We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency

by Parmy Olson


  “Guys, what we are doing today is going to change the world,” he said.

  The others in the group stopped for a moment and then laughed, Housh later recalled.

  “Gtfo,” wrote one. “Quit your jibber jabber.” But the French Anon was unrelenting. Tens of thousands of people were going to watch the video they were making. This was the start of something major, “and we just don’t know what it is yet.”

  Housh and the others shrugged and carried on, according to Housh. They called the video Message to Scientology, published it on January 21, and posted links all over the chans and Digg. Having worked on the video through the night, most of them went to sleep.

  The next morning, Housh’s girlfriend at the time nudged him awake. “You need to get back onto your computer,” she said. “Stuff is blowing up.”

  Housh fell out of bed, fumbled for his glasses, and stared at his screen. The Partyvan IRC network was crashing as thousands of new people tried piling into #xenu.

  “We had DDoS’d ourselves,” he later recalled in an interview. The video had been picked up by Gawker and another tech site called The Register, and thousands had seen it. Later that day, around ten thousand people were trying to get into #xenu, and the IRC network hosts on Partyvan kicked everyone off the network. Housh and the others tried to get everyone to move to another IRC network, which immediately went down. Fortunately, the Partyvan admins came back, saying they had added five more servers so that the horde could return. Most communication for Anonymous was now taking place on Partyvan IRC servers.

  It was a whirlwind for Housh and the others. Waking up and realizing that thousands of people wanted to take part in this prank, they suddenly had it dawn on them that people were paying attention and they couldn’t just do something silly.

  Over the next forty-eight hours, #press began filling up with a few more people who liked setting agendas. Realizing that the chat room was starting to turn into an organizational hub, the group, who hadn’t known one another before these last few days, changed the channel’s name to #marblecake. By picking a random name, their room was more likely to remain private, allowing them to avoid the distraction of visitors and focus on organizing. For the first couple of days they were stumped on what to do next and argued about how the masses should proceed.

  “We had no clue what we were doing,” Housh remembered. Should they hit Scientology with more DDoS attacks? Prank them in some other way? They decided the first port of call was to stop #xenu from collapsing. They asked the IRC operators to limit the channel to a hundred people so that any more than that would be automatically kicked out. They then directed people to join channels based on the city nearest to them, such as #London, #LA, #Paris, or #NY. Over the next six hours, the legion self-​segregated.

  The first DDoS attacks on Scientology had been carried out using simple Web tools like Gigaloader and JMeter. Within a few days, though, they were usurped by what would become the two most popular weapons in the Anonymous arsenal: botnets and the Low-Orbit Ion Cannon (LOIC).

  Botnets would not be used significantly by Anonymous for a few more years, but they were easily the more powerful of two key weapons. These were large networks of “zombie” computers usually controlled by a single person who gave them commands from a private IRC channel. It’s rumored that botnets were used just once or twice during the first Anonymous attacks on Chanology, though few details are known. Often botnets are made up of between ten thousand and one hundred thousand computers around the world. The biggest botnets, ones that have the power to take out the servers of small governments, have upward of a million computers. The computers belong to average people like you and me, oblivious to what is going on—often we’ll have joined a botnet by accidentally downloading infected software or visiting a compromised website. Perhaps someone sent us a spam e-mail with a link promising free photo prints or a cash prize, or we clicked on an interesting video that disguised malicious code.

  Nothing appears to be amiss after such software downloads. It installs itself quickly and quietly and for the most part remains dormant. When the botnet controller issues commands to a network of “bots,” a signal is sent to the infected computer, and the small program that was downloaded starts up in the background without the owner’s realizing it. (Who knows—your computer could be taking part in a DDoS attack right now.) The network of thousands of computers will act together, as if they were one single computer. Typically, botnets will use their bots to send spam, find security vulnerabilities in other websites, or launch a DDoS attack on a corporate website while the controller demands a ransom to stop. In underground hacker culture, larger botnets translate to greater street cred for the controllers, or botmasters.

  It’s unclear how many computers in the world have been assimilated into botnets, but the number is at least in the tens of millions, with the greatest number of bot-infested computers in the United States and China. In 2009 the Shadowserver Foundation reported that there were thirty-five hundred identified botnets in the world, more than double the number in 2007. In March 2010 Spanish police arrested three men behind a botnet called Mariposa, Spanish for “butterfly.” Discovered by white-hat hackers (cyber security specialists) and law enforcement agents in 2008, the monster botnet was made up of as many as twelve million zombie computers and had been used to launch DDoS attacks, send out e-mail spam, and steal personal details. The ringleaders made money on the side by renting it out.

  Renting a botnet was far less risky than making one yourself, and with the right skill set and contacts, they were surprisingly easy to come by. A 2010 study by Web infrastructure company VeriSign showed the average rate for renting a botnet from an underground marketplace was $67 for twenty-four hours and just $9 for one hour. Renting a botnet that could take out the servers of a small government might cost around $200 an hour. Botnets used by Anonymous in both the Chanology attacks of 2008 and Op Payback in 2010–11 were both rented and self-​created, and sources say there was also a range of botnet sizes. But it was the super botnets, controlled by a small handful of people, that could do the most damage.

