> CHAPTER 11

> MIXTER, MUENCH, AND PHINEAS

WHILE JAKE APPELBAUM provided one example of the Cult of the Dead Cow’s negative influence, he was not the only one. Edward Snowden had pulled back the veil and shown the symbiosis between Western intelligence agencies and big technology companies. cDc blood had infused both sides of that relationship, and both had lost moral luster. But soon cDc’s descendants would be playing on all sides of an increasingly complex struggle among spies in many countries, their technology suppliers, and the enemies of those suppliers—both those opposed for moral reasons, like the Citizen Lab, and those opposed for geopolitical reasons. Then, too, there would be anonymous vigilantes with motives hard to discern. For the most part they remained hidden, protected either by the technological sophistication of the very best hackers or by the tools provided by a nation-state.

The root cause of all this mess was the deeper integration of the nearly indefensible internet into all major economies during the tech industry’s amoral drift of the 2000s. As that happened, it was inevitable that big governments would use security weaknesses to their advantage. It did not have to follow that they would ignore basic defense research, but they did that too. So what cDc had called out as a looming disaster at the turn of the millennium—shoddy software, uneducated buyers, and disengaged officials—had gotten much worse over the next decade. Instead of acting, perhaps in concert, to improve the security of what was driving economic growth for everyone, governments were supporting a dark market for knowledge about specific software flaws and techniques for exploiting them in order to spy. For some governments, the top targets were human rights advocates, journalists, and minority-party politicians. The people Laird Brown and his ilk had set out to protect were now in a much worse position than a decade before. “When I was young, there was something fun about the insecurity of the internet,” complained Signal inventor Moxie Marlinspike. It opened up possibilities for anyone inventive enough to take advantage, despite their underdog status. Now “internet insecurity is used by people I don’t like against people I do: the government against the people.”

Of course, many of those who ended up supplying tools to the wrong people began with good intentions, including an early supporter of Laird’s Hacktivismo project named Martin Muench. While German hacker Kemal Akman, known as Mixter and a latter-day cDc member, was writing the Six/Four proxy system for Laird, he landed a job at a Munich start-up called Ciphire Labs, which was trying to develop an encrypted email system. Kemal helped get Laird a job there as well, and he looked for colleagues at the company who might volunteer for Hacktivismo. Kemal thought he’d found a perfect candidate in Muench, an intense and brilliant teenager. Kemal added him to the Hacktivismo mailing list, which had about twenty steady contributors and ten times as many quiet readers who lurked and learned. Kemal also introduced the young man to others he knew in the Berlin scene centering around the Chaos Computer Club.

“Martin was an idealist,” Kemal said. “He had my full trust.” But Muench “wanted to be a rock star,” and that also influenced his trajectory. Muench told Kemal that he wanted to help the police catch the worst of the worst, the makers of child pornography, and he left Ciphire to go work on software that he said would help. Because he had recruited and mentored Muench and introduced him to human rights–oriented hackers around Berlin, Kemal felt guilty for what happened next. “I put Martin on there. I am partly responsible for his career,” Kemal said. “I personally found him a bit strange.” Laird said he still regards Muench as a friend, one who lost control of a project due to a struggle inside the company he started, not because he had chosen an immoral path.

Whatever the reason, Muench’s system became the next flashpoint in the fight over hacking, security, and privacy. As with WikiLeaks, the debate would go beyond professionals and engage the media and general public in a discussion about the balance of power between governments and average citizens. Though hunting from behind blinds, Russia has been driving a significant chunk of that debate, probably in the case of Muench’s company, and definitely in the dumping of hacking tools used by the National Security Agency. While cDc had started blending political motives and security work with the Hong Kong Blondes, two decades of increasing geopolitical influence on hacktivist causes since then have made it hard to tease apart the real actors and purpose behind many public hacks.

