Last week, hacker collective LulzSec returned with a bang, attacking a series of websites owned by Rupert Murdoch's News International in apparent response to the ongoing phone hacking scandal.
For 50 days between May and June, the tight-knit, six-strong group made headlines across the world, rising to almost instant notoriety after perpetrating a series of audacious cyber attacks on high-profile government and corporate websites, before abruptly announcing that they would disband. Among just a few of LulzSec's targets: Sony, the US Senate, the CIA, the FBI and even the UK's Serious Organised Crime Agency.
The authorities continue to try to track them down, and on Tuesday 20 suspected hackers were arrested in the UK, US and Netherlands as part of an ongoing international investigation. In a joint statement with an affiliated network of hackers known as Anonymous, LulzSec responded to the authorities directly. "We are not scared any more," they wrote. "Your threats to arrest us are meaningless as you cannot arrest an idea."
Earlier this month, two weeks after they had announced their apparent split, I managed to track down "Topiary", a founding member of LulzSec and self described "captain of the Lulz Boat". The interview was long - almost three hours - and covered lots of ground. But a great deal of what Topiary told me never made it in to the final write up, published by the Guardian, due principally to restrictions of space.
It was troublesome, deciding what to include and what to omit; the entirety of the interview was valuable. So rather than let the sections that were not printed disappear into the ether, the most sensible thing to do, I felt, was to have the full transcript published here in its entirety.
In the sections that were until now unpublished, Topiary explains how he first became involved in hacktivism and pays credit to his fellow hackers. He details the basis for extortion claims levelled against LulzSec by one US security company; reveals that he recently engaged in a bout of philanthropy, donating thousands of dollars to organisations including WikiLeaks; and also takes time to talk politics - blasting the US government, who he says are "scared of an uprising"...
Ryan Gallagher: I'd like to ask you, firstly, how have you been filling your days since LulzSec disbanded?
Topiary: Just before we cut off the public face of "LulzSec", I wrote out the original [anti-computer security movement] AntiSec statement and got the ball rolling. I jumped off the entire hacking scene for a break, and when I returned was delighted to see AntiSec propelling itself. Since LulzSec, I've been involved briefly in donating around $2000 in [digital currency] BitCoins to AnonOps/WikiLeaks/others.
In the future I'll be involved in a project to spread the word of AntiSec through media, videos, images, etc.
RG: Yes, I noticed on your Twitter feed that you'd been donating to various organisations. You also donated to [pro-US government hacktivist and one-time LulzSec adversary] the Jester?
Topiary: Yes. I gave around $100 worth (around 6.5 BitCoins at the time) to Jester from my personal fund. I assume those funds will go towards the Wounded Warriors project he supports.
RG: Was it a peace offering of sorts? I note that he was a major foe during the LulzSec days...
Topiary: Nothing of the sort - before LulzSec, Jester and I had a meeting or two and we worked together [by perpetrating cyber attacks] against [the notoriously anti-gay] Westboro Baptist Church. In fact, there was a brief window where Jester and Anonymous were allied due to a common enemy. But we have to remember that Jester isn't a real person, Jester is a Twitter visage with a set ideology. I gave him the BitCoins because I support something he supports.
RG: OK. Back to LulzSec. Why do you think it took off the way it did? You garnered over a quarter million followers in little over a month. What was it about LulzSec that attracted such popularity?
Topiary: Good question. I like when people ask that. I think it's because we were such a unique group, "exciting and new" as our pseudo-theme suggests. What we did was different from other hacking groups. We had an active Twitter (controlled by me), cute cats in deface messages, and a generally playful, cartoon-like aura to our operations. We knew when to start, we knew when to stop, and most of all we knew how to have fun.
Admittedly our Twitter followers did explode drastically when we wrote that fake Tupac story on PBS. That's the point that it blasted off.
RG: How much thought did you put in to the whole ‘public image’? It was obviously very important, as you say, to the popularity of LulzSec. Did you spend time thinking a great deal about presentation?
Topiary: We made it up as we went along. We were originally @LulzLeaks on twitter, but I forgot the password so we became @LulzSec. My first name was The Lulz Train, then The Lulz Cannon, then The Lulz Boat. I had no idea what "The Love Boat" was, it was a complete accident. It was only because of an Infosec Daily podcast (I believe #382) pointing it out that we adopted the boat theme.
