We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency


by Parmy Olson


  Sabu’s statement that he was “going to drive over to [Laurelai’s] house and mess him up” was sourced from Topiary’s testimony.

  The origins of the word backtrace point to one of the most notorious 4chan and Anonymous operations ever conducted. It started in July of 2010, when 4chan’s /b/ users began trolling an eleven-year-old girl named Jessica Leonhardt. Online, she was known as Jessi Slaughter, and was a minor e-celebrity after uploading videos of herself onto a site called StickyDrama. When other StickyDrama users started bullying Slaughter, she filmed a series of tearful ripostes, including one in which her mustached father could be seen over her shoulder jabbing his finger at the webcam and shouting, “You bunch of lying, no-good punks! And I know who it’s comin’ from! Because I BACKTRACED it!” The broadside spawned a number of Internet catchphrases and memes, including “backtrace,” “Ya done goofed,” and “Consequences will never be the same!” By February of 2011, Jessi Slaughter had been placed under police protection and admitted to a mental institution. The following August, her father died of a heart attack at the age of fifty-three.

  The dialogue among Topiary, Kayla, Tflow, and AVunit, starting with the quote “They all think i’m Xyrix!” was sourced from their March 21, 2011, discussion on a private IRC channel called Seduce. By this point, Topiary had introduced me to Kayla (with whom I had been communicating by e-mail) and it was in this room that I first spoke to AVunit, Tflow, and Sabu. From there I organized separate interviews with each of them. The group was already communicating with each other in their own separate channel, and #seduce was set up for the purpose of speaking with me and providing testimony for this book. The name Seduce came from the late-February revelation in the #HQ chat log that Kayla would be talking to me; she quipped that “She wrote good stuff about us so far…she talked with Topiary. he has her seduced I guess.” Later, when the group would switch to a different IRC server, they would create another channel, named #charmy, also for talking exclusively with me. I was later told that Sabu was extremely wary of talking to me in the #seduce channel in March, and I observed that he was rarely in the room or would make excuses to leave. On April 13, 2011, however, we held our first real interview on IRC and he became more forthcoming.

  It is unclear if “Christopher Ellison,” the name associated with AVunit in Backtrace’s final document, was correct or not. There have been no press reports or police announcements related to the arrest of someone connected to the nickname, and no information about the whereabouts of the real AVunit as of mid-April 2012.

  The study by Francois Paget was published on October 21, 2011, in a McAfee blog post entitled “The Rise and Fall of Anonymous.”

  The detail about the FBI contacting Jennifer Emick comes from conversations with Emick. The additional point that the FBI needed to wait to corroborate Sabu’s identity and gather enough evidence to threaten him with a long sentence was sourced from the FoxNews.com report “Infamous International Hacking Group LulzSec Brought Down by Own Leader,” published on March 6, 2012.

  Laurelai Bailey hadn’t been the only log leaker. Less damaging, though still embarrassing, was a leak from freelance television and Web journalist Matthew Keys, who had been given access to #InternetFeds from December of 2010 to January 6, 2011, when he was banned after the channel’s members suspected him of leaking information to the Guardian. Sabu later claimed that Keys had given away administrator access to the online publishing system of Tribune, his former employer, in return for the chance to “hang out in our channel.” Keys denies this.

  A note on making IRC channels: generally, the person who comes up with the idea for a channel is the person who creates the channel. Creators can make channels more secure by adding commands like +isPu and +k to gain more control of who comes in. But sometimes the best way to make a channel secure is to make it completely open, with no invite policy at all, and to keep switching between different channels every day or two. Making a channel “invite only” is “like holding a red flag in front of a bull,” according to AVunit, who added that this was why he and his team avoided invite-only policies. To find each other, team members would use normal IRC queries, check which channel was active, or just type in the relevant channel in IRC and rejoin the discussion.

  It’s worth noting that Backtrace itself was the subject of numerous doxing episodes. From at least the spring of 2011, a number of Anonymous supporters unveiled its members as Jennifer Emick, Jin-Soo Byun, and John Rubenstein, publishing their home addresses, telephone numbers, some family details, and other online profiles on the web tool Pastebin.

  Chapter 15: Breaking Away

  The descriptions of “three ways to respond to a dox” were derived from my conversations with Topiary and my observations of the way Anonymous supporters, such as Ryan Cleary, reacted to having their true identities unveiled. Further details about “drama” in Anonymous and the culture bred through the morass of channels on IRC were sourced from my conversations with adherents of Anonymous and my own observations. The detail about Aaron Barr’s idea for getting into private coding channels, as well as the description in this chapter of “No,” come from Topiary’s testimony. The details of Renee Haefer’s FBI raid were sourced from an interview that Haefer gave to Gawker for an online story entitled “An Interview with a Target of the FBI’s Anonymous Probe,” published on February 11, 2011. Details on the five Britons arrested on January 27 are sourced from a Metropolitan Police announcement and from news reports.

