Anonymous: Analysis of group structure and #OpIran Mission

Completed for Social Facts with Clay Shirky at the Interactive Telecommunications Program
February 16, 2011

Basic rule: Blend in with the crowd, disperse into the stream. Keep a low profile. Don’t try to be special. Remember, when in Rome, do as Romans do. Don’t try to be a smart ass. FEDs are many, Anonymous is Legion, but you are only one. There are no old heros, there are only young heros and dead heros.”

Anonymous-the uber-secret handbook, compiled by Anonymii, version 0.1.3, date 15.02.111

Anonymous: a flag flown in the name of an innovative form of direct action; a title for an amorphous affiliation of un-named participants, who’s existence depends upon an ever-growing list of directives, and an intrinsically motivated sense of Justice. The Wikipedia entry for Anonymous (which I assume those operating under the flag of Anonymous find satisfactory or else it would have long ago been modified) defines it as a meme “representing the concept of many on-line community users simultaneously existing as an anarchic, digitized global brain.” A representation of a concept via meme is an accurate, if mind-twisting characterization that captures just what makes Anonymous one of the most compelling and mis-categorized phenomena in digital current events.

Anonymous maintains a unique form of self-definition. In always moving between spaces and denying any unified or stable membership, those who define themselves as Anonymous underline a deliberate separation of the greater Anonymous meme from the execution of specific actions. Anonymous is found nowhere specifically at any given point of time, until those flying its flag coalesce at certain points to engage in highly specialized disruptive acts directed towards constantly shifting targets. Its structure is as transparent at the macro level as it is opaque at the micro level. The transparency facilitates many observers, but it is the obfuscation of its individual members, through continually evolving procedures, that makes it possible for it to operate at all.

Anonymous’ iterative self-realization goes hand in hand with the inherent instability of its structure. Just as a wall only keeps out invaders for a certain period of time and necessitates an ever-changing defense system, “Security is a continuing process, not a state.” All discussion and structure is treated in such a way that responsibility rests entirely with those who carry the flag; thus they are advised to conduct “regular audits and encrypted backups.” Security for Anons is security for Anonymous. It would be ridiculous and impossible to go after a meme, but a lazy Anon can end up on an FBI investigation list, and indeed, that is what happened to a number of Anons in December 20102.

In Anonymous-the Uber-Secret Handbook, compiled by Anonymii, version 0.1.3, date 15.02.11, Anonimii state that “the greatest threats to your safety are A) social engineering and your behavior and B) revealing your IP address.” You are instructed to “not give any personal information on the IRC chat as it is public, you mom could read what you write there and so could the Police. And don’t mention your involvement with Anonymous in your real life.” The handbook lays out at a micro level a specific list of procedures designed to prevent the unmasking of Anons.
Among Anonymous’ recent best known acts are DDOoS attacks on Amazon, PayPal, MasterCard, Visa, and recently the HBGary website (also hacking into company email, uncovering a decompiled version of Stuxnet, the code of which was uploaded to Github and posted to Twitter on February 19th). DDoS attacks are conducted via ‘Hive Mind,’ in which participating Anons voluntarily activate a program called LOIC on their computers, to form a voluntary botnet.3

Though there is no center or single central meeting point for Anonymous, there are stable and temporary nodes into which both participants and observers can enter. The AnonOps forum at http://www.anonops.net/ has permanence. My entry into Anonymous came via AnonOps.net, which considers itself an Ops meeting node, made viable through ‘free speech hosting’ via provider Heihachi.net, “DDoS Protected Offshore Bullet Proof Hosting” “here to provide a service for anyone to speak freely on a subject.”

AnonOps.net emerged from pro-Wikileaks Operation: Payback as a security solution for operations conducted by Anonymous, yet it forcefully outlines its organizational autonomy: “We are not Anonymous. We are not 4chan. We are not Operation: Payback and we did not attack any websites. We are merely a network frequented by their movement.” I spent time on AnonOps.net long enough to find Internet Relay Chats of interest, but from that point on I would directly enter into the IRC via URL link.

Internet Relay Chats are where Anons engage in real-time communication; setting directives, comparing notes, and shooting the breeze. The most vital characteristic of the IRCs is that there is no facility or mechanism to archive conversations. A user can enter the IRC either through a server port or link. Using a server port, in conjunction with VPN software, allows for greater security by masking your IP. During my investigation, I did not download the chat client needed to connect through a server port, perhaps compromising my own security (though I did not participate in any missions via LOIC or in any other respect.

New IRCs form as chat participants, Admins, and Operators identify situations ripe for intervention, thus the IRCs become devoted to special “Ops” and topics. Suggestions from Anons are considered by the Admins and Operators. Channels fluctuate in participant numbers and facilitate large conversational breadth, which can cover at any one time both technical updates and asides into “( o ) ( o )” and “8====D,” though this type of 4chan-style sharing tends to be met with reprimands to get back to the Current Channel Topic.

