Read Black Code: Inside the Battle for Cyberspace Online
Authors: Ronald J. Deibert
The movement remained obscure until the WikiLeaks saga and then the Arab Spring, when it unleashed a spree of overtly political AnonOps targeting what the amorphous mob claimed were foes of Internet freedom. It began with defacing and breaching attacks against websites and servers of a bewildering and sometimes confusing array: the Tunisian, Egyptian, Zimbabwean, Malaysian, Libyan, and other governments; private companies like Sony, accused of censorship in the guise of protecting its intellectual property; financial services companies like Mastercard, PayPal, and Visa (for boycotting donations made to WikiLeaks); and the CIA, NSA, FBI, U.S. Department of Justice, and police forces around the world. Twitter accounts with the prefix “Anon” proliferated, and at one point in the fall of 2011, it appeared that Anonymous and the Occupy movement would consolidate into a powerful social force threatening the elites of the industrialized world – a more mature, digitally empowered next-generation version of the 1990s anti-globalization movement.
But then a series of dragnet-style arrests took place. Beginning in July 2011, and coordinated across the U.S., U.K., and the Netherlands, twenty people were detained. This was followed in February 2012 with Operation Unmask, coordinated by law enforcement agencies in Chile, Argentina, Colombia, and Spain, and resulting in the arrest of twenty-five people, followed by another wave of arrests in March 2012. Confirming at least some of my suspicions, the FBI had quietly arrested and then turned over a prominent member of LulzSec in 2011, who helped secure the arrests for the police. Nicknamed “Sabu,” Hector Xavier Monsegur was charged with twelve counts of criminal conspiracy, and faced a maximum sentence of 124 years in prison. He secretly pleaded guilty and agreed to operate as an informer for the FBI to build cases for future arrests. The arrests (and later revelations about the turning of Sabu) dropped a poison pill into the networked well of Anonymous, and as 2012 rolled onward the number of AnonOps began to decline.
In analyzing Anonymous it is tempting to focus on salacious details: Who are the members? The ringleaders? What drives them to do what they do? The general impression might be white, nerdy, middle-class teens, a neat template for the Hollywood image of the “hacker.” Some do, in fact, fit this image: for example, Ryan Cleary, a nineteen-year-old member of LulzSec living at home with his parents, was arrested in June 2011 during the Scotland Yard and FBI probe. His counsel told the court that Cleary suffered from both Asperger’s syndrome and agoraphobia. He was subsequently given bail, under the condition that he stay off the Internet. But twenty-eight-year-old Sabu, who is of Puerto Rican descent and an unemployed foster parent of two children, clearly does not. Nor did the twenty-five individuals, mainly Latin Americans, arrested as part of Operation Unmask. The truth is, anyone can become part of Anonymous – that’s the point, and there will be future Operation Unmasks and future iterations of Anonymous: Expect it.
• • •
Anonymous’s methods fall into two general categories: breaches of computer systems and DDOS attacks. Breaches of computer systems are undertaken either by using malicious code that exploits a vulnerability in a server, or by fooling someone into giving you access to data, a technique known as “social engineering.”
Anonymous’s breaches are typically followed by the exfiltration of data from targeted victims, and the publication of private, embarrassing, and/or incriminating information, like the massive Stratfor breach, which led to Anonymous turning over tens of thousands of proprietary company emails and email credentials of Stratfor subscribers to WikiLeaks. (At the time, WikiLeaks noted: “The material shows how a private intelligence agency works, and how they target individuals for their corporate and government clients.”) Typically these are posted to sites like Pastebin, a resource primarily used to share bits of computer code but repurposed for Anonymous-style disclosures of data and announcements of successful attacks.
Most Anonymous DDOS attacks employ a crowd-sourced piling-on against targeted websites, using their preferred Low Orbit Ion Cannon (LOIC), a DDOS attack application that sympathetic users are encouraged to download and employ against a chosen victim. When used in numbers (i.e., in a “distributed” way), the LOIC makes repeated requests to servers from so many users that the servers are overwhelmed, taking them offline for a period of time. In cases where financial firms and retailers are involved, the DDOS attacks can result in significant losses of revenue. In 2012, Neustar, an Internet analytics company, surveyed IT professionals from twenty-six different industries to understand what was at stake during a DDOS attack. Over half of the companies surveyed reported that a DDOS outage would cause substantial financial damage, with 82 percent of financial firms estimating losses at more than $10,000 per hour, and 67 percent of retailers at $100,000 per hour. Beyond financial losses, companies also reported fears of damage to brand reputation and customer service experiences.
