Tuesday, March 06, 2012

Notes on Sabu arrest

This post is just to jot down interesting bits of info on the Sabu arrest. All the good stories with details appear in the first few hours, then the Internet fills up with crud, and I can no longer find the original stories via Google.

Fox News has the original stories at these links:
http://www.foxnews.com/scitech/2012/03/06/hacking-group-lulzsec-swept-up-by-law-enforcement/
http://www.foxnews.com/scitech/2012/03/06/exclusive-inside-lulzsec-mastermind-turns-on-his-minions/
http://www.foxnews.com/scitech/2012/03/06/exclusive-unmasking-worlds-most-wanted-hacker/

They caught him because just once, he logged onto IRC without going through Tor, revealing to the FBI his IP address. This reveals a little bit about the FBI, namely that they've infiltrated enough of the popular IRC relays to be able to get people's IP addresses. We've always suspected they could, now we know.

This is a good lesson for Tor users. Tor, itself, is not enough to keep your identity hidden. It "fails open", which means that if you make a mistake, you'll expose your IP address. If "they" are coming after you, you need to configure a "fail close" network setup, such as by using a second machine as a transparent Tor proxy, such that everything is forced through Tor no matter what you do, and if the Tor service fails, your network connectivity also fails (fail close).

Update: Two commenters think I'm criticizing Tor. I'm not. It's like the fact that crypto isn't enough to keep your data private. The FBI cannot crack AES128, but if you've chosen a poor password, they can crack that. It's not AES128's fault you chose a bad password. It's likewise not Tor's fault you bypassed it in order to log onto IRC. It's just that you should be aware of the importance of choosing good passwords, and practicing good Tor hygiene.
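The difference between "fail open" and "fail close" on the second-machine gateway can be checked mechanically. The following is an added example, not code from the original post: it audits an iptables-save dump from such a gateway and lists every path by which client traffic could reach the Internet without Tor. The interface name eth1 and the Tor ports 9040 and 5353 are assumptions, and both rulesets are constructed samples.

```python
# Added example (not from the post): audit an iptables-save dump from a Tor
# gateway and list every path by which client traffic could skip Tor.
# Assumed names: eth1 = client-facing interface, 9040 = Tor TransPort.

def leaks(dump, lan_if="eth1", trans_port="9040"):
    """Return reasons the ruleset fails open; an empty list means fail-closed."""
    table, forward_policy, redirected, found = None, None, False, []
    for line in map(str.strip, dump.splitlines()):
        if line.startswith("*"):                      # "*nat", "*filter"
            table = line[1:]
        elif line.startswith(":FORWARD ") and table == "filter":
            forward_policy = line.split()[1]          # ":FORWARD DROP [0:0]"
        elif line.startswith("-A FORWARD ") and table == "filter" and "-j ACCEPT" in line:
            found.append("FORWARD rule routes around Tor: " + line)
        elif line.startswith("-A PREROUTING ") and table == "nat":
            # Only a redirect of all client TCP counts, not a single port.
            if (f"-i {lan_if} " in line and "-p tcp" in line and "--dport" not in line
                    and line.endswith(f"-j REDIRECT --to-ports {trans_port}")):
                redirected = True
    if forward_policy != "DROP":
        found.append("FORWARD policy is not DROP: missed packets go out in the clear")
    if not redirected:
        found.append("no catch-all REDIRECT of client TCP to Tor's TransPort")
    return found

# Constructed sample (abbreviated): a NAT router that torifies only web traffic.
FAIL_OPEN = """*nat
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9040
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT"""

# Constructed sample (abbreviated): nothing is forwarded, so if Tor is down
# the clients simply lose connectivity.
FAIL_CLOSED = """*nat
-A PREROUTING -i eth1 -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A PREROUTING -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 9040 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 5353 -j ACCEPT
COMMIT"""

if __name__ == "__main__":
    print(leaks(FAIL_OPEN), leaks(FAIL_CLOSED), sep="\n")
```

The audit covers only traffic from client machines behind the gateway; it does not inspect the gateway's own OUTPUT chain.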

Another lesson about the FBI is that this is how they always work. You don't expect arrests right away after a major hack. Instead, the FBI will plod along for a year infiltrating as much of the organization as they can, turning key members, gathering hard evidence, and THEN they swoop in and gather everyone up.

This is mostly because hard evidence of past crimes is hard to get. You need evidence of future crimes. Once you've infiltrated the organization and can monitor what they are doing in real time, you'll get evidence of the crimes as they are happening, evidence you couldn't get on their previous crimes.

And the evidence the FBI most wants is for things like "conspiracy" [most of those arrested today are indicted on conspiracy]. Proving you committed a crime is hard, proving you conspired to commit it (by monitoring IRC) is pretty easy. Unless they find the stolen credit card numbers on your laptop, they'll find it difficult convicting you of cybercrime. But they can convict you of conspiracy, intent, obstruction of justice, racketeering, and so on. For example, the Palin hacker was convicted of only misdemeanor hacking, but felony obstruction of justice because he deleted evidence of the hack.

When your little group has done something really bad, and you realize you've gotten in over your head and the FBI is coming after you, you have the prisoner's dilemma to consider. The first one of you that cracks and helps the FBI track everyone else down will get the sweetheart deal, and everyone else will go to jail. I can't see myself doing this, but at the same time, I can't see myself getting involved in such cybercrime.

Anyway, this is just my notes page. As my stories appear on this subject, I'm going to keep updating this post.


--
From Jimmy Graham in the comments section comes this article (http://www.informationweek.com/news/security/attacks/231000584) from last June that outed Sabu's identity. It points to this pastebin (http://pastebin.com/iVujX4TR) which dumps some key data on their identities. I'm surprised we all missed this back then.

--
Official FBI press statement: http://www.fbi.gov/newyork/press-releases/2012/six-hackers-in-the-united-states-and-abroad-charged-for-crimes-affecting-over-one-million-victims

---
Post from IBtimes (http://www.ibtimes.co.uk/articles/293742/20120206/antisec-anonymous-hackers-fbi-anti-security-hack.htm) from a month ago that looks completely different now that this has been revealed.

---
Post from The Guardian (http://www.guardian.co.uk/technology/2012/mar/06/lulzsec-sabu-working-for-us-fbi?CMP=twt_gu) that regurgitates the Fox News article, though they have some good links to their past coverage of Sabu, such as this article (http://www.guardian.co.uk/technology/2011/jun/24/inside-lulzsec-chatroom-logs-hackers) from last June (around the time Sabu was secretly arrested) discussing leaked chat logs of the LulzSec group.


--
This document (http://blog.wearpants.org/media/namshub.pdf) outs a lot of Anonymous. I'm not sure when it was posted, but it apparently identified Sabu before today's announcement.

--
This post from last December (http://rickey-g.blogspot.com/2011/12/anonymousabu-aka-xavier-de-leon.html) finds some clues to Sabu's identity, which in hindsight, appear to be true.

--
Wild eye ravings? Is FBI and/or Anonymous behind everything? (http://www.deathandtaxesmag.com/179764/anonymous-has-grown-beyond-lulzsec-and-sabu/) Dispels the more extreme notions of the FBI, but still assumes that the FBI is controlled by corporate/political interests.

--
A paper written describing what LulzSec is: http://pastehtml.com/view/blpmqrn78.html

--
Six things you didn't know about Sabu: http://www.buzzfeed.com/jwherrman/five-things-you-didnt-know-about-sabu-the-lulzse

--
Sabu's indictment: http://www.nypost.com/rw/nypost/2012/03/06/media/030612_hackers.pdf

--
Sabu assumed he was an FBI agent, rather than just a CI: http://gawker.com/5890901/anonymous-snitch-tried-and-failed-to-pass-himself-off-as-an-fbi-agent-last-month (Has he never watched the "White Collar" TV show??)

--
Barrett Brown, who sometimes acts as a spokesman, had his house raided: http://www.nytimes.com/2012/03/07/technology/lulzsec-hacking-suspects-are-arrested.html?_r=3

--
Interesting Gawker piece (http://gizmodo.com/5890825/lulzsec-leader-betrays-all-of-anonymous) with chat logs with "Virus", a detractor of Sabu who has been claiming Sabu was a snitch nearly from the moment Sabu became a snitch.

--
Great piece from Ars Technica on how Sabu led them to Hammond: http://arstechnica.com/tech-policy/news/2012/03/stakeout-how-the-fbi-tracked-and-busted-a-chicago-anon.ars
--
Sabu's Reddit Ask-Me-Anything thread, Sep'11: "Stick to yourselves. Friends will try to take you down if they have to."

13 comments:

Anonymous said...

How is this a lesson for TOR users? They caught him because he DIDN'T log into IRC through TOR! Quit trying to prove something you previously speculated...

Robert Graham said...

That was exactly my point. If you log into IRC 100 times, but one time you forget to tunnel through Tor first, then you are hosed. That's the lesson.

It's like workers at the CDC (Centers for Disease Control) who work under conditions of extreme paranoia and triple redundancy: all it takes is just once to hose yourself.

It's also like crypto. Crypto itself is perfectly secure, but most people use it poorly, making it easy to hack. It's the way they use it that's the problem, not crypto itself.

This page intentionally left blank said...

This is from June: http://www.informationweek.com/news/security/attacks/231000584

Anonymous said...

u shouldnt need to proxy into yet another second machine, as long as u can torify all ur apps connecting...mail/browsers/IRC clients.....takes some care, but can be done w/out issues...

Anonymous said...

You're using "fail open" in a way that's nonsensical. Tor does not fail open - that's quite an accusation.

This was a stupid mistake and has *absolutely nothing* to do with failure modes.

Robert Graham said...

You're using "fail open" in a way that's nonsensical

It's not when Tor fails, it's when you fail. The way most people use Tor, if they make the slightest mistake, they reveal their identity. You should instead use Tor in such a manner that mistakes lead to loss of connectivity. A transparent proxy on a separate (or VM) machine does this.

AnonSecurityGeek said...

Robert Graham -- Good points, fascinating article, thank you very much for posting it!

I don't know why the other commenters are giving you a hard time about your comments on Tor. Your analysis of the risks with Tor (and the strongest defenses) seem obviously, self-evidently true. Oh well.

Robert Graham said...

To AnonSecurityGeek: I eventually figured out why. I was quoted in Ars Technica in a way that could be misinterpreted, so they followed the link to rebut their misinterpretation.

Anonymous said...

The Death and Taxes piece is not "wild eye ravings", you skimmed it if you think that. It is precisely in refuting those wild eyed ravings that it uses to prove its points

Robert Graham said...

True, I largely skimmed the middle bits of the Death and Taxes piece, but I carefully read the conclusion, which was wild eye ravings about how the FBI should arrest the white-collar criminals who crashed the economy, etc.

But you are right, the middle part wasn't the wild-eye conspiracy theories I got from skimming, but a debunking of those theories.

Anonymous said...

There were several doxes, including the one you linked from A-Team, that were either spot on about Sabu's identity or came very close: http://bit.ly/zUl4ar

Anonymous said...

Sabu was doxed in March of last year, by the same people who revealed the logs that identified him as the HBGary attacker.

Since the coverage is now hard to miss, why is this omitted?

George said...

It's almost as if their equivalent of "Morpheus" turned traitor.