Hacker, Hoaxer, Whistleblower, Spy: The Many Faces of Anonymous

CHAPTER 8 LulzSec

LulzSec—a crew of renegade Anonymous hackers who broke away from Anonymous and doubled as traveling minstrels—appeared a few months after the infamous HBGary Federal hack. Crewed by the same individuals who had vindictively hacked Aaron Barr, LulzSec’s startling fifty-day catalytic run began in early May 2011 and abruptly ended on June 25, soon after one of their own, Sabu, was apprehended and flipped in less than twenty-four hours by the FBI. Among their targets were Sony Music Entertainment Japan, Sony Picture Entertainment, Sony BMG (Netherlands and Belgium), PBS, the Arizona Department of Public Safety, the US Senate, the UK Serious Organised Crime Agency, Bethesda Softworks, AOL, and AT&T. Despite the avalanche of activity—and numerous intrusions—LulzSec, when compared to Anonymous, was more manageable and contained, at least from an organizational perspective. Its members hacked with impunity, finally making good on the 2007 Fox News claim that Anonymous was comprised of “hackers on steroids.”

LulzSec members played their role knowing full well they were performing for a diverse audience. Even the haughtiest of security hackers who had earlier snubbed Anonymous cheered on LulzSec. Some old-school black hats lived vicariously through LulzSec, in awe of its swagger, its fuck-you-anything-goes attitude, and its bottomless appetite for exposing the pathetic state of Internet security. Journalists could not get enough of their antics, nor could they really keep up. With so many intrusions, exfiltrations, and data dumps, LulzSec blew out the usual three-day news cycle. For much of its reign, LulzSec taunted journalists with the lure of information and then gave them the silent treatment—with one notable exception: Parmy Olson of forbes.com. These hackers (almost) exclusively fed her info about their dealings and, to retain her privileges, she was discreet about the arrangement.¹

Although they gave Parmy Olson enough information to write her stories, LulzSec’s main gateways to the world were their website, their Twitter account, and the website pastebin.com, where all their dumps were mirrored and their proclamations released. Pastebin is typically used by programmers to post small snippets of text, source code, or configuration information. It generates a unique URL that can then be pasted elsewhere, like IRC, for others to view. Instead of pasting multi-line text into IRC channels—something that will get you kicked out of a channel for “flooding”—you can simply provide the link. Typically, these generated links are unmemorable random characters and expire after some time. Pastebin is only one among a multitude of such sites, so why LulzSec chose this medium is a bit of a mystery. Regardless, it freed LulzSec from the need to host infrastructure for their missives. Their Twitter account amassed followers in bulk, sometimes twenty thousand per week. Penned by their resident trickster, Topiary crafted delightful updates, often maintaining a maritime character.

The LulzSec team was sailing the high seas—venturing deep into international waters with a pirate flag hoisted high, putting on a show for others to watch. During an interview I conducted with David Mirza, a retired black hat, he observed:

LulzSec hit the Internet with a much more potent—and instantly recognizable as authentic—black hat attitude than the fabric of Anonymous they jumped out of. They got it right with the swagger and style. They were owning things up, pulling dox, dispensing justice. Nobody could catch them and they knew it. Their campaign became a great saga that made some of those who’d lived that adventure before feel like teenagers again.

With one tweet, the hacker zine and organization 2600 captured the general sentiment felt by the community at large: “Hacked websites, corporate infiltration/scandal, IRC wars, new hacker groups making global headlines—the 1990s are back!”²

No respectable pirates can sail without a vessel, and LulzSec’s crew helmed a boat christened “Louise.” The name was provided by a reporter’s misreading—and resultant mispronouncing—of LulzSec. And since the quarters were infinitely spacious, they decided to bring along a mascot. The classic pirate parrot was swapped for a colorful feline beast: an affable gray cat named Nyan Cat who has been known, among heavy Internet users, to brighten up even the drabbest gray sky by effusing, eternally, a stream of rainbows straight out of its ass. This playful absurdity was tempered by LulzSec’s virtual spokesman and logotype: a stick man sporting a well-oiled, French-style, villainous mustache, replete with monocle, top hat, and three-piece suit—and sipping, naturally, a glass of fine wine. This refined gent first appeared in a Spanish-language rage comic (a popular meme-comic among Internet geeks), before being adopted by LulzSec in March 2011. Fans referred to the unnamed character as being “like a sir”; eventually, he was known simply as the “sir.” All of this added up to provide LulzSec with a chimeric mixture of depth, mystique, and memetic mythology previously unseen in Anonymous hacker groups. One Anon, who had also been active in the black hat scene, put it this way in an interview with me: “LulzSec seemed to have a sort of fully formed mythos straight out of the gate while other hacker groups like Cult of the Dead Cow took decades to achieve that.”

Returning to reality for a moment—later we will explore questions of fantasy—we should note that these hackers congregated on their own private IRC channel, where they were shielded from the drama engulfing AnonOps at the time. Unbound by the categorical imperative of moralfaggotry, they could also hack whomever they pleased—for whatever whimsical reason took their fancy.

It may be surprising to hear that LulzSec sprang, fully formed, from a single, unremarkable IRC conversation. It is less surprising when one learns that these hackers were a bit bored with Anonymous and—some of them, at least—had grown tired of working on other people’s ops. Idle tricksters will do anything necessary to end boredom. It also helped that they had a cache of data stolen from Fox News just waiting to be unloaded, and that AnonOps was, at that point, in increasing disarray.

Hell Hath No Fury Like Scorned Gamers

For most of March and April of 2011, AnonOps had not slowed down from where we last left them, but the network was plagued by a mounting litany of problems. Small fires started to break out, and the wear and tear of putting them out began to drag the group down.

Even if Anonymous’s crucifixion of Aaron Barr had turned him into the 2011 laughing stock of the Internet, his mission to seek out and reveal the legal identities of Anons did not die with him. Backtrace Security (its name is a humorous reference to an infamous 2010 Anonymous trollscapade against a preteen, Jessi Slaughter, whose father claimed to have “backtracked” Anonymous) made this end its singular purpose and pick up where Barr left off. The organization’s most vocal member, Jennifer Emick, had once been an Anonymous warrior herself during Project Chanology’s fight against Scientology, but grew critical of the more questionable tactics subsequently used by AnonOps (the very ones LulzSec would later seize upon as its primary toolkit). A self-proclaimed fan of law and order, she declared that “One cannot fight for justice and democracy by using unjust, anti-democratic tactics.”³ A good point, but one which failed to account for the questionable ethics of her own brand of vigilantism: in mid-March 2011, Backtrace released a chart with the “identities” of seventy Anonymous participants and affiliates. As was the case in Barr’s attempt, many of the names were either wrong or already public, all except one. You have to give it to Backtrace. It was the one name that mattered the most at that moment: Hector Xavier Monsegur, the notorious hacker Sabu. (The Backtrace document had a slightly misspelled version of Sabu’s last name: Montsegur.)