  The second weapon in the Anonymous arsenal was the Low Orbit Ion Cannon, whose acronym is pronounced “lo-ick.” In terms of power, it was piddling against a botnet—like the difference between a long-range missile and a handgun—but the software was free and easy for anyone with a computer to access. From the start of Chanology onward, LOIC started replacing Gigaloader in popularity. The origins of the software program are a little unclear, but it is widely thought to have first been developed by a programmer nicknamed Praetox, who was eighteen at the time, lived in Oslo, Norway, and enjoyed programming and “running in the woods,” according to his website.

  Praetox made all sorts of things on his computer, including cheats for the online role-playing game Tibia and a program that would make windows on a computer desktop look transparent. He was also versed in chan culture and used the cartoon image of a “Pool’s closed” sign for his YouTube account. The name LOIC itself comes from a weapon in the Command & Conquer video game series, and of all his creations it would be Praetox’s legacy.

  Praetox appears to have originally created LOIC as an open source project, which meant anyone could improve it. Eventually, a programmer nicknamed NewEraCracker made some tweaks that allowed LOIC to send out useless requests or “packets” to a server, making it what it is today. At the time, packets were part of everything one did on the Internet. Visiting a web page involved receiving a series of packets, as did sending an e-mail, with a typical packet containing 1–1,500 bytes. They can be compared to addressed envelopes in the postal service. “Packet sniffing” meant trying to figure out what was inside a piece of mail by looking at what was on the envelope. The data inside a file could be encrypted, but the packet itself would always identify the sender and receiver.

  A DDoS attack was, in one way, like overwhelming someone with thousands of pieces of junk mail that they had no choice but to open. One defense was to “filter the packets,” which would be like asking a doorman to not allow any mail from a certain sender. But DDoS protection costs money, and it was difficult to filter the junk packets from LOIC, since they were coming from many different users. Ultimately, if enough people used the program and “aimed” it at the same site at the same time, they could overload it with enough junk traffic to take it offline. The effect was similar to a botnet’s, except instead of having infected computers, the participants were voluntarily joining the network. A key difference was effectiveness. The effect of LOIC was far more unpredictable than that of traditional botnets, since popularity and human error came into play. You might need four thousand people to take the website of a major corporation down, in the same way you’d need four thousand people wielding handguns to destroy a small building. You’d need just a few hundred people to take down a tiny homemade website belonging to an individual. The upside was that downloading LOIC was free and easy—you could get it from a torrent site or 4chan’s /rs/ board.

  One of the hundreds of people who downloaded LOIC and took part in some of the first impromptu Scientology attacks was a college student named Brian Mettenbrink. An Iowa State University student with a mop of brown hair and a beard, Mettenbrink, eighteen, was sitting in front of his desktop computer in a dorm room, browsing through his favorite website, 7chan, when he first saw posts about a Scientology raid in January 2008. He did not care about Scientology, but he was interested in exploring the world of IT security and reasoned that taking part in an attack like this was a good way to learn about the other side of the industry. Besides, with so many other people contributing to the attack, he wouldn’t get caught.

  Mettenbrink, who had been regularly visiting 4chan since he was fifteen, went to the site’s /rs/ board and downloaded LOIC. The download took a few seconds, and it included a “readme” file to explain how to use it. The program gave the impression that it was connecting users to an army of rebel fighters. When Mettenbrink first opened LOIC, the main window that popped up had a Star Wars–themed design: dark and light green text boxes, and a Photoshopped mock-up of the Anti-Orbital Ion Cannon used in Star Wars: The Clone Wars, blasting a thick green laser beam toward a planet.

  There were options to “Select a target,” by adding in a URL, and a button saying “Lock on.” Once you had a locked target, a large box in the middle would show its server’s IP address as the program geared up for an attack. Next came another big button labeled “IMMA CHARGIN MAH LAZER,” followed by options to configure the attack. During the first DDoS attacks on Scientology, the LOIC was always in “manual mode,” which meant users would decide where and when to fire and what type of junk packets to send out.

  Once an attack was under way, a status bar at the very bottom would show the program as being Idle, Connecting, Requesting, Downloading, or Failed. If “Requesting,” a number would start rising rapidly. Once it froze, that meant the LOIC was stuck or the target was down. You could check by visiting the target website—if you got a “Network Timeout” error message, it meant mission accomplished.

  There was no buzz or rush of feeling when Mettenbrink first fired LOIC at Scientology.org, especially since the program froze as soon as it started. He checked his configurations, and when the program got going again, he minimized the window and went back to wasting time on 7chan. Unlike Gregg Housh, Mettenbrink was a casual participant in Chanology. He did not bother joining an IRC channel like #xenu or finding out what Anonymous might do next. Instead, he kept LOIC running for several days and nights in the background of his computer, eventually forgetting he was running it at all. Only when he noticed that the program was starting to slow down his Internet connection did he switch it off—about three days after starting it.

