Nueva regulación de Protección de Datos

Topiary kept checking Google News for any mentions of Lulz Security or the leaked usernames from Fox and X Factor. He noticed there were hardly any mentions besides a few blog posts from technology news sites. No one seemed to care.

If an individual or group had thousands of Twitter followers, it was more likely to create a buzz among bloggers and journalists and, eventually, to create headlines. Topiary’s imaginative writing style, honed by many hours writing for the satirical website Encyclopedia Dramatica, came into play here. He could write a series of acerbic comments soaked in the parlance of Internet subculture in just a minute or two. It came naturally.

By the end of his first day using the LulzSec Twitter account, May 7, Topiary had amassed fifty followers from eleven tweets. The tone was tongue-in-cheek, cheerful and irreverent, quoting lyrics from the tacky pop song “Friday” by Rebecca Black and taunting the official Twitter feed of X Factor: “We stole your shit and now we’re going to release it! Thoughts?”

Twitter, despite its 140-character limits and status as a gimmicky tool for the social media elite and technorati, could be a powerful communication tool. If it was used smartly and prolifically, thousands of people could start paying attention to LulzSec. By using the @ symbol, or simply by saying a name, he could speak to anyone who had a Twitter account.

The following morning he employed Sabu’s tactic of dangling the prospect of more tantalizing leaks: “Guys and girls, we’re working on lots of fun right now! Here’s your Sunday secret: We’re nowhere near done with Fox.”

On Sunday, May 9, the followers had inched up to around seventy-five, but Topiary kept up the showman-style enthusiasm, as if each tweet were being blared from a ringmaster’s bullhorn. “Monday spoiler: today’s leak will be significantly smaller in quantity, but vastly higher in quality,” he broadcast. “You guys like passwords? So do we!”

He believed it was important to keep throwing out teasers, so then tweeted: “The show starts in a few hours, folks! This one is quite interactive with a finale you’ll appreciate. We, we, we so excited! :3.”

If Sabu had been doing this his way, he would have dumped all the Fox data they had when they were ready, whether that was Friday or at some point during the weekend. But Topiary figured that news outlets were more likely to pick up on stories on a Monday than on a Friday, when many were winding down for the week. It seemed to make sense that if something was released on Monday, it got more attention.

The teasers kept coming on Monday morning: “LulzSec hashtag of the day: #FuckFox—let’s give it another hour or so, tell your friends. ^____^”

Then: “30 minutes…#FuckFox”

Twenty-eight minutes later: “You ready?! #FuckFox.”

When the moment arrived, Topiary didn’t post a long document of information but tweeted a series of URL addresses for the LinkedIn accounts of employees at a Fox TV affiliate in San Diego, California. The first said: “Meet Karen Poulsen, Marketing Consultant at Fox 5 KSWB.” Clicking on the link showed Poulsen’s LinkedIn account now had the LulzSec monocled man as her profile photo. Topiary did the same for Jim Hill, an account executive at Fox, and six other members of management at the media company.

There were seven more managers who got their LinkedIn accounts hacked and Tweeted, including Marian Lai, vice president of Fox Broadcasting. In between, Topiary gave a shout-out to his old constituency still hanging out on AnonOps: “Hey, AnonOps I hear you guys are having a rough time—let’s cheer you up. Anonymous wants to join in? You can very soon!”

There were more tweets to a second press release, all wrapped up in offbeat humor, using the instrument of hash tags at the end of each tweet as a kind of quasi punch line. This was definitely not your ordinary hacking group. After three days, Topiary had posted thirty-five tweets, and he continued with confident profligacy.

Soon Topiary had tweeted a more damaging “phase 2” leak from Fox: a spreadsheet of more than eight hundred Fox.com users and details of the inner workings of the company’s servers.

Moving quickly, he posted a spoofed link to “Secret LulzSec IRC logs,” a nod to the #HQ leak and the eagerness in hacker circles to spy on others’ chats. The post contained no logs, only the images of black-and-white pirate ships made out of asterisk symbols, along with spoofed dialogue between nicknames like Bottle of Rum (the nickname for Tflow), Kraken (Kayla), Seabed (Sabu), and Whirlpool (Topiary). Topiary had decided with the others that pirates and boats would be LulzSec’s theme.

“What gives guys, that boat looks like it belongs in my bath,” Whirlpool says. Then Kraken uses twelve lines of the chat log to create a larger battleship, followed by a mushroom cloud. Whirlpool then claims to be “beaten,” “destroyed,” and “forever alone.” Topiary’s ditty made it clear that LulzSec was not taking any of this, or itself, seriously. “Don’t tell the FBI about these pl0x,” the page’s subtitle said. “We will get in trouble and might be grounded.”

will get in trouble and might be grounded.”

He released another document of ATM information for British cashpoints, none of it particularly harmful but a demonstration that they could get stuff. He linked the release to a YouTube video of the Love Boat theme song and pasted his own lyrics that ended, “Yes LULZ! Welcome aboard: it’s LULZ!”