While anyone can theoretically become involved in the Ops, the aspiring member must be sufficiently motivated to find information for entrance into discussion forums and real-time conversations. Those who participate in Ops by following specifically laid-out instructions experience a satisfying direct line from their pooled actions to outcomes. An Anon feels a swell of pride at the successful denial of service to a website, knowing that it was their vital link, (via LOIC) into the voluntary botnet that made it possible. By making websites temporaily unavailable through distributed denial of service, Anons make a statement that propagates their message and hopefully inspires activists native to the situations they have taken up cause with.

It seems pride is also fed by feeling at some level that Anons are actual soldiers with real firepower. The term “Low Orbital Ion Cannon” is a joke, but the language around using it is humorously jingoistic:
[14:44] (Redacted #1) I’M FIRING MAH LAZER!
[14:44] (Redacted #1) FIRE
[14:44] (Redacted #1) BOOM
Sense of belonging seems both driven by a desire to share a certain brand of humor and to generate results that give it form. For Anons, humor is political.
[12:24] (Redacted #3) among our ranks we have quite a number of those that do it for the lulz.
12:24] (Redacted #4): anonymous is powered by the lulz.
What came next showed an inherent self-consciousness about the historically schadenfreude-tinted sensibilities of Anonymous, and its 4Chan origins:
[12:24] Redacted #3)I don’t think it necessitates giving up. I like tilting at windmills. But I have no illusions about people being intrinsically good and kind.
[12:25] (Redacted #4) Fine. Lets take that. There is no intrinsic need for goodness. Superficial goodness will do.-
[12:25] (Redacted #4) Convenience will do.-
[12:25] (Redacted #4) Fear will do.-
12:25] (Redacted #4) (AND some, some just some, might be good, or good enough, or temporarily good enough…
[12:25] (redacted #5) haha regardless efg, even if its not for the cause of “good” the good is getting done.

Desire for “Lulz” certainly motivates Anon missions, but one might go so far as to say that Lulz becomes a political quest for justice rather than a desire to punish primarily for hilarity’s sake.

On February 14th, in parallel with the fledgling protests on the ground, AnonOps created a new channel, #OpIran, in which discussion and strategy building began for how best to assist protestors and dissidents on the ground. (Redacted #6) – identifiable as either the channel Admin or Operator, quickly put forth a downloadable ‘care package’ for a White Fax Spam Campaign utilizing free internet fax. The package contained general notes of encouragement, as well as instructions for Iranians to create secure internet connections via use of I2P, which “will act as a relay and make the network more robust for the Iranians.” (Previously Anons used TOR, but “ Iranian security services are blocking access to TOR somehow”). Concurrently, #OpIran began a series DDoS attacks against leader.ir, basij.ir, justice.ir, mfa.gov.ir:

[18:39] (redacted #6) This is an ALL NEW White Fax/Spam campaign focusing on I2P which we have packaged into a nice little 10 mb download we are calling Op iran Care Package Light. it contains I2P, a cool Op Iran poster/flyer and the Farsi instructions on the LOIC. The URL for this new action is the same as the last, I simply updated the page with the new info – so if you already have the old one bookmarked just refresh and you go it. So, it’s here.

After (redacted #6)s initial instructions, (redacted #7) took up the torch, reiterating the Channel Topic every few minutes for new IRC entrants, and modifying it nearly hourly in accordance with changing instructions:

[20:07](redacted #7): #OpIran- Channel Topic: CURRENT TARGET: khamenei.ir–TCP 80 | FAX NAO: http://pastebin.com/xwJEhCrd | PR: http://pastebin.info/1119 VIDEOS: http://bit.ly/fnB8lR http://bit.ly/gH0qIa | LOIC: loic.anonops.in #ir1, #ir2; Farsi loic help: http://bit.ly/epqdAp | Carepackage http://bit.ly/ek0VQ4

On February 14th, Anons in the IRCs were riding high after success with #OpTunisia and #OpEgypt, their contributions falling within the more meaningful, effective noise social media had arguably managed to create. #OpTunisia was seen to have successfully inspired Tunisians to conduct their own hacktivism. Of course, there is a meaningful distinction between AnonOps’ unique brand of hacktivism and forms of expression made manifest via other social media platforms. While the act of tweeting occurs through a heavily designed platform with minimal barriers for new users, actions such as undertaking DDoS attacks or defacement of websites can be a disruptive, self-initiated activity pushing the actor outside the spheres of law, though bound to a very specific protocol.

In the case of Anon’s involvement in the Middle Eastern protests since December 25th, the act of defacing an official government website is intended to both propagate Anonymous’ message to the media, and to inspire activists native to the situations AnonOps has taken up cause with to propagate anti-gov actions into both virtual and ‘meat space.’