  The paragraphs detailing Topiary’s elaborate getaway were sourced from interviews with Topiary himself. I have edited the faked log substantially for brevity; the log had mentioned that Topiary’s wireless router had been left on. This was meant to cause further confusion among the hundreds of regular users on AnonOps, because routers were the number one item that was looked for in a raid. The ruse almost got too elaborate. One online female friend was already freaking out so much that she had tried contacting Topiary’s then-girlfriend, a Canadian girl he had met online about three years prior. Problematically, this friend then let slip to others that Topiary’s girlfriend existed. Until then, he had been trying to insulate his girlfriend from his activities with Anonymous, so that she would not be roped in as a co-conspirator if he were ever arrested. To fix this problem, he wrote up another faked message, this time from his girlfriend, hinting that she was suddenly jealous of the worried female friend. The suggestion distracted the girl enough from suspecting the truth: that Topiary had not been arrested but had broken away from Anonymous.

  Quotes from the Anonymous press release directed at Sony were sourced from the press release itself, which is still available on AnonNews.org. Details of William’s involvement in OpSony come from interviews with him. William also e-mailed me a link to some of the handiwork of SonyRecon, including Sony CEO Howard Stringer’s old and current home addresses in New York, his wife’s name, the names of his children, and the name of his son’s old school. The post is still online at JustPaste.

  The details about Sony’s lawsuit against George Hotz come from various mainstream news reports.

  “Angering millions of gamers around the world” is my interpretation of myriad angry comments on forums for gamers as well as on the official PlayStation Network website, which contains statements showing that the PSN is used by tens of millions of people.

  Sony’s eight-page letter to the U.S. House of Representatives dated May 3, 2011, is viewable on Flickr.

  The publication of 653 nicknames and IP addresses on AnonOps was pasted in a public document online, which I have seen and which was brought to light by various news reporters, including by Forbes’s Andy Greenberg. His story “Mutiny Within Anonymous May Have Exposed Hackers’ IP Addresses” was published on May 9, 2011. I made the point that “AnonOps IRC became a ghost town” as a result of my own and Topiary’s observations of the network. The statement by various AnonOps operators that they were “profoundly sorry for this drama” was posted and reposted on various blogs. The original post also mentioned that AnonOps would “stage a comeback and return to full strength eventually.” Ryan Cleary, who was behind the IP leak, gave an interview to the tech blog thinq_, saying that the operators behind AnonOps were “publicity hungry” and had “begun engaging in operations simply to grab headlines” and “feed their own egos.” “They just like seeing things destroyed,” thinq_ quoted Ryan as saying.

  I saw the dox file about Ryan when it was first posted online. It included his real address in Wickford, Essex, his cell phone number, and the names and ages of his parents. The dox page said that Ryan had been “owned” by Evo, adding “Who’s the ‘pet’ now, bitch?” The document also gave “shouts,” or acknowledgments, to Sabu, Kayla, Owen, #krack, and all of AnonOps.

  The assertion that Anonymous was “starting to look like a joke” comes from my own observations as well as discussions with supporters.

  Chapter 16: Talking About a Revolution

  Most of the details and descriptions from this chapter were derived from interviews with Topiary and Sabu over the course of several months, including Internet Relay Chat interviews, discussions by phone, and face-to-face meetings.

  The point about New York mayor Rudy Giuliani increasing the city’s police force to 40,000 was corroborated by the April 11, 2000, Congressional Record for the House of Representatives and by press reports.

  The details about COINTELPRO were corroborated by information on the FBI’s own website, which states that the project was “rightly criticized by Congress and the American people for abridging first amendment rights and for other reasons.” See http://vault.fbi.gov/cointel-pro

  The point that Kayla, Tflow, and AVunit had been on “breaks” before the formation of LulzSec was corroborated by Sabu and at least one other LulzSec supporter.

  The quote “Most professional and high-level hacks are never detected” comes from an interview with a hacker supporting Anonymous who did not wish to be named.

  Chapter 17: Lulz Security

  The majority of details in this chapter were sourced from interviews with Topiary, Sabu, and Kayla. Additional details, including dialogue from Pwnsauce, were derived from my observation of discussions among Topiary, Kayla, Tflow, AVunit, and Pwnsauce in the IRC channel #charmy, which was set up for discussions that I could repeat in this book. I also held interviews with some in the group, such as Pwnsauce, in this channel.

  The assertion that it “took a week for Fox’s IT administrators to notice the breach” was derived from interviews in #charmy.

  Regarding the original Twitter feed for LulzSec, @LulzLeaks: the original account that contains that first tweet is still online.

  I corroborated that LulzSec had indeed posted a database of potential contestants for The X Factor by speaking to a spokesman from Fox about twenty-four hours after the hack was first announced. I also saw the published database on Pastebin.

  Chapter 18: The Resurrection of Topiary and Tupac

  Details about the PBS hack were sourced from interviews with the hackers involved, as well as from a post that Topiary had put on Pastebin that gave details about what sort of tools, such as Havij, the group had used. According to a March 2012 article on darkreading.com, the tool “favored by hacktivists” was created by Iranian hackers, and its name is derived from the Persian word for “carrot,” also a nickname for the male sexual organ.

  The statement that “people in the #anonleaks chat room on AnonOps IRC went into a frenzy” when Topiary posted something on Twitter from his personal account was sourced from interviews with Topiary after he visited the chat network.