Muench’s modest program developed into spyware called FinFisher or FinSpy. In Kemal’s thinking, Back Orifice 2000 inspired the project, and Muench might have adapted some code from that open-source effort. But Christien Rioux was aiming only at Windows computers. Muench’s FinFisher targeted Windows and Apple computers, Android and Apple phones, other devices, and most operating systems. There were other differences too. Anybody could use Back Orifice 2000, but those users needed to find a working exploit, or a gullible victim, to get it installed. The company selling Muench’s FinFisher, called Gamma Group, also provided the tricks to get it installed on the devices. Muench headed product development and Gamma’s Munich office. Gamma also had a headquarters in the UK and affiliated companies in Singapore and other countries, which ostensibly sold only to established government agencies.

Kemal heard about Muench’s connection to Gamma in 2008. In 2011, activists infiltrated the trade shows known as the Wiretapper’s Ball and emerged with a sixty-page Gamma catalog. “FinFisher is the cutting edge offensive IT intrusion portfolio on the market today,” it declared. The portfolio included impressive spy programs aimed at smartphones. Those were very hard to detect, could be operated remotely, and would not only capture voice calls and electronic contact lists but also turn the phones into constant surveillance recorders. The same year, during the Arab Spring, Egyptian rebels discovered that a similar pitch had been made to the brutal State Security Investigations Service. Gamma said that the deal hadn’t gone through, that it complied with export laws, and that it only sold to governments targeting criminals.

But activists suspected repressive regimes, including those under widespread sanctions, like Sudan, were using FinFisher against law-abiding dissidents. In 2012, Bloomberg News obtained emails sent to Bahraini activists that were suspected of carrying the spyware and handed them off to the Laird-inspired Citizen Lab. A Citizen Lab team led by a Google security expert dove deep. For the first time, they established that the infections were connected to Gamma, how the infections worked, and that data from the victims would be sent to the Bahraini government’s telecommunications company. Citizen Lab found FinFisher servers in dozens of countries, including the UAE, Ethiopia, and Vietnam, where bloggers were being targeted. Technological tricks used by the company included intervening in software update processes and using exploits for Adobe’s Flash player.

Two years later, someone hacked Gamma, badly. The hacker opened a parody Twitter account, @GammaGroupPR, and tweeted links to stolen files with source code, client lists, and other damaging information, including a chart showing that the largest number of visitors to the company’s customer-support pages had shifted from the Netherlands, France, and China in 2009 to China and the US in 2014. The tech press had a field day, activist researchers rejoiced, and nonprofits filed complaints with authorities that severely hurt the company.

In 2015, @GammaGroupPR came back to life to announce that it had also hacked Gamma’s best-known rival, Italian company Hacking Team. As LulzSec had with HBGary Federal’s Aaron Barr, the hackers delighted in pointing out the company’s poor security. Once more they dumped source code, client lists that showed apparent sanctions violations, and embarrassing emails. Hacking Team tools had been used against Ethiopian journalists and other innocents, including some inside the US. The person controlling the @GammaGroupPR account, who referred to himself as Phineas Fisher, said in a later interview with VICE that he had gone after both companies out of moral outrage. “I just read the Citizen Lab reports on FinFisher and Hacking Team and thought, ‘That’s fucked up,’ and I hacked them,” he explained. “Hopefully it can at least set them back a bit and give some breathing room to the people being targeted with their software.” In that interview, conducted over electronic chat in July 2016, Phineas used informal English and alluded to the Antisec movement from years earlier. Describing himself as an “anarchist revolutionary,” Phineas published tutorials and a manifesto encouraging others to hack their oppressors.

In another interview a month earlier, Phineas admitted to hacking a Catalan police union, in the Spanish region that includes Barcelona, and posting the home addresses of more than five thousand officers. He called it a “small strike against power” and denied being Spanish or speaking either Spanish or Catalan. All the same, that very local target fueled speculation that Phineas was a politically minded hacker from the region.

