
Rightwing hacker nailed: Black Hat Down

by repost
Clorox the g00n thought he was a badass hacker. He wasn't badass enough. He's now been outed as Brett Chance from Plano, TX, suspended from his college, and faces potential criminal prosecution.
by Joel Warner, Boulder Weekly
14 May 2005

At 8:20 a.m. on Thursday, April 28, Glen Newell, coffee in hand, opened up a web browser on his home computer in Denver, typed in a web address and caught his breath.

Newell is a heavy-set guy with small, metal-frame glasses who wears a flash drive on a cord around his neck. When he's not preoccupied by his day job as an information-technology consultant, Newell offers his expertise to the Colorado Independent Media Center, a volunteer-run news site where people post articles, opinion pieces, photos and links relating to politics and political movements. As part of the 200-plus-chapter global Indymedia movement, CO-IMC, as it's called in short, has been electronically publishing eye-witness accounts of Colorado peace protests and deconstructions of the myriad CU scandals since the turn of this century.

But on this Thursday morning, as Newell's browser loaded up the web page at colorado.indymedia.org, gone were the articles, the multimedia library, the calendar of upcoming events, the archive of five years of community-developed reporting. Instead, Newell's screen was filled with the following message:

"g00ns r00ted th1s

You have lied to the American People over and over again... Expect more of this. American Imperialism is non-existent. Our soldiers are dying over sees to give men, women, and children a taste of freedom and you call them imperialists. You are nothing but pigs. You are not against Bush you are against Republicans, you are against anyone who has a different opinion and way of thinking than you. Your box got rooted for lying to the American people."

The letter was signed, "Defaced by clorox."

CO-IMC's server, the hard drive storing all the information for the website, was located in the Boulder offices of the Free Speech TV television channel. Representatives of Free Speech TV were not pleased at the news. The channel was in the midst of a major pledge drive; the last thing it needed was a hacker breaking into its servers.

By 11 a.m., CO-IMC volunteers and Free Speech TV staff decided the risk of further computer infiltration was too great. They pulled the plug on CO-IMC's server. The Colorado Independent Media Center disappeared off the Internet.

Meanwhile, news of similar Indymedia hacks started pouring in from around the globe. New Jersey was hit, and so were Austin, Atlanta and Arkansas. The list grew throughout the night and into the next day: New York, Maine, Michigan, Israel, Australia. When it was all over, at least 18 Indymedia sites were infiltrated around the world.

Somewhere out in the ether, clorox had been busy.

There's no place like 127.0.0.1

The g00ns' Internet home base, http://www.g00ns-forum.com, provides scant information on the member who goes by the alias clorox. Clorox's profile page on the website notes he's male, born Jan. 16, 1984. The profile adds his machinery of choice is a 512-megabyte desktop with an Athlon XP processor, that he's Republican and likes the metal band Mudvayne. Under "Location," clorox's profile reads, "127.0.0.1."

The number is a computer-nerd joke. If you try to connect over the Web to the Internet Protocol [IP] address 127.0.0.1, you'll be connected to your own computer. It's computer-speak for "home," which is why you might see a geek or two sporting a T-shirt emblazoned with, "There's no place like 127.0.0.1."

For clorox, "127.0.0.1" is actually a community just outside of Dallas, Texas. He'll tell you as much over the phone. Clorox has a slight Texas accent, a touch more subtle than that of George W. Bush.

"I'm the guy that everyone else wouldn't think would hack," he says. "A lot of people would picture hackers as fat, long-haired guys."

Clorox describes himself as being 5 feet 5 inches, 130 pounds, with brown hair and brown eyes. He has hyperthyroid disease, he says, which makes him look like he's 14.

Clorox first became interested in making computer programs do unexpected things while in a Louisiana high school. Hanging out at the school library, clorox discovered that when a patron used a library card, the library computer displayed that person's social security number. Clorox used this information to access the teachers' e-mail server, where a teacher's username and password were comprised of her initials and her social security number. Then, using a teacher's e-mail address, it was easy for clorox to dupe a school techie into giving him administrator privileges for the school network. This essentially gave him control of every computer in the school.

One day, right before the lunch menu was to be distributed around the school, clorox used his administrator privileges to access a guidance-counselor computer and changed the entrée on the menu to "Shit on a stick." When the students received their lunch notices that day, they found each entrée listing blacked-out by hand.

