The State vs The Internet
Esquire, Feb 2014
As the struggle intensifies between those who would limit access to information and those who believe the internet should remain entirely unregulated, the cyber war has gone offline: in bedrooms and boardrooms, in the streets, in court, even in prison, hackers, trolls and associated free speech activists are fighting against governments and corporations over the digital world’s greatest resource – data.
Esquire went inside the Internet Underground – Anonymous, Lulzsec and other groups of pranksters and protestors, to find that as the authorities harden their stance, the hackers are regrouping, wounded but defiant. And the battle has only just started.
[Also read this story at Esquire]
On July 10th, 2011, in a secret chatroom in cyberspace, a 20 year old hacker called “Lolcat” waits by his laptop for the stroke of midnight. He’s joined by 10 others, several of whom he’s hacked with before, though he only knows them by their tags—according to “OpSec” (the group’s internal rules of operational security), they are not to meet, Skype, reveal real names or key biographical details. Some have voice-chatted and as a result Lolcat reckons he can guess the age and home town for four of them, and the country for two. But that’s about it.
What he knows for certain, however, is that these hackers make headlines. Several members of Anonymous are here, as are some key members of Lulzsec, the elite hacker group that broke away from Anonymous earlier in the year. And at this point, Anonymous and Lulzsec could scarcely be more notorious. It’s as though Wikileaks, which burst onto the scene in 2010, passed a baton to its irreverent anarchic cousins, and now no one’s safe. Whether pulling pranks like hacking Google’s Hot Trends list and placing a Swastika at number one or stoking the Arab Spring revolutions by taking down government websites in the Middle East, and releasing the email addresses and passwords of government officials, Anonymous has managed to genuinely pique the powerful at a time when the spirit for protest is high, but the old methods, the chants and marches, feel stagnant. At this point its targets have included the Church of Scientology (for trying to force Gawker to take down some ‘crazy’ footage of Tom Cruise); Visa, Mastercard and Paypal (for refusing to process donations to Wikileaks); the CIA (just because); the governments of Tunisia, Egypt, Iran, Libya, Bahrain, Jordan, Morocco, Zimbabwe, Australia, New Zealand, Malaysia and Italy; and sundry other victims including the Arizona Police, the NHS and more than once, Sony.
Tonight they’re about to add Rupert Murdoch to the list, even though officially, Lulzsec retired the month before, on June 26. The group called it quits after a blistering hacking spree which it christened “50 Days of Lulz”. But then a vulnerability was discovered at News International, and the temptation was too great.
It all started a week ago when one of their number—who may be as young as 17—became enraged by the Millie Dowler scandal, the revelation that News International had been hacking into the voicemail of a 13 year old Surrey girl who’d been abducted – and murdered, it turned out – simply to break new stories about the case. He started looking for a way into The Sun. “Just sailing around and poking at it,” is how Lolcat puts it.
“Then he found a vulnerability called a local file inclusion bug,” he says, “but we had to wait till midnight for it to work. So I told [fellow Lulzsec member] Topiary and we decided to pwn the Sun.” (Pwn means ‘perfectly own’ or take control of a website completely).
A gang was assembled, eleven strong, and once the clock struck 12, the attack was on—a breach so easy that the 17-year-old performed it alone. Lolcat popped out for a cigarette and by the time he got back, they were in.
“First thing we did was build a ‘shell’,” he says. “That gives you basic control over a web site and allows you to browse through files and execute commands via your web browser. Then we backdoored everything. It’s like if we went through the building rigging all the locks and leaving the windows open. So if one breach is found, at least there are 9001 others.”
They couldn’t get root access, which would mean total control because the passwords were too difficult to decrypt. So they tried a ‘local root exploit’, a piece of code that, from Lolcat’s description, is akin to using dynamite to blow a safe rather than cracking the combination.
“They sometimes work, but they can be dangerous, and often mess up,” he says. “In this case, it did. We crashed the whole server!”
So much for the stealthy midnight operation – surely News International’s IT people cottoned on at this point?
“That’s what we thought. We were like: ‘shit, it’s all over’! But it was hilarious—the admins just rebooted it and restored our shell. So our backdoors were still in effect!”
As they rummaged, they discussed what kind of mischief they could make. “I thought a fake story where the Queens corgis were kidnapped would be kinda funny,” says Lolcat. “I also sketched up a deface for News of the World—a comic explaining how to hack voicemail. But Murdoch’s suicide was the clear winner from the start. That was Topiary’s idea.”
Topiary is the group’s writer and publicist of sorts, the one who coined the name “Lulzsec” and has since written all the press releases and tweets, building the Twitter page to over 340,000 followers. While others do the hacking, Topiary’s role is more “front office” – he creates the sensation and builds the brand. More than anyone, he gives the group its outlaw personality, that of a band of fuck-you pirates on the cyberseas, wreaking merry havoc as they go.
When the American public broadcasting giant PBS ran a critical story about Julian Assange, for instance, it was Topiary who wrote the story that appeared on the PBS site: “Tupac Alive and Well and Living in New Zealand”. It was Topiary who designed the group’s mascot – ASCII art [comprised entirely of typeable characters] of a pirate ship, the “Lulzboat”, with the banner above reading “Set Sail For Fail!” And when Lulzsec attacked an FBI-affiliated cybersecurity firm called Unveillance – following NATO’s announcement that hacking could constitute an act of war – it was Topiary who named the release “Fuck FBI Friday”, ending it with the challenge: “We accept your threats, NATO. Game on, losers. Now we are all sons of bitches.”
He later explained the reference: “Someone said ‘now we are all sons of bitches’ to Robert Oppenheimer after the first atomic bomb went off. I was referencing our cyber atomic bomb as causing the end of the world.”
For Topiary the whole enterprise was a piece of hacking art. “LulzSec, to me was a character in a play,” he wrote. “It was a challenging acting role, a sea-savvy pirate theme. A way of expressing energy through the artful spreading of illicit cybermaterial.”