  “I am not responsible for how you use this tool,” LOIC programmer NewEraCracker had written as a disclaimer for the program when he uploaded his tweaked version to the Web. “You cannot blame me if you get caught for attacking servers you don’t own.” It was crucial for people who were using LOIC to run it through an anonymizing network like Tor to hide their IP addresses from the target or police. But there were plenty of oblivious supporters, like Mettenbrink, who ran LOIC straight off their own computer with no special software. This was often because they did not know how, or they didn’t realize that using LOIC was illegal.

  On top of that, more Anons were communicating on IRC networks, which meant they had nicknames and reputations to uphold. Now there wasn’t just the attraction of being part of a mob—there was a sense of obligation to return and join in with future attacks. Some participants in a Chanology IRC channel knew, for instance, that returning to an IRC channel the following day also meant reacquainting themselves with a new stable of online friends, who might think less of them if they didn’t turn up. This wasn’t like /b/, where you could suddenly disappear and no one would notice.

  Chanology was turning into a new community of hundreds of people, and it brought the collective to a point where communication was gradually splitting between image boards and IRC networks. Image boards like 4chan had been using LOIC for a couple of years; the /b/tards were forever declaring war on other sites that they claimed were stealing credit for their memes and content, such as eBaum’s World or the blogging site Tumblr. But now more Anons were starting to use IRC networks to coordinate and follow instructions for DDoS attacks. Beginning in January 2008, organizers had also started publishing announcements on Chanology and how-to guides on the Partyvan network so that the sudden influx of thousands of “newfags” from all over the world to these new online protests could learn about LOIC and IRC channels without having to ask.

  The DDoS attacks on Scientology reached a pinnacle on January 19, when the church’s main website was hit by 488 attacks from different computers. Several media outlets, among them Fox and Sky News, reported that the online disruptions were being caused by a “small clique of super hackers.” This was a terrible misconception. Only a few Anonymous supporters were skilled hackers. Many more were simply young Internet users who felt like doing something other than wasting time on 4chan or 7chan.

  When someone posted an announcement on Partyvan that there would be a third, bigger DDoS attack on January 24, about five hundred people are rumored to have taken part. But by then, Scientology had called in Prolexic Technologies, a specialist in DDoS protection based in Hollywood, Florida, to help shield their servers. Soon the LOIC-based attacks stopped having an effect and the Scientology sites were up and running as normal.

  Scientology then hit back through the media, telling Newsweek in early February that Anonymous was “a group of cyber-​terrorists…perpetrating religious hate crimes against Churches of Scientology.” The strong wording didn’t help Scientology’s cause, bearing in mind a famous phrase on the Internet: “Don’t feed the troll.” By appearing defensive, Scientology was inadvertently provoking more Anons to take part in the attacks. And because joining Anonymous was so easy—at minimum you had to enter an IRC channel, or /b/, and join in the conversation—hundreds of new people started looking in.

  Then Anonymous found another way to cause a stir. Back in #marblecake, Housh had noticed one team member who had been quiet for the past four days. He asked him to figure out how many cities and countries were being represented on the chat network. When the scout came back, he reported that there were 140 to 145 different Chanology channels and participants in forty-two countries in total.

  “What do we do with all these people?” one of the team asked. They started searching the Internet to see what opponents of Scientology had done in the past and stumbled across a video of anti-Scientology campaigner Tory “Magoo” Christman, who was dancing and shouting in front of a Scientology center.

  “This is hilarious,” a team member said. “We should totally make the Internet go outside.”

  “We have to put them in the streets,” the French member who’d been studying for a PhD said. Housh didn’t agree, and he argued with the Frenchman for the next three hours. Eventually, Housh relented, deciding that a real-world confrontation between Anons and the public could be rather amusing.

  “We honestly thought the funniest thing we could do to Scientology was get in front of their buildings,” Housh later said.

  The group started working on their next video, their “call to arms,” and then a code of conduct after a Greenpeace activist came on IRC and said they needed to make sure protesters didn’t throw things at buildings or punch cops. Housh started taking an increasingly organizational role, dishing out responsibilities and bringing discussions back on topic when they veered off into jokes of firebombing or Xbox games.

  On January 26, someone calling himself “Anon Ymous” sent an e-mail to Gawker’s “tips” address, about a forthcoming protest outside the Church of Scientology in Harlem. “Wear a mask of your choosing,” it said. “Bring a boombox. Rickroll them into submission. We will make headlinez LOL.” There was also a tagline at the bottom, which was appearing on YouTube, blogs, and forum posts:

  We are Anonymous

  We are Legion

  We do not forgive

  We do not forget

  Expect us.

  This now infamous closing signature, reminiscent of Star Trek bad guys the Borg, comes from the 47 Rules of the Internet. After rules 1 and 2, which were to never talk about /b/, came:

  Rule 3. We are Anonymous.

  Rule 4. Anonymous is legion.

  Rule 5. Anonymous never forgives.

  Some say the twisting of rule 4 into “we” are legion comes from the Bible passage of Mark 5:9, wherein Jesus approaches a man possessed by demons. “And He [Jesus] asked the man, ‘What is thy name?’ And he answered saying, ‘My name is Legion: for we are many.’” The Message to Scientology YouTube video said: “If you want another name for your opponent, then call us Legion, for we are many.”

 
