The victory of the PBS attack had left Topiary in a daze of newfound fame and hubris. He knew he wasn’t leading the hacks or really even partaking in their mechanics, but acting as the mouthpiece for LulzSec certainly made it seem to him, and sometimes to the others in the group, like he was steering the ship. That meant speaking on behalf of LulzSec when he got into verbal tiffs with some often impassioned enemies on Twitter.
The PBS hack had ushered in a blast of attention from the media and earned the group a sudden wave of fans, with even the administrators of Pastebin, the free text application that LulzSec was using to dump its spoils, apparently happy with the extra web traffic they got with each release. But in a world already steeped in trolling, drama, and civil war, there were plenty of eager detractors. Jennifer Emick flung a few diatribes at the LulzSec Twitter feed, as did the Dutch teenager Martijn “Awinee” Gonlag, who had been arrested in December of 2010 when he used the LOIC tool against the Netherlands government without hiding his IP address.
Awinee and many other “Twitter trolls” appeared to align themselves with The Jester, the ex-military hacker who had DDoS’d WikiLeaks in December of 2010, then taken down the Westboro Baptist Church sites in February. He was never as dangerous as the actual police, but he was certainly a source of drama and distraction. The Jester hung out in an IRC channel called #Jester, on a network aligned with the magazine 2600: The Hacker Quarterly.
The name 2600 came from the discovery in the 1960s that a plastic toy whistle found inside certain boxes of Cap’n Crunch cereal in the United States created the exact 2,600 hertz tone that led a telephone switch to think a call was over. It was how early hackers of the 1980s, known as phone phreaks, subverted telephone systems to their desires. Unlike AnonOps IRC, on the 2600 IRC network, any talk of illegal activity was generally frowned upon. If people talked about launching a DDoS attack, they were discussing the technological intricacies of such an attack. If 2600 was a weapons store where enthusiasts discussed double- and single-action triggers, AnonOps was the bar in a dark alley where the desperadoes talked of who they’d like to hit next.
After hitting PBS, LulzSec’s founders decided that as attention to LulzSec grew, they would eventually need their own IRC network just like AnonOps and 2600. Sabu also wanted to create a second tier of supporters, a close-knit network beyond the core six members that could help them on hacks. The team had decided from the beginning that their core of six should never be breached or added to, and when Topiary heard Sabu’s plans, he felt skeptical. Just look what had happened in #HQ when Kayla had invited Laurelai. But Sabu argued they needed at least a fluid secondary ring of supporters. These were people that Sabu already knew from the underground and trusted 100 percent or they weren’t in. Sabu had started talking to some of his old crew and he invited them into an IRC chat room they had created for these new supporters, called #pure-elite, named after a website he had created for his hacking friends in 1999. These were genius programmers and people with powerful botnets, veteran hackers from the 1990s who had gotten into the networks at Microsoft, NASA, and the FBI. The combined skills of the group were almost frightening. Topiary reminded Sabu that he wasn’t comfortable with all the new people—it seemed risky. Who knew; one of these people might leak logs, as Laurelai had done so devastatingly in #HQ. It also brought up the question of why Sabu even needed him anymore.
All the same, he could hardly believe the company he was now in. He focused on picking up tips from the others. If they used hacker terminology he didn’t understand, he would Google it: jargon like virtual machines, hacking methods like SQL injection, various types of attack vectors and programming terminology. If he hit a brick wall, they could give him a quick summary.
Soon there were eleven supporters in #pure-elite to learn from, plus the original six. Sabu was still the main person to ask about finding exploits; Kayla about securing yourself. AVunit and Tflow were still the experts in infrastructure. For Sabu, the extra supporters weren’t there to teach him anything—he believed he and LulzSec were training them. Sabu tended to think of everyone in the subgroup as a student and he told Topiary privately that he hoped this could lead to the start of another anti-security, or Antisec, movement. The last time Antisec had been in the headlines was the early 2000s, when the Web’s disrupters were a few hundred skilled hackers, as opposed to the thousands of Internet-savvy people joining Anonymous today.
By now Kayla and the others who had been scanning for big-name websites with security vulnerabilities had hundreds to work from. But each one had to be checked out, first to see if it could be exploited so that someone could enter the network, and second to see if there was anything interesting to leak from it. All these things took time and were often done sporadically without roles being assigned. People would volunteer to check a vulnerability out. LulzSec now had a raft of much bigger targets beyond PBS and Fox that they could potentially go after, some with .mil and .gov web addresses. None of them corresponded to any particular theme or principle; if hackers found a high-profile organization that looked interesting, they would go after it and explain their reasoning later. Knowing that Sabu had a tendency to inflate his rhetoric about targets, Topiary did not yet understand what hitting some of these websites actually meant.