The Murdoch suicide story may be Topiary’s finest moment. The timing alone. They broke into The Sun on July 10, spent a week digging around the website undetected, and then planted the story two days before Murdoch faced a humbling parliamentary committee on Tuesday July 19. So, first thing on Monday morning, visitors to the Sun’s home page were greeted with: “Media Moguls Body Discovered… [Rupert] Murdoch, aged 80, has [sic] said to have ingested a large quantity of palladium before stumbling into his topiary garden late last night…” (Palladium is the hacker who inserted Topiary’s story.)
“You can call it a heist, but we didn’t steal anything,” says Lolcat, laughing. “Apart from Murdoch’s dignity!”
The arrests began the very next day. Murdoch’s embarrassment proved something of a watershed for Anonymous and its offshoots. To date, almost every member of Lulzsec has been arrested and convicted, as have scores of Anons on both sides of the Atlantic. And the way in which it happened revealed not only the true nature of the movement but also the determination of the authorities, who have asserted control to such a degree that, in the US at least, the freedom of the internet itself may be at stake.
The first sting was on July 19th 2011, a coordinated effort by the FBI and Scotland Yard (since both American and UK targets had been hit). In the US, sixteen Anons were arrested, largely in connection with the hack of PayPal, and in south London, the first member of Lulzsec was brought in – a quietly adept hacker named T-Flow, who turned out to be a 16 year old student named Mustafa Al Bassam. A week later, plain clothes police descended upon a small home in Lerwick, in the Shetland Isles, to arrest Topiary, aka Jake Davis, 19, a loner with a lazy eye who lived alone. He was a revolutionary online, but by day he worked part time at a garage, just about getting by.
Then on March 6th 2012, another devastating transatlantic sweep, this time also involving Irish law enforcement, who were investigating Anonymous’ attack on the political party Fine Gael. Pwnsauce and Palladium were arrested – aka Darren Martyn (19), a student from Galway who ran a non-profit web security firm, and Donncha O’Cearrbhail (19), a student at Trinity College Dublin. Lulzsec’s most skilled hacker, Kayla – arrested in South Yorkshire – turned out to be not a 16 year girl as his persona suggested, but a 24 year old former soldier in the British army named Ryan Ackroyd (whose younger sister was called Kayleigh).
Meanwhile, the day before, the FBI struck twice. In Chicago, agents arrested a hacker named Anarchaos, aka Jeremy Hammond, an old school anarchist with a rap sheet, and in Dallas, the journalist Barrett Brown home was raided. Brown, 30, was arrested in September and currently awaits sentencing. Hammond, 28, was recently sentenced to 10 years. The name that rang out that day, however, was “Sabu” – real name Hector Xavier Monsegur, 27. A Puerto Rican programmer from New York’s lower east side, Sabu was widely considered Lulzsec’s leader and yet the FBI revealed that he’d been working with them for almost a year. He’d been arrested on 27th June 2011, a month before the Sun hack. And by the 28th, he was an informant.
Right now there’s a war underway between the authorities and what one might call “the internet underground.” The former are the traditional forces of government and big business – the centers of power, the pillars of the status quo. The latter is a more unruly sprawl of rebels and disruptors who have been unleashed by the Internet.
Some of these rebels we know – public figures like Julian Assange, Edward Snowden and Chelsea (formerly Bradley) Manning, whose leaks have reshaped global politics. But they’re outliers, at one extreme of a spectrum. At the other end is the seedbed from which Snowden and his ilk sprang, the ferment of Internet culture where the underground is still very much underground. Many are traditional hackers – that is, they break into systems and manipulate them to a new purpose. Others are dedicated trolls who manipulate people online and whip them up into a state. But distinctions in this world are seldom neat – many hackers are trolls, and vice versa, and so it goes for the others that swim among with them, the anarchists, punks, whistleblowers and political firebrands. One thing they all share, however – perhaps the only thing – is a firm belief in free speech and the free exchange of information online. Any perceived encroachments upon these freedoms, and the underground tends to retaliate. And from 2009 to 2012, its activities went more or less unanswered. Not anymore though. The conflict has taken a sobering turn.
It’s fitting that the Sun hack should be so pivotal in the Anonymous story. It captures the spirit of the hacktivist underground perfectly. It was both a hack and a troll, and a piece of political theater all at once – a prank executed not for profit, but for “the lulz”. And lulz is a core concept for internet culture, albeit an often misunderstood one. While “lol” is benign, lulz is subversive and often cruel, it requires a victim. It’s the cackle of the troll who delights in the torment of others. It’s Schadenfreude with bells on. The internet anthropologist, Gabriella Coleman describes it as “a deviant, dark species of humor which embodies the pleasures of transgression”. But typically, Encyclopedia Dramatica, an online compendium of lulz, says it best: “Lulz is engaged in by Internet users who have witnessed one major economic/environmental/political disaster too many, and who thus view a state of voluntary, gleeful sociopathy over the world’s current apocalyptic state, as superior to being continually emo.”
Anonymous was born of lulz. Though it has since evolved into a serious protest movement with brazenly populist aspirations – if it’s not exposing corporate and state corruption, it’s rallying to some hot button public outrage like child porn or the Westboro Baptist Church – the group emerged from the aggressively juvenile website 4chan, a series of image boards, on which anonymity is mandatory. The most famous board is known as “/b”, for “random” subjects – aficionados are known as b-tards. It’s where lolcats came from (the meme of cat pictures with daft captions), and Rickrolling (tricking people into clicking on a video of Rick Astley’s ‘Never Gonna Give You Up’). Anonymous is so steeped in lulz that back in the old days – all of two years ago now – worthy, political Anons were decried as “moralfags” specifically for their lack of lulz. This was partly why Lulzsec was formed – to restore Anonymous’ troll spirit.
Since the Sun hack, however, the moralfags are firmly in the ascendant. In these serious times, the lulz has largely left the building, just another casualty of war.
Sabu’s treachery not only hurt the group by putting Anons behind bars. It also wounded Anonymous’ idea of itself. And at its heart, this is what Anonymous is: an idea.