Backtrace did not dox Sabu through a feat of shrewd reconnaissance. They simply got lucky when one Anonymous participant, who went by the name “Laurelai” and had spent time on the more secretive channels, foolishly handed Emick her chat logs. The slab of text—over two hundred pages of logs—included a single clue leading straight to the Nuyorican living in Manhattan’s Lower East Side. While chatting with his compatriots, Sabu had accidentally typed out or pasted a web address which included the domain of his personal server: prvt.org. Once Backtrace plugged this web address into Google, they discovered one of his sub-domains, which included other personal data, which, inevitably, funneled down to his Facebook page.

The Backtrace document, named “Namshub” (Sumerian for “incantation”) was dissected to pieces by Anonymous, but most people, of course, could only realistically assess the veracity of their own outing. Sabu—and perhaps a few of his closest hacking associates from days long past—knew he had been exposed. By doxing him, Backtrace acted as the force of Eshu, the trickster of crossroads, plopping the powerful figure down at the crossroads. Sabu/Monsegur had a big decision to make. Upon seeing his name, he could have wiped everything from his computer, gone dark, and returned years later as a hacker hero. It is true that he could not have vanished right away. Doing so would have made “it obvious that he got doxed,” as tflow reminded me. But he could have left a month later after accusations had died down. He was already larger than life, and in his absence his prominence would only have grown. In the words of one Anon, he was “legend.” Had Monsegur opted to vanish for a period and reemerge after the statute of limitations expired, he could have returned to his beloved isla del encanto (Puerto Rico), safe to entertain his friends and family with tales of his exploits. Calling it quits would have been the smart thing to do, but Sabu was not short on hubris.

Instead, he sought out Emick and bombarded her with false information to seed confusion; one of his hacker mates explained that “when Backtrace released their dox table he tried to trick them into thinking he was a double agent working for an ISP trying to infilitrate Anon, but they didn’t buy it.”

Although Sabu was well known among his peers, he generally kept a low public profile, until being doxed by Backtrace. Soon after he tweeted for the first time:

hai! I go by the name of Sabu these days. I made this account to clear some things up, especially after the leaks by #backtraceinsecurity.

He continued to saunter down Trickster Lane, even more public than before, convinced he was untouchable, until he was ultimately outed as an informant a year later. (Then upon his release from prison, Sabu would be reborn as the scourge of Anonymous. The day of his outing, a formerly close hacker compatriot declared with no reservations on IRC: “its better 500y of prison than look yourself on the mirror and know u suck.”)

I asked a few of the hackers how they responded to doxing attempts like Namshub. One of the few core LulzSec hackers who was never identified or nabbed provided a four-part rationale, which aligned with sentiments I had seen expressed by others:

<Avunit>: A) You trust others [to] protect themselves enough so it doesn’t matter

<Avunit>: B) Everything is going well and you want to stick together because it works

<Avunit>: C) You don’t care about the names

<Avunit>: D) It could still be the wrong name, right?

On April 1, 2012, shortly after Backtrace’s viperous Namshub doxing, AnonOps rolled out Operation Sony. “Prepare for the biggest attack you have ever witnessed, Anonymous style,” declared one video.⁴ They began overwhelming Sony’s PlayStation Network with a wallop of a DDoS campaign, disrupting the service and the gamers who used it. To understand why AnonOps launched this attack, we need to backpedal to January 2011, when Sony sued a boisterous and precocious American hacker named George Hotz, better known by his handle, “geohot.” His hacking specialty is what is called “jail-breaking”—freeing consumer devices like iPhones and gaming consoles from their proprietor’s grip so they can be modified as an owner desires. Usually, this involves some clever analysis of the device, the writing of software that disables copy and access controls, and the release of documentation for the whole process so others can follow suit. This type of hacking converts single-purposed devices back to the preferable state of a general-purpose computer. Although a single-purpose device is useful for people who do not want to deal with complexity, many technologists see this confinement as an arbitrary abridgment of their fundamental right to use their property as they choose. They also see jailbreaking as an appealing challenge, as if the company created a special puzzle for them to solve.

Hotz first earned the accolades of hackers and some digital rights advocates in 2007 as the first hacker, at the age of seventeen, to carrier unlock the iPhone. Then, in late 2009, he put Sony’s popular PlayStation 3 (PS3) on his technical agenda. Hotz and an anonymous team called “fail0verflow” (unassociated with Anonymous) managed to break the lock in just five weeks. On January 26, 2011, he spread the love by posting jailbreaking instructions for the PS3 on his website, bringing waves of attention to himself. Jailbreaking the PS3 allows the owner of the game console to do a number of things one could not do on a normal PS3: play pirated games, perform backups, play games directly from the hard drive (vastly speeding up the loading time), play videos, install GNU/Linux, and, perhaps most importantly, create, innovate, and learn in a multitude of ways. When interviewed about this feat by the BBC, Hotz rephrased a classic hacker motto into his own words: “[PS3] is supposed to be unhackable, but nothing is unhackable.”

Of course, corporations have mottos of their own—one of which might be formulated as: “You hack, we sue.” Soon after Hotz released the jailbreaking instructions, Sony sued him for copyright infringement and violation of the Computer Fraud and Abuse Act. Known for speaking his mind, Hotz did not take the news sitting down; he spoke up very loudly. Well, technically he was sitting—and he didn’t speak, he rapped (and since its release on YouTube, his response has been viewed over two million times). Sitting in a chair in a well-worn blue sweatshirt in his nondescript bedroom, he began: “Yo, it’s geohot, and for those that don’t know, I’m getting sued by Sony.” He thrashes his body in synch with the beat, his boyish brown curls bobbing as he describes Sony as “fudge packers” and ends with: “But shit man / they’re a corporation / and I’m a personification / of freedom for all.”⁵

Sony’s civil suit not only named Hotz and several other hackers, but also one hundred “John Does”—some of whom, they suspected, to be members of Hotz’s anonymous hacker team. Sony even targeted those who merely viewed Hotz’s jailbreaking instructions. A legal notice to his web provider demanded the IP addresses of visitors to Hotz’s website between 2009 and 2011. YouTube was asked to release information on those who had viewed Hotz’s jailbreak video or posted comments about it. Many Internet geeks were appalled at Sony’s lawsuit; this sentiment was captured well by the science fiction writer and Internet advocate Cory Doctorow, who opined that it was “absurd and unjust for a gargantuan multinational to use its vast legal resources to crush a lone hacker whose ‘crime’ is to figure out how to do (legal) stuff with his own property.”⁶

Anonymous was thrown into a tizzy. The fact that Hotz never sought aid (actually, he wanted nothing to do with Anonymous) is irrelevant. Anonymous’s first announcement read:

Dear Greedy Motherfuckers SONY,

Congratulations! You are now receiving the attention of Anonymous. Your recent legal actions against fellow internet citizens, GeoHot and Graf_Chokolo, have been deemed an unforgivable offense against free speech and internet freedom, primary sources of free lulz (and you know how we feel about lulz). You have abused the judicial system in an attempt to censor information about how your products work. You have victimized your own customers merely for possessing and sharing information, and continue to target those who seek this information. In doing so you have violated the privacy of thousands of innocent people who only sought the free distribution of information. Your suppression of this information is motivated by corporate greed and the desire for complete control over the actions of individuals who purchase and use your products, at least when those actions threaten to undermine the corrupt stranglehold you seek to maintain over copywrong, oops, “copyright.”⁷

Very quickly, the operation went south. DDoSing Sony’s PlayStation Network (PSN) did not earn Anonymous any new friends, only the ire of gamers who foamed with vitriol at being deprived of their source of distraction. Amidst the DDoSing, a splinter group calling itself “SonyRecon” formed to dox Sony executives. This move proved controversial among Anonymous activists and their broader support network.

