Are computer hackers just pranksters?
In July 2012, the world’s largest computer software company, Microsoft, made a horrible discovery: someone appeared to have stolen the top-secret design specifications for the new version of its hugely successful Xbox videogame console. An individual called FLaC* had posted a notice on an obscure gaming website offering an Xbox “development kit” for sale at $US10,000. As proof that the goods were authentic, FLaC had published a blurry photograph of a computer screen glowing with green programming script and the word “Durango”. Veteran gamers ridiculed the photo as a fake, but inside Microsoft’s Seattle HQ there was a different reaction, because Durango really was the code name for the new Xbox, and that photo looked alarmingly genuine.
Microsoft had sold 67 million Xboxes over the previous seven years, generating $56 billion in retail revenue. The Durango system wasn’t due for release until the following year, and the only people privy to it were company employees and videogame designers who’d signed secrecy agreements. A letter from Microsoft’s lawyers persuaded the gaming website to remove FLaC’s post, but within weeks he popped up again on the online auction site eBay, advertising the same Xbox kit. By mid-August he was leaking details of the Durango system to the website Eurogamer, having apparently sold the kit for $US20,100.
Who was FLaC and how had he pulled off this seemingly extraordinary heist? Eurogamer claimed to have traced him to Europe and his Twitter dispatches suggested he was in North Carolina, but Microsoft’s inquiries led to a suburban house 14,700km away in Perth, Western Australia. In mid-August, one of the company’s senior security executives, former police detective Miles Hawkes, flew to Perth and drove to the house for a “knock and talk” interview, as he later put it. The door was answered by a middle-aged woman with short hair. She was FLaC’s mum, and she said he’d be home from school after 4pm.
Microsoft’s nemesis turned out to be a slight, diminutive teenager with long dark hair that hung over his eyes, a wispy beard and the washed-out complexion of someone who spends too much time at a computer keyboard. In his parents’ living room that afternoon he freely admitted being part of a group of computer hackers who had penetrated Microsoft’s security wall and downloaded reams of programming code and hardware specifications for the new Xbox. But the whole thing had been a prank, the kid insisted – they hadn’t really sold an “Xbox kit” on eBay for $20,100; in fact, they’d be more than happy to help the corporate giant fix up its security problems.
After Miles Hawkes flew back to Seattle, FLaC shared news of the encounter with his followers on social media. “Bye bye Mr Microsoft man,” he tweeted. “I have a feeling I’ll be seeing more of you soon.” Those who follow FLaC’s Twitter feed will know that things have taken a darker turn since then: first came the FBI raid on his parents’ house last year, then a series of arrests across the US and the jailing of his fellow hackers amid allegations that they’d threatened to kill a magistrate, caused $200 million worth of damage and stolen US military secrets. FLaC himself is facing prosecution on a raft of hacking offences in the WA Children’s Court, which is why his real name and Twitter handle cannot be published in this magazine. That restriction hasn’t stopped him from chronicling the whole saga on Twitter, earning a devoted cult following.
On a recent afternoon at the WA university
where he is a student, FLaC turned up with a fat binder full of legal documents and proceeded to explain over several hours why he believes he will beat the charges. His hair is brushed back in a more stylish cut as he approaches his 19th birthday, and on social media these days he adopts the self-mocking persona of a high-roller who smokes fat cigars, drinks Moët and haunts the poker tables at Crown casino. More risky is his open taunting of the authorities, including his suggestion that the FBI fly him first-class to the US so he can “join the gang in prison”.
It’s not the usual gambit of someone about to face a judge, but then, not much about this case follows legal convention. Despite court suppression orders, FLaC has posted various legal documents online to accompany his running commentary. “I like transparency,” he explains, as we sit in a sun-dappled courtyard. “What I’ve done I admit I have done. If they’d charged me with something properly I would have pleaded.” There’s an unmistakeable echo of Julian Assange’s anti-authoritarian sangfroid in that statement. To hackers, the internet is a place with its own anarchic rules of conduct.
The way FLaC sees it, the Xbox stunt was not actually malicious. It began during Year 11, during his late-night explorations of the darker depths of the internet, when he discovered a way inside the private network of the US videogame company Epic Games. FLaC’s computer skills were already sufficiently advanced that his school had suspended him twice for infiltrating its IT system, but what struck him about the Epic hack and where it led was how easy it all was. A common “brute force” program that makes millions of random guesses at passwords got him into the account of an Epic staffer. “The password was Jelly6,” he recalls, sounding faintly incredulous that any IT professional would rely on such a basic word-and-number formulation. From Epic’s database he downloaded an unreleased new version of Gears of War, one of the world’s most popular videogames. That brought
him to the attention of a loose-knit network of hackers/gamers who went under names such as Sonic, AAmonkey, Animefre4k and Xenon7.