The associates were hackers like Neuron, an easygoing exploit enthusiast; Storm, who was mysterious but highly skilled; Joepie91, the well-known and extremely loquacious Anon who ran the AnonNews.net website; M_nerva, a somewhat aloof but attentive young hacker; and Trollpoll, a dedicated anti–white hat activist. In the most busy periods of LulzSec, both the core and secondary crew were in #pure-elite or online for most of the day and sometimes through the night. Some were talented coders who could create new scripts for the team as their own side projects; Pwnsauce, for instance, had been working on a project to create a new type of encryption.
In the end, Topiary never invited anyone he knew into #pure-elite, and while Kayla had recommended a few friends, Sabu wasn’t comfortable with letting them in either. According to Topiary, about 90 percent of the hackers who ended up in #pure-elite were Sabu’s friends or acquaintances from the underground. The #pure-elite chat room was an invite-only hidden command center, but the original founders would occasionally retreat to an even more secretive core channel to talk about the new recruits, the enemies, and, on rare occasions, strategy. The atmosphere in #pure-elite was often buzzing as the crew celebrated over the latest attack and resultant media attention. When M_nerva entered the room, he seemed to be noticing this for the first time.
“Lots of news coverage,” he said on the evening of May 31.
Topiary showed him a photo of the front page of the Wall Street Journal’s Marketplace section. The lead story had the headline “Hackers Broaden Their Attacks” and the subtitle: “Almost Anyone Is a Target.” Underneath it was a large image of the cartoonish Nyan Cat image they had uploaded to the PBS website, and the LulzSec monocled man. Above the rainbow emanating from Nyan Cat’s butt as it flew through space was the Internet meme “All your base are belong to LulzSec.” It was a most surreal combination of old media and Internet subculture.
“Fucking Wall Street Journal printed a Twitter name and a fucking cat in space,” said Topiary, incredulous.
The group was shooting the breeze mostly, chatting about the technical intricacies of Internet browsers, while Topiary would drop updates on the group’s Bitcoin donations. Participants would report on leaks they were being offered by other hackers outside the group and, increasingly, on what LulzSec’s enemies were up to. These antagonists were made up of online colleagues Backtrace and hackers like The Jester; both camps often chatted together on the 2600 IRC network. There was no requirement for being invited into the #pure-elite room and no rules other than the obvious one to keep everything that was said there secret. The channel topic, set by Sabu, always said: “NO LEAKS—RESPECT EACH OTHER—RESEARCH AND EXPLOIT DEV!” The one policy of #pure-elite was that no one was to store chat logs from the channel.
The secondary crew generally knew their place, aware that directions would come from Sabu, Topiary, and Kayla, and they were meant to be followed. Overall, they were happy to be coming along for the ride, though a few were shocked at the backlash LulzSec was getting.
“By the way,” Storm said one evening. “FailSec? WTF is this shit?” He was referring to another Twitter account with a few hundred followers that had been set up to publicly heckle LulzSec with messages like “Load fail cannons!” and ominous hints that the team would soon be in jail.
“Storm, we’ve had stalkers like that for months,” said Topiary. “They follow us everywhere we go. They monitor everything we do. They make parodies of our accounts.” He thought for a moment then added, “We’re kind of like a rock band.” With stardom came infamy. Some of their detractors were so obsessed with heckling LulzSec that when Topiary blocked one on Twitter, the detractor would create two or three more accounts to keep talking.
Kayla pointed out that Adrian Lamo, the hacker who claimed to have outed the WikiLeaks alleged mole, Private Bradley Manning, had even registered the web address LulzSec.com to stop the team from using it as a website. Lamo, age thirty and diagnosed with Asperger’s syndrome, had been called the “world’s most hated hacker” for passing information on Manning to military intelligence.
Storm offered to find a different URL, but Topiary declined. He and Tflow were already designing a simple-looking official site for LulzSec in their spare time. Naturally, the background would be of the Nyan Cat flying in space and would borrow the design template of HBGary.com.
“Night guiz,” M_nerva suddenly said.
“Night,” said three of the others. M_nerva signed off. It was nighttime in the United States, but LulzSec and its supporters were bored and looking for things to do.
“Wanna find something to hit?” Topiary asked the room.
“Sure,” said Storm.
“There’s a shit cool site, FBI.gov,” said Topiary jokingly. There was a pause.
“Are you really that open to just going to jail?” Storm said.
“I suppose we could piss off some IRC for lulz,” said Topiary, pointing to a less risky target.