I wrote every press release in notepad without planning. That's what made us unique, we just came out and made stuff up out of nowhere.
We hacked, we wrote, we dumped our results on pastebin, mediafire, and [peer-to-peer download website] The Pirate Bay, then we acted like pirates on twitter. That is literally all we did. We spent $0 until people started giving us donations.
Important: the team of six holds itself together, we all have skills, we all have a role. It was smooth and persistent, and it worked.
RG: One thing that really interested me was the way you seemed to evolve from being solely about "Lulz" to engaging in more explicitly political acts... such as the Arizona Police leaks. Was this a planned progression?
Topiary: No, the original Arizona Police leak "Chinga La Migra" was to kick off the Anonymous/LulzSec teamwork with momentum. With that one release and a couple of tweets directing to the Anonymous twitters and servers, we launched Anonymous back into the spotlight with our cannonfire.
Interestingly the Arizona leak was the only one I didn't write the press release for. When allied with Anonymous, we let an unnamed Anon write that one.
RG: How much of an influence was/is WikiLeaks on the work of LulzSec and Anonymous?
Topiary: WikiLeaks was the reason Operation Payback took off last November/December and is probably the reason why AnonOps got so big. We, as LulzSec, support all their work, but they don't directly influence our releases.
RG: Do you think that WikiLeaks / LulzSec / Anonymous and other groups are part of the same narrative? By that I mean, are all these groups an example of how the internet has ‘changed the game’ in the modern world, so to speak...?
Topiary: I'd say they're the biggest three, yes. But if we're talking about aspects of the Internet that change the world, I'd say Facebook has done a fine job of that.
RG: Many of your leaks with LulzSec involved posting personal passwords etc. on the internet for download, e.g. the Sony leaks. I read that some of the leaked info has since been used in various scams. What do you think about this?
Topiary: While this response will cause pretentious commenters to engage in a lengthy back-and-forth with horrible analogies involving open doors and burglary, I'd have to voice that it's Sony's fault for not defending - and encrypting - its customers' data. Similarly, in a perfect world, we'd have dumped said data and nothing would have happened. These scams simply prove that other people (our fans/spectators) are more evil than us.
Nobody can excuse poor password usage and try to blame it on others by using technical jargon. [Former CEO of technology and security consulting firm, HBGary Federal, and Anonymous target] Aaron Barr is the worst culprit.
RG: OK. I'd like to go a little bit deeper for a second. How did you get in to hacking/hacktivist culture? And what motivates you to do it?
Topiary: I'm motivated by bursts of imagination and creativity, and I'm motivated by inspiring and teaching others. My main goal with Anonymous was to spread the word of revolution to those who might be seeking something new. Anonymous has been a great way for the younger generations to get involved through methods they understand, like utilizing the internet. As a teenager myself, I can relate to this.
RG: Revolution can mean a lot of things. What does it mean to you?
RG: Do you feel that what you are doing is a part of a generational thing? A big shift in how the world works?
Topiary: I think we all take part in a big shift, just some more than others. The internet population changes the world every day from sites like Twitter. Amalgamations of the media and the internet influence the entire planet. Anonymous has especially brought attention to the idea that actions taken online can have major effects in real life, linking the two realities while sending an important message. So the short answer to that question is "yes".
RG: And do you think that more regulation of the internet is inevitable? It seems to me that governments, both in the US and the UK, are pushing for more control of cyberspace...
Topiary: The US government would take control of all ISPs in the entire world if they could. It's not that they're pushing laws to defend citizens, it's that they've wanted to push laws for years, but they just couldn't justify it without risking revolt. They're scared of an uprising so they sneak in a small law now and again, building them over time. It's not hard to see that the US wants to control not only its own Internet, but the Internet of countries such as Libya.
RG: So you think it is creeping on us already? Control and censorship on the internet?
Topiary: It's been creeping for some time. The governments are simply using groups like Anonymous as a political goldmine to push more insane laws they've probably had stored away in the back of their minds and/or filing cabinets for years.
"Hacking is an act of war"; I highly doubt they came up with that on the fly. It's likely been lingering as an idea for possibly decades, waiting on the right time to drop it.