They discovered that Epic was connected to another network, run by Microsoft, which allowed videogame producers to share access to the secret specifications of the forthcoming Xbox Durango system, in order to develop new games to coincide with its release. By late 2011, FLaC and his pals had hacked their way into Valve Corporation and obtained the unreleased game Call of Duty: Modern Warfare 3. “I was quite surprised when we found out that these people basically all had terrible security,” he says mildly.
Technology companies can be surprisingly forgiving towards hackers who expose security holes without committing vandalism, and so it proved with Epic. When FLaC contacted the company’s IT team to reveal what they’d done, Epic sent him an autographed Gears of War poster as a gesture of gratitude. But by then FLaC, Sonic and his cohorts were inside Microsoft itself, which is how they got their hands on the secret specifications for Durango and came up with the idea of playing a joke on the company.
Microsoft provided many game designers with a computer known as an Xbox “development kit” on which they could design new games for the Durango. FLaC and his mates hit on the idea of building a counterfeit kit using the Durango hardware specs they had obtained. The task was accomplished in a matter of days by Animefre4k – actually, 17-year-old Nathan Leroux of Bowie, Maryland, in the US – using store-bought parts. What he built wasn’t an actual Xbox, more like a custom-designed personal computer. According to FLaC, it didn’t contain any of the proprietary Xbox software. But sticking it up on eBay was a joke that quickly snowballed, as the bidders – many apparently joining in on the jape – ratcheted the purported selling price toward $20,000.
“We knew it was stupid idea to put it on eBay; we always knew that,” says FLaC, with a rueful laugh. “But that was the point of it. ‘Hey, let’s have some fun. Let’s piss Microsoft off ’.”
Which just goes to show – be careful what you wish for.
Back in the days when he was a teenager
infiltrating the Pentagon’s computer systems from his bedroom in the hills outside Melbourne, Julian Assange helped define the credo of the “ethical hacker” who is motivated not by money but by a spirit of exploration and political engagement. Assange gave the philosophy its cause célèbre when he created WikiLeaks, kickstarting a “hacktivist” movement that has since been taken up by such online dissidents as Edward Snowden, leaker of US intelligence files, and Aaron Swartz, the IT prodigy who committed suicide last year after being charged with data theft from an academic publisher.
Hacktivists see themselves as an essential brake on the growing power of corporations and the state; Snowden wanted to expose government surveillance and Swartz believed he was striking a blow against private ownership of publicly funded research. But that’s not a distinction police have much time for. Late last year US authorities charged the British hacktivist Lauri Love, an associate of the group Anonymous, with infiltrating thousands of US military and government networks, assisted by two unnamed Australian co-conspirators. In May, the Australian Federal Police charged another alleged Anonymous hacker, a Perth surf lifesaver, with breaking into the servers of the Indonesian government and telecommunications firm AAPT.
Penalties for such offences can be severe. Aaron Swartz was facing up to 35 years in prison and $1 million in fines when he killed himself; in Australia the charge of “unauthorised modification of data to cause impairment” carries a maximum jail term of 10 years. The manager of the AFP’s Cyber Crime Operations, Commander Glen McEwen, says this reflects the fact that hackers present an “enduring global threat” to society. “What people are doing in the online world is not harmless,” he says. “It may start off as defacement of a website but it can go to the other end of the spectrum where you are encoding malware and stealing millions of dollars.”
Late last month the Federal Government announced a review of internet security after revealing that “cyber incidents” targeting government agencies had increased 37 per cent in 2013. But the problem for police is that hacking can be the most opaque of crimes, perpetrated as it is by people hidden behind online aliases and operating in a virtual realm where evidence is easily erased or altered. The two Australian hackers who allegedly conspired with Lauri Love, for instance, still haven’t been charged more than year after his indictment. And as McEwen has discovered, any geek can sound like a gangster from the safety of a computer keyboard.
In April last year, McEwen made headlines when he announced that his team had arrested the possible leader of LulzSec, an infamous international hacker gang that once crashed the website of the US Central Intelligence Agency. The story appeared in hundreds of media outlets from the BBC to The New York Times, because LulzSec was at the time the subject of a major investigation following its attacks on the IT systems of Sony, Fox Broadcasting, the US Senate and several British banks. Unfortunately, the AFP had ignored a fundamental rule of the internet: don’t believe everything you read.
The hacker they had arrested was Matthew Flannery, a lanky 24-year-old who worked on the help desk of an IT firm called Content Security, which rented office space in the Microsoft building in North Ryde, Sydney. Flannery had spent a fair chunk of his adolescence exploring hacker forums, where he adopted the persona of a foul-mouthed, big-talking “troll” called Aush0k. “Listen here, nigga, I’m the f..kin’ boss of the internet. The FBI are raged they can’t get @ me,” was one of his typical boasts. In one stunt on an online chat-forum he pretended to hack into the Californian telephone system and summon a SWAT team to a hotel in Ventura.
