The infamous hacking group LulzSec, which aligned itself with Anonymous, was responsible for hacking some high-profile sites and companies like Sony and PBS. The founder of LulzSec, Hector Monsegur, known by his hacker handle Sabu, now works for Rhino Security Labs, a company that helps businesses assess cybersecurity threats so they can plan to combat them. He talked to Marketplace Tech host Ben Johnson for our series on hacktivism. Below is an edited transcript of their conversation.
Ben Johnson: You started hacking when you were you were very young. Some people have been quick to say you used your hacking skills for your personal benefit, but you said that you considered yourself at one point at least to be a hacktivist right?
Hector Monsegur: Well I was at one point. You know there was a point in time where hacktivism really became something that people were considering. That was a really interesting time frame because...I'm what — 16 (years old), I am on the Internet, I have political ambitions, I have thoughts and opinions about things. And it just so happens that you know I started participating in hacktivism, the first one being my protest against the government of Puerto Rico and the United States Navy.
Johnson: Yeah. So what did you do?
Monsegur: Well I ended up infiltrating the government of Puerto Rico and I left them a nice little message.
|Is 'hacktivism' a force for good ... or chaos?|
|How hacktivism intersects with the law|
|The former Mormon who created a hacktivist website|
Johnson: Tell me a little bit more of where that led for you. How did you get involved in Anonymous?
Monsegur: I participate in Anonymous because I saw the collateral murder video.
Johnson: Just for those who don't know it, describe the video.
Monsegur: So the collateral murder video was a recording done by, I think it was the U.S. Army. They were doing an operation out in Iraq and they were filming the operation. They had spotted a couple of alleged terrorists. Turns out these guys were journalists. It was a situation where they essentially bombed these people. We find out later on they weren't terrorists.
Johnson: So you see this video, it affected you, it had a deep effect on you. How did that change your behavior in the digital space?
Monsegur: Well, it brought back Sabu. It brought Sabu back from retirement. And I am sorry to speak about that, like in third person, but that was just kind of like my online personality, my own persona. And so you know, I saw this video and my old feelings of hacktivism came back and Sabu came out of retirement and it was just a matter of, "what can I do to help?" Well, just so happens that Anonymous was doing their thing. They started to organize these protests and hacktivist operations, and I had skills and I had time and I figured I will participate for round two.
Johnson: And you participated in some Anonymous actions for a while but eventually you kind of broke away because the organization was kind of disorganized in a way, right? And you started your own group, LulzSec.
Monsegur: Well, Anonymous is not as decentralized as people want to think. It's not random chaos. It's actually not. And one of the groups that I participated in essentially made up what people know today as LulzSec. So what we were doing became so aggressive it garnered or rather it gained so much media attention that other members of Anonymous started to complain and say, "Well we got to be careful guys, we're kind of overstepping our boundaries. This is too extreme." So LulzSec was created because of that.
Johnson: You branched off in part because you felt at the time that they weren't doing stuff that was, I don't know, as effective as you well you all wanted to be.
Monsegur: Well to quote some of your rap fans, there's no such thing as a half-way crook. And you can't claim to be a hacktivist and get scared once we do hacktivism.
Johnson: What was the goal of LulzSec?
Monsegur: We had no goals. We were just hacking for the lulz.
Johnson: But there had to be some reasoning behind some of this stuff, right? I mean this group is credited with bringing the CIA website offline, and you know hacking into user accounts at Sony Pictures.
Monsegur: There were reasons for for specific hacks – it was very contextual. Yes, each hack almost had a reason. There was a purpose for the major breaches at the moment, it seemed right. Obviously now, nowadays I see it much differently.
Johnson: Do you feel like LulzSec was a hacktivist organization and do you accept the criticism that LulzSec was a criminal organization and maybe both can be true? I don't know?
Monsegur: That's a hard question to answer because at the time we kind of aligned ourselves to hacktivism and Anonymous. I mean we were hacktivism at the core. Some of the stuff that we did wasn't necessary – it didn't really prove a point. When we hacked into Sony for example, we were also proving a point there. Not that Sony had bad security; that it was kind of a given, but they had a situation where they were suing a security researcher and we felt that we could retaliate in a way. I mean, in hindsight, it was not a good reason. It was not our battle but we did it anyway.
Johnson: Where would you draw the line between hacktivism and criminal activity?
Monsegur: Well, if you're going to be technical — if we want to be technical here, hacktivism and hacking is criminal activity – you know, we're breaking some laws somewhere, right? So for example, if there were no hacking laws in the United States, then you know it wouldn't be criminal activity, it would just be us protesting. So just if we're going to focus on a technicality, then yeah, it was criminal activity and you know I do not deny that. It was. It was a blunder on our part. Especially on mine – I should have known better. And I'm glad that I was caught. I'm glad I was I was able to turn over a new leaf and restart my life the right way. But in that timeframe it was... you know, there was no stopping us. I guess that's the point.
Johnson: Do you think hacktivism is important?
Monsegur: I would say it could really serve a purpose. Or rather it could serve a purpose but to be honest with you it really depends. There's a lot of context that people miss when it comes down to hacking. During the Arab Spring: the Arab Spring I think was important to all of us even if we do not live in Tunisia, for example. But the Arab Spring, for many of us, especially the younger audience, that was the first time you got to see a revolution. And then it was a revolution that happened on the internet, which is insane! And the fact that we could participate with the protesters on the street by hacking and disrupting the Tunisian government, for example. That was major. So now the next question would be, "Do you think that what you did in Tunisia served a purpose?" And the answer to that is, "I don't know." Because Tunisia is not in a good place right now, and the Middle East is in shambles. So what did I really do? Did I help the cause or did I hurt the cause? Because I acknowledge that I did other crimes that have other victims. But the situation in the Middle East – participating in that kind of hacktivism. We had no idea the consequences were going to be so dire. So real.
Johnson: It's a complicated thing to do something like that when you don't know what all the different permutations of the consequences are.
Monsegur: You're 100 percent right. It's easy to get yourself in trouble and hack a U.S. asset, let's say Sony. Then you go to court and they hit you with your indictment and they start talking about the consequences of your action. It took a systems administrator to reimage the server. It cost the company about 10 grand to set everything back. The site was offline for two hours. See, we could gauge the consequences of something like that. We can't gauge the consequences of participating in an actual revolution.
Johnson: The stuff in Tunisia, and some of the other stuff you've done in the past. It sounds like it haunts you a little bit.
Monsegur: It doesn't haunt me like I have trouble sleeping or you know it bothers me to the point that you know I'm going to write a book about that, but it's something that I think about.
Johnson: It sounds like what you're saying, and I haven't really thought about this, of all the people that we've talked to so far, you're the first person who I think has really crystallized this point for me, which is that, the most consistent result of hacking and hacktivism is chaos.
Monsegur: From my personal experience yes. If we could get together in a grassroots environment face to face and go speak with a local community board to try to change some sort of policy, I'm for that. But when you're using hacking to disrupt a government without an understanding of all the consequences, that's when I start to feel like there's a lot more chaos than sense.