Spurred by the operation’s immediate unpopularity, Anonymous released the following statement: “We realized that targeting the PSN is not a good idea. We have therefore temporarily suspended our action until a method is found that will not severely impact Sony’s customers.” They hoped that this would put out the fire.

Throughout the month of April, however, PSN continued to experience downtime. Since Anonymous had originally called the operation, many naturally assumed that the masked horde of activists was responsible for the ongoing problems. But while there were a few scattered claims of responsibility, Anonymous eventually and unambiguously insisted, “For once we did not do it.”

With no official word from Sony, rumor and innuendo continued to swirl. After weeks of silence, on April 26, Sony finally released an official statement: “We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network.”⁸ Millions of credit card numbers were compromised, prompting Sony to encourage its customers to change their passwords and stay alert for signs of fraud. And things only got worse with the announcement that PSN would remain inaccessible. Colin Milburn, an academic and avid gamer, wrote a riveting account of the infamous PSN hack from the perspective of scorned gamers like himself; in the essay he noted, “At this point, the emotional tide turned to outrage—much of it directed at Sony for its lax security measures, much more directed at the hackers who had perpetrated the intrusion.”⁹ Ultimately, the downtime lasted an excruciating twenty-three days.¹⁰

By the end of May, Sony claimed that this hack had put them $171 million in the red.¹¹ Though Sony never provided data about the financial losses, these events constituted a fiasco, costing Sony money, time, and reputation. Sony executives, eventually called to testify to the US Congress, were reprimanded for their organization’s reprehensible security practices and the delays in customer notification. In the UK, Sony was fined nearly £250,000 by the Information Commissioner’s Office, which pointed a clear finger of responsibility at the corporation itself:

If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority. In this case that just didn’t happen, and when the database was targeted—albeit in a determined criminal attack—the security measures in place were simply not good enough.¹²

In the midst of the turmoil, Sony executives attempted to deflect blame onto Anonymous, claiming to have found a file left on the group’s server identifying it as the responsible party. But no Anonymous or LulzSec hacker has ever admitted or been charged for this crime (and five of them, along with two associates, have been found guilty of scores of hacking crimes that involved their hard drives being trucked away for forensic analysis). The PSN hack, a mystery in 2011, is still unsolved today.

“Laundering money, funneling bitcoins, PPI
scaming, botnets, database dumping”

The drama that surrounded OpSony’s fouling of the PlayStation Network provided the immediate context for LulzSec’s germination. In mid-April, a few of the hackers on #internetfeds managed to weasel their way into fox.com and steal a sales database. Alongside personal information on Fox employees and journalists, it included over seventy thousand email addresses and passwords for people who had signed up to receive updates about auditions for Fox’s forthcoming TV talent show, The X Factor. The data also enabled Anons to commandeer a few Fox News Twitter accounts. Since Fox had not done anything egregious recently—aside from continuing to exist—these hackers felt they were in a bind. Dropping dox and corporate data under the aegis of Anonymous would likely draw invective from the rank and file of the collective, which prompted the Anons who had procured the database to think about alternatives. The youngest of the bunch, tflow, was ready with a suggestion, loosely inspired by weev’s trolling/ security outfit Goatse Security, which had released data shaming AT&T:

<tflow>: We should make a competitor to Goatse Security

<tflow>: that hax for the lulz

<tflow>: Lulz4u Security

<pwnsauce>: LOL yes

<pwnsauce>: tflow have you log from last night??

<tflow>: which one?

<pwnsauce>: We needs get shell back

<pwnsauce>: uhm

<tflow>: ask X

<pwnsauce>: i think hes using his phone on this

To introduce the name “LulzSec,” tflow whipped out a timeless Internet classic—ASCII art:

Images

<tflow>: “We did it for the lulz” ~LulzSec

<pwnsauce>: NAICE

<pwnsauce>: make deface page?

<pwnsauce>: BTW, I was thinking today

<Palladium>: haha

<tflow>: LulzSec, lulz division of the InternetFeds

<Palladium>: i’m more for polictically orintated hacks

<tflow>: yeah

<tflow>: but

<tflow>: what can we do with fox.com?

<tflow>: except for deface it for the lulz?

<tflow>: there’s nothing political about it

<tflow>: it’s not like when we defaced pm.gov.tn

<pwnsauce>: lol

For some reason, tflow’s proposal did not immediately catch on. I asked him why and he could not recall. Perhaps there were not enough people online to form a consensus, or perhaps those logged into IRC were distracted with other tasks. There are times when IRC conversations are hard to explain, even in the moment, and it is best not to impute too much linear reasoning to them after the fact. So I’m not even going to try, at least with this one. What we do know is that tflow temporarily quit Anonymous following a fight with a temperamental operator who was about to turn on the AnonOps network. And tflow wasn’t the only one. Others also took short leaves of absence, only to return on May 4:

<Sabu>: tflow’s fine ass is back

<Falcon>: good times

<tflow>: what’s new?

<Falcon>: quite a bit tflow, good to see you back

<pwnsauce>: YAY

<Falcon>: this is Topiary by the way

<Sabu>: ;p

<Sabu>: good news is tflow is back

Reunited and it felt so good—but wouldn’t it feel even better if they had a reason to dump the Fox data? By now the Sony debacle made it doubly clear that random hacks could incur the ire of Anonymous at large, so there was even more pressure not to release the data under the collective name. They contemplated releasing it to 4chan, to “leak it under lowercase-anonymous,” as tflow phrased it. Sabu raised the idea of handing the info to Forbes reporter Parmy Olson, hoping that “maybe it will push her to write her book.” As we writers know, there is nothing like a huge corporate data dump of passwords and emails to put you in the right frame of mind for a bout of writing. (Had they only given me the dump, this book would have come out at least a year earlier.) But none of these ideas were really taking hold. Eventually Topiary, who for the last month had kept quiet on AnonOps but was on the secret channels, logged into IRC under the name Falcon. While Sabu suggested leaking it to Olson, Topiary suggested leaking it via the LulzLeaks Twitter account:

<Falcon>: wait, let’s leak it under @LulzLeaks

<Falcon>: our twitter

tflow once again raised the name LulzSec, this time a little more forcefully since it hadn’t caught on before:

<tflow>: we should establish a pseudo-lulzsec brand imo

<tflow>: like

<Sabu>: also someone contact parmy

<tflow>: Lulz4u Security

<Sabu>: tell her we got a new leak for her

<Sabu>: exclusive

<tflow>: Goatse Security

<pwnsauce>: YES

<pwnsauce>: tflow—I like

<Falcon>: Parmy’s sleeping

<Sabu>: wake her ass up

<Sabu>: hahaha

<Sabu>: think of a cool name guys

<Sabu>: quick

<tflow>: Lulz4u Security?

Sabu was impatient:

<Sabu>: well

<Sabu>: why dont we just do this under the anonleaks banner

<Sabu>: ?