The DDOS attacks employed by Anonymous, though higher in profile than many others in recent years, are certainly not new. DDOS attacks have been going on for decades on the Internet, mostly launched by cyber criminals for extortion or other nefarious purposes. I first heard about politically motivated DDOS attacks in 1998, with reference to those organized by the New York-based hacker and artist collective, the Electronic Disturbance Theater (EDT). Led by the charismatic Ricardo Dominguez (now a professor of media studies), the EDT organized DDOS attacks against Mexican government servers in support of the Zapatista movement for autonomy in the Mexican province of Chiapas. Dominguez and his group openly advocated widespread participation in the DDOS attacks not only against Mexico but also against the U.S. Defense Department and other targets seen as sympathetic to Mexico. The attacks combined art and digital activism, loading up their DDOS tool with requests for non-existent content and sending these requests to Mexican government servers. When network administrators looked over their logs after the DDOS attacks, they saw results like “Ana Hernandez: Not Found,” she being one of many Chiapan dead. The computers used by Dominguez and his group became the object of a counterattack by American law enforcement, one of the first active defence initiatives that are now so prevalent.
(At the time of the Zapatista cyber resistance, I was still formulating ideas for the collaborative research effort that would later become the Citizen Lab. Also living in Toronto at the time was Oxblood Ruffin, the self-appointed “foreign affairs minister” of one of the world’s oldest, most respected, and principled hacker collectives, The Cult of the Dead Cow, or cDc. Oxblood and others were forming a politically charged subgroup of cDc called Hacktivismo, and we had discussions about the limits of acceptable political action online and the philosophy that would underpin Hacktivismo and the Citizen Lab. We agreed that DDOS attacks were unjustifiable except in extreme circumstances and that they were contrary to human rights because they infringe upon free speech. We still share that view.)
Some have tried to downplay DDOS attacks, even legitimize them. The Internet pundit Evgeny Morozov, for instance, has likened them to picket lines and sit-ins, the electronic equivalent of civil disobedience. But even Morozov recognizes the analogy only goes so far. Picket lines, sit-ins, and civil disobedience, as traditionally understood, all entail accepting the possibility (even the probability) of considerable personal consequences in the name of some higher moral good. DDOS attacks, on the other hand, can be carried out anonymously, usually without participants accepting legal consequences, and they involve little effort or cost. They are more akin to armchair activism, which raises the question: “Can an act of disruption undertaken without getting out of your seat and that has no likely legal repercussions be considered a legitimate form of civil disobedience?” (Such activism, however, can have serious unintended consequences, generally not for the armchair activists but for others. For instance, after Anonymous’s Operation Tunisia – largely mounted by hacktivists in North America and Europe – it was Tunisian bloggers and activists who were the ones arrested and had their computers confiscated.)
More importantly, with the tools to cause havoc so cheap and readily available, and the consequences so potentially low, is it wise to actually encourage DDOS attacks as a form of political protest? Yale University’s Yochai Benkler thinks so: “Except in extreme cases akin to the real-world burning of cars and smashing of windows (e.g., had PayPal’s payment systems been disrupted and customers lost money, rather than the company’s homepage being unavailable), they should simply be absorbed as part of the normal flow of the Internet. When addressed, these actions should be treated as a disruption to the quality of life, similar to graffiti.” And yet, it is not unrealistic to imagine a kind of mass vigilantism in which any person with an axe to grind and a cheap laptop could seriously pollute, even bring to a halt, the free exchange of ideas through the global Internet. Don’t like what someone says online? Blast them offline with a Low Orbit Ion Cannon. I cannot imagine any serious advocate of liberal democracy welcoming that prospect and, for that reason, I don’t see this form of political action as justifiable. At the same time, it is not something that should be treated as a national security threat.