Phineas’s stunts took the original Antisec movement and HBGary breach in exactly the direction that previous hacktivists who were willing to break the law would have gone. He used his knowledge of how the world really works to make it harder for technology to be applied for oppression. After Phineas came leaks of purloined material from Cellebrite, an Israeli tech forensics company that breaks into phones for law enforcement, and from the makers of FlexiSpy, spyware used by parents to track children and by romantic partners to snoop on each other. (Cellebrite had been reported by some publications as the company that helped the FBI finally break into the Apple iPhone of a terrorist who killed public employees in San Bernardino, California, after Apple refused to do it.) The FlexiSpy hackers paid tribute to Phineas and published an updated security and how-to-hack guide for fans. “If you’re a hacker, hack back,” they wrote. “If you’re an ordinary person, stay safe. Watch how things progress, and see what people are saying about how to detect FlexiSpy and protect yourselves.… If you’re a spouseware vendor, we’re coming for you. Stop, rethink your life, kill your company, and be a better person. Otherwise, you’ll be seeing us soon.” Gabriella Coleman, the Anonymous chronicler teaching at McGill University, called the trend the birth of “public interest hacking,” and it is likely that at least some of what grew to more than a half-dozen spyware breaches stemmed from moral objections to the vendors’ conduct.

All the same, it is worth taking another look at instigator Phineas in the wake of the hack of the Democratic National Committee and publication of NSA tools. The basics of the DNC breach and others against Democratic Party officials during the 2016 US elections have been clearly established by US investigators, including those working for special counsel Robert Mueller. One DNC breach came shortly after the publication of a Pulitzer-winning series of articles about the leaked Panama Papers, which showed that Putin’s friends were stashing billions of dollars overseas. Putin blamed Clinton for the underlying leak of an offshore law firm’s files. Given that US intelligence had indeed debated exposing Putin’s corruption, he may have been right that it was a CIA operation. Though Assange tried to cast doubts about who provided WikiLeaks with stolen emails, Russian intelligence clearly drove the attack on the DNC and related hacks. The persona Guccifer 2.0, which shopped some stolen DNC data while claiming to be Romanian, once forgot to use a virtual private network to connect and revealed his true location at the GRU, Russia’s military intelligence service. Russia also arranged for the publication of emails and other documents by WikiLeaks and others.

The major NSA breach has not been tied up as neatly. In August 2016, just weeks after Phineas stopped bragging, a group calling itself the Shadow Brokers appeared on Twitter and began dropping not only vulnerabilities in Microsoft’s Windows, Cisco routers, and other programs but also working exploits, all of which had been held by the NSA. Most of the information came from late 2013, after Edward Snowden had left the agency, meaning that there was another mole, or a hack of agency hardware, or a careless employee who had been hacked. Shadow Brokers kept going for months. Some of the tricks it disclosed were then used by others, including the presumed North Korean distributors of badly crafted ransomware called WannaCry, which shuttered hospitals and other facilities around the planet in 2017. Eventually, two NSA employees were charged with bringing classified files home. At least one of them had been running Kaspersky antivirus on his personal computer.

That was cause for special concern, because the Israelis had broken into Kaspersky’s networks in 2015. Inside, they had seen that the software was used to search for classified US documents, and they had warned the Americans. The consensus in the intelligence agencies was that the Russians had obtained at least some of the Shadow Brokers information in that manner. The disclosures badly hurt Kaspersky, which had enjoyed a remarkable run publicly exposing high-end US malware, starting with the Stuxnet worm, which had knocked out Iranian nuclear centrifuges. Kaspersky admitted it had taken some secret files from a US government employee, though it claimed that it had deleted them. The US banned it from federal government use.

The Russians had the motive to steal US hacking tools, the means to do it, and the opportunity. Russia was also one of the few suspects with so many of its own tools that it could afford to dump those of the US instead of hoarding them for its own use. The timing is particularly interesting, since the NSA dumps began in August 2016, two months after the DNC breach was disclosed. Russia created chaos and distraction inside the agencies best able to find the source of the DNC hack and strike back, helping to paralyze the Obama administration and mute its response.

With that history in mind, it is worth revisiting the identity of Phineas Fisher. Missing from virtually all of the mainstream media coverage was the fact that Gamma Group and Hacking Team generally did not sell to Russia or its closest allies. They sold hacking tools to the West, and Phineas stole them and dumped them in public, just as the Shadow Brokers would do starting weeks later with the NSA. In addition, Gamma Group held special interest for Kaspersky. Two former Kaspersky employees told me that the company had lifted inactive code from a Gamma computer after someone there foolishly installed their antivirus software.