<tflow>: because

[…]

<pwnsauce>: I like LulzLeaks and Lulz4u Security

Others objected, again, making a distinction between ethical and unethical leaking:

<tflow>: anonleaks is for ethical leaks

<lol>: :D

<tflow>: :P

<Falcon>: http://twitter.com/#!/LulzLeaks

<lol>: nah :D

<lol>: does it matter?

<Falcon>: LulzLeaks!

<lol>: no hacking and dumping data is ethical xD

<pwnsauce>: we have the LulzLeaks twatter xD

<Falcon>: here’s what we should do:

<Falcon>:—upload DB

<Falcon>:—dump on LulzLeaks

<Falcon>:—retweet from official Fox News twitters

After proposing a few other possible names, like “Ninjasec,” they ultimately settled on LulzSec. With a name in place, they began discussing the release and artwork:

<Sabu>: Lulz Security / lulzsec

<Falcon>: kind of want to put Batman fucking up a shark as the picture

<Falcon>: but I already burned that one

<Sabu>: lol

<Sabu>: well lets hold onto those for a week or so

<Sabu>: let the x factor leak get attention

<Sabu>: then we’ll abuse fox managers/sales

<Sabu>: then we’ll embarrass fbi with infragard

<Falcon>: someone get @lulzsec everywhere

<Falcon>: news, /b/, somewhere where it will spread

<Falcon>: AnonOps

When something is new and shiny, it makes sense to trot out an introduction:

<tflow>: write a statement?

<Falcon>: Not sure what we’d write… hmm.

<Falcon>: I guess we could introduce ourselves.

<Falcon>: As LulzSec.

In three minutes, Topiary whipped one out. Then he celebrated with … cookies:

<Falcon>: Hello, good day, and how are you? Splendid! We’re LulzSec, a small team of lulzy individuals who feel the drabness of the cyber community is a burden on what matters: fun. Considering fun is now restricted to Friday, where we look forward to the weekend, weekend, we have now taken it upon ourselves to spread fun, fun, fun, throughout the entire calender year. As an introduction, please find…

<Falcon>: …below the X-Factor 2011 contestants’ contact information. Expect more to come, and if you’re like us and like seeing other people get mad, check out our twitter! twitter.com/LulsSectwitter.com/LulsSectwitter.com/LulsSectwitter.com/LulsSec

<tflow>: perfect

<Falcon>: though that’s @LulzSec

<Falcon>: shit son I wrote that off the top of my head in 2 minutes, BRB getting a cookie

Topiary and Sabu offered prescient predictions:

<Sabu>: oh man lol

<Sabu>: this is going to be fun

<Falcon>: LulzSec at its finest

<Falcon>: laundering money, funneling bitcoins, PPI scaming, botnets, database dumping

<Falcon>: the lulz they do go on

All the hype, however, was for naught. The first dump yielded little in the way of media response. LulzSec was still totally unknown; it was Friday after all, a terrible day to release something to the media. And so the hackers, secure in their newfound identity as LulzSec, could turn to the juicy gossip about an AnonOps operator named Ryan Cleary, who had recently gone rogue.

Cleary, who commanded a large botnet, was one of the most unpopular and powerful operators on the AnonOps IRC network. On numerous occasions, I heard complaints about his erratic behavior, like randomly banning participants on the private and public channels. Soon after LulzSec formed, news broke that Cleary had DDoSed the AnonOps network that he once helped administer. He also dropped over six hundred names and IP addresses of IRC network users. (AnonOps had a policy of not retaining IP addresses after someone disconnected, but during the connection, AnonOps had access to the users’ IP addresses of all those not cloaked by a VPN.) Why did he do this? After one too many fights with other operators, he had decided to take his revenge. At the same time, according to one of his Anonymous hacker associates, he wanted to impress an underground hacker group called Hack the Planet, better known as simply HTP. From 2011 to 2013, according to a hacker who followed the group, HTP were quite active and in possession of “a large, and impressive, list of stuff.” The group has since gone into retirement but HTP had little love for Anonymous, a sentiment made clear in the final sentence of their final zine: “Here’s to two years of HTP, everyone. Remember; relax, have fun, be the best, and DDoS Anonymous on sight.”¹³

What better way to impress a respected underground hacker group that loathes Anonymous than by sacrificing Anons, some of them your friends? (Later Cleary recanted and was, according to tflow, “jealous of LulzSec and desperately tried to get in, which is why he offered us his botnet.”) Petty hacker wars have long been a great asset to law enforcement investigations. Unsurprisingly, after Cleary’s dick move, someone loosely affiliated with Anonymous doxed him right back. Nobody knew for certain if the revealed name was correct, but, as with Sabu, time would prove that it was. LulzSec, referenced explicitly in HTP’s newsletter, reflected upon the recent events:

<Sabu>: but we need to own ryan

<Sabu>: he violated anonymous very seriously with this

<Falcon>: or something

<lol>: well we got his dox [n]ow

<Falcon>: his voice annoys me

The remaining AnonOps operators, livid at what Cleary had done, released an apologetic statement to the broader Anonymous community and encouraged people to stay the hell away for a while as they went to work assembling a more secure system. This cooldown set the perfect stage for LulzSec to walk into the restless media spotlight.

LulzSec Proper

LulzSec set sail with a cargo hold full from the Fox data dump, a newly minted Twitter account, and bounteous, absurd Internet meme art and statements, as exemplified by the justification given when they ultimately released the Fox data: “You know who we defend? Common. Fox called him a ‘vile rapper’; we call Fox common scum. You think we’re done? The fun has only just begun.”¹⁴ The team was already well accustomed to each crewmember’s distinctive rhythms and quirks. They had become so close, in fact, that everyone knew, roughly, where everyone else was logging in from (though real names were never shared). Most were headquartered in or around the UK, except Sabu. Some had even foolishly spoken over Skype, which is how Topiary had determined that Cleary’s voice was “annoying.”

OpSec, short for operational security, is the art of protecting your group’s human and digital interactions. One of the foundations of good OpSec is an awareness of the security level of one’s computer and network. Depending on proprietary software packages—opaque in both source code and business practices—can compromise that knowledge. The use of free software, such as GNU/Linux, and the avoidance of tools like Skype (commonly understood to have government backdoors) are necessary measures in the never-ending journey of vigilant OpSec. Keeping personal information private is also a central pillar of OpSec. If you volunteer this information, it doesn’t matter how secure your software and hardware might be. All of these considerations, and more, need to be managed before any hacker rampage—anything less is simply asking to be caught. Which is to say (with a few exceptions), OpSec was not one of LulzSec’s strongest points. In fact, following the eventual spate of LulzSec arrests, their practices would become a model, for other hackers and activists, of just what not to do.

But these worries were far on the horizon, and the sea appeared vast—even infinite. Over the next month and a half, LulzSec’s accomplishments would prove riveting. One might assume that I am referring to its technical inventiveness. In fact, with a few clever exceptions, LulzSec hacks were most notable for their audacity and style, and not for their rocket science.

LulzSec’s true importance came in its ability to force a much deeper recognition and debate about a range issues from the pathetic state of Internet security to the insatiable appetites of media sensationalism.