By the evening of February 14th, #OpIran had managed for intermittent periods to take down Leader.ir, khamenei.ir, parliran.ir, and president.ir. This begs to question how one qualifies a #Op to be a success. Does only intermittent website downtime signify failure? The #OpIran metrics for success entails assorted Op members checking the DDoS’d site to see if it is accessible, excitedly pointing out if it appears to be down, and then checking in for confirmations from others:

[12:30](Redacted #8)!check irna.ir
[12:30](Redacted #8) It’s not just you! http://irna.ir looks down from here.
[12:32](Redacted #8) if we can get to them – long shot but low cost – it would do much good.
[12:34](Redacted # )(Likes “low cost / good result” ratio way of puttin’ things. That is, partially, it.)

From February 14th-19th, (redacted #6) appeared to consistently to spearhead the QA; for all 5 days that I followed the chat, he remained in charge of confirming successful DDoS attacks. In these missions, success is often not something achieved instantaneously or decidedly. It’s understood that success is tenuous, but this is accepted as it comes at ‘low cost.’ Later in the day, Ops member (redacted #8) gave an international rundown which (redacted #6) confirmed. This lead to an outpouring of encouragement among Ops members:

[15:39](Redacted #6) http://khamenei.ir down from Hong Kong, Munich, Cologne, New York, Stockholm, Vancouver, London, Padova, Amsterdam, Paris.
[15:39](Redacted #6) Good work, Gentlemen.
[15:39(Redacted #9)]It’s not just you! http://khamenei.ir looks down from here.
[15:39](Redacted #11)) nicely done, that was quick
[15:39](Redacted #11) now keep it down
[15:40](Redacted #12) good work
[15:40](Redacted #13) hoho lovely
[15:40](Redacted #14) gogogo
[15:40](Redacted #14) good work
[15:40] * sh4ri4 is proud of the little channel that could

Though specific defacements are pursued for extended periods of time, members check back periodically to provide new suggestions when certain targets show themselves to be unrealistic:

[12:39](redacted #15) FOrget irna.ir
[12:39](redacted #15) go for bmi.ir
[15:23](redacted #6) hey chaps, the target’s changing again soon
[15:25](redacted #6) now it’s changed.
[15:25](redacted #6) thank you for waiting, though!
[15:25](redacted #6)Target’s changed, people

From Monday 2/14 through Tuesday 2/15, the amount of chat users in the #OpIran IRC increased about three-fold. Some were carry-over from previously active channels (#OpEgypt became very quiet), but a number of users of the IRC were newly interested observers made aware of AnonOps via mainstream media. IRC coordinators periodically offered to PM (private message) with any journalists in the IRC, and I saw responses to this solicitation twice on 2/15. There seemed to be a direct line in place between action coordinated via IRC, and media coverage; it took no longer than a few hours of substantial activity in the channel for the wall street journal to make note of OpIran.
[20:20](redacted #16) hey we’re in the Wall Street Journal guise.

At 4:31, on the same day that the OpIran IRC channel was created, Cassel Bryan-Low wrote for WSJ.com that “the online collective known as “Anonymous,” which has attacked a number of corporate and other websites in apparent retaliation for moves against the document-leaking organization WikiLeaks, said Monday it has turned its attention to Iran.”

On Wednesday 2/16, I was surprised to see that I could no longer automatically log into the #OpIran IRC. In a surge of panic, I logged into #OpEgypt, still open but quiet, asking “hey guys, do you know what’s happening with the #OPIran IRC? I can’t log in.” Within 10 seconds I received a reply from a IRC member; “I will check.” After another 10 seconds, I received access as a newly registered user to the #OpIran IRC. This seemed to show an almost instantaneous pace of coordination among the Operators and Admins of the IRCs. This also seemed to mark a point at which Ops members had decided that consolidation and security were more important than recruitment and outside observation.

The increased security of the IRC coincided with the point at which it became clear that Iranian protests would reach no tipping point.

[12:29] (redacted #6) guys the protests in tehran were very crowded but disperesed, hearing back from lots of people at home
[12:36](redacted #8) Derp! Iran protest crackdown condemned | Amnesty International
[12:30](redacted #8) iran will not be as egypt
[12:40](redacted #8) Derp! BBC News – Iran police fire tear gas at opposition rally in Tehran
[12:41](redacted #8) reports of Iranian republican guard on the streets
[12:41](redacted #12)lol
[12:41](redacted #12) sure?
[12:41](redacted #8)this is getting serious
[12:42](redacted #8) wow, protests in portugal are planned for March 12… this is the year of protests! W00t!

Aside from the extent of on-topic conversation, the quality of the conversation in the #OpIran IRC was variable. Most conversation seemed inoffensive and cordial while the group remained on task, but interjections came with fair frequency:
[12:08](redacted #16) Fuck the Jews, no offence (sic).
This came on day 4 of the Op, on 2/17, at which point morale was low.