After a few days, most of @LulzSec’s two hundred and fifty Twitter followers were from the Anonymous community. People had heard something was going on and wanted to keep track. Very few people, outside of a few regulars on the Anonymous IRC channels, had any idea that these were the same hackers who had hit HBGary, the same ones who had suffered from Laurelai’s reckless #HQ log leak.

Then Topiary noticed the LulzSec Twitter feed had a new follower: Aaron Barr. He couldn’t help but be thrilled at this and immediately started badgering him on Twitter. “We have the legendary AaronBarr following us…we hear he had a great time with #Anonymous, so great in fact that he quit his job. #ouch. We better watch out now,” he added. “AaronBarr is going to check our Tweet times with every single Facebook account login.”

Then: “We’re following 0 people. if we follow one person, does that mean the e-detectives will pounce on them? Should we follow AaronBarr?.…Okay, we’re now following AaronBarr—he is our leader. He stole those Fox databases, he compromised over 3,000 ATM machines. Wait…shit.”

Topiary thought for a moment about what all this attention on Barr would look like: anyone who knew about the HBGary attack would know the same hackers were now LulzSec. He threw caution to the wind and preemptively put it all out there: “Hey e-detectives: we’ve taken a lot of interest in Mr. Barr, therefore we must be the HBGary hackers. Right? Of course.”

The team spent the next few weeks working through data they already had to plan their next stunt. Topiary, Sabu, and Kayla now had a small clutch of potential leads to work with. In the background was always Infragard, for which they could leak the details of about three hundred usernames and deface the home page.

In the meantime, Topiary’s relationship with Kayla was shifting; he was going from being her friend to being her student. Knowing that he was getting into serious activity with LulzSec, he asked her about her setup for staying so incognito. Kayla taught Topiary how to run a virtual machine, then suggested he run Linux as a virtual operating system and a chat client called X-chat through that virtual machine, which he did.

He also began to store his operating systems on a microSD card inside his encrypted MP3 player: a 32 GB SanDisk microSD, inside an 8 GB SanDisk MP3, inside an encrypted volume. Opening it now required a password and several key files, which were five MP3 songs out of thousands on his player. He had learned this entire setup from Kayla.

Despite many hours of conversations, he was still mystified by Kayla. She would sign off at around four or five a.m. U.K. time most nights, suggesting that was when she was going to bed. She had told Topiary she was not in the United States or the U.K. But in conversation she often made references to things like Lemsip, a cold and flu medicine found in British stores, and beans on toast, a very British snack favored by debt-ridden students.

On another occasion, when Kayla had agreed to meet online for an interview on U.K. time, she missed it, and then apologized that she had “got the time zones mixed up.” In May, Kayla also created a Twitter account, under the name @lolspoon, and it served as another way to confuse people about her true whereabouts. At 2:00 p.m. U.K. time, she would tweet, perhaps tongue in cheek, “Just woke up, early morning XD.”

Topiary had seen screenshots of her desktop, which featured a clock saying 8.41, GMT -8 hours. She had claimed it was a virtual install, which meant the clock wasn’t set up properly. Topiary’s virtual OS was also set to GMT -8 hours. Kayla’s desktop had been very girlie. She had colorful stars as one background for her host operating system; rainbows for her virtual OS; and an anime girl as another one for a terminal window. It may have been too girlie to be girlie—but then Topiary’s desktop was arguably too manly: it featured one collage of comics about sharks and another of a large Slenderman character—a mythical creature spawned on an image board a few years prior—in a black suit and red tie.

The online world has plenty of elaborate liars. Topiary recalled a girl on an old IRC network who fooled everyone online into thinking she was skinny by providing fake photos and acting defensively when talk turned to eating disorders. Once, she told a group of people in an IRC channel that she was going out to get a tattoo. Three hours later she came back online and uploaded a photo of a skinny human back completely covered with tattooed wings.

“This is it,” she said.

Topiary was immediately suspicious. He uploaded it to a website called tineye.com and did a reverse-image search to see where else the image had appeared on the Web. The tattoo was already all over the Web, so it wasn’t real. Eventually it led him to a video site and an account that included another image avatar (a painting) that the girl had used on her Skype account. One of its videos featured an obese girl playing the ukulele. The voice and alias details matched up.

Topiary had laughed a little but didn’t reveal the details. He didn’t want to destroy her online life.

Though he knew it could make his arrest more likely, Topiary started thinking about bringing his nickname back onto the public Web by using it on Twitter and on AnonOps IRC. But he needed some convincing, in the same way Sabu had needed convincing to get the team back together.

“Why have you kept ‘Kayla’ after all this time?” Topiary asked her.

“No one has ever doxxed me,” she replied. “It makes sense to just keep it.” People were always going to try to dox the nickname Topiary, she added. “But if your dox aren’t known you should just be Topiary and say ‘fuck you’ to all the haters.” Kayla’s mantra was to do all you could to be technically secure, then go out there and dismiss anyone who doubted you.

