
We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency


by Parmy Olson


  He believed it was important to keep throwing out teasers, so then tweeted: “The show starts in a few hours, folks! This one is quite interactive with a finale you’ll appreciate. We, we, we so excited! :3.”

  If Sabu had been doing this his way, he would have dumped all the Fox data they had when they were ready, whether that was Friday or at some point during the weekend. But Topiary figured that news outlets were more likely to pick up on stories on a Monday than on a Friday, when many were winding down for the week. It seemed to make sense that if something was released on Monday, it got more attention.

  The teasers kept coming on Monday morning: “LulzSec hashtag of the day: #FuckFox—let’s give it another hour or so, tell your friends. ^____^”

  Then: “30 minutes…#FuckFox”

  Twenty-eight minutes later: “You ready?! #FuckFox.”

  When the moment arrived, Topiary didn’t post a long document of information but tweeted a series of URL addresses for the LinkedIn accounts of employees at a Fox TV affiliate in San Diego, California. The first said: “Meet Karen Poulsen, Marketing Consultant at Fox 5 KSWB.” Clicking on the link showed Poulsen’s LinkedIn account now had the LulzSec monocled man as her profile photo. Topiary did the same for Jim Hill, an account executive at Fox, and six other members of management at the media company.

  There were seven more managers who got their LinkedIn accounts hacked and Tweeted, including Marian Lai, vice president of Fox Broadcasting. In between, Topiary gave a shout-out to his old constituency still hanging out on AnonOps: “Hey, AnonOps I hear you guys are having a rough time—let’s cheer you up. Anonymous wants to join in? You can very soon!”

  There were more tweets to a second press release, all wrapped up in offbeat humor, using the instrument of hash tags at the end of each tweet as a kind of quasi punch line. This was definitely not your ordinary hacking group. After three days, Topiary had posted thirty-five tweets, and he continued with confident profligacy.

  Soon Topiary had tweeted a more damaging “phase 2” leak from Fox: a spreadsheet of more than eight hundred Fox.com users and details of the inner workings of the company’s servers.

  Moving quickly, he posted a spoofed link to “Secret LulzSec IRC logs,” a nod to the #HQ leak and the eagerness in hacker circles to spy on others’ chats. The post contained no logs, only the images of black-and-white pirate ships made out of asterisk symbols, along with spoofed dialogue between nicknames like Bottle of Rum (the nickname for Tflow), Kraken (Kayla), Seabed (Sabu), and Whirlpool (Topiary). Topiary had decided with the others that pirates and boats would be LulzSec’s theme.

  “What gives guys, that boat looks like it belongs in my bath,” Whirlpool says. Then Kraken uses twelve lines of the chat log to create a larger battleship, followed by a mushroom cloud. Whirlpool then claims to be “beaten,” “destroyed,” and “forever alone.” Topiary’s ditty made it clear that LulzSec was not taking any of this, or itself, seriously. “Don’t tell the FBI about these pl0x,” the page’s subtitle said. “We will get in trouble and might be grounded.”

  He released another document of ATM information for British cashpoints, none of it particularly harmful but a demonstration that they could get stuff. He linked the release to a YouTube video of the Love Boat theme song and pasted his own lyrics that ended, “Yes LULZ! Welcome aboard: it’s LULZ!”

  After a few days, most of @LulzSec’s two hundred and fifty Twitter followers were from the Anonymous community. People had heard something was going on and wanted to keep track. Very few people, outside of a few regulars on the Anonymous IRC channels, had any idea that these were the same hackers who had hit HBGary, the same ones who had suffered from Laurelai’s reckless #HQ log leak.

  Then Topiary noticed the LulzSec Twitter feed had a new follower: Aaron Barr. He couldn’t help but be thrilled at this and immediately started badgering him on Twitter. “We have the legendary AaronBarr following us…we hear he had a great time with #Anonymous, so great in fact that he quit his job. #ouch. We better watch out now,” he added. “AaronBarr is going to check our Tweet times with every single Facebook account login.”

  Then: “We’re following 0 people. if we follow one person, does that mean the e-detectives will pounce on them? Should we follow AaronBarr?.…Okay, we’re now following AaronBarr—he is our leader. He stole those Fox databases, he compromised over 3,000 ATM machines. Wait…shit.”