It was all just talk, Flannery says now, the kind of flim-flam that’s the lingua franca of underground networks. “Hey, it’s the internet – a lot of people have different personalities on the internet,” he says with a shrug one recent afternoon at home in western Sydney. “When I was trolling people, I played that role really well. I came to be seen as this upper-echelon guy and I guess I liked the notoriety.”
To say that Aush0k made enemies would be stating the obvious. In February last year someone hacked the website of the Narrabri Shire Council in north-west NSW, creating a new page which featured a webcam photo of Flannery, along with an obscene caption and the heading: “I’m gay – Hacked by grand wizards of LulzSec, Sabu and Aush0k.” LulzSec actually had nothing to do with the attack, and neither did Flannery; it was all a dumb joke perpetrated by an online rival who had created a “back door” into the council’s IT system. A couple of months later, Flannery did something he would quickly regret: using the same back door, he tried to load a new page onto the council website. Having failed, he asked another hacker to post an image on the site of a naked man with an iPad covering his genitals. Flannery then alerted a Facebook friend to the prank by sending him a jocular note: “Now I’m the leader of LulzSec!”
Two weeks later, the federal police turned up in force at his work to arrest him. “I honestly thought it was a joke – I thought I was being punk’d,” he recalls. Led from the building in handcuffs – a scene police filmed and released to the media – Flannery was charged with hacking offences that carried a total penalty of 12 years’ jail. The following morning, McEwen and Superintendent Brad Marden of the AFP held a press conference in which they described Flannery – without naming him – as the “self-proclaimed leader” of LulzSec and “a considerable risk to national security”. Flannery, said Marden, was a “well-respected” member of LulzSec who had hacked a “government agency”, which police declined to name. Journalists quickly identified Flannery, and Content Security fired him shortly afterwards.
McEwen defends the AFP’s handling of the case and bristles at any suggestion that it overreacted to what was essentially internet graffiti. “I hear from journalists that it’s just graffiti and this and that – it’s nonsense,” he says. “You can’t play down the seriousness or capabilities of these people. What they can do is potentially catastrophic.”
When Flannery finally faced Gosford Local Court in October for sentencing, police were no longer attempting to link him with LulzSec. But their search of his laptop had uncovered stolen bank account details which a hacker once sent him as proof of his prowess. That resulted in an additional charge of dishonestly obtaining financial information, which carries a maximum fiveyear jail term. The 15 months’ home detention he’s now serving seems light by comparison, but his lawyer slammed the AFP for its “ludicrous” overreaction. The case also raised a red flag to internet activists who are alarmed by the federal government’s data-surveillance policies and its reported plans to give the AFP overall jurisdiction of homeland security.
Flannery says he made it clear to police from the start that he had no association with LulzSec. “Looking back, I think it may have been a publicity stunt to get the same status as the US and British agencies,” he says.
The AFP remains unrepentant. “He’s like the boy who cried wolf,” McEwen says. “He should take some personal responsibility and realise he was wrong instead of suggesting he was a mere bystander… Maybe his bottom wasn’t smacked by his mum. You can quote me on that.” law enforcement has ratcheted up since the death of Aaron Swartz and Edward Snowden’s revelations about mass-surveillance of the internet. The FBI’s tactics have come in for particular attention since it was revealed, in July 2012, that one of the founders of LulzSec, Hector Monsegur, had been an FBI informant since being secretly arrested in 2011. Thanks to an elaborate sting operation, at least six members of LulzSec have since been indicted or jailed for hacking crimes carried out, at least in part, with Monsegur’s encouragement and on servers provided by the FBI.
Even before FLaC was visited by “Microsoft Man” in August 2012, the Xbox hackers talked openly about the spectre of being busted. “I need your help. I’m going to get arrested,” Xenon7 messaged one of the group in July 2011. “I need to encrypt some hard drives.” Xenon7 was David Pokora, a long-haired 19-year-old computer science student who lived with his parents in Mississauga, Canada. Only later would he realise that the hacker he was asking for help – identified only as “Person A” in US court documents – was a federal informant.
According to FLaC, the group knew early on that the FBI was investigating them but, like explorers who’ve stumbled into a cavern of treasures, they apparently couldn’t resist the lure of further discoveries. After breaking into the internal network of the Seattle gaming company Zombie Studios, they discovered it designed not just videogames but also software for the US Army. By late 2012 they were inside the army’s virtual private network and had access to the
The rhetorical war between hackers and
simulation software for the Apache helicopter. According to FLaC, they were soon roaming through innumerable government and corporate systems thanks to sloppy security and interconnected networks.