RG: That's interesting. So how do you balance what you do/have done with Anonymous/LulzSec with the knowledge that it is resulting in greater government control of cyberspace?
Topiary: It only results in greater government control if we remain apathetic and let it happen. The goal with Anonymous is to brutally cut down the middle of that decision and shout "NO" to laws we don't agree with. Laws are to be respected when they're fair, not obeyed without question. We specifically - as Anonymous - fight copyright laws, and the corruption surrounding them.
When a record label claims [peer-to-peer file sharing program] Limewire owes 75 trillion dollars, you know something is wrong.
RG: This seems to tie in also with the aims of AntiSec? Which seems, in essence, to be opposed to security industry profiteering...? (Correct me if I'm wrong.)
Topiary: AntiSec, when first launched, focused on exposing corruption across a wide spectrum of organizations, including banks and governments. I believe it's focusing more on the security industry now, yes, but has also released data (as far as I can tell, note I haven't been involved) on police and military.
RG: I noticed a tweet from [LulzSec founding member] Sabu on the evening LulzSec disbanded. He wrote that LulzSec would "live on forever" under the banner of AntiSec. Is this the case?
Topiary: Not exactly, but he's on the right path. LulzSec is merely a public face, not a group. The group behind LulzSec is the same group that hacked HBGary and various government and copyright websites under the Anonymous banner. I think what Sabu meant is that the idea and legend of LulzSec will live on, not specifically its name. Though members of the LulzSec banner are still active within Anonymous.
RG: About the end of LulzSec... it seemed to happen very spontaneously. A few days before it happened you were talking about leaks you had lined up for the next week... then suddenly... you announced it was over. Why did this happen? Was it due to the huge pressure that I assume must have been building - both from the media and the authorities?
Topiary: I know people won't believe this, but we genuinely ended it because it was classy. The leaks we promised happened, and continue to happen, as promised, under the AntiSec banner. 50 days were reached, we just about hit 275,000 twitter followers, things were on a high, so we redirected our fans to Anonymous and AntiSec and wrapped it up neatly.
RG: So you decided to end on a high?
Topiary: Exactly. A high note, a classy ending, a big bang, then a sail into the distance.
RG: But it still seemed to be a fairly spontaneous decision... i.e. It wasn't planned for a long time in advance that you would disband after 50 days?
Topiary: We planned from the start to end it when the time was right. We all discussed that we didn't want to be another lame hacker group that went on and on, and we all agreed that it needed to be fresh at all times. So in a sense, yes, it was planned, but it was spontaneous in its timing.
Personally, I just went from the feel of things. It felt right. Others felt the same way.We released when it felt right, we tweeted what felt right, we wrote what felt needed to be wrote. We weren't burdened by plans or board meetings, we just did it.
Something I'd like to get out: LulzSec weren't media-hungry, the media was simply LulzSec-hungry. We didn't contact a single media outlet for at least the first 40 days, they just kept reporting on our humble tweets/pastebins.
Our style and leaks were consistent from zero followers to a quarter of a million. We didn't adapt, everyone else simply changed around us.
RG: On your media point: from the outside looking in, it appeared that you enjoyed the media attention (even although you may not have been contacting the media directly). It seemed to me that you were - as a group - to some extent thriving on the mad media frenzy that was whirling around you. Is this a fair observation?
Topiary: It's fair that the attention gave us more reasons to leak more. It was a thrill, sure, and it did play a role. We enjoyed occasionally confusing and pranking media with weird tweets, or giving exclusives to certain journalists to piss off other certain journalists. It was another aspect of the situation that helped us to leverage the entertainment.
RG: I remember there was a UK census hoax... that caused sheer panic on every level in the UK. Was the hoax itself anything to do with LulzSec?
In retrospect it would have been wise for us to make an actual pastebin account, but oh well.
RG: This is a Q I have to ask. What about the Unveillance thing... the extortion claims. Was there any substance to the allegations that members of LulzSec were trying to extort companies? Like I say... I have to ask that one.
