Stakeout: how the FBI tracked and busted a Chicago Anon (arstechnica.com)
103 points by 3lit3H4ck3r on March 7, 2012 | hide | past | favorite | 53 comments



These people were idiots:

   The document also claimed that more than $500,000 had
   been charged to credit cards and given to "charities
   and revolutionary organizations."

   Usernames and e-mail addresses were also released;
   people were exhorted to "use and abuse these password
   lists and credit card information to wreak unholy
   havoc upon the systems and personal e-mail accounts
   of these rich and powerful oppressors."
First, a lot of those credit cards belonged to ordinary people, not the "rich and powerful oppressors".

Second, when the credit card owners see the charges, they will dispute them. The credit card companies then will take the money back from the "charities and revolutionary organizations", and hit them with a $15-$30 chargeback fee per card.


To say that this guy was an idiot is an understatement.

He's better known to me and my online pals as "tylerknowsthis", a reference to Tyler Durden and his philosophy of destroying the capitalist system to "free the people." Say what you will about his ideals, his methods and actions are beyond retarded.

Here he is at Defcon in 2004 talking about how they need more "footsoldiers" to "fuck shit up in the streets" - to the point that Priest has to come on stage and denounce violent acts or acts that hurt people. http://video.google.com/videoplay?docid=1269112265902193941 In general he defends the use of violence as the last act of a person who is desperate to defend freedoms for people who didn't ask to be helped. His website HackThisSite is a sort of propaganda and training tool used to entice young black hats to join his cause.

You can find a list of his previous run-ins with the law on his Wikipedia page: http://en.wikipedia.org/wiki/Jeremy_Hammond (My favorite is where he attacked a 70-year-old holocaust denier that was having dinner at a restaurant.... what productive direct action!)

He claims he steals his power, water and internet access and at times squats abandoned buildings and eats "freegan" so he isn't helping the capitalist system flourish. At the same time he kept a part-time computer programming job to make spare cash. So he can keep fighting the good fight against capitalism.

I think he may have still been on probation during the events of the Stratfor hack, so he may be royally fucked by the prosecution unless he too snitches - something he has repeatedly said is the worst thing any good hacktivist can do.

He's one of the longest-running jokes my online friends and I have. His rants against "the system" and hypocritical actions which seem to have little purpose serve to foster flame wars, and he is frequently banned when people get tired of his shit. He then comes back and threatens to "curbstomp" or "shiv" anyone who disliked or banned him. Basically, nobody but the LulzSec freaks like this guy.

Yet again the same people who try to get away with petty online crime get caught due to negligence, bragging and misplaced trust in other criminals. If only they'd learn that trusting a criminal is probably not a good idea they might not be arrested right now.

edit: In case anyone wants to verify this account (in a WikiLeaks-style full transparency way), here is a brief dump of a public chatroom on a public irc server of his comments. I don't have the entire log, just his comments. http://pastebin.mozilla.org/?dl=1506078 http://tinypaste.com/a104418f (it's around 1.8MB)


I had no idea he was behind HTS, but I guess it makes sense. I came across it way back in the day on 711chan, and I suspect there's some overlap between those folks and the ones doing legwork for Anon.


I'm having a hard time with calling an obviously talented hacker an idiot just because you don't share his political ideology.


Whether or not he's talented is irrelevant. He's an idiot for the same reason the thread OP stated he's an idiot: their actions cause more damage to their supposedly good-natured charities than the victims they stole money from. Not to mention the braggadocio, carelessness, lack of regard for his fellow "footsoldiers", and the haphazard way he conducts his attacks (be they physical or virtual) as to not even be effective at achieving any real results.

You want to smash the state? You want to end the tyranny of capitalism? You want "freedom"? Running around the streets in bandannas disabling vehicles and "fucking shit up" ain't gonna get you there buddy. Neither is stealing money from the majority of the people who used a service as a better-filtered newswire in the name of some hokey idea that the "security state" needs to be brought down.

He's a bully and a closed-minded bigot and he's too radical to ever be able to introduce any real change other than making the police remove more of our rights in order to combat people like him. He's a terrorist. And an idiot.

But that's just my opinion.


If it were the 70s he'd be in the RAF for sure.

(Baader-Meinhof, not the air force).


Would be very interesting to do a multi-faceted psychological analysis/profile on people like this. I am curious what makes them tick.

I myself have some very intense sides of my personality, but I've always channeled it into productive pursuits. When I was younger I daydreamt of being a nefarious black hat hacker, but I soon realized that startups, lifestyle design, social dynamics and personal development are far more rewarding ways of hacking reality :)


Contrast this with the China hackers that went underground 15 years ago, no chats..no irc..no bbs boards..nothing..

These anonymous guys are complete effing idiots..meaning any training the FBI is doing in catching these folks is actually doing the FBI more harm than good in that it's not preparing them for the hard serious hacker threats such as China hackers..


Good hackers won't be caught, there is no training. If they do XYZ and don't leave any traces they can't be caught. It took a considerable amount of time and effort to catch these people and they left hundreds of logs.


I'm curious, what 'China hackers'? My google-fu has failed me..


They're creating the assumption that Chinese Gov't or independent parties are hacking systems for gain. The statements of "they leave no trace" or the like attribute to the fact that there isn't any evidence through google or otherwise.

As far as I'm concerned there is evidence of some high profile hacking teams somewhere in the world doing some nasty stuff (such as the fraudulent certificates and hacks on companies that were tied back to Stuxnet). We don't know for sure who does it but a lot of people assume the Chinese based off of (what I think) is IP traces.

It's all speculation. We know that someone is hacking, just not who. It's obvious that they're good because there hasn't been enough evidence to pin it on anyone. As anyone on this site should know: an IP isn't a very good identifier and even less so for professionals.


I could only take a few minutes of that video. It was awkward and I honestly can't believe that was at Defcon.


"Hi, I'm a professional Sysadmin, intermediate Hacker and hobby Coder." Cute bio. Didn't know being a professional computer janitor was something to be proud of. Also, amazing hack you pulled on your hacker blog where you blog about your hack poem. You're a modern day Edgar Bloggen Poe. Here let me give it a try,

Blogging is not poking. Blogging is not tweeting. Blogging is not programming. Blogging is not learning. Blogging is not making. Blogging is not sharing. Blogging is not networking.

Blogging is not something you do.

Blogging is how you blog.


You really needed a throwaway to say that?

At any rate, calling yourself a hacker (Without chops to back it up if you're using it in the Heroes of the Computer Revolution sense.) to anyone who knows better is either some serious bragging, or braindead stupid depending on which definition you're using.

In fact, the last thing anyone who does stuff like Lulzsec should admit to being is a "Hacker" (Even if they mean it benignly.) because you can bet the farm that the first people the Feds look at are self described "Hackers". I just can't believe the kind of information these people leak about themselves. Doesn't "I trust you today, but not necessarily tomorrow..." mean anything to black hats?

EDIT: Saying anything about the state of the real world should be considered an incredibly bold release of entropy or invasion of privacy if the only thing that keeps you safe at night is your mask.

EDIT2: Sorry, thought the above quote was from Jeremy Hammond's blog. At any rate most of my points still stand from the hypothetical perspective of "If I were a blackhat..."


This is my first time registering and posting on HN. All of that comes from someone posting on a Web 2.0 social blog news aggregator of a forum, that's surely powered by some webscale MongoDB Ruby on Rails web app, where everyone is hellbent on taking back the word hack as they attempt to score some "serious" Venture Capital to create the next hot microvlogging service, or perhaps the next hot Android and iOS compatible remote Arduino LED blinking mobile app. I seriously don't understand the motivation.


I wasn't addressing you at all. In fact, I thought you were talking about someone else entirely.

Regardless, as an outsider peering inside, it does seem a bit strange. One of the things affecting my perception is the simple question I ask myself looking at posts like the one you describe. "Does this have any chance of making money?"

Because if it doesn't, I always wonder what the motivation was for making a service for which there are 50 implementations already. I've probably written under 500 lines of code in my life, because I can't justify it to myself to build an application nobody needs, even for practice.

At any rate, the "hack" itself is its own sort of art. With an almost intangible feeling of delight when executed successfully. I can't really quantify it myself to be honest. And I've only experienced it once.

TL;DR: The short answer is, people here find that stuff fun.

PS. Quit trolling HN.


On March 1, the agents obtained a court order allowing them to use a "pen register/trap and trace" device that could reveal only "addressing information" and not content. In other words, if it worked, agents could see what IP addresses Hammond was visiting, but they would see nothing else.

The FBI describes its device as a "wireless router monitoring device" that captures addressing and signaling information and transmits it wirelessly through the air to FBI agents watching the home. It was installed the same day and was soon showing agents what Hammond was up to online.

I'm curious about this device; it would have to be able to fully decrypt 802.11 frames just to be able to see the layer 3 IP information, so in theory it is able to see all of the traffic but the agents aren't allowed to look at (or use) anything beyond the IPs because that would be considered wiretapping. I have to imagine the guy arrested was technically competent enough to use WPA2 with a fairly strong non-dictionary-word key, yet this device was able to crack that key in a short enough amount of time for this sting operation.


It wasn't clear to me that it was a device that was wireless. They said it was installed.. they called it a wireless router monitoring device, which suggests wireless, but it seems more plausible that they would have installed something physical to listen in on the cable connection (or something else north of the router)... the 'wireless' bit being the transmission of data back to them?


SSL would have solved that.

I'm perturbed by the number of hackers getting taken down who blather on about their personal lives, use a VPN with no encryption and think it's safe, and still manage to break into these rather large systems. Either they're skilled but reckless and cavalier, they're idiots and security everywhere is a joke, or both.

Not sure which of those scenarios is more disturbing. Either way, I suspect that, in the wake of these latest arrests, we'll see both better opsec from Anon, as well as an increased focus on security from those who are likely to be targets. In the meantime, I'll get 15 messages on my facebook wall saying, "see who's visited your profile!"

sigh


He did use Tor, which encrypts everything up to the exit node, so I don't get your point.

The only thing they had was the Tor IPs, and SSL doesn't hide IPs.


who blather on about their personal lives

This is nothing surprising. If you listen to the (public) disclosures of wiretaps on e.g., Mob bosses, etc., it's full of mundane chatter about what they had for lunch, who they met, their bowling scores, etc. The reality is that after some time of being secretive and not getting caught, it's human nature to just act normally and let your guard down. If you think about it, the criminal only has to make one mistake out of thousands of individual actions to be caught and prosecuted.

Criminals are just ordinary people, not supervillains!


You just have to read about Gary McKinnon "hacking". The guy himself said that he is no wizard or anything similar, but that a lot of the US government computers he got into had a blank password for the administrator...


errr.. SSL still connects to IPs

and there isn't really such a thing as a 'VPN without encryption'


Yes, from the sound of it the "wireless" part was simply how the device reported back to its owners.

Probably a good call, really. It requires physical presence, but done right it could be nigh undetectable, whereas reporting over the target's uplink could alert a very sharp target, and possibly even reveal who its masters are (based on destination).


Ah, that makes more sense (and makes me less paranoid).


While sup_g may indeed have been a "credible threat," he was in the end no match for the overwhelming federal resources of the FBI agents hunting him down. Over the last month, federal agents staked out his home in Chicago constantly, dug up old police surveillance records, tapped his Internet connection, used directional wireless finders to locate and identify his wireless router, and relied on Sabu back in his New York City apartment to let them know when sup_g went on or offline.

...anything beyond the IPs because that would be considered wiretapping.

But that is exactly what it appears they had the authority to do no?


They wouldn't need to decrypt any packets at all; they could simply look at ARP requests. ARP packets are typically left alone and sent unencrypted; otherwise it would be far too difficult to find the router and the client when connecting or re-negotiating encryption keys. Even then, it was indicated that he was using Tor, so even if they did decrypt the 802.11 packets, only the header would be in clear text.

Doing this does not count as wiretapping, as it was ruled to be akin to a dump of phone records, rather than listening on the conversation itself. Yes, they are splitting hairs, but that is how justice has to work.


ARP packets would not show Tor server IPs, they would only show the IPs of his laptop and his router.


To add more detail, the reason it would not show the IP of the Tor servers is that you only send ARP requests for IPs on your own subnet. If the IP is not on your subnet there is no reason to send an ARP, because you already know you cannot talk to it directly.
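As an added illustration (not part of any comment in this thread), here is a small Python model of the on-link decision the comment above describes: a host sends ARP requests only for addresses inside its own subnet, and for everything else it resolves the default gateway instead, so a passive listener on the LAN learns local addresses but none of the remote (e.g. Tor relay) addresses. All IP addresses below are constructed sample values.

```python
import ipaddress


def arp_target(local_ip, prefix_len, gateway_ip, dest_ip):
    """Return the address a host must resolve with ARP to reach dest_ip.

    If dest_ip lies inside the host's own subnet the host ARPs for dest_ip
    itself; otherwise it ARPs for its default gateway, because off-link
    traffic is always handed to the gateway's MAC address.
    """
    net = ipaddress.ip_network(f"{local_ip}/{prefix_len}", strict=False)
    dest = ipaddress.ip_address(dest_ip)
    if dest in net:
        return str(dest)                        # on-link: ARP for the host itself
    return str(ipaddress.ip_address(gateway_ip))  # off-link: ARP for the gateway


def observed_arp_targets(local_ip, prefix_len, gateway_ip, destinations):
    """Set of target IPs a passive LAN listener could collect from the ARP
    requests the host emits while talking to every address in destinations."""
    return sorted({arp_target(local_ip, prefix_len, gateway_ip, d) for d in destinations})


# Constructed sample: a laptop on 192.168.1.0/24 behind a home router.
LOCAL_IP, PREFIX, GATEWAY = "192.168.1.10", 24, "192.168.1.1"

# Constructed destinations: a LAN printer plus two off-link addresses taken
# from documentation ranges, standing in for Tor relays the laptop contacts.
SAMPLE_DESTINATIONS = ["192.168.1.20", "198.51.100.7", "203.0.113.42"]

if __name__ == "__main__":
    for d in SAMPLE_DESTINATIONS:
        print(f"{d:>15} -> ARP for {arp_target(LOCAL_IP, PREFIX, GATEWAY, d)}")
    # Only the printer and the gateway show up; the off-link addresses never do.
    print("listener learns:", observed_arp_targets(LOCAL_IP, PREFIX, GATEWAY, SAMPLE_DESTINATIONS))
```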


Huh -- it certainly appears that the FBI had some advance notice of the Stratfor hack.

I'd be a little irritated if my credit card number was released while the FBI sat back and watched it happen. I'd be a lot more than irritated if I owned Stratfor, and the FBI sat back and watched some people hack my business. (Yes, Stratfor's security was awful. But it's still a crime.)

I'm not a lawyer, but I'm curious -- why isn't the FBI liable for this sort of thing? Surely there has to be some precedent here one way or the other.


Remember this is all situational. I imagine the FBI gets hundreds of tips daily but can't act on all of them without enough mounted evidence to take it seriously. They may have had tips earlier of the attack but they couldn't verify in time.

It always looks worse when you view it in hindsight. If the FBI had enough evidence to work with then they would have done something. Acting early without the evidence they need would have done more damage and not necessarily stopped anything from happening.


"why isn't the FBI liable for this sort of thing? Surely there has to be some precedent here one way or the other."

They have no legally enforceable duty to protect...

   "...a government and its agents are under no general duty to
   provide public services, such as police protection, to any particular individual citizen..." -- Warren v. District of Columbia, 444 A.2d 1 (D.C. App. 1981)


The parties who have something to lose are credit card processors and merchants who could have payments refuted. I'm going to guess processors are pretty happy that it's the federal budget paying their security bills and not them.


Well... a lot of us Mexicans became very irritated after the fact that the ATF let criminals buy and transport guns to Mexico.

It seems it is an American custom nowadays.


Given that Sabu is widely regarded as the de facto leader of lulzsec I'm very curious about how the Stratfor attack was planned and undertaken. If, as seems likely, the FBI knew about it before it happened that seems pretty serious. More so, if Sabu originated the idea for the attack and evangelized it to the group that raises the issue of entrapment.


I don't know much about the attack, but the data seem to be 100% legit and really hacked from the Stratfor database.

My wild guess is that Sabu was not responsible for the idea, but was instructed by his FBI supervisors to just play along and help people with the attack to build up credibility. Meaning - the feds didn't modify the data at all, they probably just used the server to track down the IPs.

Anyway, the fact that Sabu was an informer is surprising to me, a lot. Especially when he was still posting tweets, accusing OTHERS of being informers.


http://en.wikipedia.org/wiki/Warren_v._District_of_Columbia

The police have no duty to uphold the law or to protect you.

http://www.expeditersonline.com/forum/soapbox/48007-fbi-wrec...

http://en.wikipedia.org/wiki/Sovereign_immunity

The FBI doesn't get to be sued for a bunch of stuff because they claim sovereign immunity.

It's all fucked up.


One interesting thing from this was that the FBI couldn't trace him via the Tor network until they had his physical location. Good for Tor, glad to see they are still anonymous.

If I had been him, I'd have put Tor on top of a couple of VPSes in some select countries around the world.

That being said, he was reckless and too ideological, without considering that he wouldn't be furthering his ideals. It's one thing to dump company secrets, it's another to dump personal CCs.

Now if I was the FBI, I'd be trying to combine the successful methods of having undercover agents pose as terrorists with a hacker bent. It's the same sort of system, albeit purely digital.


"...the FBI couldn't trace him via the Tor network..."

I honestly think they already knew who he was from his comments - by reviewing Sabu's chat logs they found he had slipped up and identified himself.

I guess what I'm trying to say is, we have no data either way. Tor may be secure, or it may not.

Take-aways seem to be:

1. IRC logs do not contain identifying info - unless you reveal yourself

2. IRC active / away status leaks information about your schedule

3. Using multiple identities online works pretty well

4. Trusting criminals = fail

5. Committing federal crimes = fail

The FBI had a pretty solid case against him. By the time they were doing the IP sniffing and identifying Tor nodes, they already had the guy under 24/7 surveillance. It sounds like they were solidifying their case.

If this were Hollywood, I bet he would have sensed the surveillance somehow - and tried to make a run for it. But it didn't sound like he had many friends who would have hidden him.


IRC logs do not contain identifying info - unless you reveal yourself

You'd be surprised. I was about six years old when I realized I could tell who was walking upstairs by the sound of their footsteps.

I can identify code that my co-workers have written by their individual styles. And that's after conforming to our coding standard.

It's common knowledge that individual (prose) writing style can be as identifiable as a fingerprint.

In short, pretty much every action you take has the potential of adding to a list of identifying information about you. If your actions are watched long enough, you will be identified.


If they _could_ track via tor, I highly doubt they'd tip their hand in such an obvious way. They'd use their tor-tracking abilities to get a suspect, then use this prior knowledge to assist with ordinary evidence-gathering. Or even not use it at all unless the intelligence gained was valuable enough to risk losing that source of information.


It is the same with Sabu. They caught him mainly because he forgot to turn on Tor once and logged in to IRC from his IP.


Perhaps the official FBI press release on the arrests provides a supplement to the Ars Technica story, showing what is based on independent reporting and what comes straight from the release:

http://www.fbi.gov/newyork/press-releases/2012/six-hackers-i...


Wait, how secure is IRC anyway? The article states that he trusted Sabu, but didn't he also trust the people who ran the IRC servers plus anybody able to sniff their traffic?


He connected to IRC via a Tor overlay. I don't know what IRC network Anonymous is using, but even Freenode offers a native onion gateway to their network[1].

[1] http://freenode.net/irc_servers.shtml


Ok, scratch "anybody able to sniff their traffic" (assuming both sides use the native gateway.) This still leaves the IRC server itself as a potential vulnerability.


Anonymous are (I think) mostly using anonops. But I personally thought anonops have tor banned by default, so who knows.


Every one of these guys should have been seriously alarmed after that leaked document on Lulzsec/Anonymous on pastebin in July 2011.

Apparently some of the names published were real (including Sabu's - even though under a different nickname).. and he was arrested just a month later. If someone in the group had recognized any known real name references, they should have immediately ceased their activities and gone undercover, as they should have expected raids!

The FBI loves turning caught people into informants to catch the others. It was that way 10 years ago, when one caught member worked half a year helping to betray the whole warez group, and it seems to be all the same.. the FBI is still too lame to advance without informants.


What always confuses me about stories like these is that the guy is always doing it from his basement apartment. Surprise, you got caught. And if you're an exit node for tor, you're going to be under the microscope for something somebody else did.

And if you're hanging out on IRC a little too much, your linguistic fingerprint is probably strong enough to match up to something somewhere else on the Internet with your name on it.

If he really wanted to fight 'the man', he could have gotten a nice cushy job and donated what he made to EFF.


So it would seem that the best defense is to tunnel all traffic from one's home to an IP in another country, if they are tapping a line and checking which IPs you're talking to.


The best defense is probably to not blabber to people who might identify you. That's how they got most of the clues, according to the story.


Exactly, this is the lesson to learn from this story. There is no sense in using Tor, VPN and other technology to obfuscate the trace of information if the information itself can identify you.