  Chapter 19: Hacker War

  Regarding Pastebin’s boost in traffic, the website’s controllers would later show their appreciation for LulzSec by retweeting @LulzSec’s July 13, 2011, announcement that “If @pastebin reaches 75,000 followers we’ll engage in a mystery operation that will cause mayhem.” (This was one of the rare tweets from @LulzSec after the group officially disbanded.) Hours later, @Pastebin tweeted, “The # of followers @pastebin is growing very rapidly since @lulzsec is sending their love,” followed by “The twitter madness continues thanks to @lulzsec.” That same day, Topiary exchanged e-mails with Pastebin owner Jeroen Vader, a twenty-eight-year-old Dutch entrepreneur, in which Topiary requested a “unique green crown” icon next to his personal “Topiary” account on Pastebin, which, when highlighted, would also say “CEO of consuming pie.” Vader agreed, saying, “I’ll be sure to fix you up with a very special crown. Many thanks for trusting Pastebin with your ‘special’ releases.” Pastebin statements from LulzSec and Anonymous rank among the top-trafficked posts on Pastebin, along with LulzSec’s final “50 Days of Lulz” release on June 25, 2011, which clocked 411,354 page views as of April 3, 2012. (Pastebin hosts ads on its site, so the extra traffic will have aided its bottom line.) Ironically, Vader said in early April of 2012 that he would hire more staff to help police “sensitive information” that got posted onto the site, according to BBC News.

  Details about The Jester’s hangout on 2600 and the other people who frequented it were sourced from LulzSec’s leaked #pure-elite chat logs, from interviews with Topiary, and from my own observations of the 2600 IRC network. The points about the origins of 2600: The Hacker Quarterly were sourced from various Web articles, including the PCWorld feature story “Hacking’s History,” published on April 10, 2001.

  The information about the creation of a secondary ring of LulzSec supporters was sourced from conversations with Topiary and Sabu. The detail about Antisec and its original adherents comprising “a few hundred skilled hackers” was sourced from my conversations with Andrew “weev” Auernheimer, who was a hacker during the early days of the Antisec movement, and from various Web articles, including the 2002 Wired story “White-Hat Hate Crimes on the Rise.”

  The nicknames of “secondary crew members” of LulzSec, such as Neuron and M_nerva, were sourced from the #pure-elite chat logs that were first leaked online by Pastebin on June 5, 2011, in a post entitled “LulzSec Private Log.” The logs were republished by The Guardian three weeks later, on June 25, which garnered more mainstream media attention. Further descriptions about the room and its members, and the context of their discussions, were sourced from interviews with Topiary and with one other hacker, who did not wish to be named.

  The detail that Adrian Lamo was diagnosed with Asperger’s is sourced from the Wired article, “Ex-Hacker Adrian Lamo Institutionalized, Diagnosed with Asperger’s,” published May 20, 2010.

  Chapter 20: More Sony, More Hackers

  Regarding LulzSec and Sony: a couple of days before the PBS attack, LulzSec had already published two databases of internal information from the website of Sony Japan. It failed to cause a stir, since Topiary had simply pasted specific Web addresses that were vulnerable to a hack by simple SQL injection. One of them, for example, looked like this: http://www.sonymusic.co.jp/bv/cro-magnons/track.php?item=7419 (no longer available). Topiary announced the finds with a press release, telling other hackers, “Two other databases hosted on this boxxy box. Go for them if you want.” He added that the “innards” were “tasty, but not very exciting.” Details about the way LulzSec’s core and secondary members gathered and explored website vulnerabilities within the network of Sony and elsewhere were sourced from discussions with Topiary, as well as with Sabu and Kayla. Dialogue among the hackers was also sourced from interviews with the trio. Most of the data that LulzSec stole from Sony came from the websites SonyPictures.com, SonyBMG.nl, and SonyBMG.bg—but 95 percent of the hoard came from SonyPictures.

  Descriptions of Topiary’s style of writing are based on my own observations of the press releases he wrote and the Twitter feed he manned.

  Context on the extent of the cyber attacks on Sony was sourced from the cyber security website attrition.org and its article “Absolute Sownage: A Concise History of Recent Sony Attacks.” It includes what is probably the most comprehensive table of cyber attacks on the company that took place between the months of April and July 2011.

  The rumors about the PlayStation Network hack involving a disgruntled employee and the sale of a database for $200,000 come from press reports and from one source within Anonymous who does not wish to be named. It was unclear if the PSN hackers had sold it all on a carders’ market or in chunks. But in certain online markets it was possible to make $1,000 selling a six-year-old database containing the names of 300,000 users—the price in the market at large depended on the age of the database, according to people familiar with the matter. This meant that more than 100 million fresh logins from Sony would easily have been worth tens of thousands of dollars. A June 23, 2011, Reuters article cited a lawsuit against Sony that claimed that the company had laid off employees in the unit responsible for network security two weeks before the data breach occurred, and that while the company “spent lavishly” on security to protect its own corporate data it failed to do the same for its customer data. The lawsuit, filed in a U.S. District Court, cited a “confidential witness.”

 