“Sure,” Storm said. Topiary and Kayla decided that, high on their victory against PBS, it was time to go after their biggest detractor, The Jester. They would not just spam his channel #Jester and boot off his so-called Jesterfags but flood the entire 2600 chat network with junk traffic and take all of it offline. It may have housed hundreds of participants, but it was still The Jester’s hideout, and Topiary hoped that the result would be the 2600 admins getting angry not at LulzSec but at The Jester for provoking them. Topiary was sure that The Jester’s supporters included people like Emick and Byun from Backtrace and considered sending spies into his channel at some point to see what they were up to, maybe profile some of its members. If Jester’s people were trying to provoke, it was working. Topiary and the others had become increasingly irritated by The Jester over the past few days and now were set on attacking his crew for both fun and revenge.
“Best thing to do when bored,” said Kayla in #pure-elite, “go to 2600 irc and just cause drama :D.”
“Should we just go on over to 2600, flame them, and then packet it?” Topiary said, already getting ready for the action. He connected to the 2600 network to get a firsthand view of the network going down.
Storm’s role was to launch a Denial of Service (DoS) attack on the 2600 network. This was like a DDoS but without the extra D for “distributed,” since Storm was sending junk packets from a single computer or server, not from multiple machines. (It was a loose term in any case—if your computer was running a virtual machine, or VM, and you launched a DoS attack, that could be considered more than one computer and thus a DDoS attack.) How could one computer launch a DoS attack against an IRC network? It would need a server or two to help amplify the data transfer. Sabu had used a similar method for his attack on the Tunisian government, though to a much greater degree, with the help of broadcast servers that he’d claimed to secretly hijack from a hosting company in London. Storm rented a basic server, so while his attack wasn’t as powerful, it could easily take down a small IRC network. Many people in Anonymous and in hacker circles, particularly those who acted as operators for AnonOps IRC, rented or owned servers. Controlling a server was more common than controlling a botnet; it was like owning a nice car. You paid good money for it but were happy to let other people ride in what was a status symbol as much as a useful tool.
Storm could use his server to fling a hundred megabytes of junk traffic per second to a target. The process was not that different from uploading a picture or movie to Facebook or to a file-sharing site. In that case, you are uploading something useful at perhaps four megabytes a second. Storm’s extra server acted like an electric guitar amplifier, but increasing data speed, not sound.
Storm would use his server to aim junk packets at certain sections of the 2600 chat network, server nodes of the network known as leaves. If you’re sending junk packets instead of useful data, it can overload a server and take it offline. An IRC network was like a tree, and 2600 had three so-called leaves. Instead of attacking the whole network at once, Storm flooded each individual leaf. Using this plan, he could needle the hundreds of participants to scramble from one leaf to another instead of disconnecting altogether and waiting for the network to come back up. The ultimate goal was to annoy them as much as possible.
Through the IRC command map, the LulzSec group could watch how many users were on each of their enemy network’s leaves. Before Storm’s attack there had been about six hundred people on all leaves, and then the number started dropping. In just over ten minutes, one of the leaves went down.
“It’s nulled,” said Storm.
“Haha,” said Kayla.
After seven minutes, as the users were jumping around to stay connected, Storm took down another leaf and kept it down for about fifteen minutes. He let it up again for twenty minutes so participants would think everything was okay, and then he took it down again.
“I can’t even connect to 2600,” reported Kayla. Storm laughed.
“These guys are so fun to fuck,” said Topiary.
“Wait :D let us troll the shit out of them first :D,” said Kayla, “then we can PUSH/SYN/ACK/UDP them to oblivion hahahahahahaha.” That was a reference to different types of junk packets. Attacking an entire network to get back at one annoying clique didn’t seem to strike anyone in the group as an abuse of power or an act of bullying. Instead, with Storm now getting the limelight, Kayla couldn’t help but mention her own successful attacks of the days of Chanology, and she started reminiscing about how she had DDoS’d three Chanology sites for three weeks back in 2009—the incident where she had been stumbled upon by Laurelai.
“Ahaha that was you?” asked Topiary.
“Yes :D,” said Kayla.
“Gregg Housh was bitching about that.”
“A lot of people were bitching about it.”
“Sending packets of size 40…” Storm reported. Another server leaf was nulled. “Dude, they’re not gonna have anywhere to chat.” Now three key servers hosting the 2600 chat network were down. He and Topiary started trying to connect to the network and couldn’t.
“Lolz,” said Storm.
“We should do this everyday until they refuse to house Jester,” said Topiary. He pointed out the small clique of people communicating with Jester on Twitter, and Awinee, from Holland, was being especially vindictive. “These are the same guys who specifically went after Sabu and our crew back in February with HBGary,” Topiary added. “They’re a lovable bunch of scoundrels.”
Topiary sent some messages from the LulzSec feed: “What’s wrong with irc.2600.net AKA Jester’s hideout? Oops, I think we just fucked it. Sorry, Awinee and crew. Have fun explaining to the 2600.net admins that we just took down the entire network because of Jester people. Uh-oh!”
Back on #pure-elite, weapons were still firing at the 2600 servers. “Should I let it back up?” Storm asked Topiary.
