respected U.S. government agency, and his own company.

  One by one, memories of specific classified documents and messages surfaced in his mind, each heralding a new wave of sickening dread. Barr dashed up the stairs to his home office and sat down in front of his laptop. He tried logging on to his Facebook account to speak to a hacker he knew, someone who might be able to help him. But that network, with his few hundred friends, was blocked. He tried his Twitter account, which had a few hundred followers. Nothing. Then Yahoo. The same. He’d been locked out of almost every one of his Web accounts, even the online role-playing game World of Warcraft. Barr silently kicked himself for using the same password on every account. He glanced over at his WiFi router and saw frantic flashing lights. Now people were trying to overload it with traffic, trying to jam their way further into his home network.

  He reached over and unplugged it. The flashing lights went dead.

  Aaron Barr was a military man. Broad shouldered, with jet-black hair and heavy eyebrows that suggested distant Mediterranean ancestors, he had signed up for the U.S. Navy after taking two semesters of college and realizing it wasn’t for him. He soon became a SIGINT, or signals intelligence, officer, specializing in a rare assignment, analytics. Barr was sent abroad as needed: four years in Japan, three in Spain, and secondments all over Europe, from Ukraine to Portugal to Italy. He was stationed on amphibious warships and got shot at on land in Kosovo. The experience made him resent the way war desensitized soldiers to human life.

  After twelve years in the navy he picked up a job at defense contractor Northrop Grumman and settled down to start a family, covering over his navy tattoos and becoming a company man. He got a break in November 2009 when a security consultant named Greg Hoglund asked Barr if he wanted to help him start a new company. Hoglund was already running a digital security company called HBGary Inc., and, knowing Barr’s military background and expertise in cryptography, he wanted him to start a sister company that would specialize in selling services to the United States government. It would be called HBGary Federal, and HBGary Inc. would own 10 percent. Barr jumped at the chance to be his own boss and see more of his wife and two young children by working from home.

  He relished the job at first. In December 2009, he couldn’t sleep for three nights in a row because his mind was racing with ideas about new contracts. He’d get on his computer at 1:30 a.m. and e-mail Hoglund with some of his thoughts. Less than a year later, though, none of Barr’s ideas was bringing in any money. Barr was desperate for contracts, and he was keeping the tiny company of three employees afloat by running “social media training” for executives, bringing in twenty-five thousand dollars at a time. These were not lessons in how to maintain friendships on Facebook but in how to use social networking sites like Facebook, LinkedIn, and Twitter to gather information on people—as spying tools.

  In October 2010, salvation finally came. Barr started talking to Hunton & Williams, a law firm whose clients—among them the U.S. Chamber of Commerce and Bank of America—needed help dealing with opponents. WikiLeaks, for example, had recently hinted at a trove of confidential data it was holding from Bank of America. Barr and two other security firms made PowerPoint presentations that proposed, among other things, disinformation campaigns to discredit WikiLeaks-supporting journalists and cyber attacks on the WikiLeaks website. He dug out his fake Facebook profiles and showed how he might spy on the opponents, “friending” Hunton & Williams’s own staff and gathering intelligence on their personal lives. The law firm appeared interested, but there were still no contracts come January 2011, and HBGary Federal needed money.

  Then Barr had an idea. A conference in San Francisco for security professionals called B-Sides was coming up. If he gave a speech revealing how his social media snooping had uncovered information on a mysterious subject, he’d get newfound credibility and maybe even those contracts.

  Barr decided that there was no better target than Anonymous. About a month prior, in December 2010, the news media exploded with reports that a large and mysterious group of hackers had started attacking the websites of MasterCard, PayPal, and Visa in retaliation for their having cut funding to WikiLeaks. WikiLeaks had just released a cache of thousands of secret diplomatic cables, and its founder and editor in chief, Julian Assange, had been arrested in the U.K., ostensibly for sexual misconduct.

  Hackers was a famously imprecise word. It could mean enthusiastic programmer, it could mean cyber criminal. But people in Anonymous, or Anons, were often dubbed hacktivists—hackers with an activist message. From what anyone could tell, they believed all information should be free, and they might just hit your website if you disagreed. They claimed to have no structure or leaders. They claimed they weren’t a group but “everything and nothing.” The closest description seemed to be “brand” or “collective.” Their few rules were reminiscent of the movie Fight Club: don’t talk about Anonymous, never reveal your true identity, and don’t attack the media, since they could be purveyors of a message. Naturally, anonymity made it easier to do the odd illegal thing, break into servers, steal a company’s customer data, or take a website offline and then deface it. Stuff that could saddle you with a ten-year prison term. But the Anons didn’t seem to care. There was strength and protection in numbers after all, and they posted their ominous tagline on blogs, hacked websites, or wherever they could:

  We are Anonymous

  We are Legion

  We do not forgive

  We do not forget

  Expect us.

  Their digital flyers and messages featured a logo of a headless, suited man surrounded by U.N.-style peace branches, supposedly based on the surrealist painting of a man with a bowler hat and apple by René Magritte. Often it included the leering mask of Guy Fawkes, the London revolutionary embellished in the movie V for Vendetta and now the symbol of a faceless rebel horde. Anonymous was impossible to quantify, but this wasn’t just dozens or even hundreds of people. Thousands from all over the world had visited its main chat rooms in December 2010 to take part in its attacks on PayPal, and thousands regularly visited Anonymous-related blogs and new sites like AnonNews.org. Everyone in the cyber security field was talking about Anonymous, but no one seemed to know who these people were.

