This is the first installment in a two-part interview.
Computer hackers worldwide have launched what they call a "cyberwar" in defense of WikiLeaks and its embattled founder Julian Assange. The loosely knit collective of hackers is known as Anonymous, a shadowy circle of activists who have been launching cyberattacks and cyberpranks for numerous years on organizations ranging from the Church of Scientology to the Motion Picture Association of America.
One of the earliest followers of Anonymous, Gregg Housh, is intimately aware of, but claims no participation in, the latest Anonymous offensive, titled "Operation Payback." It managed this week to take down the websites of MasterCard, Visa, and the Swedish government over their refusal to support WikiLeaks or Mr. Assange.
Mr. Housh sat with the Monitor on Dec. 10 – in what he said was his 37th interview of the day – to explain how, and why, a couple thousand kids have crippled some of the world's most prominent companies' websites. They have done so with an unprecedented voluntary botnet, a network of thousands of computers working in tandem to simultaneously bombard a website with hits.
CSM: Why was Operation Payback launched by Anonymous?
GH: Anonymous doesn’t exist. I hate having to say that, but it really doesn’t. If someone says they are Anonymous, they are. That means there is no centralized group. As a very ethereal, kind of amorphous, fluid thing, it exists. But in reality there is no one Anonymous that you can be a part of. You could just be Anonymous yourself. And if you’re acting with others, well, then sure there is an Anonymous group at that point doing something, but it’s not an ‘Anonymous group.’ You aren’t members of it. There is a bunch of Anons together doing something. It’s a different way of looking at it because Anons really hate the idea of membership, the idea of anything even resembling structure when it comes to that stuff. If there is a hierarchy, if there is someone in charge, they get angry. I get attacked if any of you guys [the press] say the word "member" in an article when talking about me.
GH: ... This cause showed up and [Anonymous was] already pretty well organized and switching targets was not that hard of a thing for them to do. While there’s no leaders, there’s no hierarchy, what happens after months and months and months of being together in an Anonymous group is there will be that guy who has a slightly louder voice than a few of the other people. And while not saying that person is more intelligent, he seems to organize things a little better. When the next target needs to be chosen, he’s usually the first one to help try and choose it. After months and months of that, people will stand out a little. Even if they’re switching their [nicknames], you do get used to ‘that’s probably that same guy.’ There will be people in these Anonymous groups, even if there’s a hundred of them, there will be four or five of them who stand out from the crowd a little in your eyes. They’re not openly telling people what to do, but they just become the movers and shakers of the area.
CSM: How many of those "movers and shakers" are there?
GH: Out of the 3,000 [on the Operation Payback channel on the chat platform 4chan], there’s actually a couple hundred.
CSM: How does Anonymous choose a target like Visa or MasterCard?
GH: They haven’t had to. The best part for these Payback people for the last few days is they haven’t had to choose an enemy. Everyone that they’ve attacked has literally walked out in front of the bus and just been waiting to be hit. They’ve raised their hand and said ‘please attack me.’
CSM: But you have to pick one. You haven’t attacked EveryDNS, the company that dropped the domain name WikiLeaks.org. Why not them?
GH: Not big enough. Quite honestly, I'll tell you the real goal here, and one reporter I was talking to said, ‘Maybe I don’t want to cover it then,’ after I told her this. The only reason these DDoS’s actually work so well is because the press comes running every time they do it and ask for tons of articles. If they’re not doing the DDoS’s [distributed denial of service attacks], they’ll get an article a month maybe about them if they're lucky on the back page of some blog. When they DDoS something like Visa, then I end up on the front page of The New York Times and on CNN that day. The DDoS’s are happening because of the coverage. There’s a secondary reason to it, and there is a purpose, but in all honesty it gets the media coverage on the points, on the messages.
CSM: How do you pick a time to launch an attack?
GH: Visa stepped up and volunteered [when it refused to process financial transactions for WikiLeaks]. And then people start looking at the website. ... They were talking about this one [IP address] that seemed to be the actual central one and if you were to hit that, then maybe the whole thing might come down. Boom. They change the target to it. Everyone’s bots, or everyone’s copy of LOIC [Low Orbit Ion Cannon software], switched to that, and that site just dropped quick. So whoever figured that out is quite the intelligent guy.