“Whatever you want.”
When he saw more criticism from Jester’s people on Twitter, Storm switched to a different type of junk packet. And as Awinee kept up his rhetoric, LulzSec kept attacking. LulzSec was behaving like other hacker groups with its tit-for-tat behavior, except that more traditional hackers wouldn’t have been riled up by a few relatively unskilled hecklers on Twitter. Perhaps it was because LulzSec was so open and public, but it was the critics who spoke the loudest that seemed to get under the group’s skin the most.
Storm was proving a useful supporter with his DDoSing ability. In front of the crew, Topiary called him the LulzSec “cannonfire officer,” working in tandem with Kayla, who was the group’s assassin and spy. “We dock in ports and she immerses, and eliminates.”
“I also bake cookies,” she added.
Everyone was laughing. They were all game for more attacks when Sabu finally entered the room. By now it was early in the morning New York time.
“I wake up to Storm packeting, and Kayla excited,” he said. “What you niggas been doing without me?” There was a pause. His tone was lighthearted, but the crew knew about his hot temper from the #HQ channel with Laurelai and about his general tendency to blow up at others who disagreed with him. His presence made some a little anxious. If this had been real life, everyone might have been glancing at one another or at the floor.
“Owning 2600.net,” said Storm. “About it.”
“Lol, they’re going to end up losing some servers,” said Sabu. “I want to own 2600 servers themselves.”
“That would be awesome,” Topiary said.
“Topiary my brother, how are you?” Sabu asked.
“Good Sabu, what’s up?”
“Nothing broscope. Just woke up, tired as balls.” Sabu took a break from the discussions, and people went back to planning ways to mess with Jester’s crew or configuring software tools and scripts for future hacks.
Quickly the group was splitting into all manner of channels to find new leads for hacks or flush out spies. Hopping from channel to channel and network to network was no trouble for these guys, some of whom were used to jumping around twenty-five IRC networks at the same time.
When 2600 came back online, Topiary, Joepie91, and others started hopping over to the network to spy on its participants before coming back to report new gossip. Rather brazenly, they then set up their own #LulzSec channel on the 2600 network. Pretty soon it was teeming with dozens, then more than a hundred people. It was impossible to tell at first who they all were, but enough observation showed they were a mixture of Anons, script kiddies, general fans who had heard about LulzSec from media reports, and white hat hackers. Over time the LulzSec crew came to believe that around half the makeup of that channel, which anyone could access, was a mixture of spies from enemy groups like Jester’s and Feds. In their new, public #LulzSec chat room on 2600, the crew were disguised by their maritime-related names: Whirlpool for Topiary, Kraken for Kayla, and Seabed for Sabu.
As Sabu observed these developments, he grew concerned that the crew was getting too excited about having fun on the 2600 network—a place they had attacked but where they had also set up their own public meeting room. It was impossible to distinguish the real fans from the spies who wanted to manipulate the crew for information and access. At one point it looked like Kayla had gone back into Santa Claus mode and offered some stolen voucher codes from Amazon to someone outside the crew. When Sabu found out about the conversation, Kayla explained that she had merely given someone a few of the coupons so they could be tested and eventually sold on the black market. Sabu, who was already wary of Kayla’s connection to Laurelai, was perturbed.
“Ok guys,” he suddenly said. “I don’t have to say this more than once I hope. But people on 2600 are not your friends. 95% are there to social engineer you. To analyze how you talk and make connections. Don’t go off and befriend any of them.”
He didn’t mind that the reprimand pierced the lighthearted atmosphere. Four other secondary-crew members quickly insisted that they were being careful about hiding their identities, doing so by speaking in broken English so they would appear to be foreign. But Sabu added that if anyone gave them private info, they should log it and show it to the team. If they were sent a link, look at it from a secure connection.
“Be smart about shit,” he concluded. “If any of you get owned, I’ll LOL.”
Kayla then piped up, as if she wanted to show the others that she was on the same page with Sabu. “Another protip,” she said. “Even if you are American, don’t spell it ‘color,’ use ‘colour,’ which is wider used around the world. Just saying ‘color’ means you are American.”
Sabu didn’t seem to be listening and gave Kayla a new order. He wanted her to change the topic of the public #LulzSec chat room to say that anyone with 0days and leaks should message her new pseudonym in the channel.
“Make sure we take advantage of that,” he said. “See what niggers got access to.” Kayla signed out. Sabu enjoyed the banter that took place in #pure-elite between the organizational talk, but he was constantly reminding the group to stay focused on finding new exploits and keeping the group as tight-knit as possible. It made for a tense atmosphere, but it was necessary. The team’s profile was rising faster than they had ever expected. Googling the name LulzSec on June 1 had yielded twenty-five thousand mentions on the Internet. In less than twenty-four hours, that number had risen to two hundred thousand.