Prior to the arrests, I chatted with Anons in the IRC chatrooms where they hung out (Internet Relay Chat is a social networking protocol that allows for live group conferencing, all the messages appearing in a long streaming conversation). They would insist that this was a leaderless and populist movement, without a hierarchy, and yet we now know that a small cadre of hackers led by Sabu did most of the damage. They’d also describe the classic Anonymous attack – the distributed denial of service attack or DDoS (“dee-doss”) – as the ultimate manifestation of the group’s hivemind nature. It made for a convincing story. DDoSing involves tethering many computers together into a ‘botnet’ and using them to send thousands of small packets of information to a server until it is overwhelmed and shuts down. Anons would volunteer their computers for these attacks using a program called a Low Orbit Ion Cannon (LOIC), in the belief that they were joining the good fight (as opposed to just appearing on the FBI’s radar).
But we’ve since learned that the biggest DDoS attacks were largely the work of one or two individuals who had already built up illicit botnets of their own over the years by using viruses to harness computers without the owners’ knowledge. (Ryan Cleary, 19, from Essex was one such operator – his botnet comprised over 100,000 computers, and he’d rent it out to spam operators and phishing sites among other things. He offered it to Anonymous as a way of gaining influence in the group.)
We also know that despite its lulzy roots, Anonymous wasn’t nearly as much fun on the inside. Chatting to me over Skype in September 2013, Davis (Topiary) recalled feeling relieved on the day of his arrest. “I wasn’t having a very pleasant time online and it was nice to be thrown out of it for a while,” he said. He’d been half-expecting a visit from the law, anyway. Even though he used long, randomized passwords (over 50 characters, alphanumeric), he wasn’t as security-cautious as other members of Lulzsec. “It’s not my world at all, this ‘cyber security’ or ‘policing’ system. I’m just some artsy, lefty nerd that’s been dragged through it all.”
On May 14th, 2013, Davis was sentenced to 24 months. But he was credited for wearing an electronic tag prior to sentencing, so it only amounted to 37 days in jail. Now he lives in Islington, writing a book based on his prison diary, and working with a marketing company. He’s back on Twitter and appears to be enjoying the notoriety he acquired as Topiary. But he doesn’t speak fondly of the old days.
“There’s nothing stimulating about waking up to 500 emails claiming they’ve found your identity and would eat your children, 500 emails praising you for things that you weren’t too proud of, and 500 emails asking you to get involved with 500 more things you’d probably regret later,” he says. His cocksure persona was an act. In truth, he was an isolated kid on a bleak, windswept island where he found school so miserable he left at 14 – the other kids teased him for his lazy eye. The Internet was a place where he could swagger and inspire awe. But eventually the act became a straitjacket.
“My persona was a prankster, on top of the world. But you can’t turn around while under that persona and say ‘this inconsistent pseudo-political mumbo-jumbo has deviated greatly from its original promise to simply defend one’s personal freedoms.’ Because this is the Internet. You have to be a badass on the Internet at all times. Or at least that’s what people think and accept.”
And yet he holds onto that badass persona today, just a bit. His Twitter account bubbles over with wit and sarcasm as he mocks David Cameron, GCHQ and the surveillance state. It’s as though he misses Topiary. But what about the others? Did Sabu’s betrayal hurt?
“I don’t particularly care either way, and I didn’t care on the day I learned about it,” he says. “I’ve never met him, and I don’t feel emotion towards lines of text in a chatroom.”
It’s a strikingly cold response, but not unusual given the culture of Anonymous. This is a world of acute paranoia, rife with spats and squabbles – the perfect conditions to produce a snitch. In fact, with hindsight, it’s surprising that Sabu didn’t switch sides earlier. Three months earlier, to be precise. Because that was when he was publicly “doxed” (outed) by an ex-Anon, Jennifer Emick of Backtrace Security in Michigan.
I met Emick at Defcon in 2011, a huge hacker convention in Las Vegas. A mumsy figure in her late 20s, she had turned angrily against the group following its first major operation in 2008, against the Church of Scientology. And on that day, she was giving a talk about how Anonymous is actually a mob of bullies and thieves who sell information and destroy innocent reputations. But the crowd wasn’t having it. A room full of men in black T-shirts and utilikilts were shouting down her allegations of boorish behavior, oblivious to the irony. “Show us your tits!” they yelled.
Emick told me why she turned. Apparently she’d objected when “the leaders” instructed members to shun a certain person, so the group turned on her. “They used my name on every forum on the internet to say ‘I hate niggers,’” she said. “They put my picture in all kinds of porn. You name it. And if anyone protested, they went after them too. They impersonated one guy and went on to kids cartoon forums and made sexual remarks to little girls. Then they called his wife and said, ‘your husband is a pedophile, look at the comments he’s making.’”
Emick doesn’t explicitly say who “they” are, but her Twitter handle, @fakegregghoush, offers a clue. Gregg Housh is an affable SEO specialist from Boston, who has been one of Anonymous’ key contacts for the media. Naturally, Housh denies her charges, calling her “utterly discredited”, and citing the time in March 2011, when she provided a list of 70 names of alleged Anons to journalists, and much of the information was wrong – she’d put many innocent people onto the FBI’s radar.
But at least one of those names was right – she even located Sabu on the lower east side. The FBI didn’t cotton on, however, until Sabu himself slipped up, months later, on 7th June 2011 when he accidentally logged into an Anonymous chat forum without using the Tor system which masks his data connections. Hours later, two FBI agents were in his apartment offering him a stark choice – either face a potential 124 year maximum sentence or become a snitch.
Sabu is a hated figure among Anons today. But consider his predicament at this point. His mother had deserted him as a boy and his father and aunt were heroin dealers, in and out of prison all through his youth. So his grandmother raised him, along with his two nieces, at least until she died in 2010, leaving Sabu to raise the girls himself. But he couldn’t support them all on his income, so he started selling weed and hacking for profit, even exploiting stolen credit-card numbers. Life was already a matter of survival for Sabu, by the time the FBI showed up. And since he couldn’t afford bail, the facts were simple – if he wanted to fight this case, he’d have to condemn his nieces to foster care.