Clorox loved the idea of going places he wasn't supposed to go, doing things he wasn't supposed to do. Kevin Mitnick became his idol. In 1995, Mitnick achieved international notoriety when he was convicted and jailed for breaking into some of the most secure computers in the world. Clorox equated his own experiences with Mitnick's story.

"That's kind of how I felt at school," he says. "I wasn't the most popular kid, and all the corporations were just being down on [Mitnick]. Me and him had some kind of parallel. So the things that he did were the things I wanted to learn how to do. I wanted some of that infamous aura. And that's something I went after."

After being turned down for medical reasons by the Army, clorox enrolled in community college in Texas. He began dabbling in trojan horse programs, which allowed him to secretly spy on and control other people's computers. He taught himself the basics of social engineering, tricking computer users into giving him access codes and valuable information. He learned how to "gain root" of a "box," in other words taking complete control of a computer. In short, he was becoming a hacker.

Contrary to the stereotype, a hacker isn't necessarily bad. The term "hack" was reportedly coined by members of an MIT model-railroad club in the 1960s to describe clever ways they improved their railroad systems. The term migrated over to the nascent computer industry to describe methods of changing and improving programs. Some of the first hackers can be credited with helping to create the Internet as we know it. Many hackers are "white hats," meaning they have the skills to access computer programs and networks, but only do so when authorized to. "Black-hat" hackers are the ones who break into systems, a technique also known as cracking. While many hackers fall into the "gray hat" middle ground, clorox had no illusions—he was a cracker, a black hat. And he wanted to join a crew.

The Wild West

Clorox's exploits, rooting boxes, defacing websites, began attracting attention. One of those who took notice was z3r0.

Z3r0, who lives in the eastern United States, describes himself as 27 years old, 5 feet 9 inches, 170 pounds, clean-shaven with multiple ear piercings and blond highlights. Z3r0 has more than 50 computers in his house—in his office, in the master bedroom, in the closets, in the kitchen—plus more than a thousand books on computers. He spends six to 10 hours a day in front of a computer screen, not including his day job.

Until the mid-1990s, z3r0 and his fellow computer geeks were free to explore the burgeoning Internet unencumbered. But then the dot-coms boomed, everyone got AOL, and z3r0 suddenly found himself drowning in neophytes.

"Me and a lot of my friends were frustrated. Maybe it's a little bit arrogant of me to say this, but we kind of felt the Internet was ours. We helped it grow, and all of a sudden there were all these people in our house," he says.

Z3r0 and his buddies decided it was time to teach people to respect the Internet. They created a clan of sorts, with a defined hierarchy and command-and-control structure. Instead of going after established hackers and crackers, they decided to recruit people "out of the cesspool," people who might be novices but who were fresh and committed and who could be molded. Finally, they came up with a name: g00ns. Sure, it was cribbed from the film Goonies, but it also brought to mind the mafia, hit-men-for-hire.

Clorox was one of the first people z3r0 asked to join. He became one of the original eight, now known as the old-timers, who sport handles like CoRrUpTeD, ArYa, Wicked, Mayo and Spic. New members can join, but they have to go through a vetting and hazing routine that can take weeks or months, and even then they might not score the unanimous vote needed to become a full-fledged g00n.

The g00ns are known for all kinds of mischief. Sometimes they root people's boxes, taking control of a website and defacing it. Sometimes they launch a Distributed Denial of Service, or DDOS, which sends so many e-mails to a particular server it's essentially shut down. Sometimes they partake in forum rages, logging into a discussion board and slowly changing the topic of discussion—like, say, the war in Iraq—to something ludicrously different, such as Christina Applegate. Their handiwork isn't limited to computers; often they'll inundate a target with harassing phone calls. Whatever they do, they'll be sure to leave a calling card—"g00ns r00ted th1s."

Z3r0 says the g00ns' attacks aren't random—their targets must have offended the g00ns in some way. Maybe someone posted something online that pissed off one of the g00ns. Maybe a bunch of inexperienced crackers (derogatively referred to as "script kiddies") were encroaching on the g00ns' territory. Every now and then an outsider comes to the g00ns asking for help.