“Why we secretly love LulzSec” (Not So Secretly, Actually)

Not all hackers held warm and fuzzy feelings for Anonymous. Its interventions were often too technically unsophisticated to garner craft respect. Some hackers felt that its tactics damaged the larger cause of Internet freedom, while others viewed its antics as puerile. And for some hackers the general style of disruptive activism, however interesting, was simply not their cup of tea. But with LulzSec it was a different story. A surprising number of hackers, especially security hackers, adored the new group, or at least held an ambivalent respect. To understand why, allow me to offer a portrait of this subset of hacker by recounting my own introduction to the type.

Before the rise of LulzSec, I became acquainted with the InfoSec community in New York City, largely through force majeure. Apparently I had offended some security hackers by anointing, in writing, open-source developers—programmers who release their source code with permissive licenses—as hackers. In the wake of such a debasing “mistake,” security researchers, who also call themselves hackers, reached out to me in various ways—from constructive suggestions and discussion invitations, to creepy jeers and intimidating threats. They wanted to educate me about what “real” hackers were: themselves. You think a DIY, remote-controlled toaster running on a twenty-five dollar, open-source computer called Raspberry Pi constitutes hacking? Nope, sorry. Or how about programming LED blinky throwies, which you plan on distributing at a rave? Nope again. These may be cool and useful gadgets that require technical proficiency—and they certainly might be blinky—but they are not HACKING. Hacking, they would tell me, is digital trespass: breaking into a system, owning it hard, doing what you want with it. I had recently published my book on free software “hackers,” Coding Freedom: The Ethics and Aesthetics of Hacking, and it seemed that these InfoSec word warriors thought I had a narrow understanding of the term, one that omitted their world. But, my understanding of the term is much more nuanced than they realized. My definition includes free software programmers, people who make things, and also people who compromise systems—but that doesn’t mean they have to all be talked about at the same time. My first book was narrowly focused.

Interestingly, while each microcommunity claims the moniker “hacker,” some always refute the attempts of other microcommunities to claim the term. So when InfoSec people started yelling at me that free software “hackers” weren’t “hackers,” I wasn’t surprised. I actually appreciated the productive discussions—much more than the veiled threats.

Sometime in 2010 an email arrived in my inbox from a respected hacker encouraging me to attend NYSEC, the informal New York City gathering of security professionals and hackers held monthly at a bar. Or as their Twitter bio describes it, “A drinking meet-up with an information security problem.” I figured why not. This was the cordial way of telling me: get real, start hanging out with real hackers. Others were less amicable. One of these “hackers” contacted me by email to generously offer me his entire collection of the hacker zine 2600 for my research. I was excited to add the zines to my personal library, and we met at a tiny New York City cafe. Upon broaching the subject of my book, he became agitated, huffing that “configuring Linux is not hacking.” This gentleman, who was probably almost forty-five years old, was so upset that he abruptly got up and left. Gentle, compared to the time when a hacker found me online and warned me that he had just witnessed a slew of hackers scheming over IRC to hack into my computer—to teach me a lesson about what real hackers do. Nothing like a show-and-tell hack to make a point. Freaked out, I locked down my systems enough to secure myself and I suspect that the acquaintance who warned me might have convinced the zealous hackers to cool their loins.

Of course, not every security hacker is diametrically opposed to extending the label to free/open-source software developers. Many hackers who deal in matters of security use and write open-source software themselves. One such hacker based in Montreal, David Mirza, has spent countless hours teaching me about the complicated aesthetics and politics of the hacker underground. Formerly in the black hat scene, he now runs an InfoSec company and is an unflagging proponent of open-source software.

But there are differences, important ones. Many of these hackers who work as contractors or on security for governments or corporations constantly face Herculean challenges when securing software applications, operating systems, servers, and networked systems. To truly secure a system means, at a minimum, to occupy the mindset of every possible infiltrator. Often this means engaging in intrusion oneself. This is why many of the best security hackers are former black hats who still might, on occasion, dabble in activity residing in legal gray zones. InfoSec hackers tend to be a touch paranoid, and it is no wonder why. You would be too if you spent most of your waking hours refining your own intrusion capabilities while simultaneously fending off credit card scammers, Russian Business Network associates, Bulgarian virus writers, Chinese state hackers, and the hundreds of other bad actors who actively seek to access valuable systems. Hackers whose ensure security bear the burden of paranoia so the rest of us can sleep a little better at night. (But don’t rest too soundly; their advice is often not heeded.)

Anyone who has hung out with hackers knows that when it comes to technology, all types of hackers are unabashed snobs. This stance is not unique to security hackers vs. free software evangelists, nor is it unique to hackers more generally. Vocational arrogance is common to craftspeople—doctors, professors, academics, journalists, and furniture makers. It is simple: the fine art of haughtiness pushes one to do better. However (and for reasons that still mostly elude me), when compared to other activities that might also be considered “hacking,” security specialists take elitism to incomparable heights. Praise does not flow easy from the lips of these InfoSec men and woman.

Combining this simplified picture with a recognition of InfoSec’s historical derision of Anonymous allows us to more fully appreciate why the security community’s adoration of LulzSec is all the more remarkable. The following 2011 Halloween photo might best sum it up:¹⁵

images

Dressed as LulzSec, these New York City–based hackers were not only living large and having a grand time—they were also giving mad props to the rebel, misfit hackers. While all the characteristics of the LulzSec mythology are represented, there is one additional element that may not be so obvious: the lack of pants. Many considered LulzSec to be pointing, in badass Internet style, to the fact that the Emperor Has No Clothes. Since forever, security professionals have been yelling from the top of a lonely, wind-swept, barren mountaintop about the dire need for organizations to invest more resources, energy, time, and personnel toward better security. LulzSec, it seemed, had finally found a way to get people to listen.

One may wonder why security is so weak in a sector so large and profitable. After all, cyber (fear) sells.¹⁶ Not only does the industry regularly sell software scams (such as out-of-the-box software solutions that cannot be configured to address the risk profiles unique to an institution), or products intended to replace a dedicated security team that can do more harm than good, but the initial desire for security itself remains a low priority for many firms, even well-funded ones. A New York City–based security hacker explained: “One of the challenges in security is how to get people to take it seriously because at the executive level it just looks like an expense.” The fact that Sony—a multinational corporation—could get pillaged with such impunity in 2011 is an indicator of the depth and nature of the problems. Cases like these make hackers who create secure systems completely furious.

LulzSec, more than any other person, report, or group in recent memory, managed to convey a message that many security professionals had been unsuccessfully pitching for over two decades. The effects were similar to the antagonistic antics of L0pht Heavy Industries, a loose association of hackers who regularly met in person. In 1998, during a group conversation, a couple of them coined the term “gray hat” to describe hackers who are ambiguously—and deliberately—situated between the black and white labels that had come to distinguish malicious hackers from more benevolent ones. “Gray hat” hackers are not above acting illegally, but typically they do so only to identify, and publicize, vulnerabilities. LOpht became so successful that in May 1998, seven of its members were invited to testify (in semi-theatrical fashion) to the Committee on Governmental Affairs chaired by Republican Senator Fred Thompson. With his refined, somber, and heavy Tennessee accent, Senator Thompson introduced the “hacker think tank” and explained that “due to the sensitivity of the work done at the L0pht, they will be using their hacker handles: Mudge, Weld, Brian Oblivion, Kingpin, Space Rogue, Tan, and Stefan.”¹⁷ Muffled laughter rippled through the chambers, likely because hacker handles were superfluous: C-SPAN recorded the testimony and the hackers were unmasked. Their remarks addressed numerous topics, but the claim that they could take down the entire Internet in thirty minutes jumped out from the rest. This was meant not as a threat. It was a plea to improve the abysmal state of Internet security in 1998.