“Kayla’s words had really sunk in that day,” Topiary later said. “I loved her simplistic yet compelling argument: nobody knew who she was, so why should she feel pressured into changing her name? It was a sassy kick in the teeth to the doxers. A kind of ‘Yes, I’m still here, bitches, what of it?’ I was inspired.”

For the past two months, Topiary had been constantly changing nicknames to things like Slevin and Mainframe and trying not to say anything that would make people think he was the original Topiary. He was tired of the stress; maybe it would be nice for his online name to

anything that would make people think he was the original Topiary. He was tired of the stress; maybe it would be nice for his online name to get some of the credit for what was about to go down, and he didn’t like people thinking that Topiary had been arrested and had turned snitch.

So he opened up his old personal Twitter account, called @atopiary, and posted a single tweet. People in the #anonleaks chat room on AnonOps IRC went into a frenzy. Some suggested that the person behind the account was a spy. It was classic Anonymous. Topiary knew the rumors would die down soon enough. They always did.

In mid-May, the PBS news program Frontline showed a documentary about WikiLeaks that Sabu didn’t like one bit. It painted Julian Assange in a bad light. When he talked about it to the group, everyone else agreed. By chance, Kayla had found a vulnerability in one of PBS’s websites a few weeks earlier with her auto-scanning bot. Now Sabu asked the team if they agreed to make PBS their next big target. Never mind that it was America’s public broadcasting service and home to Sesame Street. There was no question—everyone was up for it.

As usual, Sabu entered the PBS network through a security hole Kayla had found, and then he started removing user data—a database of thirty-eight staffers here, hundreds of pressroom users there. Sometimes it was hard to know what was being taken. It didn’t matter. They’d publish it anyway. The team used a tool called Havij to more quickly download the databases for easy viewing. While Sabu and Kayla did the grunt work of hacking, Topiary and AVunit worked on some dramatic calling cards, something that would make Anonymous laugh. The group worked through the night, adding several new pages to the PBS website, starting with www.pbs.org/lulz/, which went to a page with a giant picture of Nyan Cat. This was a cartoon image of a cat flying through space and pooping a rainbow, one of the most famous Internet memes of all time.

They made another page, www.pbs.org/ShadowDXS/, featuring the photo of a fat man eating an enormous one-foot-tall hamburger with the caption “LOL HI I EAT CHILDRENS.” This was a shout-out to another Anon nicknamed ShadowDXS, a man of ample proportions who looked like Hugo from the TV series Lost. (Topiary went on to tweet something about Hugo from Lost, but then deleted it, thinking it was too silly. The Jester came to believe this signified a cover-up, that Sabu was someone actually named Hugo.)

Before the PBS hack, Topiary, Shadow, Pwnsauce, and about fifteen Anons whom they knew from AnonOps had all gone on TinyChat on Saturday night and gotten drunk while chatting via text, with a few on voice and even fewer on webcam. Topiary ended up posting a series of drunken tweets to several thousand followers through his personal account, including, “dudd, you have no idea how uch hotgowg repeat the same proces as the nigger behing barry shadow exx rainbows ubunche fa…” People kept sending him telephone numbers, hoping for a good show, and Topiary kept prank-calling them.

The next morning Barrett Brown woke up to several voice mails from Topiary saying he was “pursuant to being pursuant” as well as messages from a few raunchy transvestites who’d been given Brown’s number and promised a “booty call.” Topiary slept through most of Sunday, then, out of curiosity, dialed one of the many random U.S. numbers on his call history from the night before. He got an angry man with a Southern accent who said, “If you call me again you stupid Indian prick I’ll chop your fucking head off.” Topiary couldn’t remember the man at all but figured he’d had a good time with him. The fun that night seemed to overlap with LulzSec itself. Booze had put Topiary on a high when he was doing prank calls. LulzSec’s small audience and the team’s capabilities did the same when they were hitting PBS.

To Sabu’s later annoyance, Topiary’s Nyan Cat page seemed to say that this hack wasn’t about Assange but about lulz. To drive the point home, in the early hours of Monday British time, Topiary got into NewsHour’s content management system, essentially the system PBS used for publishing stories to its website, and realized he could publish a legitimate-looking news story directly on the PBS NewsHour website.

At first he wanted to make it about Obama choking on a marshmallow. But when he suggested it to the others in the group, they decided a better story would be about Tupac Shakur, the American rapper who had been fatally shot in Las Vegas in 1996 but who in death had enjoyed Elvis-like rumors that he was still alive. In about fifteen minutes Topiary had written up an elaborate story, paragraph by paragraph, in the IRC chat, titled “Tupac Found Alive in New Zealand”:

Prominent rapper Tupac has been found alive and well in a small resort in New Zealand, locals report. The small town—unnamed due to security risks—allegedly housed Tupac and Biggie Smalls (another rapper) for several years. One local, David File, recently passed