Discussion turned to a general indictment of colonialism. One user took pains to point out a genocide of “500k jews by Hitler” had lead up to the founding of the Jewish state.

During the 5 days spent in the #OpIran IRC, there was one major point of contention between Anons. While the Anonymous handbook lays out definitely that Anons should “never attack media,” on February 17th, #OpIran leads decided to pursue the Islamic Republic News Agency, Irna.ir.
[12:29](redacted #8) heh yah irib is not “media”
[12:30] #OpIran- Channel Topic: OUR TARGETING medias is against Anonymous rules, but is in respond to Islamic Regime sending parazit to the whole Hotbird satellite, and DDoSing opposition medias, Such as Kaleme and Balatarin
[12:43](redacted #10) but why Irna
[12:43(redacted #8)] irna sux bigtime
[12:4](redacted #8) its only news station for idiots like ahmadinejad
[12:44](redacted #6) do NOT attack media
[12:45](redacted #6) first media, now banks, what next pensioen funds?
As the debate kicked, up, (redacted#3) changed the official topic of the channel to reflect what was obviously an argument of a certain significance. 11 minutes later, the debate was closed, and the Current Target became Irna.ir.
[12:41] #OpIran- Channel Topic: CURRENT TARGET: IRNA.IR TCP 80 | FAX NAO: http://pastebin.com/xwJEhCrd | PR: http://pastebin.info/1119 VIDEOS: http://bit.ly/fnB8lR http://bit.ly/gH0qIa | LOIC: loic.anonops.in #loic ; Farsi loic help: http://bit.ly/epqdAp | Carepackage http://bit.ly/ek0VQ4

The controversy of attacking IRNA seemed to get the ball rolling on discussion of carrying out further controversial acts. Ultimately, IRNA seemed to be as far as anyone was willing to cross the line in the period that I observed the IRC.

[12:44](redacted #8) ATTACK THE BANK
[12:44](redacted #8)BMI.ir
[12:46](redacted #18) any chance we can actually hack one of these sites and put something funny on there?
[12:50](redacted #6) facepalm:
[12:50](redacted #6) I don’t care if you wanna to attack leaders or media sites
[12:50](redacted #8) hmmm attack their power grid?
[12:50](redacted #6) but bmi.ir is for iranian people
[12:50](redacted #6) no, not power grid
[12:50](redacted #6) people are going to far
[12:50](redacted #8) too much collateral, come on
[12:50](redacted #10) Don’t worry, people suggest retarded shit all the time.
[12:50](redacted #6) true

This exchange demonstrated that while conversation is free and suggestions are taken, potential acts are debated in the context of the greater moral code of Anonymous. When the code, as laid out in Rules of Anonymous, is intentionally breached, it is done soberly and with exception.

The breach of the Rules of Anonymous in the service of attacking government run media website IRNA seems like a significant turn in group dynamics, opening the door to further contention.

(exerpt from Anonymous-the Uber-Secret Handbook):

Q:Why not attack that newspaper/TV/Radiostation?
A:Anonymous does not attack media.
Q:That is no media! It only spreads lies and propaganda!
A:Freedom of speech counts for assholes too3

Though it is probable that their attack on IRNA is what caused a temporary DDoS attack on their servers on 2/16, a DDoS attack in retaliation of Anonymous seems almost inevitable, and #OpIran took it in stride.

What initially drew me to look at Anonymous was the news on January 29th that the FBI issued 40 search warrants in connection with various DDoS attacks carried out over the past year. The FBI’s tactics seem to be more sophisticated than those undertaken by HBGary’s CEO, who claimed he’d identified all key leaders of Anonymous through a unique means worthy of Government investment: drawing lines between login times on Twitter, Facebook, and IRCs and the content posted to respective accounts. Humorously, his means are either directly inspired by the Anonymous handbook, or directly lead Anonymii to update their security advice within the Handbook. Which came first?

Excerpt:
* Never connect at same time. Try to alternate.
* Do not post on the public net while you are in the IRC, and definitely do not mention that you are posting something on Twitter. This is easy to correlate.
* Don’t discuss whether you personally are DDOSing or writing How-Tos or Nmap’ing the target, making graphics etc. or not, just discuss general strategy
* Do not post pictures hosted on Facebook. The filename contains your profile ID.
* Stagger your login & log out times on FaceBook, Twitter & IRC. They can be compared for user info.

I would conclude that the design of various operations undertaken by Anonymii revolves around a shifting tradeoff between taking up defensive security measures and offensive goal-seeking, and that Anonymii act immediately to address inadequacies in security as they arise. The next decision around the design of their group dynamics will be made when the walls have been felt to be breached. In the meantime, Anons must negotiate the ramifications of the exceptions they make to their own rules.