L0pht’s testimony to Congress was deferential; many of the participants wore suits, and an effort was made to present broadly intelligible explanations. LulzSec was not invited to visit Congress—nor could they take down the Internet—but in the course of their errant questing they managed to deliver a similar message. They made people pay attention to the sordid state of Internet security—not by offering a carefully constructed testimonial, but in the mere course of their travels in search of adventure (which happened to include over a dozen high-profile hacks along the way). They did so in the face of US laws, like the CFAA, that were designed to punish any hacker who got caught, regardless of motivation. LulzSec’s gutsy hacks against corporate giants and government agencies, now the stuff of legend, were quite effective—maybe even necessary—to get people to wake up.

Many security experts I interviewed directly cited LulzSec’s role in making high-level executives heed their messages, at least for a short while (2013 saw a string of massive data breaches: Adobe, Target, Neiman Marcus, LivingSocial, the Washington State Administrative Office of the Courts, Evernote, Drupal.org, the US Federal Reserve, OKCupid … the list goes on).¹⁸ A 2011 blog post by security researcher and journalist Patrick Gray entitled “Why We Secretly Love LulzSec” was widely read among security professionals and captured their prevailing mood. He explained to me the impact of his piece: “It picked up more buzz than anything I’d ever written, including pieces for ZDNet/CNet, The Sydney Morning Herald, The Age, Wired … I’ve written plenty of news stories that went big globally, but this was something entirely different.” In the piece, Gray wrote:

It might be surprising to external observers, but security professionals are also secretly getting a kick out of watching these guys go nuts … The mainstrem media are having fun criticizing Sony for its poor security, but do we honestly think for a second that the XBox Live network can’t be similarly pwnt? (I know the PSN breach hasn’t been pinned on LulzSec, but the point stands.) Is there any target out there that can’t be “gotten”?¹⁹

Even if the innumerable security problems plaguing the Internet could not be magically fixed, it was still satisfying to call out the “elephant in the room,” as Gray tagged it.

LulzSec’s spectacle also revealed the hypocritical charade of many firms, as they performed strange acrobatics to shift blame. A New York City–based security researcher who prefers to remain anonymous explained:

One thing I think is interesting is that these people [corporations] are getting owned every day, but their info isn’t getting splattered all over the Internet. It’s usually getting owned by people doing it for profit. The irony is that when people are stealing intellectual property for financial advantage, they won’t do anything about it … I think it’s ironic now that LulzSec is making people eat their vegetables.

This position was echoed by Chris Wysopal, one of the original members of L0pht, who now runs a well-respected security firm:

Corporations take public embarrassment more seriously than stolen intellectual property. The Sony attacks sent chills down the spines of Fortune 100 CISOs and their boards. We had customers come to us and literally say, “I don’t want to be another Sony.” They scanned thousands of websites and remediated hundreds of critical vulnerabilities so that didn’t happen to them. In this way, LulzSec made the Internet more resilient. In some ways it is like an immunization giving your immune system a taste of the virus that would otherwise kill you and force your immune system to work to build protection.

Now, not all hackers adored the crew. HTP, the group that loved to pwn Anonymous, extended its loathing to LulzSec. As one LulzSec member who went by the name pwnsauce put it, “HTP saw us as attention-whoring fucknuggets, basically.” HTP’s viewpoint reflects a long-held ethos in the hacker underground, one that drives some hackers to snub those seeking attention from the mainstream press (attention is anathema to staying out of the “clink”—and LulzSec’s failure proved the wisdom of this folk ethos). Even if LulzSec hackers did not do many interviews, they were nevertheless doing everything possible to land major stories by drawing as much attention to themselves as possible. They once did so by attacking the media itself.

Media

Anonymous may not ever have (readily) nominated any individuals to speak on its behalf, but it hosted an IRC channel, #reporter, where dozens of journalists interviewed participants. LulzSec was more secretive, offering no public channel for journalistic access and giving almost no interviews in general (except to Parmy Olson and, occasionally, Steve Ragan). There was no celebrity to showcase, except the group itself. Nevertheless, by the end of June 2011, LulzSec had become something like hacker rock stars. This foray into celebrity territory drew some furrowed eyebrows from the broader Anonymous community, but, for the most part, there was enough distance—LulzSec repeatedly confirmed its autonomy—that even the pseudonymous collective from which LulzSec broke away could enjoy the show without feeling that it affected its own mores and ethical sensibilities.

LulzSec, unlike AnonOps, clawed at the media. Its major hack against the press was directed against PBS in retaliation for its Frontline film on WikiLeaks, WikiSecrets. The documentary drew the ire of LulzSec members, notably Sabu, who disliked the film for how it skirted the pressing political issues raised by Cablegate in favor of a sensationalist psychoanalyzing of the “dark” inner life of Chelsea Manning. LulzSec launched a two-pronged campaign. They dumped the personal data of PBS staff and defaced its website, leaving a clever article that could almost pass as real (see figure overleaf).

Even if the article was destined (and designed) to be understood as a fake, it worked as a hoax. Perhaps because the scenario was hypothetically plausible, Topiary (its writer) sprinkled the article with giveaways. The proposed source of information—a hand-written diary—was absurdly quaint by today’s standards. And the most unbelievable nugget was the suggestion that law enforcement was in on the arrangement—not only because privacy is in short supply for celebrities, but because privacy itself has been nonexistent for a long time. Just in case you were fooled, the story’s kicker jolts you back to reality with the nonsensical statement “yank up as a vital obituary” (an anagram of the handles of the LulzSec members who participated in the hack, Topiary, Sabu, Kayla, Avunit), and a reference to the diary-writer’s girlfriend, Penny—named after none other than HBGary’s president.

While some were disturbed by an attack directed at the media, the Twitter frenzy as the story spread mostly showed adulation. The allure of this act can be explained if we turn to an anthropological definition of defacement provided in Michael Taussig’s striking book on the topic: “Defacement works on objects the way jokes work on language, bringing out their inherent magic nowhere more so than when those objects have become routinized.”²⁰ LulzSec laid bare the subject of celebrity by defacing a media object—the journalistic article—with a strong dose of humor.

Every major Western news establishment ran a piece about the bogus article, and most skimmed over the part about the ethically questionable data breach. The political motivation behind the hack received only cursory treatment, even though LulzSec published an explicit statement rationalizing its actions. This was a further (and ironic) demonstration of the mainstream media’s proclivity for sensationalizing issues—the very behavior exhibited by the WikiLeaks documentary that prompted the operation in the first place.