Still, he took to his new role with alacrity. Sabu made a first class grass. He had the clout to lure in other Anons, and the skills of what hackers call “social engineering” – the art of adopting a new online personality in order to manipulate others. It also suited his personality. While Davis was more of a lulz guy, Sabu was always the loudest and angriest of Anons, inflaming the younger members to fight the power. For Sabu, power was part of the appeal of hacking. And now here he was, working for the FBI.
When Lulzsec fell apart, Sabu formed Antisec, a new group that served as a honeypot to lure hackers into informing him of leaks and vulnerabilities. According to Parmy Olson’s book, “We Are Anonymous”, the Assistant US District Attorney estimates that he helped to plug 150 holes in computer systems this way. It’s also believed that at one point, Sabu almost sold Wikileaks some hacked emails which would have greatly helped the federal government’s case against Julian Assange.
But his most notorious achievement involved the hack of a Texas-based private security firm called Strategic Forecasting (Stratfor). A 28 year old hacker named Jeremy Hammond was convicted of the crime – he began a 10 year sentence in November 2013. But Hammond’s supporters believe – and they are many, the Free Jeremy campaign snowballed in the run up to his sentencing – that Sabu was engaged in entrapment. The California attorney Jay Leiderman, who has represented several Anons in the past, explains it this way: “All the information that I’ve been privy to, was that the FBI was creating and importuning criminality and suggesting targets. Via Sabu they were … getting people to do things that they weren’t otherwise willing or able to do.”
This isn’t conjecture. By the prosecution’s own account, Hammond knew nothing of Stratfor’s vulnerability until Sabu told him about it. Another hacker had approached Sabu to say that he’d gained initial access to the company’s servers, so Sabu invited him to share his information with more skilled hackers like Hammond. And when Hammond decided to continue the job, the FBI (through Sabu), merely looked on rather than prevent the crime, allowing him to acquire 60,000 credit card numbers, 5.2 million emails and several gigabytes of documents, all of which he stored on servers that Sabu provided. Hammond defaced the Stratfor website with the announcement that he’d used the credit cards to donate $1 million to charity (the FBI confirmed $700,000 in charges). And all of the hacked documents were then leaked to Wikileaks, making it the first time that Anonymous and Wikileaks have collaborated.
At his sentencing Hammond revealed that Stratfor was just the start – that Sabu kept feeding him with fresh vulnerabilities, always insisting that he upload whatever information he hacked onto the same FBI-monitored server. He claimed that the targets included “several foreign government websites… Brazil, Turkey, Syria, Puerto Rico, Colombia, Nigeria, Iran, Slovenia, Greece, Pakistan, and others.” The specific websites he recalled included that of Governor of Puerto Rico, the Crown Prince of Kuwait, and the Internal Affairs Division of the Military Police of Brazil, among others.
The specific countries aren’t mentioned in the court record because the Judge, Loretta Preska, demanded that they be redacted. But the list was widely reported anyway, as was Preska’s own apparent conflict of interest – her husband, a lawyer, is a victim of the Stratfor hack (his email and password were exposed). The National Lawyers Guild filed a motion requesting that she recuse herself, but she refused. Instead, she handed Hammond the maximum possible sentence and opined about a “need for adequate public deterrence.”
There’s little doubt where the power lies between the hacktivists and the authorities at present. Given all the arrests and lengthy sentences, the concern is now that the state has gone too far – the phrase that’s often heard is “prosecutorial overreach”.
But this is more of an American problem than a British one. In the UK, most of the convicted Anons are either free or well on their way. Topiary is out; Kayla (Ryan Ackroyd) will likely only serve 15 months; T-flow (Mustafa Al Bassam) was given a suspended sentence as a minor; and the two Irish hackers weren’t even charged with the majority of their crimes.
In the US, however, it’s a different story. Hammond’s sentence is more than four of the English Lulzsec members received put together. And already this overreach has created a martyr in Aaron Swartz, a prodigy who co-created the enormously popular social entertainment website Reddit, the web feed technology RSS and Creative Commons, an organization that allows for the free and legal sharing of creative content. Swartz’s crime was to leak academic papers from the network at the Massachussett’s Institute of Technology (MIT), known as JSTOR, in the belief that information should be free. Neither MIT nor JSTOR wanted to file charges, but the federal government prosecuted him anyway, threatening him with 35 years unless he pleaded guilty and accepted six months. Swartz committed suicide before trial, at the age of 26.
Now all eyes are on Barrett Brown, the new face of American judicial severity. One of hacktivism’s more eccentric figures, Brown is a heroin user from a wealthy district in Dallas, who works more as a reporter than a hacker. Even today, from jail he writes the occasional article for Vice magazine. And like Hammond, Brown’s crime also relates to the Stratfor hack – he posted a link to the uploaded documents in a chatroom and encouraged others to wade through them. This is the most serious of the 17 counts with which he is charged, and yet, the proposed punishment if he’s found guilty, is extraordinary. Brown could face 105 years.
“Barrett’s crime is hard to discern,” says Hanni Fakhoury, an attorney at the Electronic Frontier Foundation, an advocacy group which campaigns for digital rights. “He didn’t hack or leak anything – he posted a link to documents that had already been hacked and leaked. And the US Supreme Court has established there’s a first amendment protection to disclosing information that you obtained legally, even if the person you obtained it from obtained it illegally.”
So why the outlandish sentences? “There’s a hacker scare,” says Fakhoury “It’s like reefer madness. And these hacktivists are political. In the old days hacking was a crime of profit. Now it’s one of ideas. Anonymous opened the floodgates by providing people with a model for disrupting and challenging political power. And I think there’s a real fear that the chaos of the internet, the vigilantism almost, could expose corporate and governmental wrong doing.”
The fear is well founded. Whistleblowers like Chelsea Manning and Edward Snowden have already exposed many of the sins of empire – war crimes, mass surveillance programs and the seamless collusion between government and corporate power. And Anonymous poses a similar threat, as Barrett Brown well knows.