“It was a huge breach of databases – I recall even Jet Propulsion Labs, NASA, those kind of things. It was all there. But what happened was that we never really accessed any of it.” Well, almost never – FLaC concedes they did download the Apache helicopter program, offering a justification of sorts: “The Apache simulator was barely useable unless you had $150,000 worth of hardware. In the wrong hands, what was it? It
was an old simulator for training Apache pilots that’s open to the public in the first place.”
Still, the euphoric buzz of it all caused some of the group to forget a few basic tenets of ethical hacking. “If we do this right, we will make a million dollars each,” Pokora bragged in one intercepted internet chat later released by the FBI. FLaC says he was aware that “Person A” had a history of online fraud, and when Nathan Leroux’s Xbox kit attracted actual bids on eBay, he allegedly built a second one to deliver to a private buyer. That was collected by Person A, who delivered it instead to the FBI.
Within days of the Apache simulator hack in December 2012, the FBI raided the New Jersey home of Sonic, aka 28-year-old Sanadodeh Nesheiwat. Three months later, WA police turned up at FLaC’s house accompanied by an FBI liaison officer, taking away all his computer equipment. This didn’t deter Pokora, who orchestrated a break-in at Microsoft’s HQ in August last year, supplying two people with fake credentials which enabled them to enter a secure office and steal three consoles for the unreleased Xbox One (as the Durango was now called).
Pokora was eventually arrested in March; he has since pleaded guilty, along with Nesheiwat, to hacking charges that could land both of them five-year jail terms. Leroux and another hacker, 18-year-old Austin Alcala of Indiana, have pleaded not guilty and are out on bail. The FBI seized bank accounts controlled by the US hackers, who it claims generated “hundreds of thousands of dollars per month” by providing unauthorised access to online games.
FLaC faces 25 charges, including failure to obey a data-access order, dishonestly dealing with personal financial information and unlawful use of a computer, which could land him in jail for years. His attitude to this is a curious mix of bravado and unnerving candour. Even before he was charged, he announced online that if he was arrested, a file containing all the data he’d obtained would be released via a “dead man’s switch” (his failure to log into his server after several days would automatically publish the file). On Twitter, he has issued obscene taunts to FBI agents and posted selfies of himself standing insouciantly in front of a police car or posing, fat-cat style, in a suit, hair swept back, smoking a cigar under the heading “I do enjoy my life”.
“It’s just a persona,” he says with a laugh. “Someone said on Twitter that FLaC sounds like some kind gambling-addicted drug dealer with a ‘f..k the police’ attitude. Which is not far off. FLaC has always been the kind of guy to do crazy things. It’s an alter-ego.”
In the real world, the guy who plays FLaC on Twitter is a 19-year-old student facing a $45,000 legal bill to defend himself against serious criminal charges. A year ago he was hospitalised for a panic attack and he now takes anti-anxiety medication. But his hostility towards the police is genuine, because he says much of what the authorities claim is untrue. The US indictment alleges he opened credit card accounts using stolen identities, but he says this was orchestrated by Person A, who wasn’t charged. An FBI agent testified that the hackers talked about soliciting the murder of a magistrate and federal agents, but FLaC insists any such talk was just absurdist banter. He emphatically denies a charge of possessing child porn, saying WA police may mistakenly believe that images on a server he hosted belonged to him. As for the hacking itself, he disputes whether he committed any offence under Australian law. “What’s my view on that?… Um, it’s illegal here, it’s illegal in the US. It’s not illegal in other countries. Where I was at the time, there were no hacking laws, really.”
Back in 2012, after Microsoft’s Miles Hawkes came to Perth for his “knock and talk” with FLaC, one of the hacker group breezily emailed Hawkes to suggest that perhaps Microsoft could provide them with references so they could get legitimate IT security jobs. This doesn’t seem like an option anymore, and even FLaC concedes that some of his confreres got greedy as their exploits became more audacious. It was only from reading the indictment, he says, that he realised one of them had amassed hundreds of thousands of dollars from online fraud.
Still, FLaC harbours ambitions, once his trial is over, to join the long list of hackers who have crossed over to the white-hats. Kevin Mitnick was once the most wanted computer criminal in the world, but after five years in jail he’s now a leading light of internet security. Owen Walker, the 18-year-old Kiwi hacker who was prosecuted after a global FBI investigation five years ago, got a job with Telstra. “In the IT world,” says FLaC sardonically, “you either study for 10 years to become a consultant or you go to jail for five years and get all these offers.”
In a spirit of optimism, FLaC recently altered his profile on Twitter; these days he describes himself as a “security researcher” and “reformed grey hat”. That’s the joy of being online – it’s so much easier to change your storyline. * Identifying details have been changed
Facing a five-year jail term: David Pokora
Busted: Sanadodeh Nesheiwat, left, and Matthew Flannery
Careful what you wish for: Nathan Leroux, left, and Matthew Flannery