CSM: So give me a better sense of that. You’ve got these botnets, and they’re all voluntary?
GH: Yes. This is the first voluntary botnet in the world to actually be exercised, the first one. You get on the IRC [Internet Relay Chat, which is done on the Anonymous channel of 4chan] and one of the first things you see in the initial message is if you want to join go to this channel on the chat channels named "setup," and they give you a link to download the executable, and there's people there willing to help you install it if you don't know how, and they just say minimize it when it's installed and we'll do the rest.
CSM: To launch a DDoS that’s actually going to bring down MasterCard, how can that be done with just voluntary botnets?
GH: Thousands and thousands of people. ... You would think MasterCard was better than that. But did you see PayPal fall today? They were hit by the same botnet and they didn’t go down. PayPal did not fall. Amazon did not fall. It slowed a little but only a little, it was still usable. Amazon didn’t slow down at all. MasterCard died quick. When they went after MasterCard, it was down in five minutes. This is somewhat a talk about the power of the voluntary botnet, but it’s also at some point a talk about just how bad their setup was. Visa went down in 30 seconds.
CSM: Was the Amazon attack just as big as Visa and MasterCard?
GH: No. The thing about the Amazon attack today is it was one of those Anonymous ideas that didn’t actually get taken up. You know, people throw out these ideas and they either happen or they don’t. Well, that one really didn’t. The whole voluntary botnet was not turned on Amazon. A bunch of people said it was a great idea and tried to turn their copies on it. But there were a few of them; if there were more than a hundred I’d be surprised. The channel that controls the voluntary botnet on that chat server did not change its IP to point on the Amazon line. It was still pointed at PayPal.
CSM: Why wasn’t there as much interest in attacking Amazon?
GH: Because they won’t be able to take it down. There were enough smart people in there to say this site isn’t going to go down, let’s not waste our time.
CSM: How did they know Visa or MasterCard would go down?
GH: Very simple look at the website structure: How many IPs does the distributor cross? Are those all sitting in the same data center? Are they all sitting on the same rack? … You can get a feel for the fact that most of the servers are sitting in the same basic general geo-located area. ‘Oh crap, these people were stupid.’ Take out one of those routers along the way and all of it falls. Amazon is multi-homed. They’re in every data center you can imagine. You take down one and it doesn’t matter because their requests get rerouted to one of the others in other states, other countries. Their system is really resilient.
CSM: So there are no involuntary bots operating with Anonymous?
GH: None that we know of. I mean, you can’t promise that there aren’t, but none that we know of. And honestly, when you see the IP change in the chat channel for what they’re going to hit, and 30 seconds later Visa is down, you know the voluntary botnet did that. That IP is switched and all the bots switched their target. Someone else didn’t have time to get onto his botnet, set it up to go somewhere, and you know, do all that other stuff. It was the voluntary botnet that did it, because it was automatic with the change of the IP in the chat channel. … You can see proof of it sitting there. They changed the command that told the voluntary botnet what to do and 30 seconds later the thing goes down. Right when they sicked the voluntary botnet on it, boom, everything goes down. It’s easy to watch.
CSM: There are suspicions that the voluntary botnet is merely a ruse, and an involuntary botnet is really behind the attacks.
GH: The one thing I have to say about that is we will never know the truth there. I can’t give you an answer on that one because I don’t know. Unless someone steps up and says ‘I did that,’ how am I supposed to know? We know about the voluntary botnet. That’s all we see, and we know that when we point it at things, things go down. ‘We’ is a strong word, but, you know, Operation Payback. I am still not taking part in this. I still do not have a computer in the botnet. I am not doing anything. But as a whole, that server, when it gets switched, down everything goes.
Now, there could be someone sitting there watching like a hawk waiting for it to happen and sicking his "real" botnet on it. We can’t say ‘yea’ or ‘nay.’ And you know that Visa or MasterCard is not going to release any of the real numbers on what hit them. If they released it, and it turned out that it was just the voluntary botnet that hit them, well, then they’ve got egg on their face. That was, in some respects, their fault.