“We futurescan”

One might think that the corporate response to LulzSec, and by extension Anonymous, was wholly negative. In reality, it was a little more complicated. Starting in the fall of 2011 and peaking in 2012, various individuals and institutions situated in and around the highest echelons of the corporate world began to contact me. I spoke with the founding partner of a venture capitalist firm in New York City, the head of European security for Vodafone, and a senior vice president from TTI/ Vanguard (self-described as “a unique forum for senior-level executives that links strategic technology planning to business success”). I gave two talks (one virtual) for an NYU global risk and security group that included chief security officers (CSOs) and other executives from major corporations. Finally I participated at an event run by “World 50,” an organization that convenes events for senior executives of mostly Fortune 500 companies.

The list would be incomplete without mentioning my 2012 talk at TEDGlobal in Edinburgh, Scotland. While TED’s online videos reach a popular audience of millions, the conference itself is primarily attended by wealthy elites—with the exception of some of the speakers, such as myself, and select attendees who receive financial aid from TED. The privilege of attending TED costs roughly $6,000. Of course, one has to be chosen first (you have to apply). This does not include the costs of travel or accommodations, but it does grant access to some fancy parties featuring copious food and drink, concerts, highly curated TED talks, and the opportunity to converse with some famous and fascinating people (or their assistants, at least). After my talk, Will Smith’s personal assistant struck up a conversation with me, making a vigorous attempt to convince me that his boss, who is rumored to be a Scientologist, is actually an avid fan of Anonymous. Was he social-engineering me in an attempt to protect his boss from a potentially career-damaging attack by Anonymous, or did we really just randomly bump into each other?

That was pretty tame compared to another memorable encounter. While sampling the delicious snacks during one of the breaks, a Fortune 500 executive snuck up on me, clutched my arm—rather too tightly, I felt—and, clearly projecting his anxiety onto me, whispered loudly into my ear: “You are sooooooo brave to study Anonymous.” Just the day before, I had visited a local Anon and his partner. The highlight was touring their garden, where I saw their beehive, followed by a very tasty home-cooked meal of pheasant and sweet potato mash. Afterwards, we watched the documentary We Are Legion: The Story of the Hacktivists and his partner was rather floored to learn that there was actually some political substance to Anonymous. All this time, she had thought he had been messing around on his computer engaging in purely juvenile acts. After this gentle experience with a “dreaded” Anon, I found it hard to roll over for this executive’s praises of bravery and courage. I guess I could have been stung by a bee? I thought to myself.

At one level, these men and women struck me as regular folk. They complained about their spoiled sons and daughters, the exorbitant cost of higher education in the United States, and (some of them, at least—a naturalized Canadian, now that I remember) the lack of universal health care in the United States. Many even engaged in a time-honored workplace pastime: railing against their immediate overseer. Of course, in this milieu, that usually happened to be the CEO of a mega corporation. But make no mistake: during the World 50 event held at the Contemporary Jewish Museum in San Francisco, I heard two twenty-something caterers mutter to each other, not caring that I could plainly overhear, that “it is a different world in there.” Take the name tags were were given at the event. These weren’t some piece-of-paper-shoved-in-a-plastic-sleeve-with-some-kind-of-branding lanyards. These looked like they came straight out of Restoration Hardware (a high-end American furniture store). Made of metal, the clasp was powered by a magnet. In a pinch, you could probably use one as a ninja throwing star. Sadly, I only used mine to identify myself. After acquiring my name tag and a lunch of seared tuna and other delicacies, we were moved upstairs to an airy, sun-drenched private room decked out with plush chairs for talks, which ranged in subject from massive open online courses (or MOOCs) to Anonymous (mine, of course). In the audience were executives from AstraZeneca, Cargill, Hewlett-Packard, Hilton Worldwide, Huawei Technologies, Hyatt Hotels, Juniper Networks, Monsanto, Rio Tinto, The Coca-Cola Company, and Tiffany & Co. Even though lunch had just been provided, there was an impressive ensemble of snacks and drinks, including beautiful glasses full of M&Ms and ten beverage choices. After the talks, everyone was whisked away to a dinner at a restaurant overlooking the Bay Bridge, which started with an intimate talk by Steve Martin.

Not surprisingly, corporate executives, especially from blue chip companies, wanted nothing more than for someone to wave a wand and make both Anonymous and LulzSec disappear. Executives from technology companies seemed curious and, if nothing else, at least familiar with Anonymous’s involvement in a range of political movements. Sometimes they were even interested to learn about Anonymous’s role in the Arab Spring. Executives from financial and energy firms tended to be frosty, while those from other industries showed curious mixtures of disgust and fear. One head of communications for a low-cost airline jokingly wished Anonymous would hack her company—the free publicity would be stellar.

What was less expected was a query that I received about Anonymous’s potential contribution to the corporate world. TTI/Vanguard approached me to assess whether I could give a talk along these lines to its clients, such as Royal Dutch Shell, Northrop Grumman, Toyota, FedEx, and Expedia. I discovered that TTI/Vanguard was primarily involved in “futurescanning.” Apparently, “TTI/Vanguard heightens thinking about technological possibilities. We futurescan. We focus on unanticipated sources of change and evaluate their transformative promise. In dynamic, highly interactive sessions, debate is stimulated and breakthrough ideas flourish.”²¹

This is the culture that adopts “disruptive” strategies for the attention economy, for capital gain. Anonymous and LulzSec disrupted in the classical way—without clarification. Sometimes they even fucked shit up. They also demonstrated the importance of art, expression, autonomy, and creation through unalienated labor. Most multinational companies are not compatible with these ideals; they cannot implement these lessons, at least not in a fulfilling and honest way.

TTI/Vanguard’s mission statement marked my first exposure to “futurescanning,” but then it started popping up everywhere. The most surprising of the bunch came during a phone call with Chris Anderson, the head of TED, prior to the summer event in Edinburgh. He asked whether my talk could include some practical insight for corporate management. Though his request was subtle, it was clear he wanted me to relay a (hyper-inspirational, astonishing, disruptive) lesson from the trenches of Anonymous that could upend conventional wisdom and embolden corporate thinking. Until then, I had worked mostly with TED’s other curator, Bruno Giussani. TED vets everything down to the word—he asked me to nix the word “homeland” since it was too politically charged. That said, Giussani was otherwise hands off, offering helpful suggestions that I could adopt or reject. Frankly, I was surprised by Anderson’s query. It was clear that if I adopted the corporate lingo, and came up with some whiz-bang way of packaging Anonymous using shallow, amazing-sounding, paradigm-shifting phrases combined with confusing technobabble, all delivered with breathless enthusiasm, I would have the perfect formula to inspire in these corporate drones the feeling of being in on some mind-blowing insights. And then I could make a lot of money running around bullshitting people until the next paradigm rolled over.

These exchanges gave me a fresh perspective on a contemporary vector of co-optation. Academics who write about the subject have often approached it from the angles of advertising, entertainment, and consumerism—the classic example being Dick Hebdige’s seminal analysis of the commodification of punk rock.²² Countercultural forces of critique, of which punk rock was emblematic, are devitalized when channeled through the corporate advertising apparatus, or turned into commodities through the processing mechanisms of Hollywood or the fashion industry. What I always found interesting about Anonymous was how it had, at least until recently,²³ resisted these forces for one primary reason: most corporations are wary of commodifying Anonymous because they know how direct the repercussions might be. In fact, the case of Anonymous is a curious one in which the opposite process more often occurs; though it is true that Time Warner makes a buck whenever someone buys an official Guy Fawkes mask (Time Warner holds the copyright to the V for Vendetta movie), Anonymous has taken a symbol popularized by Hollywood and made it revolutionary. It is a prime example of counter-commodification, a rare occurance.