When Anonymous hacked the private security firm HB Gary in 2011, it was Brown’s group Project PM that combed through the information. Among its discoveries was the CEO Aaron Barr’s offer to covertly discredit the pro-Wikileaks journalist Glenn Greenwald on behalf of Bank of America. Barr was forced to resign as a result, and for a while there were even calls for a congressional investigation (though that never transpired). And now the Stratfor hack is proving to be even more damaging – it has revealed that Dow Chemical monitors Bhopal activists, Coca Cola monitors PETA, and, most damning of all, there was yet another plan by a private security firm to covertly target an individual member of the press. The independent journalist Alexa O’Brien, was involved with a movement called Days of Rage, which advocated for campaign finance reform during the Occupy Wall Street protests. Emails show that Stratfor actively tried to connect Days of Rage with al-Qaeda – specifically, “any Saudi or fundamentalist Islamic movements” – presumably to subject the non-violent democratic movement to anti-terrorism statutes.
“The judiciary does nothing to respond to those crimes,” says Chris Hedges, a Pulitzer-prize winning journalist, and the author of “War is a Force That Gives Us Meaning”. “And yet it delivers draconian sentences to Hammond, Manning and Brown. And it’s because the corporate state is frightened. It’s lashing out like a wounded animal. This is what totalitarian systems do when they lose credibility and legitimacy. They overreact.”
There is however a more prosaic reason for the heavy sentences, one that might even have a solution: The legislation is simply out of date. In the US, the Computer Fraud and Abuse Act (CFAA), with its severe sentencing guidelines, was drafted in 1986, the era of the Commodore 64, when the first hacker scare was sweeping the nation, inspired in part by the movie War Games starring Matthew Broderick.
If this law were updated, it would be something – a piece of progress in an otherwise bleak picture. And on this front, at least, there may be hope, albeit from an unlikely source. Here he is now, on a chilly rooftop in Jersey City, bragging. It’s March 17, 2013.
“I’ve been in plenty of fucking prisons already. Like in Jalisco [Mexico], fucking Hyderabad, India, I’ve been in the federal transfer center in Oklahoma, multiple county jails for various drunk and disorderlies. I told a cop to ‘suck my dick’ and he gave me an obstruction of government operations charge!”
Known as Weev online, Andrew Auernheimer, 27, is the Internet’s most notorious troll. A short and stocky man with a black hoodie, red beard and glasses, he gives the impression of a Marxist agitator, or in his words, “a fucking prophet” – angry, loud and ferociously intelligent. In a day’s time, he’ll be sentenced to 41 months in federal prison, so a handful of supporters have come to share his last day of freedom with him. But for Weev, it’s all about the appeal – whichever way it goes, it will be a legal milestone in America. Because Weev’s case attacks the CFAA more robustly than ever before.
“In Oklahoma, this US Marshal was accusing me of faking a limp, so I said, ‘dude, why do you have to be such a prick about it? Is it because your wife gets a train run on her by niggers every time you leave town. And every prisoner in earshot starts uproariously laughing.” He’s laughing uproariously himself now, a cartoonish yucking laugh. “So he punches me, then I go down. Then he kicks me, and three other US Marshals join in. It was pretty funny!”
No one else is laughing. There are a few polite smiles, but this is a polite crowd, broadly liberal at a guess – there’s an Occupy Wall Street guy, a prankster who drives a fake Wikileaks news truck, a couple of other “Internet freedom” activists and a documentary film crew from LA. Not people who use the word “nigger” quite so freely, or who sit in New York restaurants, as Auernheimer did last night, just a couple of blocks from Wall Street, railing angrily against the Jews for looting the economy and controlling the media.
But this is Weev’s thing – he offends people and torments polite society. At a time when lulz looks to be on its last legs, Weev is a reprieve. He’s known for trolling Amazon (specifically getting all gay and lesbian book titles struck off as pornography), for assailing users of Livejournal (a free blogging platform), and now – the case that will land him in prison – for trolling the phone company AT&T. Like many trolls, he loves the word “nigger” for its power to offend. He’s especially proud of his presidency of a trolling group called the Gay Niggers Association of America (GNAA) – his mission, he says, was to “spread faggotry and niggertude across the planet”. And today, he’s exacerbating the unease by loudly defending the scientist James Watson who posited that black people have lower IQs.
“That’s just fact,” he says. “The IQ distribution of blacks is very fucking clear. I can show you the scatter plot of the data.”
It goes quiet for a moment. Then someone mentions that it really is a bit cold up here, so one by one we head back downstairs into the loft apartment where, soon enough, Weev’s “going to jail” party will get underway. The plan is to stay up all night and march to the courthouse in the morning. And the guests are just arriving.
As you read this, Weev is in prison in Pennsylvania, spending much of his time in “administrative segregation” (a version of solitary). But his days there may be numbered. He has a dream team for his appeal, all working pro-bono. And a victory would make him the Larry Flynt of the internet, strengthening our online freedoms, just as Flynt strengthened freedom of speech.
Like Flynt, Weev is coarse, polarizing, and frankly hard to champion. He’s also defiantly working class, “from a trailer park in Arkansas”, as he keeps saying – the kind of guy who fights in bars and takes ketamine and likes to show off about it. But stretching the limits of a free society isn’t for everyone – it may take a certain type of character to endure the long haul of court battles and brickbats without buckling. A certain surliness might be useful as might a sense of destiny or mission, a fanatic’s willingness to lose it all for the cause.
In any case, Weev seems ready and unafraid. For a dedicated troll and provocateur, this case is unquestionably the highlight of his career.
It all started in May 2010, when his small, independent computer security firm, Goatse Security – which grew out of the GNAA – discovered that AT&T had inadvertently left the email addresses of its iPad subscribers exposed on a website. His colleague, Daniel Spitler, 26, found that by inserting the correct URL – containing the serial number of the SIM card on the iPad – the site would reveal the user’s email address. So he wrote some basic code, called an “account slurper”, to harvest roughly 120,000 of these addresses, including those of some of iPad’s high powered early adopters like Michael Bloomberg and Diane Sawyer. A delighted Auernheimer then sent the addresses to Gawker, which duly reported that Goatse Security had discovered AT&T’s leak.
