Anonymous and LulzSec: Robin Hoods of the Web?
Hackers are usually shadowy, secretive figures. So why are Anonymous and LulzSec dancing in the lime light, painting themselves as charismatic outlaws?
The assault was sustained and brutal.
Over two weeks in late June and early July, the hacker groups known as LulzSec and Anonymous took turns tinkering with the websites of the Arizona Department of Public Safety (DPS) and the Fraternal Order of Police, releasing troves of personal information on local officers and taking both sites off-line temporarily.
In a series of communiqués issued by Anonymous, members of the organization explicitly linked the hack to Arizona's controversial anti-illegal immigration law SB 1070 and promised they would continue to target the DPS until the "racist Arizona police state" mended its ways. (The bill would criminalize being in the United States without immigration papers.)
The attack exemplifies a new breed of hacker, one skilled in both computer intrusion and public relations. While phone hacking has captured the media's attention in recent weeks, Anonymous and groups like it have shoved their way into headlines with increasing flair and frequency. For them, toppling networks equates to civil disobedience, something we know because LulzSec and Anonymous shout it from forums and message boards, wrapping themselves in the rhetoric of one of America's favorite folk heroes: the charismatic outlaw.
"Let [this] crushing blow against Arizona police send a strong message to the ruling class around the world," read one message. "You will no longer be able to operate your campaign of terror against immigrants and working people in secrecy. We will find you, expose you, and knock you off the Internet. Many lulz" – laughs – "have been had while we purposefully strung you along slowly and painfully for the past two weeks. We know exactly what we're doing, so think twice before considering crossing us."
The language used by Anonymous was strident, hyperbolic, witty, and purposeful – a rallying cry designed to appeal equally to computer geeks, members of the media, liberals disenchanted with Arizona immigration policy, and libertarians disenchanted with government's reach. By early July, hundreds of outlets around the globe had picked up on the Arizona story, and the question of how much had actually been accomplished in the attack was overshadowed by the billowing mythos of the attack itself.
'We are fighting evil governments'
Exuberant plaudits piled up on the Anonymous Facebook page, and bloggers from Boston to Bangkok breathlessly exchanged stories of the exploits of "Operation Anti-Security." This Anti-Sec campaign eventually included cyber-raids on defense contractor Booz Allen Hamilton; the Democratic Party of Orange County, Fla.; computer giant Apple Inc.; and a string of Turkish government sites.
"We are busy fighting evil governments, agencies, and corporations," Anonymous bragged on its public Twitter feed. In a second message, the group instructed its opponents to "give up. You don't want to battle the #AntiSec fleet of the Internet."
The roguishly charming hacker, of course, is not a particularly new conceit. For decades, so-called hacktivists have busted into all manner of websites, frequently spinning their exploits as the last-ditch efforts of freedom fighters in a corporate world gone bad. In turn, these hackers have been immortalized in popular media – consider the cyberpunk novels of William Gibson or the massively successful "Matrix" movies.
And why not? The late 20th and early 21st centuries have seen an unprecedented digitizing of daily life, from "intelligent" kitchen appliances to the omnipresent smart phone. Technology surrounds us, and yet so much of it remains nebulous, corporatized, and distant. It's no surprise that many of the denizens of the Web have sympathized with or cheered on hacker activists – they are digital Davids standing against modern-day Goliaths.
What is surprising is the alacrity with which today's hackers have warmed to, and sought to solidify, their image as latter-day Robin Hoods. Hacking, after all, is a shadowy science, usually practiced by computer experts in backrooms or basement hideaways. It is also a solitary pursuit – Anonymous is technically a coalition, but its members communicate mostly through the Web. Historically, hackers have never particularly wanted to get caught: By keeping their identities secret and their actions quiet, they stay out of the cross hairs of law enforcement or the crack teams of security pros employed by major corporations.