  Barr was intrigued. He had watched the world’s attention to this mysterious group grow and seen reports of dozens of raids and arrests in the United States and Europe. Yet no one had been convicted, and the group’s leaders had not been tracked down. Barr believed he could do better than the Federal Bureau of Investigation—maybe help the FBI, too—with his social media snooping expertise. Going after Anonymous was risky, but he figured if the collective turned on him, the worst they could do was take down the website of HBGary Federal for a few hours—a couple of days, tops.

  He had started by lurking in the online chat rooms where Anonymous supporters congregated and creating a nickname for himself, first AnonCog, then CogAnon. He blended in, using the group’s lingo and pretending to be a young new recruit eager to bring down a company or two. On the side, he’d quietly note the nicknames of others in the chat room. There were hundreds, but he paid attention to the frequent visitors and those who got the most attention. When these people left the chat room, he’d note the time, too. Then he’d switch to Facebook. Barr had created several fake Facebook personas by now and had “friended” dozens of real-world people who openly claimed to support Anonymous. If one of those friends suddenly became active on Facebook soon after a nickname had exited the Anonymous chat room, Barr figured he had a match.

  By late January, he was putting the finishing touches on a twenty-page document of names, descriptions, and contact information for suspected Anonymous supporters and leaders. On January 22, 2011, Barr sent an e-mail to Hoglund and HBGary Inc. co-president Penny Leavy (who was also Hoglund’s wife) and Barr’s second in command, Ted Vera, about his now forthcoming talk at B-Sides on Anonymous. The big benefit of the talk would be the press attention. He would also tell a few people in Anonymous, under a false persona, about the research of a “so-called cyber security expert” named Aaron Barr.

  “This will generate a big discussion in Anonymous chat channels, which are attended by the press,” Barr told Hoglund and Leavy. Ergo, more press about the talk. “But,” he added, “it will also make us a target. Thoughts?”

  Hoglund’s reply was brief: “Well, I don’t really want to get DDoS’d, so assuming we do get DDoS’d then what? How do we make lemonade from that?” Hoglund was referring to a distributed denial of service attack, which described what happened when a multitude of computers were coordinated to overwhelm a site with so much data that it was temporarily knocked offline. It was Anonymous’s most popular form of attack. It was like punching someone in the eye. It looked bad and it hurt, but it didn’t kill you.

  Barr decided the best thing to do was reach out directly to the press before his talk. He contacted Joseph Menn, a San Francisco–based reporter for the Financial Times, offering an interview about how his data could lead to more arrests of “major players” in Anonymous. He gave Menn a taste of his findings: of the several hundred participants in Anonymous cyber attacks, only about thirty were steadily active, and just ten senior people managed most of the decisions. Barr’s comments and the story of his investigation suggested for the first time that Anonymous was a hierarchy and not as “anonymous” as it thought. The paper ran the story on Friday, February 4, with the headline “Cyberactivists Warned of Arrest,” and quoted Barr.

  Barr got a small thrill from seeing the published article and e-mailed Hoglund and Leavy with the subject line, “Story is really taking shape.”

  “We should post this on the front page, throw out some tweets,” Hoglund replied. “‘HBGary Federal sets a new bar as private intelligence agency.’ The pun on bar is intended lol.”

  By the end of Friday, detectives from the FBI’s e-crime division had read the article and contacted Barr asking if he wouldn’t mind sharing his information. He agreed to meet them Monday, the day after the Super Bowl. At around the same time, a small group of hackers with Anonymous had read the story, too.

  They were three people, in three different parts of the world, and they had been invited into an online chat room. Their online nicknames were Topiary, Sabu, and Kayla, and at least two of them, Sabu and Topiary, were meeting for the first time. The person who had invited them went by the nickname Tflow, and he was also in the room. No one here knew anyone else’s real name, age, sex, or location. Two of them, Topiary and Sabu, had only been using their nicknames on public chat rooms for the last month or two. They knew snippets of gossip about one another, and that each believed in Anonymous. That was the gist of it.

  The chat room was locked, meaning no one could enter unless invited. Conversation was stilted at first, but within a few minutes everyone was talking. Personalities started to emerge. Sabu was assertive and brash, and he used slang like yo and my brother. None of the others in the room knew this, but he was a born-and-bred New Yorker of Puerto Rican descent. He had learned to hack computers as a teenager, subverting his family’s dial-up connection so they could get Internet access for free, then learning more tricks on hacker forums in the late 1990s. Around 2001, the nickname Sabu had gone underground; now, almost a decade later, it was back. Sabu was the heavyweight veteran of the group.

  Kayla was childlike and friendly but fiercely smart. She claimed to be female and, if asked, sixteen years old. Many assumed this was a lie. While there were plenty of young hackers in Anonymous, and plenty of female supporters of Anonymous, there were very few young hackers who were female. Still, if it was a lie, it was elaborate. She was chatty and gave away plenty of colorful information about her personal life: she had a job in her salon, babysat for extra money, and took vacations in Spain. She even claimed Kayla was her real name, kept as a “fuck you” to anyone who dared try to identify her. Paradoxically, she was obsessive about her computer’s privacy. She never typed her real name into her netbook in case it got key-logged, had no physical hard drive, and would boot up from a tiny microSD card that she could quickly swallow if the police ever came to her door. Rumor even had it that she’d stabbed her webcam with a knife one day, just in case someone took over her PC and filmed her unaware.

 