Putting aside the “who” and the “how” of Anonymous, the deeper question is why? Why has Anonymous erupted now, and what does this phenomenon represent?
One of the few to study this question in depth is McGill University anthropologist Gabriella Coleman (who admits that after years of analyzing Anonymous she still has trouble answering the question, “Who is Anonymous?”). Anonymous is not an organization, Coleman believes, it’s a name adopted by a range of groups to describe a wide array of actions linked in spirit and that share a certain disdain for authority. The few figureheads that have been arrested are not, for Coleman, emblematic of what Anonymous as a social movement represents: “They have tapped into a deep disenchantment with the status quo as concerns censorship, privacy, and surveillance … and they dramatize the importance of anonymity and privacy in an era when both are rapidly eroding.” For Coleman the central, most interesting, point is the deep well from which Anonymous has emerged: “Irreverent dissent on the Internet is not going to go away with Anonymous,” she asserts.
Is Anonymous a spontaneous reaction to growing controls over cyberspace, a crude affirmation of the human desire for freedom, and a reflexive, almost unconscious, self-protective mechanism against stifling constraints? Is it a kind of autoimmune response by cyberspace itself? A rage against the machine? If so, will it end up being counterproductive: the rage provoking, even infuriating the machine?
• • •
What is a hacker?
For many the term conjures up images of a young, hoodie-wearing criminal bent over a keyboard, connecting remotely to an unwitting person’s computer, siphoning off money from a bank account in some far-off jurisdiction or engaged in untoward cyberspace activities meant to upset the order of things or simply to embarrass some powerful person or entity, somewhere. Like Anonymous itself, rarely, if ever, is computer hacking considered benign, let alone useful. In the FBI’s intelligence assessment of Anonymous a hacker is defined as someone who “conducts cyber intrusions to obtain trade secrets, financial information, or sensitive information,” while a hacktivist is “someone who conducts a cybercrime to communicate a politically or socially motivated message.” Either way, according to the FBI, to hack is to break the law.
It was not always thus: indeed computer hacking once had positive connotations. Its origins date back to the late 1950s at the Massachusetts Institute of Technology (MIT), first surfacing among the engineers of MIT’s Tech Model Railroad Club, who playfully referred to themselves as hackers. When the first mainframe computers were introduced at MIT soon thereafter, the hackers turned to fiddling with the machines in the same way as they did with trains. The term gradually embedded itself into the MIT computer science and engineering community by way of describing a curiosity about technology. A hacker was someone who did not accept technology at face value, and who experimented with technical systems, exploring their limits and possibilities: that is, a hacker opened up technical systems and explored their inner workings.
This original positive idea of hacking is what I had in mind in setting out to create a research hothouse that would bring together computer and social scientists. Hacktivism by my definition is the combination of social and political activism with that original hacker ethic, and this captures the gist of what I was hoping for in founding the Citizen Lab. Oriented around a specific set of values that would inform our research, as I saw it (and still do) hacktivism has a lot in common with a philosophical tradition stretching back to the ecological holism of Harold Innis, the pragmatism and experimentalism of William James and John Dewey, and the yearning for a return to a polytechnic culture of the early Renaissance articulated by Lewis Mumford. These thinkers all shared a particular view of technology as something that should be seen not as a thing or product, but as a technic, a craft, that was inherently political and essential to a healthy, democratic, and public life. Just as Mumford saw Leonardo da Vinci as the paradigmatic proto-citizen of a polytechnic society, I saw him as a prototypical hacktivist: interdisciplinary and experimentalist.
To my ongoing frustration, the term hacker has been corrupted and redefined, in part because of the actions of some hackers themselves. Irreverence towards authority has always been an element of the hacker spirit and ethic, and those who defined themselves as hackers would regularly find ways to step over acceptable limits, mostly for humorous ends.
MIT Museum Hack archivist Brian Leibowitz notes that in the 1960s students on campus began to use the word as a noun to describe a great prank, and by the late 1960s the meaning included activities that “tested limits of skill, imagination, and wits.” By the mid-1980s, the term was primarily being used at MIT to describe “pranks” and “unapproved exploring” of parts of the Institute or inaccessible places on campus.