In this way, z3r0 says the g00ns are like an Internet A-team: If someone screwed you on an eBay transaction, if no one else can help, and if you can find them, maybe you can hire the g00ns.

"The Internet is like the wild west, man. Who's going to stop everybody from doing what they want to?" says z3r0. "We try to put a noble cause into these things."

Clorox has played a major role in the g00ns' street cred. He's flourished in the g00ns, becoming a master at C++, a programming code used in many malicious software programs. He's even dabbled in darker stuff, making money off hacking ad programs, selling himself out to people who want to get back at a certain person or company. He has his limits, though—he won't hack Christian websites, and he won't do the dirty work for disgruntled workers wanting to get back at an old boss.

"He's definitely on his way to becoming one of the great ones," says z3r0. But the g00ns' founder doesn't want clorox to try to break into Microsoft or something. While the Internet might be the Wild West, there's still a sheriff—the FBI—and if you make enough noise, he's bound to come knocking on your door. He hopes people like clorox learn that lesson before it's too late.

"He's very talented, but he's got a lot to learn," he says. "Clorox is a lot more aggressive than I am. I've learned from my mistakes, and he will, too."

Battle of the hacktivists

When you're a hacker, the main weapon against you is your identity. That's why when someone stripped away clorox's avatar and hit him where it hurts, he wanted payback.

It started with clorox's politics. He comes from a Roman Catholic, Republican family, and while he considers himself technically an independent, during the 2004 election he was strongly pro-Bush. He joined ProtestWarrior.com, an organization that poked fun at and disrupted liberal protestors during the campaign. Then someone hacked the ProtestWarrior.com website and posted personal information about its members—including clorox—on Indymedia websites. Clorox says it took the Indymedia sites weeks to remove the hacked information, despite multiple requests. On the other hand, says clorox, Indymedia sites would eliminate any pro-Bush articles he posted on their sites almost immediately.

"They claim to be a free speech outlet, but they're not," says clorox. "So that's the time when my skills in hacking and political ideology merged, and I was ready to take it to the next level."

Clorox gathered similar-minded hackers around him and created rightwingextremist.org, dedicated to combating left-wing hackers over the Internet. It was a combination of politics and hacking, one so-called "hacktivist" group against another. Eventually clorox discovered a weakness in Indymedia's website programming that allowed him to install a hack that redirected Indymedia visitors to websites of his choosing, like rightwingextremist.org and other pro-Bush sites.

But the Indymedia folks fought back. They discovered clorox's real identity and threatened to expose him if he didn't back off. Clorox says he did what they asked, but that they still contacted his school and his family. For clorox, that was stepping over the line.

"It is kind of like a two-life thing. I try to not get my family too involved," he says. "If they hack me, props. I would give them all the props in the world. But you don't go to the law, you don't screw with someone's life. That's not following the code."

At the time, clorox was known by the handle "elac." He changed his alias to clorox, but he still had unfinished business. He began watching Indymedia websites, reading through the posts on their technical pages, waiting for the right opportunity. He found his chance when, about a month ago, an Indymedia administrator posted a warning online about a software vulnerability that could allow crackers to take over entire Indymedia servers. It was just what clorox was looking for.

On Thursday, April 28, clorox sat down at one of his college's computers and ran an exploit, a program that took advantage of the vulnerability in the Indymedia software. Within moments, he was in. Clorox moved from one Indymedia server to the next, one site after another. While the resulting cracks looked like he'd deleted everything on the sites, he says he didn't. He instructed the websites to ignore the information stored on the servers and instead load a new webpage of his own design—hence the "You have lied to the American People over and over again..." messages people found on Indymedia sites all over the world.

Over the next few days, clorox cracked an assortment of Indymedia websites, many of which had nothing to do with his original altercation. In a few instances, after the cracked Indymedia sites came back online and volunteers posted taunting messages that no permanent damage had been done, clorox says he cracked these sites again and deleted all the information on their servers, just to show them he could. He says he could have disguised the location of the computer he was working off of, but he chose not to.

"I wanted them to know who I was and where I was coming from," he says.

Even if they came after him, clorox knew the g00ns had him covered.

"It's really cool that you got people who've got your back, because a lot of people in the community right now are nothing but liars," he says. "If I went down for Indymedia, Indymedia wouldn't be there anymore."

