The fighting continues as AnonOps stages a comeback
by Steve Ragan - May 11 2011, 03:00The recent breakup of AnonOps, the IRC Network where supporters of Anonymous gather, was not due to a security breach or federal agents. Based on interviews, the entire incident was foreshadowed long before it actually happened. Calling it a “civil war” makes for a great headline, but infighting is routine, so events such as this one are nothing new on IRC.
“The point of AnonOps was to provide a platform, a platform of communication. Instead, what has happened is [the] network staff [has taken] more of a leadership role than anything else. Owen and the other [IRC Operators] were influencing ops,” explained Ryan, the ex-AnonOps Network Administrator at the center of the internal conflict.
By influencing ops, Ryan was talking about Anonymous operations, such as OpSony and Operation: Payback. He alleges that a core group of IRC Operators selects the targets and directs others to attack them. While this happens, they tell the public that there are no leaders and that AnonOps is just a chat network.
The target selections and secret votes are said to have taken place in a room on the AnonOps server called #command. This channel, restricted to all but a select few, has been discussed with The Tech Herald before. It is our understanding that the room is where network issues are discussed, in addition to similar conversations held in #opers.
However, it has been previously established that #command will sometimes coordinate Anonymous operations, in order to prevent the masses from abusing the servers, or targeting the CIA for example. Logs in our possession show the room as a place for venting. Some went there to have private chats away from other users. Others used it to deal with internal issues.
For example, a series of debates in #command and #opers (another private room) around April centered on someone within their group who was said to have been raided by the FBI. There were claims the individual had turned rat, handing over logs and other information to authorities. The accusal is based on the person’s previous statement that if they were granted immunity, they would consider turning over evidence.
Fast-forward to May, and Ryan leverages his access to attack and ultimately split the AnonOps network. He’d been running a bot for sometime, which according to several accounts had various purposes. It’s said that when the bot was linked, he used it to monitor backend traffic.
Armed with the bot’s collected information and some friends, Ryan was able to take down the network. Yet, what he did was not a hack. If anything, depending on a person’s point of view, this is abuse of trust and operator status. At the same time, using collected information and other IRC Operators was only one side of the attack itself.
Ryan owns the AnonOps.ru domain used for DNS resolution on the AnonOps IRC network. In addition, he told us that he controls .NET and several other TLD extensions. Due to this he was able to redirect traffic, and the main source of connection to AnonOps via IRC (irc.anonops.ru / irc.anonops.net) was closed. Anyone attempting to use the common server names was redirected to Ryan’s network.
However, even before this happened, Ryan was usually at the center of internal issues, something independently confirmed by several people.
“He was literally involved (and the instigator in almost all cases) with every spat which occurred between network admins. Ryan and his actions are a complete and utter disgrace in my view, and any Anons who follow him are walking right into a trap. Would you trust a guy who's willing to leak your IP if you piss him off?” one of the AnonOps regulars explained.
After he redirected AnonOps to his servers and redirected their websites, Ryan leaked some 600 IP addresses to the public. Given that some of the people listed in the release are guilty of nothing more than watching, it was a risky move. Ryan himself called it “regrettable but necessary”, when giving an interview to thinq_.
“Any valid points Ryan may have made are totally and utterly invalidated by his actions with regard to logs. Which is a shame, because he did make some valid points,” the AnonOps regular added.
For their part, AnonOps administrators were able to keep communications open, by harnessing other IRC Networks and using tools to relay communications between them. This is in addition to communication channels outside of IRC. When speaking to one of the administrators dealing with the AnonOps cleanup, it was clear that there were some lessons learned.
The largest lesson was one of trust. It’s an important part of obtaining an IRC Operator position on any network. The methods for gaining trust usually revolve around being seen and being active, and have nothing to do with actual trustworthiness. With Ryan breaking trust among the others, future IRC Operators are likely to be reigned in, making the spot harder to earn.
“AnonOps as it was had been built on top of the original network and some procedures should have been modified,” the administrator told us. “The new network currently being built has been reconfigured and a number of new safety and security features have been added.”
In all, the entire incident was a rather large and ugly fight between IRC Operators, which spilled out into the public. However, we witnessed an interesting exchange Monday afternoon, between Ryan and the network he helped rip apart.
In a public chat taunting the others from AnonOps, he openly admitted to several actions on his own. For example, posted logs show him and one other person issuing commands to bots in order to attack Sony and BMI during Operation: Payback. Other logs, as well as his public admission, show Ryan directing the bots to target DreamHost on May 1.
Note: The log details are on the following page.
Ryan claimed that OpSony and the attack on BMI were going nowhere until he added his support. This support came by way of 5-10,000 bots, out of an install base of 50,000 to pull from. In addition, he added that the use of LOIC to attack targets was just a scam for the public.
“During OpSony we had a maximum of 40 [LOIC canons],” Ryan told us. “The bot shit was kept secret because it'd be bad PR. If they knew it was bots instead of [LOIC], then what’s the point of the public coming in?”
Throughout the afternoon the taunting between Ryan and the others continued.
“I’ve seen Ryan. He's this pasty fluffy British kid with a buzz cut, a double chin, and a bag of cookies in his hand laughing about how awesome he thinks he is,” commented one Anon we spoke with.
“That is how I picture Ryan now as he tries to ‘destroy Anonymous for the good of Anonymous’.”
Many of the same topics were rehashed, but when the issue of trust was brought up, Ryan said the others were dumb to give him that.
“[You] didn’t bother to check my background, my affiliations…you got fucking owned…”
We’re positive there are plenty of people who would cheer if Ryan’s words of, “I’m one person...and I have destroyed Anonymous”, were true. However, AnonOps is not Anonymous, no matter how one spins it.