"This is the first time we've had hackers who want you to know who they are," says Chester Wisniewski, a senior adviser at Sophos, a computer security company. "These guys are awesome at PR. It's very impressive. They are inspirational to a lot of people. They get tons of feedback. They make people believe that they are standing up for the little man."
Indeed, the antics of the "Anti-Sec fleet" have almost always played out in direct view of the public. Speaking to Britain's Guardian newspaper in July, LulzSec spokesman "Topiary" described his interactions with the media as a visceral "thrill," and confessed that the public response gave LulzSec "more reasons to leak more." To look at it another way, the louder the response, the more aggressive the hacks. LulzSec was learning to perform for the crowd.
Wide spectrum of political views
Other hackers, however, are certainly in it for more than the "lulz." Gabriella Coleman, a professor of media and culture at New York University and the author of a forthcoming book on Anonymous, says the group's members represent a wide spectrum of political consciousness.
"Some are very involved in human rights activism – very ideologically driven," she says. "Some aren't."
Dr. Coleman points to that group's 2008 and 2009 assault on the Church of Scientology over the perception that the church uses legal action to stifle free discussion about Scientology's practices. Anonymous provoked a strong response from church leaders and a media firestorm. To a lesser extent, the hack of the Arizona DPS can also be judged a success, in that it embarrassed a major government organization and drew attention – however fleeting – to a political cause.
Still, Anti-Sec is a large and mutable campaign, and it's often hard to tell which attacks have been perpetrated for political reasons, and which have been perpetrated because the targets were simply vulnerable.
The "antigovernment and anticorruption stance is great cover to just cause random mayhem," says "Space Rogue," a security consultant and editor of the Hacker News Network who publishes under his Internet pseudonym. "I mean, you can attack almost anything, claim it was anticorruption or anti-big business or whatever and get away with it in the public's mind. This, of course, just perpetuates your 'brand' and garners more support."
Moreover, Space Rogue continues, the bluster of the Anti-Sec hackers helps disguise the fact that the exploits in question aren't necessarily the most proficient.
"What kind of upsets me is that there is little to no actual hacking going on here, at least not in the traditional sense of the word," he says. "I mean, if I spend 10 minutes Googling 'rootkit,' download a program, read the directions, and start infecting machines, have I really 'hacked' anything? Seriously, it is that easy. A caveman could do it.... But because people don't understand it, they fear it, and fear sells."
Riding off into digital sunset
Fear sells particularly well in the media, which worries analysts such as Mr. Wisniewski, of Sophos. Fans of Anonymous and LulzSec sometimes overlook the fact that they have become "collateral damage" in someone else's war, he says. Earlier this year, for instance, Anonymous aided an attack against Sony – a frequent Anti-Sec target – that exposed more than 100 million user accounts.
"Here you have a bunch of guys deciding your [ZIP] Code, your birthday, your Social Security number is just a disposable thing in a battle they perceive as having against corporate America," Wisniewski says. "You can be cast aside."
Meanwhile, in soaking up mainstream media attention, LulzSec and Anonymous have provided a distraction from more serious security concerns.
"We've got the Pentagon talking about cyberwar," Wisniewski says. "We've got mass fraud on Facebook. We've got credit card [numbers] being stolen. We've got literally billions of dollars bilked out of people by Russian cybercriminals, but we're not talking about that. It's disappointing."
In July, in an interesting postscript to the Arizona attacks, LulzSec revealed that it had decided to disband.
"I know people won't believe this, but we genuinely ended [LulzSec] because it was classy," Topiary told the Guardian. The group, he said, wanted to wrap things up on "a high note, a classy ending, a big bang, then a sail into the distance."
A less generous explanation might go something like this: A small and boisterous gang of hackers soaks up the spotlight for a couple of weeks and disappears before the public gets tired of their antics – and before police expose them, as occurred in a series of raids against alleged Anonymous members on July 19.
[Editor's note: The original version of this story used the wrong name when describing the hackers and their underdog fight. The correct allusion is David and Goliath.]