Clorox admits he doesn't want to get busted. But he says that, deep down, maybe he wants that notoriety, just like his idol Kevin Mitnick.

"I understand what could happen. I mean, sure I do. I don't want to get caught. But if it happens, it happens," he says. "It would be kind of neat to have my face in the paper."

Takedown

When clorox answers the phone on Monday, May 9, some of the characteristic swagger has left his voice. The Thursday before, he'd been summoned to his dean's office. Indymedia volunteers had discovered who was behind the hack and posted clorox's identity online—his name, his college, even his medical history. Hundreds of people had called clorox's college to complain, and now the school wanted answers.

The next day, clorox got a call from the campus sergeant. When he arrived at the sergeant's office, two officers approached him and flashed their badges: FBI.

While clorox hadn't cracked a major corporate website or snooped around top-secret files, his actions still might be a violation of federal law 18,1030: "Fraud and Related Activity in Connection with Computers," says David Mahon, FBI supervisory special agent in charge of the cyber crime unit for Colorado and Wyoming. Mahon oversees a department that tackles online corporate fraud, international cyber espionage and child pornography rings, among other high-profile crimes. But that doesn't mean he'll cut a minor cracker like clorox any slack.

"If you hack into a network and steal someone's [research and development], or hack into a network and steal a mailing list or deface it, you are still committing the same thing—a felony," he says. "Saying you deface a website as a statement of free speech, it's still a crime."

Ironically, says Mahon, clorox's "free speech"-inspired crack is counter-intuitive.

"By actually hacking, they are encouraging more regulation of the Internet," he says. "They are basically knocking on the door of law enforcement and saying, 'Do something.'"

Even in the hacker community, clorox's crack is largely seen as nothing more than a malicious script-kiddie stunt.

"It's not particularly respected by the hackers I know, mostly because it's destructive and random. It's almost viewed as a form of Internet vandalism," says Oxblood Ruffin, "foreign minister" of the Cult of the Dead Cow, a long-standing hacker group that coined the phrase "hacktivism" to describe hacking for political purposes. "There's not a whole lot of difference between someone like this and someone who goes to a graveyard to kick over some gravestones."

While some members of the Indymedia community appear to be pushing for federal prosecution, the main volunteers behind CO-IMC aren't among them. They've been too busy getting their own website back online.

CO-IMC volunteers say clorox's claim that Indymedia sites only publish anti-Bush rhetoric is ridiculous. But despite clorox's delusions, they add, they've benefited from his crack. News of the attack has brought increased attention to the Colorado organization, and volunteers are using the opportunity to reinvigorate the website.

"I guess we are not going to learn about our vulnerabilities unless he shows it to us," says Doug Bohm, one of the founders of CO-IMC. Some of the volunteers joke they may send him a thank-you card and a box of chocolates.

It would be one of the few nice gestures clorox can expect. He used to get several phone calls a day from other g00ns; since the authorities got involved, z3r0 has been one of the only members who's called. On Tuesday, May 10, the Colorado Independent Media Center finally came back online. At the same time, http://www.goons-forum.com had, at least for the time being, disappeared off the Internet.

"What I once thought was a hard-core community is actually just a bunch of kids," says clorox. "As soon as something goes down, they all run away."

Clorox's college suspended him for two years. He's waiting to hear from the FBI about criminal prosecution. His family now knows everything that happened. And he says he won't be doing any black-hat operations for a while.

"It's like when you get into a physical fight. During the whole thing it seems like this serious issue. But afterwards you look back and say, that's pretty stupid," he says.

On the bright side, says Clorox, his run-in with the feds reinforced his idea of a dream job: working for the FBI.

"There were a few times during the conversation I was like, wow, this has to be the coolest job. I would probably get the same thrill out of that that I do out of the black-hat stuff," he says. "How ironic is that. I've always wanted to be the one who catches the bad guy, even if sometimes I am the bad guy."

Mahon, however, has some bad news for clorox.

"He's deluding himself into thinking that we would hire him," he says. "There's a lot of good things a person like that can do that make them stand out that doesn't involve criminal activity."

http://nyc.indymedia.org/newswire/display/150120/index.php

--

see also: http://houston.indymedia.org/news/2005/05/39082.php