And then there are the matters of Phineas’s choice of other targets and what we now know to be Russia’s strategy of sowing division in the European Union, in the US, and in other strategic countries. An attack on the Catalan police union would fit with pitting regions against the central Spanish government, which emerged as a Russian goal in 2017 when the Catalan government defied a Madrid court order and held a referendum on seceding. After Spain ordered the Catalan leader removed, the loyalty of the police was of enormous importance.

It would be surprising for a highly skilled, willfully lawbreaking, and morally driven hacker to take down both Gamma Group and Hacking Team and still get seriously involved with Spanish political issues. At a minimum, you would expect someone with that combination to be Spanish. But that is not all Phineas did. He also hacked the data of innocent Turkish citizens during a period of confrontation between Russia and Turkey and made that data public. Though this context was missing from most of the hack’s coverage, Russia and Turkey had been in an escalating confrontation since Turkey had shot down a Russian plane, killing its pilot, in late 2015. Over the next half-year, Putin increased pressure on Turkish president Recep Erdogan with sanctions on Turkish food imports and a ban on sales of Turkish tourist packages to Russians. At the same time, Erdogan was losing popularity in the West as he cracked down on the media and activists. Meanwhile, Russia and Turkey were pursuing different goals in neighboring Syria, Russia’s client state. Erdogan had to choose between Washington and Moscow, and he eventually opted for the latter. Even though the downed plane was believed to have been in Turkish airspace, Erdogan folded and wrote to Putin in June 2016: “I once again express my sympathy and profound condolences to the family of the Russian pilot who was killed, and I apologize to them.”

It emerged later that Erdogan had planned to purge the military, and that this triggered a coup attempt in July 2016. Russia was the first outside nation to condemn the coup, suggesting that the alliance had been firmed up beforehand. But many pieces were in play at once, and it would make sense for Russia to have been interested in weakening Erdogan’s hand by exposing his party’s followers to scrutiny, in the same way that exposing the Catalan police officers’ personal information could have been useful in stirring the pot. Perhaps Russia was betting on both sides of the Erdogan-military conflict, so that whoever emerged victorious would be in its debt. In any case, it would make more sense for Russia to publish such information than it would for a politically minded hacker in Spain or elsewhere.

Phineas’s explanation for what he was trying to do and what went wrong, on the other hand, makes little sense. “I hacked AKP (the ruling party in Turkey) because I support the society [Kurdish] people are trying to build in Rojava and Bakur, and they’re being attacked by Turkey,” Phineas posted in July. He then added a complex story for why sensitive information was published about ordinary people. According to Phineas, he had hacked into the party’s servers and shared a historical file of emails with people in the restive regions, asking them what he should do with the access. The emails themselves were not interesting. They included people asking for potholes to be fixed or for help finding work. There was nothing from Erdogan or his inner circle. Then, “there was a miscommunication between some of them,” Phineas wrote, and one of the people gave the dump to WikiLeaks. He said that even though the person who had relayed the files realized the mistake and asked WikiLeaks not to publish, it did so anyway.

But Phineas then published more files himself, including a database of ordinary AKP members and, worse, a database of almost all the adult women in Turkey, along with cell phone numbers and addresses for many of them. Those databases were copied and reposted by people like UK security activist Thomas White, who tweeted as @CthulhuSec and had won a measure of controversial fame by posting the fruits of many large hacks. WikiLeaks tweeted links to those databases, which allowed millions of women to be reached by stalkers, further angering previous admirers of Phineas, such as Electronic Frontier Foundation activist Eva Galperin. “Who’s that behind the not-so-great leak of Turkish emails?” Galperin wrote on Twitter. “It’s @GammaGroupPR, whose previous work I have enjoyed.” Three months later, White stopped posting links to leaked data, complaining that the motives of the hackers had gotten more crass. Three months after that, Phineas told VICE he was retiring his moniker and that he would take a break from all hacking.

So now we have a hacker who is extraordinarily skilled, ethically driven, and broad enough in his thinking to go after both the rank-and-file regional police in Barcelona and the Turkish ruling party, yet sloppy enough to expose the phone numbers of millions of women in a patriarchal society to the general public, along with those of ordinary party members just as they became uniquely at risk if exposed. It seems unlikely. Even without the relationship with WikiLeaks, an equally logical explanation would be that Phineas is a Russian intelligence project. Indeed, that was Washington’s private conclusion. Within US intelligence, “it’s generally assumed to be Russians,” said Jim Lewis, a well-connected longtime senior State Department official and negotiator on global internet issues. “It’s consistent with Russian activities in other areas.”