For Weev, this was pure lulz. He’d not only exposed AT&T’s lax security, but he’d got thousands of people to Google “Goatse”, a well known internet meme of a man opening his anus about as wide as bowling ball. As he told Huffington Post, “I made Goatse an inexorable part of AT&T’s corporate history by revealing a series of flaws in their infrastructure under the name Goatse Security – motto of course, gaping holes exposed.”
Six months later, however, the FBI arrived, guns drawn. Spitler was arrested in Newark, and Auerhnheimer at his home in Fayetteville, Arkansas. Both were charged, but while Spitler pleaded guilty, Auernheimer resolved to fight. At his trial in November 2012, prosecutors produced chat logs that indicated his motivation was to humiliate AT&T and even profit by shorting the company’s stock. No stock was shorted and Auernheimer insists the logs were fabricated, but prosecutors still won the day – they made so much of his toxic reputation as a troll, his presidency of the GNAA, and his unrepentant attitude, that sure enough, the jury found him guilty.
“What Weev did was normal computer behavior,” says Tor Ekeland, his Brooklyn-based defense attorney. “You’re talking about typing in a URL and accessing a publicly available server that’s not password protected – and that’s a fucking felony?”
No matter how offensive Auernheimer’s rhetoric may be, the fact is he didn’t hack anything, or profit from it. He didn’t publish the emails he found, or even keep them, he just sent them to Gawker as proof of the breach. It’s arguable that he provided a public service – in fact, the website TechCrunch, which celebrates the best in tech, awarded Goatse Security a “Crunchie” Award. But at trial, AT&T argued that Auernheimer still took information that didn’t belong to him, even though it was unprotected. They claimed it incurred costs of over $73,000, in informing its customers of the “breach”.
“The government’s argument was ‘Just because the bank vault door is open doesn’t mean you can go in and steal all the gold bars,’” says Ekeland. “But these physical analogies are bullshit. That’s not how computers work. If anything it’s more like me reading the address off the side of your house when I’m walking down a public street. But the courts don’t see it because there’s a generation gap – a lot of judges don’t understand computers, they weren’t raised with them.”
If the government wins, the implications are grim. “It destroys the incentives for security on both sides,” says Ekeland. “Companies will be free to put out allegedly confidential information for everyone to find without being responsible for it. And who in their right mind would go and report a security flaw after that? Just typing in the wrong URL could land you in prison.”
An Auernheimer victory, on the other hand, would clarify what “unauthorized access” means and constrain the CFAA. It would also complete the ridicule of a major corporation by one of the Internet’s cockiest mischief-makers. In the sixties Abbie Hoffman was the protest movement’s prankster in chief. He too mocked the powerful, whether throwing dollars on the floor of the stock exchange to watch the traders scramble for them, or securing an official permit to levitate the Pentagon using the psychic energy of a huge crowd of protestors (the permit allowed levitation by three feet, but no more). Weev isn’t nearly as artful or theatrical, but for those who are fighting for a free internet, he is similarly fearless. And this may be the greatest threat he poses.
“Weev showed that you could mess with them, these giant corporations,” says Peter Ludlow, a philosopher from Northwestern University, who writes regularly about cyberspace. “As the American empire becomes more concerned that it’s starting to unravel, it’s clamping down on anyone that pierces the veil of invulnerability. It’s about image. But the thing about Weev is, he doesn’t look afraid. Sometimes people need to see that.”
Certainly, for the entire weekend before his sentencing, Auernheimer seems full of confidence. Sitting on a sofa, waiting for the party to start, he grins and says, “Dude, just imagine if the CFAA gets flipped at the Supreme Court and I get to walk out and raise my fist and say, ‘let’s hack everything!’ Because there’ll be no fucking law!”
It’s that laugh again. Yuck yuck yuck.
Two days earlier, I’m at a restaurant in the financial district with Auernheimer and his friend Jaime Cochrane (Twitter handle @asshurtmacfags). Cochrane is a softly spoken transgender troll from the group Rustle League, so-called because “that’s what trolling is, it’s rustling people’s jimmies.” They’re explaining to me their version of what trolls do.
“It’s not bullying,” says Cochrane. “It’s satirical performance art.” Those cyberbullies who drive teenagers to suicide, they’ve crossed the line. Trolling is the more high-minded business of “aggressive rhetoric”, a tradition that goes back to Socrates, Jesus and the trickster god Loki, from Norse myth. Auernheimer likens himself to Puck. Cochrane aspires to the likes of Lenny Bruce and Andy Kaufman. They talk of culture jamming, the art of disrupting the status quo to make people think. They talk of Abbie Hoffman.
“I try to provoke people into revealing their true nature,” says Cochrane. “Like I went on an Australian TV show about cyberbullying, and just by appearing as a troll, I got people to react with so much vitriol that in the comments section on the website, they became exactly what they said they hated.”
Auernheimer’s style is more abrasive and technical. He likes to hack things. So the highlights of his trolling career are principally of interest to nerds, that limited demographic who can appreciate the beauty of a parse tree differential attack. For instance, in the case of Amazon in 2009, he wrote a script that isolated gay and lesbian titles and then persuaded thousands of strangers to click on a link that would automatically register a complaint, so that the titles were ultimately removed. The following year, as the President of the GNAA, he wrote a script that tricked members of an IRC network called Freenode into banning themselves from their own network – which is hilarious, says Cochrane, because “Freenode is full of butthurt faggots”.
It all sounds a bit marginal, a bit in-the-bubble. It seems the AT&T scandal was his first breakthrough hit, as it were. In fact, even the GNAA became more relevant after Weev left in 2011. During Hurricane Sandy, it faked the Twitter story of #SandyLootCrew, a series of twitpics of black people gleefully stealing televisions and even cats – the Daily Mail fell for that one. The Mail also fell for the GNAA’s #cutforbieber hoax, encouraging fans to show their love for Justin by cutting themselves. None of Weev’s pranks made for Mail headlines.