  Topiary thought for a moment about what all this attention on Barr would look like: anyone who knew about the HBGary attack would know the same hackers were now LulzSec. He threw caution to the wind and preemptively put it all out there: “Hey e-detectives: we’ve taken a lot of interest in Mr. Barr, therefore we must be the HBGary hackers. Right? Of course.”

  The team spent the next few weeks working through data they already had to plan their next stunt. Topiary, Sabu, and Kayla now had a small clutch of potential leads to work with. In the background was always Infragard, for which they could leak the details of about three hundred usernames and deface the home page.

  In the meantime, Topiary’s relationship with Kayla was shifting; he was going from being her friend to being her student. Knowing that he was getting into serious activity with LulzSec, he asked her about her setup for staying so incognito. Kayla taught Topiary how to run a virtual machine, then suggested he run Linux as a virtual operating system and a chat client called X-chat through that virtual machine, which he did.

  He also began to store his operating systems on a microSD card inside his encrypted MP3 player: a 32 GB SanDisk microSD, inside an 8 GB SanDisk MP3, inside an encrypted volume. Opening it now required a password and several key files, which were five MP3 songs out of thousands on his player. He had learned this entire setup from Kayla.

  Despite many hours of conversations, he was still mystified by Kayla. She would sign off at around four or five a.m. U.K. time most nights, suggesting that was when she was going to bed. She had told Topiary she was not in the United States or the U.K. But in conversation she often made references to things like Lemsip, a cold and flu medicine found in British stores, and beans on toast, a very British snack favored by debt-ridden students.

  On another occasion, when Kayla had agreed to meet online for an interview on U.K. time, she missed it, and then apologized that she had “got the time zones mixed up.” In May, Kayla also created a Twitter account, under the name @lolspoon, and it served as another way to confuse people about her true whereabouts. At 2:00 p.m. U.K. time, she would tweet, perhaps tongue in cheek, “Just woke up, early morning XD.”

  Topiary had seen screenshots of her desktop, which featured a clock saying 8.41, GMT -8 hours. She had claimed it was a virtual install, which meant the clock wasn’t set up properly. Topiary’s virtual OS was also set to GMT -8 hours. Kayla’s desktop had been very girlie. She had colorful stars as one background for her host operating system; rainbows for her virtual OS; and an anime girl as another one for a terminal window. It may have been too girlie to be girlie—but then Topiary’s desktop was arguably too manly: it featured one collage of comics about sharks and another of a large Slenderman character—a mythical creature spawned on an image board a few years prior—in a black suit and red tie.

  The online world has plenty of elaborate liars. Topiary recalled a girl on an old IRC network who fooled everyone online into thinking she was skinny by providing fake photos and acting defensively when talk turned to eating disorders. Once, she told a group of people in an IRC channel that she was going out to get a tattoo. Three hours later she came back online and uploaded a photo of a skinny human back completely covered with tattooed wings.

  “This is it,” she said.

  Topiary was immediately suspicious. He uploaded it to a website called tineye.com and did a reverse-image search to see where else the image had appeared on the Web. The tattoo was already all over the Web, so it wasn’t real. Eventually it led him to a video site and an account that included another image avatar (a painting) that the girl had used on her Skype account. One of its videos featured an obese girl playing the ukulele. The voice and alias details matched up.

  Topiary had laughed a little but didn’t reveal the details. He didn’t want to destroy her online life.

  Though he knew it could make his arrest more likely, Topiary started thinking about bringing his nickname back onto the public Web by using it on Twitter and on AnonOps IRC. But he needed some convincing, in the same way Sabu had needed convincing to get the team back together.

  “Why have you kept ‘Kayla’ after all this time?” Topiary asked her.

  “No one has ever doxxed me,” she replied. “It makes sense to just keep it.” People were always going to try to dox the nickname Topiary, she added. “But if your dox aren’t known you should just be Topiary and say ‘fuck you’ to all the haters.” Kayla’s mantra was to do all you could to be technically secure, then go out there and dismiss anyone who doubted you.

  “Kayla’s words had really sunk in that day,” Topiary later said. “I loved her simplistic yet compelling argument: nobody knew who she was, so why should she feel pressured into changing her name? It was a sassy kick in the teeth to the doxers. A kind of ‘Yes, I’m still here, bitches, what of it?’ I was inspired.”

