Retired Judge Joins Fight Against DOJ’s ‘Outrageous’ Seizures in Megaupload Case


Abraham David Sofaer, a former New York federal judge, was presenting a paper at the National Academy of Sciences in January about deterring cyberattacks when he learned the feds had shut down Megaupload, seizing its domain names, in a criminal copyright infringement case.

Troubling him more than his paper on global cybersecurity (.pdf) was learning that the government had seized the files of 66.6 million customers as part of its prosecution of the file-sharing site’s top officers, and was refusing to give any of the data back to its owners.

“It’s really quite outrageous, frankly,” the 74-year-old President Jimmy Carter appointee said in a recent telephone interview. “I was thinking the government hadn’t learned to be discreet in its conduct in the digital world. This is a perfect example on how they are failing to apply traditional standards in the new context.”

A former State Department legal adviser, Sofaer has teamed up — free of charge — with the Electronic Frontier Foundation in urging a federal court to set up a system to allow Megaupload users to get back their legal content.

His entry into the high-profile case comes as users increasingly turn to online storage systems and services, including Dropbox, Gmail, YouTube, ReadItLater, iCloud, and Google Drive, among others, to share and store their data — despite the fact that legal protections for cloud services are weak and servers can be shut down at any time by an aggressive prosecutor. In an unrelated copyright infringement seizure, the feds confiscated the domain of a hip-hop music blog at the behest of the recording industry, only to return it, without apology or recompense, a year later for lack of evidence.

The criminal prosecution of Megaupload targets seven individuals connected to the Hong Kong-based file-sharing site, including founder Kim Dotcom. They were indicted in January on a variety of charges, including criminal copyright infringement and conspiracy to commit money laundering.

The government said the site, which generated hundreds of millions in user fees and advertising, facilitated copyright infringement of music, television programs, electronic books, business and entertainment software, and, perhaps most damningly, movies, often before their theatrical release.

The site was so popular it leased more than 1,100 servers hosted by Carpathia in Virginia. The government copied 25 petabytes of the data, and said the rest can be erased. The Department of Justice told the federal judge overseeing the prosecution that the government has no obligation to assist anybody getting back their data, even if it’s non-infringing material.

“That’s a dangerous road,” Sofaer said.

He suggested that the government hasn’t quite caught up to the digital age. He doubts the government would take the same position with a bank it seized.

“Of course they would help customers get back their deposits,” he said. “But think about this new world. You can see very clearly that the government is acting in a manner that is indiscriminate.”

Justice Department prosecutors handling the case in the Eastern District of Virginia declined comment.

But in a recent court filing, the authorities wrote that assisting an Ohio man in getting back his company’s high school sports footage “would create a new and practically unlimited cause of action on behalf of any third party who can claim that the government’s execution of a search warrant adversely impacted a commercial relationship between the target of the search and the third party.”

Sofaer, also a former clerk to then-Supreme Court Justice William Brennan Jr. and now a Hoover Institution fellow, claims the government’s response is hogwash. All legal files could easily be retrieved, just like they were before the service was shuttered in January.

The Palo Alto, California, scholar has agreed to donate his legal services toward that goal, and wants the judge to appoint an expert to supervise the program, which would provide legal notice to former Megaupload customers that “you are entitled to have your data but not contraband material.”

“I think the government could easily live with that,” he said.

Julie Samuels is the Electronic Frontier Foundation attorney working with Sofaer, and said litigating with him “has been an absolute pleasure.”

“It’s clear that he really gets why this case matters and has the experience and perspective necessary to take the long view: If the court allows the government’s actions to go unchecked here,” she said, “we’ll be facing a world with inhibited property rights that is less friendly for innovation.”

Sofaer, who was also a former New York federal prosecutor, understands the government’s motives.

“They are eager to make cases, and to be as little bothered by the consequences as possible,” he said. “When I was a prosecutor, I probably would have been the same way.”

In Flawed, Epic Anonymous Book, the Abyss Gazes Back

It’s hard to report on Anonymous.

It’s a non-organization of pranksters-turned-activists-turned-hackers-turned-hot-mess-of-law-enforcement-drama — a story that is hard to get, and hard to write.

To work with a secretive and hunted group requires making many non-obvious choices. One of the unnamed but extensively quoted hackers in Forbes London bureau chief Parmy Olson’s new book on the group, titled We Are Anonymous, told me once that anons were “by nature deceptive” — and they are. (How do I know it’s the same person? I recognized their way of talking. Then I asked.)

Anons lie when they have no reason to lie. They weave vast fabrications as a form of performance. Then they tell the truth at unexpected and unfortunate times, sometimes destroying themselves in the process. They are unpredictable. The nihilistic fury that Olson describes in the lifestyle of young anons goes in every direction, including inward, and it often spills over onto people like Olson and me for no obvious reason.

You can’t follow the money in Anonymous, or look at the power structures, or hunt for a greater rationale in a collective that on most days doesn’t have one. But we still have to make the choice about what we believe, why, and how it fits into a larger picture. We use circumstances, gut instincts, and plenty of what hackers call social engineering to tease out the evidence we need to write about the collective, to fulfill our role in the story.

Make no mistake, we have a role. You just can’t not join. It’s impossible to not be part of the thing, when the thing uses the media to talk to itself.

So what makes Parmy Olson’s We Are Anonymous so frustrating is that it plays the narrative straight, as if these issues don’t exist at all.

The only voices in Olson’s book are those of the small groups of hackers who stole the limelight from a legion, defied their values, and crashed violently into the law.

But Olson and I, like professor Biella Coleman and former CNN correspondent Amber Lyon, documentary filmmaker Brian Knappenberger, and even Gawker’s Adrian Chen, cannot avoid shaping the thing and having it shape us. We are the medium the collective uses to define itself, and we end up owning some of what it becomes. We are, no matter what rules we’ve set up to avoid it, an organ of the Hive Mind. It is Schrödinger’s media landscape, and our observations always affect the outcome.

For this reason it’s vital that we expose our methods and internal rules. Who do we name, and more importantly, who do we not? I avoided this particular ethical issue by publicly refusing to name anyone who is not, as they say in Anonymous, namefagged already. Olson plunges through hundreds of pages without even a nod in the issue’s direction.

How has Olson chosen who she trusts and when? Her methods are hidden, her notes not referenced in the text, and she appears nowhere in her book. While that’s a traditional choice for journalism, in this strange case it harms Olson’s credibility. In an environment where all your sources lie to you, you must tell the world how you came to believe the story you’re telling.

The social systems of the internet, of which Anonymous is a highly evolved example, disrupt the established pathways of consequence. Instead of looking for the expert or person in charge for quotes, the heart of the story may be almost anywhere. Searching for the right source in Anonymous is often more like investigating a murder than crawling up the chain of command looking for an interview.

Anonymous made us, its mediafags, masters of hedging language. The bombastic claims and hyperbolic declarations must be reported from their mouths, not from our publications. And yet still we make mistakes and publish lies and assumptions that slip through. There is some of this in all of journalism, but in a world where nothing is true and everything is permitted, it’s a constant existential slog. It’s why there’s not many of us on this beat.

Journalism is part of a world of institutions, hierarchies, and social traditions codified by nation states and organizations. We create laws and rules to control who gets to do things that matter, so we can concentrate power where we want it. It’s meant to create a predictable world we can inhabit within Nature’s capricious grasp. The tools of journalism were built for this world, it’s what shaped our rhetoric and narrative. It’s partly why we’re always so keen on printing people’s titles, or age, or race, placing them within a hierarchy, telling you how important they are. The techniques of contemporary journalism are the Big Man theory of history, writ small and fast.

Anonymous breaks all that, and it’s a huge headache. But for reporters who had to file stories on the group, the rise of Lulzsec, an exclusive club of hacker elites that acted just like the normal world from within the larger collective, was a godsend. It finally provided a fast way to tell an outrageous and popular story, and we responded with predictable enthusiasm.


An Excerpt of We Are Anonymous: Gawker Gets Hacked

  • By Parmy Olson

This excerpt of Parmy Olson’s We Are Anonymous features the story of Lulzsec’s most fearsome hacker talent, Kayla. “Kayla” is the nick of the purportedly 16-year-old girl who was instrumental in the hacking of HBGary. The story here takes place long before the rise of Lulzsec or the HBGary attack, with the 2010 database hack of Gawker, which exposed 1.3 million registered users’ logins and passwords. The Gawker attack propels Kayla into greater and riskier hacking, but she’s not hacking for who she thinks she’s hacking for.

According to the UK Guardian, two men, aged 20 and 24, were arrested and charged with crimes committed as Kayla last fall.

Parmy Olson is the London bureau chief for Forbes Magazine.

***

Gawker had once been in Anon’s good books. It had been the first news site to boldly publish the crazy Tom Cruise video that helped spark Chanology. But then the site’s famously snarky voice turned on Anonymous, reporting on major 4chan raids as examples of mass bullying. After Gawker’s Internet reporter Adrian Chen wrote several stories that poked fun at Anonymous, mocking its lack of real hacking skills and 4chan’s cat fights with Tumblr, regulars on /b/ tried to launch a DDoS attack on Gawker itself, but the attack failed. In response, Gawker writer Ryan Tate (ed. note: Tate now works for Wired) published a story on July 19, 2010, about the failed raid, adding that Gawker refused to be intimidated. If “sad 4chaners have a problem with that, you know how to reach me,” he added. Kayla, at the time, had bristled at the comment and felt her usual urge to punish anyone who underestimated her, and now Anonymous.

“We didn’t really care about it till they were like, ‘lol you can’t hack us no one can hack us,’” Kayla later said in an interview. Though Gawker had not said this literally, it was the message Kayla heard.

She decided to go after the site. Kayla and a group of what she later claimed was five other hackers met up in a chat channel called #Gnosis, on an IRC network she had set up herself called tr0lll. Anywhere from three to nine people would be on the network at any given time. Kayla actually had several IRC networks, though instead of hosting them herself she had other hackers host them on legitimate servers in countries that wouldn’t give two hoots about a U.S. court order. Kayla didn’t like to have her name or pseudonym on anything for too long.

People close to Kayla say she set up tr0ll and filled it with skilled hackers that she had either chosen or trained. Kayla was a quick learner and liked to teach other hackers tips and tricks. She was patient but pushy. One student remembered Kayla teaching SQL injection by first explaining the theory and then telling the hackers to do it over and over again using different approaches for two days straight.

“It was hell on your mind, but it worked,” the student said. Kayla understood the many complex layers to methods like SQL injection, a depth of knowledge that allowed her to exploit vulnerabilities that other hackers could not.

On tr0lll, Kayla and her friends discussed the intricacies of Gawker’s servers, trying to figure out a way to steal some source code for the site. Then in August, a few weeks after Gawker’s “sad 4chaners” story, they stumbled upon a vulnerability in the servers hosting Gawker.com. It led them to a database filled with the usernames, e-mail addresses, and hashes (encrypted passwords) of 1.3 million people who had registered with Gawker’s site so they could leave comments on articles. Kayla couldn’t believe her luck. Her group logged into Nick Denton’s private account on Campfire, a communication tool for Gawker’s journalists and admins, and spied on everything being said by Gawker’s staff. At one point, they saw the Gawker editors jokingly suggesting headlines to each other such as “Nick Denton [Gawker’s founder] Says Bring It On 4Chan, Right to My Home,” and a headline with a home address.

They lurked for two months before a member of the group finally hacked into the Twitter account of tech blog Gizmodo, part of Gawker Media, and Kayla decided to publish the private account details of the 1.3 million Gawker users on a simple web page. One member of her team suggested selling the database, but Kayla wanted to make it public. This wasn’t about profit, but revenge.

On December 12, at around eleven in the morning eastern time, Kayla came onto #InternetFeds to let the others know about her side operation against Gawker, and that it was about to become public. The PayPal and MasterCard attacks had peaked by now, and Kayla had hardly been involved. This was how she often worked—striking out on her own with a few other hacker friends to take revenge on a target she felt personally affronted by.

“If you guys are online tomorrow, me and my friends are releasing everything we have onto 4chan /b/,” she said. The following day, she and the others graced the “sad 4chaners” themselves with millions of user accounts from Gawker so that people like William could have fun with its account holders.

Gawker posted an announcement of the security breach, saying, “We are deeply embarrassed by this breach. We should not be in a position of relying on the goodwill of hackers who identified the weaknesses in our systems.”

“Hahahahahahha,” said an Irish hacker in #InternetFeds called Pwnsauce. “Raeped [sic] much?” And that was hacker, “SINGULAR,” he added. “Our very own Kayla.” Kayla quickly added that the job had been done with four others, and when another hacker in #InternetFeds offered to write up an announcement on the drop for /b/, she thanked him and added, “Don’t mention my name.”

Gnosis, rather than Anonymous, took credit for the attack. Kayla said she had been part of Anonymous since 2008 and up to that point had rarely hacked for anything other than “spite or fun,” with Gawker being her biggest scalp. But after joining #InternetFeds, she started hacking more seriously into foreign government servers.

Kayla had not joined in the AnonOps DDoS attacks on PayPal and MasterCard because she didn’t care much for DDoSing. It was a waste of time, in her view. But she still wanted to help WikiLeaks and thought that hacking was a more effective means of doing so. Not long after announcing the Gawker attack, Kayla went onto the main IRC network associated with WikiLeaks and for several weeks lurked under a random anonymous nickname to see what people were saying in the main channels. She noticed an operator of that channel who seemed to be in charge. That person went by the nickname q (presented here as lowercase, so as not to be confused with the hacktivist Q in #InternetFeds). Supporters and administrators with WikiLeaks often used one-letter nicknames, such as Q and P, because it was impossible to search for them on Google. If anyone in the channel had a question about WikiLeaks as an organization, he or she was often referred to q, who was mostly quiet. So Kayla sent him a private message.

According to a source who was close to the situation, Kayla told q that she was a hacker and dropped hints about what she saw herself doing for WikiLeaks: hacking into government websites and finding data that WikiLeaks could then release. She was unsure of what to expect and mostly just wanted to help. Sure enough, q recruited her, along with a few other hackers Kayla was not aware of at the time. To these hackers and to q, WikiLeaks appeared to be not only an organization for whistleblowers but one that solicited hackers for stolen information.

The administrator q wanted Kayla to scour the Web for vulnerabilities in government and military websites, known as .govs and .mils. Most hackers normally wouldn’t touch these exploits because doing so could lead to harsh jail sentences, but Kayla had no problem asking her hacker friends if they had any .mil vulnerabilities.

Kayla herself went into overdrive on her hacking sprees for q, one source said, mostly looking for vulnerabilities. “She’s always been blatant, out-in-your-face, I’m-going-to-hack-and-don’t-give-a-shit,” the source said. But Kayla did not always give everything to q. Around the same time that she started hacking for him, she got root access to a major web-hosting company—all of its VPSs (virtual private servers) and every normal server—and she started handing out the root exploits “like candy” to her friends, including people on the AnonOps chat network.

“She would just hack the biggest shit she could and give it away,” said the source, dropping a cache of stolen credit card numbers or root logins then disappearing for a day. “She was like the Santa Claus of hackers.”

“I don’t really hack for the sake of hacking to be honest,” Kayla later said in an interview. “If someone’s moaning about some site I just have a quick look and if I find a bug on it I’ll tell everyone in the channel. What happens from there is nothing to do with me. :P.” Kayla said she didn’t like being the one who defaced a site and preferred hiding silently in the background, “like a ninja.”

“Being able to come and go without leaving a trace is key,” she said. The longer she was in a network like Gawker’s, the more she could get in and take things like administrative or executive passwords. Kayla liked Anonymous and the people in it, but she ultimately saw herself as a free spirit, one who didn’t care to align herself with any particular group. Even when she was working with AnonOps or the people in #InternetFeds, Kayla didn’t see herself as having a role or area of expertise.

“I’ll go away and hack it, come back with access and let people go mad,” she said. Kayla couldn’t help herself most of the time anyway. If she was reading something online she would habitually start playing around with their parameters and login scripts.

More often than not, she would find something wrong with them.

Still, working for q gave Kayla a bigger excuse to go after the .gov and .mil targets, particularly those of third-world countries in Africa or South America, which were easier to get access to than those in more developed countries. Every day was a search for new targets and a new hack. Kayla never found anything as big as, say, the HBGary e-mail hoard for q, but she did, for instance, find vulnerabilities in the main website for the United Nations. In April 2011, Kayla started putting together a list of United Nations “vulns.” This, for example:

http://www.un.org.al/subindex.php?faqe=details&id=57

was a United Nations server that was vulnerable to SQL injection, specifically subindex.php. And this page at the time:

http://www.un.org.al/subindex.php?faqe=details&id=57%27

would throw an SQL error, meaning Kayla or anyone else could inject SQL statements and suck out the database. The original URL didn’t have %27 at the end, but Kayla’s simply adding that after testing the parameters of php/asp scripts helped her find the error messages.
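As an added illustration (not part of the book excerpt or any code from the site described), the Python sketch below shows why a trailing %27 on a numeric parameter surfaces an SQL error when the value is concatenated into the query, how a validated, parameterized lookup closes that off, and how the same pattern shows up in access logs. The SQLite table, handler names, and log lines are constructed assumptions.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

def make_db():
    """Constructed in-memory table standing in for a site's content table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE details (id INTEGER PRIMARY KEY, title TEXT)")
    db.execute("INSERT INTO details VALUES (57, 'Sample page')")
    return db

def lookup_concatenated(db, raw_id):
    """The 'before': the id value is pasted into the SQL text and driver
    errors are echoed back, which is what makes the flaw visible remotely."""
    sql = "SELECT title FROM details WHERE id = " + raw_id
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return 500, "SQL error: %s" % exc
    return (200, row[0]) if row else (404, "not found")

def lookup_parameterized(db, raw_id):
    """The 'after': validate the type, bind the value, never echo DB errors."""
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 9):
        return 400, "bad request"
    try:
        row = db.execute(
            "SELECT title FROM details WHERE id = ?", (int(raw_id),)
        ).fetchone()
    except sqlite3.Error:
        return 500, "internal error"  # details go to server logs, not the client
    return (200, row[0]) if row else (404, "not found")

def handle(query_string, lookup, db):
    """Decode the query string the way a web framework would, then look up id."""
    raw_id = parse_qs(query_string, keep_blank_values=True).get("id", [""])[0]
    return lookup(db, raw_id)

# Constructed access-log lines (documentation IP range, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2000:10:00:00 +0000] '
    '"GET /subindex.php?faqe=details&id=57 HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2000:10:00:02 +0000] '
    '"GET /subindex.php?faqe=details&id=57%27 HTTP/1.1" 500 187',
]

REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def flag_quote_probes(lines):
    """Return (parameter, status) for requests whose decoded parameter value
    contains a single quote; a 500 next to one is worth a closer look."""
    hits = []
    for line in lines:
        match = REQUEST.search(line)
        if not match:
            continue
        params = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
        for name, values in params.items():
            if any("'" in value for value in values):
                hits.append((name, int(match.group(2))))
    return hits

if __name__ == "__main__":
    db = make_db()
    for qs in ("faqe=details&id=57", "faqe=details&id=57%27"):
        print(qs, "concatenated ->", handle(qs, lookup_concatenated, db))
        print(qs, "parameterized ->", handle(qs, lookup_parameterized, db))
    print("log hits:", flag_quote_probes(SAMPLE_LOG))
```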

Kayla eventually got access to hundreds of passwords for government contractors and lots of military e-mail addresses. The latter were worthless, since the military uses a token system for e-mail that is built into a computer chip on an individual’s ID card, and it requires a PIN and a certificate on the card before anyone is able to access anything.

It was boring and repetitive work, trawling through lists of e-mail addresses, looking for dumps from other hackers, and hunting for anything government or military related. But Kayla was said to be happy doing it. Every week or so, she would meet on IRC with q and pass over the collected info via encrypted e-mail, then await further instructions. If she asked what Julian Assange thought of what she was doing, q would say he approved of what was going on.

It turned out that q was good at lying.

Almost a year after Kayla started volunteering for WikiLeaks, other hackers who had been working with q found out he was a rogue operator who had recruited them without Assange’s knowledge. In late 2011, Assange asked q to leave the organization. Kayla was not the only volunteer looking for information for what she thought was WikiLeaks. The rogue operator had also gotten other hackers to work with him on false pretenses. And in addition, one source claims, q stole $60,000 from the WikiLeaks t-shirt shop and transferred the money into his personal account. WikiLeaks never found out what q was doing with the vulnerabilities that Kayla and other hackers found, though it is possible he sold them to others in the criminal underworld. It seemed, either way, like q did not really care about unearthing government corruption, and Kayla, a master at hiding her true identity from even her closest online friends, had been duped.

FTC Fines Spokeo $800K for Peddling False Employee Background Check Info

Spokeo, an online data broker, has agreed to pay an $800,000 fine to the Federal Communications Commission to settle charges it peddled inaccurate information about job applicants and violated consumer protection laws.

The FTC, which announced the agreement Tuesday, charged the broker with marketing profile information to human resource departments for background screenings on prospective employees. According to the complaint, Spokeo provided the information without first taking steps to ensure the information was accurate and without adhering to consumer protections provided by the Fair Credit Reporting Act.

The FTC also alleged that Spokeo published bogus customer endorsements on news and technology websites and blogs, portraying the endorsements as independent, when in fact Spokeo employees created them. Spokeo, as is common with FTC complaints, agreed to pay the fine without admitting guilt or liability.

Under the Fair Credit Reporting Act, entities that broker certain information about consumers, such as credit reporting agencies, must make an effort to provide fair and accurate information and give people an opportunity to correct inaccurate information about themselves. The data brokers must also put limits on who can access the data.

The case stems from a complaint filed in 2010 by the Center for Democracy and Technology, which accused the company of providing information about individuals’ credit ratings and other financial data without disclosing the source of the data or allowing individuals an opportunity to dispute and correct false information.

The site also did not let individuals know who had sought access to their information or inform employers that federal law required them to notify a job applicant if they didn’t get a job based on information Spokeo provided.

The CDT noted in its complaint that much of the information Spokeo provided about people was inaccurate, a fact that Threat Level verified in searches conducted on various individuals in the Spokeo database at the time that CDT filed its complaint.

Spokeo President and co-founder Harrison Tang has admitted in previous media interviews that the information his site provided contained inaccuracies, which he blamed on errors in original source materials and in the way his company’s algorithm assessed aggregated information. The company included a disclaimer on its site that data provided through its service “may not be used as a factor” in establishing an individual’s eligibility for credit, insurance, or employment and also asserted in its terms of use that it was not a consumer reporting agency.

But at the same time the company marketed itself to human resource professionals as a service for conducting background checks on job applicants, as well as to law enforcement agencies. Some of the information it marketed included “credit estimates” on individuals, as well as information on their income, investments and mortgage.

Spokeo’s business model revolved around collecting personal information about individuals from various sources, including social networks, and merging the data to build dossiers that included a name, address, age range, email address, hobbies, ethnicity, religion, participation on social networking sites and photos. The company marketed the profiles on a subscription basis to human resources professionals and job recruiters as an employee screening tool.

The FTC found that Spokeo was indeed operating as a consumer reporting agency, without following any of the legal obligations imposed on such agencies.

After the CDT filed its complaint with the FTC in 2010, Spokeo changed its marketing tactics, and now markets itself simply as an online people search engine.

Feds Tell Megaupload Users to Forget About Their Data


Federal authorities say they may shut down cloud-storage services without having to assist innocent customers in retrieving data lost in the process.

The government is making that argument in the case of Megaupload, the file-sharing service that was shuttered in January following federal criminal copyright-infringement indictments targeting its operators.

The Obama administration is telling an Ohio man seeking the return of his company’s high school sports footage that he should instead be suing Megaupload — even though the government seized Megaupload’s assets in January.

The filing (.pdf) comes as cloud-based storage services are becoming more and more popular — despite there being little clarity about what’s legal and what’s not — and who’s to blame if copyright infringement happens on a service. Even Apple announced enhancements Monday to its iCloud storage service.

Assisting former Megaupload customer Kyle Goodwin “would create a new and practically unlimited cause of action on behalf of any third party who can claim that the government’s execution of a search warrant adversely impacted a commercial relationship between the target of the search and the third party,” the authorities wrote the judge overseeing the prosecution.

As first reported by CNET, the government noted that Megaupload had 66.6 million users and that its seizure didn’t include the data O’Grady is seeking.

Though the authorities seized 25 petabytes of data, that was not all of Megaupload’s data. Megaupload rented more than 1,100 servers from hosting provider Carpathia — though the servers are of little use after the feds seized all of Megaupload’s domain names. The government says it doesn’t care what happens to the rest of the data, and has said Carpathia can erase it if it chooses.

“The government also does not oppose access by Kyle Goodwin to the 1,103 servers previously leased by Megaupload. But access is not the issue – if it was, Mr. Goodwin could simply hire a forensic expert to retrieve what he claims is his property and reimburse Carpathia for its associated costs,” the government wrote in a brief filing Friday. “The issue is that the process of identifying, copying, and returning Mr. Goodwin’s data will be inordinately expensive, and Mr. Goodwin wants the government, or Megaupload, or Carpathia, or anyone other than himself, to bear the cost.”

Goodwin is the owner of a startup called OhioSportsNet, which films and streams high school sports. He stored his copyrighted footage on the file-sharing network, and he has no backups as his hard drive crashed days before the government shuttered the site on Jan. 19. He is the only Megaupload customer to come forward in court seeking return of files.

But Goodwin’s lawyer, staff attorney Julie Samuels of the Electronic Frontier Foundation, says the government’s methods of prosecution of online copyright infringement means there will be more Goodwins in the future.

“As more and more consumers move their data to the cloud, and as the government continues its campaign to seize whole websites without regard for third-party property residing on those sites, it’s clear that we need a better solution. We hope the court will help us get there,” said Samuels.

Megaupload allowed users to upload large files and share them with others, but the feds and Hollywood allege the service was used almost exclusively for sharing copyrighted material — which Megaupload denies.

The criminal prosecution of Megaupload targets seven individuals connected to the Hong Kong-based file-sharing site, including founder Kim Dotcom. They were indicted in January on a variety of charges, including criminal copyright infringement and conspiracy to commit money laundering.

Five members of what the authorities called a 5-year-old “racketeering conspiracy,” including Dotcom, have been arrested in New Zealand and are pending possible extradition to the United States.

The government said the site, which generated hundreds of millions in user fees and advertising, facilitated copyright infringement of music, television programs, electronic books, business and entertainment software, and, perhaps most damningly, movies, often before their theatrical release. The government said Megaupload’s “estimated harm” to copyright holders was “well in excess of $500 million.”

Carpathia said it is spending $9,000 daily to retain the Megaupload data, and is demanding that Judge Liam O’Grady relieve it of that burden. Megaupload, meanwhile, wants the government to free up some of the millions in dollars of seized Megaupload assets to be released to pay Carpathia to retain the data for its defense and possibly to return data to its customers — a proposition which the government rejects.