But Auernheimer doesn’t see himself as marginal, far from it – he believes he’s rescuing western civilization. “Read up on Eris, the Goddess of Discord,” he instructs. “She brings ironic punishment to people who think they’re better than they are. It’s always a tale of hubris. Read The Principia Discordia. What I do is bring discomfort to people’s comfort zones. And that’s what we need. Because western culture is sick, Sanjiv, it’s diseased.”
His rationale for trolling is that we’re too coddled and we need to toughen up. So trolls can help us develop callouses, the way hack attacks can strengthen security systems. But where are the lines drawn? Just as graffiti spans the spectrum from Banksy to tagging a penis drawn on a toilet stall wall, trolling too goes from Swiftian satire to plain abuse. And it’s not clear whether anyone, much less Auernheimer, knows what separates the two.
I tell him that his lofty rhetoric doesn’t jive with the common perception of trolls – people who say “you’re ugly” on a comment thread, just to sit back and laugh at the reaction. The example comes from a speech Auernheimer gave in 2006 with a hacker called Mischa Spiegelmock who explained how to send exactly this message to large numbers of random AOL instant messenger users. “People have these long conversations, they go on for hours,” he said. “It’s really really funny to read.”
Auernheimer sees nothing wrong with that kind of thing.
Esq: It seems so cowardly online. In person that behavior would be unacceptable.
AA: No it wouldn’t.
Esq: So if a stranger approach you at this table and said, ‘you’re disgusting’…
AA: That’s his fucking right as an American! It’s perfectly acceptable to walk up to someone and call them a faggot or a nigger or a kyke. People should learn to be confronted with words they don’t like. Because we have a first fucking amendment in this country. We protect words that hurt. And if you don’t like it, then get the fuck out of my country.
Esq: What about civil society?
AA: This is where civil society has got us – the upcoming collapse of the dollar and the transformation of America into a third world country. Civil society is the end of civilization. We have to do away with it.
And off he goes on a rant, making the apocalyptic plea of the far right: We’re all doomed unless we revert to the values that made America great, a classical education and the Darwinian realities of the market. Abolish the nanny state. Teach the western canon in schools. “We’re literally trying to bring back the enlightenment,” he says, forgetting what he said about hubris earlier.
“I call him the troll’s troll,” says Gabriella Coleman, the internet anthropologist. “He’s so extreme that even other trolls are disgusted by him, or they’re not sure if he’s being serious. In a world of extremity, Weev wants to be the most extreme of all. That’s why he’s so interesting.”
For instance, in 2007 he came to believe that Kathy Sierra, a programmer and author, was using a piece of legislation called DMCA (the Digital Millennium Copyright Act) to take down the blogs of anyone who negatively criticized her books. To Auernheimer, this was a suppression of speech, pure and simple. And as he reminds me, “If you suppress free speech, the internet has defense mechanisms to make sure you get punished. It’s entirely reasonable. In fact it’s healthy.”
So he wrote an essay about her, calling her a prostitute, and memorably, a “cockholster chugged full of cum”, and then revealed her address and social security number. She’d already been getting threats (though none from Auernheimer). And now that her attackers knew where she lived, she signed off the web for six years, left the tech industry and even fled her home in fear. Auernheimer concluded his message with: “It has been an honor welcoming you to the Internet, Kathy.”
This is the Internet culture which spawned Auernheimer – not the playful b/ boards at 4chan so much as the darker, lulzy swamp of Encyclopedia Dramatica, where free speech fundamentalism reigns, and where offence is a fence to keep the sensitive out. That’s partly what the racism is about, and the grossout memes like Goatse, funnel girl, tub girl, and other images you can’t unsee – images that Auernheimer was yucking merrily over on Saturday night, at dinner no less.
There’s a punk rock value to all this, says Coleman. “Tricksters push the envelope of what’s morally acceptable and so revitalize culture,” she says. But it’s an ugly world to inhabit, all that Goatse and racism. And it begs the question – at what point does the relentless use of racist language cease being satire and become actual racism?
“I’m not a bigot,” he tells me, in a quieter moment. He says he uses the N-word to rattle those “who want the appearance of propriety but don’t care about actual discrimination.” And he’s not an anti-semite because “I have Jewish friends, I’ve loved Jewish women.” He just assails Jews because they’re the ones in charge. “They run everything! And they want to be a Protected Class that nobody can say anything about.”
Which was why he showed up at Occupy Wall Street with a sign that read “Zionist Pigs Rob Us All”. It created an almighty ruckus. “The Occupy people were totally split – half were like, yeah free Palestine, and the other half were like, no, he hates Jews, he’s terrible! The trolling was beautiful!”
Yuck yuck yuck.
When I first called Auernheimer, he said he was “coming out of a K-hole” [a ketamine trip] and planned to go and see the opera on acid soon. He then talked about his recent conversion to Mormonism. It’s hard to see how these things go together. But then, fact and fiction aren’t easily distinguished with Auernheimer.
He tells me that he’s working with a hacker group that owns a plane “for radio frequency work”; that he got high off cobra bites in Delhi; that a hot female FBI agent tried to seduce him into talking about Mao Tse Tung. But it’s all so unverifiable, he could well be trolling me. What I can piece together is this – he grew up in Fayetteville, Arkansas, the son of two church going parents, now realtors in Virginia, whom he hasn’t spoken to since 2006. Prodigiously bright, he enrolled at university at 14, but dropped out a couple of years later. And at 19, he moved to California where, according to the New York Times he was part of a hacking group that made $10 million a year, and traveled by Rolls Royce.
“That Times piece was bullshit,” he says, as we trudge back to the house he’s been sharing in Jersey City. Certainly, he’s not rolling in money anymore. The kitchen is fetid, the rooms are dark and grim and it’s sleeting outside – a tableau of misery. Standing in his bedroom doorway, throwing some clothes in his bag, he says quietly that he wants to take a bath. “It’s my last chance before prison.”