But if there’s one lesson from the corporate execs, it’s this: even if they aren’t about to claim Anonymous’s imagery for their next advertising campaign, it doesn’t mean they can’t, or won’t, find some way to appropriate something about Anonymous. If someone can find an uncapitalized, exploitable, futurescanned, innovative, disruptive idea that can flourish in corporate boardrooms, they will. This move, while distinct from more familiar forms of co-optation—since the knowledge transfer may not (necessarily) alter the phenomenon being scrutinized—is still worth understanding a little better. There is a pervasive cottage industry (in the form of think tanks, organizations, and motivational speakers, many from academia, especially pundits who love to inflate the promise of technology) that exists to capture wisdom from every corner of the globe (from gang culture to the Arab Spring) and convert it into a formula for corporate success. This is done so that corporate executives can keep abreast of global challenges, feel great about what they do, strengthen corporate cultural machinery, and make a lot of money off of culture that they don’t have to invest in. I suspect in some instances, when corporate executives hone in on a phenomenon like open source, they not only harvest insights for their corporations, but have the power to recalibrate public opinion on the topic. We know very little about the reach of these networks and the possible effects that “futurescanning” might aggregate. It is a subject that would certainly be worth understanding better. Maybe we need to “futurescan” futurescanning ourselves.

“I tell you: one must still have chaos within
oneself, to give birth to a dancing star”

LulzSec was not only embraced and celebrated by hackers. It was also widely popular among Internet geeks, political activists, and academics, along with a host of other unmarked spectators. To understand why, it helps to look to the nineteenth-century German philosopher Friedrich Nietzsche, whose investments in questioning truth and morality, elevating pleasure over reason, and embracing cunning and hyperbole can be used (playfully and experimentally) to form the intellectual scaffolding for the work LulzSec and Anonymous did 150 years later. (Indeed, had Nietzsche been teleported into the future and developed a knack for hacking, I suspect he just might have joined LulzSec.)

Nietzsche took the Enlightenment project of critique so much to heart that he turned out to be one of its unremitting critics—helping to inaugurate a more general project of radical philosophy, which would be expanded upon in the twentieth century by a cohort of writers, most famously Gilles Deleuze, Félix Guattari, and Michel Foucault. We might even think of Nietzsche as the Enlightenment’s trickster. The objects of his critique were rationality, progress, God, science, and the way that ideas or systems based on absolutist tropes—whether proclaiming truth in science or God—become, in earning wide adoption, more resistant to critique and more capable of binding humans in their grips. For Nietzsche, nothing should be de facto granted or a priori assumed: neither good and evil, nor true and false. Every piece of knowledge that humans conceive of, make, or even discover by looking at the world is, according to Nietzsche, provisional, rooted in judgment, and, though often seeming timeless or natural, understandable only within a specific historical moment.

Nietzsche sought to dismantle the ideological stronghold of truth, rationality, and conventional moral systems for complex reasons. Suffice to say, for our purposes, that he wanted to highlight how the mantle of truth exerts a monopolistic force. Truth implies right, better, and good. Anything sanctioned as truth then works to devalue other domains of creation and experience, like art and myth, which lie outside the orbit of “truth” and are thus slotted in the category of “falsehood.” In this ideological binary, art becomes a second-class citizen in the public life of ideas, while fantasy and myth are hardly even allowed to join the party.

Nietzsche was attuned to the vitality of sensuality, myth, and art. Music, poetry, and even the mad laughter of the trickster Dionysus, who he championed, offer an aesthetic life of pleasure.²⁴ They are pursuits through which humans can overcome their limits and the tragic condition of life: “Not by wrath does one kill but by laughter. Come, let us kill the spirit of gravity!”²⁵

More than any other political movement in recent times, Anonymous, and especially its LulzSec offshoot, gives forceful social shape to a number of these Nietzschean philosophical themes. If Nietzsche argued that nothing is sacred, and advocated for a life of enchantment, then LulzSec and Anonymous lived these maxims out. They dared to subvert and break formal law, etiquette, and mores, and experimented with the art of transgression. They reminded us: to make life into art, and art into life, you sometimes need to break rules.

And breaking rules is a difficult task. Back when I taught a course in Communication and Culture, I used to have my undergraduate students violate a norm in public and report back on their experiences. With the exception of one or two eccentrics, who rather enjoyed the assignment (one of them recounted gleefully that her mother walked her by leash and collar, like a dog, on the streets of New York City—and barely anyone batted an eye), it was an extraordinarily hard, even painful, exercise. In fact, a good quarter of the class broke rules in ways that hardly constituted “daring” at all, like asking someone at a cafe whether they could sit at their table.

The pressure to conform to conventions and accept given wisdom is enormous—and often for good reason. Much of Nietzsche’s corpus laid bare this tendency and warned of its pernicious effects, which is what the trickster myths address, time and again, albeit in different form. Indeed, one of Nietzsche’s most famous characters, Zarathustra, is a tricksterlike figure. Living as a hermit for a decade in the mountains, he comes to the realization that one can overcome social mores in favor of self-defined desires and ideas. He descends to share this insight, advocating a process he calls “self-overcoming.” Anonymous and LulzSec have existed as instantiations of Zarathustra. LulzSec went a step further than Anonymous, breaking even the rules that had inadvertently taken root in Anonymous itself, thus posing a challenge to even this emergent order.

It is rare for something actually resembling the trickster myth to come into being in the midst of our contemporary reality, much less with such panache and public presence. These hackers, in their sacrifice (and sacrifice of others), served to remind many of the necessity, pleasure, and danger of subversion.

The awe many felt toward Anonymous and LulzSec can be illuminated by Walter Benjamin’s insight regarding the great criminal who, “however repellent his ends may have been, has aroused the secret admiration of the public.”²⁶ This admiration stems from the fact that criminality reveals the limits of the state’s monopoly on violence and the force of the law. But LulzSec and Anonymous fundamentally exceeded the frame of criminality—even if they were unable to entirely escape its orbit. LulzSec and Anonymous, in contrast to criminal outfits, were not out for private gain, and in the case of Anonymous, there has been significant social pressure to mute self-interest, personal fame, and recognition. Anonymous performed the broader, Nietzschean lesson embodied in Zarathustra: to act out the secret desire to cast off—at least momentarily—the shackles of normativity and attain greatness—the will to power set to collectivist and altruistic goals rather then self-interested and individualistic desires. Anonymous and LulzSec’s artistic chaos, to paraphrase Nietzsche, gave birth to a dancing star. If you think I am overtly romantic about LulzSec and this era of Anonymous, you may be right. But the events that followed ensured this honeymoon phase was shortlived. We can now turn to the death of LulzSec and the rise of AntiSec, and see how this stunning mythos went awry when Anonymous was partially eclipsed by a cult of personality.

CHAPTER 8

LulzSec