Ever wonder why black hat hackers and cyber vigilantes risk prison terms to do what they do? The group of four people who hacked the PBS NewsHour website and used it to publish a fake story about Tupac Shakur Sunday night say they did it for “lulz and justice.” Lulz is internet parlance for amusement, and justice refers to a PBS documentary that the hackers took offence with.
One member of the LulzSec hacking group, calling himself Whirlpool, told me in an interview this morning over Instant Message chat that the hack had been a nod to WikiLeaks and Anonymous, after many who support the larger online collective were angered by the PBS documentary “WikiSecrets” and its portrayal of whistleblower Bradley Manning when it broadcast a week ago.
“While our main goal is to spread entertainment, we do greatly wish that Bradley Manning hears about this, and at least smiles,” Whirlpool said.
Late Sunday night LulzSec posted a list of user names and passwords for admins of the PBS websites and their affiliated television stations, then injected a defaced page showing Nyan cat, an Internet meme, into the website.
The entire operation took several hours, but halfway through Whirpool says he proposed planting a fake news story on the PBS site in a bid to win more laughs. “I was gonna write about Obama choking to death on a marshmallow, but I figured Tupac would be funnier,” he says, adding that he typed up the article, which claimed the deceased rapper was alive and well in New Zealand, in about 15 minutes.
Once he had posted it through the PBS content management system, the hackers monitored PBS administrators as they disabled the file that allowed stories to be published in a bid to take it down, meaning no one at PBS could access any of the stories on its blog network. They were stymied at first because the hackers had also deleted the site’s user and admin accounts and created their own to lock them out for as long as possible. Eventually, the admins regained control from a backup database.
The hacker says the site’s content management system was “outdated,” which made it easier to break in and spread through the system. Three hackers initiated the attack, and were joined by a fourth towards the end.
Within a few hours of publishing, the Tupac story had garnered more than 4,000 “likes” on Facebook, before going on to grab the attention of the mainstream press on Monday, a public holiday that was light on news. The group’s Nyan cat page even made it into the Wall Street Journal’s print edition, while a screenshot of the Tupac story popped up on the WikiLeaks Twitter feed, a nod which Whirlpool says he’s “very happy” about.
LulzSec has been on a media-hacking spree lately: they raided the servers of Fox.com to post private user data, then brought down two websites linked to Sony. They have denied being affiliated to Anonymous, but supported its cyber attacks against the websites of repressive Middle Eastern governments like Libya and Tunisia amidst the Arab Spring.
Though Anonymous is a name associated with a loosely-knit, often anarchic collective of cyber vigilantes and online pranksters, supporters typically avoid targeting media companies as a mark of respect for freedom of the press. The attacks on Fox and PBS, a public service broadcaster, would seem to go against that. But Whirlpool’s response to this criticism is simply another meme: “U mad bro.”
PBS’s executive producer of Frontline, David Fanning, told the Associated Press the cyber hack was “a disappointing and irresponsible act, especially since we have been very open to publishing criticism of the film … and the film included other points of view.”
Whirlpool, not surprisingly, disagrees. “From the start [the documentary] painted a negative picture on WikiLeaks, and it put a great deal of focus on discrediting Julian Assange and Bradley Manning,” he says, adding that he had watched the film but wasn’t sure if his other “crew mates” in LulzSec had as well. LulzSec also defaced the official PBS statement in response to the attack. PBS could not be reached for further comment.
Whirlpool says it’s a “fair assessment” for people to look at LulzSec’s cyber attack on PBS and call it illegal and wrong, but retorts, “do what you want ’cause a pirate is free, you are a pirate.” He then provided a link, over IM, to a YouTube clip of the children’s TV show Lazy Town.
The rhetoric might seem juvenile, but Whirlpool and his buddies are intent on causing more serious damage in the name of fun and retribution. Their next target is Sony, a company already beleaguered by a string of security breaches sparked by the Anonymous mass cyber attack last month. That in itself was revenge for Sony’s lawsuit against a hacker who had tried to jailbreak the PlayStation 3.
“We’re going to blast more holes in Sony and leak their booty,” Whirlpool said, adding that the attack would not be as big as the theft in March of personal and financial details of more than 100,000 PlayStation Network user accounts, “but certainly a lot bigger than what we did to Sony Japan.” And there’s more swagger: a few hours ago @LulzSec tweeted, “Hey @Sony, you know we’re making off with a bunch of your internal stuff right now and you haven’t even noticed? Slow and steady, guys.”
LulzSec is bound to get more attention for all this, but Whirlpool breezily denies the group is looking for fame. “We like making people laugh,” he says. “We’ve got a lot of energy to do it with.”