But the party’s not happening here. For someone whom Gawker called “a reviled master troll”, Weev is not without friends. Clark Stoeckely, a jovial art professor and prankster – the one with the fake Wikileaks news truck – has offered up his huge loft downtown, overlooking the Hudson. It’s big enough for a pool table, a ping pong table, an indoor garden and well over a hundred guests. As it is, about 40 show up, at its peak, a motley sampling of the Internet protest movement – hackers, artists, and other misfits. The booze is flowing and we’re all singing along to Queen’s “Don’t Stop Me Now”. Then come midnight, we’re gathered around the piano where a transgender Google engineer called Serene plays some plaintive Chopin. That’s two transgender people at the party, including Cochrane. One of the paradoxes of the hacker scene is that it’s a tremendously tolerant community that happens to throw ‘faggot’ and ‘nigger’ around a lot.
Weev is having a lovely time. He told me the day before that he wanted to hurry up and do his sentence. “I’ll have plenty time to write in prison,” he said. “My best trolling is yet to come.” He has sought notoriety throughout his career, and here it is – martyrdom, a landmark court case and intense media attention.
Come the morning, he’s in higher spirits than anyone else outside the courthouse. He gives a manic sermon for the cameras, rambling about the decline of America and how “we could have laptop batteries that last 100 fucking years but the NRC [National Research Council] says no”. And his swagger continues in the courtroom where his supporters fill the gallery and gather in the corridor outside. When he attempts to send a tweet the Marshals roughly haul him away, making his pretty Persian girlfriend Sara burst into tears. Meanwhile, Cochrane is feeling the pressure out in the corridor. Every time the door opens, she calls out “dongs” until she too is escorted out.
Weev’s final statement to the judge is typically unrepentant. He informs her that “the court should be making amends to me for the harm and the violence inflicted on my life.” This is the same judge he’d described to Gawker as a “a mean bitch”. So it comes as no surprise when he’s given the maximum possible term. For Weev, this was always about performing to his fans, and then preparing for his appeal.
“Hail Eris!” he yells as they lead him away. Wasn’t Eris the Goddess who punished hubris?
On the face of it, it looks as though the internet underground is losing the war. The scores of arrests, the heavy sentences, the forced exile of the most pivotal figures like Snowden, Assange and the journalist Glen Greenwald – these cold facts have rattled some of the movement’s supporters.
“We can complain all we want, about Jeremy Hammond and Barrett Brown,” says Hanni Fakhoury. “But they’re all in jail and Aaron Schwartz is dead. The government is winning.”
But the spirit of Internet culture is far from broken. Weev remains as unbowed as ever. Somehow managing to send tweets from prison, he seems as at home there as he said he would be. In September he tweeted that “I gave a “’ Jews did WTC’ sermon to my fellow convicts on 9/11.’” Later that month, he managed to post a letter on Pastebin, a text-storage site frequented by hackers, again assailing Kathy Sierra. It opens with, “Firstly, Trayvon [Martin] got what he deserved.” Martin was the unarmed black teen who was shot in Florida earlier in 2013, and whose killer walked free, sparking a wave of protests across America. So this is classic Weev – still mean and racist; still making his supporters uncomfortable.
Jeremy Hammond is also facing his time without apology. In his final statement to the judge, he made the case for civil disobedience and encouraged his supporters to “stay strong and keep struggling.”
And Anonymous appears to be rising once more from the wreckage of Sabu. Even as arrests continue for previous crimes – 13 more indictments came in October, related to the attacks on Visa and Mastercard in 2010 – new hacks keep coming to light. An FBI memo in November revealed that Anons had hacked into the US Army, NASA and the Missile Command Agency – only one of the hackers, an English man named Lauri Love, has been arrested.
Gabriella Coleman, who spent years infiltrating the group, maintains that Anonymous was only ever just sleeping. “Even in Lulzsec, not every member was caught,” she says. “And the way Anonymous is set up, for sure it will rise again. It’s event based, it requires skills that thousands of people have, and they can always turn to an idea that’s very powerful. Topiary’s last tweet before his arrest was ‘you cannot arrest an idea.’ And I think he was right.”
There’s also the matter of what the authorities have lost in these battles. According to Chris Hedges, the panic shown by what he calls “the corporate state” – the sheer scale of its overkill – has been telling. “It hasn’t lost control, but it has lost a tremendous amount of democratic credibility. America is already well on its way to becoming a police state. The espionage act is being used to persecute whistleblowers, so no one in the national security apparatus will talk to journalists anymore. And when your traditional means of investigating centers of power are shut down, that’s when hacktivism comes in. It’s symptomatic of a failed system. And the state is terrified. The systems of power keep all their information electronically, and hackers have the skills to break down the walls. That’s why the state is working overtime to prosecute anybody who has the combination of those skills and a conscience.”
In the long run, the aggressive prosecutions may paradoxically have an upside for hacktivist culture itself – a variation on “that which doesn’t kill you.” The arc of Anonymous is one of maturity, ultimately. “At the beginning Anonymous was about just lashing out at everything,” says Peter Ludlow. “Now, they’ve grown up, politically. They’re starting to understand the real priorities. It’s not about lulz and pranks anymore. And the infighting has stopped. All those who criticized Barrett Brown for representing Anonymous to the media say, they’re standing behind him now. This is something that Assange pointed out when he was talking to the CEO of Google. There’s a process called simulated annealing whereby you strengthen a metal by putting stress on it. To make a sword, you bang the metal, bend it, and bang it some more, and the molecules all line up. The same thing’s happening with hacktivists – they’re more unified, focused and ultimately stronger.”
Assange is famously a pessimist about the internet. He believes that in the end, it will provide an exceptionally effective form of control and monitoring, “the greatest spying machine the world has ever seen”. But the war’s not over yet.
“I’ve been in touch with individuals who were involved in a lot of the big hacks but were never caught,” says Coleman. “And they’re still active. They talk about doing what Edward Snowden did – inserting themselves in situations so that they can access information.”
At the time of going to press, Anonymous released a new video declaring war on the US government for the collected crimes of the NSA, the death of Aaron Schwartz, the imprisonment of Jeremy Hammond.
The old promise may yet hold: Expect them.