Topiary: We were playing characters in those chatlogs. I was Ninetails and Espeon, two entirely different people from an outside perspective. This man, Karim, wasn't a target for us - we found him by accident from an FBI-related website, he just happened to have used one password for every account he used. We simply went in for a bit of improvisation. That improvisation was "hey guys, let's leak his stuff, but first let's scare him to embarrass him more", so I put on my "extortion" persona (Ninetails) and began intimidating him. Personally I had no intentions to take anything from him, just to drive him into a position where he'd be willing to do it. That way it's more amusing to leak his stuff.
He bigs himself up too much. His statements focus on why we chose him, and why he was a target. It kind of speaks for itself: a big list of FBI-related users, and his passwords get us into an entire company. He won't comment on password reuse, just like Aaron Barr. In both cases it's the only reason we leaked any emails at all.
If Aaron Barr used a slightly different password for his own company, and the email account of an affiliated company, the whole HBGary hack would be nothing.
We just want them to accept their failures, but they hide behind rare press statements and large words. Our spotlight burned their eyebrows off. Hence Aaron Barr quit his job. Anyway...
RG: But at the time the man, Karim, wouldn't have known you were improvising, right? So he thought he was actually being extorted?
Topiary: Exactly. So if he'd agreed to give us money, we would have ended it there and exposed him as both a moron and a coward. Thanks to his bravery, he's only marked as one of these.
RG: You mentioned at the start of this chat that you'd been giving away $2k in donations. Is that money that was donated to LulzSec while you were still active?
Topiary: Some of it. I took charge of accounting with LulzSec and there were some carefully-planned hacktivism ventures planned with certain funds. I began donating funds from a pile I like to call "shadow coins", which is a little stash made of a few stashes.
The coins I gave to Jester were my own coins. I was just being ironic or something. (Mainly because I support some of what he supports.)
RG: You mentioned that you'd recently taken a break from hacking and aren't currently involved with AntiSec. Do you ever worry that the authorities will catch up with you? And does this have anything to do with why you have taken a break?
Topiary: I've been at this non-stop for a while: it's a big time sink. Some people can handle it for years on end, and I respect those people. I just needed some air and a new page in the Anonymous/LulzSec era. As for the authorities, well, if they have their claws in, they have their claws in, there's not much I can do about it. But I can only hope that they haven't pinned any of us, especially my friends from LulzSec.
RG: This is a hypothetical question: If you were caught one day, and you were given the option of working for the government in return for immunity, or jail - which option would you take?
Topiary: I would never snitch on anyone involved in Anonymous or LulzSec.
RG: But what about working for government security - so long as it involved no snitching?
Topiary: Not sure I'd have a place in government security, unless they enjoy bizarre tweets... but again, no, I wouldn't accept a job that would fight against the things I've fought for. Though I would make some ASCII art for Obama for a slice of diplomatic immunity. Perhaps pimp his statements with some LulzSec humour.
RG: OK. So, in answer to my hypothetical, you'd take the jail time?
Topiary: Pretty much.
RG: And how about the future? What does the future hold for Topiary?
Topiary: The future... hmm... The future holds many things. I don't plan, I just let it flow. It floats back to me. The project I'll be assisting will be using images/video/writing and other forms of art to spread the word, kind of like Operation Paperstorm with Anonymous. The project will be called "Voice". There's a little exclusive for you.
RG: So you're taking a step back from any hacking?
Topiary: Yes. I'm skimming the edges of the AntiSec banner and helping to boost its public face. This is on-and-off as I'm taking a step back from this type of scene. Much respect to all those who've been at it for years, though.
It's teamwork that gets this stuff done, so again I'd like to point out that LulzSec did so well because of every person involved and every person that assisted us.
RG: Here's another quick question for you: how do you classify yourself? Are you an anarchist? An anti-capitalist?
Topiary: I just classify myself as an internet denizen with a passion for change.
RG: A change from what to what?
Topiary: Sometimes a change from boring to fun, sometimes a change from sad to happy, mainly a change from oppression to freedom.
RG: Do you believe in democracy? And by that, I mean the principles of democracy.
Topiary: I believe in some principles, but I think this ties back into what I said earlier about the younger generation and learning from common ground (the internet). Most of us aren't in too deep with politics, we have a lot to learn and experience to gain, so I don't want to take a complete side. Maybe if we're both still going in a year or two, we'll go over the same questions.