People who associate under Anonymous use AnonOps, but without it, they will still exist and operate.
The shakeup of AnonOps wasn’t a case of hacker vs. hacker, or Anon vs. Anon. Many of the people we talked to told us it was simply a matter of ego and typical IRC drama between network staff.
After watching things play out this afternoon, we’re inclined to agree. At the same time, somewhere a copyright executive is breathing a sigh of relief.
[13:34] evilworks: [09:55] * Rejoined channel #bridge
[13:34] evilworks: [09:55] * evilworks sets mode: +o evilworks
[13:34] evilworks: [13:49] <@Ryan> !syn 199.108.4.73 443 600
[13:34] evilworks: [14:05] <@Ryan> !syn 199.108.4.73 443 600
[13:34] evilworks: [14:08] <@Ryan> !syn 199.108.4.73 443 600
[13:34] evilworks: [14:26] <@Ryan> !syn eu.playstation.com 80 800
[13:34] evilworks: [14:26] <@Ryan> !syn eu.playstation.com 80 800
[13:34] evilworks: [14:26] <@Ryan> !syn eu.playstation.com 80 800
[13:34] evilworks: [14:28] <@Ryan> !syn eu.playstation.com 80 800
[13:34] evilworks: [14:28] * Timer fire activated
[13:34] evilworks: [14:29] <@evilworks> !syn eu.playstation.com 80 120
[13:34] evilworks: [14:30] <@evilworks> !syn eu.playstation.com 80 120
[13:34] evilworks: [14:32] <@Ryan> !syn eu.playstation.com 80 800
[13:34] evilworks: [14:32] <@evilworks> !syn eu.playstation.com 80 120
[13:34] evilworks: [14:34] <@evilworks> !syn eu.playstation.com 80 120
[13:34] evilworks: Session Close: Wed Apr 06 14:35:48 2011
[13:34] evilworks: Session Start: Wed Apr 06 14:35:48 2011
[13:35] evilworks: Session Start: Thu Apr 07 02:43:53 2011
[13:35] evilworks: Session Ident: #bridge
[13:35] evilworks: [02:43] * Disconnected
[13:35] evilworks: [02:44] * Attempting to rejoin channel #bridge
[13:35] evilworks: [02:44] * Rejoined channel #bridge
[13:35] evilworks: [06:11] <@Ryan> !spost auth.station.sony.com 443 650
[13:35] evilworks: [06:22] <@Ryan> !spost auth.station.sony.com 443 650
[13:35] evilworks: [06:32] <@Ryan> !spost auth.station.sony.com 443 650
[13:35] evilworks: [06:35] <@Ryan> !spost auth.station.sony.com 443 650
[13:35] evilworks: [06:35] <@Ryan> !spost auth.station.sony.com 443 650
[13:35] evilworks: [06:35] <@Ryan> !reset
[13:35] evilworks: [06:35] <@Ryan> !spost auth.station.sony.com 443 650
[13:35] evilworks: [06:41] <@Ryan> !spost auth.station.sony.com 443 650
[13:35] evilworks: [06:54] <@Ryan> !spost auth.station.sony.com 443 650
[13:35] evilworks: [07:26] * Ryan sets mode: +o Ryan
[13:35] evilworks: [07:26] <Ryan> !spost auth.station.sony.com 443 500
[13:35] evilworks: [09:32] <Ryan> !spost auth.station.sony.com 443 500
[13:35] evilworks: [09:33] <Ryan> !spost auth.station.sony.com 443 500
[13:35] evilworks: [10:26] <Ryan> !spost auth.station.sony.com 443 500
[13:35] evilworks: [10:35] <Ryan> !spost auth.station.sony.com 443 500
[13:41] evilworks: Session Start: Sun May 01 00:58:39 2011
[13:41] evilworks: Session Ident: #vbot3
[13:41] evilworks: [00:58] * Now talking in #vbot3
[13:41] evilworks: [00:58] * evilworks sets mode: +o evilworks
[13:41] evilworks: [01:00] * Timer startfire activated
[13:41] evilworks: [01:09] <@Ryan> !syn ps48699.dreamhost.com 53 400
[13:41] evilworks: [01:09] <@Ryan> !syn ps48699.dreamhost.com 53 400
[13:41] evilworks: [01:09] <@Ryan> !syn ps48699.dreamhost.com 53 400
[13:41] evilworks: [01:09] <@Ryan> !syn ps48699.dreamhost.com 53 400
[13:41] evilworks: [01:09] <@Ryan> !syn ps48699.dreamhost.com 53 400
[13:41] evilworks: [01:09] <@Ryan> !syn ps48699.dreamhost.com 53 400
[13:41] evilworks: [01:09] <@Ryan> !syn ps48699.dreamhost.com 53 400
[13:41] evilworks: [01:09] <@Ryan> !syn ps48699.dreamhost.com 53 400
[13:41] evilworks: [01:09] <@Ryan> !syn ps48699.dreamhost.com 53 400
[13:41] evilworks: [01:09] <@Ryan> !syn ps48699.dreamhost.com 53 400
[13:41] evilworks: [01:09] <@Ryan> !syn ps48699.dreamhost.com 53 400
[13:41] evilworks: [01:27] <@Ryan> !syn ps48699.dreamhost.com 53 400
[13:41] evilworks: [01:27] <@Ryan> !syn ps48699.dreamhost.com 53 400
[13:41] evilworks: [01:27] <@Ryan> !syn ps48699.dreamhost.com 53 400
[13:41] evilworks: [01:27] <@Ryan> !syn ps48699.dreamhost.com 53 400
[13:41] Ryan: hehehehe
[13:41] Ryan: everyone already knows i did dreamhost
[13:41] Ryan: jeeze guy
Comment on this Story