  For the past two months, Topiary had been constantly changing nicknames to things like Slevin and Mainframe and trying not to say anything that would make people think he was the original Topiary. He was tired of the stress; maybe it would be nice for his online name to get some of the credit for what was about to go down, and he didn’t like people thinking that Topiary had been arrested and had turned snitch.

  So he opened up his old personal Twitter account, called @atopiary, and posted a single tweet. People in the #anonleaks chat room on AnonOps IRC went into a frenzy. Some suggested that the person behind the account was a spy. It was classic Anonymous. Topiary knew the rumors would die down soon enough. They always did.

  In mid-May, the PBS news program Frontline showed a documentary about WikiLeaks that Sabu didn’t like one bit. It painted Julian Assange in a bad light. When he talked about it to the group, everyone else agreed. By chance, Kayla had found a vulnerability in one of PBS’s websites a few weeks earlier with her auto-scanning bot. Now Sabu asked the team if they agreed to make PBS their next big target. Never mind that it was America’s public broadcasting service and home to Sesame Street. There was no question—everyone was up for it.

  As usual, Sabu entered the PBS network through a security hole Kayla had found, and then he started removing user data—a database of thirty-eight staffers here, hundreds of pressroom users there. Sometimes it was hard to know what was being taken. It didn’t matter. They’d publish it anyway. The team used a tool called Havij to more quickly download the databases for easy viewing. While Sabu and Kayla did the grunt work of hacking, Topiary and AVunit worked on some dramatic calling cards, something that would make Anonymous laugh. The group worked through the night, adding several new pages to the PBS website, starting with www.pbs.org/lulz/, which went to a page with a giant picture of Nyan Cat. This was a cartoon image of a cat flying through space and pooping a rainbow, one of the most famous Internet memes of all time.

  They made another page, www.pbs.org/ShadowDXS/, featuring the photo of a fat man eating an enormous one-foot-tall hamburger with the caption “LOL HI I EAT CHILDRENS.” This was a shout-out to another Anon nicknamed ShadowDXS, a man of ample proportions who looked like Hugo from the TV series Lost. (Topiary went on to tweet something about Hugo from Lost, but then deleted it, thinking it was too silly. The Jester came to believe this signified a cover-up, that Sabu was someone actually named Hugo.)

  Before the PBS hack, Topiary, Shadow, Pwnsauce, and about fifteen Anons whom they knew from AnonOps had all gone on TinyChat on Saturday night and gotten drunk while chatting via text, with a few on voice and even fewer on webcam. Topiary ended up posting a series of drunken tweets to several thousand followers through his personal account, including, “dudd, you have no idea how uch hotgowg repeat the same proces as the nigger behing barry shadow exx rainbows ubunche fa…” People kept sending him telephone numbers, hoping for a good show, and Topiary kept prank-calling them.

  The next morning Barrett Brown woke up to several voice mails from Topiary saying he was “pursuant to being pursuant” as well as messages from a few raunchy transvestites who’d been given Brown’s number and promised a “booty call.” Topiary slept through most of Sunday, then, out of curiosity, dialed one of the many random U.S. numbers on his call history from the night before. He got an angry man with a Southern accent who said, “If you call me again you stupid Indian prick I’ll chop your fucking head off.” Topiary couldn’t remember the man at all but figured he’d had a good time with him. The fun that night seemed to overlap with LulzSec itself. Booze had put Topiary on a high when he was doing prank calls. LulzSec’s small audience and the team’s capabilities did the same when they were hitting PBS.

  To Sabu’s later annoyance, Topiary’s Nyan Cat page seemed to say that this hack wasn’t about Assange but about lulz. To drive the point home, in the early hours of Monday British time, Topiary got into NewsHour’s content management system, essentially the system PBS used for publishing stories to its website, and realized he could publish a legitimate-looking news story directly on the PBS NewsHour website.