If the Russians did try to ruin Gamma Group and Hacking Team, they had their own tools for spying on citizens and enemies and were merely making life harder for governments in the West. That doesn’t necessarily mean that those companies didn’t deserve exposure. Kemal, for one, didn’t hesitate before applauding the leak, even if it came from the Kremlin and hurt his old friend Muench. “I’m really happy about it,” he said of the exposed Gamma tools. “They should be leaked, and they should be burned.”

Even if Phineas isn’t Russian, a look at the bigger picture is warranted. We have to accept that hacktivism is often polluted by geopolitics—as, in fact, it was with Laird—and that such influence can be impossible to detect. If that weren’t alarming enough, there is a deeper realization. The great powers of the world contest each other in public and in secret, using arms and money, diplomacy and spying, false activism and public relations. At the same time, most governments have similar interests against their own people. None of them want their citizens to be able to communicate in secret, not even the United States. In 2018 the FBI was still railing against the ability of people to use encryption that vendors cannot break, and congressional allies were still threatening legislation to outlaw such security.

Kemal saw the trend toward greater government power against the individual as so dispiriting that in 2011 he left the security industry for years. Like others in cDc, he felt the best remaining hope for preserving individual freedoms lay with the biggest vendors, like Apple and Google, who could in theory play the major governments off one another and protect users in the process, and with private start-ups like Signal that feel they are chasing things more important than money.

Apple was clearly a battlefront. It was home to @stake veterans Window Snyder, David Litchfield, and Rob Beck, along with many more cDc kindred spirits. Some of them helped stave off the FBI’s attempt to force it to crack the San Bernardino iPhone. Apple argued that the government could probably find a way to break the phone on its own and that making it write a new program would be compelled speech, which has been found unconstitutional. The FBI was losing when it suddenly found an unnamed contractor with a zero-day that could do the job and dropped the case. Google was another war zone stocked with cDc members and admirers. It had realized the NSA was the enemy after Snowden documents showed the agency had been tapping the links between its data centers overseas, where it did not need court approval. Google moved to encrypt far more deeply, even if it maintained the ability to recover all users’ emails. The two companies also fought against proposed government-mandated back doors and bans on end-to-end encryption, which by 2018 were popping up around the globe.

There was still fighting to be done inside the big companies. But leading lights in the encryption fight were also spending more time helping the start-ups. Others were beginning to think more about the meaning of free speech when the immediate problem in many countries was not the inability to speak but the propensity to get drowned out by manufactured voices directed by governments and big economic forces. Laird and the others in cDc were appalled at the likes of Gamma Group and sorry to have played any role in Muench’s rise. But while they may have cheered Phineas on, they were not interested in breaking the laws themselves. As the hacktivist battlegrounds evolved toward hacking, leaking, and information warfare, they had to find other ways to help.

After Laird returned from India to Germany, he went back to work for the former CEO of Ciphire, the now-failed encrypted email provider that had also employed Kemal and Muench. The ex-CEO, Errikos Pitsos, had an idea for a platform for serious debate he called Kialo. The software guided discussion by showing decision trees that listed which followers had agreed with which points. Moderators rejected unhelpful comments. Pitsos funded the project himself, aiming to create a “collaborative reasoning tool,” and Harvard and other universities tried out private versions for classrooms. It wasn’t going to get rid of the bots and trolls on Twitter, but at least it was positive. On the side, Laird began writing a book on information warfare.

Some sympathetic to US cyberoperations, including Mudge, also saw a clear ethical case for authorized offensive work. They decided that hacking in order to spy, to prepare the battlefield in case of further conflict, and to conduct highly targeted destructive attacks, as with Stuxnet, was vastly preferable to sending in bombs and troops. Others in cDc, looking at the mixed motives as geopolitical priorities ascended, opted to go back to basics on defense. By making the internet safer for everyone, they could chip away at the unfair advantage the net had been giving to attackers since the beginning.