  At first he wanted to make it about Obama choking on a marshmallow. But when he suggested it to the others in the group, they decided a better story would be about Tupac Shakur, the American rapper who had been fatally shot in Las Vegas in 1996 but who in death had enjoyed Elvis-like rumors that he was still alive. In about fifteen minutes Topiary had written up an elaborate story, paragraph by paragraph, in the IRC chat, titled “Tupac Found Alive in New Zealand”:

  Prominent rapper Tupac has been found alive and well in a small resort in New Zealand, locals report. The small town—unnamed due to security risks—allegedly housed Tupac and Biggie Smalls (another rapper) for several years. One local, David File, recently passed away, leaving evidence and reports of Tupac’s visit in a diary, which he requested be shipped to his family in the United States.

  “We were amazed to see what David left behind,” said one of [his] sisters, Jasmine, aged 31. “We thought it best to let the world know as we feel this doesn’t deserve to be kept secret.”

  David, aged 28, was recently the victim of a hit-and-run by local known gangsters. Having suffered several bullet wounds on his way home from work, David was announced dead at the scene. Police found the diary in a bedside drawer.

  “Naturally we didn’t read the diary,” one officer stated. “We merely noted the request to have it sent to a U.S. address, which we did to honor the wishes of David.”

  Officials have closed down routes into the town and will not speculate as to whether Tupac or Biggie have been transported to another region or country. Local townsfolk refuse to comment on exactly how long or why the rappers were being sheltered; one man simply says “we don’t talk about that here.”

  The family of David File have since requested that more action be taken to arrest those responsible for the shooting. “David was a lovely, innocent boy,” reported his mother. “When he moved to New Zealand, he’d never been happier.”

  His brother Jason requested that one part of David’s diary be made public in an attempt to decipher it. “Near the end,” Jason says, “there’s a line that reads ‘yank up as a vital obituary’, which we’ve so far been unable to comprehend.”

  David’s girlfriend, Penny, did not wish to make a statement.

  The final line in the elaborate story was a nod to HBGary’s Penny Leavy, while the phrase yank up as a vital obituary was another calling card: an anagram for Sabu, Kayla, Topiary, AVunit.

  PBS’s IT admins were scrambling in vain to reaccess their system; Sabu and Kayla were hitting them with a Denial of Service attack, so they were paralyzed. Topiary added a photo of Tupac Shakur to the story and clicked publish. Then he tweeted links to a Pastebin post of passwords for almost every journalist who worked with PBS, then to a post of all login passwords for PBS affiliate stations, then to a post of MySQL root passwords for PBS.org (the root password for the database), so that people could hack into the site whenever they wanted, or at least until someone patched the security hole. There was more: login details for anyone who worked on PBS’s Frontline and a map of the PBS server network. For the most part, he didn’t want to push the idea that their hack had been motivated by WikiSecrets or that their fun was founded on politics. But he made the point at least once on Twitter. “By the way,” Topiary added, “WikiSecrets sucked.”

  Almost immediately, readers started sharing the Tupac story with their friends, posting it on Facebook and Twitter, and latching onto the rumor that Tupac was alive. PBS’s content management system might have been woefully unprotected, but it was still a reputable news source. Teresa Gorman, PBS NewsHour’s social media and online engagement worker, scrambled to reply to a dozen readers publicly asking her on Twitter about the story’s veracity: “No it’s a hack.” “No it’s a hack, thanks.” “It’s a hack.” Then to four people at once: “It is a hack, not a PBS story, apologies.” Within the same hour, @LulzSec had received a hundred and fifty tweets and re-tweets.

  “Dudes. Of course Tupac is alive,” the LulzSec account tweeted. “Didn’t you see that official @PBS article? Why would they lie to their 750,000+ followers?

  “u mad, Frontline?” he added.

  Within three hours, four thousand people had hit the Facebook Like button beside Topiary’s fake article. The PBS publishing system was so outdated that the hackers could make updates to content being stored on thirty different servers by interfacing with just one server. The result was that when the IT admins deleted the Tupac story, LulzSec deleted every single blog on the PBS NewsHour website. Fortunately for PBS, the admins had backed up the blog content elsewhere and could replace the deleted posts in a few hours. Until then, anyone who tried to click on another story got a 403 error—but the Tupac story was still showing up on the PBS home page. The hackers had deleted all of the site’s user and admin login data and declared themselves administrators, which made it almost impossible for the real admins to initially regain control. When the admins made changes, the hackers were always there to change things back. And when PBS Frontline posted an official statement about the hack on its website, LulzSec replaced it with a blank page saying only “FRONTLINE SUCKS COCKS LOL.”

 
